Absolute SIEM connector

I just noticed this morning that Absolute Software has a SIEM connector, and an AI search suggests it can send logs to Rapid7 IDR SIEM. However, I’ve never seen anything in IDR “Add Event Source” for Absolute.

Anyone have any experience with feeding IDR with Absolute?

Thanks,

Craig

I’m answering my own question even though this is one that is likely not common. In short, this is not possible unless the SIEM is on the same network as the server where the Absolute SIEM Connector Tool will be installed.

I looked into leveraging the Rapid7 agent to send Absolute Agent CTES logs to the R7 IDR SIEM, but there is no value in that since they only contain information about agent health and nothing of a security nature.

Craig

We installed the Absolute SIEM Connector Tool on a Windows server in our DMZ and have been getting Absolute logs for over two years. The logs contain all events tracked by Absolute, not just agent health.

Great input, mwhite 🙂 Are your server and SIEM in the same IP block?

Craig

Our Windows server that has the Absolute SIEM connector is also a collector. The Absolute SIEM Connector app sends syslog to a port on that same collector.