Here is a recap of recent intakes and automations added to our Integration catalog.
Credit goes to the LockSelf team for developing the LockSelf intake.
- Playbook actions: isolate endpoint, deisolate endpoint, scan endpoint (read more)
As part of our ongoing efforts to improve data consistency and analysis capabilities across our XDR platform, we are implementing an important modification to the HarfangLab EDR log parsing process.
We are enhancing the way user information is parsed to ensure better standardization across all data sources. This change specifically affects how domain and username information is structured.
Before: user.name = domain\user
Now: user.domain = domain; user.name = user
Deployment is scheduled for February 20th, 2025 at 12:00 CET.
This change affects the user.name field. Contact our Support Team if you have any questions or need assistance preparing for this change.
Best regards,
The Integrations Team
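The field split described above, as an added example that is not Sekoia's or HarfangLab's parser code, with a helper that translates a rule condition written against the old combined value into conditions on the new fields; the sample events are constructed.

```python
# Added example, not Sekoia's or HarfangLab's parser code: the new
# user.name / user.domain layout described in this changelog entry.

def split_user_fields(event: dict) -> dict:
    """Return a copy of `event` where user.name = 'domain\\user' becomes
    user.domain = 'domain' and user.name = 'user'.

    A value without a backslash is left untouched (assumption: the page
    only describes the domain\\user form)."""
    out = dict(event)
    name = out.get("user.name")
    if not isinstance(name, str) or "\\" not in name:
        return out
    domain, _, user = name.partition("\\")
    out["user.domain"] = domain
    out["user.name"] = user
    return out


def migrate_user_name_condition(pattern: str) -> dict:
    """Translate a rule condition on the old combined value into field
    conditions on the new layout, so an existing rule keeps matching."""
    if "\\" not in pattern:
        return {"user.name": pattern}
    domain, _, user = pattern.partition("\\")
    return {"user.domain": domain, "user.name": user}


def matches(event: dict, conditions: dict) -> bool:
    """True when every field in `conditions` equals the event's value."""
    return all(event.get(k) == v for k, v in conditions.items())


# Constructed sample events (not real EDR data)
OLD_EVENT = {"user.name": "CORP\\alice", "process.name": "cmd.exe"}
LOCAL_EVENT = {"user.name": "SYSTEM"}
```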
To prevent IP blocking issues with Mimecast APIs due to repeated authentication errors, we are modifying the following behavior with these 2 intakes:
- ERROR level
- CRITICAL level
This modification means that after 5 failed authentication attempts, the intake will be automatically stopped.
A grace period of 30 minutes is applied, meaning that after 30 minutes the error counter is reset to zero if no new errors have occurred.
This update will be applied on January 14th around 12:00 CET.
A timezone issue has been identified with certain Fortigate events (specifically those containing a timestamp field), which may cause events to be incorrectly dated in the future.
To resolve this issue, we are implementing two fixes:
- The eventtime field will be prioritized as the primary timestamp source.
Please note: these corrections may affect the chronological distribution of events on the timeline, as some event timestamps will be adjusted to their accurate times.
This corrective update will be applied on January 21st around 12:00 CET.
Here is a recap of recent intakes and automations added to our Integration catalog.
- ChromeOS events (read more)
- Playbook actions: create iocs, isolate machine, deisolate machine, scan a machine, stop and quarantine a file, update an alert, comment an alert, get machine action, restrict code execution, unrestrict code execution (read more)
- Playbook actions: update alert status, comment alert (read more)
- Playbook actions: create iocs, comment threat, update threat status, download file from endpoint (read more)
Credit goes to the HarfangLab team for developing the download file from endpoint action.
We are thrilled to announce the release of a new version of the SEKOIA Forwarder, 2.7.0. This update introduces enhanced monitoring capabilities for your concentrator, allowing you to gain better insights into your data ingestion processes.
With this new version, you can effortlessly monitor the performance and status of your integrations, ensuring a smoother and more efficient data flow.
Enable monitoring of the Sekoia forwarder to get access to health status information and advanced metrics of event forwarding. These new metrics allow you to identify forwarding workflow issues in your infrastructure and make debugging easier.
Explore these new features and elevate your data management experience with SEKOIA!
This modification impacts the intakes VadeM365 and VadeCloud.
To prevent IP blocking issues with Vade APIs due to repeated authentication errors, we are modifying the following behavior with these 2 intakes:
- ERROR level
- CRITICAL level
This modification means that after 5 failed authentication attempts, the intake will be automatically stopped.
A grace period of 30 minutes is applied, meaning that after 30 minutes the error counter is reset to zero if no new errors have occurred.
This update will be applied on Wednesday 13th around 12:00 CET.
The Integrations Team
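The authentication-failure behaviour described for both the Mimecast and the Vade intakes (five failures stop the intake, counter reset after a 30-minute quiet period), as an added example that is not Sekoia's intake code; the injectable clock and the `authenticate` callable are assumptions of this example.

```python
# Added example, not Sekoia's intake code: the authentication-failure
# breaker described for the Mimecast and Vade intakes. Five failed
# authentications stop the intake; the counter returns to zero once
# 30 minutes pass without a new error. The clock is injectable so the
# behaviour can be exercised without waiting (an assumption of this
# example, not something the page describes).
import time

MAX_AUTH_FAILURES = 5
GRACE_PERIOD_SECONDS = 30 * 60


class AuthFailureGuard:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self.failures = 0
        self.last_failure_at = None
        self.stopped = False

    def record_auth_error(self) -> bool:
        """Count one failed authentication against the API.

        Returns True when the intake must stop, i.e. this is the fifth
        failure without a 30-minute quiet period in between."""
        now = self._clock()
        if (self.last_failure_at is not None
                and now - self.last_failure_at >= GRACE_PERIOD_SECONDS):
            self.failures = 0  # grace period elapsed with no new error
        self.failures += 1
        self.last_failure_at = now
        if self.failures >= MAX_AUTH_FAILURES:
            self.stopped = True
        return self.stopped


def run_poll_cycle(guard: AuthFailureGuard, authenticate) -> str:
    """One polling iteration: skip when stopped, otherwise try to
    authenticate and feed any failure to the guard. `authenticate` is a
    callable returning True on success (placeholder for the real call)."""
    if guard.stopped:
        return "stopped"
    if authenticate():
        return "ok"
    return "stopped" if guard.record_auth_error() else "retry"
```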
A recap of new intakes and new automations added to our Integration catalog and some improvements on HarfangLab.
- initiate scan, Update Threat Incident, Create Threat Note and Create Iocs
- kill thread, kill process and enumerate processes
- isolate endpoint, deisolate endpoint and scan
- comment uuid, comment content, comment date and comment author uuid
New fields parsed in HarfangLab events:
An extension for Sekoia Defend (XDR) is now available in the Palo Alto XSOAR marketplace.
This content pack allows you to:
By integrating these features, the Sekoia Defend (XDR) pack helps you maintain a robust and proactive security posture, effectively protecting your organization's digital assets against evolving threats.
Our integration with Netskope was improved with new additional DLP fields:
The playbook actions isolate hosts and deisolate hosts for Crowdstrike were added to our Automation library. Accelerate your incident response by isolating the compromised hosts.
AWS CloudFront is now available in General Availability.
- Collect Web logs from AWS CDN to enhance your Cloud Threat Detection, improve your Threat Hunting and gain unified visibility in the Sekoia SOC platform (learn more)
- Collect alerts from Canaries into Sekoia to detect intruders and block cyber-attacks (learn more)
Integrations Fastly Next-Gen WAF Audit Logs and Veeam Backup & Replication are now available in GA.
- Collect Corp audit logs and Site audit logs to monitor unusual admin activity in your WAF (learn more)
- Collect Application, File, Network and Service logs to monitor your critical backup and replication systems (learn more)
Five new integrations entered our Intake catalog in BETA.
- Collect alerts and telemetry into Sekoia to improve your visibility and monitor your endpoints closely (documentation)
- Collect firewall logs from Juniper Switches into Sekoia (documentation)
- Collect access and firewall logs from Azure Application Gateway into Sekoia (documentation)
- Collect dns logs from EfficientIP SOLIDserver into Sekoia to leverage our CTI (documentation)
- Collect logs from Jizô NDR into Sekoia (documentation)
New integrations Bitsight SPM and Mimecast Email Security have entered BETA phase.
- Collect findings with vulnerability and asset details into Sekoia (documentation).
- Collect email gateway logs into Sekoia (documentation).
We are excited to welcome 2 amazing French security products.
- Collect logs from Daspren Parad into Sekoia (documentation)
- Create an alert in Nybble Hub when a new alert is raised in SEKOIA.IO (documentation); a playbook template is available to quickly set up an automation
We fixed 2 issues related to the parsing of DNS values to improve CTI Detection.
On macOS, S1 CloudFunnel could sometimes return a DNS value that was incompatible with our CTI Detection.
Before: dns.question.name = "type: 1 example.com"
Now: dns.question.name = "example.com"
Cisco Umbrella DNS returned a DNS value that did not match our CTI detection because of the trailing dot.
Before: dns.question.name = "example.com."
Now: dns.question.name = "example.com"
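The two dns.question.name fixes above, as an added example that is not Sekoia's parser code, applied before an indicator lookup so the CTI match that used to fail now succeeds; it generalises the SentinelOne case to any numeric record type, and the indicator set is constructed.

```python
# Added example, not Sekoia's parser code: the two dns.question.name
# fixes described above, applied before the indicator lookup so the CTI
# match that previously failed now succeeds. It generalises the SentinelOne
# case to any numeric record type ("type: 28 ..." for AAAA, for instance).
import re

# "type: <record type number> <name>" as emitted by S1 CloudFunnel on macOS
_S1_TYPE_PREFIX = re.compile(r"^type:\s*\d+\s+")


def normalize_dns_question_name(raw: str) -> str:
    """Strip the S1 'type: N ' prefix and the Cisco Umbrella trailing dot."""
    name = _S1_TYPE_PREFIX.sub("", raw.strip())
    if name.endswith("."):  # FQDN root label appended by Umbrella
        name = name[:-1]
    return name


# Constructed indicator set standing in for a CTI feed
MALICIOUS_DOMAINS = {"example.com"}


def cti_match(raw_dns_value: str, indicators=MALICIOUS_DOMAINS) -> bool:
    """Detection after the fix: normalise, then look up the indicator."""
    return normalize_dns_question_name(raw_dns_value) in indicators


def cti_match_before_fix(raw_dns_value: str, indicators=MALICIOUS_DOMAINS) -> bool:
    """What the detection compared before the fix: the raw field value."""
    return raw_dns_value in indicators
```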
We made some improvements to the Office 365 intake format:
- The ParticipantInfo.HasForeignTenantUsers field was added to detect that a chat conversation was created with external users.
- Fixed: the email field was not extracted in some specific cases.
We made several improvements to the Windows intake format to make the analyst's investigation easier:
- The process.parent.pid field was added to allow analysts to read the whole process tree.
- The TargetLogonId field was added to allow analysts to get the user session ID. With this ID, analysts can easily search for all actions made by an attacker.
- The MessageNumber and MessageTotal fields were added to allow analysts to reconstitute a PowerShell script that was split across several events.
- The parsing of the registry.key field was fixed.
Before: registry.key = PATH\VALUE
Now: registry.key = PATH
This field is now ECS compliant and aligned with other integrations like SentinelOne. It will make investigation and the creation of universal detection rules easier.
Finally, the detection pattern of related detection rules was updated accordingly (see changelog of June 21st 2024).
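Two of the Windows intake changes above, the registry.key path-only layout and the MessageNumber/MessageTotal script reassembly, as an added example that is not Sekoia's parser code; the ScriptBlockId and ScriptBlockText field names are taken from the Windows event itself and are an assumption here, and the sample events are constructed.

```python
# Added example, not Sekoia's parser code: two of the Windows intake
# changes above, registry.key reduced to the key path (ECS layout) and a
# PowerShell script block reassembled from the fragments numbered by
# MessageNumber / MessageTotal. ScriptBlockId and ScriptBlockText are
# the Windows event's own field names, assumed here; the page only
# names MessageNumber and MessageTotal.
from collections import defaultdict


def normalize_registry_key(value: str) -> str:
    """Old format: PATH\\VALUE. New, ECS-compliant format: PATH only."""
    path, sep, _value_name = value.rpartition("\\")
    return path if sep else value


def reassemble_script_blocks(events: list) -> dict:
    """Return {ScriptBlockId: full script} for each block whose
    MessageTotal fragments were all received, joined in MessageNumber
    order; incomplete blocks are omitted rather than silently truncated."""
    fragments = defaultdict(dict)
    totals = {}
    for ev in events:
        sid = ev["ScriptBlockId"]
        fragments[sid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[sid] = int(ev["MessageTotal"])
    complete = {}
    for sid, parts in fragments.items():
        expected = range(1, totals[sid] + 1)
        if all(n in parts for n in expected):
            complete[sid] = "".join(parts[n] for n in expected)
    return complete


# Constructed sample events (not real telemetry): fragments of blk-1
# arrive out of order; blk-2 is missing its second fragment.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "blk-1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$procs | Sort-Object CPU -Descending\n"},
    {"ScriptBlockId": "blk-1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$procs = Get-Process\n"},
    {"ScriptBlockId": "blk-2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Write-Host 'first half only'\n"},
]
```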
The intake IBM iSeries (formerly known as AS/400) is now available in BETA phase.
- Collect audit journal, integrated file system, message queues, database and history events into Sekoia to monitor your critical systems (documentation).
New integrations Azure Key Vault and Ubika Cloud Protector Traffic have entered BETA phase.
Five Endpoint integrations are now in General Availability.
- Collect audit logs into Sekoia to monitor your organization's cryptographic keys and secrets (documentation).
- Collect web logs into Sekoia to leverage our CTI and built-in detection rules (documentation).
- Collect alerts into Sekoia to improve your visibility on mobile devices (documentation).
- Collect telemetry into Sekoia to monitor your endpoints closely (documentation).
- Collect alerts and telemetry to improve your visibility and monitor your endpoints closely (documentation).
- Collect telemetry to monitor your endpoints closely (documentation).
- Collect telemetry to monitor your endpoints closely (documentation).
We have introduced a new dedicated playbook action to support version 5 of TheHive.
If you plan to migrate to TheHive v5, please update your playbooks with this new playbook action to automate your work in the TheHive platform.
Here is a recap of the integrations that joined our catalog in April.
- Collect WAF alerts into Sekoia for better visibility (documentation).
- Collect Corp audit logs and Site audit logs to monitor unusual admin activity in your WAF (documentation).
- Collect network logs into Sekoia to leverage our CTI and our built-in detection rules (documentation).
- Collect WAF alerts into Sekoia for better visibility (documentation).
- Collect authentication logs from Systancia PAM (Privileged Access Management) to leverage our CTI and monitor critical resources (documentation).
We're thrilled to announce new integrations available on our platform, enhancing your security operations and threat detection capabilities.
AWS CloudFront is now in BETA! Seamlessly integrate this powerful CDN service from Amazon Web Services for secure content delivery with low latency. Learn more here.
Palo Alto Cortex XDR (EDR) integration is also in BETA! Collect alerts and associated telemetry events in real time for improved threat detection and response. Dive deeper here.
Introducing Broadcom Cloud Secure Web Gateway and Broadcom Edge Secure Web Gateway both in BETA! Enhance your security posture with these cloud-native and on-prem solutions providing advanced threat protection and content filtering. Explore more here and here respectively.
Crowdstrike Falcon For Mobile is now generally available (GA)! Gain insights into alerts detected on iOS and Android mobile devices. Find out more here.
Stay tuned for more updates and integrations to fortify your security infrastructure! For detailed documentation on each integration, visit our integration docs page.
Changelog:
Remarks:
* The previous value of "event.category" was moved to "event.action".
** The previous value of "observer.type" was moved to "observer.product".
For questions or assistance, please contact our support team.
Our SOC platform has been upgraded with new intakes and improved connectors for better security insights. Here's a quick overview of the latest updates:
1. OpenVPN: Access logs and connection events detection with our CTI rules. Learn more.
2. Checkpoint Harmony Mobile: Alerts collection for mobile devices. Learn more.
3. Azure Monitor for Azure Files: Events collection and access monitoring for sensitive files. Learn more.
4. Microsoft IIS: Access logs. Learn more.
5. Darktrace: Enhanced connector supporting "AI Analyst" events. Learn more.
6. Cato: SASE connector for comprehensive event collection (Firewall, IPS, Malware detection, Network connection and more). Learn more.
These updates offer advanced security monitoring and incident response tools. For questions or assistance, please contact our support team.
Get even more automation for actions on your local network with a major upgrade to our Active Directory integration!
Now, effortlessly manage tasks such as enabling/disabling users, resetting user passwords, and more, both in Microsoft Entra ID in the cloud and in your on-premises Active Directory, through our playbooks.
Explore the full potential of the Active Directory integration by diving into our documentation.
Improve your team's security alerting capabilities by integrating Sekoia with Jira. Receive timely alerts directly in your Jira environment when security detections are triggered.
Sekoia automates the creation of specific issues in Jira through playbooks, enabling your team to quickly analyze incidents, assign ownership and initiate thorough investigations.
Through Jira, your team can monitor the status of issues and optimize remediation processes, streamlining workflows for greater efficiency in addressing security concerns.
Check out our documentation to integrate with JIRA!
We're excited to announce the launch of four new integrations available for effortless connection to the Sekoia SOC Platform: AD Audit Plus, Sonicwall Secure Mobile Access, Trellix Network Security, and Trend Micro Email Security.
Please take a look at these new integrations and give us your feedback!
To see all of our available integrations, visit our integrations catalog.
We are thrilled to announce the addition of six powerful network integrations to Sekoia.io SOC platform, enhancing your threat detection capabilities and further simplifying incident management. These new integrations are Cato Networks SASE, Cisco NX-OS, OGO WAF, OPNSense, Skyhigh Secure Web Gateway, and SonicWall Firewall.
These integrations bring a host of benefits to your cybersecurity efforts:
- Anomaly detection: Add an extra layer of threat detection with anomaly detection capabilities.
- Threat intelligence: Leverage Sekoia.io threat intelligence to develop confirmed threat alerts.
- Improved visibility: Simplify incident management and enhance your overall visibility into network security.
- Firewall context for XDR: Monitor IP addresses, URLs, and domains, allowing for effective blocking at the network perimeter and alerting for triaging and correlation.
These integrations are designed to elevate your network security efforts, streamline incident response, and ultimately bolster your organization's resilience to cyber threats.
Get started today and boost your security!