1 - Telemetry Monitoring

It is important to understand and keep track of the health of Integrations you have configured.

The Samurai platform monitors telemetry ingested from your integrations displaying the applicable status (refer to View Integration Status), if problems are encountered after specific time periods the integration is highlighted within the Telemetry Monitoring view and triggers an email notification after 24 hours.

Access Telemetry Monitoring

Click Telemetry and select Telemetry Monitoring from the main menu.

Figure 1: Telemetry monitoring menu and visual indicator  

Figure 2: Example telemetry monitoring table

Telemetry Monitoring View

The Telemetry Monitoring view displays summary information (as applicable):

  • Number of integrations with no events seen in the last 24 hours by the Samurai platform
  • Number of integrations with no events seen in the last 12 hours by the Samurai platform
  • Unknown integration (unsupported)
  • Number of provisioning integrations
  • Number of healthy integrations

Figure 3: Example summary information

Telemetry Monitoring Table

Integrations are displayed in the table if the Samurai platform has not received any events in the last 12 hours.

Figure 4: Example detail table

The list shows the details of the integrated telemetry sources which are considered unhealthy as per the table below:

StatusDescription
No events seen in last 12 hoursThe Samurai platform has not seen any events in the last 12 hours
No events in last 24 hoursThe Samurai platform has not seen any events in the last 24 hours - this triggers an email notification for supported integrations

Clicking on the Integration will navigate you to the Integration Details. For integrations of type Log an events graph will be displayed which may help in troubleshooting.

The table may also display:

  • Unsupported integrations

    • These integrations are displayed as Product - unknown and Vendor - unknown - for you convenience the Samurai platform does monitor these telemetry event sources but does not send email notifications.
    • Info will display the following: This integration is currently not supported and will not trigger a notification if it stops sending events.
  • Integrations where the Samurai platform ingests events intermittantly

    • If the Samurai platform does not receive events every hour over any 24 hour period, the integration will still be displayed but will not trigger a notification.
    • Info will display the following: This integration does not send enough events to trigger a notification if it stops sending events altogether.

The above integrations will be highlighted with an Info icon () and when hovering over will display the applicable text highlighted above.

For your convenience you may want to display the integrations above in a different view, in doing so you remove from view integrations that will not trigger notifications - Hide Log Integrations provides this functionality.

Hide Log Integrations

Only integrations of type Log can be hidden - these are telemetry sources that typically send event data via syslog consistently. Example reasons why you may want to hide an integration include:

  • It is an unsupported/generic log source integration.
  • You do not want to recieve an email notifications if there is an issue with telemetry ingestion to the Samurai platform.

To hide an integration from the Telemetry Monitoring view:

  1. Find the relevant Log integration within the table
  2. Click on more options () to the left of the integration and select Hide integration
  3. A Hide Log Integration window will be displayed warning you it will be removed from the Integrations and Telemetry Monitoring pages, click Confirm

To view hidden integrations from the Telemetry Monitoring view:

  1. Click on more options () at the top right of the window and select Hidden log integrations
  2. A Hidden Log Integrations window will be displayed
  3. The integrations will display an Info icon () amd whem hopvering over will display the following Notifications for this integration has been disabled

Unhide Log Integrations

To unhide log integrations from the Telemetry Monitoring view:

  1. Click on more options () at the top right of the window and select Hidden log integrations
  2. A Hidden Log Integrations window will be displayed
  3. Find the relevant hidden integration
  4. Click on more options () within the integrations table and select Unhide integration

Muted Integration

Muted integrations do not send an email notification if there is an issue with telemetry ingestion to the Samurai platform. This could be based on one of the categories mentioned above (unsupported or sends events intermittently) The Telemetry Monitoring view will display muted integrations by default. For convenience you can disable displaying muted integrations from the Telemetry Monitoring view:

  1. Click on more options () at the top right of the window and deselect Show muted integrations

If you have hidden a log integration it will not be displayed when Show muted integrations is enabled.

Telemetry Monitoring Notifications

Samurai will send email notifications to registered application users if no events are seen for an integration over 24 hours. You can opt-in to receive notifications by raising a request via the Samurai MDR portal or in discussion with the SOC during MDR onboarding.

