Overview
Data Planes (ex Environments) are where your data lives – your SIEM, EDR, XDR, or Data Lake instances. Integrate with your organization's Data Planes to enable direct content search, content deployment, or running investigations. Depending on the platform, choose where your integration will be used:
Quick Hunt and direct search from a Sigma rule page. This is a lightweight integration via web. Queries are passed to your Data Plane as part of the URL.
Automation and direct deployment from a Sigma rule page. This is a fully-fledged integration via your platform's API.
Attack Detective. This is a fully-fledged integration via your platform's API.
Important!
Configuration of a Data Plane integration is necessary to get the full value from:
Directly deploying content found via Detection Engineering, Advanced Search, or MITRE ATT&CK
Streaming content with Automation
Hunting with Quick Hunt
Running scans in Attack Detective
The Data Planes page in Platform Settings lists all Data Plane profiles configured by your team:
My tab: Data Planes configured by you
Company tab: Data Planes configured by your colleagues and shared across your company's team
Integrations Created During Onboarding
If you've completed the Integration step in the Onboarding Wizard, a web search and API deploy integration with the selected platform was created for you automatically (for some platforms only one type of integration is available). It has the default name Onboarding Data Plane (or Onboarding environment if created before Environments were renamed to Data Planes). You can edit it to make additional configurations that depend on your platform, or set up more Data Planes.
Set up a Data Plane Integration
Here you can find recommendations on the configuration of the integration with your Data Plane.
Anomali Security Analytics
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Anomali Security Analytics as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Attack Detective
Currently, only one option is available for this platform.
Fill in the fields that appeared in the Configuration section:
URL. Use the default value https://api.threatstream.com/
Username. The email address associated with your ThreatStream account. You can find it in the My Account tab within ThreatStream settings
API Key. Your dedicated API Key. You can find it in the My Account tab within ThreatStream settings
Notes:
You need to have read access via search RESTful API
Attack Detective scan speed is capped by the Anomali Security Analytics rate limits (only 10 new search API requests per minute per organization are allowed)
Optionally, select the following settings:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Attack Detective based on the chosen log source. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Amazon Athena
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Amazon Athena as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Attack Detective
Currently, only one option is available for this platform.
Fill in the fields that appeared in the Configuration section:
AWS Access Key ID
Secret Access Key
Database
Region
Query result location
Notes:
To find out how to get the required credentials and set correct permissions in Amazon Athena, see this article.
Optionally, select the following settings for Quick Hunt:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Microsoft Sentinel
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Microsoft Sentinel as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Automation and direct deployment from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while deployment and investigation require a fully-fledged API integration.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
Client ID
Client Secret
Tenant ID
Microsoft Sentinel URL. The URL of your Microsoft Sentinel web console. Open your workspace, select Settings > Workspace Settings > Logs, and copy the full URL of the page. It should contain the following parameters: subscriptions, resource groups, providers, and workspaces.
Notes:
To use the Data Plane integration for Automation and direct deployment from a Sigma rule page and Attack Detective, you need to have API access under your Microsoft Sentinel subscription with the appropriate permissions to read and deploy resources. For Attack Detective alone (without Automation and direct deployment from a Sigma rule page), the Microsoft Sentinel Reader role is sufficient.
To see step-by-step instructions on where to find the required credentials in your SIEM instance, click How To Get Credentials at the bottom of the Configuration section.
Optionally, make the following settings:
Default Config. Select an alternative data schema used in your Data Plane. You'll see content tailored to it by default for this Data Plane in Quick Hunt.
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Quick Hunt and Automation to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Elastic Stack
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Elastic Stack as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Note:
Enable the On Prem switch to connect to your on-prem Elastic instance for running investigations in Attack Detective. In this case, you also need to install the SOC Prime Attack Detective App for Elastic. For details, see this help article. If you want to integrate with a cloud Elastic instance, keep the On Prem switch disabled.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Automation and direct deployment from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while deployment and investigation require a fully-fledged API integration.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
For deploying Searches and Rule Alerts, you need to have access to Kibana:
Kibana URL. The URL of your Kibana web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).
Kibana Login
Kibana Password
Default period. The default period for search.
Note:
For Quick Hunt and direct search from a Sigma rule page, it's sufficient to set Kibana URL and Default period.
For deploying Watchers and using Attack Detective, you need to have access to the Elasticsearch API (set the Show Elastic Configuration checkmark to show these fields):
Elastic Host
Elastic Port
Elastic Login + Elastic Password OR API Key
Note:
For deploying Watchers, you need to have read/write access to the .watches index.
For using Attack Detective, you need the following privileges in your instance (relevant both for cloud and on-prem):
Cluster privileges: monitor, read_security, manage_api_key, manage_security
Index privileges (select * in the Indices dropdown): read, view_index_metadata, monitor
For integration with an on-prem Elastic instance, the required credentials are as follows:
Kibana URL. URL of your Kibana web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).
Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for Elastic.
Optionally, make the following settings:
Indicate Kibana Space Name
Provide Index Pattern IDs for different events and make them default. To see detailed instructions, click How to get Index Pattern ID? at the bottom of the Kibana section.
Default Config. Select an alternative data schema used in your Data Plane. You'll see content tailored to it by default for this Data Plane in Quick Hunt.
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Quick Hunt and Automation to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Falcon LogScale (ex-Humio)
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Falcon LogScale as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Automation and direct deployment from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while deployment and investigation require a fully-fledged API integration.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
Falcon LogScale URL. The URL of your Falcon LogScale web console that you can copy from your browser. The link should contain the repository or view name.
API Token
Notes:
For Automation and direct deployment from a Sigma rule page, you need to have API access under your Falcon LogScale subscription with the appropriate permissions to read and deploy resources.
To see step-by-step instructions on where to find the required credentials in your SIEM instance, click How To Get Credentials at the bottom of the Configuration section.
Optionally, select the following settings:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Quick Hunt and Automation to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Sumo Logic
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Sumo Logic as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Automation and direct deployment from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while deployment and investigation require a fully-fledged API integration.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
For deploying Sumo Logic Queries, you need to have API access under the Sumo Logic subscription with the appropriate permissions to read and deploy resources. Enter the following credentials:
Deployment Region
Timezone
Access ID
Folder ID
Access Key
For deploying CSE Rules, you need to enter the following credentials from your Sumo Logic CSE Data Plane (set the Enable Sumo Logic CSE Configuration checkmark to show these fields):
Sumo Logic URL. The URL of your Sumo Logic web console that you can copy from your browser. The link should contain the deployment region.
API Token
For Quick Hunt and direct search from a Sigma rule page, in addition to Sumo Logic URL specify the start and end of your log query time range in the Start and End fields.
Note:
To see step-by-step instructions on where to find the required credentials in your SIEM instance, click How To Get Credentials at the bottom of the Configuration section.
Optionally, select the following settings:
Default Config. Select an alternative data schema used in your Data Plane. You'll see content tailored to it by default for this Data Plane in Quick Hunt.
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Quick Hunt and Automation to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Splunk
Note:
Splunk Cloud Platform does not allow external access to its API, so it's impossible to set up an integration for Automation and direct deployment from a Sigma rule page. To deploy detection content to your Splunk Data Plane, use the certified SOC Prime CCM App for Splunk - Optimized.
Splunk for Attack Detective is currently in beta.
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Splunk as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Automation and direct deployment from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while investigation requires a fully-fledged API integration.
You can enable the On Prem switch and select one of the following options:
Quick Hunt and direct search from a Sigma rule page: Set up your on-prem Splunk Data Plane for queries from Quick Hunt and direct search from a Sigma rule page.
Automation and direct deployment from a Sigma rule page: Deploy detection content to your on-prem Splunk Data Plane. In this case, use the certified SOC Prime CCM App for Splunk - Optimized.
Attack Detective: Connect to your on-prem Splunk instance for running investigations in Attack Detective. In this case, you also need to install the SOC Prime Attack Detective App for Splunk. For details, see this help article.
If you want to integrate with a cloud Splunk instance, keep the On Prem switch disabled.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
Splunk URL. The URL of your Splunk web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).
Custom Search App. Optionally fill in this field if you want to run hunting queries (when validating scan results in Attack Detective and/or running queries from Quick Hunt and direct searches from a rule page) in an app other than Search. If the field is left empty, the default Search app is used.
Default period. The default period for search.
Splunk Username
Splunk Password
Splunk API URL
Note:
For integration with an on-prem Splunk instance, the required credentials are as follows:
Splunk URL. The URL of your Splunk web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).
Attack Detective API key. Generate an Attack Detective API key needed to configure the input in the SOC Prime Attack Detective App for Splunk.
To use the Data Plane for Attack Detective, in your Splunk instance create a user and assign it a standard User role. Alternatively, you can create a custom role similar to a User role with capabilities to read all indexes and run queries since these capabilities are sufficient for Attack Detective.
Optionally, select the following settings:
Default Config. Select an alternative data schema used in your Data Plane. You'll see content tailored to it by default for this Data Plane in Quick Hunt.
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Quick Hunt and Automation to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Google SecOps
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Google SecOps as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select the Environment Type:
Cloud BackStory API. Old API that will be phased out. Select it only if you don't have the newer version yet.
Cloud Chronicle API. New API all users will be switched to gradually. Use it by default.
Configuration for Cloud Chronicle API
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Automation and direct deployment from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while deployment and investigation require a fully-fledged API integration.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
Region
Instance ID. This is your Customer ID from Google SecOps
Google SecOps URL. The URL of your Google SecOps web console that you can copy from your browser
Import the JSON file with the credentials for your service account. The following fields will be automatically propagated based on the JSON:
Project ID
Private Key ID
Private Key
Client Email
Client ID
Auth URI
Token URI
Auth Provider x509 Cert URL
Client x509 Cert URL
Universe Domain
Note:
Learn how to get credentials here. Note that for Attack Detective, your Google SecOps service account should have the Chronicle API Viewer permission, while for automation the Chronicle API Editor permission is required.
Optionally, set the following setting:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Quick Hunt, Automation, and Attack Detective to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Configuration for Cloud BackStory API
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Automation and direct deployment from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while deployment and investigation require a fully-fledged API integration.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
Google SecOps URL. The URL of your Google SecOps web console that you can copy from your browser
Project ID
Private Key ID
Private Key
Client Email
Client ID
Auth URI
Token URI
Auth Provider x509 Cert URL
Client x509 Cert URL
Region
Note:
To use the Data Plane integration for Automation and direct deployment from a Sigma rule page, you need to have API access under the Google SecOps subscription with the appropriate permissions to read and deploy resources (or only read resources in case of Attack Detective). Request the Google SecOps API credentials from your reseller or dedicated Google Partner Team. When you have the credentials, import them by clicking Import JSON at the bottom of the Configuration section.
Optionally, set the following setting:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Quick Hunt, Automation, and Attack Detective to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Configuration for Cloud Chronicle API with WIF
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Automation and direct deployment from a Sigma rule page
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while deployment requires a fully-fledged API integration.
Fill in the fields that appeared in the Configuration section.
If you have selected Quick Hunt and direct search from a Sigma rule page, fill in the Google SecOps URL field by providing the URL of your Google SecOps web console that you can copy from your browser.
If you have selected Automation and direct deployment from a Sigma rule page, fill in the following fields:
Google SecOps Project Number
Google SecOps Service Account Email
Region
Instance ID
Project ID
Azure Tenant ID
Azure Client ID
Azure Client Secret
WIF Pool ID
WIF Provider ID
Learn how to get credentials here.
Optionally, set the following setting:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Quick Hunt and Automation to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
IBM QRadar
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select IBM QRadar as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Note:
The On Prem switch is enabled by default. This setting cannot be changed because currently only on-prem QRadar is supported. To connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for IBM QRadar. For details, see this help article.
Select where your Data Plane will be used:
Attack Detective
Currently, only one option is available for this platform.
Fill in the fields that appeared in the Configuration section.
IBM QRadar URL. The URL of your IBM QRadar web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).
Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for IBM QRadar.
Optionally, make the following setting:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. These profiles will be applied automatically in Attack Detective to queries with matching log sources if Share to Company and Make Default settings are enabled in them. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
CrowdStrike Endpoint Security
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select CrowdStrike Endpoint Security as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Currently, only one option is available for this platform.
Fill in the fields that appeared in the Configuration section.
CrowdStrike Endpoint Security URL. The URL of your CrowdStrike Endpoint Security web console that you can copy from your browser.
Optionally, select the following settings:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in the Quick Hunt module to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Microsoft Defender for Endpoint
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Microsoft Defender for Endpoint as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while deployment and investigation require a fully-fledged API integration.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
Directory ID
Application ID
Client Secret
Notes:
If you're going to use the Data Plane integration in Quick Hunt and direct search from a Sigma rule page, you don't need to provide any credentials or other parameters. To integrate with your instance via web, we use a default URL. After drilling down to your Data Plane for search, you'll need to log in.
If you're going to use the Data Plane integration in Attack Detective, click How To Get Credentials at the bottom of the Configuration section to see instructions on where to find the required credentials in your instance. To ensure the required permissions are in place in your instance, create an AAD Web-Application and assign it the AdvancedQuery.Read.All permission.
Optionally, select the following settings for Quick Hunt:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in the Quick Hunt module to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
AWS OpenSearch
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select AWS OpenSearch as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Attack Detective
You can choose one or multiple options. Depending on your choice, you'll need to set different parameters at the next step since hunting is done via passing a URL, while running investigations requires a fully-fledged API integration. An integration configured for Attack Detective will include support for hunting.
Fill in the fields that appeared in the Configuration section. The exact set of fields depends on your choice in the previous step. Here is the list of the fields when all options have been selected.
OpenSearch URL. The URL of your OpenSearch Dashboards web console, copied from your browser. It should contain the hostname and port number (unless the default port 443 is used).
Default period. The time range used for searches.
OpenSearch Host. The host of the OpenSearch Dashboards instance you will drill down to from the SOC Prime Platform.
OpenSearch Port. The port of that instance (9200 by default). Note that 9200 is the default port of the OpenSearch REST API, while OpenSearch Dashboards itself listens on 5601 by default, so enter the port your deployment actually exposes for this field.
OpenSearch Login and OpenSearch Password, or an API Key.
Note: To use Attack Detective, the following permissions must be granted in your OpenSearch instance:
Cluster permissions: cluster_composite_ops_ro, cluster_monitor
Index permissions (select * for the index pattern): read, indices:data/read/get, indices:data/read/search*, manage
Tenant permissions (select * for the tenant pattern): allowed_actions: kibana_all_read
Because manage grants index-level administrative actions on every index matched by the pattern, assign this role to a dedicated user whose credentials are used only for this integration.
Optionally, make the following settings:
Provide Index Pattern IDs for different event types and mark them as default.
Default Config. Select an alternative data schema used in your Data Plane. You'll see content tailored to it by default for this Data Plane in Quick Hunt.
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in the Quick Hunt module to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
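The permission note above is easy to get subtly wrong when the role already exists and was scoped to a narrower index pattern. The following is an added example (not SOC Prime's or OpenSearch's own code) that builds the role body for the OpenSearch Security plugin REST API and checks an existing role document against the list on this page. It assumes the role format used by PUT and GET _plugins/_security/api/roles/<name>; the role, index names and tenant used below are hypothetical, and the sample role is constructed for illustration.

```python
"""Build and check an OpenSearch Security role carrying the permissions listed above.

Added example, not SOC Prime's or OpenSearch's own code. It assumes the role document
format of the OpenSearch Security plugin REST API (PUT/GET _plugins/_security/api/roles/<name>);
the index names and tenant below are hypothetical.
"""
import fnmatch
import json

# Permissions the page lists as required for Attack Detective.
REQUIRED_CLUSTER = ["cluster_composite_ops_ro", "cluster_monitor"]
REQUIRED_INDEX = ["read", "indices:data/read/get", "indices:data/read/search*", "manage"]
REQUIRED_TENANT = ["kibana_all_read"]


def build_role(index_patterns=("*",), tenant_patterns=("*",)):
    """Role body to PUT to _plugins/_security/api/roles/<name>; '*' patterns are the page's defaults."""
    return {
        "cluster_permissions": list(REQUIRED_CLUSTER),
        "index_permissions": [
            {"index_patterns": list(index_patterns), "allowed_actions": list(REQUIRED_INDEX)}
        ],
        "tenant_permissions": [
            {"tenant_patterns": list(tenant_patterns), "allowed_actions": list(REQUIRED_TENANT)}
        ],
    }


def _covered(required, granted):
    """True if a granted action name equals the required one or is a glob that matches it.

    Action groups such as read and manage are compared by name only; the check does not
    expand them into the individual actions they contain.
    """
    return any(required == g or fnmatch.fnmatchcase(required, g) for g in granted)


def missing_permissions(role, index="winlogbeat-2024.01.01", tenant="global_tenant"):
    """Required permissions that `role` does not grant for one concrete index name and tenant.

    `role` is the inner object of a GET _plugins/_security/api/roles/<name> response.
    Index and tenant entries only count when one of their patterns matches the name being
    checked, which is how a role scoped to winlogbeat-* falls short for other indices.
    """
    missing = [f"cluster:{p}" for p in REQUIRED_CLUSTER
               if not _covered(p, role.get("cluster_permissions", []))]

    index_granted = [a for entry in role.get("index_permissions", [])
                     if any(fnmatch.fnmatchcase(index, pat) for pat in entry.get("index_patterns", []))
                     for a in entry.get("allowed_actions", [])]
    missing += [f"index:{p}" for p in REQUIRED_INDEX if not _covered(p, index_granted)]

    tenant_granted = [a for entry in role.get("tenant_permissions", [])
                      if any(fnmatch.fnmatchcase(tenant, pat) for pat in entry.get("tenant_patterns", []))
                      for a in entry.get("allowed_actions", [])]
    missing += [f"tenant:{p}" for p in REQUIRED_TENANT if not _covered(p, tenant_granted)]
    return missing


# Constructed sample: a role an admin might already have given the integration user.
# It can search beat indices but lacks cluster_monitor and manage from the page's list.
SAMPLE_INCOMPLETE_ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {"index_patterns": ["winlogbeat-*", "filebeat-*"],
         "allowed_actions": ["read", "indices:data/read/*"]}
    ],
    "tenant_permissions": [
        {"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_read"]}
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_role(), indent=2))
    print("missing on winlogbeat:", missing_permissions(SAMPLE_INCOMPLETE_ROLE))
    print("missing on auditbeat:", missing_permissions(SAMPLE_INCOMPLETE_ROLE, index="auditbeat-2024.01.01"))
```

Run it against the role you actually assigned (fetch it with GET _plugins/_security/api/roles/<name> and pass the inner object) and pass the name of a real index the scan will touch; an empty list means every permission on the page is covered for that index. If you choose to narrow the index pattern instead of using *, run the check once per index family the integration queries.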
ArcSight
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select ArcSight as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Currently, only one option is available for this platform.
Fill in the fields that appeared in the Configuration section.
ArcSight Logger URL. The URL of your Micro Focus ArcSight Logger web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).
Default period. Period for search.
Optionally, select the following setting:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in the Quick Hunt module to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Carbon Black
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Carbon Black as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Quick Hunt and direct search from a Sigma rule page
Currently, only one option is available for this platform.
Fill in the fields that appeared in the Configuration section.
Carbon Black Cloud Console URL. URL of your Carbon Black Cloud Console that you can copy from your browser. The field is pre-filled with a default value you can change as needed.
Optionally, select the following settings for Quick Hunt:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in the Quick Hunt module to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Coralogix
Click Add Data Plane on the Account > Platform Settings > Data Planes page.
Name your profile, select Coralogix as your platform, and choose if you want to share the profile with your teammates. A shared Data Plane will be available for using, viewing, and editing to all users from your organization.
Select where your Data Plane will be used:
Automation and direct deployment from a Sigma rule page
Currently, only one option is available for this platform.
Fill in the fields that appear in the Configuration section.
Region
API Key ID
API Key
Note: You can learn how to get credentials here.
Optionally, make the following settings:
Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically in Automation to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.
Click Save Changes.
Check the connection status of the newly created Data Plane on the Data Planes page:
If the status is Connected, the Data Plane integration is ready for use.
If the status is Disconnected, see the information in the tooltip and check the entered credentials.
Check Connection
The status of your connection to the Data Plane you've set up is automatically checked on a schedule. The result of the check is displayed in the Status column on the Account > Platform Settings > Data Planes page.
Hover over the status to see the check details:
Connected: The time of the most recent check is displayed.
Disconnected: Both the time of the most recent check and the error message received from the server are displayed.
You can also launch the connection check manually. To do it, click the Check Connection icon on the right.
The command checks the connection for the Attack Detective and Automation integrations and is available for the following platforms:
| Platform | Automation | Attack Detective |
|---|---|---|
| Microsoft Sentinel | ✔ | ✔ (cloud) |
| Google SecOps | ✔ | N/A |
| CrowdStrike Endpoint Security | N/A | N/A |
| Elastic Stack | ✔ | ✔ (cloud & on-prem) |
| Splunk | N/A | N/A |
| Falcon LogScale | ✔ | N/A |
| Sumo Logic | ✔ | ✔ (cloud) |
| Microsoft Defender for Endpoint | N/A | N/A |
| AWS OpenSearch | N/A | N/A |
| ArcSight | N/A | N/A |
| Carbon Black | N/A | N/A |
| Amazon Athena | N/A | ✔ (cloud) |
| IBM QRadar | N/A | N/A |
Note: The Quick Hunt integration type does not support the connection check, since it does not use an API: queries are passed to your Data Plane as part of a URL.
If the connection is healthy, you'll see a confirmation popup at the top of the screen and the status will be Connected.
If the check shows there's no connection, you'll see a modal warning about the failure and providing its reason. In this case, the status will be Disconnected.
For Elastic Stack, check details include info on Kibana and Elastic connections individually.
Edit or Delete a Data Plane Integration
To edit or remove a Data Plane integration:
Go to the Account > Platform Settings > Data Planes page.
Select the tab with your Data Plane:
My if you created the Data Plane profile
Company if the Data Plane profile was shared by a teammate
Find the desired Data Plane and click the Edit icon or Delete icon on the right.
Update the Data Plane profile settings and save changes, or confirm the deletion.
