Merge pull request #1933 from SEKOIA-IO/fixes-from-martial-feedback

add old pages for compatibility

_shared_content/automate/actions.md

@@ -98,7 +98,7 @@ These helpers need their associated trigger to function properly:
 
 ## Third-party applications
 
-- [Microsoft Entra ID (Azure AD) ](/integration/action_library/iam_sase/microsoft-entra-id.md)
+- [Microsoft Entra ID (Azure AD) ](/integration/action_library/iam/microsoft-entra-id.md)
 - [Microsoft Remote Server](/integration/action_library/applicative/microsoft-remote-server.md)
 - [Fortigate Firewalls](/integration/action_library/network/fortigate-firewalls.md)
 - [HarfangLab](/integration/action_library/endpoint/harfanglab.md)

docs/integration/categories/endpoint/cybereason_malop.md

@@ -0,0 +1,41 @@
+uuid: 9f89b634-0531-437b-b060-a9d9f2d270db
+name: Cybereason MalOp
+type: intake
+
+## Overview
+
+Cybereason offers a set of Endpoint Detection and Response (EDR) solutions. Through the Cybereason platform, all suspicious operations will be gathered in MalOps, a multi-stage visualizations of device activities.
+
+!!! warning
+    If your tenant uses an allowlist to authorize connections, please ensure that Sekoia.io's IPs are allowed.
+    See our [FAQ](../../../../FAQ.md) to get our IPs.
+
+
+{!_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md!}
+
+{!_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md!}
+
+## Configure
+
+This setup guide will lead you into forwarding all MalOp activities to Sekoia.io.
+
+### Prerequisites
+
+To forward events produced by Cybereason to Sekoia.io, you will need your Cybereason username and password. 
+
+!!! warning
+    Please ensure the user has, at least, `Analyst L2` rights granted.
+
+### Create your intake
+
+On Sekoia.io, go to the [Intakes page](https://app.sekoia.io/operations/intakes/new) and generate a new intake with the `Cybereason MalOp` format.
+Keep aside the intake key.
+
+### Pull events
+
+To start pulling events, you have to: 
+
+1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from Cybereason](../../../../automate/library/cybereason) module. 
+2. Set up the module configuration with your Cybereason username and password.
+3. Set up the trigger configuration with your intake key
+4. Start the playbook and enjoy your [events](https://app.sekoia.io/operations/events).

docs/integration/categories/endpoint/cybereason_malop_activity.md

@@ -0,0 +1,53 @@
+uuid: 0de050fb-3f56-4c7a-a9b6-76bf5298a617
+name: Cybereason MalOp activity
+type: intake
+
+## Overview
+
+Cybereason offers a set of Endpoint Detection and Response (EDR) solutions. Through the Cybereason platform, all suspicious operations will be gathered in MalOps, a multi-stage visualizations of device activities.
+
+Please find below information available in MalOp activities:
+
+- the list of affected machines
+- the list of affected users
+- all suspicious network connections
+- all suspicious executions
+
+{!_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md!}
+
+{!_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md!}
+
+## Configure
+
+This setup guide will lead you into forwarding all MalOp activities to Sekoia.io.
+
+### Create your intake
+
+On Sekoia.io, go to the [Intakes page](https://app.sekoia.io/operations/intakes/new) and generate a new intake with the `Cybereason MalOp Activities` format.
+Keep aside the intake key.
+
+### Setup the Syslog collector
+
+Check the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to install and set up the syslog collector.
+
+Once the setup has completed, write down the IP address and port. This information will be used in the next step.
+
+### Setup the CybeReason CEF Forwarder
+
+Contact the Cybereason Customer Success Manager to get the Cybereason CEF Forwarder.
+
+Connect to the [Cybereason Partner Nest](https://nest.cybereason.com/user/login) and follow [these instructions](https://nest.cybereason.com/node/3517551) for the installation of the CEF forwarder.
+
+Create a [new configuration](https://nest.cybereason.com/node/3517426) to forward MalOp activities to the syslog collector: fill `host` and `port` with the address and the listening port of the syslog collector.
+
+### Start the forwarding
+
+Start the CEF Forwarder with your new configuration
+
+```bash
+$ cybereason-forwarders/scripts/run_forwarder.sh config/<my new configuration>.json
+```
+
+### Enjoy your events
+
+Go to the [Events page](https://app.sekoia.io/operations/events) and wait for your incoming events!

