This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Telemetry

1: Telemetry Monitoring

2: Integrations

2.1: Supported Integrations

2.2: Integration Actions

2.3: Generic Log Sources

3: Collectors

3.1: Samurai Local Collector

3.2: Samurai Cloud Collector

1 - Telemetry Monitoring

It is important to understand and keep track of the health of Integrations you have configured.

The Samurai platform monitors telemetry ingested from your integrations displaying the applicable status (refer to View Integration Status), if problems are encountered after specific time periods the integration is highlighted within the Telemetry Monitoring view and triggers an email notification after 24 hours.

For an integration to be monitored, the Samurai platform must receive event data consistently every hour over a 24hour period, this is because we cannot guarantee accurate monitoring for telemetry sources that may log intermittently.

Access Telemetry Monitoring

Click Telemetry and select Telemetry Monitoring from the main menu.

Figure 1: Telemetry monitoring menu and visual indicator

A visual indicator will be displayed beside the Telemetry Monitoring menu item showing the total number of integrations which may require attention.

Figure 2: Example telemetry monitoring table

Telemetry Monitoring View

The Telemetry Monitoring view displays summary information (as applicable):

Number of integrations with no events seen in the last 24 hours by the Samurai platform
Number of integrations with no events seen in the last 12 hours by the Samurai platform
Unknown integration (unsupported)
Number of provisioning integrations
Number of healthy integrations

Figure 3: Example summary information

Telemetry Monitoring Table

Integrations are displayed in the table if the Samurai platform has not received any events in the last 12 hours.

Figure 4: Example detail table

The list shows the details of the integrated telemetry sources which are considered unhealthy as per the table below:

Status	Description
No events seen in last 12 hours	The Samurai platform has not seen any events in the last 12 hours
No events in last 24 hours	The Samurai platform has not seen any events in the last 24 hours - this triggers an email notification for supported integrations

Clicking on the Integration will navigate you to the Integration Details. For integrations of type Log an events graph will be displayed which may help in troubleshooting.

For information on Integration types refer to What are the Integration fields? in the Integration Actions article.

The table may also display:

Unsupported integrations
- These integrations are displayed as Product - unknown and Vendor - unknown - for you convenience the Samurai platform does monitor these telemetry event sources but does not send email notifications.
- Info will display the following: This integration is currently not supported and will not trigger a notification if it stops sending events.
Integrations where the Samurai platform ingests events intermittantly
- If the Samurai platform does not receive events every hour over any 24 hour period, the integration will still be displayed but will not trigger a notification.
- Info will display the following: This integration does not send enough events to trigger a notification if it stops sending events altogether.

The above integrations will be highlighted with an Info icon () and when hovering over will display the applicable text highlighted above.

For your convenience you may want to display the integrations above in a different view, in doing so you remove from view integrations that will not trigger notifications - Hide Log Integrations provides this functionality.

Hide Log Integrations

Only integrations of type Log can be hidden - these are telemetry sources that typically send event data via syslog consistently. Example reasons why you may want to hide an integration include:

It is an unsupported/generic log source integration.
You do not want to recieve an email notifications if there is an issue with telemetry ingestion to the Samurai platform.

To hide an integration from the Telemetry Monitoring view:

Find the relevant Log integration within the table
Click on more options () to the left of the integration and select Hide integration
A Hide Log Integration window will be displayed warning you it will be removed from the Integrations and Telemetry Monitoring pages, click Confirm

To view hidden integrations from the Telemetry Monitoring view:

Click on more options () at the top right of the window and select Hidden log integrations
A Hidden Log Integrations window will be displayed
The integrations will display an Info icon () amd whem hopvering over will display the following Notifications for this integration has been disabled

Unhide Log Integrations

To unhide log integrations from the Telemetry Monitoring view:

Click on more options () at the top right of the window and select Hidden log integrations
A Hidden Log Integrations window will be displayed
Find the relevant hidden integration
Click on more options () within the integrations table and select Unhide integration

Hide, view and unhide functionality is also available within the Integrations View view.

Muted Integration

Muted integrations do not send an email notification if there is an issue with telemetry ingestion to the Samurai platform. This could be based on one of the categories mentioned above (unsupported or sends events intermittently) The Telemetry Monitoring view will display muted integrations by default. For convenience you can disable displaying muted integrations from the Telemetry Monitoring view:

Click on more options () at the top right of the window and deselect Show muted integrations

If you have hidden a log integration it will not be displayed when Show muted integrations is enabled.

Telemetry Monitoring Notifications

Samurai will send email notifications to registered application users if no events are seen for an integration over 24 hours. You can opt-in to receive notifications by raising a request via the Samurai MDR portal or in discussion with the SOC during MDR onboarding.