If you want additional information on Integration health, please review How do I know if my integration is functioning?

2 - Integrations

What is an Integration?

A data source integrated with the Samurai platform. An integration allows us to collect and ingest telemetry data from multiple sources, including network, endpoint and cloud.

What integrations are available?

We have pre-built integrations to a comprehensive array of 3rd party products and services. Select Supported Integrations to view what is available.

For syslog sources, even if events do not match a supported Integration, we will still ingest events into our data lake as a Generic Log Source. You will still be able to process this data using Advanced Query, and include events from generic log sources within your queries.

How do I integrate data sources?

Select Integration for steps that can be taken with integrations within the Samurai MDR portal.

Integration Health

Once you have configured Integrations to bring your data into the Samurai platform, you will also want to make sure that your data sources are healthy. For more details on how to maintain Integration health and troubleshoot problems, please read our article about Integration Health.

What’s Next?

Upon completion of your integrations and validation of health, the platform will start collecting and ingesting telemetry data. Dependent on your phase of MDR onboarding our team will be in contact with you.

2.1 - Supported Integrations

Samurai Integrations facilitate the ingestion of data sources from a wide range of third party vendors. Our Integrations are updated regularly as new and emerging technologies are released.

Each Integration typically requires a configuration guide outlining steps you must follow to integrate your data source to the Samurai platform.

For details such as transport methods and logs collected please refer to each supporting vendor configuration guide by clicking the link in the table or browsing directly to Product Integration Guides.

All supported integrations are categorized according to our Detection Categorization. For further information refer to the following article: Telemetry Data Source Categorization.

Available configuration guides

VendorProductDetection Category
Amazon Web ServicesCloudTrailDetection
Amazon Web ServicesVirtual Private Cloud (VPC) Flow LogsDetection
ApacheHTTP ServerEnrichment
Aruba NetworksClearPassEnrichment
Blackberry (Cylance)Cylance PROTECTEnrichment
Check PointNext-Generation FirewallFoundation
CiscoIOS Routers & SwitchesEnrichment
CiscoIdentity Services Engine (ISE)Enrichment
CiscoMeraki MX Security AppliancesDetection
CiscoSecure EndpointFoundation
CiscoSecure Firewall (ASA Appliances)Foundation
CiscoSecure Firewall (Firepower Threat Defense)Foundation
CiscoUmbrellaFoundation
CitrixNetscalerEnrichment
ClarotyContinuous Threat Detection (CTD)Foundation
ClarotyxDomeDetection
Click StudiosPasswordstateEnrichment
CrowdstrikeFalcon InsightFoundation
Cyber-ArkPrivileged Access Security (PAS)Enrichment
ESETProtectDetection
F5BIG-IP Load Traffic Manager (LTMDetection
FortinetFortiAnalyzerFoundation
FortinetFortiGate Next-Generation FirewallFoundation
FortinetFortiWeb Web Application FirewallDetection
GestioIPIP Address Management (IPAM)Enrichment
GoogleWorkspaceEnrichment
Heimdal SecurityHeimdal SecurityDetection
InfoBloxDDIDetection
LinuxAuthentications LogsEnrichment
MicrosoftAzure Application GatewayDetection
MicrosoftAzure Activity LogsEnrichment
MicrosoftAzure FirewallDetection
MicrosoftAzure Virtual Networks (NSG Flow)Enrichment
MicrosoftDefender for EndpointFoundation
MicrosoftDefender Advanced HuntingFoundation
MicrosoftEntra IDEnrichment
MicrosoftGraph SecurityDetection
MicrosoftInternet Information Services (IIS)Detection
MicrosoftOffice 365Enrichment
MicrosoftDHCP ServerEnrichment
MicrosoftDNS ServerDetection
MicrosoftWindows Event LogEnrichment
Nozomi NetworksGuardianDetection
OktaWorkforce Identity CloudEnrichment
Palo Alto NetworksCortex XDR ProFoundation
Palo Alto NetworksNext Generation FirewallFoundation
Palo Alto NetworksPanoramaFoundation
PowerDNSRecursorDetection
ProofPointTargeted Attack ProtectionDetection
SambaSamba Active DirectoryEnrichment
SquidSquid CacheFoundation
SophosSophos Central (Intercept X)Detection
TrellixEndpoint Security (ENS)Foundation
TrellixEndpoint Security (HX)Foundation
Trend MicroVision OneDetection
VMwareCarbon Black Cloud Enterprise EDRFoundation
WatchguardFireboxDetection
ZscalerInternet Access (ZIA)Detection

In the pipeline

Outlined below are integrations we have in the pipeline however have no committed dates for support. Please note any integration may be influenced by changing business opportunities and client requirements. Please contact NTT for further information or if you require additional support.

