Integrations
What is an Integration?
A data source integrated with the Samurai platform. An integration allows us to collect and ingest telemetry data from multiple sources, including network, endpoint and cloud.
What integrations are available?
We have pre-built integrations to a comprehensive array of 3rd party products and services. Select Supported Integrations to view what is available.
For syslog sources, even if events do not match a supported Integration, we will still ingest events into our data lake as a Generic Log Source. You will still be able to process this data using Advanced Query, and include events from generic log sources within your queries.
How do I integrate data sources?
Select Integration for steps that can be taken with integrations within the Samurai MDR application.
Integration Health
Once you have configured Integrations to bring your data into the Samurai platform, you will also want to make sure that your data sources are healthy. For more details on how to maintain Integration health and troubleshoot problems, please read our article about Integration Health.
What’s Next?
Upon completion of your integrations and validation of health, the platform will start collecting and ingesting telemetry data. Dependent on your phase of MDR onboarding our team will be in contact with you.
1 - Supported Integrations
Samurai Integrations facilitate the ingestion of data sources from a wide range of third party vendors. Our Integrations are updated regularly as new and emerging technologies are released.
Each Integration typically requires a configuration guide outlining steps you must follow to integrate your data source to the Samurai platform.
For details such as transport methods and logs collected please refer to each supporting vendor configuration guide by clicking the link in the table or browsing directly to Product Integration Guides.
All supported integrations are categorized according to our Detection Categorization. For further information refer to the following article: Telemetry Data Source Categorization.
If you do not see an integration guide available, please reach out to your NTT contact for further information as we are constantly developing support for additional data sources.
Available configuration guides
In the pipeline
Outlined below are integrations we have in the pipeline however have no committed dates for support. Please contact NTT for further information or if you require additional support.
Vendor | Product |
---|
Nozomi | Guardian |
WithSecure | Elements EDR |
Palo Alto Networks | Prisma Access |
2 - Integration Actions
Select the action you wish to take and jump to the relevant section:
If you are new to integrations you should review Integrations Overview
Create Integration
- From your Samurai MDR application tenant select Integrations from the main menu
- Click Create integration
- Select the product you wish to integrate with the Samurai platform
- Click Next. Dependent on how we collect telemetry, the product may be integrated via a Cloud Collector, a Cloud Native Collector or Local Collector. Follow the steps based on the Collector type:
Cloud Collector
- If the integration is cloud-based it will be added to the Cloud Collector which shall be displayed - Select Next
- Select Configuration Guidewhich will direct you to Samurai documentation outlining how to configure your product and obtain required fields.
- Once you have configured your product, complete the required fields
- Select Finish
Cloud Native Collector
- Your Cloud Native Collector(s) will be listed. Select the Cloud Native Collector that you will integrate the product/service with. If you do not have a Cloud Native Collector listed pr setup, follow the steps in our Samurai Cloud Native Collector article.
- Click Next.
- Your cloud resource information will be displayed for your confirmation and to use if following the configuration guide.
- Click Configuration Guide which will direct you to Samurai documentation outlining how to configure your product/service.
- Click Finish
Local Collector
- Your Local Collector(s) will be listed. Select the Local Collector that you will integrate the product with
- Click Next (typically this is the syslog destination host when configuring your device). If you do not have a Local Collector setup and deployed, follow the steps in our Samurai Local Collector article.
- The Local Collector IP Address will be displayed, copy the IP address or take note of it
- Click Configuration Guide which will direct you to Samurai documentation outlining how to configure your product.
- Based on the product, Extended Data Collection may be displayed, if so jump to Extended Data Collection
- Click Finish
You do not need to follow the steps above for a Local Collector integration, however we advise you follow the steps to determine if extended data collection is available for the product, and if you wish to enable it. You may choose to follow our configuration guides to send logs directly to your Local Collector, the Samurai platform will auto detect the vendor and product for supported integrations. If we do not support the product, your integration will be displayed as ‘unknown’ under the Vendor and Product fields, however the Samurai platform will store the telemetry data.
Extended Data Collection
For many products we are able to collect extended data enhancing our threat detection capabilities and accuracy, for example Packet Capture (PCAP) data. This option will be displayed during configuration of an integration.
- If extended data collection is available for the product, you can choose to enable or disable via the toggle. If you choose to disable, Select Finish
- If you choose to enable extended data collection you must complete all the necessary fields. The parameters for each field are derived from following the associated product configuration guide. Once complete, Select Finish.
You can choose to follow the configuration guide at anytime during the process, however if your product is not configured, the Samurai platform will obviously not receive any telemetry.
All third-party product configuration guides can be found HERE
View Integration
There are multiple methods of viewing your integrations.