The Samurai platform does not send notifications for unsupported (displayed as unknown) integrations or integrations that send event data intermittently.

If you want additional information on Integration health, please review How do I know if my integration is functioning?

2 - Integrations

What is an Integration?

A data source integrated with the Samurai platform. An integration allows us to collect and ingest telemetry data from multiple sources, including network, endpoint and cloud.

What integrations are available?

We have pre-built integrations to a comprehensive array of 3rd party products and services. Select Supported Integrations to view what is available.

For syslog sources, even if events do not match a supported Integration, we will still ingest events into our data lake as a Generic Log Source. You will still be able to process this data using Advanced Query, and include events from generic log sources within your queries.

How do I integrate data sources?

Select Integration for steps that can be taken with integrations within the Samurai MDR portal.

Integration Health

Once you have configured Integrations to bring your data into the Samurai platform, you will also want to make sure that your data sources are healthy. For more details on how to maintain Integration health and troubleshoot problems, please read our article about Integration Health.

What’s Next?

Upon completion of your integrations and validation of health, the platform will start collecting and ingesting telemetry data. Dependent on your phase of MDR onboarding our team will be in contact with you.

2.1 - Supported Integrations

Samurai Integrations facilitate the ingestion of data sources from a wide range of third party vendors. Our Integrations are updated regularly as new and emerging technologies are released.

Each Integration typically requires a configuration guide outlining steps you must follow to integrate your data source to the Samurai platform.

For details such as transport methods and logs collected please refer to each supporting vendor configuration guide by clicking the link in the table or browsing directly to Product Integration Guides.

All supported integrations are categorized according to our Detection Categorization. For further information refer to the following article: Telemetry Data Source Categorization.

If you do not see an integration guide available, please reach out to your NTT contact for further information as we are constantly developing support for additional data sources.

Available configuration guides

Vendor	Product	Detection Category
Amazon Web Services	CloudTrail	Detection
Amazon Web Services	Virtual Private Cloud (VPC) Flow Logs	Detection
Apache	HTTP Server	Enrichment
Aruba Networks	ClearPass	Enrichment
Blackberry (Cylance)	Cylance PROTECT	Enrichment
Check Point	Next-Generation Firewall	Foundation
Cisco	IOS Routers & Switches	Enrichment
Cisco	Identity Services Engine (ISE)	Enrichment
Cisco	Meraki MX Security Appliances	Detection
Cisco	Secure Endpoint	Foundation
Cisco	Secure Firewall (ASA Appliances)	Foundation
Cisco	Secure Firewall (Firepower Threat Defense)	Foundation
Cisco	Umbrella	Foundation
Citrix	Netscaler	Enrichment
Claroty	Continuous Threat Detection (CTD)	Foundation
Claroty	xDome	Detection
Click Studios	Passwordstate	Enrichment
Crowdstrike	Falcon Insight	Foundation
Cyber-Ark	Privileged Access Security (PAS)	Enrichment
ESET	Protect	Detection
F5	BIG-IP Load Traffic Manager (LTM	Detection
Fortinet	FortiAnalyzer	Foundation
Fortinet	FortiGate Next-Generation Firewall	Foundation
Fortinet	FortiWeb Web Application Firewall	Detection
GestioIP	IP Address Management (IPAM)	Enrichment
Google	Workspace	Enrichment
Heimdal Security	Heimdal Security	Detection
InfoBlox	DDI	Detection
Linux	Authentications Logs	Enrichment
Microsoft	Azure Application Gateway	Detection
Microsoft	Azure Activity Logs	Enrichment
Microsoft	Azure Firewall	Detection
Microsoft	Azure Virtual Networks (NSG Flow)	Enrichment
Microsoft	Defender for Endpoint	Foundation
Microsoft	Defender Advanced Hunting	Foundation
Microsoft	Entra ID	Enrichment
Microsoft	Graph Security	Detection
Microsoft	Internet Information Services (IIS)	Detection
Microsoft	Office 365	Enrichment
Microsoft	DHCP Server	Enrichment
Microsoft	DNS Server	Detection
Microsoft	Windows Event Log	Enrichment
Nozomi Networks	Guardian	Detection
Okta	Workforce Identity Cloud	Enrichment
Palo Alto Networks	Cortex XDR Pro	Foundation
Palo Alto Networks	Next Generation Firewall	Foundation
Palo Alto Networks	Panorama	Foundation
PowerDNS	Recursor	Detection
ProofPoint	Targeted Attack Protection	Detection
Samba	Samba Active Directory	Enrichment
Squid	Squid Cache	Foundation
Sophos	Sophos Central (Intercept X)	Detection
Trellix	Endpoint Security (ENS)	Foundation
Trellix	Endpoint Security (HX)	Foundation
Trend Micro	Vision One	Detection
VMware	Carbon Black Cloud Enterprise EDR	Foundation
Watchguard	Firebox	Detection
Zscaler	Internet Access (ZIA)	Detection

In the pipeline

Outlined below are integrations we have in the pipeline however have no committed dates for support. Please note any integration may be influenced by changing business opportunities and client requirements. Please contact NTT for further information or if you require additional support.

