diff --git a/_shared_content/operations_center/integrations/event_hub.md b/_shared_content/operations_center/integrations/event_hub.md index 2a04c69869..6f3386cd9f 100644 --- a/_shared_content/operations_center/integrations/event_hub.md +++ b/_shared_content/operations_center/integrations/event_hub.md @@ -1,5 +1,5 @@ **Azure Event Hubs** is a cloud-based event streaming platform and event ingestion service provided by Microsoft Azure. It is designed to handle large amounts of event data generated by various applications, devices, and services in real-time. **Event Hubs** enables you to ingest, process, and store events, logs, telemetry data, and other streaming data for further analysis, monitoring, and processing. -Two ways are suggested in order to set up everything you need to forward your events on Sekoia.io. +Two ways are suggested in order to set up everything you need to forward your events on Sekoia.io. If you are not an expert and want an easy way to configure the ressources on Azure, we recommend to use to **Automatic** way as it is easier to set up. @@ -13,12 +13,12 @@ These two ways will create an Azure Event Hub and a Storage Account. To get started, click on the button below and fill the form on Azure to set up the required environment for Sekoia [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw%2Egithubusercontent%2Ecom%2FSEKOIA%2DIO%2Fdocumentation%2Fmain%2Fdocs%2Fassets%2Foperation%5Fcenter%2Fintegration%5Fcatalog%2Fcloud%5Fand%5Fsaas%2Fazure%2Feventhub%5Ftemplate%2Ejson) Some fields must be filled in. - + ***Project details*** - **Subscription**: select the Azure subscription you want to use - **Resource Group**: select or create a new Resource Group. A Resource Group is a container that holds related resources - + ***Instance details*** - **Region**: select the appropriated region @@ -39,10 +39,17 @@ These two ways will create an Azure Event Hub and a Storage Account. - **Partition Count**: The number of event hub partitions. Microsoft recommends a maximum throughput of 1 MB/s per partition. ***Unless you plan to add more Event hubs to the Event Hub Namespace, the Partition Count and Throughput Unit variables should have the same values.*** - **Retention Time**: How long you will keep events in the Event hub in days. + + + ** Use the output variables to create a Sekoia playbook** - + When the message **Your deployment is complete** is displayed, click on **Outputs**. - + +
+ image +
+ Keep these 5 pieces of information displayed carefully, it will used to configure the **Trigger Configuration** of the Sekoia playbook. @@ -76,28 +83,28 @@ These two ways will create an Azure Event Hub and a Storage Account. **Step 2: Create Event Hub Namespace** - 1. Navigate to [Home > Event Hubs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces). - 2. Create an **Event Hub Namespace**. - 3. Select your Subscription and your Resource group. - Click on create new if you want your **Event Hub Namespace** in a new Resource group. + 1. Navigate to [Home > Event Hubs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces). + 2. Create an **Event Hub Namespace**. + 3. Select your Subscription and your Resource group. + Click on create new if you want your **Event Hub Namespace** in a new Resource group. 4. Choose a namespace name. 5. Select a location based on your events location. - 6. Select the [pricing tier plan](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-quotas#basic-vs-standard-vs-premium-vs-dedicated-tiers) based on your utilisation: Standard or Premimum (We don't recommend to choose the Basic plan due to its limitations.) - 7. Select the [throughput units](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-scalability#throughput-units) number based on your events, or enable the auto inflate mode: - 1 throughput unit can process up to 1 MB per second or 1000 events per second (whichever comes first). + 6. Select the [pricing tier plan](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-quotas#basic-vs-standard-vs-premium-vs-dedicated-tiers) based on your utilisation: Standard or Premimum (We don't recommend to choose the Basic plan due to its limitations.) + 7. Select the [throughput units](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-scalability#throughput-units) number based on your events, or enable the auto inflate mode: + 1 throughput unit can process up to 1 MB per second or 1000 events per second (whichever comes first).
image
**Step 3: Create Event Hub Instance** - When your **Event Hub Namespace** is created you can create an **Event Hub** inside: - 1. Navigate to [Home > Event Hubs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces) > company-eventhubnamespace. - 2. Create an **Event Hub**. + When your **Event Hub Namespace** is created you can create an **Event Hub** inside: + 1. Navigate to [Home > Event Hubs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces) > company-eventhubnamespace. + 2. Create an **Event Hub**. !!! info - We advise at least the following values: - - cleanup policy: Delete + We advise at least the following values: + - cleanup policy: Delete - retention time: 168h (7 days)
image @@ -108,24 +115,24 @@ These two ways will create an Azure Event Hub and a Storage Account. **Step 4: Create “Shared Access Policies” for the Event Hub** - 1. Navigate to [Home > Event Hubs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces) > company-eventhubnamespace > eventhubname | Shared access policies. + 1. Navigate to [Home > Event Hubs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces) > company-eventhubnamespace > eventhubname | Shared access policies. 2. Create a policy (e.g. `sekoiaio`) with the claims `Listen`.
