diff --git a/_shared_content/operations_center/integrations/google_cloud.md b/_shared_content/operations_center/integrations/google_cloud.md index 731e096fa3..13636df41f 100644 --- a/_shared_content/operations_center/integrations/google_cloud.md +++ b/_shared_content/operations_center/integrations/google_cloud.md @@ -32,16 +32,10 @@ You should now have: To pull events, you have to: -1. Go to [the playbooks' page](https://app.sekoia.io/operations/playbooks) -2. Click on `+New playbook` to create a new playbook -3. Select `Use a template` when creating a playbook -4. Search for `Google Cloud` then select `Forward Google Pubsub records to Sekoia.io` +1. Go to [the intake's page](https://app.sekoia.io/intakes) +2. Click on `+New intakes` to create a new intake -This playbook consumes records from Google Pubsub and pushes them to Sekoia.io. - -You can also create your own on the same basis by using the "Google Pub/Sub" trigger (`Connect to the specified`) - -- Use the JSON keys (*service account credentials*) information downloaded to complete the fields on the trigger +This intake consumes records from Google Pubsub and pushes them to Sekoia.io. **Fields description** diff --git a/docs/integration/categories/applicative/1password_epm.md b/docs/integration/categories/applicative/1password_epm.md index 986eb61a5f..44b7c5f8d4 100644 --- a/docs/integration/categories/applicative/1password_epm.md +++ b/docs/integration/categories/applicative/1password_epm.md 
@@ -47,19 +47,6 @@ Go to your Sekoia.io [Intakes page](https://app.sekoia.io/operations/intakes), a 1. Click on **+ Intake** button to create a new one 2. Choose **1Password EPM**, give it a name and choose the relevant Entity 3. Click on **Create** button -4. Copy the **Intake key** - -!!! Note - Save the `Intake key` on a block note. It will be used in the next step. - -### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -1. Click on **+ PLAYBOOK** button to create a new one -2. Select **Use a template** -3. Search for `1Password` keyword on the search bar and select the template named `Fetch new events from 1Password EPM` -4. Create a **Module configuration** using - API token from `How to create an API token` step. - Base URL depending by the server that hosts your 1Password account: @@ -69,11 +56,6 @@ Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), | 1Password.ca | https://events.1password.ca | | 1Password.eu | https://events.1password.eu | - Name the module configuration as you wish - -5. Create a **Trigger configuration** using `Intake key` created on the previous step -6. Click on the **Save** button -7. Toggle **Activate the playbook** on the top right corner of the page #### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events) diff --git a/docs/integration/categories/applicative/azure_files.md b/docs/integration/categories/applicative/azure_files.md index fcb760e2e5..2424b57c17 100644 --- a/docs/integration/categories/applicative/azure_files.md +++ b/docs/integration/categories/applicative/azure_files.md 
@@ -52,15 +52,10 @@ This setup guide describe how to forward events produced by `Azure Files` to Sek ### Create the intake in Sekoia.io -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Azure Files`. Copy the intake key. +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Azure Files`. -### Pull events +Set up the intake configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/xdr/features/automate/library/microsoft-azure.md#consume-eventhub-messages) -2. Set up the trigger configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. -3. Start the playbook and enjoy your events {!_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6_sample.md!} diff --git a/docs/integration/categories/applicative/fastly_audit_waf.md b/docs/integration/categories/applicative/fastly_audit_waf.md index ef1bb6c59b..a156381be0 100644 --- a/docs/integration/categories/applicative/fastly_audit_waf.md +++ b/docs/integration/categories/applicative/fastly_audit_waf.md 
@@ -32,25 +32,9 @@ Fastly WAF audit logs tracks activities related to your corp and your sites like #### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Fastly Audit`. -2. Copy the associated Intake key +2. Enter `User's email`, `API token`, `Corporation name` and `Site name` (if needed) from the Fastly WAF dashboard -#### Pull the logs to collect them on Sekoia.io -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -1. Click **+ PLAYBOOK** button to create a new one -2. Select **Create a playbook from scratch** -3. Give it a name in the field **Name** -4. Open the left panel, click **Fastly** then select the trigger `Fetch new audit logs from Fastly WAF` -5. Click **Create** - -6. Create a **Module configuration**. Name the module configuration as you wish. -7. Create a **Trigger configuration** using: -7.1. Type the `Intake key` created on the previous step -7.2 Enter `User's email`, `API token`, `Corporation name` and `Site name` (if needed) from the Fastly WAF dashboard - -- Click the **Save** button -- **Activate the playbook** with the toggle button in the top right corner of the page #### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events) diff --git a/docs/integration/categories/applicative/github_audit_logs.md b/docs/integration/categories/applicative/github_audit_logs.md index e716e9fe50..6cbd894ea0 100644 --- a/docs/integration/categories/applicative/github_audit_logs.md +++ b/docs/integration/categories/applicative/github_audit_logs.md 
@@ -83,15 +83,8 @@ To create an API key on [Github](https://github.com/): ### Create the intake in Sekoia.io -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Github audit logs`. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new audit logs from Github](/integration/action_library/github.md) trigger -2. Set up the module configuration with the Github organization and the APIkey. Set up the trigger configuration with the intake key -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Github audit logs`. +2. Edit the intake configuration with the Github organization and the APIkey. {!_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9_sample.md!} diff --git a/docs/integration/categories/applicative/google_cloud_audit.md b/docs/integration/categories/applicative/google_cloud_audit.md index f6df2a51a6..b666d77457 100644 --- a/docs/integration/categories/applicative/google_cloud_audit.md +++ b/docs/integration/categories/applicative/google_cloud_audit.md 
@@ -163,33 +163,10 @@ Go to your Sekoia.io [Intakes page](https://app.sekoia.io/operations/intakes), a 1. Click on **+ Intake** button to create a new one 2. Choose **Google Cloud Audit Logs**, give it a name and choose the relevant Entity 3. Click on **Create** button -4. Copy the **Intake key** of this Google Intake. - -!!! Note - Save the `Intake key` on a block note. It will be used in the next step. - -#### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -- Click on **+ PLAYBOOK** button to create a new one -- Select **Use a template** -- Search for `Google` keywork on the search bar and select the template named `Forward Google Pubsub records to Sekoia.io` - -![google-playbook-template](/assets/integration/cloud_and_saas/google/google-template.PNG){: style="max-width:100%"} - -- Create a **Module configuration** using your service account credentials from your Google Cloud environment extracted on a JSON file. Name the module configuration as you wish - -![template-playbook-configuration](/assets/integration/cloud_and_saas/google/template-configuration.png ){: style="max-width:100%"} - -- Create a **Trigger configuration** using: - - * `Intake key` created on the previous +4. Configure your intake with * The project ID * The suject ID that is `sekoia-gca-subscription` -- Click on the **Save** button -- **Activate the playbook** with the toggle button on the top right corner of the page #### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events) diff --git a/docs/integration/categories/applicative/google_reports.md b/docs/integration/categories/applicative/google_reports.md index d6ecca48d2..5b9e27d6c2 100644 --- a/docs/integration/categories/applicative/google_reports.md +++ b/docs/integration/categories/applicative/google_reports.md 
@@ -126,33 +126,13 @@ Find more information on the [official google documentation](https://cloud.googl ### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Google Report`. -2. Copy the associated Intake key - -### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -- Click on **+ PLAYBOOK** button to create a new one -- Select **Create a playbook from scratch** -- Give it a name in the field **Name** -- Open the left panel, click **Google** then select the trigger `Get user activities` -- Click on **Create** - -- Create a **Module configuration** using your service account credentials from your Google Cloud environment extracted on a JSON file. Name the module configuration as you wish - - -- Create a **Trigger configuration** using: - - * Type the `Intake key` created on the previous +2. Edit the intake configuration with the following attribut: * Select the `application name` what you to fetch events from * Type the `an Google workspace admin email`. !!! Important This Google workspace admin email is any user part of the domain **that has** the right to view de Data of Google Workspace -- Click on the **Save** button -- **Activate the playbook** with the toggle button on the top right corner of the page - ### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events) diff --git a/docs/integration/categories/applicative/salesforce.md b/docs/integration/categories/applicative/salesforce.md index bfd745b8c0..fca2e4a125 100644 --- a/docs/integration/categories/applicative/salesforce.md +++ b/docs/integration/categories/applicative/salesforce.md 
@@ -54,15 +54,9 @@ This setup guide will show you how to provide an integration between Salesforce ### Create an intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Salesforce. Copy the intake key. +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Salesforce. +2. Set up the intake configuration with the consumer key and consumer secret. -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Salesforce](/integration/action_library/salesforce.md) trigger -2. Set up the module configuration with the consumer key and consumer secret. Set up the trigger configuration with the intake key -3. Start the playbook and enjoy your events !!! note diff --git a/docs/integration/categories/email/o365.md b/docs/integration/categories/email/o365.md index abf65130db..da66b2ba3e 100644 --- a/docs/integration/categories/email/o365.md +++ b/docs/integration/categories/email/o365.md 
@@ -90,19 +90,7 @@ Go to your Sekoia.io [Intakes page](https://app.sekoia.io/operations/intakes), a 1. Click `+ Intake` button to create a new one 2. Choose `Microsoft 365/Office 365`, give it a name and choose the relevant Entity -3. Click `Manually` then click `Create` -4. Copy the `intake key` - -#### Create your playbook - -Go to your Sekoia.io [playbooks page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -1. Click on `+New playbook` to create a new playbook -2. Select `Create a playbook from scratch` when creating a playbook -3. Give it a `Name` and a `Description` -4. During the step "Choose a trigger", search for `Office 365` then select `Office 365 Management API`. The playbook details interface will open and will contain only one module named `Office 365 Management API` -6. Click on the module, and configure it by clicking on the "Configuration" tab on the right panel using the `client id`, the `client secret`, the `intake key` (from the previous step) and `tenant id` -8. Save the playbook and start it +3. Edit the intake configuration using the `client id`, the `client secret` and `tenant id` !!! Important Once the integration is created on Sekoia.io, it may take up to 12 hours for the Microsoft API to make data available for the first time. diff --git a/docs/integration/categories/email/proofpoint_pod.md b/docs/integration/categories/email/proofpoint_pod.md index 0157d843b2..0113ad6a3f 100644 --- a/docs/integration/categories/email/proofpoint_pod.md +++ b/docs/integration/categories/email/proofpoint_pod.md 
@@ -30,13 +30,8 @@ To create an APIKey, from our dashboard: ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Proofpoint PoD`. - -### Pull events - -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [ProofPoint PoD connector](/integration/action_library/proofpoint.md#get-proofpoint-pod-events). - -Set up the trigger configuration with the api key, the cluster id and the intake key. Customize others parameters if needed. +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Proofpoint PoD`. +2. Set up the intake configuration with the api key and the cluster id. Start the playbook and enjoy your events. diff --git a/docs/integration/categories/email/proofpoint_tap.md b/docs/integration/categories/email/proofpoint_tap.md index d95a789316..79b207a29e 100644 --- a/docs/integration/categories/email/proofpoint_tap.md +++ b/docs/integration/categories/email/proofpoint_tap.md @@ -27,13 +27,8 @@ As a prerequisite, you need to create a service principal and a secret on the se ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Proofpoint TAP`. - -### Pull events - -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [ProofPoint TAP connector](/integration/action_library/proofpoint.md#get-proofpoint-tap-events). - -Set up the trigger configuration with the service principal, the secret and the intake key. Customize others parameters if needed. +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Proofpoint TAP`. +2. Set up the intake configuration with the service principal and the secret. Start the playbook and enjoy your events. 
diff --git a/docs/integration/categories/email/trend_micro_email_security.md b/docs/integration/categories/email/trend_micro_email_security.md index 829f567c13..18a858b476 100644 --- a/docs/integration/categories/email/trend_micro_email_security.md +++ b/docs/integration/categories/email/trend_micro_email_security.md @@ -32,21 +32,8 @@ Trend Micro Email Security is a robust email protection solution that safeguards ### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Trend Micro Email Security`. -2. Copy the associated Intake key +2. Edit the intake configuration using your `Service URL`, `Username` and `Login ID`. All three are required. -### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -1. Click on **+ PLAYBOOK** button to create a new one -2. Select **Create a playbook from scratch** -3. Give it a name in the field **Name** -4. Open the left panel, click **Trend Micro Email Security** then select the trigger `Fetch new logs` -5. Click on **Create** - -6. Create a **Trigger configuration** using your `Service URL`, `Username`, `API key` and `Intake key`. All four are required. - -* `API key` is created on the first step * `username` is your `Login ID` entered during account creating * The value of `service URL` varies according to your location: @@ -59,10 +46,6 @@ Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), | Singapore | api.tmes-sg.trendmicro.com | | India | api.tmes-in.trendmicro.com | -* Type the `Intake key` created on the previous step - -7. Click on the **Save** button -8. **Activate the playbook** with the toggle button in the top right corner of the page ### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events) 
diff --git a/docs/integration/categories/email/vade_cloud.md b/docs/integration/categories/email/vade_cloud.md index 5f2ae38658..c8f20f3d22 100644 --- a/docs/integration/categories/email/vade_cloud.md +++ b/docs/integration/categories/email/vade_cloud.md @@ -18,22 +18,13 @@ In this documentation we will explain how to collect and send Vade Cloud logs to ### Create the intake in Sekoia.io -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Vade Cloud`. Copy the **intake key**. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the `Fetch new logs from Vade Cloud` trigger -2. Set up the module configuration with the: +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Vade Cloud`. +2. Set up the intake configuration with the: - Vade Cloud API hostname: the URL of your admin interface of Vade Cloud. Most of the time this is `https://cloud.vadesecure.com`; TO BE ADAPTED depending on your context. - The email of the user: the login you use to connect to the admin interface of Vade Cloud. The account type **MUST** be "Admin". - The user password: the password you use to connect to the admin interface of Vade Cloud. -3. Set up the trigger configuration with the **intake key** from the previous step. -4. Start the playbook and enjoy your events - !!! Info Please make sure that the login is your account email. diff --git a/docs/integration/categories/endpoint/checkpoint_harmony_mobile.md b/docs/integration/categories/endpoint/checkpoint_harmony_mobile.md index 0071cc8df1..85c425222c 100644 --- a/docs/integration/categories/endpoint/checkpoint_harmony_mobile.md +++ b/docs/integration/categories/endpoint/checkpoint_harmony_mobile.md 
@@ -35,16 +35,8 @@ Check Point Harmony Mobile is the industry's first unified security solution for ### Create the intake -To create the intake, go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Check Point Harmony Mobile`. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Check Point Harmony Mobile](/integration/action_library/check-point.md) trigger -2. Set up the module configuration with the Client ID, Client Secret and Authentication URL. -3. Set up the trigger configuration with the intake key -4. Start the playbook and enjoy your events +1. To create the intake, go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Check Point Harmony Mobile`. +2. Set up the intake configuration with the Client ID, Client Secret and Authentication URL. {!_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35_sample.md!} diff --git a/docs/integration/categories/endpoint/crowdstrike_falcon.md b/docs/integration/categories/endpoint/crowdstrike_falcon.md index 08413571cd..207b7edee3 100644 --- a/docs/integration/categories/endpoint/crowdstrike_falcon.md +++ b/docs/integration/categories/endpoint/crowdstrike_falcon.md 
@@ -51,16 +51,8 @@ To collect `Vertex`, please contact Crowdstrike Support to activate the Threat G ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `CrowdStrike Falcon`. Copy the intake key. - - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch CrowdStrike Falcon Events](/integration/action_library/crowdstrike-falcon.md) trigger -2. Set up the module configuration with the base URL of the API (e.g. https://api.eu-1.crowdstrike.com), your client id and your client secret. Set up the trigger configuration with the intake key. -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `CrowdStrike Falcon`. +2. Set up the intake configuration with the base URL of the API (e.g. https://api.eu-1.crowdstrike.com), your client id and your client secret. {!_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md!} diff --git a/docs/integration/categories/endpoint/crowdstrike_falcon_telemetry.md b/docs/integration/categories/endpoint/crowdstrike_falcon_telemetry.md index e2358fb1a2..0edf6eff35 100644 --- a/docs/integration/categories/endpoint/crowdstrike_falcon_telemetry.md +++ b/docs/integration/categories/endpoint/crowdstrike_falcon_telemetry.md 
@@ -40,16 +40,8 @@ To set up the integration: ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `CrowdStrike Falcon Telemetry`. Copy the intake key. - - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from CrowdStrike Data replication](/integration/action_library/crowdstrike.md) trigger -2. Set up the module configuration with your client id, the client secret and the region. Set up the trigger configuration with the intake key and the queue name. -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `CrowdStrike Falcon Telemetry`. +2. Set up the intake configuration with your client id, the client secret, the region and the queue name. {!_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5_sample.md!} diff --git a/docs/integration/categories/endpoint/cybereason_malop.md b/docs/integration/categories/endpoint/cybereason_malop.md index a16414955b..3156f922f2 100644 --- a/docs/integration/categories/endpoint/cybereason_malop.md +++ b/docs/integration/categories/endpoint/cybereason_malop.md 
@@ -28,18 +28,8 @@ To forward events produced by Cybereason to Sekoia.io, you will need your Cybere ### Create your intake -On Sekoia.io, go to the [Intakes page](https://app.sekoia.io/operations/intakes/new) and generate a new intake with the `Cybereason MalOp` format. -Keep aside the intake key. - -### Pull events - -To start pulling events, you have to: - -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from Cybereason](/integration/action_library/cybereason.md) module. -2. Set up the module configuration with your Cybereason username and password. -3. Set up the trigger configuration with your intake key -4. Start the playbook and enjoy your [events](https://app.sekoia.io/operations/events). - +1. On Sekoia.io, go to the [Intakes page](https://app.sekoia.io/operations/intakes/new) and generate a new intake with the `Cybereason MalOp` format. +2. Set up the intake configuration with your Cybereason username and password. {!_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db_sample.md!} diff --git a/docs/integration/categories/endpoint/paloalto_cortex_edr.md b/docs/integration/categories/endpoint/paloalto_cortex_edr.md index cd31e1b7f8..5002e03424 100644 --- a/docs/integration/categories/endpoint/paloalto_cortex_edr.md +++ b/docs/integration/categories/endpoint/paloalto_cortex_edr.md 
@@ -65,20 +65,9 @@ Before using the **Cortex XDR** connector, you must generate an API key in Corte ### Create the intake 1. Go to the [Intake page](https://app.sekoia.io/operations/intakes) and create a new `Palo Alto Cortex XDR (EDR)` intake. -2. Copy the associated Intake key ( You will use it in the playbook part ) - -### Pull events - -1. Go to the [Playbook page](https://app.sekoia.io/operations/playbooks). -2. Click on `+ PLAYBOOK` and choose `Create a playbook from scratch`. -3. Give it a name and a description and click on `Next`. -4. In `Choose a trigger`, select the `Fetch Alerts from Cortex`. -5. Click on the `Fetch Alerts from Cortex` module on the right sidebar and in the `Module Configuration` section, select `Create new configuration`. -6. Write a `name` and paste the `API Key`, `API Key ID` and `Fqdn`, then click on `Save`. -7. In the `Trigger Configuration` section, click on `Create new configuration`. -8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Fetch Alerts from Cortex` intake and click on `Save`. -9. On the top right corner, start the Playbook. You should see monitoring messages in the `Trigger Logs` section. -10. Check on the Events page that the Cortex logs are being received. +2. Create or Select a Palo Alto account with an `API Key`, `API Key ID` and `Fqdn`. +3. Edit the intake configuration with a `chunk size` - Default is `100` and a `frequency` - Default is `60` + {!_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_sample.md!} diff --git a/docs/integration/categories/endpoint/panda_security_aether.md b/docs/integration/categories/endpoint/panda_security_aether.md index 659806155c..a69656934c 100644 --- a/docs/integration/categories/endpoint/panda_security_aether.md +++ b/docs/integration/categories/endpoint/panda_security_aether.md 
@@ -29,22 +29,9 @@ Copy the access IDs, the API url and an API Key. ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Panda Security Aether. - - -### Pull events - -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Panda Security trigger](/integration/action_library/panda-security.md#fetch-security-events). You can use the existing template to fasten and ease the creation of your playbook. - -Set up the module configuration with an access ID, the password of the access ID (`access_secret`), your WatchGuard Cloud account ID (`account_id`), the API Key (`api_key`). -Set the `base_url` with the domain part of the API Url (e.g: for the API URL `https://api.usa.cloud.watchguard.com/rest/`, the `base_url` is `https://api.usa.cloud.watchguard.com`). -Set up the trigger configuration with the frequency of the pull. - -At the end of the playbook, set up the action `Push events to intake` with a Sekoia.io API key and the intake key, from the intake previously created. - -Start the playbook and enjoy your events. - - +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Panda Security Aether. +2. Set up the intake account with an access ID, the password of the access ID (`access_secret`), your WatchGuard Cloud account ID (`account_id`), the API Key (`api_key`). Set the `base_url` with the domain part of the API Url (e.g: for the API URL `https://api.usa.cloud.watchguard.com/rest/`, the `base_url` is `https://api.usa.cloud.watchguard.com`). +3. Set up the intake configuration with the frequency of the pull. {!_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_sample.md!} 
diff --git a/docs/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md b/docs/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md index d8fc7dd57a..805ef94d95 100644 --- a/docs/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md +++ b/docs/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md @@ -89,16 +89,8 @@ In the [Sekoia.io Operations Center](https://app.sekoia.io/operations/intakes): 2. Search for `SentinelOne Cloud Funnel 2.0` by navigating the page or using the search bar 3. Click `Create` on the relevant object 4. Specify the `Name` of your intake that will be displayed and select the `Entity` needed - -### Pull events - -To start pulling events, follow these steps: - -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) -2. Create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/aws.md) -3. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name -4. Set up the trigger configuration with the name of the SQS queue and the intake key (from the intake previously created) -5. Start the playbook and enjoy your events +5. Set up the intake account configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name +6. Set up the intake configuration with the name of the SQS queue {!_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md!} diff --git a/docs/integration/categories/endpoint/sophos_edr.md b/docs/integration/categories/endpoint/sophos_edr.md index 75b7cd45f8..1bbc98bfdb 100644 --- a/docs/integration/categories/endpoint/sophos_edr.md +++ b/docs/integration/categories/endpoint/sophos_edr.md 
@@ -32,25 +32,14 @@ In the Sophos Central Admin console: ### Create the intake 1. Go to the [Intake page](https://app.sekoia.io/operations/intakes) and create a new `Sophos EDR` intake. -2. Copy the associated Intake key - -### Pull events - -1. Go to the [Playbook page](https://app.sekoia.io/operations/playbooks). -2. Click on `+ PLAYBOOK` and choose `Create a playbook from scratch`. -3. Give it a name and a description and click on `Next`. -4. In `Choose a trigger`, select the [Get Sophos events](/integration/action_library/sophos.md). -5. Click on the `Get Sophos events` module on the right sidebar and in the `Module Configuration` section, select `Create new configuration`. -6. Write a `name` and paste the `client_id` and `client_secret` from the Sophos console and click on `Save`. +2. Set the intake account: Write a `name` and paste the `client_id` and `client_secret` from the Sophos console and click on `Save`. !!! info - If you want to change the region with your own region, you can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. - No need to change the **Oauth2 Authorization Url** for the moment, as this's the only endpoint to get a JWT token -7. In the `Trigger Configuration` section, click on `Create new configuration`. -8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Sophos EDR` intake and click on `Save`. -9. On the top right corner, start the Playbook. You should see monitoring messages in the `Logs` section. -10. Check on the Events page that the Sophos logs are being received. +3. 
Set the intake configuration, choose a `frequency` - Default is `60` - + ![Sophos Module Configuration](/assets/integration/cloud_and_saas/sophos_edr/sophos_module_configuration.png){: style="max-width:60%"} ![Sophos Trigger Configuration](/assets/integration/cloud_and_saas/sophos_edr/sophos_trigger_configuration.png){: style="max-width:60%"} diff --git a/docs/integration/categories/endpoint/tehtris_edr.md b/docs/integration/categories/endpoint/tehtris_edr.md index 29ab56d259..ace7dcbe4b 100644 --- a/docs/integration/categories/endpoint/tehtris_edr.md +++ b/docs/integration/categories/endpoint/tehtris_edr.md @@ -30,17 +30,8 @@ To forward events produced by TEHTRIS EDR to Sekoia.io, you have to: ### Create the intake -To create the intake, go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `TEHTRIS Endpoint Detection & Reponse`. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from TEHTRIS](/integration/action_library/tehtris.md#fetch-new-events-from-tehtris) module - -2. Set up the module configuration with your API key and your tenant ID (most of time, your tenant ID is the subdomain of your TEHTRIS instance; eg: `https://{tenant_id}.tehtris.net`) - -3. Start the playbook and enjoy your [events](https://app.sekoia.io/operations/events) +1. To create the intake, go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `TEHTRIS Endpoint Detection & Reponse`. +2. Set up the intake configuration with your API key and your tenant ID (most of time, your tenant ID is the subdomain of your TEHTRIS instance; eg: `https://{tenant_id}.tehtris.net`) {!_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_sample.md!} 
diff --git a/docs/integration/categories/endpoint/trellix_edr.md b/docs/integration/categories/endpoint/trellix_edr.md index 0c52e22d10..2ff335963a 100644 --- a/docs/integration/categories/endpoint/trellix_edr.md +++ b/docs/integration/categories/endpoint/trellix_edr.md @@ -24,15 +24,8 @@ This setup guide will show you how to forward your Trellix EDR events to Sekoia. ### Create an intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Trellix EDR. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Trellix](/integration/action_library/trellix.md) trigger -2. Set up the module configuration with the Client Id and Client Secret. Set up the trigger configuration with the intake key -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Trellix EDR. +2. Set up the intake configuration with the Client Id and Client Secret. {!_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5_sample.md!} diff --git a/docs/integration/categories/endpoint/withsecure_elements.md b/docs/integration/categories/endpoint/withsecure_elements.md index 1f4c7bbe06..905a112ca6 100644 --- a/docs/integration/categories/endpoint/withsecure_elements.md +++ b/docs/integration/categories/endpoint/withsecure_elements.md 
@@ -29,21 +29,8 @@ In the WithSecure Elements Central Admin console: ### Create the intake 1. Go to the [Intake page](https://app.sekoia.io/operations/intakes) and create a new `WithSecure Elements` intake. -2. Copy the associated Intake key - -### Create the playbook that fetches the events - -1. Go to the [Playbook page](https://app.sekoia.io/operations/playbooks). -2. Click on `+ PLAYBOOK` and choose `Create a playbook from scratch`. -3. Give it a name such as `Collect WithSecure Elements events` and a description and click on `Next`. -4. In `Choose a trigger`, select the [Fetch security events](/integration/action_library/withsecure.md). -5. Click on the `Fetch security events` trigger and, on the right sidebar, create a new `Module Configuration`. Give it a name such as `My Organisation WithSecure` and enter your API Client credentials `Client ID`/`Secret` -6. In the Trigger Configuration section, Click on `Create new configuration`. -8. Write a `name`, paste the `intake_key` associated to your `WithSecure Elements` intake and click on `Save`. -9. On the top right corner, start the Playbook. You should see monitoring messages in the `Logs` section of your action. -10. After a couple of minutes check on the Events page that WithSecure Elements logs are being received. - -![WithSecure Playbook Example](/assets/integration/endpoint/withsecure/withsecure_playbook_collect.png){: style="max-width:80%"} +2. Set the intake account with your API Client credentials `Client ID`/`Secret` +3. After a couple of minutes check on the Events page that WithSecure Elements logs are being received. {!_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48_sample.md!} diff --git a/docs/integration/categories/iam/azure_key_vault.md b/docs/integration/categories/iam/azure_key_vault.md index 1666feafa7..a0c7997244 100644 --- a/docs/integration/categories/iam/azure_key_vault.md +++ b/docs/integration/categories/iam/azure_key_vault.md 
@@ -32,15 +32,8 @@ Detailed instructions can be found in official docs [here](https://learn.microso ### Create the intake in Sekoia.io -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Azure Key Vault`. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Azure Key Vault](/integration/action_library/microsoft-azure.md) -2. Set up the trigger configuration with `account_key`, `account_name` and the `container_name`. -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Azure Key Vault`. +2. Set up the intake configuration with `account_key`, `account_name` and the `container_name`. {!_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_sample.md!} diff --git a/docs/integration/categories/iam/cisco_duo_security.md b/docs/integration/categories/iam/cisco_duo_security.md index 05d4b21770..520db544e9 100644 --- a/docs/integration/categories/iam/cisco_duo_security.md +++ b/docs/integration/categories/iam/cisco_duo_security.md 
@@ -26,15 +26,8 @@ More details in [Duo documentation](https://duo.com/docs/adminapi#first-steps) ### Create the intake in Sekoia.io -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Cisco Duo Security`. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the **Fetch new logs from Duo** trigger -2. Set up the module configuration with the base URL of your Netskope instance. Set up the trigger configuration with the API token and the intake key -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Cisco Duo Security`. +2. Set up the intake account configuration with the Hostname, Integration Key and Secret Key {!_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e_sample.md!} diff --git a/docs/integration/categories/iam/jumpcloud_directory_insights.md b/docs/integration/categories/iam/jumpcloud_directory_insights.md index f01973e1f9..ea43c4121a 100644 --- a/docs/integration/categories/iam/jumpcloud_directory_insights.md +++ b/docs/integration/categories/iam/jumpcloud_directory_insights.md 
@@ -27,16 +27,7 @@ Jumpcloud Directory Insights provides activity records related to your organizat 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) 2. Create a new intake from the format `Jumpcloud Directory Insights`. -3. Copy the intake key - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Jumpcloud Directory Insights Connector](/integration/action_library/jumpcloud-directory-insights.md) trigger -2. Set up the module configuration with your API Key. Set up the trigger configuration with the intake key and select the event types you want to collect (`all` by default, refer to the [Jumpcloud Directory Insights service list](https://docs.jumpcloud.com/api/insights/directory/1.0/index.html#section/Using-the-Directory-Insights-API/JSON-POST-Request-Body) for other possible values). -3. Start the playbook and enjoy your events - +3. Set up the intake configuration with your API Key and select the event types you want to collect (`all` by default, refer to the [Jumpcloud Directory Insights service list](https://docs.jumpcloud.com/api/insights/directory/1.0/index.html#section/Using-the-Directory-Insights-API/JSON-POST-Request-Body) for other possible values). {!_shared_content/integration/detection_section.md!} diff --git a/docs/integration/categories/iam/okta_system_log.md b/docs/integration/categories/iam/okta_system_log.md index a5e5c32bdf..c9b383f23a 100644 --- a/docs/integration/categories/iam/okta_system_log.md +++ b/docs/integration/categories/iam/okta_system_log.md 
@@ -20,15 +20,8 @@ Sign in your Okta organization with administrator role and follow [this guide](h ### Create the intake in Sekoia.io -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Okta System logs`. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new system logs from OKTA](/integration/action_library/okta.md) trigger -2. Set up the module configuration with your API Key and the base url of your Okta instance. Set up the trigger configuration with the intake key -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Okta System logs`. +2. Set up the intake configuration with your API Key and the base url of your Okta instance. !!! note diff --git a/docs/integration/categories/network/aws_flow_logs.md b/docs/integration/categories/network/aws_flow_logs.md index 26971649b9..f53e5d051e 100644 --- a/docs/integration/categories/network/aws_flow_logs.md +++ b/docs/integration/categories/network/aws_flow_logs.md 
@@ -37,17 +37,9 @@ Please follow [this guide](https://docs.aws.amazon.com/vpc/latest/userguide/flow ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `AWS Flowlogs`. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with: - - the [AWS Fetch new Flowlogs on S3 connector](/integration/action_library/aws.md) for plain text files (gzipped included) - - the [AWS Fetch new FlowLogs Parquet records on S3 connector](/integration/action_library/aws.md) for parquet files -2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key, from the intake previously created. -3. Start the playbook and enjoy your events. +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `AWS Flowlogs`. +2. Set up the intake account configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. +3. Set up the intake configuration with the name of the SQS queue. {!_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md!} diff --git a/docs/integration/categories/network/azure_application_gateway.md b/docs/integration/categories/network/azure_application_gateway.md index a499b54275..bc3e308ce1 100644 --- a/docs/integration/categories/network/azure_application_gateway.md +++ b/docs/integration/categories/network/azure_application_gateway.md 
@@ -41,15 +41,8 @@ These instructions are illustrated and more detailed [here](https://learn.micros ### Create the intake in Sekoia.io -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Azure Application Gateway`. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/xdr/features/automate/library/microsoft-azure.md#consume-eventhub-messages) -2. Set up the trigger configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Azure Application Gateway`. +2. Set up the intake configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. {!_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889_sample.md!} diff --git a/docs/integration/categories/network/cato_sase.md b/docs/integration/categories/network/cato_sase.md index c28c7b71b9..6ecdbb9411 100644 --- a/docs/integration/categories/network/cato_sase.md +++ b/docs/integration/categories/network/cato_sase.md 
@@ -43,15 +43,8 @@ In addition to the API key, Cato `account ID` is also required for the Account c ### Create an intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Cato SASE. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Cato SASE](/integration/action_library/cato-networks.md) trigger -2. Set up the module configuration with the Api Key and Account Id. Set up the trigger configuration with the intake key -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Cato SASE. +2. Set up the intake account configuration with the Api Key and Account Id. {!_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da_sample.md!} diff --git a/docs/integration/categories/network/umbrella_dns.md b/docs/integration/categories/network/umbrella_dns.md index dcbf84fc14..d9d1fcc58a 100644 --- a/docs/integration/categories/network/umbrella_dns.md +++ b/docs/integration/categories/network/umbrella_dns.md 
@@ -28,15 +28,9 @@ Once created: ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Cisco Umbrella DNS`. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/aws.md) -2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key, from the intake previously created -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Cisco Umbrella DNS`. +2. Set up the intake account configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. +3. Set up the intake configuration with the name of the SQS queue. {!_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55_sample.md!} diff --git a/docs/integration/categories/network_security/aws_cloudfront.md b/docs/integration/categories/network_security/aws_cloudfront.md index 1e873ba711..4ebca03e3d 100644 --- a/docs/integration/categories/network_security/aws_cloudfront.md +++ b/docs/integration/categories/network_security/aws_cloudfront.md 
@@ -41,12 +41,12 @@ To turn on standard logging for a CloudFront distribution, follow these steps: {!_shared_content/integration/intake_configuration.md!} ### Pull events +#### Create your intake + +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `AWS CloudFront`. +2. Set up the intake account configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the intake configuration with the name of the SQS queue -To start to pull events, you have to: -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new CloudFront logs on S3](/integration/action_library/aws.md). -2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key, from the intake previously created. -3. Start the playbook and enjoy your events. {!_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415_sample.md!} diff --git a/docs/integration/categories/network_security/aws_cloudtrail.md b/docs/integration/categories/network_security/aws_cloudtrail.md index 1fff69a905..cfc040e987 100644 --- a/docs/integration/categories/network_security/aws_cloudtrail.md +++ b/docs/integration/categories/network_security/aws_cloudtrail.md 
@@ -34,13 +34,14 @@ Activate the logging on the trail through the switch button (On/Off) located at {!_shared_content/integration/intake_configuration.md!} ### Pull events +#### Create your intake -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new CloudTrail records on S3 connector](/integration/action_library/aws.md). +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `AWS CloudTrail`. +2. Set up the intake account configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the intake configuration with the name of the SQS queue -Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key, and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key from the previously created intake. !!!important - In the "Trigger Configuration" settings of your Cloudtrail playbook, we recommend using the following configuration by default: chunk_size = `10000`, frequency = `10` and `tick the box` "delete_consumed_messages" that will delete [S3 notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html) of your Amazon Simple Queue Service to avoid duplicates. + In the "intake configuration" settings, we recommend using the following configuration by default: chunk_size = `10000`, frequency = `10` and `tick the box` "delete_consumed_messages" that will delete [S3 notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html) of your Amazon Simple Queue Service to avoid duplicates. Start the playbook and enjoy your events. 
diff --git a/docs/integration/categories/network_security/aws_guardduty.md b/docs/integration/categories/network_security/aws_guardduty.md index d9f8de0c9e..aa2ae6de64 100644 --- a/docs/integration/categories/network_security/aws_guardduty.md +++ b/docs/integration/categories/network_security/aws_guardduty.md @@ -29,12 +29,11 @@ You have to: {!_shared_content/integration/intake_configuration.md!} ### Pull events +#### Create your intake -To start to pull events, you have to: +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `AWS GuardDuty`. +2. Set up the intake account configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the intake configuration with the name of the SQS queue -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/aws.md) -2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue as well as the intake key from the intake previously created -3. Start the playbook and enjoy your events {!_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930_sample.md!} diff --git a/docs/integration/categories/network_security/aws_waf.md b/docs/integration/categories/network_security/aws_waf.md index 44bff17f7d..ce1d1ded0d 100644 --- a/docs/integration/categories/network_security/aws_waf.md +++ b/docs/integration/categories/network_security/aws_waf.md 
@@ -32,12 +32,10 @@ To forward events produced by AWS WAF to S3, you have to: {!_shared_content/integration/intake_configuration.md!} ### Pull events +#### Create your intake -To start to pull events, you have to: - -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/aws.md) -2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key, from the intake previously created -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `AWS WAF`. +2. Set up the intake account configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the intake configuration with the name of the SQS queue {!_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0_sample.md!} diff --git a/docs/integration/categories/network_security/azure_front_door.md b/docs/integration/categories/network_security/azure_front_door.md index f19c62e418..9c1bdc1151 100644 --- a/docs/integration/categories/network_security/azure_front_door.md +++ b/docs/integration/categories/network_security/azure_front_door.md 
@@ -27,15 +27,8 @@ Configure Azure Front door to stream its logs to the EventHub with [this guide]( ### Create the intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Azure Front Door`. - -### Pull events - -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/integration/action_library/microsoft-azure.md#consume-eventhub-messages). - -Set up the trigger configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. - -Start the playbook and enjoy your [events](https://app.sekoia.io/operations/events). +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Azure Front Door`. +2. Set up the intake configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. {!_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987_sample.md!} diff --git a/docs/integration/categories/network_security/bitsight_spm.md b/docs/integration/categories/network_security/bitsight_spm.md index b5f1138672..65f430a625 100644 --- a/docs/integration/categories/network_security/bitsight_spm.md +++ b/docs/integration/categories/network_security/bitsight_spm.md 
@@ -37,15 +37,8 @@ To collect the events from the Cato Networks platform, an API token is required: ### Create an intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Bitsight SPM`. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the `Bitsight SPM` trigger -2. Set up the module configuration with the Api Token and Company UUIds. Set up the trigger configuration with the intake key -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Bitsight SPM`. +2. Set up the intake configuration with the Api Token and Company UUIds. {!_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50_sample.md!} diff --git a/docs/integration/categories/network_security/extrahop_revealx_360.md b/docs/integration/categories/network_security/extrahop_revealx_360.md index fc0746349b..53ba6149b7 100644 --- a/docs/integration/categories/network_security/extrahop_revealx_360.md +++ b/docs/integration/categories/network_security/extrahop_revealx_360.md 
@@ -45,22 +45,7 @@ ExtraHop Reveal(x) 360 is a cloud-based network detection and response platform ### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `ExtraHop Reveal(x) 360`. -2. Copy the associated Intake key - -### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -- Click on **+ PLAYBOOK** button to create a new one -- Select **Create a playbook from scratch** -- Give it a name in the field **Name** -- Open the left panel, click **ExtraHop** then select the trigger `Fetch new alerts from ExtraHop Reveal(x) 360` -- Click on **Create** - -- Create a **Module configuration** using your REST API credentials created on the *How to create REST API credentials* step. Name the module configuration as you wish -- Create a **Trigger configuration** and Type the `Intake key` created on the previous step -- Click on the **Save** button -- **Activate the playbook** with the toggle button on the top right corner of the page +2. Set the intake account configuration using your REST API credentials created on the *How to create REST API credentials* step. ### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events) diff --git a/docs/integration/categories/network_security/lacework_cloud_security.md b/docs/integration/categories/network_security/lacework_cloud_security.md index 503b505c19..7e13059c9a 100644 --- a/docs/integration/categories/network_security/lacework_cloud_security.md +++ b/docs/integration/categories/network_security/lacework_cloud_security.md 
@@ -65,22 +65,8 @@ Download the generated API key file and open it in an editor to view and use the ### Instruction on Sekoia #### Create an intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Lacework Cloud Security` format. - -#### Pull events - -To start to pull events, you have to: - -1. Go to the [Playbook page](https://app.sekoia.io/operations/playbooks). -2. Click on `+ PLAYBOOK` and choose `Create a playbook from scratch`. -3. Give it a name and a description and click on `Next`. -4. In `Choose a trigger`, select `Fetch new logs from Lacework`. -5. On the right sidebar, in "Using which account ?", select `+ Add new account`. -6. Write a `name` and set up the account configuration with the account, the keyId and the secret of your API Key. -7. In the `Trigger Configuration` section, click on `Create new configuration`. -8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Lacework Cloud Security` intake and click on `Save`. -9. On the top right corner, start the Playbook. You should see monitoring messages in the `Trigger logs` section. -10. Check on the [Events page](https://app.sekoia.io/operations/events) that the Lacework logs are being received. +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Lacework Cloud Security` format. +2. Set the intake account configuration with the account, the keyId and the secret of your API Key. {!_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650_sample.md!} diff --git a/docs/integration/categories/network_security/netskope_transaction.md b/docs/integration/categories/network_security/netskope_transaction.md index 763f4461ea..561c5c694d 100644 --- a/docs/integration/categories/network_security/netskope_transaction.md +++ b/docs/integration/categories/network_security/netskope_transaction.md 
@@ -63,34 +63,18 @@ Example of Subcription Endoint: `projects/1023456728636/locations/europe-west3-a | Zone ID | a | ### Instruction on Sekoia +#### Create your intake -!!! Note - The intake you would like to configure is nammed `Netskope Transaction Events`. Not `Netskope Events`. - -{!_shared_content/integration/intake_configuration.md!} - -#### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -- Click on **+ PLAYBOOK** button to create a new one -- Select **Create a playbook from scratch** -- Give it a name in the field **Name** -- Open the left panel, click **Google** then select the trigger `Fetch new transaction events from Netskope` -- Click on **Create** - -- Create a **Trigger configuration** using: +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Netskope Transaction Events`. +2. Set the intake configuration using: * Your service account credentials from your Google Cloud environment extracted on a JSON file * Subscription ID, Cloud Region and Zone ID extracted from the Subscription Endpoint on Netskope Event Streaming section - * Type the `Intake key` created on the previous * Select the `application name` what you to fetch events from * Type the `Admin email` !!! Note Please copy past the whole private key value during the procedure, including the begining and ending separators. -- Click on the **Save** button -- **Activate the playbook** with the toggle button on the top right corner of the page {!_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03_sample.md!} diff --git a/docs/integration/categories/network_security/sophos_threat_analysis_center.md b/docs/integration/categories/network_security/sophos_threat_analysis_center.md index e7aee77dfa..bd8778d333 100644 --- a/docs/integration/categories/network_security/sophos_threat_analysis_center.md 
+++ b/docs/integration/categories/network_security/sophos_threat_analysis_center.md @@ -64,25 +64,13 @@ To enable hydrating the data lake for server: ## Create the intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Sophos Analysis Threat Center. -2. Copy the associated Intake key - -## Pull events - -1. Go to the [Playbook page](https://app.sekoia.io/operations/playbooks). -2. Click on `+ PLAYBOOK` and choose `Create a playbook from scratch`. -3. Give it a name and a description and click on `Next`. -4. In `Choose a trigger`, select the `Query IOC from data lake`. -5. Click on the `Query IOC from data lake` module on the right sidebar and in the `Module Configuration` section, select `Create new configuration`. -6. Write a `name` and paste the `client_id` and `client_secret` from the Sophos console and click on `Save`. +2. Set the intake account configuration with the `client_id` and `client_secret` from the Sophos console. !!! info - If you want to change the region with your own region, you can find your region via **protect devices field**, first click on **Protect Devices**, Then copy link of any download links and finally Check the region that appears as part of the URL. - No need to change the **Oauth2 Authorization Url** for the moment (this's the only endpoint to get a JWT token). -7. In the `Trigger Configuration` section, click on `Create new configuration`. -8. Write a `name`, choose a `frequency` - Default is `60` -, paste the `intake_key` associated to your `Sophos Threat Analysis Center` intake and click on `Save`. -9. On the top right corner, start the Playbook. You should see monitoring messages in the `Logs` section. -10. Check on the Events page that the Sophos logs are being received. +3. In the intake configuration section choose a `frequency` - Default is `60` -. {!_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb_sample.md!} 
diff --git a/docs/integration/categories/network_security/thinkst_canary.md b/docs/integration/categories/network_security/thinkst_canary.md index e4c528aaa4..0a629e4538 100644 --- a/docs/integration/categories/network_security/thinkst_canary.md +++ b/docs/integration/categories/network_security/thinkst_canary.md @@ -37,23 +37,10 @@ Thinkst Canary is a deceptive honeypot device that mimics various systems to lur ### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Thinkst Canary`. -2. Copy the associated Intake key - -### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -- Click on **+ PLAYBOOK** button to create a new one -- Select **Create a playbook from scratch** -- Give it a name in the field **Name** -- Open the left panel, click **Thinkst Canary** then select the trigger `Fetch Thinkst Canary Events` -- Click on **Create** -- Create a **Module configuration** using: +2. Set the intake configuration with the following parameters: - `Base URL`, which should be `https://DOMAINHASH.canary.tools`, where `DOMAINHASH` is your domain hash from the `How to create an API Key` step - `Auth token` from the same step -- Create a **Trigger configuration** using the `Intake key` created on the previous step -- Click on the **Save** button -- **Activate the playbook** with the toggle button on the top right corner of the page + ### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events) diff --git a/docs/integration/categories/network_security/trellix_epo.md b/docs/integration/categories/network_security/trellix_epo.md index 124dda2689..ff7b58ebca 100644 --- a/docs/integration/categories/network_security/trellix_epo.md +++ b/docs/integration/categories/network_security/trellix_epo.md 
@@ -32,15 +32,8 @@ This setup guide will show you how to forward your Trellix ePO events to Sekoia. ### Create an intake -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Trellix. Copy the intake key. - -### Pull events - -To start to pull events, you have to: - -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Trellix](/integration/action_library/trellix.md) trigger -2. Set up the module configuration with the Client Id and Client Secret. Set up the trigger configuration with the intake key -3. Start the playbook and enjoy your events +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Trellix. +2. Set up the intake configuration with the Client Id and Client Secret. {!_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002_sample.md!} diff --git a/docs/integration/categories/network_security/ubika_cloud_protector_alerts.md b/docs/integration/categories/network_security/ubika_cloud_protector_alerts.md index 051b96b92d..580b038965 100644 --- a/docs/integration/categories/network_security/ubika_cloud_protector_alerts.md +++ b/docs/integration/categories/network_security/ubika_cloud_protector_alerts.md 
@@ -46,24 +46,7 @@ To get API keys info: ### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Ubika Cloud Protector`. -2. Copy the associated Intake key - -### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -- Click on **+ PLAYBOOK** button to create a new one -- Select **Create a playbook from scratch** -- Give it a name in the field **Name** -- Open the left panel, click **Ubika** then select the trigger `Fetch new alerts from Ubika Cloud Protector` -- Click on **Create** -- Create a **Trigger configuration** using: - - * Type the `Intake key` created on the previous step - * Type the `provider`, `tenant` and `token` from the `How to get API keys info` step - -- Click on the **Save** button -- **Activate the playbook** with the toggle button on the top right corner of the page +2. Set the intake account configuration with the `provider`, `tenant` and `token` from the `How to get API keys info` step ### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events) diff --git a/docs/integration/categories/network_security/ubika_cloud_protector_traffic.md b/docs/integration/categories/network_security/ubika_cloud_protector_traffic.md index cdee0aac2e..2a6d7e37f9 100644 --- a/docs/integration/categories/network_security/ubika_cloud_protector_traffic.md +++ b/docs/integration/categories/network_security/ubika_cloud_protector_traffic.md 
@@ -40,24 +40,8 @@ To get API keys info: ### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Ubika Cloud Protector`. -2. Copy the associated Intake key +2. Set the intake account configuration with the `provider`, `tenant` and `token` from the `How to get API keys info` step. -### Pull the logs to collect them on Sekoia.io - -Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: - -- Click on **+ PLAYBOOK** button to create a new one -- Select **Create a playbook from scratch** -- Give it a name in the field **Name** -- Open the left panel, click **Ubika** then select the trigger `Fetch new traffic events from Ubika Cloud Protector` -- Click on **Create** -- Create a **Trigger configuration** using: - - * Type the `Intake key` created on the previous step - * Type the `provider`, `tenant` and `token` from the `How to get API keys info` step - -- Click on the **Save** button -- **Activate the playbook** with the toggle button on the top right corner of the page ### Enjoy your events on the [Events page](https://app.sekoia.io/operations/events)
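Review bot: in the Lacework hunk the verification steps (start the collector, watch the `Trigger logs` section, check the Events page) are removed with nothing put in their place, so after new step 2 ("Set the intake account configuration with the account, the keyId and the secret of your API Key.") the reader has no way to confirm events are arriving; close the list with the same "Enjoy your events on the Events page" pointer the other files in this patch keep. The removed step 8 also documented a `frequency` parameter (default `60`), and the Sophos hunk in this same patch keeps that parameter in its new intake-configuration step; if the Lacework intake exposes it too, keep it here rather than dropping it silently.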
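Review bot: in the Netskope hunk new step 1 is missing a word: "create a new intake from the `Netskope Transaction Events`." should read "from the `Netskope Transaction Events` format". The deleted `!!! Note` saying the intake is `Netskope Transaction Events`, not `Netskope Events`, still applies now that the user picks the format directly, so keep it under the new `#### Create your intake` heading. While this list is being touched, the unchanged sub-item "Select the `application name` what you to fetch events from" should read "Select the `application name` you want to fetch events from", and the note below it has "copy past" and "begining" (copy-paste, beginning).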
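Review bot: in the Sophos hunk the `!!! info` admonition now sits between steps 2 and 3 of a numbered list and talks about changing "the region" and the "Oauth2 Authorization Url", but neither field is named in new step 2 ("Set the intake account configuration with the `client_id` and `client_secret` from the Sophos console."), so the reader cannot tell which setting it refers to; name those fields in step 2 or move the admonition after the list. New step 3, "choose a `frequency` - Default is `60` -.", reads better as "choose a `frequency` (default: `60`)." Unchanged step 1 says "format Sophos Analysis Threat Center" while the removed step 8 called the intake `Sophos Threat Analysis Center`, matching the file name; align the format name while here.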
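Review bot: in the Thinkst Canary hunk new step 2 ("Set the intake configuration with the following parameters:") is followed by the two pre-existing `-` items for `Base URL` and `Auth token`; make sure they are indented under the numbered item so they render as a nested list instead of ending the numbered list, and, as in the other files, step 1 "from the `Thinkst Canary`." is missing the word "format".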
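Review bot: in the Trellix hunk the list now ends at step 2 ("Set up the intake configuration with the Client Id and Client Secret.") with no pointer to where the events show up; the removed step 3 was the only verification hint, so add the "Enjoy your events on the Events page" line the other files in this patch keep. The link to `/integration/action_library/trellix.md` goes away with the trigger; if that page still documents the Client Id and Client Secret setup, keep the link in step 2.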
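Review bot: in the Ubika Cloud Protector alerts hunk new step 2 ("Set the intake account configuration with the `provider`, `tenant` and `token` from the `How to get API keys info` step") lacks the final period that the otherwise identical step in the traffic file has, and step 1 "from the `Ubika Cloud Protector`." is missing the word "format".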
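Review bot: in the Ubika Cloud Protector traffic hunk steps 1 and 2 are now identical to the alerts file, and the same "Go to the intake page and create a new intake from the ... format" sentence is repeated in every file touched by this patch; the Netskope hunk removes a shared include, `{!_shared_content/integration/intake_configuration.md!}`, which looks like the natural place to keep that step once instead of copying it. Step 1 here also needs "format" after `Ubika Cloud Protector`.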