Samurai [Local] Collector | Samurai [Cloud] Collector |
---|---|
To complete this Integration you will need to:
1) Ensure Connectivity Requirements are in place
2) From the FireEye HX Console:
- Create Users
- Acquisition Setting
- Enable Auto Triage
- Data Acquisition Script Setting
- Configuration for Log Collection
- Polling Configuration
3) From the Samurai MDR portal:
Connectivity Requirements
Source | Destination | Port | Description |
---|---|---|---|
Samurai Local Collector | Trellix Endpoint Security Server | TCP/443 | API access |
Trellix Endpoint Security Server | Samurai Local Collector | UDP/514 TCP/514 | Log forwarding |
Create Users
Perform the following steps:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Appliance Settings
- Click User Accounts and specify the following information to create a new user account for NTT:
Account | Parameter |
---|---|
User Name | you choose however we recommend: api_analyst_ntt |
Role | api_admin |
Password | [Set secure password] |
Verify the logins using the above accounts as you will need this information to Complete the Trellix Endpoint Security (HX) Integration
Acquisition Setting
Configure the Acquisition setting to enable triage file retrieval:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Acquisition Settings
- Turn on File & Data Acquisition.
- Click Save.
Enable Auto Triage
Configure the auto triage setting to make triage files available in the HX instance:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Triage Settings
- On the Automatic Triages settings page, toggle the Triage Settings switch to ON
- Click Save.
Data Acquisition Script Setting
Configure the Data Acquisition setting to enable event log retrieval:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Data Acquisition Scripts
- Click Standard Investigative Details.
- On the Script Description page, click ACTIONS and select Edit
- Click Event Logs and then enable Security logs in the Windows event logs section.
- Click Save.
Configuration for Log Collection
Configure a syslog server (the Samurai Local Collector) using the CLI.
# show logging
Local logging level: notice
Override for class cef: none
Remote syslog default level: notice.
- Go to CLI Configuration mode and enter the following commands to configure syslog:
hostname > enable
hostname # configure terminal
hostname (config) # logging [IP Address of your Local Collector] trap none
hostname (config) # logging [IP Address of your Local Collector] trap overrride class cef
priority info
hostname # logging [IP Address of your Local Collector] protocol tcp
hostname (config) # (config) # write memory
- Configure RFC-3339 Time Format
hostname > enable
hostname # configure terminal
hostname (config) # logging fields timestamp format rfc-3339
hostname (config) # (config) # write memory
Polling Configuration
This configuration is not mandatory but recommended to configure certain parameters in order to fully align with our service.
Perform the following steps:
- Login to the Endpoint Security Web UI with admin access
- Navigate to Admin > Policies
- From the Policies page, click Agent Default policy to edit the policy
- From the Edit Policy page, select Polling and overwrite the parameters highlighted in the table below
Parameters | Time |
---|---|
① Polling agents | 1 minute |
② Fastpoll agents | 30 seconds |
③ Request sysinfo | 10 minutes |
④ Poll for agent config | 15 minutes |
- Click Save to apply the configuration
Complete the Trellix Endpoint Security (HX) Integration
Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Click Create
Find and select Trellix Endpoint Security (HX)
Select the intended Samurai Local Collector
You will be presented with the Local Collector IP Address on the left of the screen
To configure Extended Telemetry Collection ensure it is enabled via the toggle
Enter the following information:
- Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
- Description (optional) - if completed will appear in the Samurai MDR portal for you to easily reference)
- Devicename - an arbitrary name to identify FireEye HX
- Username - enter a username (created under Create Users)
- Password - specify password to use (created under Create Users)
- Hostname / IP - IP address or hostname of the manager
- Custom Port (optional)- if you have changed the default port enter the port number, if not, we default to 443
Click on Finish
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.