VendorProduct
Palo Alto NetworksPrisma Access (Strata Logging Service)
Check PointSmart-1 Cloud
CloudflareCloudflare

2.2 - Integration Actions

Select the action you wish to take and jump to the relevant section:

Create Integration

  1. From your Samurai MDR portal tenant click Telemetry and select Integrations from the main menu.
  2. Click Create integration.
  3. Select the product you wish to integrate with the Samurai platform.
  4. Click Next. Dependent on how we collect telemetry, the product may be integrated via a Cloud Collector or Local Collector. Follow the steps based on the Collector type:

Cloud Collector

  1. If the integration is cloud-based you need to select the relevant Cloud Collector. Select the relevant Cloud Collector and click Next.
    • If you are using a public cloud storage account you should already have completed the steps in Cloud Collector.
    • If no cloud storage is utilized then a default cloud collector is available.
  2. Select Configuration Guide which will direct you to Samurai documentation outlining how to configure your product and obtain required fields.
  3. Once you have configured your product, complete the required fields.
  4. Select Finish.

Local Collector

  1. Your Local Collector(s) will be listed. Select the Local Collector that you will integrate the product with.
  2. Click Next (typically this is the syslog destination host when configuring your device). If you do not have a Local Collector setup and deployed, follow the steps in our Samurai Local Collector article.
  3. The Local Collector IP Address will be displayed, copy the IP address or take note of it.
  4. Click Configuration Guide which will direct you to Samurai documentation outlining how to configure your product.
  5. Based on the product, Extended Data Collection may be displayed, if so jump to Extended Data Collection.
  6. Click Finish

Extended Data Collection

For many products we are able to collect extended data enhancing our threat detection capabilities and accuracy, for example Packet Capture (PCAP) data. This option will be displayed during configuration of an integration.

  1. If extended data collection is available for the product, you can choose to enable or disable via the toggle. If you choose to disable, Select Finish
  2. If you choose to enable extended data collection you must complete all the necessary fields. The parameters for each field are derived from following the associated product configuration guide. Once complete, Select Finish

View Integration

There are multiple methods of viewing your integrations.

If you wish to view integrations associated with a specific collector:

  1. From your Samurai MDR portal tenant click Telemetry and select Collectors from the main menu
  2. Select the relevant Collector
  3. All integrations associated with the Collector will be displayed with associated information

You can also view all integrations regardless of collector:

  1. Click Telemetry and select Integrations in the main menu
  2. All of your Integrations will be listed

What are the Integration fields?

integration_fields.jpg

  • Status: Color indication of integration status

  • Status Description: Description of the status

  • Info: An info icon (info_icon.png) will be displayed if:

    • the integration is unsupported (unknown Vendor and Product)
    • the integration does not send enough events to trigger a telemetry monitoring notification. Refer to Telemetry Monitoring for additional information
  • ID: Universally Unique Identifier (UUID) for integration

  • Vendor: Vendor name of the product

  • Product: Product name

  • Type: Integration type used to gather or ingest telemetry. Potential entries you could see here include:

    • Log: Displayed when a telemetry source sends logs (typically via syslog)
    • Local: Displayed when we leverage an API from a Samurai local collector to gather telemetry
    • Cloud: Displayed when we leverage an API from a Samurai cloud collector or retrieve telemetry from public cloud storage
  • Name: Integration name you provided during configuration

  • IP Address: IP address of the host

  • Collector: Collector name associated with the integration

  • Description: Optional description you provided during integration configuration

  • Last Event Seen: The last event seen from the telemetry source in the format [yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC).

