This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Integrations

What is an Integration?

A data source integrated with the Samurai platform. An integration allows us to collect and ingest telemetry data from multiple sources, including network, endpoint and cloud.

What integrations are available?

We have pre-built integrations to a comprehensive array of 3rd party products and services. Select Supported Integrations to view what is available.

For syslog sources, even if events do not match a supported Integration, we will still ingest events into our data lake as a Generic Log Source. You will still be able to process this data using Advanced Query, and include events from generic log sources within your queries.

How do I integrate data sources?

Select Integration for steps that can be taken with integrations within the Samurai MDR portal.

Integration Health

Once you have configured Integrations to bring your data into the Samurai platform, you will also want to make sure that your data sources are healthy. For more details on how to maintain Integration health and troubleshoot problems, please read our article about Integration Health.

What’s Next?

Upon completion of your integrations and validation of health, the platform will start collecting and ingesting telemetry data. Dependent on your phase of MDR onboarding our team will be in contact with you.

1 - Supported Integrations

Samurai Integrations facilitate the ingestion of data sources from a wide range of third party vendors. Our Integrations are updated regularly as new and emerging technologies are released.

Each Integration typically requires a configuration guide outlining steps you must follow to integrate your data source to the Samurai platform.

For details such as transport methods and logs collected please refer to each supporting vendor configuration guide by clicking the link in the table or browsing directly to Product Integration Guides.

All supported integrations are categorized according to our Detection Categorization. For further information refer to the following article: Telemetry Data Source Categorization.

Available configuration guides

VendorProductDetection Category
Amazon Web ServicesCloudTrailDetection
Amazon Web ServicesVirtual Private Cloud (VPC) Flow LogsDetection
ApacheHTTP ServerEnrichment
Aruba NetworksClearPassEnrichment
Blackberry (Cylance)Cylance PROTECTEnrichment
Check PointNext-Generation FirewallFoundation
CiscoIOS Routers & SwitchesEnrichment
CiscoIdentity Services Engine (ISE)Enrichment
CiscoMeraki MX Security AppliancesDetection
CiscoSecure EndpointFoundation
CiscoSecure Firewall (ASA Appliances)Foundation
CiscoSecure Firewall (Firepower Threat Defense)Foundation
CiscoUmbrellaFoundation
CitrixNetscalerEnrichment
ClarotyContinuous Threat Detection (CTD)Foundation
ClarotyxDomeDetection
CrowdstrikeFalcon InsightFoundation
Cyber-ArkPrivileged Access Security (PAS)Enrichment
ESETProtectDetection
F5BIG-IP Load Traffic Manager (LTMDetection
FortinetFortiAnalyzerFoundation
FortinetFortiGate Next-Generation FirewallFoundation
FortinetFortiWeb Web Application FirewallDetection
GestioIPIP Address Management (IPAM)Enrichment
GoogleWorkspaceEnrichment
InfoBloxDDIDetection
LinuxAuthentications LogsEnrichment
MicrosoftAzure Application GatewayDetection
MicrosoftAzure Activity LogsEnrichment
MicrosoftAzure FirewallDetection
MicrosoftAzure Virtual Networks (NSG Flow)Enrichment
MicrosoftDefender for EndpointFoundation
MicrosoftDefender Advanced HuntingFoundation
MicrosoftEntra IDEnrichment
MicrosoftGraph SecurityDetection
MicrosoftInternet Information Services (IIS)Detection
MicrosoftOffice 365Enrichment
MicrosoftDHCP ServerEnrichment
MicrosoftDNS ServerDetection
MicrosoftWindows Event LogEnrichment
OktaWorkforce Identity CloudEnrichment
Palo Alto NetworksCortex XDR ProFoundation
Palo Alto NetworksNext Generation FirewallFoundation
Palo Alto NetworksPanoramaFoundation
PowerDNSRecursorDetection
ProofPointTargeted Attack ProtectionDetection
SambaSamba Active DirectoryEnrichment
SquidSquid CacheFoundation
SophosSophos Central (Intercept X)Detection
TrellixEndpoint Security (ENS)Foundation
TrellixEndpoint Security (HX)Foundation
Trend MicroVision OneDetection
VMwareCarbon Black Cloud Enterprise EDRFoundation
WatchguardFireboxDetection
ZscalerInternet Access (ZIA)Detection

In the pipeline

Outlined below are integrations we have in the pipeline however have no committed dates for support. Please note any integration may be influenced by changing business opportunities and client requirements. Please contact NTT for further information or if you require additional support.