Vendor	Product
Palo Alto Networks	Prisma Access (Strata Logging Service)
Check Point	Smart-1 Cloud
Cloudflare	Cloudflare

2.2 - Integration Actions

Select the action you wish to take and jump to the relevant section:

Create Integration
View Integrations
- What are the Integration fields?
- Views
View Integration Details
Integration Status
Hide Integration
- Unhide Integration
Delete Integration

If you are new to integrations you should review Integrations Overview

Create Integration

From your Samurai MDR portal tenant click Telemetry and select Integrations from the main menu.
Click Create integration.
Select the product you wish to integrate with the Samurai platform.
Click Next. Dependent on how we collect telemetry, the product may be integrated via a Cloud Collector or Local Collector. Follow the steps based on the Collector type:

Cloud Collector

If the integration is cloud-based you need to select the relevant Cloud Collector. Select the relevant Cloud Collector and click Next.
- If you are using a public cloud storage account you should already have completed the steps in Cloud Collector.
- If no cloud storage is utilized then a default cloud collector is available.
Select Configuration Guide which will direct you to Samurai documentation outlining how to configure your product and obtain required fields.
Once you have configured your product, complete the required fields.
Select Finish.

Local Collector

Your Local Collector(s) will be listed. Select the Local Collector that you will integrate the product with.
Click Next (typically this is the syslog destination host when configuring your device). If you do not have a Local Collector setup and deployed, follow the steps in our Samurai Local Collector article.
The Local Collector IP Address will be displayed, copy the IP address or take note of it.
Click Configuration Guide which will direct you to Samurai documentation outlining how to configure your product.
Based on the product, Extended Data Collection may be displayed, if so jump to Extended Data Collection.
Click Finish

You do not need to follow the steps above for a Local Collector integration without extended data collection, however we advise you follow the steps to determine if extended data collection is available for the product, and if you wish to enable it. You may choose to follow our integration guides to send logs directly to your Local Collector, the Samurai platform will auto detect the vendor and product for supported integrations. If we do not support the product, your integration will be displayed as unknown under the Vendor and Product fields, however the Samurai platform will still store the telemetry data.

Extended Data Collection

For many products we are able to collect extended data enhancing our threat detection capabilities and accuracy, for example Packet Capture (PCAP) data. This option will be displayed during configuration of an integration.

If extended data collection is available for the product, you can choose to enable or disable via the toggle. If you choose to disable, Select Finish
If you choose to enable extended data collection you must complete all the necessary fields. The parameters for each field are derived from following the associated product configuration guide. Once complete, Select Finish

You can choose to follow the configuration guide at anytime during the process, however if your product is not configured, the Samurai platform will obviously not receive any telemetry.

All supported third-party product configuration guides can be found here.

View Integration

There are multiple methods of viewing your integrations.

If you wish to view integrations associated with a specific collector:

From your Samurai MDR portal tenant click Telemetry and select Collectors from the main menu
Select the relevant Collector
All integrations associated with the Collector will be displayed with associated information

You can also view all integrations regardless of collector:

Click Telemetry and select Integrations in the main menu
All of your Integrations will be listed

A single product integration may be displayed multiple times based on telemetry data ingested. For example, if you enabled Extended Data Collection whilst creating an integration the individual product will be displayed multiple times with different Type fields associated - see below for further explanation.

What are the Integration fields?

Status: Color indication of integration status
Status Description: Description of the status
Info: An info icon () will be displayed if:
- the integration is unsupported (unknown Vendor and Product)
- the integration does not send enough events to trigger a telemetry monitoring notification. Refer to Telemetry Monitoring for additional information
ID: Universally Unique Identifier (UUID) for integration
Vendor: Vendor name of the product
Product: Product name
Type: Integration type used to gather or ingest telemetry. Potential entries you could see here include:
- Log: Displayed when a telemetry source sends logs (typically via syslog)
- Local: Displayed when we leverage an API from a Samurai local collector to gather telemetry
- Cloud: Displayed when we leverage an API from a Samurai cloud collector or retrieve telemetry from public cloud storage
Name: Integration name you provided during configuration
IP Address: IP address of the host
Collector: Collector name associated with the integration
Description: Optional description you provided during integration configuration
Last Event Seen: The last event seen from the telemetry source in the format [yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC).
Created: Date and time of integration creation in the format[yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC).

