1 - Telemetry Monitoring

It is important to understand and keep track of the health of Integrations you have configured.

The Samurai platform monitors telemetry ingested from your integrations and displays the applicable status (refer to View Integration Status). If no events are received for a set period, the integration is highlighted within the Telemetry Monitoring view, and an email notification is triggered after 24 hours.

Note: For an integration to be monitored (and eligible for notifications), the Samurai platform must receive event data consistently every hour over a 24-hour period. This is because accurate monitoring cannot be guaranteed for telemetry sources that log intermittently.

Access Telemetry Monitoring

Click Telemetry and select Telemetry Monitoring from the main menu.

Figure 1: Telemetry monitoring menu and visual indicator  

Note: A visual indicator is displayed beside the Telemetry Monitoring menu item showing the total number of integrations that may require attention.

Figure 2: Example telemetry monitoring table

Telemetry Monitoring View

The Telemetry Monitoring view displays summary information (as applicable):

  • Number of integrations with no events seen in the last 24 hours by the Samurai platform
  • Number of integrations with no events seen in the last 12 hours by the Samurai platform
  • Number of unknown (unsupported) integrations
  • Number of provisioning integrations
  • Number of healthy integrations

Figure 3: Example summary information

Telemetry Monitoring Table

Integrations are displayed in the table if the Samurai platform has not received any events in the last 12 hours.

Figure 4: Example detail table

The list shows the details of the integrated telemetry sources which are considered unhealthy as per the table below:

Status | Description
No events seen in last 12 hours | The Samurai platform has not seen any events in the last 12 hours
No events in last 24 hours | The Samurai platform has not seen any events in the last 24 hours - this triggers an email notification for supported integrations

Clicking on the Integration will navigate you to the Integration Details. For integrations of type Log an events graph will be displayed which may help in troubleshooting.

Note: For information on Integration types refer to What are the Integration fields? in the Integration Actions article.

The table may also display:

  • Unsupported integrations

    • These integrations are displayed with Product and Vendor set to unknown. For your convenience the Samurai platform still monitors these telemetry event sources but does not send email notifications.
    • Info will display the following: This integration is currently not supported and will not trigger a notification if it stops sending events.
  • Integrations where the Samurai platform ingests events intermittently

    • If the Samurai platform does not receive events every hour over any 24 hour period, the integration will still be displayed but will not trigger a notification.
    • Info will display the following: This integration does not send enough events to trigger a notification if it stops sending events altogether.

The above integrations are marked with an Info icon; hovering over it displays the applicable text quoted above.

You may prefer to remove integrations that will never trigger notifications from the view. Hide Log Integrations provides this functionality.

Hide Log Integrations

Only integrations of type Log can be hidden. These are telemetry sources that typically send event data via syslog consistently. Example reasons why you may want to hide an integration include:

  • It is an unsupported/generic log source integration.
  • You do not want to receive email notifications if there is an issue with telemetry ingestion to the Samurai platform.

To hide an integration from the Telemetry Monitoring view:

  1. Find the relevant Log integration within the table
  2. Click on more options to the left of the integration and select Hide integration
  3. A Hide Log Integration window will be displayed warning you that it will be removed from the Integrations and Telemetry Monitoring pages. Click Confirm

To view hidden integrations from the Telemetry Monitoring view:

  1. Click on more options at the top right of the window and select Hidden log integrations
  2. A Hidden Log Integrations window will be displayed
  3. The integrations will display an Info icon; hovering over it displays the following: Notifications for this integration have been disabled

Unhide Log Integrations

To unhide log integrations from the Telemetry Monitoring view:

  1. Click on more options at the top right of the window and select Hidden log integrations
  2. A Hidden Log Integrations window will be displayed
  3. Find the relevant hidden integration
  4. Click on more options within the integrations table and select Unhide integration

Note: Hide, view and unhide functionality is also available within the Integrations view.

Muted Integration

Muted integrations do not send an email notification if there is an issue with telemetry ingestion to the Samurai platform. An integration is muted based on one of the categories mentioned above (unsupported, or sends events intermittently). The Telemetry Monitoring view displays muted integrations by default. For convenience you can stop displaying muted integrations in the Telemetry Monitoring view:

  1. Click on more options at the top right of the window and deselect Show muted integrations

If you have hidden a log integration it will not be displayed when Show muted integrations is enabled.

Telemetry Monitoring Notifications

Samurai will send email notifications to registered application users if no events are seen for an integration over 24 hours. You can opt-in to receive notifications by raising a request via the Samurai MDR portal or in discussion with the SOC during MDR onboarding.

Note: The Samurai platform does not send notifications for unsupported (displayed as unknown) integrations or for integrations that send event data intermittently.
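The rules above (status flips at 12 and 24 hours without events; a notification only at 24 hours, only for supported integrations that logged every hour of a 24-hour baseline, and never for hidden or muted ones) are easy to get wrong when reasoning about why a source did or did not generate an email. The following is an added example written for this page, not Samurai platform code: it models those rules over constructed integrations. The integration names, the "now" timestamp and the assumption that the 24-hour baseline is the 24 hours ending at the last event seen are all the example's own, not taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

STATUS_HEALTHY = "Healthy"
STATUS_12H = "No events seen in last 12 hours"
STATUS_24H = "No events in last 24 hours"
STATUS_UNKNOWN = "Unknown"


@dataclass
class Integration:
    name: str
    vendor: str
    product: str
    events: List[datetime]      # UTC timestamps of events the platform received
    hidden: bool = False        # "Hide integration" applied (Log type only)
    muted: bool = False         # muted: still monitored, never notified


def status_for(last_seen: Optional[datetime], now: datetime) -> str:
    """Map the time since the last event to the status text shown in the portal."""
    if last_seen is None:
        return STATUS_UNKNOWN
    gap = now - last_seen
    if gap >= timedelta(hours=24):
        return STATUS_24H
    if gap >= timedelta(hours=12):
        return STATUS_12H
    return STATUS_HEALTHY


def sends_consistently(events: List[datetime], window_end: datetime) -> bool:
    """True when every one of the 24 one-hour buckets ending at window_end holds
    at least one event, i.e. the source logs "every hour over a 24 hour period".
    Assumption (not stated on the page): the baseline is the 24 hours ending at
    the last event seen, so a source that went quiet is judged on how it behaved
    before it stopped."""
    start = window_end - timedelta(hours=24)
    buckets = {int((window_end - t).total_seconds() // 3600)
               for t in events if start < t <= window_end}
    return len(buckets) == 24


def evaluate(integ: Integration, now: datetime) -> dict:
    """Status plus the reasons (Info texts, paraphrased) that suppress a notification."""
    last_seen = max(integ.events) if integ.events else None
    status = status_for(last_seen, now)
    info = []
    if integ.vendor == "unknown" or integ.product == "unknown":
        info.append("unsupported: will not trigger a notification")
    elif last_seen is not None and not sends_consistently(integ.events, last_seen):
        info.append("does not send enough events to trigger a notification")
    if integ.hidden:
        info.append("hidden: removed from Integrations and Telemetry Monitoring views")
    if integ.muted:
        info.append("muted: notifications disabled")
    # Email goes out only at the 24 h mark and only when nothing suppresses it.
    notify = status == STATUS_24H and not info
    return {"name": integ.name, "status": status, "notify": notify, "info": info}


def evaluate_all(integrations: List[Integration], now: datetime) -> List[dict]:
    return [evaluate(i, now) for i in integrations]


def hourly(last: datetime, hours: int, step_hours: int = 1) -> List[datetime]:
    """Constructed event timestamps: one every step_hours, ending at `last`."""
    return [last - timedelta(hours=k) for k in range(0, hours, step_hours)]


# Constructed sample data; "now" and the integrations are made up for the example.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
SAMPLE = [
    Integration("fw-edge", "Fortinet", "FortiGate Next-Generation Firewall", hourly(NOW - H, 48)),
    Integration("proxy", "Squid", "Squid Cache", hourly(NOW - 13 * H, 48)),
    Integration("dc01", "Microsoft", "Windows Event Log", hourly(NOW - 25 * H, 48)),
    Integration("legacy-app", "unknown", "unknown", hourly(NOW - 25 * H, 48)),
    Integration("batch-job", "Linux", "Authentication Logs", hourly(NOW - 25 * H, 48, step_hours=6)),
    Integration("lab-proxy", "Squid", "Squid Cache", hourly(NOW - 25 * H, 48), muted=True),
]

if __name__ == "__main__":
    for r in evaluate_all(SAMPLE, NOW):
        flag = "NOTIFY" if r["notify"] else "-"
        print(f'{r["name"]:<11} {r["status"]:<32} {flag:<7} {"; ".join(r["info"])}')
```

Running it shows that of the four sources that stopped 25 hours ago only dc01 produces a notification: legacy-app is unknown/unknown, batch-job only logged every six hours, and lab-proxy is muted. If a real integration shows "No events in last 24 hours" without an email, check it against these same three conditions first.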

If you want additional information on Integration health, please review How do I know if my integration is functioning?

2 - Integrations

What is an Integration?

A data source integrated with the Samurai platform. An integration allows us to collect and ingest telemetry data from multiple sources, including network, endpoint and cloud.

What integrations are available?

We have pre-built integrations to a comprehensive array of 3rd party products and services. Select Supported Integrations to view what is available.

For syslog sources, even if events do not match a supported Integration, we will still ingest events into our data lake as a Generic Log Source. You will still be able to process this data using Advanced Query, and include events from generic log sources within your queries.

How do I integrate data sources?

Select Integration for steps that can be taken with integrations within the Samurai MDR portal.

Integration Health

Once you have configured Integrations to bring your data into the Samurai platform, you will also want to make sure that your data sources are healthy. For more details on how to maintain Integration health and troubleshoot problems, please read our article about Integration Health.

What’s Next?

Upon completion of your integrations and validation of health, the platform will start collecting and ingesting telemetry data. Dependent on your phase of MDR onboarding our team will be in contact with you.

2.1 - Supported Integrations

Samurai Integrations facilitate the ingestion of data sources from a wide range of third party vendors. Our Integrations are updated regularly as new and emerging technologies are released.

Each Integration typically requires a configuration guide outlining steps you must follow to integrate your data source to the Samurai platform.

For details such as transport methods and logs collected please refer to each supporting vendor configuration guide by clicking the link in the table or browsing directly to Product Integration Guides.

All supported integrations are categorized according to our Detection Categorization. For further information refer to the following article: Telemetry Data Source Categorization.

Note: If you do not see an integration guide available, please reach out to your NTT contact for further information, as we are constantly developing support for additional data sources.

Available configuration guides

Vendor | Product | Detection Category
Apache | HTTP Server | Enrichment
Aruba Networks | ClearPass | Enrichment
Blackberry (Cylance) | Cylance PROTECT | Enrichment
Check Point | Next-Generation Firewall | Foundation
Cisco | IOS Routers & Switches | Enrichment
Cisco | Identity Services Engine (ISE) | Enrichment
Cisco | Meraki MX Security Appliances | Detection
Cisco | Secure Endpoint | Foundation
Cisco | Secure Firewall (ASA Appliances) | Foundation
Cisco | Secure Firewall (Firepower Threat Defense) | Foundation
Cisco | Umbrella | Foundation
Citrix | Netscaler | Enrichment
Claroty | Continuous Threat Detection (CTD) | Foundation
Claroty | xDome | Detection
Crowdstrike | Falcon Insight | Foundation
Cyber-Ark | Privileged Access Security (PAS) | Enrichment
ESET | Protect | Detection
F5 | BIG-IP Local Traffic Manager (LTM) | Detection
Fortinet | FortiAnalyzer | Foundation
Fortinet | FortiGate Next-Generation Firewall | Foundation
Fortinet | FortiWeb Web Application Firewall | Detection
GestioIP | IP Address Management (IPAM) | Enrichment
Google | Workspace | Enrichment
InfoBlox | DDI | Detection
Linux | Authentication Logs | Enrichment
Microsoft | Azure Application Gateway | Detection
Microsoft | Azure Activity Logs | Enrichment
Microsoft | Azure Firewall | Detection
Microsoft | Azure Virtual Networks (NSG Flow) | Enrichment
Microsoft | Defender for Endpoint | Foundation
Microsoft | Defender Advanced Hunting | Foundation
Microsoft | Entra ID | Enrichment
Microsoft | Graph Security | Detection
Microsoft | Internet Information Services (IIS) | Detection
Microsoft | Office 365 | Enrichment
Microsoft | DHCP Server | Enrichment
Microsoft | DNS Server | Detection
Microsoft | Windows Event Log | Enrichment
Palo Alto Networks | Cortex XDR Pro | Foundation
Palo Alto Networks | Next Generation Firewall | Foundation
Palo Alto Networks | Panorama | Foundation
PowerDNS | Recursor | Detection
ProofPoint | Targeted Attack Protection | Detection
Samba | Samba Active Directory | Enrichment
Squid | Squid Cache | Foundation
Sophos | Sophos Central (Intercept X) | Detection
Trellix | Endpoint Security (ENS) | Foundation
Trellix | Endpoint Security (HX) | Foundation
Trend Micro | Vision One | Detection
VMware | Carbon Black Cloud Enterprise EDR | Foundation
Watchguard | Firebox | Detection
Zscaler | Internet Access (ZIA) | Detection

In the pipeline

Outlined below are integrations we have in the pipeline; however, there are no committed dates for support. Please note that any integration may be influenced by changing business opportunities and client requirements. Please contact NTT for further information or if you require additional support.

Vendor | Product
Nozomi | Guardian

2.2 - Integration Actions

Select the action you wish to take and jump to the relevant section:

Note: If you are new to integrations you should review Integrations Overview.

Create Integration

  1. From your Samurai MDR portal tenant click Telemetry and select Integrations from the main menu
  2. Click Create integration
  3. Select the product you wish to integrate with the Samurai platform
  4. Click Next. Dependent on how we collect telemetry, the product may be integrated via a Cloud Collector, a Cloud Native Collector or Local Collector. Follow the steps based on the Collector type:

Cloud Collector

  1. If the integration is cloud-based it will be added to the Cloud Collector, which will be displayed. Select Next
  2. Select Configuration Guide which will direct you to Samurai documentation outlining how to configure your product and obtain required fields.
  3. Once you have configured your product, complete the required fields
  4. Select Finish

Cloud Native Collector

  1. Your Cloud Native Collector(s) will be listed. Select the Cloud Native Collector that you will integrate the product/service with. If you do not have a Cloud Native Collector listed, follow the steps in our Samurai Cloud Native Collector article.
  2. Click Next
  3. Your cloud resource information will be displayed for your confirmation and to use if following the configuration guide.
  4. Click Configuration Guide which will direct you to Samurai documentation outlining how to configure your product/service.
  5. Click Finish

Local Collector

  1. Your Local Collector(s) will be listed. Select the Local Collector that you will integrate the product with (typically this is the syslog destination host when configuring your device). If you do not have a Local Collector set up and deployed, follow the steps in our Samurai Local Collector article.
  2. Click Next
  3. The Local Collector IP address will be displayed; copy the IP address or take note of it.
  4. Click Configuration Guide which will direct you to Samurai documentation outlining how to configure your product.
  5. Based on the product, Extended Data Collection may be displayed; if so, jump to Extended Data Collection.
  6. Click Finish

Note: You do not need to follow the steps above for a Local Collector integration; however, we advise you to follow them to determine whether extended data collection is available for the product and whether you wish to enable it. You may choose to follow our configuration guides to send logs directly to your Local Collector; the Samurai platform will auto-detect the vendor and product for supported integrations. If we do not support the product, your integration will be displayed as unknown under the Vendor and Product fields, but the Samurai platform will still store the telemetry data.

Extended Data Collection

For many products we are able to collect extended data enhancing our threat detection capabilities and accuracy, for example Packet Capture (PCAP) data. This option will be displayed during configuration of an integration.

  1. If extended data collection is available for the product, you can choose to enable or disable via the toggle. If you choose to disable, Select Finish
  2. If you choose to enable extended data collection you must complete all the necessary fields. The parameters for each field are derived from following the associated product configuration guide. Once complete, Select Finish

Note: You can choose to follow the configuration guide at any time during the process; however, until your product is configured the Samurai platform will not receive any telemetry.

Note: All supported third-party product configuration guides can be found here.

View Integration

There are multiple methods of viewing your integrations.

If you wish to view integrations associated with a specific collector:

  1. From your Samurai MDR portal tenant click Telemetry and select Collectors from the main menu
  2. Select the relevant Collector
  3. All integrations associated with the Collector will be displayed with associated information

You can also view all integrations regardless of collector:

  1. Click Telemetry and select Integrations in the main menu
  2. All of your Integrations will be listed

Note: A single product integration may be displayed multiple times based on the telemetry data ingested. For example, if you enabled Extended Data Collection whilst creating an integration, the individual product will be displayed multiple times with different Type fields associated - see below for further explanation.

What are the Integration fields?


  • Status: Color indication of integration status

  • Status Description: Description of the status

  • Info: An info icon will be displayed if:

    • the integration is unsupported (unknown Vendor and Product)
    • the integration does not send enough events to trigger a telemetry monitoring notification. Refer to Telemetry Monitoring for additional information
  • ID: Universally Unique Identifier (UUID) for integration

  • Vendor: Vendor name of the product

  • Product: Product name

  • Type: Integration type used to gather or ingest telemetry. Potential entries you could see here include:

    • Log: Displayed when a telemetry source sends logs (typically via syslog)
    • Local: Displayed when we leverage an API from a Samurai local collector to gather telemetry
    • Cloud: Displayed when we leverage an API from a Samurai cloud collector to gather telemetry
    • Cloud Native: Displayed when we leverage a cloud native collector to ingest data from your cloud storage
  • Name: Integration name you provided during configuration

  • IP Address: IP address of the host

  • Collector: Collector name associated with the integration

  • Description: Optional description you provided during integration configuration

  • Last Event Seen: The last event seen from the telemetry source in the format [yyyy:mm:dd], [hh:mm:ss], with time in Coordinated Universal Time (UTC).

  • Created: Date and time of integration creation in the format [yyyy:mm:dd], [hh:mm:ss], with time in Coordinated Universal Time (UTC).

Note: Select Columns to enable or disable visible fields and Filters to filter on fields.

Views

You can save filters you set through views. This is useful if, for example, you have a large number of integrations and wish to view only specific products or types of integration.

Click Views to save/reset/delete your different filters. Once saved you can toggle between views.


View Integration Details

There are multiple methods of viewing your integration details. If you wish to view integration details associated with a specific Collector:

  1. From your Samurai MDR portal click Telemetry and select Collectors from the main menu
  2. Select the relevant collector from your list
  3. All integrations associated with the collector will be displayed
  4. Find and click on your integrated product

You can also view all integration configuration regardless of collector:

  1. Click Telemetry and select Integrations from the main menu
  2. Find and click your integrated product
  3. Configuration parameters will be displayed

For integrations of type Log an events graph will be displayed. This is a useful indicator of the number of events over a given period and may show spikes and drops in events.

You can also pivot directly into Advanced Query by selecting the magnifying glass icon to view the underlying event data.

Clicking the time period lets you change the events graph to a specific date and time range. The default is Last 7 days; Quick time ranges are also available, or you can specify a custom date and time period.

Note: You can edit and update the integration description to help you keep track of your integrations.

View Integration Status

There are multiple methods of viewing your Integration status.

If you wish to view integration status associated with a specific Collector:

  1. From the Samurai MDR portal click Telemetry and select Collectors from the main menu
  2. Select the relevant collector from your list
  3. All integrations listed related to the collector will be displayed with status color and description (if enabled)

You can also view status of all integrations regardless of collector:

  1. From your Samurai MDR portal click Telemetry and select Integrations from the main menu
  2. All integrations shall be displayed with a status color and description (if enabled)

Potential status displayed are included in the table below:

Status | Description
Provisioning | Telemetry components installing / provisioning
Unknown | The Samurai platform is unable to determine a status
Healthy | All components healthy
No events seen in last 12 hours | The Samurai platform has not seen any events in the last 12 hours
No events in last 24 hours | The Samurai platform has not seen any events in the last 24 hours - this typically triggers an email notification

For more information about Integration status, please see the article on how to manage Integration Health.

Hide Integration

Hiding an integration removes it from the integrations displayed and also from the Telemetry Monitoring view. Additionally, if the integration is supported and the Samurai platform ingests no events, you will not receive an email notification.

Only integrations of type Log can be hidden. Some reasons why you may want to hide an integration include:

  • You may want to hide all of your unsupported/generic log source integrations. The Samurai platform does monitor unsupported integrations for your convenience, but does not notify you if events are not seen in 24 hours.
  • You do not want to receive any notifications if there is an issue with telemetry ingestion to the Samurai platform.

To hide an integration:

  1. Click Telemetry and select Integrations from the main menu
  2. Find the relevant Log integration
  3. Click on more options within the integrations table and select Hide integration
  4. A Hide Log Integration window will be displayed, click Confirm

To view any hidden integrations:

  1. Click Telemetry and select Integrations from the main menu
  2. Click more options at the top right of the window and select Hidden log integrations
  3. A Hidden Log Integrations window will be displayed

Unhide Integration

  1. Click Telemetry and select Integrations from the main menu
  2. Click more options at the top right of the window and select Hidden log integrations
  3. A Hidden Log Integrations window will be displayed
  4. Find the relevant hidden integration
  5. Click on more options within the integrations table and select Unhide integration

Note: Hide, view and unhide functionality is also available within the Telemetry Monitoring view.

Delete Integration

Note: Deleting an integration cannot be reversed, but events from the telemetry source will remain within the Samurai platform. If the integration was auto-detected, it will reappear as type Log if your telemetry source continues to send logs.

If you wish to delete an integration associated with a specific Collector:

  1. From your Samurai MDR portal click Telemetry and select Collectors from the main menu
  2. Select the relevant collector from your list
  3. You will now see all integrations associated with the collector
  4. Select your integration
  5. On the right hand side of the relevant integration, click on more options and select Delete Integration
  6. The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’ To confirm you intend to delete the integration you will need to type in the highlighted ‘Integration’s Hostname’ and select Delete Integration

You can also delete from the Integrations menu item:

  1. Click Telemetry and select Integrations from the main menu
  2. Find and select your integrated product
  3. On the right hand side of the relevant integration, click on more options and select Delete Integration

2.3 - Generic Log Sources

While we make an effort to support a wide variety of Integrations and different types of log sources, it is possible that there may be a log source that you would like to ingest into the Samurai platform which we are not able to parse and analyze. This is especially true for events generated via syslog log sources.

The fact that we are not able to use a log source for detections doesn’t mean that it won’t still be useful to ingest into the Samurai platform. We will ingest any event data, provided via syslog (sent to a Samurai local collector), into our data lake and you will still be able to analyze that event data using Advanced Query. This allows you to include events from generic log sources when you are performing queries.

Note: If you configure an unsupported log source to send syslog to a Samurai local collector, it will be displayed in the Samurai MDR portal with Vendor and Product set to unknown. You can, however, provide a description to help keep track of them. Refer to Integration Actions for providing a description.

If a log source, ingested via syslog, does not match one of our supported integrations, we will ingest the log events, which will still contain, amongst others, the following fields:

  • timestamp: the time at which the log message was ingested
  • collector: the id of the collector which ingested the event
  • host: the source host from which the event was received
  • raw: the complete raw log message

You can then proceed to query these events using Advanced Query. For example, the following KQL query finds all the attempts to connect to a host using invalid user ids and then counts the attempts by source IPv4 or IPv6 address:

events
| where host == "10.1.1.1"
    and (raw contains "Invalid" or raw contains "failed")
    and raw !contains "connect"
| project timestamp,
    user = extract("user ([a-zA-Z0-9\\-]+) from ", 1, raw),
    ipaddr = extract(".+ ([0-9a-f]+[\\:\\.][0-9a-f\\.\\:]+) ", 1, raw)
| summarize num_attempts = count() by ipaddr
| order by num_attempts

The output is ordered by the number of attempts from each IP address, producing a two-column table of ipaddr and num_attempts.
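To see what the query above actually extracts, here is an added Python re-creation of it (not Samurai code and not an Advanced Query feature), run over constructed events that carry the four fields listed above for generic log sources. The `where` clause, the two extract() regexes and the summarize/order are the page's; the sample sshd-style messages, the collector id and the host address of the second machine are constructed for the example. KQL `contains` and `!contains` are case-insensitive, which the Python filter reproduces.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# The page's two extract() patterns, unchanged.
USER_RE = re.compile(r"user ([a-zA-Z0-9\-]+) from ")
IPADDR_RE = re.compile(r".+ ([0-9a-f]+[:.][0-9a-f.:]+) ")


def matches_filter(event: Dict[str, str], host: str = "10.1.1.1") -> bool:
    """The `where` clause. KQL contains/!contains are case-insensitive, so
    lower-case the raw message before testing."""
    raw = event["raw"].lower()
    return (event["host"] == host
            and ("invalid" in raw or "failed" in raw)
            and "connect" not in raw)


def project(event: Dict[str, str]) -> Dict[str, str]:
    """The `project` clause: capture group 1 of each regex, "" when unmatched.
    The greedy `.+` makes the ipaddr pattern pick the right-most token that
    contains ':' or '.', which is why a syslog timestamp is never captured."""
    user = USER_RE.search(event["raw"])
    ip = IPADDR_RE.search(event["raw"])
    return {"timestamp": event["timestamp"],
            "user": user.group(1) if user else "",
            "ipaddr": ip.group(1) if ip else ""}


def failed_logins_by_ip(events: List[Dict[str, str]],
                        host: str = "10.1.1.1") -> List[Tuple[str, int]]:
    """summarize num_attempts = count() by ipaddr | order by num_attempts
    (descending). Ties are broken by address here to keep the output stable."""
    counts = Counter(project(e)["ipaddr"] for e in events if matches_filter(e, host))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def _ev(ts: str, host: str, raw: str) -> Dict[str, str]:
    return {"timestamp": ts, "collector": "collector-01", "host": host, "raw": raw}


# Constructed events in the shape the page lists for generic log sources
# (timestamp, collector, host, raw). The raw text mimics OpenSSH sshd messages.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:01Z", "10.1.1.1", "sshd[2201]: Invalid user admin from 203.0.113.5 port 51234"),
    _ev("2024-05-01T10:00:03Z", "10.1.1.1", "sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"),
    _ev("2024-05-01T10:00:04Z", "10.1.1.1", "sshd[2201]: Connection closed by invalid user admin 203.0.113.5 port 51234 [preauth]"),
    _ev("2024-05-01T10:02:10Z", "10.1.1.1", "sshd[2210]: Invalid user test from 2001:db8::1 port 40000"),
    _ev("2024-05-01T10:03:00Z", "10.1.1.1", "sshd[2215]: Failed password for root from 198.51.100.7 port 2222 ssh2"),
    _ev("2024-05-01T10:04:00Z", "10.1.1.1", "sshd[2220]: Accepted publickey for deploy from 198.51.100.9 port 2223 ssh2"),
    _ev("2024-05-01T10:05:00Z", "10.1.1.2", "sshd[3301]: Invalid user admin from 203.0.113.5 port 51235"),
    _ev("2024-05-01T10:06:12Z", "10.1.1.1", "sshd[2230]: Failed password for invalid user test from 2001:db8::1 port 40002 ssh2"),
]

if __name__ == "__main__":
    for ipaddr, num_attempts in failed_logins_by_ip(SAMPLE_EVENTS):
        print(f"{ipaddr:<16} {num_attempts}")
```

Three things the sample makes visible: the "Connection closed by invalid user" line is dropped by `!contains "connect"` so each attempt is counted once, the IPv6 address is captured by the same pattern as the IPv4 ones, and a "Failed password for root" line is counted even though the user regex (which needs the literal "user ... from") leaves `user` empty.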

3 - Collectors

Samurai Collectors are used to receive and transport telemetry from your security controls, network devices or cloud services to the Samurai platform.

There are three types of collectors:

1. Cloud Collector

  • deployed within the Samurai platform and is used to gather telemetry from cloud services and/or security controls. For a cloud collector you simply need to complete the relevant integration.

2. Cloud Native Collector

  • a transport method to gather telemetry from public cloud products and services, specifically Microsoft Azure, Amazon Web Services (AWS) and supported third parties. This collector type is used for monitoring cloud storage (Azure Blob and/or AWS S3) to pull data into the Samurai ingestion pipeline.

3. Local Collector

  • deployed within your environment and is used to gather telemetry from your security controls and network devices. We have packaged the local collector to support multiple formats and environments.

What type of Collector do you require?

This is dependent on the products you want to integrate with Samurai:

  • For products deployed in your internal network, a Local Collector will be required to gather (pull & push) telemetry data and securely transfer it to the Samurai platform.
  • For cloud based products providing API endpoints, a Cloud Collector will be used to pull the telemetry data and securely transfer it to the Samurai platform.
  • For cloud based products utilizing streaming of telemetry data, a Cloud Native Collector will be required to receive the telemetry data and securely transfer it to the Samurai platform.

Next steps:

  • Review our Supported Integrations and associated Integration Guides to determine the collector type(s) required. Within each Integration Guide there is a table denoting use of a Local, Cloud or Cloud Native Collector, alternatively this is displayed in the Samurai MDR portal when working through an integration.
  • You may also choose to jump directly to the Samurai MDR portal and review integrations
  • If you have determined you require a local collector then click on Samurai Local Collector and follow the steps to create, configure and install.
  • If you have determined you require a Cloud Native collector then click on Samurai Cloud Native Collector and follow the steps to create and configure.

3.1 - Samurai Local Collector

If you have determined that you require a local collector then follow the steps below to learn what you need to get started, create, configure and download a local collector from the Samurai MDR portal and ensure it is working as expected.

  1. Take a moment to understand what you need to get started
  2. Create, configure and download a Collector
  3. Install a Collector
  4. Validate Collector Status
  5. Collector Status Notifications
  6. What’s next?
  7. Deleting a Collector

What you need to get started

  • Access to the Samurai MDR portal and your specific tenant.

  • A hypervisor to run the virtual machine, for example VMware vSphere, Microsoft Hyper-V, Amazon EC2 or Azure Virtual Machine

  • Make any necessary changes to your network to satisfy the collector's connectivity requirements (see below).

  • A static IP address for the collector and DNS server IP addresses unless you decide to use DHCP.

  • Access to your products to make necessary changes outlined within the relevant integration guide.

Minimum Virtual Machine Requirements

The following machine requirements will support up to 15K events per second (EPS) peak and 10K EPS sustained over a 24-hour period, approximately 800 GB per day.

CPU | 2 vCPU
Disk | 500 GB
Memory | 4 GB

Connectivity required for the Collector

The collector requires connectivity to resources outlined within the table below, you may need to update your security controls e.g firewall to allow this connectivity.

Function | Protocol | Port | Source | Destination | Details
Enrolment, Telemetry | TCP | 443 | Collector | *.*.security.ntt; nttsecurity.io; .nttsecurity.io; .*.nttsecurity.io; samurai-xdr-prod-westeurope-xgliuoit.azure-api.net | All regular backend communication, telemetry
Remote Management | TCP | 443 | Collector | ra.cto.nttsecurity.io; deb.releases.teleport.dev; apt.releases.teleport.dev | Used for remote administration of the collector (not mandatory; used when troubleshooting)
NTP | UDP | 123 | Collector | Client infrastructure (NTP server(s)) if configured in the Samurai app, or 0.ubuntu.pool.ntp.org; 1.ubuntu.pool.ntp.org; 2.ubuntu.pool.ntp.org; 3.ubuntu.pool.ntp.org | Time synchronization
DNS | UDP | 53 | Collector | Client infrastructure (DNS server(s)) or external DNS servers (based on your collector configuration) | Domain name resolution
Ubuntu updates | TCP | 80, 443 | Collector | *.ubuntu.com; api.snapcraft.io | Ubuntu software repository
Container Management | TCP | 443 | Collector | docker.com; *.docker.com; docker.io; *.docker.io | Private container registry
Amazon Cloud dependencies | TCP | 443 | Collector | *.cloudfront.net | Amazon CDN used by Collector API
Log storage | TCP | 443 | Collector | *.s3.*.amazonaws.com | Amazon Cloud storage (not mandatory; used when troubleshooting)
Telemetry data | based on product (see Integration guide) | | Client Product | Collector | Frequent data transfer (based on product)
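Before powering on the collector VM it is worth confirming that the egress rules above are actually in place from the segment the VM will live in. The following is an added pre-flight check written for this page, not an NTT-supplied tool: it attempts a TCP connection to each concrete hostname in the table and confirms name resolution for the Ubuntu NTP pool. The wildcard entries (*.*.security.ntt, *.ubuntu.com, *.docker.io, *.cloudfront.net, *.s3.*.amazonaws.com) cannot be probed by name and still need allow-rules on your firewall; no UDP probe of NTP or DNS is attempted. The `connect` and `resolve` parameters are the example's own injection points so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Concrete destinations copied from the connectivity table above. Wildcard
# entries cannot be probed by name and are deliberately not listed here.
REQUIRED_TCP: List[Tuple[str, int]] = [
    ("nttsecurity.io", 443),
    ("samurai-xdr-prod-westeurope-xgliuoit.azure-api.net", 443),
    ("ra.cto.nttsecurity.io", 443),       # remote management, optional
    ("deb.releases.teleport.dev", 443),   # remote management, optional
    ("apt.releases.teleport.dev", 443),   # remote management, optional
    ("api.snapcraft.io", 443),
    ("docker.com", 443),
    ("docker.io", 443),
]
# NTP is UDP 123; only name resolution is checked here (no UDP probe).
NTP_POOL: List[str] = [f"{i}.ubuntu.pool.ntp.org" for i in range(4)]

Connect = Callable[..., object]
Resolve = Callable[[str], str]


def check_tcp(host: str, port: int, timeout: float = 3.0,
              connect: Connect = socket.create_connection) -> Tuple[str, int, bool, str]:
    """One TCP connect attempt; DNS failure, refusal and timeout all surface as OSError."""
    try:
        with connect((host, port), timeout=timeout):
            return (host, port, True, "connected")
    except OSError as exc:
        return (host, port, False, f"{type(exc).__name__}: {exc}")


def check_dns(host: str, resolve: Resolve = socket.gethostbyname) -> Tuple[str, bool, str]:
    """Resolve a name using the collector host's configured DNS servers."""
    try:
        return (host, True, resolve(host))
    except OSError as exc:
        return (host, False, f"{type(exc).__name__}: {exc}")


def run_checks(tcp_targets: List[Tuple[str, int]], dns_targets: List[str],
               connect: Connect = socket.create_connection,
               resolve: Resolve = socket.gethostbyname) -> Dict[str, list]:
    """connect/resolve are injectable so the logic can be exercised without network."""
    return {"tcp": [check_tcp(h, p, connect=connect) for h, p in tcp_targets],
            "dns": [check_dns(h, resolve=resolve) for h in dns_targets]}


def failures(report: Dict[str, list]) -> List[str]:
    """Targets that failed, as host:port for TCP and bare host for DNS."""
    failed = [f"{h}:{p}" for h, p, ok, _ in report["tcp"] if not ok]
    failed += [h for h, ok, _ in report["dns"] if not ok]
    return failed


if __name__ == "__main__":
    report = run_checks(REQUIRED_TCP, NTP_POOL)
    for h, p, ok, detail in report["tcp"]:
        print(f"{'OK  ' if ok else 'FAIL'} tcp {h}:{p} {detail}")
    for h, ok, detail in report["dns"]:
        print(f"{'OK  ' if ok else 'FAIL'} dns {h} {detail}")
    raise SystemExit(1 if failures(report) else 0)
```

A non-zero exit means at least one required destination is blocked; fix the egress rule for the reported host:port before deploying, otherwise enrolment will fail or the collector will never show as Healthy. A successful TCP connect proves only that the path is open, not that a TLS-inspecting proxy is absent, so if the collector still fails to enrol, check for interception on port 443.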

Create, Configure and Download a Collector

  1. From your Samurai MDR portal tenant, click Telemetry and select Collectors from the main menu

  2. Select Create Collector

  3. Select Local collector

  4. Complete the fields as required.

Collector nameA nickname for the collector
Description (Optional)A description of your collector, this could be the property name where installed
Location (Optional)Useful if you have collectors in multiple locations
HostnameA hostname for your collector
Proxy Server IP (Optional)Optional HTTP proxy IP address
NTP Servers (Optional)Input your own NTP server IP addresses
DHCP or StaticDetermine whether the collector will use DHCP or specify your own static IP address and network information
  1. Select Create Collector once you have completed all relevant fields

  2. Select the Collector you created by clicking the Name used in Step 2

  3. Select Download

  • The files you need to download are based on your Hypervisor. The options available for download are:

    • Configuration
      • iso - configuration file for your collector, this file is always required
    • Cloud init
      • AWS - used to provide cloud-init data to AWS instance
      • Azure - used to provide cloud-init data to Azure instance
    • Virtual machine
      • vmdk - disk image (not needed if using the ova)
      • vhdx - virtual hard disk format used for Hyper-V
      • ova - virtual machine that the collector will run (includes disk image) for VMware
  8. Download the iso configuration file and also the relevant file needed for your hypervisor.

If you are creating multiple collectors, you only need to download the ova file once and can reuse it for each of them; the file that is specific to each collector is the configuration file (iso).

Install a Collector

Based on your hypervisor follow the relevant section:

VMware vSphere

Follow the documentation from VMware:

  1. When asked to provide a virtual machine name, we suggest samurai-nttsh-collector
  2. Be sure to select the .ova file you downloaded when asked for the file to deploy your virtual machine from.

Once complete, follow the VMware article on configuring a datastore ISO file:

  1. Be sure to select the .iso file you downloaded when asked to select a file

The VM is now ready to be powered on.

The .iso file must be mounted at first boot to configure the Collector. Once you have validated that the Collector status is Healthy in the Samurai MDR portal, you must ensure the .iso is dismounted.

Microsoft Hyper-V

Follow the documentation from Microsoft:

  1. When asked to provide a virtual machine name, we suggest samurai-nttsh-collector
  2. Use the Virtual Machine Requirements when configuring memory and network
  3. When asked to Connect Virtual Hard Disk ensure to use the .vhdx file you previously downloaded
  4. For Installation Options ensure you use the .iso file you previously downloaded

Once you have completed setup of your Collector, ensure it is running and validate its status within the Samurai MDR portal. On initial setup this can take a little while.

Amazon EC2

Prerequisite steps:

  1. Ensure you have the AWS cloud-init.yaml file you downloaded from Create, Configure and Download a Collector. This file will be used later during EC2 instance deployment.

Follow the vendor documentation from Amazon to launch an EC2 instance:

Perform the following adjustments to the vendor documentation when launching the instance:

  1. During step 4.a, select Ubuntu as AMI.

  2. During step 4.b, select the latest Ubuntu AMI

  3. During step 5, select a suitable Instance Type based on estimated performance requirements while fulfilling the Minimum Virtual Machine Requirements.

  4. During steps 6 & 7, set Key pair & Network Settings as per your AWS policies, ensuring that the network settings still fulfil the Connectivity required for the Collector.

  5. Before step 8, modify the Configure storage section with the following settings:

    1. Adjust the Root Volume to be at least 64 GiB.
    2. Add a secondary volume with at least 500 GiB according to the Minimum Virtual Machine Requirements.
      The secondary disk volume will be used for spooling; size it according to estimated log volume and maximum downtime.
  6. Before step 8, expand the section Advanced details and paste the content of the cloud-init.yaml file into the User data section. Ensure that the check box User data has already been base64 encoded is not enabled.

  7. Proceed with step 8 and finish the rest of the installation as per the vendor documentation.

Azure Virtual Machine

Prerequisite steps:

  1. Ensure you have the Azure cloud-init.yaml file you downloaded from Create, Configure and Download a Collector. This file will be used later during the Virtual Machine instance deployment.

Follow the vendor documentation from Microsoft to launch a Virtual Machine instance:

Perform the following adjustments to the vendor documentation when launching the instance:

  1. Under the Basic tab, select Ubuntu Server 22.04 LTS as image
  2. Under the Basic tab, select a suitable Size based on estimated performance requirements while fulfilling the Minimum Virtual Machine Requirements.
  3. Under the Disk tab, add one data disk with at least 500 GiB according to the Minimum Virtual Machine Requirements.
    The data disk volume will be used for spooling; size it according to estimated log volume and maximum downtime.
  4. Under the Advanced tab, paste the contents of cloud-init.yaml in the Custom data field.

All other settings such as authentication, network configuration and monitoring should be configured according to company policy and best practices.
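The AWS User data step above requires the plain-text cloud-init.yaml with the "already base64 encoded" box left unticked, and the Azure Custom data step takes the same plain text. As an added example (not Samurai code), the following Python check classifies the text you are about to paste so that a base64 copy of the file, which cloud-init would not recognise as a #cloud-config document, is caught before the instance is launched. The sample document is a constructed stand-in for the file you download from the portal.

```python
"""Pre-paste check for the collector's cloud-init.yaml: added example, not
Samurai code. Verifies the text you are about to paste into AWS User data
or Azure Custom data is the plain #cloud-config document, not a base64
copy of it (the AWS 'already base64 encoded' box must match the form)."""
import base64
import binascii

CLOUD_CONFIG_HEADER = "#cloud-config"

def looks_base64(text):
    """Return the decoded text if `text` is a base64 copy of a cloud-config
    document, else None. A plain YAML document fails strict decoding or does
    not decode to the header, so plain files are not misreported."""
    compact = "".join(text.split())        # tolerate wrapped base64 lines
    try:
        decoded = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded.lstrip().startswith(CLOUD_CONFIG_HEADER) else None

def check_user_data(text):
    """Classify pasted user data.

    Returns one of:
      'plain'   - starts with #cloud-config; paste as-is and leave the AWS
                  base64 box unticked (Azure encodes custom data for you)
      'base64'  - a base64 copy; paste the decoded text instead, or tick
                  the AWS box so the platform decodes it
      'invalid' - neither; cloud-init ignores user data it cannot identify,
                  so the collector would never be configured
    """
    if text.lstrip().startswith(CLOUD_CONFIG_HEADER):
        return "plain"
    if looks_base64(text) is not None:
        return "base64"
    return "invalid"

# Constructed stand-in for the downloaded file (the real one comes from the portal).
SAMPLE_PLAIN = "#cloud-config\nruncmd:\n  - echo provisioning-placeholder\n"
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAIN.encode()).decode()

if __name__ == "__main__":
    for name, data in (("plain file", SAMPLE_PLAIN), ("base64 copy", SAMPLE_B64)):
        print(f"{name}: {check_user_data(data)}")
```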

Validate Collector Status

  1. Click Telemetry and select Collectors from the main menu

  2. Select the relevant Collector from the presented list

  3. View Status

Status | Description
Offline | Collector created but not online
Unavailable | Collector has been online but is no longer available
Healthy | Collector deployed and its add-on components (including Integrations and/or Evidence Fetchers) deployed
Not-Healthy | Component(s) deployed on the Collector are not healthy
Provisioning | Collector is in setup

After you provision a Collector VM and start it, it will go through a process of installing updates and modules specified in the configuration ISO file which you downloaded. The time taken for this process is dependent on factors like the speed of the hardware you are running the Collector on and connectivity to the repositories that it downloads updates from. In some cases this process can take around 30 minutes.

The Collector may show as “Offline” during the initial provisioning steps. This is not any cause for alarm.

If you have any problems, please submit a ticket via the Samurai MDR portal.

Collector Status Notifications

Samurai will send email notifications to registered application users should your Local Collector status change from Healthy to Not-Healthy or Unavailable. Once any issues have been resolved, you will also be notified again when a Healthy status is reached.

If your Local Collector is restarted, during final startup you may notice the Status change from Healthy to Not-Healthy. This is not cause for alarm, as it typically occurs for a short period of time while processes restart. Once complete, your Local Collector status will be displayed as Healthy.

What’s next?

You should now have a collector running within your environment!

The next step is to start configuring integrations which will allow the Samurai platform to start receiving your telemetry data.

Select Integrations Overview for more information on integrations and where to start.

If you require high availability for your collector, this can be achieved using the capabilities of your virtualization platform.

Deleting a Collector

If you delete a local collector it cannot be reversed! In addition, all of your integrations related to the local collector will also be deleted!

If you need to delete a local collector you can do so by following the steps below:

  1. From your Samurai MDR portal click Telemetry and select Collectors
  2. Select the relevant collector from your list
  3. On the right-hand side of the relevant collector, click the more options icon and select Delete Collector
  4. The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’ To confirm that you intend to delete the collector, type DELETE in the field and select Delete Collector

Replacing a Collector

If for some reason a Local Collector VM is lost due to corruption or damage, such as in the case of a major disk storage failure, you may need to replace your Collector. If this happens, you will need to delete the old Collector in the Samurai MDR portal, discard your old Collector VM image and then create a new Collector using the process described in Install a Collector.

Important Notes:

  • If you need to replace a Collector VM, you cannot re-download the installer ISO for an existing Collector and redeploy it. You must delete the old Collector and replace it with a new one.
  • You can re-use the same IP address as your old Collector. This allows you to replace a Collector without re-configuring any log sources which were sending logs to the old Collector.
  • When replacing a Collector, any Integrations which were automatically detected and attached to the original Collector will be automatically detected and attached to the new Collector.
  • Once you have created the new Collector, you will need to re-add any Integrations that you were previously using and that you had added manually to the old Collector.

3.2 - Samurai Cloud Native Collector

The Cloud Native Collector is used to ingest data from public cloud storage. The Collector itself is agnostic to the data sent to cloud storage and monitors for new or updated files and pulls the data to the Samurai platform for ingestion - therefore there are minimum cloud storage retention requirements.

We recommend a minimum cloud storage retention period of 7 days.

The Cloud Native Collector is used for specific integrations and is typically a requirement for Samurai to ingest events from Microsoft Azure, Amazon Web Services and third parties that leverage cloud storage. This will be clearly indicated within the Product Integration Guide.

If you have determined that you require a Cloud Native Collector then follow the steps below to configure and create the collector from the Samurai MDR portal and ensure it is working as expected.

Create Cloud Native Collector

  1. From your Samurai MDR portal tenant, click Telemetry and select Collectors from the main menu

  2. Select Create Collector

  3. Select Cloud collector

  4. Complete the fields as required.

Collector name | A nickname for the collector
Description (Optional) | A description of your collector
Provider | Select the correct Provider
  5. Select Create Collector

  6. Based on your Provider selection, a Deploy to <Provider> button will be displayed

  7. Select Deploy to <Provider> - this will launch a template you should follow based on your Provider.

  8. Click Close and follow the relevant section below based on your Provider.

The deployment button will only be displayed once after selecting Create Collector, therefore be sure to click the button before closing the dialog window.

Microsoft Azure

Selecting Microsoft Azure will launch an Azure Resource Manager (ARM) template. Follow the steps.

  1. Complete the necessary fields within the template:

Project Details

Subscription | Select your Azure subscription to deploy the Collector into
Resource Group | Create or select your Resource Group to deploy the Collector into

Instance Details

Region | Select the Azure region to deploy the Collector into
Collector Name | (this is auto-populated from the Samurai MDR portal Collector name you defined)
Collector Id | (this is auto-populated from Samurai)
Passkey | (this is auto-populated from Samurai)
  2. Select Next

  3. Select Review and Create

  4. You are now complete and can navigate to the Samurai MDR portal.

Validate Collector Status

  1. Select Collectors from the left-hand menu

  2. Select the relevant Collector from the presented list

  3. View Status

Status | Description
Offline | Collector created but offline
Not available | Collector has been online but is no longer available
Healthy | Collector deployed and healthy
Not-Healthy | Collector not healthy
Provisioning | Collector is being set up / provisioning

What’s next?

You should now have a collector running!

The next step is to start configuring integrations which will allow the Samurai platform to collect your telemetry data.

Select Integrations Overview for more information on integrations and where to start.

Deleting a Collector

If you delete a Cloud collector it cannot be reversed! In addition, all of your integrations related to the collector will also be deleted!

If you need to delete a Cloud collector you can do so by following the steps below:

  1. From your Samurai MDR portal click Telemetry and select Collectors from the main menu
  2. Select the relevant collector from your list
  3. On the right-hand side of the relevant collector, click the more options icon and select Delete Collector
  4. The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’ To confirm that you intend to delete the collector, type DELETE in the window and select Delete Collector