  • Created: Date and time of integration creation in the format[yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC).

Views

You can save filters you set through views. This is useful if, for example, you have a large number of integrations and wish to view only specific products or types of integration.

Click Views to save/reset/delete your different filters. Once saved you can toggle between views.

views.png

View Integration Details

There are multiple methods of viewing your integration details. If you wish to view integration details associated with a specific Collector:

  1. From your Samurai MDR portal click Telemetry and select Collectors from the main menu
  2. Select the relevant collector for your list
  3. All integrations associated with the collector will be displayed
  4. Find and click on your integrated product

You can also view all integration configuration regardless of collector:

  1. Click Telemetry and select Integrations from the main menu
  2. Find and click your integrated product
  3. Configuration parameters will be displayed

For integrations of type Log an events graph will be displayed. This is a useful indicator of the number of events over a given period and may show spikes and drops in events.

events_graph.png

You can also pivot directly into Advanced Query by selecting the magnifying glass icon (magnifying_glass.png) to view the underlying event data.

By clicking the time period you can update the events graph to a specific date and time range. We default to the Last 7 days however have included Quick time ranges or you can specify a date and time period.

 

View Integration Status

There are multiple methods of viewing your Integration status.

If you wish to view integration status associated with a specific Collector:

  1. From the Samurai MDR portal Telemetry and select Integrations from the main menu
  2. Select the relevant collector from your list
  3. All integrations listed related to the collector will be displayed with status color and description (if enabled)

You can also view status of all integrations regardless of collector:

  1. From your Samurai MDR portal Telemetry and select Integrations from the main menu
  2. All integrations shall be displayed with a status color and description (if enabled)

Potential status displayed are included in the table below:

StatusDescription
ProvisioningTelemetry components installing / provisioning
UnknownThe Samurai platform is unable to determine a status
HealthyAll components healthy
No events seen in last 12The Samurai platform has not seen any events in the last 12 hours
No events in last 24 hoursThe Samurai platform has not seen any events in the last 24 hours - this typically triggers an email notification

For more information about Integration status, please see the article on how to manage Integration Health.

Hide Integration

Hiding an integration will remove it from the integrations displayed and also from the Telemetry Monitoring view. Additionally if the integration is supported and the Samurai platform ingests no events, you will not receive an email notification.

Only integrations of type Log can be hidden. Some reasons why you may want to hide an integration include:

  • You may want to hide all of your unsupported/generic log source integrations, the Samurai platform does monitor unsupported integrations for your convenience however does not notify you if events are not seen in 24 hours.
  • You do not want to recieve any notifications if there is an issue with telemetry ingestion to the Samurai platform.

To hide an integration:

  1. Click Telemetry and select Integrations from the main menu
  2. Find the relevant Log integration
  3. Click on more.png (more options) within the integrations table and select Hide integration
  4. A Hide Log Integration window will be displayed, click Confirm

To view any hidden integrations:

  1. Click Telemetry and select Integrations from the main menu
  2. Click more.png (more options) at the top right of the window select Hidden log integrations
  3. A Hidden Log Integrations window will be displayed

Unhide Integration

  1. Click Telemetry and select Integrations from the main menu
  2. Click more.png (more options) at the top right of the window select Hidden log integrations
  3. A Hidden Log Integrations window will be displayed
  4. Find the relevant hidden integration
  5. Click on more.png (more options) within the integrations table and select Unhide integration

Delete Integration

If you wish to delete an integration associated with a specific Collector:

  1. From your Samurai MDR portal Telemetry and select Collectors from the main menu
  2. Select the relevant collector from your list
  3. You will now see all integrations associated with the collector
  4. Select your integrations
  5. On the right hand side of the relevant integration, click on more.png (more options) and select Delete Integration
  6. The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’. To ensure you intended to delete the integration you will need to type in the highlighted ‘Integration’s Hostname’ and select Delete Integration

You can also delete from the Integrations menu item:

  1. Click Telemetry and select Integrations from the main menu
  2. Find and select your integrated product
  3. On the right hand side of the relevant integration, click on more.png (more options) and select Delete Integration

2.3 - Generic Log Sources

While we make an effort to support a wide variety of Integrations and different types of log sources, it is possible that there may be a log source that you would like to ingest into the Samurai platform which we are not able to parse and analyze. This is especially true for events generated via syslog log sources.

