Merge pull request #1984 from SEKOIA-IO/update_mimecast

add mimecast least permission & fix auditbeat path

docs/integration/categories/email/mimecast_email_security.md

@@ -7,17 +7,49 @@ A secure email gateway to block spam, viruses, and malware.
 
 - **Vendor**: Mimecast
 - **Plan**: Defend Prime
-- **Supported environment**: Cloud 
+- **Supported environment**: Cloud
 - **Detection based on**: Telemetry
 - **Supported application or feature**: Email gateway
 
 
 !!! warning
     Important note - This format is currently in beta. We highly value your feedback to improve its performance.
 
-## Configure
+## High-Level Architecture Diagram
 
-### Create API credentials
+- **Type of integration**: PULL by Sekoia.io
+- **Schema**
+
+![mimecast_es_architecture](/assets/integration/mimecast_es_architecture.png){: style="max-width:100%"}
+
+## Specification
+
+### Prerequisites
+
+- **Permissions**:
+    - The Mimecast administrator must be assigned a Role with the following criteria.
+        - Read and Edit API Application Permissions under the Service Menu.
+        - Security Permissions setting must permit the Management of Application Roles.
+    - The generated API key must be a Mimecast Administrator with at least the Security Events and Data Retrieval | Threat and Security Events (SIEM)| Read permission.
+
+### Transport Protocol/Method
+
+- **Direct HTTP**
+
+### Logs details
+
+- **Supported functionalities**: See section [Overview](#overview)
+- **Supported type(s) of structure**: JSON
+- **Supported verbosity level**: Informational
+
+!!! Note
+    Log levels are based on the taxonomy of [RFC5424](https://datatracker.ietf.org/doc/html/rfc5424). Adapt according to the terminology used by the editor.
+
+## Step-by-Step Configuration Procedure
+
+### Instructions on the 3rd Party Solution
+
+#### Create API credentials
 
 1. Login to **Mimecast Administration Console**
 2. Navigate to **Services | API and Platform Integrations**
@@ -28,6 +60,7 @@ A secure email gateway to block spam, viruses, and malware.
 7. Review the Summary information for the API application and click on **Add** if you are happy to proceed with creating the application.
 8. The wizard completes and displays a pop-up window including your `Client ID` and `Client Secret` key data.
 
+### Instruction on Sekoia
 ### Create your intake
 
 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Mimecast Email Security`.