image
3. Once created, click on the policy. -
+
image
!!! info Carefully store the connection string–primary key that will be used for sekoia playbook configuration. - + **Step 5: Create a Consumer group** - - 1. Navigate to [Home > Event Hubs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces) > company-eventhubnamespace > eventhubname | Consumer groups. + + 1. Navigate to [Home > Event Hubs](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces) > company-eventhubnamespace > eventhubname | Consumer groups. 2. Create a **Consumer group** (e.g. `consumergroup_sekoiaio`).
image @@ -138,32 +145,32 @@ These two ways will create an Azure Event Hub and a Storage Account. In order to allow Sekoia.io keep track of the consumed events, the next step consists in creating a dedicated **Storage account**. - 1. Navigate to [Home > Storage accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts). - 2. Create a **Storage account**. - 3. Select your Subscription and your Resource group. + 1. Navigate to [Home > Storage accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts). + 2. Create a **Storage account**. + 3. Select your Subscription and your Resource group. 4. Choose a **Storage account** name. 5. Select a Region. - !!! info + !!! info You must choose the Region used during the **Event Hub Namespace** creation. - 6. Select your perfomance and redundancy parameters. + 6. Select your perfomance and redundancy parameters. !!! info - We advise at least the following values: - - performance: standard - - redundancy: Geo-Redundancy storage (GRS) - + We advise at least the following values: + - performance: standard + - redundancy: Geo-Redundancy storage (GRS) +
image
- When your storage account is created you can create an container inside. - 1. Navigate to [Home > Storage accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) > storageaccoutname | containers. - 2. Create an container. + When your storage account is created you can create an container inside. + 1. Navigate to [Home > Storage accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) > storageaccoutname | containers. + 2. Create an container. - Keep the Public Acces Level to Private. + Keep the Public Acces Level to Private. !!! info The container name should be the same as the **Event Hub** name. @@ -171,10 +178,10 @@ These two ways will create an Azure Event Hub and a Storage Account. **Step 7: Retrieve Connection String** - You have to retrieve the connection string from **Azure Web Portal**. + You have to retrieve the connection string from **Azure Web Portal**. - 1. Go to [Home > Storage accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) > storageaccoutname | Access Keys. - 2. Click on "Show Keys" on the first Connection String. + 1. Go to [Home > Storage accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) > storageaccoutname | Access Keys. + 2. Click on "Show Keys" on the first Connection String.
image
diff --git a/docs/assets/operation_center/integration_catalog/cloud_and_saas/event_hub/eventhub_template.png b/docs/assets/operation_center/integration_catalog/cloud_and_saas/event_hub/eventhub_template.png new file mode 100644 index 0000000000..34c512a0ff Binary files /dev/null and b/docs/assets/operation_center/integration_catalog/cloud_and_saas/event_hub/eventhub_template.png differ diff --git a/docs/xdr/features/collect/integrations/network/wallix.md b/docs/xdr/features/collect/integrations/network/wallix.md index 0c13367554..5d4ffec2d2 100644 --- a/docs/xdr/features/collect/integrations/network/wallix.md +++ b/docs/xdr/features/collect/integrations/network/wallix.md @@ -11,7 +11,36 @@ WALLIX Bastion is a “Privileged Access Management” solution. {!_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md!} ## Configure -This setup guide will show you how to forward logs produced by your Wallix bastion to Sekoia.io by means of an rsyslog transport channel. +This setup guide will show you how to forward logs produced by your Wallix bastion to Sekoia.io by means of an syslog transport channel. -### Configure the Rsyslog server -Please consult the [Rsyslog Transport](../../../ingestion_methods/syslog/overview/) documentation to forward these logs to Sekoia.io. +On the "SIEM Integration" page in the "System" menu, you can set up the routing of logged information log information to one or more other network devices syslog servers. + +!!! Warning + This page is only displayed when the "SIEM" functionality is associated with the license key. + +To set up routing via the syslog server you previously setup, such as the [Sekoia.io Forwarder](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/), enter the following information: + +- server IP address or FQDN, +- transmission protocol (UDP or TCP), +- port number, +- log format (standard RFC 3164 format), + - choose the timestamp format as ISO format (YYYY-MM-DDTHH:MM:SS±TZ), that contains year and time zone. +- filter for selecting the categories of logged information to be sent via the server, including: + * configuration changes, + * authentication logs, + * account activities, + * SSH proxies events, + * RDP proxies events, + * SSH session, + * RDP session, + * VNC session. + +!!! Note + When upgrading from a version prior to WALLIX Bastion 8.2, all logged information categories are selected by default for all servers previously configured on this page. + +Logs will then be sent to the selected IP address, port and transmission protocol, and also stored on the local file system, so that they are always available for reading on the "Logs audit" page in the "Configuration" menu. + + +### Configure the syslog server + +Please consult the [Sekoia.io Forwarder](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io.