Select Columns to enable or disable visible fields and Filters to filter on fields.

Views

You can save filters you set through views. This is useful if, for example, you have a large number of integrations and wish to view only specific products or types of integration.

Click Views to save/reset/delete your different filters. Once saved you can toggle between views.

View Integration Details

There are multiple methods of viewing your integration details. If you wish to view integration details associated with a specific Collector:

From your Samurai MDR portal click Telemetry and select Collectors from the main menu
Select the relevant collector for your list
All integrations associated with the collector will be displayed
Find and click on your integrated product

You can also view all integration configuration regardless of collector:

Click Telemetry and select Integrations from the main menu
Find and click your integrated product
Configuration parameters will be displayed

For integrations of type Log an events graph will be displayed. This is a useful indicator of the number of events over a given period and may show spikes and drops in events.

You can also pivot directly into Advanced Query by selecting the magnifying glass icon () to view the underlying event data.

By clicking the time period you can update the events graph to a specific date and time range. We default to the Last 7 days however have included Quick time ranges or you can specify a date and time period.

You can edit and update the integration description to help you keep track of your integrations.

View Integration Status

There are multiple methods of viewing your Integration status.

If you wish to view integration status associated with a specific Collector:

From the Samurai MDR portal Telemetry and select Integrations from the main menu
Select the relevant collector from your list
All integrations listed related to the collector will be displayed with status color and description (if enabled)

You can also view status of all integrations regardless of collector:

From your Samurai MDR portal Telemetry and select Integrations from the main menu
All integrations shall be displayed with a status color and description (if enabled)

Potential status displayed are included in the table below:

Status	Description
Provisioning	Telemetry components installing / provisioning
Unknown	The Samurai platform is unable to determine a status
Healthy	All components healthy
No events seen in last 12	The Samurai platform has not seen any events in the last 12 hours
No events in last 24 hours	The Samurai platform has not seen any events in the last 24 hours - this typically triggers an email notification

For more information about Integration status, please see the article on how to manage Integration Health.

Hide Integration

Hiding an integration will remove it from the integrations displayed and also from the Telemetry Monitoring view. Additionally if the integration is supported and the Samurai platform ingests no events, you will not receive an email notification.

Only integrations of type Log can be hidden. Some reasons why you may want to hide an integration include:

You may want to hide all of your unsupported/generic log source integrations, the Samurai platform does monitor unsupported integrations for your convenience however does not notify you if events are not seen in 24 hours.
You do not want to recieve any notifications if there is an issue with telemetry ingestion to the Samurai platform.

To hide an integration:

Click Telemetry and select Integrations from the main menu
Find the relevant Log integration
Click on (more options) within the integrations table and select Hide integration
A Hide Log Integration window will be displayed, click Confirm

To view any hidden integrations:

Click Telemetry and select Integrations from the main menu
Click (more options) at the top right of the window select Hidden log integrations
A Hidden Log Integrations window will be displayed

Unhide Integration

Click Telemetry and select Integrations from the main menu
Click (more options) at the top right of the window select Hidden log integrations
A Hidden Log Integrations window will be displayed
Find the relevant hidden integration
Click on (more options) within the integrations table and select Unhide integration

Hide, view and unhide functionality is also available within the Telemetry Monitoring view.

Delete Integration

If you delete an integration, it cannot be reversed! but events from the telemetry source will remain within the Samurai platform. However if the integration is auto-detected, it will reappear as type log if your telemetry source remains sending logs.

If you wish to delete an integration associated with a specific Collector:

From your Samurai MDR portal Telemetry and select Collectors from the main menu
Select the relevant collector from your list
You will now see all integrations associated with the collector
Select your integrations
On the right hand side of the relevant integration, click on (more options) and select Delete Integration
The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’. To ensure you intended to delete the integration you will need to type in the highlighted ‘Integration’s Hostname’ and select Delete Integration

You can also delete from the Integrations menu item:

Click Telemetry and select Integrations from the main menu
Find and select your integrated product
On the right hand side of the relevant integration, click on (more options) and select Delete Integration

2.3 - Generic Log Sources

While we make an effort to support a wide variety of Integrations and different types of log sources, it is possible that there may be a log source that you would like to ingest into the Samurai platform which we are not able to parse and analyze. This is especially true for events generated via syslog log sources.

