Skip to main content

Integration Actions

  • Updated

Select the action you wish to take and jump to the relevant section:

mceclip0.png If you are new to integrations you should review Integrations Overview 

 

Create Integration

  1. From your Samurai XDR application tenant select Telemetry > Integrations from the main menu
  2. Click Create
  3. The Create Integrations widget is displayed, select the product you wish to integrate with Samurai XDR
  4. Click Next. Dependent on how we collect telemetry, the product may be integrated via a Cloud Collector or Local Collector. Follow the steps based on the Collector type:

 

Cloud Collector

  1. If the integration is cloud-based it will be added to the Cloud Collector which shall be displayed - Select Next
  2. Select Configuration Guide which will direct you to the Help Center article outlining how to configure your product and obtain required fields.
  3. Once you have configured your product, complete the required fields
  4. Select Finish

 

Local Collector

  1. Your Local Collector(s) will be listed. Select the Local Collector that you will integrate the product with
  2. Click Next (typically this is the syslog destination host when configuring your device).  If you do not have a Local Collector setup and deployed, select Create Collector and follow the steps in our Samurai XDR Local Collector article.
  3. The Local Collector IP Address will be displayed, copy the IP address or take note of it
  4. Click Configuration Guide which will direct you to the Help Center article outlining how to configure your product. 
  5. Based on the product, Extended Telemetry Collection may be displayed, if so jump to Extended Telemetry Collection
  6. Click Finish

mceclip0.png You do not need to follow the steps above for a Local Collector integration, however we advise you follow the steps to determine if extended telemetry collection is available for the product, and if you wish to enable it.  You may choose to follow our configuration guides to send logs directly to your Local Collector, Samurai XDR will auto detect the vendor and product for supported integrations. If we do not support the product, your integration will be displayed as 'unknown' under the Vendor and Product fields, however Samurai XDR will store the telemetry data. 

 

Extended Telemetry Collection

For many products we are able to collect extended telemetry enhancing our threat detection capabilities and accuracy, for example Packet Capture (PCAP) data. This option will be displayed during configuration of an integration. 

  1. If extended telemetry collection is available for the product, you can choose to enable or disable via the toggle. If you choose to disable, Select Finish
  2. If you choose to enable extended telemetry collection you must complete all the necessary fields. The parameters for each field are derived from following the associated product configuration guide. Once complete, Select Finish.

mceclip0.png You can choose to follow the configuration guide at anytime during the process, however if your product is not configured, Samurai XDR will obviously not receive any telemetry.

mceclip0.png All third-party product configuration guides can be found on the Samurai Help Center

 

View Integration

There are multiple methods of viewing your integrations. 

If you wish to view integrations associated with a specific collector:

  1. From your Samurai XDR application tenant select Telemetry > Collectors
  2. Select mceclip0.png (expand)  next to the corresponding collector
  3. Your integrated telemetry sources will be listed with associated information
  4. Alternatively at step 2. select the name of your collector and you will be shown a summary of all integrations associated with the collector which includes Status.

You can also view  all integrations regardless of collector:

  1. Select Telemetry > Integrations in the main menu 
  2. All of your Integrations will be listed 

mceclip0.png A single product integration may be displayed multiple times based on telemetry data ingested. For example, if you enabled Extended Telemetry Collection whilst creating an integration the individual product will be displayed multiple times with different Type fields associated - see below for further explanation.

 

What are all the Integration fields?

integration_fields.PNG

 

  • Vendor: vendor name of the product 
  • Product: product name
  • Type: integration type used to gather or ingest telemetry.  Potential entries you could see here include:
    • Log: displayed when a telemetry source sends logs (typically via syslog). 
    • Local: displayed when we leverage an API from the local collector to gather telemetry
    • Cloud: displayed when we leverage an API from a Samurai XDR cloud collector to gather telemetry
  • Name: integration name you provided during configuration
  • Collector: the collector name associated with the integration
  • Hostname: hostname of the integrated telemetry source derived from the logs
  • Description: an optional description you provided during integration configuration
  • Last Event Seen: the last event seen from the telemetry source in the format [yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC). 
  • Created: date and time of integration creation in the format [yyyy:mm:dd], [hh:mm:ss] with time represented in Universal Time Coordinated (UTC). 

 

View Integration Configuration

There are multiple methods of viewing your integration configuration. If you wish to view integration configuration associated with a specific Collector:

  1. From your Samurai XDR application select Telemetry > Collectors
  2. Select the relevant collector for your list
  3. You will now see all integrations associated with the collector
  4. On the right hand side of the relevant integration, click on mceclip1.png (more options) and select View Configuration
  5. You will now see all configuration parameters for that integration

You can also view all integration configuration regardless of collector:

  1. Selecting Telemetry > Integrations in the main menu on the left of the screen
  2. Find your integrated product
  3. Select View Configuration by clicking on mceclip1.png(more options)

 

View Integration Status

There are multiple methods of viewing your Integration status.

If you wish to view integration status associated with a specific Collector:

  1. From your Samurai XDR application select Telemetry > Collectors
  2. Select the relevant collector from your list
  3. All integrations listed related to the collector will be displayed alongside a summary of Healthy and Not Healthy integrations

You can also view status of all integrations regardless of collector:

  1. From your Samurai XDR application select Telemetry > Integrations 
  2. All integrations shall be displayed with a status color. 

Potential status displayed are included in the table below:

 

Status

Description
Not Available Unsuccessful or failed
Not-Healthy One of more components unhealthy
Healthy All components healthy 
Provisioning Telemetry components installing / provisioning

 

For more information about Integration status, please see the article on how to manage Integration Health.

 

Delete Integration

mceclip0.png  If you delete an integration, it cannot be reversed! however events from the telemetry source will remain within Samurai XDR.  However if the integration is auto-detected, it will reappear as type log if your telemetry source remains sending logs.

If you wish to delete an integration associated with a specific Collector:

  1. From your Samurai XDR application select Telemetry > Collectors
  2. Select the relevant collector from your list
  3. You will now see all integrations associated with the collector
  4. On the right hand side of the relevant integration, click on mceclip1.png (more options) and select Delete Integration
  5. The following warning will appear: 'Warning: This is a destructive action and cannot be reversed.'. To ensure you intended to delete the integration you will need to type in the highlighted 'Integration's Hostname' and select Delete Integration

You can also complete delete configuration from the Integrations menu item:

  1. Select Telemetry > Integrations in the main menu 
  2. Find your integrated product
  3. Select Delete Configuration by clicking on mceclip1.png(more options)
  4. See step 5 above!

 

 

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Article is closed for comments.