docs/integration/categories/endpoint/ibm_i.md

@@ -0,0 +1,72 @@
+uuid: fc03f783-5039-415e-915a-a4b010d9a872
+name: IBM iSeries (AS/400)
+type: intake
+
+## Overview
+
+IBM iSeries (AS/400) is a robust, scalable family of midrange business computers running the IBM i operating system, known for its integrated DB2 database and strong security features.
+
+!!! warning
+	Important - This integration requires the installation of Syslog Reporting Manager on IBM i, for which a fee is charged.
+
+!!! warning
+    Important note - This format is currently in beta. We highly value your feedback to improve its performance.
+
+## Supported versions
+
+This integration supports the following versions:
+
+- 7.3
+- 7.4
+- 7.5
+
+## Supported events
+
+This integration supports the following events:
+
+- Audit journal (Command entry, Authority failure)
+- Integrated file system monitoring
+- Message queues monitoring
+- Database monitoring
+- History logs
+
+{!_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md!}
+
+{!_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md!}
+
+## Configure
+
+In this guide, you will configure the gateway to forward events to syslog.
+
+### Prerequisites
+
+1. An internal syslog concentrator is required to collect and forward events to Sekoia.io.
+2. Syslog Reporting Manager installed on the iSeries. See [docs](https://www.ibm.com/support/pages/ibm-i-security) for more info.
+
+### Forward IBM iSeries events
+
+1. Ensure having `Syslog Reporting Manager` installed and configured
+2. On the SLMON menu, type `CFGSRM`
+3. On the Configure global settings, select Option `2`
+4. Type the address and the port of the log concentrator
+5. Select `RFC5424` as `Syslog format`
+6. Select `CEF` as `SIEM message format`
+7. Select the protocol for the log concentrator (`TCP` is recommended)
+8. At the bottom of the screen, press `Enter` to save the changes
+
+### Enable Audit logs (optional)
+
+1. On the SLMON menu, type `CFGSRM`
+2. On the Configure global settings, select Option `10`
+3. Enable the following type:
+	- AF: Authority failures
+	- CD: Command string audit
+4. Press `F3` to save the changes
+
+## Create the intake
+
+Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format IBM iSeries.
+
+## Send logs to Sekoia.io
+
+Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io.

docs/integration/categories/endpoint/sentinelone.md

@@ -0,0 +1,59 @@
+uuid: 07c556c0-0675-478c-9803-e7990afe78b6
+name: SentinelOne
+type: intake
+
+## Overview
+
+SentinelOne is an Endpoint Detection and Response (EDR) solution. By using the standard SentinelOne EDR logs collection by API, you will be provided with high-level information on the detection and investigation of your EDR.
+
+Please find below a limited list of field types that are available with SentinelOne default EDR logs:
+
+- Information about the Endpoint
+- Information about the SentinelOne agent installed
+- Activity type and its description (authentication access, user management, 2FA setup, etc.)
+
+Depending on the context of the log, additional content could be available, such as:
+
+- Process information
+- Network information
+- File information
+
+!!! Tip
+    For advanced log collection, we suggest you use the SentinelOne Cloud Funnel 2.0 option, as described in the [SentinelOne Cloud Funnel 2.0 integration](sentinelone_cloudfunnel2.0.md).
+
+
+{!_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md!}
+
+{!_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md!}
+
+## Configure
+
+This setup guide will show you how to pull events produced by SentinelOne EDR on [Sekoia.io](https://app.sekoia.io/). To collect the SentinelOne logs, you must generate an API token from the SentinelOne Management Console. We recommend creating a Service User to use a dedicated account for the integration.
+
+**Important**: If you have multiple SentinelOne Management Consoles, you must generate an API Token for each one.
+
+!!! note
+    The API token you generate is time-limited. To generate a new token (and invalidate the old one), you will need to copy the Service User. Please refer to the SentinelOne documentation to obtain guidance on how to do this action.
+
+1. In the SentinelOne management console, go to `Settings`, select `USERS`, and then select `Service Users`.
+2. Create a new `Service User` by specifying a name and an expiration date.
+3. Choose the `Scope` of the `Service User`: `Global`, `Account` or `Site`, select the appropriate `Account(s)` or `Site(s)` and the role to grant to the `Service User`
+4. Select `Create User` and copy the generated API token.
+
+!!! note
+    A `Service User` with the `Site Admin` or `IR Team` role can mitigate threats from [Sekoia.io](https://app.sekoia.io/) using [SentinelOne playbook actions](/xdr/features/automate/library/sentinelone.md). A user with the `Site Viewer` role can view activity events and threats but cannot take action.
+
+## Create a SentinelOne intake
+
+In the [Sekoia.io Operation Center](https://app.sekoia.io/operations/intakes):
+
+1. Go to the `Intakes` page.
+2. Search for `SentinelOne` by navigating the page or using the search bar.
+3. Click `Create` under the relevant object (SentinelOne EDR or SentinelOne Cloud Funnel).
+4. Enter the `Name` of your intake that will be displayed, select the related `Entity` from the dropdown, and then select `Automatically`:
+
+![SentinelOne EDR Intake creation](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone-configure-intake.png){: style="max-width:60%"}
+
+5. Enter the previously downloaded SentinelOne `API token` and the related `URL Domain`:
+
+![SentinelOne EDR secret](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone_edr_api.png){: style="max-width:60%"}

