From 6c4292a2303330cef3a28be5003ade1ff7ccd6e2 Mon Sep 17 00:00:00 2001 From: Bivic Date: Thu, 1 Aug 2024 10:59:49 +0200 Subject: [PATCH 1/3] add old pages for compatibility --- .../categories/endpoint/cybereason_malop.md | 41 ++++++++ .../endpoint/cybereason_malop_activity.md | 53 ++++++++++ docs/integration/categories/endpoint/ibm_i.md | 72 ++++++++++++++ .../categories/endpoint/sentinelone.md | 59 +++++++++++ .../endpoint/stormshield_endpoint.md | 57 +++++++++++ .../network/efficientip_solidserver_ddi.md | 69 +++++++++++++ .../categories/network/ekinops_oneos.md | 50 ++++++++++ .../categories/network/juniper_switches.md | 98 +++++++++++++++++++ .../categories/network/sesameit_jizo.md | 44 +++++++++ .../network_security/bitsight_spm.md | 51 ++++++++++ mkdocs.yml | 20 ++++ 11 files changed, 614 insertions(+) create mode 100644 docs/integration/categories/endpoint/cybereason_malop.md create mode 100644 docs/integration/categories/endpoint/cybereason_malop_activity.md create mode 100644 docs/integration/categories/endpoint/ibm_i.md create mode 100644 docs/integration/categories/endpoint/sentinelone.md create mode 100644 docs/integration/categories/endpoint/stormshield_endpoint.md create mode 100644 docs/integration/categories/network/efficientip_solidserver_ddi.md create mode 100644 docs/integration/categories/network/ekinops_oneos.md create mode 100644 docs/integration/categories/network/juniper_switches.md create mode 100644 docs/integration/categories/network/sesameit_jizo.md create mode 100644 docs/integration/categories/network_security/bitsight_spm.md diff --git a/docs/integration/categories/endpoint/cybereason_malop.md b/docs/integration/categories/endpoint/cybereason_malop.md new file mode 100644 index 0000000000..6d012bc13d --- /dev/null +++ b/docs/integration/categories/endpoint/cybereason_malop.md 
@@ -0,0 +1,41 @@ +uuid: 9f89b634-0531-437b-b060-a9d9f2d270db +name: Cybereason MalOp +type: intake + +## Overview + +Cybereason offers a set of Endpoint Detection and Response (EDR) solutions. Through the Cybereason platform, all suspicious operations will be gathered in MalOps, a multi-stage visualizations of device activities. + +!!! warning + If your tenant uses an allowlist to authorize connections, please ensure that Sekoia.io's IPs are allowed. + See our [FAQ](../../../../FAQ.md) to get our IPs. + + +{!_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md!} + +## Configure + +This setup guide will lead you into forwarding all MalOp activities to Sekoia.io. + +### Prerequisites + +To forward events produced by Cybereason to Sekoia.io, you will need your Cybereason username and password. + +!!! warning + Please ensure the user has, at least, `Analyst L2` rights granted. + +### Create your intake + +On Sekoia.io, go to the [Intakes page](https://app.sekoia.io/operations/intakes/new) and generate a new intake with the `Cybereason MalOp` format. +Keep aside the intake key. + +### Pull events + +To start pulling events, you have to: + +1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from Cybereason](../../../../automate/library/cybereason) module. +2. Set up the module configuration with your Cybereason username and password. +3. Set up the trigger configuration with your intake key +4. Start the playbook and enjoy your [events](https://app.sekoia.io/operations/events). \ No newline at end of file diff --git a/docs/integration/categories/endpoint/cybereason_malop_activity.md b/docs/integration/categories/endpoint/cybereason_malop_activity.md new file mode 100644 index 0000000000..305cdb5635 --- /dev/null 
+++ b/docs/integration/categories/endpoint/cybereason_malop_activity.md 
@@ -0,0 +1,53 @@ +uuid: 0de050fb-3f56-4c7a-a9b6-76bf5298a617 +name: Cybereason MalOp activity +type: intake + +## Overview + +Cybereason offers a set of Endpoint Detection and Response (EDR) solutions. Through the Cybereason platform, all suspicious operations will be gathered in MalOps, a multi-stage visualizations of device activities. + +Please find below information available in MalOp activities: + +- the list of affected machines +- the list of affected users +- all suspicious network connections +- all suspicious executions + +{!_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md!} + +## Configure + +This setup guide will lead you into forwarding all MalOp activities to Sekoia.io. + +### Create your intake + +On Sekoia.io, go to the [Intakes page](https://app.sekoia.io/operations/intakes/new) and generate a new intake with the `Cybereason MalOp Activities` format. +Keep aside the intake key. + +### Setup the Syslog collector + +Check the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to install and set up the syslog collector. + +Once the setup has completed, write down the IP address and port. This information will be used in the next step. + +### Setup the CybeReason CEF Forwarder + +Contact the Cybereason Customer Success Manager to get the Cybereason CEF Forwarder. + +Connect to the [Cybereason Partner Nest](https://nest.cybereason.com/user/login) and follow [these instructions](https://nest.cybereason.com/node/3517551) for the installation of the CEF forwarder. + +Create a [new configuration](https://nest.cybereason.com/node/3517426) to forward MalOp activities to the syslog collector: fill `host` and `port` with the address and the listening port of the syslog collector. 
+ +### Start the forwarding + +Start the CEF Forwarder with your new configuration + +```bash +$ cybereason-forwarders/scripts/run_forwarder.sh config/.json +``` + +### Enjoy your events + +Go to the [Events page](https://app.sekoia.io/operations/events) and wait for your incoming events! \ No newline at end of file diff --git a/docs/integration/categories/endpoint/ibm_i.md b/docs/integration/categories/endpoint/ibm_i.md new file mode 100644 index 0000000000..22b91f1089 --- /dev/null +++ b/docs/integration/categories/endpoint/ibm_i.md 
@@ -0,0 +1,72 @@ +uuid: fc03f783-5039-415e-915a-a4b010d9a872 +name: IBM iSeries (AS/400) +type: intake + +## Overview + +IBM iSeries (AS/400) is a robust, scalable family of midrange business computers running the IBM i operating system, known for its integrated DB2 database and strong security features. + +!!! warning + Important - This integration requires the installation of Syslog Reporting Manager on IBM i, for which a fee is charged. + +!!! warning + Important note - This format is currently in beta. We highly value your feedback to improve its performance. + +## Supported versions + +This integration supports the following versions: + +- 7.3 +- 7.4 +- 7.5 + +## Supported events + +This integration supports the following events: + +- Audit journal (Command entry, Authority failure) +- Integrated file system monitoring +- Message queues monitoring +- Database monitoring +- History logs + +{!_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md!} + +## Configure + +In this guide, you will configure the gateway to forward events to syslog. + +### Prerequisites + +1. An internal syslog concentrator is required to collect and forward events to Sekoia.io. +2. Syslog Reporting Manager installed on the iSeries. See [docs](https://www.ibm.com/support/pages/ibm-i-security) for more info. + +### Forward IBM iSeries events + +1. Ensure having `Syslog Reporting Manager` installed and configured +2. On the SLMON menu, type `CFGSRM` +3. On the Configure global settings, select Option `2` +4. Type the address and the port of the log concentrator +5. Select `RFC5424` as `Syslog format` +6. Select `CEF` as `SIEM message format` +7. Select the protocol for the log concentrator (`TCP` is recommended) +8. 
At the bottom of the screen, press `Enter` to save the changes + +### Enable Audit logs (optional) + +1. On the SLMON menu, type `CFGSRM` +2. On the Configure global settings, select Option `10` +3. Enable the following type: + - AF: Authority failures + - CD: Command string audit +4. Press `F3` to save the changes + +## Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format IBM iSeries. + +## Send logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. \ No newline at end of file diff --git a/docs/integration/categories/endpoint/sentinelone.md b/docs/integration/categories/endpoint/sentinelone.md new file mode 100644 index 0000000000..3f37cc520b --- /dev/null +++ b/docs/integration/categories/endpoint/sentinelone.md 
@@ -0,0 +1,59 @@ +uuid: 07c556c0-0675-478c-9803-e7990afe78b6 +name: SentinelOne +type: intake + +## Overview + +SentinelOne is an Endpoint Detection and Response (EDR) solution. By using the standard SentinelOne EDR logs collection by API, you will be provided with high-level information on the detection and investigation of your EDR. + +Please find below a limited list of field types that are available with SentinelOne default EDR logs: + +- Information about the Endpoint +- Information about the SentinelOne agent installed +- Activity type and its description (authentication access, user management, 2FA setup, etc.) + +Depending on the context of the log, additional content could be available, such as: + +- Process information +- Network information +- File information + +!!! Tip + For advanced log collection, we suggest you use the SentinelOne Cloud Funnel 2.0 option, as described in the [SentinelOne Cloud Funnel 2.0 integration](sentinelone_cloudfunnel2.0.md). + + +{!_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md!} + +## Configure + +This setup guide will show you how to pull events produced by SentinelOne EDR on [Sekoia.io](https://app.sekoia.io/). To collect the SentinelOne logs, you must generate an API token from the SentinelOne Management Console. We recommend creating a Service User to use a dedicated account for the integration. + +**Important**: If you have multiple SentinelOne Management Consoles, you must generate an API Token for each one. + +!!! note + The API token you generate is time-limited. To generate a new token (and invalidate the old one), you will need to copy the Service User. Please refer to the SentinelOne documentation to obtain guidance on how to do this action. + +1. 
In the SentinelOne management console, go to `Settings`, select `USERS`, and then select `Service Users`. +2. Create a new `Service User` by specifying a name and an expiration date. +3. Choose the `Scope` of the `Service User`: `Global`, `Account` or `Site`, select the appropriate `Account(s)` or `Site(s)` and the role to grant to the `Service User` +4. Select `Create User` and copy the generated API token. + +!!! note + A `Service User` with the `Site Admin` or `IR Team` role can mitigate threats from [Sekoia.io](https://app.sekoia.io/) using [SentinelOne playbook actions](/xdr/features/automate/library/sentinelone.md). A user with the `Site Viewer` role can view activity events and threats but cannot take action. + +## Create a SentinelOne intake + +In the [Sekoia.io Operation Center](https://app.sekoia.io/operations/intakes): + +1. Go to the `Intakes` page. +2. Search for `SentinelOne` by navigating the page or using the search bar. +3. Click `Create` under the relevant object (SentinelOne EDR or SentinelOne Cloud Funnel). +4. Enter the `Name` of your intake that will be displayed, select the related `Entity` from the dropdown, and then select `Automatically`: + +![SentinelOne EDR Intake creation](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone-configure-intake.png){: style="max-width:60%"} + +5. Enter the previously downloaded SentinelOne `API token` and the related `URL Domain`: + +![SentinelOne EDR secret](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone_edr_api.png){: style="max-width:60%"} \ No newline at end of file diff --git a/docs/integration/categories/endpoint/stormshield_endpoint.md b/docs/integration/categories/endpoint/stormshield_endpoint.md new file mode 100644 index 0000000000..0a0268c7aa --- /dev/null +++ b/docs/integration/categories/endpoint/stormshield_endpoint.md 
@@ -0,0 +1,57 @@ +uuid: f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0 +name: Stormshield SES +type: intake + +## Overview + +Stormshield SES is a comprehensive cybersecurity solution designed to protect individual devices, such as computers and servers, from various cyber threats and attacks. It encompasses advanced features like antivirus, firewall, intrusion detection and prevention, application control, and data encryption. This solution aims to safeguard endpoints from malware, ransomware, phishing, and other malicious activities, while providing centralized management and real-time threat visibility for enhanced security posture. + +{!_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md!} + +## Configure + +This section will guide you to forward Stormshield SES logs to SEKOIA.IO + +### Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Stormshield Endpoint Security. + +### Configure the Agent handler + +1. Log on out Stormshield SES console +2. Go to `Backoffice > Agent handlers` +3. Select an Agent handler group or create a new one +4. On the Agent handler group, in the `Syslog servers`, click `+ Add a server` + ![Agent handlers](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_01.png){: style="max-width:100%"} +5. In the syslog server configuration: + + 1. Set the address of the syslog destination to `intake.sekoia.io` + 2. Select `TCP/TLS` as the protocol + 3. Define the syslog destination port to 10514 + 4. Select `Raw Json` as message Content + 5. Select `Non-Transparent-Framing` as transfert-type + 6. In the `Structured data` input, add `[SEKOIA@53288 intake_key=""]` with our intake key as replacement of the placeholder + 7. 
Save the configuration + ![Configuration](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_02.png){: style="max-width:100%"} + +## Troubleshooting + +### The SES Agent handler cannot authenticate the Sekoia.io syslog endpoint + +The Sekoia.io syslog endpoint is secured with a [Letsencrypt](https://letsencrypt.org) certificate. + +According to our SES Agent handler installation, it may be necessary to install `ISRG ROOT X1` certificate in our **trusted root certification authorities certificate store**: + +On the SES Agent handler machines: + +1. Download the `ISRG ROOT X1` certificate: +2. Rename the downloaded certificate by suffixing it with the extension`.crt` +3. Import the certificate in the trusted root certification authorities certificate store of the machine + ![Certificate store](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_03.png){: style="max-width:100%"} + + +## Further Readings + +You can read all documentation [here](https://documentation.stormshield.eu/SES/v7.2/en/Content/PDF/ses-en-administration_guide-v7.2.pdf) \ No newline at end of file diff --git a/docs/integration/categories/network/efficientip_solidserver_ddi.md b/docs/integration/categories/network/efficientip_solidserver_ddi.md new file mode 100644 index 0000000000..1a4520bc79 --- /dev/null +++ b/docs/integration/categories/network/efficientip_solidserver_ddi.md 
@@ -0,0 +1,69 @@ +uuid: f95fea50-533c-4897-9272-2f8361e63644 +name: EfficientIP SOLIDServer DDI +type: intake + +## Overview + +EfficientIP SOLIDserver suite of appliances is designed to deliver highly scalable, secure and robust virtual and hardware appliances for critical IPAM-DNS-DHCP-NTP-TFTP services. + +!!! warning + Important note - This format is currently in beta. We highly value your feedback to improve its performance. + +## Supported versions + +This integration supports the following versions: + +- 8.3.x + +## Supported events + +This integration supports the following events: + +- DNS logs from named + +{!_shared_content/operations_center/detection/generated/suggested_rules_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md!} + +## Configure + +In this guide, you will configure the gateway to forward events to syslog. + +### Prerequisites + +An internal syslog concentrator is required to collect and forward events to Sekoia.io. + + +### Enable Syslog forwarding + +1. Log in SOLIDServer console +2. On the left panel, click `Administration` + + ![Adminstation](/assets/operation_center/integration_catalog/network/efficientip_solidserver/01 - administration.png) + +3. In the `monitoring` section, click `Configuration` + + ![Configuration](/assets/operation_center/integration_catalog/network/efficientip_solidserver/02 - configuration.png) + +4. In the menu, click `+ Add` + + ![syslog](/assets/operation_center/integration_catalog/network/efficientip_solidserver/03 - syslog.png) + +5. In the `Services` drop-dwon, select the following services: + - `named` + +6. In the `Target server`, fill the ip address and the port of the log concentrator. + + ![target](/assets/operation_center/integration_catalog/network/efficientip_solidserver/04 - target.png) + +7. 
Click `OK` + + +## Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `EfficientIP SOLIDServer DDI`. + + +## Forward logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. \ No newline at end of file diff --git a/docs/integration/categories/network/ekinops_oneos.md b/docs/integration/categories/network/ekinops_oneos.md new file mode 100644 index 0000000000..7be0eb3985 --- /dev/null +++ b/docs/integration/categories/network/ekinops_oneos.md 
@@ -0,0 +1,50 @@ +uuid: 4760d0bc-2194-44e5-a876-85102b18d832 +name: Ekinops OneOS +type: intake + +## Overview + + Ekinops OneOS is a comprehensive and flexible network operating system designed to meet the evolving needs of modern telecommunications networks. It provides a unified platform for managing and orchestrating a wide range of network functions, including routing, switching, security, and more. With its modular architecture and open APIs, OneOS enables network operators to easily deploy and scale their networks, while also providing the flexibility to integrate with third-party applications and services. This allows for greater innovation and agility in network operations, ultimately leading to improved service delivery and customer satisfaction. + +{!_shared_content/operations_center/detection/generated/suggested_rules_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md!} + +## Configure + +This setup guide will show you how to forward your Ekinops OneOS logs to Sekoia.io by means of a syslog transport channel. + +### Prerequisites + +- Have an internal log concentrator + +### Enable Syslog forwarding logs + +To enable syslog forwarding logs, you must follow the steps below: + +1. Connect on the Ekinops OneOS console +2. Add the log concentrator as a new syslog server +```bash +localhost#configure terminal +Enter configuration commands, one per line. End with CNTL/Z. +localhost(config)#syslog server 23 tcp +localhost(config)#logging syslog filter all +localhost(config)#logging syslog informational +localhost(config)#end +localhost#write mem +``` +3. Check the configuration +```bash +localhost#show syslog servers +S.No Syslog Server Facility VrfName Protocol port Interface Bytes-Sent +1 23 default +``` +4. 
exit the console + +### Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Ekinops OneOS. + +### Forward logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. \ No newline at end of file diff --git a/docs/integration/categories/network/juniper_switches.md b/docs/integration/categories/network/juniper_switches.md new file mode 100644 index 0000000000..ce7f7a0dca --- /dev/null +++ b/docs/integration/categories/network/juniper_switches.md 
@@ -0,0 +1,98 @@ +uuid: b1545bb3-6f55-4ba4-ac80-d649040a127c +name: Juniper Network Switches +type: intake + +## Overview + +Juniper Networks' JunOS is an advanced operating system powering Juniper's networking devices, renowned for its reliability, performance, and comprehensive feature set for routing, switching, and security functionalities in enterprise networks. + +- **Vendor**: Juniper +- **Plan**: Defend Prime +- **Supported environment**: On prem +- **Version Compatibility**: 23.2 +- **Detection based on**: Telemetry + +!!! warning + Important note - This format is currently in beta. We highly value your feedback to improve its performance. + + +## Supported events + +This integration supports the following events: + +- Firewall events + +## Configure +This setup guide will show you how to forward your Juniper Switches logs to Sekoia.io by means of a syslog transport channel. + +### Prerequisites + +- Have an internal log concentrator + +### Enable Syslog forwarding +1. Log into the firewall console +2. Configure the log forwarding to the log concentrator +```shell +root@:~ #cli + +root> configure + +[edit] +root# set system syslog host firewall any + +[edit] +root# set system syslog host port + +[edit] +root# commit +``` + +3. Configure a firewall filters to log events (see [Juniper documentation](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-option-logging-example.html#configuration1385__d58769e137) for more details) +```shell +user@:~ #cli + +user> configure + +[edit] +user# edit firewall family filter + +[edit firewall family filter ] +user# set term then syslog + +[edit firewall family filter ] +user# commit +``` + +4. 
Apply the filter to a logical interface (see [Juniper documentation](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-option-logging-example.html#configuration1385__d58769e196) for more details) +```shell +user@:~ #cli + +user> configure + +[edit] +user# edit interfaces unit 0 family + +[edit interfaces unit 0 family ] +user# set filter input + +[edit interfaces unit 0 family ] +user# commit +``` +5. Exit the console + +### Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Juniper Switches. + +### Forward logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. + + +{!_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c_sample.md!} + + +{!_shared_content/integration/detection_section.md!} + +{!_shared_content/operations_center/detection/generated/suggested_rules_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.md!} +{!_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md!} \ No newline at end of file diff --git a/docs/integration/categories/network/sesameit_jizo.md b/docs/integration/categories/network/sesameit_jizo.md new file mode 100644 index 0000000000..5d9e8c7d60 --- /dev/null +++ b/docs/integration/categories/network/sesameit_jizo.md 
@@ -0,0 +1,44 @@ +uuid: 46e14ac3-0b79-42d6-8630-da4fcdb8d5f1 +name: Sesame it Jizo NDR +type: intake + +## Overview +Sesame it Jizo NDR is a network observability platform that enables decision-makers to anticipate, identify and block cyber-attacks. + +!!! warning + Important note - This format is currently in beta. We highly value your feedback to improve its performance. + + +{!_shared_content/operations_center/detection/generated/suggested_rules_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md!} + + +## Configure + +In this guide, you will configure the Jizo NDR to forward events to syslog. + +### Prerequisites + +An internal syslog concentrator is required to collect and forward events to Sekoia.io. + +### Configure log settings + +1. Log into jizo console +2. Configure Syslog Primary to receive alerts Logs + + ```shell + syslog_conf set 2 + ``` + + with for protocol (tcp or udp) used to send Logs and 2 to indicate first IdsLog (syslog primary) + + +## Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Sesame it Jizo NDR`. + + +## Forward logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. \ No newline at end of file diff --git a/docs/integration/categories/network_security/bitsight_spm.md b/docs/integration/categories/network_security/bitsight_spm.md new file mode 100644 index 0000000000..995bcd3d06 --- /dev/null +++ b/docs/integration/categories/network_security/bitsight_spm.md 
@@ -0,0 +1,51 @@ +uuid: 57eda191-2f93-4fd9-99a2-fd8ffbcdff50 +name: Bitsight SPM +type: intake + +## Overview + +Bitsight Security Performance Management enables organizations to continuously monitor, measure, and improve their cybersecurity performance by providing actionable insights and metrics on security posture and risk. + +!!! warning + Important note - This format is currently in beta. We highly value your feedback to improve its performance. + +## Supported events + +This integration supports the following events: + +- Findings (with vulnerability detail and asset detail) + +{!_shared_content/operations_center/detection/generated/suggested_rules_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md!} + +## Configure + +This setup guide will show you how to provide an integration between Bitsight SPM and Sekoia.io. + +### Generate the API token + +To collect the events from the Cato Networks platform, an API token is required: + +1. Make sure the Bitsight user used for the integration has at least Reader permissions. +2. Log in to Bitsight Security Ratings Platform +3. Go to `Settings` -> `Account` -> `API Token` -> `Generate New Token (API Key)` +4. Create new API Token + + ![Personal settings](/assets/instructions/bitsight/new_token.png) + + +### Create an intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Bitsight SPM`. Copy the intake key. + +### Pull events + +To start to pull events, you have to: + +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the `Bitsight SPM` trigger +2. Set up the module configuration with the Api Token and Company UUIds. Set up the trigger configuration with the intake key +3. 
Start the playbook and enjoy your events + +## Further readings +- [Bitsight API Token Management](https://help.bitsighttech.com/hc/en-us/articles/115014888388-API-Token-Management) \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index fc62046203..21a3761371 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -345,10 +345,13 @@ nav: - Check Point Harmony Mobile: integration/categories/endpoint/checkpoint_harmony_mobile.md - CrowdStrike Falcon: integration/categories/endpoint/crowdstrike_falcon.md - CrowdStrike Falcon Telemetry: integration/categories/endpoint/crowdstrike_falcon_telemetry.md + - Cybereason MalOp: integration/categories/endpoint/cybereason_malop.md + - Cybereason MalOp activity: integration/categories/endpoint/cybereason_malop_activity.md - Eset Protect: integration/categories/endpoint/eset_protect.md - Google Kubernetes Engine (GKE): integration/categories/endpoint/google_kubernetes_engine.md - Harfanglab: integration/categories/endpoint/harfanglab.md - IBM AIX: integration/categories/endpoint/ibm_aix.md + - IBM iSeries (AS/400): integration/categories/endpoint/ibm_i.md - Kaspersky Endpoint Security: integration/categories/endpoint/kaspersky_endpoint_security.md - Linux AuditBeat: integration/categories/endpoint/auditbeat_linux.md - Log Insight Windows: integration/categories/endpoint/log_insight_windows.md 
@@ -356,9 +359,11 @@ nav: - Microsoft Intune: integration/categories/endpoint/microsoft_intune.md - Palo Alto Cortex XDR (EDR): integration/categories/endpoint/paloalto_cortex_edr.md - Panda Security Aether: integration/categories/endpoint/panda_security_aether.md + - SentinelOne: integration/categories/endpoint/sentinelone.md - SentinelOne Cloud Funnel 2.0: integration/categories/endpoint/sentinelone_cloudfunnel2.0.md - Sekoia.io Endpoint Agent: integration/categories/endpoint/sekoiaio.md - Sophos EDR: integration/categories/endpoint/sophos_edr.md + - Stormshield SES: docs/integration/categories/endpoint/stormshield_endpoint.md - Symantec Endpoint Protection: integration/categories/endpoint/symantec_epp.md - TEHTRIS Endpoint Detection & Reponse: integration/categories/endpoint/tehtris_edr.md - Tanium: integration/categories/endpoint/tanium.md @@ -401,12 +406,15 @@ nav: - Cloudflare Gateway HTTP: integration/categories/network/cloudflare-gateway-http.md - Cloudflare Gateway Network: integration/categories/network/cloudflare-gateway-network.md - Cloudflare HTTP requests: integration/categories/network/cloudflare-http-requests.md + - EfficientIP SOLIDServer DDI: integration/categories/network/efficientip_solidserver_ddi.md + - Ekinops OneOS: integration/categories/network/ekinops_oneos.md - F5 BIG-IP: integration/categories/network/f5-big-ip.md - Forcepoint Secure Web Gateway: integration/categories/network/forcepoint_web_gateway.md - Google VPC Flow Logs: integration/categories/network/google_vpc_flow_logs.md - HAProxy: integration/categories/network/haproxy.md - ISC DHCP: integration/categories/network/dhcpd.md - Infoblox DDI: integration/categories/network/infoblox_ddi.md + - Juniper Network Switches: integration/categories/network/juniper_switches.md - Microsoft Always On VPN: integration/categories/network/microsoft_always_on_vpn.md - NGINX: integration/categories/network/nginx.md - Netfilter: integration/categories/network/netfilter.md 
@@ -415,6 +423,7 @@ nav: - OpenVPN: integration/categories/network/openvpn.md - Pulse Connect Secure: integration/categories/network/pulse.md - Squid: integration/categories/network/squid.md + - Sesame it Jizo NDR: integration/categories/network/sesameit_jizo.md - Umbrella DNS Logs: integration/categories/network/umbrella_dns.md - Unbound: integration/categories/network/unbound.md - Network Security: @@ -424,6 +433,7 @@ nav: - Amazon WAF: integration/categories/network_security/aws_waf.md - Azure Front Door: integration/categories/network_security/azure_front_door.md - Azure Network Watcher (NSG flow logs): integration/categories/network_security/azure_network_watcher.md + - Bitsight SPM: docs/integration/categories/network_security/bitsight_spm.md - Broadcom Cloud Secure Web Gateway: integration/categories/network_security/broadcom_cloud_swg.md - Broadcom Edge Secure Web Gateway: integration/categories/network_security/broadcom_edge_swg.md - Check Point: integration/categories/network_security/checkpoint.md @@ -639,6 +649,7 @@ plugins: xdr/features/collect/integrations/cloud_and_saas/azure/azure_network_watcher.md: integration/categories/network_security/azure_network_watcher.md xdr/features/collect/integrations/cloud_and_saas/azure/azure_windows.md: integration/categories/endpoint/azure_windows.md xdr/features/collect/integrations/cloud_and_saas/azure/entra_id.md: integration/categories/iam/entra_id.md + xdr/features/collect/integrations/cloud_and_saas/bitsight_spm.md: integration/categories/network_security/bitsight_spm.md xdr/features/collect/integrations/cloud_and_saas/broadcom_cloud_swg.md: integration/categories/network_security/broadcom_cloud_swg.md xdr/features/collect/integrations/cloud_and_saas/cato_sase.md: integration/categories/network/cato_sase.md xdr/features/collect/integrations/cloud_and_saas/cisco_duo_security.md: integration/categories/iam/cisco_duo_security.md 
@@ -695,18 +706,23 @@ plugins: xdr/features/collect/integrations/endpoint/checkpoint_harmony_mobile.md: integration/categories/endpoint/checkpoint_harmony_mobile.md xdr/features/collect/integrations/endpoint/crowdstrike_falcon.md: integration/categories/endpoint/crowdstrike_falcon.md xdr/features/collect/integrations/endpoint/crowdstrike_falcon_telemetry.md: integration/categories/endpoint/crowdstrike_falcon_telemetry.md + xdr/features/collect/integrations/endpoint/cybereason_malop_activity.md: integration/categories/endpoint/cybereason_malop_activity.md + xdr/features/collect/integrations/endpoint/cybereason_malop.md: integration/categories/endpoint/cybereason_malop.md xdr/features/collect/integrations/endpoint/darktrace_threat_visualizer.md: integration/categories/network_security/darktrace_threat_visualizer.md xdr/features/collect/integrations/endpoint/daspren_parad.md: integration/categories/network_security/daspren_parad.md xdr/features/collect/integrations/endpoint/eset_protect.md: integration/categories/endpoint/eset_protect.md xdr/features/collect/integrations/endpoint/harfanglab.md: integration/categories/endpoint/harfanglab.md xdr/features/collect/integrations/endpoint/ibm_aix.md: integration/categories/endpoint/ibm_aix.md + xdr/features/collect/integrations/endpoint/ibm_i.md: integration/categories/endpoint/ibm_i.md xdr/features/collect/integrations/endpoint/linux.md: integration/categories/endpoint/linux.md xdr/features/collect/integrations/endpoint/kaspersky_endpoint_security.md: integration/categories/endpoint/kaspersky_endpoint_security.md xdr/features/collect/integrations/endpoint/log_insight_windows.md: integration/categories/endpoint/log_insight_windows.md xdr/features/collect/integrations/endpoint/microsoft_intune.md: integration/categories/endpoint/microsoft_intune.md xdr/features/collect/integrations/endpoint/paloalto_cortex_edr.md: integration/categories/endpoint/paloalto_cortex_edr.md 
xdr/features/collect/integrations/endpoint/panda_security_aether.md: integration/categories/endpoint/panda_security_aether.md + xdr/features/collect/integrations/endpoint/sentinelone.md: integration/categories/endpoint/sentinelone.md xdr/features/collect/integrations/endpoint/sophos_edr.md: integration/categories/endpoint/sophos_edr.md + xdr/features/collect/integrations/endpoint/stormshield_endpoint.md: docs/integration/categories/endpoint/stormshield_endpoint.md xdr/features/collect/integrations/endpoint/symantec_epp.md: integration/categories/endpoint/symantec_epp.md xdr/features/collect/integrations/endpoint/tanium.md: integration/categories/endpoint/tanium.md xdr/features/collect/integrations/endpoint/tehtris_edr.md: integration/categories/endpoint/tehtris_edr.md @@ -731,6 +747,8 @@ plugins: xdr/features/collect/integrations/network/cisco/cisco_nx_os.md: integration/categories/network/cisco_nx_os.md xdr/features/collect/integrations/network/cisco/cisco_wsa.md: integration/categories/network_security/cisco_wsa.md xdr/features/collect/integrations/network/citrix_netscaler_adc.md: integration/categories/network/citrix_netscaler_adc.md + xdr/features/collect/integrations/network/ekinops_oneos.md: integration/categories/network/ekinops_oneos.md + xdr/features/collect/integrations/network/efficientip_solidserver_ddi.md: integration/categories/network/efficientip_solidserver_ddi.md xdr/features/collect/integrations/network/f5-big-ip.md: integration/categories/network/f5-big-ip.md xdr/features/collect/integrations/network/forcepoint_web_gateway.md: integration/categories/network/forcepoint_web_gateway.md xdr/features/collect/integrations/network/fortigate.md: integration/categories/network_security/fortigate.md 
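Review bot: in the redirects hunk, the target for the Stormshield page is `docs/integration/categories/endpoint/stormshield_endpoint.md`, whereas every other redirect target (including the new `sentinelone.md` and `ibm_i.md` lines right beside it) is docs-relative. The redirect would send old links to a path that does not exist in the built site; use `xdr/features/collect/integrations/endpoint/stormshield_endpoint.md: integration/categories/endpoint/stormshield_endpoint.md`.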
@@ -738,6 +756,7 @@ plugins: xdr/features/collect/integrations/network/fortiweb.md: integration/categories/network_security/fortiweb.md xdr/features/collect/integrations/network/gatewatcher_aioniq.md: integration/categories/network_security/gatewatcher_aioniq.md xdr/features/collect/integrations/network/infoblox_ddi.md: integration/categories/network/infoblox_ddi.md + xdr/features/collect/integrations/network/juniper_switches.md: integration/categories/network/juniper_switches.md xdr/features/collect/integrations/network/microsoft_always_on_vpn.md: integration/categories/network/microsoft_always_on_vpn.md xdr/features/collect/integrations/network/netfilter.md: integration/categories/network/netfilter.md xdr/features/collect/integrations/network/olfeo_secure_web_gateway.md: integration/categories/network_security/olfeo_secure_web_gateway.md @@ -745,6 +764,7 @@ plugins: xdr/features/collect/integrations/network/paloalto.md: integration/categories/network_security/paloalto.md xdr/features/collect/integrations/network/pulse.md: integration/categories/network/pulse.md xdr/features/collect/integrations/network/rubycat_prove_it.md: integration/categories/iam/rubycat_prove_it.md + xdr/features/collect/integrations/network/sesameit_jizo.md: integration/categories/network/sesameit_jizo.md xdr/features/collect/integrations/network/skyhigh_secure_web_gateway.md: integration/categories/network_security/skyhigh_secure_web_gateway.md xdr/features/collect/integrations/network/sonicwall_fw.md: integration/categories/network_security/sonicwall_fw.md xdr/features/collect/integrations/network/sonicwall_sma.md: integration/categories/network_security/sonicwall_sma.md From e6649ddcd467a02eb674b6199c1de4d4c2f70582 Mon Sep 17 00:00:00 2001 
From: Bivic Date: Thu, 1 Aug 2024 11:08:11 +0200 Subject: [PATCH 2/3] change iam_sase to iam --- _shared_content/automate/actions.md | 2 +- .../action_library/{iam_sase => iam}/duo.md | 0 .../action_library/{iam_sase => iam}/intra_id.md | 0 .../jumpcloud-directory-insights.md | 0 .../{iam_sase => iam}/microsoft-active-directory.md | 0 .../{iam_sase => iam}/microsoft-entra-id.md | 0 .../action_library/{iam_sase => iam}/okta.md | 0 mkdocs.yml | 12 ++++++------ 8 files changed, 7 insertions(+), 7 deletions(-) rename docs/integration/action_library/{iam_sase => iam}/duo.md (100%) rename docs/integration/action_library/{iam_sase => iam}/intra_id.md (100%) rename docs/integration/action_library/{iam_sase => iam}/jumpcloud-directory-insights.md (100%) rename docs/integration/action_library/{iam_sase => iam}/microsoft-active-directory.md (100%) rename docs/integration/action_library/{iam_sase => iam}/microsoft-entra-id.md (100%) rename docs/integration/action_library/{iam_sase => iam}/okta.md (100%) diff --git a/_shared_content/automate/actions.md b/_shared_content/automate/actions.md index e19cabf51d..b00138fff1 100644 --- a/_shared_content/automate/actions.md +++ b/_shared_content/automate/actions.md @@ -98,7 +98,7 @@ These helpers need their associated trigger to function properly: ## Third-party applications -- [Microsoft Entra ID (Azure AD) ](/integration/action_library/iam_sase/microsoft-entra-id.md) +- [Microsoft Entra ID (Azure AD) ](/integration/action_library/iamosoft-entra-id.md) - [Microsoft Remote Server](/integration/action_library/applicative/microsoft-remote-server.md) - [Fortigate Firewalls](/integration/action_library/network/fortigate-firewalls.md) - [HarfangLab](/integration/action_library/endpoint/harfanglab.md) diff --git a/docs/integration/action_library/iam_sase/duo.md b/docs/integration/action_library/iam/duo.md similarity index 100% rename from docs/integration/action_library/iam_sase/duo.md rename to docs/integration/action_library/iam/duo.md 
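Review bot: the replacement link in the `actions.md` hunk is broken: `/integration/action_library/iamosoft-entra-id.md` has lost the `iam/micr` characters from the middle of the path, so the Microsoft Entra ID entry points at a file that does not exist after the rename. The line should read `- [Microsoft Entra ID (Azure AD) ](/integration/action_library/iam/microsoft-entra-id.md)`. Since this commit is the one that renames `iam_sase/` to `iam/`, the fix belongs here rather than in a follow-up commit, so that no revision in the series ships a dead link.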
diff --git a/docs/integration/action_library/iam_sase/intra_id.md b/docs/integration/action_library/iam/intra_id.md similarity index 100% rename from docs/integration/action_library/iam_sase/intra_id.md rename to docs/integration/action_library/iam/intra_id.md diff --git a/docs/integration/action_library/iam_sase/jumpcloud-directory-insights.md b/docs/integration/action_library/iam/jumpcloud-directory-insights.md similarity index 100% rename from docs/integration/action_library/iam_sase/jumpcloud-directory-insights.md rename to docs/integration/action_library/iam/jumpcloud-directory-insights.md diff --git a/docs/integration/action_library/iam_sase/microsoft-active-directory.md b/docs/integration/action_library/iam/microsoft-active-directory.md similarity index 100% rename from docs/integration/action_library/iam_sase/microsoft-active-directory.md rename to docs/integration/action_library/iam/microsoft-active-directory.md diff --git a/docs/integration/action_library/iam_sase/microsoft-entra-id.md b/docs/integration/action_library/iam/microsoft-entra-id.md similarity index 100% rename from docs/integration/action_library/iam_sase/microsoft-entra-id.md rename to docs/integration/action_library/iam/microsoft-entra-id.md diff --git a/docs/integration/action_library/iam_sase/okta.md b/docs/integration/action_library/iam/okta.md similarity index 100% rename from docs/integration/action_library/iam_sase/okta.md rename to docs/integration/action_library/iam/okta.md diff --git a/mkdocs.yml b/mkdocs.yml index 21a3761371..416e91da16 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -526,12 +526,12 @@ nav: - Sekoia: integration/action_library/generic/sekoia-io.md - Utils: integration/action_library/generic/utils.md - IAM SASE: - - Duo: integration/action_library/iam_sase/duo.md - - Jumpcloud Directory Insights: integration/action_library/iam_sase/jumpcloud-directory-insights.md - - Microsoft Active Directory: integration/action_library/iam_sase/microsoft-active-directory.md - - Microsoft Entra ID: integration/action_library/iam_sase/microsoft-entra-id.md - - Microsoft Entra ID (Azure AD): integration/action_library/iam_sase/intra-id.md - - Okta: integration/action_library/iam_sase/okta.md + - Duo: integration/action_library/iam/duo.md + - Jumpcloud Directory Insights: integration/action_library/iam/jumpcloud-directory-insights.md + - Microsoft Active Directory: integration/action_library/iam/microsoft-active-directory.md + - Microsoft Entra ID: integration/action_library/iam/microsoft-entra-id.md + - Microsoft Entra ID (Azure AD): integration/action_library/iam/intra-id.md + - Okta: integration/action_library/iam/okta.md - Network: - Broadcom Cloud Secure Web Gateway: integration/action_library/network/broadcom-cloud-secure-web-gateway.md - Cato Networks: integration/action_library/network/cato-networks.md From 6e3543a40e3e08bc88f675ef18e423958acce2a1 Mon Sep 17 00:00:00 2001 From: Bivic Date: Thu, 1 Aug 2024 11:10:45 +0200 Subject: [PATCH 3/3] fix typo --- _shared_content/automate/actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_shared_content/automate/actions.md b/_shared_content/automate/actions.md index b00138fff1..a713928379 100644 --- a/_shared_content/automate/actions.md +++ b/_shared_content/automate/actions.md 
@@ -98,7 +98,7 @@ These helpers need their associated trigger to function properly: ## Third-party applications -- [Microsoft Entra ID (Azure AD) ](/integration/action_library/iamosoft-entra-id.md) +- [Microsoft Entra ID (Azure AD) ](/integration/action_library/iam/microsoft-entra-id.md) - [Microsoft Remote Server](/integration/action_library/applicative/microsoft-remote-server.md) - [Fortigate Firewalls](/integration/action_library/network/fortigate-firewalls.md) - [HarfangLab](/integration/action_library/endpoint/harfanglab.md)
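Review bot: the `mkdocs.yml` nav hunk in PATCH 2/3 keeps `- Microsoft Entra ID (Azure AD): integration/action_library/iam/intra-id.md` (hyphen), but the file being renamed in this same patch is `docs/integration/action_library/iam/intra_id.md` (underscore), so that nav entry still points at a non-existent page; the path should match the actual filename. Two further points on the same hunk: the section label stays `IAM SASE` although the commit retitles the directory to `iam`, which looks unintended given the commit subject, and no `redirect_maps` entries are added for the old `integration/action_library/iam_sase/*.md` URLs even though the repository already uses the redirects plugin for exactly this purpose (see the `plugins:` hunks in PATCH 1/3), so previously published links to these six pages will 404.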
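Review bot: PATCH 3/3 only repairs the `iamosoft-entra-id.md` link that PATCH 2/3 introduced one commit earlier; squash it into PATCH 2/3 so the series has no intermediate revision with a broken link in `actions.md`, and so the `fix typo` subject does not suggest a pre-existing error.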