The fact that we are not able to use a log source for detections doesn’t mean that it won’t still be useful to ingest into the Samurai platform. We will ingest any event data, provided via syslog (sent to a Samurai local collector), into our data lake and you will still be able to analyze that event data using Advanced Query. This allows you to include events from generic log sources when you are performing queries.

If you configure an unsupported log source to send syslog to a Samurai local collector it will be displayed in the Samurai MDR portal under Vendor and Product as unknown. However you can provide a description to allow you to keep track of them. Refer to Integration Actions for providing a description.

If a log source, ingested via syslog, does not match one of our supported integrations, we will ingest the log events, which will still contain, amongst others, the following fields:

timestamp: the time at which the log message was ingested
collector: the id of the collector which ingested the event
host: the source host from which the event was received
raw: the complete raw log message

You can then proceed to query these events using Advanced Query. For example, the following KQL query finds all the attempts to connect to a host using invalid user ids and then counts the attempts by source IPv4 or IPv6 address:

events | where host == "10.1.1.1" and i(raw contains "Invalid" or raw contains "failed") and raw !contains "connect" | project timestamp, user = extract("user ([a-zA-Z0-9\\-]+) from ", 1, raw), ipaddr = extract(".+ ([0-9a-f]+[\\:\\.][0-9a-f\\.\\:]+) ", 1, raw) | summarize num_attempts = count() by ipaddr| order by num_attempts

The output is ordered by the number of attempts from each IP address, producing a table like the following:

3 - Collectors

Samurai Collectors are used to receive and transport telemetry from your security controls, network devices or cloud services to the Samurai platform.

There are two types of collectors:

1. Cloud Collector

Deployed within the Samurai platform and is used to gather telemetry from cloud services and/or security controls. Various use cases exist with differing requirements based on the Product/Service you are integrating with Samurai:
- In some cases you simply need to complete the relevant integration and the cloud collector is automatically used.
- When we gather telemetry from public cloud storage (specifically Microsoft Azure storage accounts and Amazon Web Services (AWS) S3 buckets) you must first deploy a cloud collector within the Samurai platform that is used to monitor your cloud storage for updated telemetry files.
- When we ingest telemetry using Splunk HTTP Event Collection (HEC) you must also first deploy a cloud collector within the Samurai platform that is used to receieve telemetry data.

Requirements are clearly stated in the relevant Product Integration Guides.

2. Local Collector

Deployed within your environment and is used to gather telemetry from your security controls and network devices. We have packaged the local collector to support multiple formats and envionments.

What type of Collector do you require?

This is dependent on the products you want to integrate with Samurai:

For products deployed in your internal network, a Local Collector will be required to gather (pull & push) telemetry data and securely transfer it to the Samurai platform.
For cloud based products providing API endpoints, a Cloud Collector will be used to pull the telemetry data and securely transfer it to the Samurai platform.
For cloud based products utilizing streaming of telemetry data to cloud storage, a Cloud Collector is also required to retrieve the telemetry data and securely transfer it to the Samurai platform.
For products that leverage streaming of telemetry via Splunk HTTP Event Collection (HEC), a Cloud Collector is required to receieve telemetry data to the Samurai platform.

Next steps:

Review our Supported Integrations and associated Integration Guides to determine the collector type(s) required. Within each Integration Guide there is a table denoting use of a Local or Cloud Collector, alternatively this is displayed in the Samurai MDR portal when working through an integration.
You may also choose to jump directly to the Samurai MDR portal and review integrations
If you have determined you require a local collector then click on Samurai Local Collector and follow the steps to create, configure and install.
If you have determined you require a cloud collector then click on Samurai Cloud Collector and follow the steps to create and configure.

3.1 - Samurai Local Collector

If you have determined that you require a local collector then follow the steps below to learn what you need to get started, create, configure and download a local collector from the Samurai MDR portal and ensure it is working as expected.

Take a moment to understand what you need to get started
Create, configure and download a Collector
Install a Collector
Validate Collector Status
Collector Status Notifications
What’s next?
Deleting a Collector

What you need to get started

Access to the Samurai MDR portal and your specific tenant.
A hypervisor to run the virtual machine, for example VMware vSphere, Microsoft Hyper-V, Amazon EC2 or Azure Virtual Machine
- View virtual machine requirements below.
Ensure to make any necessary updates to comply with the collectors connectivity requirements.
A static IP address for the collector and DNS server IP addresses unless you decide to use DHCP.
Access to your products to make necessary changes outlined within the relevant integration guide.

