Integration catalog updates 🎉

Here is a recap of recent intakes and automations added to our Integration catalog.

New Intakes

  • LockSelf LockPass/LockTransfer/LockFiles (read more)

Credit goes to the LockSelf team for developing the LockSelf intake 🎉

New Automations

  • ESET Protect/Inspect actions (isolate endpoint, deisolate endpoint, scan endpoint). Read more
⚠️ Important update: HarfangLab EDR Log Parsing Enhancement

As part of our ongoing efforts to improve data consistency and analysis capabilities across our XDR platform, we are implementing an important modification to the HarfangLab EDR log parsing process.

What's Changing?

We are enhancing the way user information is parsed to ensure better standardization across all data sources. This change specifically affects how domain and username information is structured.

Current Format

  • Single field: user.name = domain\user
  • This format creates inconsistencies with other data source formats

New Format

  • Split into two distinct fields
  • user.domain = domain
  • user.name = user
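The split described above, written out as an added example (this is not Sekoia's parser code). It turns the old single `domain\user` value into the new `user.domain` / `user.name` pair and, going one step beyond the announcement, also accepts UPN-style `user@domain` values and bare usernames. The `matches_user` helper is a hypothetical way to keep a custom rule working on both formats while you test before the deployment date.

```python
# Added example, not Sekoia's own parser: normalise a principal into
# user.domain / user.name as the new HarfangLab format does.
import re
from typing import Optional

# "DOMAIN\user" (old single-field format) and "user@domain" (UPN, assumption)
DOWNLEVEL = re.compile(r"^(?P<domain>[^\\@]+)\\(?P<user>[^\\@]+)$")
UPN = re.compile(r"^(?P<user>[^\\@]+)@(?P<domain>[^\\@]+)$")


def split_principal(value: str) -> dict:
    """Return {"user.name": ..., "user.domain": ...} for one raw value.

    "CORP\\alice"      -> domain CORP, name alice   (old HarfangLab format)
    "alice@corp.local" -> domain corp.local, name alice (UPN; assumption)
    "alice"            -> name alice, no user.domain key
    """
    value = value.strip()
    m = DOWNLEVEL.match(value) or UPN.match(value)
    if m:
        return {"user.name": m.group("user"), "user.domain": m.group("domain")}
    return {"user.name": value}


def normalise_event(event: dict) -> dict:
    """Rewrite an event still using the single-field format into the new one.
    Events that already carry user.domain are returned unchanged."""
    if "user.domain" in event or "user.name" not in event:
        return dict(event)
    out = dict(event)
    out.update(split_principal(event["user.name"]))
    return out


def matches_user(event: dict, name: str, domain: Optional[str] = None) -> bool:
    """Hypothetical rule condition that works on both formats during the
    cutover: compare the user name, and the domain when one is given."""
    fields = normalise_event(event)
    if fields.get("user.name", "").lower() != name.lower():
        return False
    if domain is None:
        return True
    return fields.get("user.domain", "").lower() == domain.lower()
```

A rule that previously matched the literal `CORP\svc_backup` in `user.name` will silently stop firing after the change; comparing `user.name` and `user.domain` separately, as above, is the shape to migrate to.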

When

πŸ—“οΈ Deployment is scheduled for February 20th, 2025 at 12:00 CET

Required Actions

  • Review and update any custom detection rules and automations that use the user.name field
  • Update any saved queries or dashboards referencing this field
  • Test modified queries before the deployment date

Need Help?

Contact our Support Team if you have any questions or need assistance preparing for this change.

Best regards,
The Integrations Team

New integrations in GA 🎉

✅ The following intakes are now officially available in GA:

⚠️ Mimecast Email Security important change

To prevent IP blocking issues with Mimecast APIs due to repeated authentication errors, we are modifying the following behavior with these 2 intakes:

  • Before: Authentication errors were considered as ERROR level
  • After: Authentication errors will be considered as CRITICAL level

This means that after 5 failed authentication attempts, the intake will be stopped automatically.
A grace period of 30 minutes applies: the error counter is reset to zero once 30 minutes have passed without a new error.

πŸ—“οΈ This update will be applied on January 14th around 12:00 CET.

⚠️ Fortinet Fortigate important change

A timezone issue has been identified with certain Fortigate events (specifically those containing a timestamp field), which may cause events to be incorrectly dated in the future.

To resolve this issue, we are implementing two fixes:

  • Events with a timestamp field will now use their native timezone for timestamp calculations
  • When available, the eventtime field will be prioritized as the primary timestamp source

Please note: These corrections may affect the chronological distribution of events on the timeline, as some event timestamps will be adjusted to their accurate times.
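To make the two fixes concrete, here is an added example (not Sekoia's FortiGate parser) that computes the event timestamp both the old and the new way: `eventtime` wins when present; otherwise `date`/`time` are read in the event's own `tz` offset instead of being taken as UTC. The log lines are constructed for this example, and the nanoseconds-versus-seconds handling of `eventtime` is an assumption based on the value's magnitude.

```python
# Added example, not Sekoia's parser: FortiGate key=value timestamp handling.
import re
from datetime import datetime, timedelta, timezone

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: the same event once without and once with eventtime.
LINE_WITHOUT_EVENTTIME = (
    'date=2025-01-15 time=11:37:47 devname="fw01" logid="0000000013" '
    'type="traffic" subtype="forward" tz="+0100" srcip=10.0.0.5 '
    'dstip=192.0.2.10 action="accept"'
)
LINE_WITH_EVENTTIME = LINE_WITHOUT_EVENTTIME + " eventtime=1736937467123456789"


def parse_kv(line: str) -> dict:
    """Split a FortiGate key=value line; quoted and bare values both handled."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def tz_from_offset(value: str) -> timezone:
    """'+0100' -> UTC+01:00, '-0530' -> UTC-05:30."""
    sign = -1 if value.startswith("-") else 1
    return timezone(sign * timedelta(hours=int(value[1:3]), minutes=int(value[3:5])))


def event_timestamp(fields: dict) -> datetime:
    """Fixed behaviour: an aware UTC datetime, preferring eventtime."""
    if "eventtime" in fields:
        raw = int(fields["eventtime"])
        # Assumption: values above 10**12 are nanoseconds (newer FortiOS),
        # smaller ones are seconds (older releases).
        seconds = raw / 1e9 if raw > 10**12 else raw
        return datetime.fromtimestamp(seconds, tz=timezone.utc)
    local = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=tz_from_offset(fields.get("tz", "+0000"))).astimezone(timezone.utc)


def naive_utc_timestamp(fields: dict) -> datetime:
    """Previous behaviour: date/time taken as UTC, tz ignored. For a +0100
    event this lands one hour in the future, the symptom described above."""
    local = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone.utc)
```

Comparing `naive_utc_timestamp` with `event_timestamp` on the same event shows exactly the shift you will see on the timeline after the update: events from a device east of UTC move earlier by their offset, events from devices west of UTC move later.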

πŸ—“οΈ This corrective update will be applied on January 21th around 12:00 CET.

Integration catalog updates 🎉

Here is a recap of recent intakes and automations added to our Integration catalog.

New Intakes

New Automations

  • Microsoft Defender EDR actions (create IOCs, isolate machine, deisolate machine, scan a machine, stop and quarantine a file, update an alert, comment an alert, get machine action, restrict code execution, unrestrict code execution). Read more
  • CrowdStrike EDR actions (update alert status, comment alert). Read more
  • HarfangLab EDR actions (create IOCs, comment threat, update threat status, download file from endpoint). Read more

Credit goes to the HarfangLab team for developing the download file from endpoint action 🎉

⚠️ Important incoming update for VadeM365 and VadeCloud

This modification impacts the intakes VadeM365 and VadeCloud.

To prevent IP blocking issues with Vade APIs due to repeated authentication errors, we are modifying the following behavior with these 2 intakes:

  • Before: Authentication errors were considered as ERROR level
  • After: Authentication errors will be considered as CRITICAL level

This means that after 5 failed authentication attempts, the intake will be stopped automatically.
A grace period of 30 minutes applies: the error counter is reset to zero once 30 minutes have passed without a new error.

πŸ—“οΈ This update will be applied on Wednesday 13th around 12:00 CET.

Integrations Team,

Integrations updates 🗞️

πŸ—žοΈ A recap of new intakes and new automations added to our Integration catalog and some improvements on HarfangLab.

New Intakes

New Automations

  • New SentinelOne EDR actions (initiate scan, update threat incident, create threat note and create IOCs)
  • New WithSecure EDR actions (kill thread, kill process and enumerate processes)
  • New Sophos EDR actions (isolate endpoint, deisolate endpoint and scan)
  • Improvement of the Alert Comment Created trigger: it now returns the comment UUID, comment content, comment date and comment author UUID

HarfangLab

New fields parsed in HarfangLab events:

  • action.properties.CertIssuerName
  • action.properties.CertSerialNumber
  • action.properties.CertThumbprint
  • action.properties.PreAuthType
  • action.properties.ServiceName
  • action.properties.ServiceSid
  • action.properties.TicketEncryptionType
  • action.properties.TicketOptions
New integration Thinkst Canary [BETA]

Thinkst Canary [BETA]

  • Thinkst Canary is a deception technology that helps detect attackers on your network before they can do any damage
  • Collect accurate alerts from Canaries into Sekoia to detect intruders and block cyber-attacks (learn more)
Integrations Fastly Next-Gen WAF Audit Logs and Veeam Backup & Replication in GA

Integrations Fastly Next-Gen WAF Audit Logs and Veeam Backup & Replication are now available in GA.

Fastly WAF

  • Collect Corp audit logs and Site audit logs to monitor unusual admin activity in your WAF (learn more)

Veeam Backup & Replication

  • Collect Application, File, Network and Service logs to monitor your critical backup and replication systems (learn more)
New integrations available for ESET, Juniper, Azure, EfficientIP and Sesame it 🎉

Five new integrations entered our Intake catalog in BETA.

ESET Protect / Inspect [BETA]

  • This integration is available for both Cloud and On-prem versions.
  • Collect alerts and telemetry into Sekoia to improve your visibility and monitor your endpoints closely (documentation)

Juniper Switches [BETA]

  • Collect firewall logs from Juniper Switches into Sekoia (documentation)

Azure Application Gateway [BETA]

  • Collect access and firewall logs from Azure Application Gateway into Sekoia (documentation)

Efficient IP [BETA]

  • Collect DNS logs from EfficientIP SOLIDserver into Sekoia to leverage our CTI (documentation)

Sesame it Jizô NDR [BETA]

  • Jizô NDR is a network observability platform that enables decision-makers to anticipate, identify and block cyber-attacks
  • Collect logs from Jizô NDR into Sekoia (documentation)
New integrations: Bitsight and Mimecast

New integrations Bitsight SPM and Mimecast Email Security have entered BETA phase.

Bitsight SPM [BETA]

  • Collect findings with vulnerability and asset details into Sekoia (documentation).

Mimecast Email Security [BETA]

New integrations: Daspren Parad 🇫🇷 and Nybble Security 🇫🇷

We are excited to welcome 2 amazing French security products.

Daspren Parad [BETA]

  • Daspren Parad is the only Data Detection and Response (DDR) solution that integrates both detection and blocking of cyber attacks
  • Collect logs from Daspren Parad into Sekoia (documentation)

Nybble Security

  • Nybble is a community-based cyberdefense service that provides alert triage and incident management thanks to the world’s first qualified analyst network
  • Automatically create an alert in Nybble Hub when a new alert is raised in SEKOIA.IO (documentation)
  • A playbook template is available to quickly setup an automation
[Intakes] DNS bug fixes

We fixed 2 issues related to the parsing of DNS values to improve CTI Detection.

SentinelOne CloudFunnel

On macOS, S1 CloudFunnel could sometimes return a DNS value that was incompatible with our CTI detection.
Before: dns.question.name = "type: 1 example.com"
Now: dns.question.name = "example.com"

Cisco Umbrella DNS

Cisco Umbrella DNS returned a DNS value that did not match our CTI detection because of the trailing dot.
Before: dns.question.name = "example.com."
Now: dns.question.name = "example.com"
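Both fixes are about the same thing: an indicator is stored as a canonical domain name, and an exact comparison fails when the raw value carries extra decoration. The added example below (not Sekoia's parser code) normalises `dns.question.name` for the two cases above and, going a little beyond the announcement, also case-folds the name and matches parent domains, so that `cdn.example.com` hits an indicator for `example.com`. The indicator set is constructed for the example.

```python
# Added example, not Sekoia's parser: normalise dns.question.name before
# comparing it with CTI indicators.
import re

# "type: 1 example.com" as seen from S1 CloudFunnel on macOS
TYPE_PREFIX = re.compile(r"^type:\s*\d+\s+")


def normalize_dns_name(raw: str) -> str:
    """Canonical form: no "type: N " prefix, no trailing dot, lower case."""
    name = TYPE_PREFIX.sub("", raw.strip())
    if name != ".":                 # keep the DNS root itself intact
        name = name.rstrip(".")     # "example.com." -> "example.com"
    return name.lower()


def matches_ioc(raw: str, iocs: set) -> bool:
    """True when the name, or any parent domain below the TLD, is an
    indicator. Parent-domain matching is an extension of the fix above."""
    labels = normalize_dns_name(raw).split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return any(c in iocs for c in candidates)


# Constructed indicator set for the example
IOCS = {"example.com"}
```

Note that the raw values `type: 1 example.com` and `example.com.` are never in the indicator set, which is exactly why the two intakes produced no CTI matches before the fix.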

Integration catalog updates 🎉

New integrations Azure Key Vault and Ubika Cloud Protector Traffic have entered BETA phase.
Five Endpoint integrations are now in General Availability.

Azure Key Vault [BETA]

  • Collect audit logs into Sekoia to monitor your organization cryptographic keys and secrets (documentation).

Ubika Cloud Protector Traffic [BETA]

  • Collect web logs into Sekoia to leverage our CTI and built-in detection rules (documentation).

Checkpoint Harmony Mobile [GA]

  • Collect alerts into Sekoia to improve your visibility on mobile devices (documentation).

Crowdstrike Falcon Telemetry [GA]

  • Collect telemetry into Sekoia to monitor your endpoints closely (documentation).

Palo Alto Cortex EDR [GA]

  • Collect alerts and telemetry to improve your visibility and monitor your endpoints closely (documentation).

SentinelOne Cloud Funnel 2.0 [GA]

  • Collect telemetry to monitor your endpoints closely (documentation).

Stormshield SES [GA]

  • Collect telemetry to monitor your endpoints closely (documentation).
New Integrations of April 🎉

Here is a recap of the integrations that joined our catalog in April.

Fastly WAF [BETA]

  • Collect WAF alerts into Sekoia for better visibility (documentation).
  • Collect Corp audit logs and Site audit logs to monitor unusual admin activity in your WAF (documentation).

Olfeo Secure Web Gateway [BETA]

  • Collect network logs into Sekoia to leverage our CTI and our built-in detection rules (documentation).

Ubika Cloud Protector [BETA]

  • Collect WAF alerts into Sekoia for better visibility (documentation).

Systancia Cleanroom [BETA]

  • Collect authentication logs from Systancia PAM (Privileged Access Management) to leverage our CTI and monitor critical resources (documentation).
🎉 New integrations available! 🎉

We're thrilled to announce new integrations available on our platform, enhancing your security operations and threat detection capabilities.

  1. AWS CloudFront is now in BETA! Seamlessly integrate this powerful CDN service from Amazon Web Services for secure content delivery with low latency. Learn more here.

  2. Palo Alto Cortex XDR (EDR) integration is also in BETA! Collect alerts and associated telemetry events in real time for improved threat detection and response. Dive deeper here.

  3. Introducing Broadcom Cloud Secure Web Gateway and Broadcom Edge Secure Web Gateway both in BETA! Enhance your security posture with these cloud-native and on-prem solutions providing advanced threat protection and content filtering. Explore more here and here respectively.

  4. Crowdstrike Falcon For Mobile is now generally available (GA)! Gain insights into alerts detected on iOS and Android mobile devices. Find out more here.

Stay tuned for more updates and integrations to fortify your security infrastructure! For detailed documentation on each integration, visit our integration docs page.

Update of intake F5 BIG-IP

Changelog:

  • Add support of F5 Big-IP APM, LTM, AFM and PSM
  • Extract the timestamp from event if available
  • Extract the name of the F5 Big-IP rule applied if available
  • event.type = info (currently "undefined")
  • event.category* = network (currently "Successful Request")
  • observer.type** = firewall (currently "ASM")
  • observer.product = ASM (currently "undefined")

Remarks:
*The previous value of “event.category” was moved to “event.action”
**The previous value of “observer.type” was moved to “observer.product”

For questions or assistance, please contact our support team.

Integrations News & Updates 🎉

Our SOC platform has been upgraded with new intakes and improved connectors for better security insights. Here's a quick overview of the latest updates:

1. OpenVPN: Access logs and connection events detection with our CTI rules. Learn more.
2. Checkpoint Harmony Mobile: Alerts collection for mobile devices. Learn more.
3. Azure Monitor for Azure Files: Events collection and access monitoring for sensitive files. Learn more.
4. Microsoft IIS: Access logs. Learn more.
5. Darktrace: Enhanced connector supporting "AI Analyst" events. Learn more.
6. Cato: SASE connector for comprehensive event collection (Firewall, IPS, Malware detection, Network connection and more). Learn more.

These updates offer advanced security monitoring and incident response tools. For questions or assistance, please contact our support team.

4 new integrations available in public beta! 🚀

We're excited to announce the launch of four new integrations available for effortless connection to the Sekoia SOC Platform: AD Audit Plus, Sonicwall Secure Mobile Access, Trellix Network Security, and Trend Micro Email Security.

Please take a look at these new integrations and give us your feedback!

To see all of our available integrations, visit our integrations catalog.

🌟 6 new network integrations now live in Sekoia SOC Platform! 🚀


We are thrilled to announce the addition of six powerful network integrations to Sekoia.io SOC platform, enhancing your threat detection capabilities and further simplifying incident management. These new integrations are Cato Networks SASE, Cisco NX-OS, OGO WAF, OPNSense, Skyhigh Secure Web Gateway, and SonicWall Firewall.

These integrations bring a host of benefits to your cybersecurity efforts:

πŸ” Anomaly detection: Add an extra layer of threat detection with anomaly detection capabilities.

🌐 Threat intelligence: Leverage Sekoia.io threat intelligence to develop confirmed threat alerts.

πŸ‘οΈ Improved visibility: Simplify incident management and enhance your overall visibility into network security.

🔥 Firewall context for XDR: Monitor IP addresses, URLs, and domains, allowing for effective blocking at the network perimeter and alerting for triaging and correlation.

These integrations are designed to elevate your network security efforts, streamline incident response, and ultimately bolster your organization's resilience to cyber threats.

Get started today and boost your security!