VendorProduct
NozomiGuardian
Palo Alto NetworksPrisma Access
Heimdal SecurityEndpoint Security
ClickstudiosPasswordstate

2 - Integration Actions

Select the action you wish to take and jump to the relevant section:

Create Integration

  1. From your Samurai MDR portal tenant click Telemetry and select Integrations from the main menu.
  2. Click Create integration.
  3. Select the product you wish to integrate with the Samurai platform.
  4. Click Next. Dependent on how we collect telemetry, the product may be integrated via a Cloud Collector or Local Collector. Follow the steps based on the Collector type:

Cloud Collector

  1. If the integration is cloud-based you need to select the relevant Cloud Collector. Select the relevant Cloud Collector and click Next.
    • If you are using a public cloud storage account you should already have completed the steps in Cloud Collector.
    • If no cloud storage is utilized then a default cloud collector is available.
  2. Select Configuration Guide which will direct you to Samurai documentation outlining how to configure your product and obtain required fields.
  3. Once you have configured your product, complete the required fields.
  4. Select Finish.

Local Collector

  1. Your Local Collector(s) will be listed. Select the Local Collector that you will integrate the product with.
  2. Click Next (typically this is the syslog destination host when configuring your device). If you do not have a Local Collector setup and deployed, follow the steps in our Samurai Local Collector article.
  3. The Local Collector IP Address will be displayed, copy the IP address or take note of it.
  4. Click Configuration Guide which will direct you to Samurai documentation outlining how to configure your product.
  5. Based on the product, Extended Data Collection may be displayed, if so jump to Extended Data Collection.
  6. Click Finish

Extended Data Collection

For many products we are able to collect extended data enhancing our threat detection capabilities and accuracy, for example Packet Capture (PCAP) data. This option will be displayed during configuration of an integration.

  1. If extended data collection is available for the product, you can choose to enable or disable via the toggle. If you choose to disable, Select Finish
  2. If you choose to enable extended data collection you must complete all the necessary fields. The parameters for each field are derived from following the associated product configuration guide. Once complete, Select Finish

View Integration

There are multiple methods of viewing your integrations.

If you wish to view integrations associated with a specific collector:

  1. From your Samurai MDR portal tenant click Telemetry and select Collectors from the main menu
  2. Select the relevant Collector
  3. All integrations associated with the Collector will be displayed with associated information

You can also view all integrations regardless of collector:

  1. Click Telemetry and select Integrations in the main menu
  2. All of your Integrations will be listed

What are the Integration fields?

integration_fields.jpg

  • Status: Color indication of integration status

  • Status Description: Description of the status

  • Info: An info icon (info_icon.png) will be displayed if:

    • the integration is unsupported (unknown Vendor and Product)
    • the integration does not send enough events to trigger a telemetry monitoring notification. Refer to Telemetry Monitoring for additional information
  • ID: Universally Unique Identifier (UUID) for integration

  • Vendor: Vendor name of the product

  • Product: Product name

  • Type: Integration type used to gather or ingest telemetry. Potential entries you could see here include:

    • Log: Displayed when a telemetry source sends logs (typically via syslog)
    • Local: Displayed when we leverage an API from a Samurai local collector to gather telemetry
    • Cloud: Displayed when we leverage an API from a Samurai cloud collector or retrieve telemetry from public cloud storage
  • Name: Integration name you provided during configuration

  • IP Address: IP address of the host

  • Collector: Collector name associated with the integration

  • Description: Optional description you provided during integration configuration

  • Last Event Seen: The last event seen from the telemetry source in the format [yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC).

  • Created: Date and time of integration creation in the format[yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC).

Views

You can save filters you set through views. This is useful if, for example, you have a large number of integrations and wish to view only specific products or types of integration.

Click Views to save/reset/delete your different filters. Once saved you can toggle between views.

views.png

View Integration Details

There are multiple methods of viewing your integration details. If you wish to view integration details associated with a specific Collector:

  1. From your Samurai MDR portal click Telemetry and select Collectors from the main menu
  2. Select the relevant collector for your list
  3. All integrations associated with the collector will be displayed
  4. Find and click on your integrated product

You can also view all integration configuration regardless of collector:

  1. Click Telemetry and select Integrations from the main menu
  2. Find and click your integrated product
  3. Configuration parameters will be displayed

For integrations of type Log an events graph will be displayed. This is a useful indicator of the number of events over a given period and may show spikes and drops in events.

events_graph.png

You can also pivot directly into Advanced Query by selecting the magnifying glass icon (magnifying_glass.png) to view the underlying event data.

By clicking the time period you can update the events graph to a specific date and time range. We default to the Last 7 days however have included Quick time ranges or you can specify a date and time period.