Minimum Virtual Machine Requirements

The following machine requirements will support up to 15K events per second (EPS) peak, 10K EPS sustained over a 24hr period, approx 800GB per day.

CPU	2 vCPU
Disk	500GB disk
Memory	4 GB

Connectivity required for the Collector

The collector requires connectivity to resources outlined within the table below, you may need to update your security controls e.g firewall to allow this connectivity.

Function	Protocol	Port	Source	Destination	Details
Enrolment, Telemetry	TCP	443	Collector	..security.ntt nttsecurity.io .nttsecurity.io .*.nttsecurity.io samurai-xdr-prod-westeurope-xgliuoit.azure-api.net	All regular backend communication, telemetry
Remote Management	TCP	443	Collector	ra.cto.nttsecurity.io deb.releases.teleport.dev apt.releases.teleport.dev	Used for remote administration of collector (this is not mandatory and used when troubleshooting)
NTP	UDP	123	Collector	Client infrastructure (NTP server(s)) if configured in Samurai app OR 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org	Time synchronization
DNS	UDP	53	Collector	Client infrastructure (DNS server(s)) or external DNS servers (based on your collector configuration)	Domain name resolution
Ubuntu updates	TCP	80, 443	Collector	*.ubuntu.com api.snapcraft.io	Ubuntu software repository
Container Management	TCP	443	Collector	docker.com .docker.com (private container registry) docker.io (private container registry) .docker.io (private container registry)	Private container registry
Amazon Cloud dependencies	TCP	443	Collector	*.cloudfront.net	Amazon CDN used by Collector API
Log storage	TCP	443	Collector	.s3..amazonaws.com	Amazon Cloud storage (this is not mandatory and used when troubleshooting)
Telemetry data	(based on product - see Integration guide)	Client Product	Collector	Frequent data transfer (based on product)

Create, Configure and Download a Collector

From your Samurai MDR portal tenant, click Telemetry and select Collectors from the main menu
Select Create Collector
Select Local collector
Complete the fields as required.

Collector name	A nickname for the collector
Description (Optional)	A description of your collector, this could be the property name where installed
Location (Optional)	Useful if you have collectors in multiple locations
Hostname	A hostname for your collector
Proxy Server IP (Optional)	Optional HTTP proxy IP address
NTP Servers (Optional)	Input your own NTP server IP addresses
DHCP or Static	Determine whether the collector will use DHCP or specify your own static IP address and network information

Select Create Collector once you have completed all relevant fields
Select the Collector you created by clicking the Name used in Step 2
Select Download

The files you need to download are based on your Hypervisor. The options available for download are:
- Configuration
  - iso - configuration file for your collector, this file is always required
- Cloud init
  - AWS - used to provide cloud-init data to AWS instance
  - Azure - used to provide cloud-init data to Azure instance
- Virtual machine
  - vmdk - disk image (not needed if using the ova)
  - vhdx - virtual hard disk format used for Hyper-V
  - ova - virtual machine that the collector will run (includes disk image) for VMware

Download the iso configuration file and also the relevant file needed for your hypervisor.

If you are creating multiple collectors, you only need to download the ova file once and can use it multiple times, the important file per collector is the configuration file (iso).*

Install a Collector

Based on your hypervisor follow the relevant section:

VMware vSphere
Microsoft Hyper-V
Amazon EC2
Azure Virtual Machine

VMware vSphere

Follow the documentation from VMware:

Deploy a Virtual Machine from an OVF or OVA File in the VMware Host Client

When asked to provide a virtual machine name, we suggest samurai-nttsh-collector
Be sure to select the .ova file you downloaded when asked for the file to deploy your virtual machine from.

Once complete follow the VMware article to configure a datastore ISO file

Configure a Datastore ISO File for the CD-DVD

Be sure to select the .iso file you downloaded when asked to select file

The VM is now ready to be powered on.

The .iso file must be mounted at first boot to configure the Collector. Once you have validated the Collector status is Healthy in the Samurai MDR portal you must ensure the .iso is dismounted.*

Microsoft Hyper-V

Follow the documentation from Microsoft:

Create a virtual machine in Hyper-V

When asked to provide a virtual machine name, we suggest samurai-nttsh-collector
Use the Virtual Machine Requirements when configuring memory and network
When asked to Connect Virtual Hard Disk ensure to use the .vhdx file you previously downloaded
For Installation Options ensure you use the .iso file you previously downloaded

Once you have completed setup of your Collector you should ensure it is running and validate the status within the Samurai MDR portal, upon initial setup this can take a little while.