The fact that we are not able to use a log source for detections doesn’t mean that it won’t still be useful to ingest into the Samurai platform. We will ingest any event data, provided via syslog (sent to a Samurai local collector), into our data lake and you will still be able to analyze that event data using Advanced Query. This allows you to include events from generic log sources when you are performing queries.

If a log source, ingested via syslog, does not match one of our supported integrations, we will ingest the log events, which will still contain, amongst others, the following fields:

  • timestamp: the time at which the log message was ingested
  • collector: the id of the collector which ingested the event
  • host: the source host from which the event was received
  • raw: the complete raw log message

You can then proceed to query these events using Advanced Query. For example, the following KQL query finds all the attempts to connect to a host using invalid user ids and then counts the attempts by source IPv4 or IPv6 address:

events | where host == "10.1.1.1" and i(raw contains "Invalid" or raw contains "failed") and raw !contains "connect" | project timestamp, user = extract("user ([a-zA-Z0-9\\-]+) from ", 1, raw), ipaddr = extract(".+ ([0-9a-f]+[\\:\\.][0-9a-f\\.\\:]+) ", 1, raw) | summarize num_attempts = count() by ipaddr| order by num_attempts

The output is ordered by the number of attempts from each IP address, producing a table like the following:

mceclip0.png

3 - Collectors

Samurai Collectors are used to receive and transport telemetry from your security controls, network devices or cloud services to the Samurai platform.

There are two types of collectors:

1. Cloud Collector

  • Deployed within the Samurai platform and is used to gather telemetry from cloud services and/or security controls. Various use cases exist with differing requirements based on the Product/Service you are integrating with Samurai:
    • In some cases you simply need to complete the relevant integration and the cloud collector is automatically used.
    • When we gather telemetry from public cloud storage (specifically Microsoft Azure storage accounts and Amazon Web Services (AWS) S3 buckets) you must first deploy a cloud collector within the Samurai platform that is used to monitor your cloud storage for updated telemetry files.
    • When we ingest telemetry using Splunk HTTP Event Collection (HEC) you must also first deploy a cloud collector within the Samurai platform that is used to receieve telemetry data.

2. Local Collector

  • Deployed within your environment and is used to gather telemetry from your security controls and network devices. We have packaged the local collector to support multiple formats and envionments.

What type of Collector do you require?

This is dependent on the products you want to integrate with Samurai:

  • For products deployed in your internal network, a Local Collector will be required to gather (pull & push) telemetry data and securely transfer it to the Samurai platform.
  • For cloud based products providing API endpoints, a Cloud Collector will be used to pull the telemetry data and securely transfer it to the Samurai platform.
  • For cloud based products utilizing streaming of telemetry data to cloud storage, a Cloud Collector is also required to retrieve the telemetry data and securely transfer it to the Samurai platform.
  • For products that leverage streaming of telemetry via Splunk HTTP Event Collection (HEC), a Cloud Collector is required to receieve telemetry data to the Samurai platform.

Next steps:

  • Review our Supported Integrations and associated Integration Guides to determine the collector type(s) required. Within each Integration Guide there is a table denoting use of a Local or Cloud Collector, alternatively this is displayed in the Samurai MDR portal when working through an integration.
  • You may also choose to jump directly to the Samurai MDR portal and review integrations
  • If you have determined you require a local collector then click on Samurai Local Collector and follow the steps to create, configure and install.
  • If you have determined you require a cloud collector then click on Samurai Cloud Collector and follow the steps to create and configure.

3.1 - Samurai Local Collector

If you have determined that you require a local collector then follow the steps below to learn what you need to get started, create, configure and download a local collector from the Samurai MDR portal and ensure it is working as expected.

  1. Take a moment to understand what you need to get started
  2. Create, configure and download a Collector
  3. Install a Collector
  4. Validate Collector Status
  5. Collector Status Notifications
  6. What’s next?
  7. Deleting a Collector

What you need to get started

  • Access to the Samurai MDR portal and your specific tenant.

