diff --git a/docs/assets/integration/mimecast_es_architecture.png b/docs/assets/integration/mimecast_es_architecture.png new file mode 100644 index 0000000000..c33d00b597 Binary files /dev/null and b/docs/assets/integration/mimecast_es_architecture.png differ diff --git a/docs/integration/categories/email/mimecast_email_security.md b/docs/integration/categories/email/mimecast_email_security.md index 8c2ac0a9dc..dfc0a18915 100644 --- a/docs/integration/categories/email/mimecast_email_security.md +++ b/docs/integration/categories/email/mimecast_email_security.md @@ -7,7 +7,7 @@ A secure email gateway to block spam, viruses, and malware. - **Vendor**: Mimecast - **Plan**: Defend Prime -- **Supported environment**: Cloud +- **Supported environment**: Cloud - **Detection based on**: Telemetry - **Supported application or feature**: Email gateway 
@@ -15,9 +15,41 @@ A secure email gateway to block spam, viruses, and malware. !!! warning Important note - This format is currently in beta. We highly value your feedback to improve its performance. -## Configure +## High-Level Architecture Diagram -### Create API credentials +- **Type of integration**: PULL by Sekoia.io +- **Schema** + +![mimecast_es_architecture](/assets/integration/mimecast_es_architecture.png){: style="max-width:100%"} + +## Specification + +### Prerequisites + +- **Permissions**: + - The Mimecast administrator must be assigned a Role with the following criteria. + - Read and Edit API Application Permissions under the Service Menu. + - Security Permissions setting must permit the Management of Application Roles. + - The generated API key must be a Mimecast Administrator with at least the Security Events and Data Retrieval | Threat and Security Events (SIEM)| Read permission. + +### Transport Protocol/Method + +- **Direct HTTP** + +### Logs details + +- **Supported functionalities**: See section [Overview](#overview) +- **Supported type(s) of structure**: JSON +- **Supported verbosity level**: Informational + +!!! Note + Log levels are based on the taxonomy of [RFC5424](https://datatracker.ietf.org/doc/html/rfc5424). Adapt according to the terminology used by the editor. + +## Step-by-Step Configuration Procedure + +### Instructions on the 3rd Party Solution + +#### Create API credentials 1. Login to **Mimecast Administration Console** 2. Navigate to **Services | API and Platform Integrations** 
@@ -28,6 +60,7 @@ A secure email gateway to block spam, viruses, and malware. 7. Review the Summary information for the API application and click on **Add** if you are happy to proceed with creating the application. 8. The wizard completes and displays a pop-up window including your `Client ID` and `Client Secret` key data. +### Instruction on Sekoia ### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Mimecast Email Security`. diff --git a/docs/integration/categories/endpoint/auditbeat_linux.md b/docs/integration/categories/endpoint/auditbeat_linux.md index 253f38858f..e932fbaa77 100644 --- a/docs/integration/categories/endpoint/auditbeat_linux.md +++ b/docs/integration/categories/endpoint/auditbeat_linux.md @@ -232,7 +232,7 @@ $IncludeConfig /etc/rsyslog.d/*.conf ```bash module(load="imfile" PollingInterval="10") input(type="imfile" - File="/tmp/auditbeat/auditbeat*.ndjson" + File="/var/log/auditbeat/auditbeat*.ndjson" Tag="linux_auditbeat" Severity="info" Facility="local7" diff --git a/docs/integration/categories/network_security/darktrace_threat_visualizer.md b/docs/integration/categories/network_security/darktrace_threat_visualizer.md index b9517fc09c..d619332b94 100644 --- a/docs/integration/categories/network_security/darktrace_threat_visualizer.md +++ b/docs/integration/categories/network_security/darktrace_threat_visualizer.md 
@@ -8,26 +8,88 @@ Darktrace monitors all people and digital assets across your entire ecosystem. - **Vendor**: Darktrace - **Plan**: Defend Core & Defend Prime -- **Supported environment**: Cloud +- **Supported environment**: Cloud and On Premise versions 6.1 or above - **Detection based on**: Alert, Telemetry - **Supported application or feature**: Darktrace Threat Visualizer + +## Specification + +### Prerequisites + +For On Premise version: +- **Resource**: + - Self-managed syslog forwarder +- **Network**: + - Outbound traffic allowed +- **Permissions**: + - Administrator privileges on the Darktrace appliance + - Root access to the Linux server with the syslog forwarder + +For Cloud version, only an dministrator privileges on the Darktrace appliance is mandatory. + +### Transport Protocol/Method + +- **Direct HTTP** for Cloud +- **Indirect syslog** for On Premise + +### Logs details + +- **Supported functionalities**: See section [Overview](#overview) +- **Supported type(s) of structure**: JSON +- **Supported verbosity level**: Informational, Alert + +!!! Note + Log levels are based on the taxonomy of [RFC5424](https://datatracker.ietf.org/doc/html/rfc5424). Adapt according to the terminology used by the editor. + ## Step-by-Step Configuration Procedure This setup guide describes how to forward logs from Darktrace Threat visualizer to Sekoia.io. +### Instruction on Sekoia + +{!_shared_content/integration/intake_configuration.md!} + +#### For Cloud verion only + +{!_shared_content/integration/connector_configuration.md!} + ### Instructions on the 3rd party solution -#### Acquire your public and private key +#### For Cloud verion - Acquire your public and private key As a prerequisite, you need a Darktrace Threat Visualizer API tenant url. See the [Darktrace documentation](https://customerportal.darktrace.com/product-guides/main/api-tokens) for intructions to acquire your public and private key. 
-### Instruction on Sekoia +#### For On Premise verion - Send logs to a syslog server -{!_shared_content/integration/intake_configuration.md!} +1. Open the Threat Visualizer and navigate to the **System Config** page (Main menu › Admin). +2. From the left-side menu, **select Modules**, then navigate to the **Workflow Integrations** section and choose +**Syslog**. +A window with four tabs will open, a Status tab that lists existing configurations per-Syslog server and an individual tab for each Syslog format. The Status tab may not be present if there are no existing configurations. +- If the instance is not a Unified View, proceed to Step 3. +- If the instance where configuration is being performed is a Darktrace Unified View instance, choose which Darktrace master instance will send alerts at the top of the page. +- If a a subordinate master (submaster) is selected, the master will be the instance to emit alerts but will only generate alerts originating from itself. +- If the UV instance is selected, an additional field - Master - will appear further down the page. This field is used to control the source of alerts sent by the Unified View for this configuration. +3. Syslog MUST be sent in **JSON format**. +4. Scroll past any existing configurations and click New to set up forwarding Darktrace alerts to a new server via syslog. +5. Enter the IP address of the syslog server in the Server field and optionally modify the communication port. +6. If the instance is not a Unified View, proceed to Step 7. +- If the instance where configuration is being performed is a Darktrace Unified View instance, and the Unified +View has been selected to send alerts from, an additional field - Master - will appear. This field is used to +control the source of alerts sent by the Unified View for this configuration. +- If a submaster is selected, the UV will only send alerts from that submaster for this configuration. 
+- If “all” is selected, alerts sourced from all submasters will be sent. +- Select the appropriate source. +7. Turn on Show Advanced Options. All options and settings are covered in Optional Filters and Settings. +8. Select **TCP-format alerting setting** +9. Select which **alert types** should be sent via Syslog. Alerts will not be sent until the master Send Alerts toggle is turned on. +10. Within the same configuration, click **Add** to **save the changes**. Observe a confirmation message. +11. Scroll to the top of the entry and **click Verify alert settings** to send a test alert to the specified Syslog server. +12. Finally, **turn on Send Alerts** and **save** changes. + +{!_shared_content/integration/forwarder_configuration.md!} -{!_shared_content/integration/connector_configuration.md!} {!_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188_sample.md!} diff --git a/mkdocs.yml b/mkdocs.yml index 081ebe5427..98c866d92d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -785,7 +785,7 @@ plugins: xdr/features/collect/integrations/index.md: integration/categories/index.md xdr/features/collect/integrations/endpoint/sekoiaio.md: integration/categories/endpoint/sekoiaio.md xdr/features/collect/ingestion_methods/index.md: integration/ingestion_methods/index.md - xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder.md: integration/ingestion_methods/sekoiaio_forwarder.md + xdr/features/collect/ingestion_methods/sekoiaio_forwarder.md: integration/ingestion_methods/syslog/sekoiaio_forwarder.md xdr/features/collect/ingestion_methods/https/format.md: integration/ingestion_methods/https/format.md getting_started/2fa.md: getting_started/account_security.md getting_started/apikey_creation.md: getting_started/manage_api_keys.md
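Review bot: the only difference in the first mimecast_email_security.md hunk (`-- **Supported environment**: Cloud` / `+- **Supported environment**: Cloud `) is a trailing space appended after "Cloud", which adds whitespace noise to the diff and trips trailing-whitespace linters; drop this line from the change, or strip the trailing space so the line stays byte-identical.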
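Review bot: in the Prerequisites block added to mimecast_email_security.md, the permission string `Security Events and Data Retrieval | Threat and Security Events (SIEM)| Read` has inconsistent spacing around the second `|` (operators will paste this into the Mimecast console search, so copy it exactly as the console shows it), and "The generated API key must be a Mimecast Administrator" conflates the key with the administrator it is issued for; suggest "The API application must be bound to a Mimecast administrator holding at least the `Security Events and Data Retrieval | Threat and Security Events (SIEM) | Read` permission". The `[Overview](#overview)` link under "Logs details" only resolves if the page has an "Overview" heading, which the visible context does not show, so verify the anchor; and for consistency with the existing `!!! warning` admonition, write the new one as `!!! note` in lowercase.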
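Review bot: the new `### Instruction on Sekoia` heading in the third mimecast_email_security.md hunk is immediately followed by the pre-existing `### Create your intake` at the same level, so "Create your intake" does not nest under it the way `#### Create API credentials` nests under `### Instructions on the 3rd Party Solution`; demote it to `#### Create your intake`. Also pick one form of the heading ("Instructions on Sekoia", plural, to match "Instructions on the 3rd Party Solution") and use it in both this page and darktrace_threat_visualizer.md, which currently uses the singular "Instruction on Sekoia".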
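Review bot: moving the imfile `File=` glob in auditbeat_linux.md from `/tmp/auditbeat/auditbeat*.ndjson` to `/var/log/auditbeat/auditbeat*.ndjson` is the right call (a world-writable `/tmp` lets any local user plant or replace the ndjson files that rsyslog then ships as audit telemetry), but the rest of the page must agree: wherever the guide configures Auditbeat's file output, that path has to point at the same `/var/log/auditbeat/` directory, and rsyslog needs read access to it (on distributions where rsyslog drops privileges, the directory and files must be readable by the rsyslog user). Suggest updating the matching output path in this same change and adding a one-line note on directory ownership and permissions next to the `input(type="imfile"` block.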
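Review bot: several typos in the darktrace_threat_visualizer.md Specification and heading additions: "only an dministrator privileges on the Darktrace appliance is mandatory" should read "only administrator privileges on the Darktrace appliance are mandatory"; "For Cloud verion only", "For Cloud verion - Acquire" and "For On Premise verion - Send logs" should all say "version" (and the pre-existing context line "for intructions to acquire" could be fixed to "instructions" while here). Separately, the paragraph line "For On Premise version:" is followed directly by `- **Resource**:` with no blank line; Python-Markdown does not open a list straight after a paragraph line, so these bullets will render as one run-on paragraph. Insert a blank line after "For On Premise version:".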
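Review bot: in the "Send logs to a syslog server" procedure, the conditional bullets placed between steps 2 and 3 and between steps 6 and 7 are not indented, so they terminate the ordered list and `3.` and `7.` start new lists; indent those bullets by four spaces under their parent step, and join the hard-wrapped fragments ("choose" / "**Syslog**." and "Unified" / "View has been selected") so they render as nested sub-items. Also "If a a subordinate master" duplicates "a", step 8 "Select **TCP-format alerting setting**" lacks a terminating period, and step 3 ("Syslog MUST be sent in **JSON format**") is a requirement rather than an action: rephrase it as the action the operator performs, e.g. "Select the **JSON** format tab; JSON is required for Sekoia.io ingestion", since the preceding text says the window has an individual tab per syslog format.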
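Review bot: the mkdocs.yml hunk moves the `syslog/` path segment from the redirect key to its value: the source URL becomes `xdr/features/collect/ingestion_methods/sekoiaio_forwarder.md` and the target `integration/ingestion_methods/syslog/sekoiaio_forwarder.md`. If the previously published legacy URL was the `.../ingestion_methods/syslog/sekoiaio_forwarder.md` form, as the removed line suggests, that link will now 404; keep both keys pointing at the new target if both legacy URLs were ever live, and confirm the target actually exists at `docs/integration/ingestion_methods/syslog/sekoiaio_forwarder.md`, otherwise the redirect lands on a missing page.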