docs/integration/categories/endpoint/stormshield_endpoint.md

@@ -0,0 +1,57 @@
+uuid: f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0
+name: Stormshield SES
+type: intake
+
+## Overview
+
+Stormshield SES is a comprehensive cybersecurity solution designed to protect individual devices, such as computers and servers, from various cyber threats and attacks. It encompasses advanced features like antivirus, firewall, intrusion detection and prevention, application control, and data encryption. This solution aims to safeguard endpoints from malware, ransomware, phishing, and other malicious activities, while providing centralized management and real-time threat visibility for enhanced security posture.
+
+{!_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md!}
+
+{!_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md!}
+
+## Configure
+
+This section will guide you to forward Stormshield SES logs to SEKOIA.IO
+
+### Create the intake
+
+Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Stormshield Endpoint Security.
+
+### Configure the Agent handler
+
+1. Log on out Stormshield SES console
+2. Go to `Backoffice > Agent handlers`
+3. Select an Agent handler group or create a new one
+4. On the Agent handler group, in the `Syslog servers`, click `+ Add a server`
+   ![Agent handlers](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_01.png){: style="max-width:100%"} 
+5. In the syslog server configuration:
+
+   1. Set the address of the syslog destination to `intake.sekoia.io`
+   2. Select `TCP/TLS` as the protocol
+   3. Define the syslog destination port to 10514
+   4. Select `Raw Json` as message Content
+   5. Select `Non-Transparent-Framing` as transfert-type
+   6. In the `Structured data` input, add `[SEKOIA@53288 intake_key="<YOUR_INTAKE_KEY>"]` with our intake key as replacement of the placeholder
+   7. Save the configuration
+   ![Configuration](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_02.png){: style="max-width:100%"} 
+
+## Troubleshooting
+
+### The SES Agent handler cannot authenticate the Sekoia.io syslog endpoint
+
+The Sekoia.io syslog endpoint is secured with a [Letsencrypt](https://letsencrypt.org) certificate.
+
+According to our SES Agent handler installation, it may be necessary to install `ISRG ROOT X1` certificate in our **trusted root certification authorities certificate store**:
+
+On the SES Agent handler machines: 
+
+1. Download the `ISRG ROOT X1` certificate: <https://letsencrypt.org/certs/isrgrootx1.pem>
+2. Rename the downloaded certificate by suffixing it with the extension`.crt`
+3. Import the certificate in the trusted root certification authorities certificate store of the machine
+   ![Certificate store](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_03.png){: style="max-width:100%"} 
+
+
+## Further Readings
+
+You can read all documentation [here](https://documentation.stormshield.eu/SES/v7.2/en/Content/PDF/ses-en-administration_guide-v7.2.pdf)

docs/integration/categories/network/efficientip_solidserver_ddi.md

@@ -0,0 +1,69 @@
+uuid: f95fea50-533c-4897-9272-2f8361e63644
+name: EfficientIP SOLIDServer DDI
+type: intake
+
+## Overview
+
+EfficientIP SOLIDserver suite of appliances is designed to deliver highly scalable, secure and robust virtual and hardware appliances for critical IPAM-DNS-DHCP-NTP-TFTP services.
+
+!!! warning
+    Important note - This format is currently in beta. We highly value your feedback to improve its performance.
+
+## Supported versions
+
+This integration supports the following versions:
+
+- 8.3.x
+
+## Supported events
+
+This integration supports the following events:
+
+- DNS logs from named
+
+{!_shared_content/operations_center/detection/generated/suggested_rules_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.md!}
+
+{!_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md!}
+
+## Configure
+
+In this guide, you will configure the gateway to forward events to syslog.
+
+### Prerequisites
+
+An internal syslog concentrator is required to collect and forward events to Sekoia.io.
+
+
+### Enable Syslog forwarding
+
+1. Log in SOLIDServer console
+2. On the left panel, click `Administration`
+
+    ![Adminstation](/assets/operation_center/integration_catalog/network/efficientip_solidserver/01 - administration.png)
+
+3. In the `monitoring` section, click `Configuration`
+
+    ![Configuration](/assets/operation_center/integration_catalog/network/efficientip_solidserver/02 - configuration.png)
+
+4. In the menu, click `+ Add`
+
+    ![syslog](/assets/operation_center/integration_catalog/network/efficientip_solidserver/03 - syslog.png)
+
+5. In the `Services` drop-dwon, select the following services:
+	- `named`
+
+6. In the `Target server`, fill the ip address and the port of the log concentrator.
+
+    ![target](/assets/operation_center/integration_catalog/network/efficientip_solidserver/04 - target.png)
+
+7. Click `OK`
+
+
+## Create the intake
+
+Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `EfficientIP SOLIDServer DDI`.
+
+
+## Forward logs to Sekoia.io
+
+Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io.