  • A hypervisor to run the virtual machine, for example VMware vSphere, Microsoft Hyper-V, Amazon EC2 or Azure Virtual Machine

  • Ensure to make any necessary updates to comply with the collectors connectivity requirements.

  • A static IP address for the collector and DNS server IP addresses unless you decide to use DHCP.

  • Access to your products to make necessary changes outlined within the relevant integration guide.

Minimum Virtual Machine Requirements

CPU2 vCPU
Disk500GB disk
Memory4 GB

Connectivity required for the Collector

The collector requires connectivity to resources outlined within the table below, you may need to update your security controls e.g firewall to allow this connectivity.

FunctionProtocolPortSourceDestinationDetails
Enrolment, TelemetryTCP443Collector*.*.security.ntt

nttsecurity.io
.nttsecurity.io
.*.nttsecurity.io

samurai-xdr-prod-westeurope-xgliuoit.azure-api.net
All regular backend communication, telemetry
Remote ManagementTCP443Collectorra.cto.nttsecurity.io

deb.releases.teleport.dev

apt.releases.teleport.dev
Used for remote administration of collector (this is not mandatory and used when troubleshooting)
NTPUDP123CollectorClient infrastructure (NTP server(s)) if configured in Samurai app

OR

0.ubuntu.pool.ntp.org

1.ubuntu.pool.ntp.org

2.ubuntu.pool.ntp.org

3.ubuntu.pool.ntp.org
Time synchronization
DNSUDP53CollectorClient infrastructure (DNS server(s)) or external DNS servers (based on your collector configuration)Domain name resolution
Ubuntu updatesTCP80, 443Collector*.ubuntu.com

api.snapcraft.io
Ubuntu software repository
Container ManagementTCP443Collectordocker.com

*.docker.com (private container registry)

docker.io (private container registry)

*.docker.io (private container registry)
Private container registry
Amazon Cloud dependenciesTCP443Collector*.cloudfront.netAmazon CDN used by Collector API
Log storageTCP443Collector*.s3.*.amazonaws.comAmazon Cloud storage (this is not mandatory and used when troubleshooting)
Telemetry data(based on product - see Integration guide)Client ProductCollectorFrequent data transfer (based on product)

Create, Configure and Download a Collector

  1. From your Samurai MDR portal tenant, click Telemetry and select Collectors from the main menu

  2. Select Create Collector

  3. Select Local collector

  4. Complete the fields as required.

Collector nameA nickname for the collector
Description (Optional)A description of your collector, this could be the property name where installed
Location (Optional)Useful if you have collectors in multiple locations
HostnameA hostname for your collector
Proxy Server IP (Optional)Optional HTTP proxy IP address
NTP Servers (Optional)Input your own NTP server IP addresses
DHCP or StaticDetermine whether the collector will use DHCP or specify your own static IP address and network information
  1. Select Create Collector once you have completed all relevant fields

  2. Select the Collector you created by clicking the Name used in Step 2

  3. Select Download

  • The files you need to download are based on your Hypervisor. The options available for download are:

    • Configuration
      • iso - configuration file for your collector, this file is always required
    • Cloud init
      • AWS - used to provide cloud-init data to AWS instance
      • Azure - used to provide cloud-init data to Azure instance
    • Virtual machine
      • vmdk - disk image (not needed if using the ova)
      • vhdx - virtual hard disk format used for Hyper-V
      • ova - virtual machine that the collector will run (includes disk image) for VMware
  1. Download the iso configuration file and also the relevant file needed for your hypervisor.

Install a Collector

Based on your hypervisor follow the relevant section:

VMware vSphere

Follow the documentation from VMware:

  1. When asked to provide a virtual machine name, we suggest samurai-nttsh-collector
  2. Be sure to select the .ova file you downloaded when asked for the file to deploy your virtual machine from.

Once complete follow the VMware article to configure a datastore ISO file

  1. Be sure to select the .iso file you downloaded when asked to select file

The VM is now ready to be powered on.

