Skip to content

Commit

Permalink
up
Browse files Browse the repository at this point in the history
  • Loading branch information
CharlesLR-sekoia committed Sep 12, 2024
1 parent f094168 commit d84379c
Show file tree
Hide file tree
Showing 4 changed files with 42 additions and 28 deletions.
32 changes: 22 additions & 10 deletions docs/integration/categories/email/mimecast_email_security.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ A secure email gateway to block spam, viruses, and malware.
- The Mimecast administrator must be assigned a Role with the following criteria.
- Read and Edit API Application Permissions under the Service Menu.
- Security Permissions setting must permit the Management of Application Roles.
- The generated API key must be a Mimecast Administrator with at least the Security Events and Data Retrieval | Threat and Security Events (SIEM)| Read permission.
- The generated API key must be a Mimecast Administrator with at least the Security Events and Data Retrieval | Threat and Security Events (SIEM) and Threat and security statistics | Read permission.

### Transport Protocol/Method

Expand All @@ -52,21 +52,33 @@ A secure email gateway to block spam, viruses, and malware.
#### Create API credentials

1. Login to **Mimecast Administration Console**
2. Navigate to **Services | API and Platform Integrations**
3. Locate the following **Mimecast API 2.0** tile and click on **Generate Keys.**
4. After reading the **Terms & Conditions**, complete the **I accept** check box to enable the **Next** button to progress onto the next step.
5. Complete the **Application Details** section.
6. Please provide details for a **Technical Point of Contact**.
7. Review the Summary information for the API application and click on **Add** if you are happy to proceed with creating the application.
8. The wizard completes and displays a pop-up window including your `Client ID` and `Client Secret` key data.
2. Navigate to **Account** > **Roles** > **New Role**
3. Name the role as you wish, for instance "Sekoia"
4. Add the following roles under the section called **Security Events and Data Retrieval**:
- **Threat and security svents (SIEM)** with READ permission,
- **Threat and security statistics** with READ permission.
5. Navigate to **Services | API and Platform Integrations**
6. Locate the following **Mimecast API 2.0** tile and click on **Generate Keys.**
7. After reading the **Terms & Conditions**, complete the **I accept** check box to enable the **Next** button to progress onto the next step.
8. Complete the **Application Details** section by providing:
- Application Name: Select **SIEM Integration**,
- Description (Optional),
- Integration Partner (Optional),
- Products: Select all products,
- Role: Select the "Sekoia" role created above.
9. Complete the **Notifications** section by providing:
- Technical Point of Contact: Write the name of the administrator to be contacted if you encounter any issue with the API,
- Email : Write the administrator's email.
10. Validate the form and Click on **Add and Generate Keys**
11. The wizard completes and displays a pop-up window including your `Client ID` and `Client Secret` key data.

### Instruction on Sekoia
### Create your intake
#### Create your intake

1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Mimecast Email Security`.
2. Copy the associated Intake key

### Pull your logs on Sekoia.io
#### Pull your logs on Sekoia.io

Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps:

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,12 @@ name: Microsoft 365 Defender
type: intake

## Overview
- **Vendor**:
- **Vendor**: Microsoft
- **Plan**: Defend Core & Defend Prime
- **Supported environment**:
- **Version compatibility**:
- **Detection based on**: Alert, Telemetry
- **Supported application or feature**:
- **Supported application or feature**: see section below

**This Intake was previously called Microsoft Defender for Endpoints.**

Expand All @@ -17,8 +17,6 @@ Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suit
This setup guide describes how to forward events produced by `Microsoft 365 Defender` to Sekoia.io XDR.




## Microsoft 365 Defender event types supported
Here is a list of all the Microsoft 365 Defender event types supported by this integration:

Expand Down
2 changes: 1 addition & 1 deletion docs/integration/categories/iam/entra_id.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: Microsoft Entra ID (Azure AD)
type: intake

## Overview
- **Vendor**:
- **Vendor**: Microsoft
- **Plan**: Defend Core & Defend Prime
- **Supported environment**: SaaS
- **Detection based on**: Telemetry
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,25 +11,36 @@ In this documentation we will explain how to collect and send Stormshield Networ
- **Vendor**: Stormshield
- **Plan**: Defend Core & Defend Prime
- **Supported environment**: On prem
- **Version compatibility**:
- **Version compatibility**: 4.8.2 and newer
- **Detection based on**: Alert, Telemetry
- **Supported application or feature**: Network device logs, Network protocol analysis, SSL/TLS inspection, Anti-virus

## Step-by-Step Configuration Procedure

### Instruction on Sekoia
#### Create your intake

Everything you need to do for this part of the configuration is described [here](/xdr/features/collect/intakes).

1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Stormshield Network Security`.
2. Copy the associated Intake key

## Configure
### Instructions on the 3rd Party Solution

This section will guide you to forward Stormshield SNS logs to Sekoia.

### Create the intake
#### Import the intake certificate

Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Stormshield Network Security.
On a device, please download the [Sekoia.io intake certificate](https://app.sekoia.io/assets/files/SEKOIA-IO-intake.pem)

### Import the intake certificate
1. Log on the UTM administration console
2. Click `Configuration` tab
3. On the left panel, Click `Objects` > `Certificats and PKI`
4. Click `+ Add`
5. Select the intake certificate
6. Click `Import`

On a device, please download the [Sekoia.io intake certificate](https://app.sekoia.io/assets/files/SEKOIA-IO-intake.pem)
#### Configure the log forwarding

1. Log on the UTM administration console
2. Click `Configuration` tab
Expand All @@ -44,16 +55,9 @@ On a device, please download the [Sekoia.io intake certificate](https://app.seko
11. In the advanced configuration section, paste the intake key
12. Click `APPLY`

### Configure the log forwarding

You have to go on your Sekoia.io instance to generate an "intake key".
Everything you need to do for this part of the configuration is described [here](/xdr/features/collect/intakes).

Finally, to push logs, you have to [configure](/integration/ingestion_methods/index) some filters and rewrite rules in Syslog that will add the proper “intake key” considering your logs.

{!_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_sample.md!}


{!_shared_content/integration/detection_section.md!}

{!_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md!}
Expand Down

0 comments on commit d84379c

Please sign in to comment.