Deployed within the Samurai platform, Cloud Collectors are used to:
- Pull telemetry data via an API and securely transfer it to the Samurai platform.
- Retrieve telemetry data from public cloud storage (Microsoft Azure storage accounts and Amazon Simple Storage Service - S3). The collector monitors for new or updated files in cloud storage and pulls the data into the Samurai platform for ingestion.
- Receive telemetry data for ingestion into the Samurai platform (Splunk HTTP Event Collection - HEC).
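The cloud-storage collector described above works by comparing successive listings of the bucket or container and ingesting only what is new or has changed. The following is an added example of that change-detection logic, not Samurai's collector code: the listings are constructed inline in the shape of S3 ListObjectsV2 entries (Key, LastModified, ETag), and the same approach applies to an Azure blob listing with its name, last_modified and etag fields.

```python
"""Detect new or updated objects between two listings of a storage bucket.

Added example; not part of the Samurai platform. Listings are constructed
here to look like S3 ListObjectsV2 entries.
"""
from datetime import datetime, timezone


def _utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed: what the collector saw at its previous poll.
PREVIOUS_LISTING = [
    {"Key": "logs/", "LastModified": _utc(2024, 1, 1), "ETag": '"d41d8cd9"'},
    {"Key": "logs/2024-01-01.json.gz", "LastModified": _utc(2024, 1, 1, 0, 5), "ETag": '"aaa111"'},
    {"Key": "logs/2024-01-02.json.gz", "LastModified": _utc(2024, 1, 2, 0, 5), "ETag": '"bbb222"'},
]

# Constructed: the current poll. Day 1 was re-uploaded byte-for-byte identical
# (same ETag, newer timestamp), day 2 was overwritten with new content, and
# day 3 is a new file.
CURRENT_LISTING = [
    {"Key": "logs/", "LastModified": _utc(2024, 1, 1), "ETag": '"d41d8cd9"'},
    {"Key": "logs/2024-01-01.json.gz", "LastModified": _utc(2024, 1, 1, 0, 9), "ETag": '"aaa111"'},
    {"Key": "logs/2024-01-02.json.gz", "LastModified": _utc(2024, 1, 2, 0, 30), "ETag": '"bbb333"'},
    {"Key": "logs/2024-01-03.json.gz", "LastModified": _utc(2024, 1, 3, 0, 5), "ETag": '"ccc444"'},
]


def changed_objects(previous, current):
    """Return ([(key, 'new' | 'updated'), ...], state_for_next_poll).

    Objects are keyed by ETag rather than LastModified so that an identical
    re-upload is not ingested twice, while a genuine overwrite (new ETag) is.
    Results are ordered oldest-first so ingestion follows file creation order.
    """
    seen = {o["Key"]: o["ETag"] for o in previous}
    hits = []
    for obj in current:
        key = obj["Key"]
        if key.endswith("/"):  # folder placeholder objects carry no telemetry
            continue
        if key not in seen:
            hits.append((obj, "new"))
        elif seen[key] != obj["ETag"]:
            hits.append((obj, "updated"))
    hits.sort(key=lambda pair: pair[0]["LastModified"])
    to_ingest = [(obj["Key"], reason) for obj, reason in hits]
    # Objects absent from `current` were deleted; dropping them from the saved
    # state means a later re-upload under the same key is ingested again.
    new_state = [dict(o) for o in current]
    return to_ingest, new_state


if __name__ == "__main__":
    for key, reason in changed_objects(PREVIOUS_LISTING, CURRENT_LISTING)[0]:
        print(reason, key)
```

Persisting the returned state between polls is what makes the collector idempotent: running it twice against an unchanged listing produces nothing to ingest.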
The need for a Cloud Collector is based on the specific product being integrated with the Samurai platform. This will be clearly indicated within the Product Integration Guide.
- For integrations where we leverage an API, you can simply follow the integration guide as a cloud collector will already be available.
- For integrations where we leverage collection of telemetry data from public cloud storage, or receipt via Splunk HTTP Event Collector (HEC), there are steps you will need to follow, as outlined in the Create Cloud Collector section below.
Create Cloud Collector
From the Samurai MDR portal, click Telemetry and select Collectors from the main menu
Select Create Collector
Select Cloud collector
Complete the fields as required.
Field | Description |
---|---|
Collector name | A name for the collector |
Description (Optional) | A description of your collector |
Provider | Select the correct Provider |
Select Create Collector
Follow the relevant section below based on your provider.
Microsoft Azure
- Click Deploy to Azure and you will be redirected to the Microsoft Azure login.
- An Azure Resource Manager (ARM) template will be launched, follow the steps and complete the necessary fields within the template:
Project Details
Field | Description |
---|---|
Subscription | Select your Azure subscription |
Resource Group | Create or select your Resource Group |
Instance Details
Field | Description |
---|---|
Region | Select the Azure region to deploy the Collector into |
Collector Name | Auto-populated from the Collector name you defined in the Samurai MDR portal |
Collector Id | Auto-populated from Samurai |
Passkey | Auto-populated from Samurai |
Select Next
Select Review and Create
Upon creation your Collector status will be updated to Healthy.
You can now refer to the relevant Product Integration Guides.
Amazon Web Services (AWS)
- Click Launch Stack and you will be redirected to the AWS login.
Log in to your AWS account with administrative permissions.
The Samurai CloudFormation template will be displayed.
If you have an existing S3 bucket, enter its name in the Parameters section under Enable Samurai ingestion on existing S3 bucket. If you have no existing S3 bucket, leave this field blank and a new S3 bucket will be created.
If you are integrating Cisco Umbrella, be sure to update Cisco Umbrella under the Parameters section to Yes.
Click Create Stack.
Upon creation of the stack your Collector status will be updated to Healthy.
You can now refer to the relevant Product Integration Guides.
Splunk HTTP Event Collector
- If you selected this option you will be presented with the following information:
- API URL
- Token
Copy these entries as you will need them when completing your integration.
Select Close.
You can now refer to the relevant Product Integration Guides.
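The API URL and Token shown for a Splunk HTTP Event Collector collector are what the sending side uses to authenticate. The following is an added example, not Samurai code, of building a HEC request with those two values and interpreting the reply so that a failed integration can be diagnosed without exposing the token in logs. It assumes the API URL is a complete Splunk HEC endpoint that accepts the standard `Authorization: Splunk <token>` header and JSON event body; the URL and token below are constructed placeholders.

```python
"""Build, send and interpret a Splunk HEC request for a Samurai collector.

Added example; not part of the Samurai platform. EXAMPLE_API_URL and
EXAMPLE_TOKEN are placeholders for the values shown in the portal.
"""
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

EXAMPLE_API_URL = "https://hec.example.invalid/services/collector/event"  # placeholder
EXAMPLE_TOKEN = "00000000-0000-0000-0000-000000000000"                     # placeholder


def build_hec_request(api_url, token, event, sourcetype, host=None, event_time=None):
    """Return (url, headers, body) for one HEC event.

    HEC authenticates with 'Authorization: Splunk <token>'; the JSON body's
    'event' member carries the record. Non-https URLs are refused because the
    token would otherwise travel in clear text.
    """
    if urlsplit(api_url).scheme != "https":
        raise ValueError("HEC endpoint must be https; refusing to send the token over http")
    if not token:
        raise ValueError("token is required")
    body = {
        "time": event_time if event_time is not None else time.time(),
        "sourcetype": sourcetype,
        "event": event,
    }
    if host:
        body["host"] = host
    headers = {"Authorization": "Splunk " + token, "Content-Type": "application/json"}
    return api_url, headers, json.dumps(body)


def redact_headers(headers):
    """Copy of the headers with the token masked, safe for logs and tickets."""
    safe = dict(headers)
    auth = safe.get("Authorization", "")
    if auth.startswith("Splunk "):
        safe["Authorization"] = "Splunk ****" + auth[len("Splunk "):][-4:]
    return safe


# Reply codes documented for the Splunk HEC collector endpoint.
HEC_CODES = {0: "Success", 1: "Token disabled", 2: "Token is required",
             3: "Invalid authorization", 4: "Invalid token", 5: "No data",
             6: "Invalid data format"}


def interpret_hec_response(status, body_text):
    """Map an HTTP status plus HEC JSON reply to (accepted, message)."""
    try:
        reply = json.loads(body_text)
    except ValueError:
        return False, "non-JSON reply (HTTP %d); check the API URL" % status
    code = reply.get("code")
    message = HEC_CODES.get(code, reply.get("text", "code %s" % code))
    return status == 200 and code == 0, message


def send_test_event(api_url, token, timeout=10):
    """POST one constructed connectivity event and interpret the reply (network call)."""
    url, headers, body = build_hec_request(
        api_url, token, {"message": "collector connectivity test"}, "hec:test")
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return interpret_hec_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Replace the placeholders with the API URL and Token from the portal.
    print(send_test_event(EXAMPLE_API_URL, EXAMPLE_TOKEN))
```

A reply of `{"text":"Success","code":0}` confirms the token and URL are correct; codes 1 through 4 point at the token, while a non-JSON reply usually means the API URL itself is wrong.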
Validate Collector Status
Select Telemetry and Collectors from the main menu
Select the relevant Collector from the presented list
View Status
Status | Description |
---|---|
Offline | Collector created but offline |
Not available | Collector has been online but no longer available |
Healthy | Collector deployed and healthy |
Not-Healthy | Collector not healthy |
Provisioning | Collector is being set up (provisioning in progress) |
What’s next?
You should now have a collector running.
The next step is to start configuring integrations which will allow the Samurai platform to collect your telemetry data.
Select Integrations Overview for more information on integrations and where to start.
Deleting a Collector
If you need to delete a Cloud collector you can do so by following the steps below:
- From your Samurai MDR portal click Telemetry and select Collectors from the main menu
- Select the relevant collector from your list
- On the right hand side of the relevant collector, click on (more options) and select Delete Collector
- The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’ To confirm that you intend to delete the collector, type DELETE in the window and select Delete Collector.