Amazon EC2

Prerequisitve steps:

Ensure you have the AWS cloud-init.yaml file you downloaded from Create, Configure and Download a Collector.. This file will be used later during EC2 instance deployment.

Follow the vendor documentation from Amazon to launch a EC2 instance:

Launch an instance

Perform the following adjustments to the vendor documentation when launching the instance:

During step 4.a, select Ubuntu as AMI.
During step 4.b*,* select the latest Ubuntu AMI
During step 5*,* select a suitable Instance Type based on estimated performance requirements while fulfilling the Minimum Virtual Machine Requirements.
During step 6 & 7, Set Key pair & Network Settings as per your AWS policies. Ensuring the the Network settings still fulfills the Connectivity required for the Collector.
Before step 8, modify the Configure storage section with the following settings:
1. Adjust the Root Volume to be at least 64 GiB.
2. Add a secondary volume with at least 500 GiB according to the Minimum Virtual Machine Requirements.

Secondary disk volume will be used for spooling, size it according to estimated log volume and max downtime.

Before step 8, expand the section Advanced details and paste in the content of the cloud-init.yaml file into the User data section. Ensure that the check box User data has already been base64 encoded is not enabled.
Proceed with step 8 and finish the rest of the installation as per the vendor documentation.

Azure Virtual Machine

Prerequisite steps:

Ensure you have the Azure cloud-init.yaml file you downloaded from Create, Configure and Download a Collector.. This file will be used later during the Virtual Machine instance deployment.

Follow the vendor documentation from Microsoft to launch a Virtual Machine instance:

Create a virtual machine

Perform the following adjustments to the vendor documentation when launching the instance:

Under the Basic tab, select Ubuntu Server 22.04 LTS as image
Under the Basic tab, select a suitable Size based on estimated performance requirements while fulfilling the Minimum Virtual Machine Requirements.
Under the Disk tab, add one data disk with at least 500 GiB according to the Minimum Virtual Machine Requirements.

Data disk volume will be used for spooling, size it according to estimated log volume and max downtime.

Under the Advanced tab, paste the contents of cloud-init.yaml in the Custom datafield.

All other settings such authentication, network configuration and monitoring should be configured according to company policy and best practices.*

Validate Collector Status

Click Telemetry and select Collectors from the main menu
Select the relevant Collector from the presented list
View Status

Status	Description
Offline	Collector created but not online
Unavailable	Collector has been online but no longer available
Healthy	Collector deployed and deployed add on components (including) Integrations and/or Evidence Fetchers)
Not-Healthy	Component(s) deployed on the Collector not healthy
Provisioning	Collector is in setup

After you provision a Collector VM and start it, it will go through a process of installing updates and modules specified in the configuration ISO file which you downloaded. The time taken for this process is dependent on factors like the speed of the hardware you are running the Collector on and connectivity to the repositories that it downloads updates from. In some cases this process can take around 30 minutes.

The Collector may show as “Offline” during the initial provisioning steps. This is not any cause for alarm.

If you have any problems, please submit a ticket via the Samurai MDR portal.

Collector Status Notifications

Samurai will send email notifications to registered application users should your Local Collector status change from Healthy to Not-Healthy or Unavailable. Once any issues have been resolved, you will also be notified again when a Healthy status is reached.

If your Local Collector be restarted, during final startup you may notice the Status change from Healthy to Not-Healthy, this is not cause for alarm as this typically occurs for a short period of time as processes restart. Once complete your Local Collector status will be displayed as Healthy.

What’s next?

You should now have a collector running within your environment!

The next step is to start configuring integrations which will allow the Samurai platform to start receiving your telemetry data.

Select Integrations Overview for more information on integrations and where to start.

If you require high availability for your collector, this can be achieved using the capabilities of your virtualization platform.

Deleting a Collector

If you delete a local collector it cannot be reversed! In addition, all of your integrations related to the local collector will also be deleted!

If you need to delete a local collector you can do so by following the steps below:

From your Samurai MDR portal click Telemetry and select Collectors
Select the relevant collector from your list
On the right hand side of the relevant collector, click on (more options) and select Delete Collector
The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’. To ensure you intended to delete the collector you will need to type DELETE in the field and select Delete Collector

Replacing a Collector

If for some reason a Local Collector VM is lost due to corruption or damage, such as in the case of a major disk storage failure, you may need to replace your Collector. If this happens, you will need to delete the old Collector in the Samurai MDR portal, discard your old Collector VM image and then create a new Collector using the process described to Install a Collector.