Microsoft Hyper-V

Follow the documentation from Microsoft:

  1. When asked to provide a virtual machine name, we suggest samurai-nttsh-collector
  2. Use the Virtual Machine Requirements when configuring memory and network
  3. When asked to Connect Virtual Hard Disk ensure to use the .vhdx file you previously downloaded
  4. For Installation Options ensure you use the .iso file you previously downloaded

Once you have completed setup of your Collector you should ensure it is running and validate the status within the Samurai MDR portal, upon initial setup this can take a little while.

Amazon EC2

Prerequisitve steps:

  1. Ensure you have the AWS cloud-init.yaml file you downloaded from Create, Configure and Download a Collector.. This file will be used later during EC2 instance deployment.

Follow the vendor documentation from Amazon to launch a EC2 instance:

Perform the following adjustments to the vendor documentation when launching the instance:

  1. During step 4.a, select Ubuntu as AMI.
  2. During step 4.b*,* select the latest Ubuntu AMI
  3. During step 5*,* select a suitable Instance Type based on estimated performance requirements while fulfilling the Minimum Virtual Machine Requirements.
  4. During step 6 & 7, Set Key pair & Network Settings as per your AWS policies. Ensuring the the Network settings still fulfills the Connectivity required for the Collector.
  5. Before step 8, modify the Configure storage section with the following settings:
    1. Adjust the Root Volume to be at least 64 GiB.
    2. Add a secondary volume with at least 500 GiB according to the Minimum Virtual Machine Requirements.
  1. Before step 8, expand the section Advanced details and paste in the content of the cloud-init.yaml file into the User data section. Ensure that the check box User data has already been base64 encoded is not enabled.
  2. Proceed with step 8 and finish the rest of the installation as per the vendor documentation.

Azure Virtual Machine

Prerequisite steps:

  1. Ensure you have the Azure cloud-init.yaml file you downloaded from Create, Configure and Download a Collector.. This file will be used later during the Virtual Machine instance deployment.

Follow the vendor documentation from Microsoft to launch a Virtual Machine instance:

Perform the following adjustments to the vendor documentation when launching the instance:

  1. Under the Basic tab, select Ubuntu Server 22.04 LTS as image
  2. Under the Basic tab, select a suitable Size based on estimated performance requirements while fulfilling the Minimum Virtual Machine Requirements.
  3. Under the Disk tab, add one data disk with at least 500 GiB according to the Minimum Virtual Machine Requirements.
  1. Under the Advanced tab, paste the contents of cloud-init.yaml in the Custom datafield.

Validate Collector Status

  1. Click Telemetry and select Collectors from the main menu

  2. Select the relevant Collector from the presented list

  3. View Status

StatusDescription
OfflineCollector created but not online
UnavailableCollector has been online but no longer available
HealthyCollector deployed and deployed add on components (including) Integrations and/or Evidence Fetchers)
Not-HealthyComponent(s) deployed on the Collector not healthy
ProvisioningCollector is in setup

After you provision a Collector VM and start it, it will go through a process of installing updates and modules specified in the configuration ISO file which you downloaded. The time taken for this process is dependent on factors like the speed of the hardware you are running the Collector on and connectivity to the repositories that it downloads updates from. In some cases this process can take around 30 minutes.

The Collector may show as “Offline” during the initial provisioning steps. This is not any cause for alarm.

If you have any problems, please submit a ticket via the Samurai MDR portal.

Collector Status Notifications

Samurai will send email notifications to registered application users should your Local Collector status change from Healthy to Not-Healthy or Unavailable. Once any issues have been resolved, you will also be notified again when a Healthy status is reached.

What’s next?

You should now have a collector running within your environment!

The next step is to start configuring integrations which will allow the Samurai platform to start receiving your telemetry data.

Select Integrations Overview for more information on integrations and where to start.

If you require high availability for your collector, this can be achieved using the capabilities of your virtualization platform.

Deleting a Collector

If you need to delete a local collector you can do so by following the steps below:

  1. From your Samurai MDR portal click Telemetry and select Collectors
  2. Select the relevant collector from your list
  3. On the right hand side of the relevant collector, click on mceclip1.png (more options) and select Delete Collector
  4. The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’. To ensure you intended to delete the collector you will need to type DELETE in the field and select Delete Collector

Replacing a Collector

If for some reason a Local Collector VM is lost due to corruption or damage, such as in the case of a major disk storage failure, you may need to replace your Collector. If this happens, you will need to delete the old Collector in the Samurai MDR portal, discard your old Collector VM image and then create a new Collector using the process described to Install a Collector.