 

View Integration Status

There are multiple methods of viewing your Integration status.

If you wish to view integration status associated with a specific Collector:

  1. From the Samurai MDR portal Telemetry and select Integrations from the main menu
  2. Select the relevant collector from your list
  3. All integrations listed related to the collector will be displayed with status color and description (if enabled)

You can also view status of all integrations regardless of collector:

  1. From your Samurai MDR portal Telemetry and select Integrations from the main menu
  2. All integrations shall be displayed with a status color and description (if enabled)

Potential status displayed are included in the table below:

StatusDescription
ProvisioningTelemetry components installing / provisioning
UnknownThe Samurai platform is unable to determine a status
HealthyAll components healthy
No events seen in last 12The Samurai platform has not seen any events in the last 12 hours
No events in last 24 hoursThe Samurai platform has not seen any events in the last 24 hours - this typically triggers an email notification

For more information about Integration status, please see the article on how to manage Integration Health.

Hide Integration

Hiding an integration will remove it from the integrations displayed and also from the Telemetry Monitoring view. Additionally if the integration is supported and the Samurai platform ingests no events, you will not receive an email notification.

Only integrations of type Log can be hidden. Some reasons why you may want to hide an integration include:

  • You may want to hide all of your unsupported/generic log source integrations, the Samurai platform does monitor unsupported integrations for your convenience however does not notify you if events are not seen in 24 hours.
  • You do not want to recieve any notifications if there is an issue with telemetry ingestion to the Samurai platform.

To hide an integration:

  1. Click Telemetry and select Integrations from the main menu
  2. Find the relevant Log integration
  3. Click on more.png (more options) within the integrations table and select Hide integration
  4. A Hide Log Integration window will be displayed, click Confirm

To view any hidden integrations:

  1. Click Telemetry and select Integrations from the main menu
  2. Click more.png (more options) at the top right of the window select Hidden log integrations
  3. A Hidden Log Integrations window will be displayed

Unhide Integration

  1. Click Telemetry and select Integrations from the main menu
  2. Click more.png (more options) at the top right of the window select Hidden log integrations
  3. A Hidden Log Integrations window will be displayed
  4. Find the relevant hidden integration
  5. Click on more.png (more options) within the integrations table and select Unhide integration

Delete Integration

If you wish to delete an integration associated with a specific Collector:

  1. From your Samurai MDR portal Telemetry and select Collectors from the main menu
  2. Select the relevant collector from your list
  3. You will now see all integrations associated with the collector
  4. Select your integrations
  5. On the right hand side of the relevant integration, click on more.png (more options) and select Delete Integration
  6. The following warning will appear: ‘Warning: This is a destructive action and cannot be reversed.’. To ensure you intended to delete the integration you will need to type in the highlighted ‘Integration’s Hostname’ and select Delete Integration

You can also delete from the Integrations menu item:

  1. Click Telemetry and select Integrations from the main menu
  2. Find and select your integrated product
  3. On the right hand side of the relevant integration, click on more.png (more options) and select Delete Integration

3 - Generic Log Sources

While we make an effort to support a wide variety of Integrations and different types of log sources, it is possible that there may be a log source that you would like to ingest into the Samurai platform which we are not able to parse and analyze. This is especially true for events generated via syslog log sources.

The fact that we are not able to use a log source for detections doesn’t mean that it won’t still be useful to ingest into the Samurai platform. We will ingest any event data, provided via syslog (sent to a Samurai local collector), into our data lake and you will still be able to analyze that event data using Advanced Query. This allows you to include events from generic log sources when you are performing queries.

If a log source, ingested via syslog, does not match one of our supported integrations, we will ingest the log events, which will still contain, amongst others, the following fields:

  • timestamp: the time at which the log message was ingested
  • collector: the id of the collector which ingested the event
  • host: the source host from which the event was received
  • raw: the complete raw log message

You can then proceed to query these events using Advanced Query. For example, the following KQL query finds all the attempts to connect to a host using invalid user ids and then counts the attempts by source IPv4 or IPv6 address:

events | where host == "10.1.1.1" and i(raw contains "Invalid" or raw contains "failed") and raw !contains "connect" | project timestamp, user = extract("user ([a-zA-Z0-9\\-]+) from ", 1, raw), ipaddr = extract(".+ ([0-9a-f]+[\\:\\.][0-9a-f\\.\\:]+) ", 1, raw) | summarize num_attempts = count() by ipaddr| order by num_attempts

The output is ordered by the number of attempts from each IP address, producing a table like the following:

mceclip0.png