
Supported Platforms

Written by Nataliia Pukaliak

Currently, Attack Detective supports the following platforms via API integration:

  • On-prem IBM QRadar (to connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for IBM QRadar. For details, see this help article)

    • Required Credentials:

      • IBM QRadar URL. URL of your IBM QRadar web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).

      • Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for IBM QRadar.

    • Required permissions:

      • Security Profile. Attack Detective searches run under any Security Profile, but they return data only from the Networks, Log Sources and Domains assigned to the selected profile.

      • User Role. Select a user role with at least these permissions: "Log Activity" for event searches and "Network Activity" for flow searches.

  • Sumo Logic (For details on how to get credentials, see this article)

    • Required Credentials

      • Deployment Region

      • Timezone

      • Access ID

      • Folder ID

      • Access Key

  • Amazon Athena (For details about prerequisites, permissions, and credentials, see this help article). Use this integration to run investigations against your Amazon Security Lake data in OCSF-compatible format.

    • Required credentials:

      • AWS Access Key ID

      • Secret Access Key

      • Database

      • Region

      • Query result location

  • AWS OpenSearch

    • Required credentials:

      • OpenSearch URL. It should contain the hostname and port number, unless the default port 443 is used.

      • OpenSearch Host & Port

      • OpenSearch Login & Password or API Key

    • Required permissions (for step-by-step instructions on how to grant these permissions, see this help article):

      • Cluster permissions: cluster_composite_ops_ro, cluster_monitor

      • Index permissions (select * for the index pattern): read, indices:data/read/get, indices:data/read/search*, manage

      • Tenant permissions: global_tenant with Read only access
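    As an added illustration (not part of the original article), the permissions listed above expressed as a single OpenSearch Security plugin role definition. The role name attack_detective is an assumption; create it with PUT _plugins/_security/api/roles/attack_detective as a security-admin user.

```json
{
  "cluster_permissions": [
    "cluster_composite_ops_ro",
    "cluster_monitor"
  ],
  "index_permissions": [
    {
      "index_patterns": ["*"],
      "allowed_actions": [
        "read",
        "indices:data/read/get",
        "indices:data/read/search*",
        "manage"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": ["global_tenant"],
      "allowed_actions": ["kibana_all_read"]
    }
  ]
}
```

    Then map the role to the Attack Detective user with PUT _plugins/_security/api/rolesmapping/attack_detective and the body {"users": ["attack_detective"]}. Note that the manage action group expands to indices:admin/* and indices:monitor/*, so this role is not strictly read-only; keep its credentials scoped to the Attack Detective integration.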

  • Splunk Cloud

    • Required credentials:

      • Splunk URL. The URL of your Splunk web console that you can copy from your browser. It should contain the hostname and port number, unless the default port 443 is used.

      • Custom Search App. Optionally fill in this field if you want to run hunting queries (when validating scan results) in an app other than Search. If the field is left empty, the default Search app is used.

      • Splunk Username

      • Splunk Password

      • Splunk API URL

    • Required permissions:

      In your Splunk instance, create a user and assign it the standard User role. Alternatively, create a custom role modeled on the User role that can search all indexes and run queries; these capabilities are sufficient for Attack Detective.

      When creating the user, make sure the Require password change on first login checkbox is cleared.

  • On-prem Splunk (to connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for Splunk. For details, see this help article)

    • Required credentials:

      • Splunk URL. The URL of your Splunk web console that you can copy from your browser. It should contain the hostname and port number, unless the default port 443 is used.

      • Attack Detective API key. Generate an Attack Detective API key needed to configure the input in the SOC Prime Attack Detective App for Splunk.

    • Required permissions:

      In your Splunk instance, create a user and assign it the standard User role. Alternatively, create a custom role modeled on the User role that can search all indexes and run queries; these capabilities are sufficient for Attack Detective.

      When creating the user, make sure the Require password change on first login checkbox is cleared.
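      As an added example (not from the original article), the custom Splunk role described for both Splunk Cloud and on-prem Splunk above, written as an authorize.conf stanza. The role name attack_detective and the file location are assumptions.

```ini
# Added example: least-privilege custom role for Attack Detective in
# $SPLUNK_HOME/etc/system/local/authorize.conf (assumed location).
# The role name "attack_detective" is an assumption; any name works.
[role_attack_detective]
# Inherit the standard User role's capabilities (search, rest_properties_get, ...)
importRoles = user
# Allow searching every non-internal index. Add "_*" here as well if
# Attack Detective must also read internal indexes such as _internal or _audit.
srchIndexesAllowed = *
# Indexes searched when a query does not name one; the default User role
# only searches "main" here, which would hide events from other indexes.
srchIndexesDefault = *
```

      Assign the role to a dedicated user in Settings > Access controls, leaving the Require password change on first login checkbox cleared as noted above.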

  • Microsoft Sentinel (For details about getting access to the platform's API, see the How to Get Credentials dialog in the Data Plane integration setup)

    • Required credentials:

      • Client ID (Application ID)

      • Client Secret

      • Tenant ID (Directory ID)

      • Microsoft Sentinel URL

    • Required permission:

      • Register your app and assign it the Microsoft Sentinel Reader role

  • Microsoft Defender for Endpoint (For details about getting access to the platform's API, see here)

    • Required credentials:

      • Directory ID

      • Application ID

      • Client Secret

    • Required permission:

      • Register an AAD (now Microsoft Entra ID) web application and grant it the AdvancedQuery.Read.All application permission on the Microsoft Defender for Endpoint API. Application permissions require admin consent.

  • Elastic Cloud

    • Required credentials:

      • Kibana URL. It should contain the hostname and port number, unless the default port 443 is used.

      • Elasticsearch API Host & Port

      • Elastic Login & Password or API Key

    • Required privileges:

      • Cluster privileges: monitor

      • Index privileges (select * in the Indices dropdown): read, view_index_metadata, monitor

  • On-prem Elastic (to connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for Elastic. For details, see this help article)

    • Required credentials:

      • Kibana URL. URL of your Kibana web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).

      • Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for Elastic.

    • Required privileges:

      • Cluster privileges: monitor, read_security, manage_api_key, manage_security

      • Index privileges (select * in the Indices dropdown): read, view_index_metadata, monitor
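      As an added example (not from the original article), the on-prem privilege set above as an Elasticsearch role body for PUT _security/role/attack_detective, sent by a user that itself holds manage_security (for example the built-in elastic user). The role name is an assumption. The Elastic Cloud role listed earlier is the same body with the cluster array reduced to ["monitor"].

```json
{
  "cluster": ["monitor", "read_security", "manage_api_key", "manage_security"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["read", "view_index_metadata", "monitor"]
    }
  ]
}
```

      Create the user with POST _security/user/attack_detective and "roles": ["attack_detective"], or issue an API key for that user. Keep in mind that manage_security allows creating and modifying users, roles and API keys cluster-wide, so this is an administrative account; restrict its credentials to the SOC Prime Attack Detective App for Elastic.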

  • On-prem Falcon LogScale (to connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for Falcon LogScale. For details, see this help article)

    • Required credentials:

      • Falcon LogScale URL. The URL of your Falcon LogScale web console that you can copy from your browser. The link should not contain a repository or view name.

      • Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for Falcon LogScale.

    • Required privileges:

      • Data read access permission when generating a repository token in Falcon LogScale

  • Cloud Falcon LogScale

    • Required credentials:

      • Falcon LogScale URL. The URL of your Falcon LogScale web console that you can copy from your browser. If the Data Plane will be used only for Attack Detective, the URL should not contain a repository or view name. If you will also use it for Automation and hunting, the URL must include a repository or view name.

      • API Token. A repository token generated in Falcon LogScale that grants the required API access to your repository. See this instruction on how to create a token.

    • Required privileges:

      • Data read access permission when generating a repository token in Falcon LogScale

  • Google SecOps (both the OLD Cloud BackStory API and the NEW Cloud Chronicle API are supported)

    • Required Credentials:

      • Region

      • Instance ID (only for the new API)

      • Google SecOps URL. The URL of your Google SecOps web console that you can copy from your browser

      • Project ID

      • Private Key ID

      • Private Key

      • Client Email

      • Client ID

      • Auth URI

      • Token URI

      • Auth Provider x509 Cert URL

      • Client x509 Cert URL

        Note:

        You need to have API access under your Google SecOps subscription with the appropriate permissions to read resources.

        • OLD Cloud BackStory API: Request the Google SecOps API credentials from your reseller or dedicated Google Partner Team. When you have the credentials, import them by clicking Import JSON at the bottom of the Data Plane configuration screen.

        • NEW Cloud Chronicle API: learn how to get credentials here.

    • Required privileges:

      • OLD Cloud BackStory API: Data read permissions in Google SecOps

      • NEW Cloud Chronicle API: Chronicle API Viewer permission for your service account

      Note that investigations in Google SecOps involve certain constraints imposed by Chronicle Security API limitations:

      • Both old Cloud BackStory API and new Cloud Chronicle API have a rate limit of 360 queries per hour. We recommend using scenarios to limit the number of queries in a scan to keep scanning time reasonably short.

      • The maximum supported number of log sources is 60. If you have more log sources, please contact us.

      • With the old Cloud BackStory API, the scan statistics can show only the number of affected users and assets. The new Cloud Chronicle API also provides the total number of users and assets.

      • Blind spot detection based on missing event codes is available only for new Cloud Chronicle API.

      • We do not recommend using the same API token for multiple scans simultaneously since it may substantially decrease the scanning speed.

  • Anomali Security Analytics

    • Required Credentials:

      • URL. Use the default value https://api.threatstream.com/

      • Username. The email address associated with your ThreatStream account. You can find it in the My Account tab within ThreatStream settings

      • API Key. Your dedicated API Key. You can find it in the My Account tab within ThreatStream settings

    • Required privileges:

      • Read access to the search REST API

      Note:

      Attack Detective scan speed is capped by the Anomali Security Analytics rate limits (only 10 new search API requests per minute per organization are allowed).

The integration is set up in the Data Planes module of the SOC Prime Platform. To learn more, go to the Data Planes Guide.