If you need to replace a Collector VM, you cannot re-download the installer ISO for an existing Collector and redeploy it. You must delete the old Collector and replace it with a new one.
You can re-use the same IP address as your old Collector. This allows you to replace a Collector without re-configuring any log sources which were sending logs to the old Collector.
When replacing a Collector, any Integrations which were automatically detected and attached to the original Collector will be automatically detected and attached to the new Collector.
Once you have created the new Collector, you will need to add any Integrations which you were previously using and which you had to previously manually add to the old Collector.

3.2 - Samurai Cloud Collector

Deployed within the Samurai platform, Cloud Collectors are used to:

Pull telemetry data via an API and securely transfer it to the Samurai platform.
Retrieve telemetry data from public cloud storage (Microsoft Azure storage accounts and Amazon Simple Storage Service - S3). The collector monitors for new or updated files in cloud storage and pulls the data into the Samurai platform for ingestion.
Receieve telemetry data for ingestion to the Samurai platform (Splunk HTTP Event Collection - HEC).

The need for a Cloud Collector is based on the specific product being integrated with the Samurai platform. This will be clearly indicated within the Product Integration Guide.

For integrations where we leverage an API, you can simply follow the integration guide as a cloud collector will already be available.
For integrations where we leverage collection of telemetry data from public cloud storage or receipt via Splunk HTTP Event Collector (HEC) there are steps you will need to follow as outlined in the section below Create Cloud Collector.

Create Cloud Collector

For public cloud storage we recommend a minimum cloud storage retention period of 7 days (our template default), however you can update as necessary if a longer retention period is required.

From the Samurai MDR portal, click Telemetry and select Collectors from the main menu
Select Create Collector
Select Cloud collector
Complete the fields as required.

Field	Description
Collector name	A name for the collector
Description (Optional)	A description of your collector
Provider	Select the correct Provider

Select Create Collector
Follow the relevant section below based on your provider.

Microsoft Azure

Click Deploy to Azure and you will be redirected to the Microsoft Azure login.

The Deploy to Azure button will only be displayed once after selecting Create Collector, therefore be sure to click the button before closing the dialog window.

An Azure Resource Manager (ARM) template will be launched, follow the steps and complete the necessary fields within the template:

Project Details

Field	Description
Subscription	Select your Azure subscription
Resource Group	Create or select your Resource Group

Instance Details

Field	Description
Region	Select the Azure region to deploy the Collector into
Collector Name	(this is auto populated from the Samurai MDR portal Collector name you defined)
Collector Id	(this is auto populated from Samurai)
Passkey	(this is auto populated from Samurai)

Select Next
Select Review and Create
Upon creation your Collector status will be updated to Healthy.
You can now refer to the relevant Product Integration Guides.

Amazon Web Services (AWS)

Click Launch Stack and you will be redirected to the AWS login.

The Launch Stack button will only be displayed once after selecting Create Collector, therefore be sure to click the button before closing the dialog window.

Login to your AWS account with administrative permissions.
The Samurai cloud formation template will be displayed.
If you have an existing S3 Bucket enter the name within the Parameters section under Enable Samurai ingestion on existing S3 bucket. If you have no existing S3 bucket, leave this field blank and a new S3 bucket will be created.
If you are integrating Cisco Umbrella, be sure to update Cisco Umbrella under the Parameters section to Yes.
Click Create Stack.
Upon creation of the stack your Collector status will be updated to Healthy.
You can now refer to the relevant Product Integration Guides.

Splunk HTTP Event Collector

If you selected this option you will be presented with the following information:

API URL
Token

Copy these entries as you will need them when completing your integration.

The API information is only displayed once after clicking Create Collector therefore be sure to save the information before clicking close.

Select Close.
You can now refer to the relevant Product Integration Guides.

Validate Collector Status

Select Telemetry and Collectors from the main menu
Select the relevant Collector from the presented list
View Status

Status	Description
Offline	Collector created but offline
Not available	Collector has been online but no longer available
Healthy	Collector deployed and healthy
Not-Healthy	Collector not healthy
Provisioning	Collector is being setup / provisioning

What’s next?

You should now have a collector running.

The next step is to start configuring integrations which will allow the Samurai platform to collect your telemetry data.

Select Integrations Overview for more information on integrations and where to start.

Deleting a Collector

If you delete a Cloud collector it cannot be reversed! In addition, all of your integrations related to the collector will also be deleted!

If you need to delete a Cloud collector you can do so by following the steps below:

From your Samurai MDR portal click Telemetry and select Collectors from the main menu
Select the relevant collector from your list
On the right hand side of the relevant collector, click on (more options) and select Delete Collector
The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’. To ensure you intended to delete the collector you will need to type DELETE in the window and select Delete Collector