3.2 - Samurai Cloud Collector

Deployed within the Samurai platform, Cloud Collectors are used to:

  • Pull telemetry data via an API and securely transfer it to the Samurai platform.
  • Retrieve telemetry data from public cloud storage (Microsoft Azure storage accounts and Amazon Simple Storage Service - S3). The collector monitors for new or updated files in cloud storage and pulls the data into the Samurai platform for ingestion.
  • Receieve telemetry data for ingestion to the Samurai platform (Splunk HTTP Event Collection - HEC).

The need for a Cloud Collector is based on the specific product being integrated with the Samurai platform. This will be clearly indicated within the Product Integration Guide.

  • For integrations where we leverage an API, you can simply follow the integration guide as a cloud collector will already be available.
  • For integrations where we leverage collection of telemetry data from public cloud storage or receipt via Splunk HTTP Event Collector (HEC) there are steps you will need to follow as outlined in the section below Create Cloud Collector.

Create Cloud Collector

  1. From the Samurai MDR portal, click Telemetry and select Collectors from the main menu

  2. Select Create Collector

  3. Select Cloud collector

  4. Complete the fields as required.

FieldDescription
Collector nameA name for the collector
Description (Optional)A description of your collector
ProviderSelect the correct Provider
  1. Select Create Collector

  2. Follow the relevant section below based on your provider.

Microsoft Azure

  1. Click Deploy to Azure and you will be redirected to the Microsoft Azure login.
  1. An Azure Resource Manager (ARM) template will be launched, follow the steps and complete the necessary fields within the template:

Project Details

FieldDescription
SubscriptionSelect your Azure subscription
Resource GroupCreate or select your Resource Group

Instance Details

FieldDescription
RegionSelect the Azure region to deploy the Collector into
Collector Name(this is auto populated from the Samurai MDR portal Collector name you defined)
Collector Id(this is auto populated from Samurai)
Passkey(this is auto populated from Samurai)
  1. Select Next

  2. Select Review and Create

  3. Upon creation your Collector status will be updated to Healthy.

  4. You can now refer to the relevant Product Integration Guides.

Amazon Web Services (AWS)

  1. Click Launch Stack and you will be redirected to the AWS login.
  1. Login to your AWS account with administrative permissions.

  2. The Samurai cloud formation template will be displayed.

  3. If you have an existing S3 Bucket enter the name within the Parameters section under Enable Samurai ingestion on existing S3 bucket. If you have no existing S3 bucket, leave this field blank and a new S3 bucket will be created.

  4. If you are integrating Cisco Umbrella, be sure to update Cisco Umbrella under the Parameters section to Yes.

  5. Click Create Stack.

  6. Upon creation of the stack your Collector status will be updated to Healthy.

  7. You can now refer to the relevant Product Integration Guides.

Splunk HTTP Event Collector

  1. If you selected this option you will be presented with the following information:
  • API URL
  • Token

Copy these entries as you will need them when completing your integration.

  1. Select Close.

  2. You can now refer to the relevant Product Integration Guides.

Validate Collector Status

  1. Select Telemetry and Collectors from the main menu

  2. Select the relevant Collector from the presented list

  3. View Status

StatusDescription
OfflineCollector created but offline
Not availableCollector has been online but no longer available
HealthyCollector deployed and healthy
Not-HealthyCollector not healthy
ProvisioningCollector is being setup / provisioning

What’s next?

You should now have a collector running.

The next step is to start configuring integrations which will allow the Samurai platform to collect your telemetry data.

Select Integrations Overview for more information on integrations and where to start.

Deleting a Collector

If you need to delete a Cloud collector you can do so by following the steps below:

  1. From your Samurai MDR portal click Telemetry and select Collectors from the main menu
  2. Select the relevant collector from your list
  3. On the right hand side of the relevant collector, click on options.png (more options) and select Delete Collector
  4. The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’. To ensure you intended to delete the collector you will need to type DELETE in the window and select Delete Collector