docs/integration/categories/endpoint/auditbeat_linux.md

@@ -232,7 +232,7 @@ $IncludeConfig /etc/rsyslog.d/*.conf
 ```bash
 module(load="imfile" PollingInterval="10")
 input(type="imfile"
-      File="/tmp/auditbeat/auditbeat*.ndjson"
+      File="/var/log/auditbeat/auditbeat*.ndjson"
       Tag="linux_auditbeat"
       Severity="info"
       Facility="local7"

docs/integration/categories/network_security/darktrace_threat_visualizer.md

@@ -8,26 +8,88 @@ Darktrace monitors all people and digital assets across your entire ecosystem.
 
 - **Vendor**: Darktrace
 - **Plan**: Defend Core & Defend Prime
-- **Supported environment**: Cloud
+- **Supported environment**: Cloud and On Premise versions 6.1 or above
 - **Detection based on**: Alert, Telemetry
 - **Supported application or feature**: Darktrace Threat Visualizer
 
+
+## Specification
+
+### Prerequisites
+
+For On Premise version:
+- **Resource**:
+    - Self-managed syslog forwarder
+- **Network**:
+    - Outbound traffic allowed
+- **Permissions**:
+    - Administrator privileges on the Darktrace appliance
+    - Root access to the Linux server with the syslog forwarder
+
+For Cloud version, only an dministrator privileges on the Darktrace appliance is mandatory.
+
+### Transport Protocol/Method
+
+- **Direct HTTP** for Cloud
+- **Indirect syslog** for On Premise
+
+### Logs details
+
+- **Supported functionalities**: See section [Overview](#overview)
+- **Supported type(s) of structure**: JSON
+- **Supported verbosity level**: Informational, Alert
+
+!!! Note
+    Log levels are based on the taxonomy of [RFC5424](https://datatracker.ietf.org/doc/html/rfc5424). Adapt according to the terminology used by the editor.
+
 ## Step-by-Step Configuration Procedure
 
 This setup guide describes how to forward logs from Darktrace Threat visualizer to Sekoia.io.
 
+### Instruction on Sekoia
+
+{!_shared_content/integration/intake_configuration.md!}
+
+#### For Cloud verion only
+
+{!_shared_content/integration/connector_configuration.md!}
+
 ### Instructions on the 3rd party solution
-#### Acquire your public and private key
+#### For Cloud verion - Acquire your public and private key
 
 As a prerequisite, you need a Darktrace Threat Visualizer API tenant url.
 
 See the [Darktrace documentation](https://customerportal.darktrace.com/product-guides/main/api-tokens) for intructions to acquire your public and private key.
 
-### Instruction on Sekoia
+#### For On Premise verion - Send logs to a syslog server
 
-{!_shared_content/integration/intake_configuration.md!}
+1. Open the Threat Visualizer and navigate to the **System Config** page (Main menu › Admin).
+2. From the left-side menu, **select Modules**, then navigate to the **Workflow Integrations** section and choose
+**Syslog**.
+A window with four tabs will open, a Status tab that lists existing configurations per-Syslog server and an individual tab for each Syslog format. The Status tab may not be present if there are no existing configurations.
+- If the instance is not a Unified View, proceed to Step 3.
+- If the instance where configuration is being performed is a Darktrace Unified View instance, choose which Darktrace master instance will send alerts at the top of the page.
+- If a a subordinate master (submaster) is selected, the master will be the instance to emit alerts but will only generate alerts originating from itself.
+- If the UV instance is selected, an additional field - Master - will appear further down the page. This field is used to control the source of alerts sent by the Unified View for this configuration.
+3. Syslog MUST be sent in **JSON format**.
+4. Scroll past any existing configurations and click New to set up forwarding Darktrace alerts to a new server via syslog.
+5. Enter the IP address of the syslog server in the Server field and optionally modify the communication port.
+6. If the instance is not a Unified View, proceed to Step 7.
+- If the instance where configuration is being performed is a Darktrace Unified View instance, and the Unified
+View has been selected to send alerts from, an additional field - Master - will appear. This field is used to
+control the source of alerts sent by the Unified View for this configuration.
+- If a submaster is selected, the UV will only send alerts from that submaster for this configuration.
+- If “all” is selected, alerts sourced from all submasters will be sent.
+- Select the appropriate source.
+7. Turn on Show Advanced Options. All options and settings are covered in Optional Filters and Settings.
+8. Select **TCP-format alerting setting**
+9. Select which **alert types** should be sent via Syslog. Alerts will not be sent until the master Send Alerts toggle is turned on.
+10. Within the same configuration, click **Add** to **save the changes**. Observe a confirmation message.
+11. Scroll to the top of the entry and **click Verify alert settings** to send a test alert to the specified Syslog server.
+12. Finally, **turn on Send Alerts** and **save** changes.
+
+{!_shared_content/integration/forwarder_configuration.md!}
 
-{!_shared_content/integration/connector_configuration.md!}
 
 {!_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188_sample.md!}
 

mkdocs.yml

@@ -785,7 +785,7 @@ plugins:
       xdr/features/collect/integrations/index.md: integration/categories/index.md
       xdr/features/collect/integrations/endpoint/sekoiaio.md: integration/categories/endpoint/sekoiaio.md
       xdr/features/collect/ingestion_methods/index.md: integration/ingestion_methods/index.md
-      xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder.md: integration/ingestion_methods/sekoiaio_forwarder.md
+      xdr/features/collect/ingestion_methods/sekoiaio_forwarder.md: integration/ingestion_methods/syslog/sekoiaio_forwarder.md
       xdr/features/collect/ingestion_methods/https/format.md: integration/ingestion_methods/https/format.md
       getting_started/2fa.md: getting_started/account_security.md
       getting_started/apikey_creation.md: getting_started/manage_api_keys.md