If you wish to view integrations associated with a specific collector:
- From your Samurai MDR application tenant select Collectors
- Select the relevant Collector
- All integrations associated with the Collector will be displayed with associated information
You can also view all integrations regardless of collector:
- Select Integrations in the main menu
- All of your Integrations will be listed
A single product integration may be displayed multiple times based on telemetry data ingested. For example, if you enabled Extended Data Collection whilst creating an integration the individual product will be displayed multiple times with different Type fields associated - see below for further explanation.
What are all the Integration fields?
Status: Color indication of integration status
Status Description: description of the status
ID: Universally Unique Identifier (UUID) for integration
Vendor: vendor name of the product
Product: product name
Type: integration type used to gather or ingest telemetry. Potential entries you could see here include:
- Log: displayed when a telemetry source sends logs (typically via syslog).
- Local: displayed when we leverage an API from the local collector to gather telemetry
- Cloud: displayed when we leverage an API from a Samurai XDR cloud collector to gather telemetry
- **Cloud Native:**displayed when we leverage a Cloud Native collector to ingest data from your cloud storage
Name: integration name you provided during configuration
IP Address: IP address of the host
Collector: the collector name associated with the integration
Description: an optional description you provided during integration configuration
Last Event Seen: the last event seen from the telemetry source in the format [yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC).
Created: date and time of integration creation in the format[yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC).
Select Columns to enable or disable visible fields and Filters to filter on fields.
Views
You can save filters you set through views. This is useful if, for example, you have a large number of integrations and wish to view only specific products or types of integration.
Click Views to save/reset/delete your different filters. Once saved you can toggle between views.
View Integration Configuration
There are multiple methods of viewing your integration configuration. If you wish to view integration configuration associated with a specific Collector:
- From your Samurai MDR application select Collectors
- Select the relevant collector for your list
- All integrations associated with the collector will be displayed
You can also view all integration configuration regardless of collector:
- Select Integrations in the main menu on the left of the screen
- Find and Select your integrated product
- Configuration parameters will be displayed
View Integration Status
There are multiple methods of viewing your Integration status.
If you wish to view integration status associated with a specific Collector:
- From the Samurai MDR application select Collectors
- Select the relevant collector from your list
- All integrations listed related to the collector will be displayed with status color and description (if enabled)
You can also view status of all integrations regardless of collector:
- From your Samurai MDR application select Integrations
- All integrations shall be displayed with a status color and description (if enabled)
Potential status displayed are included in the table below:
Status | Description |
---|
Not Available | Unsuccessful or failed |
Not-Healthy | One of more components unhealthy |
Healthy | All components healthy |
Provisioning | Telemetry components installing / provisioning |
For more information about Integration status, please see the article on how to manage Integration Health.
Delete Integration
If you delete an integration, it cannot be reversed! however events from the telemetry source will remain within Samurai. However if the integration is auto-detected, it will reappear as type log if your telemetry source remains sending logs.
If you wish to delete an integration associated with a specific Collector:
- From your Samurai MDR application select Collectors
- Select the relevant collector from your list
- You will now see all integrations associated with the collector
- Select your integrations
- On the right hand side of the relevant integration, click on (more options) and select Delete Integration
- The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’. To ensure you intended to delete the integration you will need to type in the highlighted ‘Integration’s Hostname’ and select Delete Integration
You can also delete from the Integrations menu item:
- Select Integrations in the main menu
- Find and select your integrated product
- Select Delete Configuration by clicking on (more options)
- See step 5 above!
3 - Generic Log Sources
While we make an effort to support a wide variety of Integrations and different types of log sources, it is always possible that there may be a type of log source that you would like to ingest into the Samurai platform which we are not able to parse and analyze. This is especially true for events generated via syslog log sources.
The fact that we are not able to use a log source for detections doesn’t mean that it won’t still be useful to ingest it into the Samurai platform. We will ingest any event data, provided via syslog, into our data lake and you will still be able to analyze that event data using Advanced Query. This allows you to include events from generic log sources when you are performing queries.
If a log source, ingested via syslog, does not match one of our supported integrations, we will ingest the log events, which will still contain, amongst others, the following fields:
- timestamp: the time at which the log message was ingested
- collector: the id of the collector which ingested the event
- host: the source host from which the event was received
- raw: the complete raw log message
You can then proceed to query these events using Advanced Query. For example, the following KQL query finds all the attempts to connect to a host using invalid user ids and then counts the attempts by source IPv4 or IPv6 address:
events | where host == "10.1.1.1" and (raw contains "Invalid" or raw contains "failed") and raw !contains "connect"| project timestamp, user = extract("user ([a-zA-Z0-9\\-]+) from ", 1, raw), ipaddr = extract(".+ ([0-9a-f]+[\\:\\.][0-9a-f\\.\\:]+) ", 1, raw) | summarize num_attempts = count() by ipaddr| order by num_attempts
The output is ordered by the number of attempts from each IP address, producing a table like the following: