With Integrations, you can connect various ticketing, storage, knowledge management, and communication systems in order to use respective automation features across the SOC Prime Platform.
Currently, we support integration with Confluence and GitHub. Other systems will be added later.
Integrations
Confluence
To set up an integration with your Confluence instance, follow these steps:
1. Go to Account > Platform Settings > Integrations and click Add Integration in the upper right corner.
2. In the modal that appears, name your integration, select Confluence as the integration type, and choose whether you want to share the integration with other users from your team.
3. Set the configuration:
   - URL of your Confluence domain. Paste the domain of your Confluence instance, for example https://companyname.atlassian.net
   - Username. Enter the email of a user with the proper permissions in your Confluence (the user can view or edit the parent pages under which documentation is going to be created).
   - API token. Enter the token generated according to this instruction by the Username you specify in this integration.
   - Space name. Enter the key of the space where the use case documentation is going to be created. You can find it in the URL of that space after spaces/
   - Parent Pages. Specify the titles of the pages under which you want to create child pages with use case documentation (note that a title must not include special characters). You'll be able to select a parent page defined here when creating a document via Uncoder AI.
4. Click Save Changes.
5. On the Integrations page, click the Check Connection icon for your newly created integration.
   - If the status is Connected, your integration is ready for use.
   - If the status is Disconnected, refer to the error message shown after clicking Check Connection or the tooltip displayed when hovering over the status to identify and resolve the issue.
Once you've set up a Confluence integration, you can use it to automatically document use cases based on a rule's intelligence and metadata in Uncoder AI. You can learn how to do it here.
GitHub
You can configure an integration with GitHub for Automation and direct deployment from a Sigma rule page to push detection content to your GitHub repo rather than deploying it directly into your SIEM, making the SOC Prime Platform part of your CI/CD flow.
You can push content to your repo:
- Manually from a rule page. The Deploy to Repository button is shown on the rule page for the content platforms you selected during your Integration setup.
- Automatically via Automation. Set up a Job that will push the content of your choice to your repo. For your GitHub Integration to become available in the Data Plane field in the Job settings, first select the Platform and Content Type that match the values you set in the Content Platform field during your Integration setup.
The GitHub integration supports the following content formats:
Microsoft Sentinel Rule
Microsoft Sentinel Query
Elastic Detection Rule (Lucene)
Elastic Detection Rule (EQL)
Elastic Watcher
Elastic Saved Search
Google SecOps Rule
Falcon LogScale Alert
Splunk Alert
Sumo Logic Query
LimaCharlie
Currently, GitHub integration is not available by default. If you want it enabled for your company, please reach out to your SOC Prime Customer Success Manager.
1. Click Add Data Plane on the Account > Platform Settings > Integrations page.
2. Name your profile, select GitHub as your platform, and choose whether you want to share the profile with your teammates. A shared Integration is available for use, viewing, and editing to all users from your organization.
3. Select where your Integration will be used:
   - Automation and direct deployment from a Sigma rule page
   Currently, only one option is available for this platform.
4. Fill in the fields that appear in the Configuration section:
   - Repository: Provide the name of your repository. Note that the integration is supported only for private repositories.
   - GitHub Token: Provide your personal access token. You can learn how to create it here.
   - Source Branch: The name of the branch to pull content from.
   - New Branch: The name of the branch to push content to. Leave this field empty to commit directly to the source branch.
   - Content Platform: The content formats you're going to work with in Automation. Additionally, the tabs of the selected platforms on a rule page will include a Push to GitHub button.
5. Set the Show Advanced checkbox to configure optional advanced settings:
   - Assignee: The name of the GitHub user pull requests are assigned to.
   - Label: Add a GitHub label that will be attached to pull requests.
   - Auto Merge: Choose whether you want to merge pull requests automatically.
   - Auto Delete Branch: Choose whether you want to automatically delete the branch after the pull request is merged (when Auto Merge is enabled).
   - Commit Message Template: Provide a template for the commit message.
   - Path to Upload: Provide the path to the folder the content should be uploaded to. If no value is entered, the root folder of the branch indicated in the New Branch field is used.
   - Download Path: Provide the path to the folder the content should be downloaded from. If no value is entered, the root folder of the branch indicated in the Source Branch field is used.
   - File Formats: Choose the file formats of the content you're going to push to your repository.
6. Click Save Changes.
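As an added illustration (not SOC Prime's code), the following Python dry-run planner maps the GitHub integration fields above (Source Branch, New Branch, Path to Upload, Assignee, Label, Auto Merge, Auto Delete Branch, Commit Message Template) onto the sequence of GitHub REST API calls an equivalent push of one rule file would make, so you can see what the token is actually used for. The repository name, rule name and the {rule}/{platform} template placeholders are constructed assumptions; the Azure DevOps fields in the next section follow the same semantics against a different API.

```python
"""Dry-run planner for a GitHub push configured with the Integration fields above.
Added illustration only: not SOC Prime's implementation, and it performs no network I/O."""
import base64
from dataclasses import dataclass


@dataclass
class GitHubIntegration:
    repository: str                   # "owner/name" of a private repository (constructed value)
    source_branch: str                # Source Branch: branch to pull content from
    new_branch: str = ""              # New Branch: empty means commit directly to the source branch
    path_to_upload: str = ""          # Path to Upload: empty means the branch root
    assignee: str = ""                # Assignee: GitHub user the pull request is assigned to
    label: str = ""                   # Label: attached to the pull request
    auto_merge: bool = False          # Auto Merge: merge the pull request automatically
    auto_delete_branch: bool = False  # Auto Delete Branch: only applies when Auto Merge is on
    commit_message_template: str = "Add {rule} ({platform})"  # placeholder names are assumed


def plan_push(cfg: GitHubIntegration, rule: str, platform: str, ext: str, content: str):
    """Return the ordered (method, endpoint, payload) REST calls for one rule file."""
    repo = f"/repos/{cfg.repository}"
    target = cfg.new_branch or cfg.source_branch
    folder = cfg.path_to_upload.strip("/")
    path = f"{folder}/{rule}.{ext}" if folder else f"{rule}.{ext}"
    message = cfg.commit_message_template.format(rule=rule, platform=platform)
    # 1. Resolve the head of the source branch; its SHA is needed to branch from it.
    calls = [("GET", f"{repo}/git/ref/heads/{cfg.source_branch}", None)]
    if cfg.new_branch:
        calls.append(("POST", f"{repo}/git/refs",
                      {"ref": f"refs/heads/{cfg.new_branch}", "sha": "<source head sha>"}))
    # 2. Create or update the file on the target branch (the Contents API takes base64 content).
    calls.append(("PUT", f"{repo}/contents/{path}",
                  {"message": message, "branch": target,
                   "content": base64.b64encode(content.encode()).decode()}))
    # 3. With a separate branch, open a pull request and apply the advanced settings.
    if cfg.new_branch:
        calls.append(("POST", f"{repo}/pulls",
                      {"title": message, "head": cfg.new_branch, "base": cfg.source_branch}))
        if cfg.assignee:
            calls.append(("POST", f"{repo}/issues/<pr>/assignees", {"assignees": [cfg.assignee]}))
        if cfg.label:
            calls.append(("POST", f"{repo}/issues/<pr>/labels", {"labels": [cfg.label]}))
        if cfg.auto_merge:
            calls.append(("PUT", f"{repo}/pulls/<pr>/merge", None))
            if cfg.auto_delete_branch:  # branch cleanup only follows an automatic merge
                calls.append(("DELETE", f"{repo}/git/refs/heads/{cfg.new_branch}", None))
    return calls


if __name__ == "__main__":
    demo = GitHubIntegration("acme/detections", "main", "socprime/sentinel-update", "rules/sentinel")
    for call in plan_push(demo, "suspicious_powershell", "Microsoft Sentinel Rule", "yaml", "rule: ..."):
        print(call[0], call[1])
```

Leaving New Branch empty collapses the plan to a ref lookup plus a direct commit on the source branch, which is why that setting removes the review step a pull request gives you.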
Azure DevOps
You can configure integration with Azure DevOps for Automation to push detection content to your Azure DevOps repository instead of directly deploying into your SIEM, integrating SOC Prime Continuous Content Delivery as part of your CI/CD flow.
You can push content to your repository via SOC Prime Automation by creating a Job that deploys the content selected with a List to your repository. Note that pushing an individual rule from a rule's page is still in development.
For an Azure DevOps Integration to become available in the Data Plane field within the Job settings, first select the Platform and Content Types that match the values configured in the Content Platform field during the Integration setup.
The Azure DevOps integration supports the following content formats:
Microsoft Sentinel Rule
Microsoft Sentinel Query
Elastic Detection Rule (Lucene)
Elastic Detection Rule (EQL)
Elastic Watcher
Elastic Saved Search
Google SecOps Rule
Falcon LogScale Alert
Splunk Alert
Sumo Logic Query
LimaCharlie
To configure the integration, follow these steps:
1. Click Add Integration on the Account > Platform Settings > Integrations page.
2. Name your profile, select Azure DevOps as your platform, and choose whether you want to share the profile with your teammates. A shared Integration is available to use, view, and edit for all users in your organization.
3. Ensure that the checkbox next to Automation and direct deployment from a Sigma rule page is set.
4. Fill in the fields in the Configuration section:
   - Repository: Provide the path to your repository, which includes the name of your organization and the name of your repository.
   - Personal Access Token: Provide your personal access token. You can learn how to create it here. Note: the token needs full access to Code; all other permissions can be set to Read.
   - Source Branch: The name of the branch to pull content from (default: main).
   - New Branch: The name of the branch to push content to. Leave this field empty to commit directly to the source branch.
   - Content Platform: The content formats you're going to work with in Automation.
5. Set the Show Advanced checkbox to configure optional advanced settings:
   - Assignee: The name of the Azure DevOps user pull requests are assigned to (default: SOCPrime).
   - Tag: Add an Azure DevOps tag that will be attached to pull requests.
   - Auto Merge: Choose whether you want to merge pull requests automatically. If this is not selected, you will merge the SOC Prime content into your repository manually.
   - Auto Delete Branch: Choose whether you want to automatically delete the branch after the pull request is merged (when Auto Merge is enabled).
   - Commit Message Template: Provide a template for the commit message.
   - Path to Upload: Provide the path to the folder the content should be uploaded to. If no value is entered, the root folder of the branch indicated in the New Branch field is used.
   - Download Path: Provide the path to the folder the content should be downloaded from. If no value is entered, the root folder of the branch indicated in the Source Branch field is used.
   - File Formats: Choose the file formats of the content you're going to push to your repository.
6. Click Save Changes.
MISP
You can set up the MISP integration to search for IOCs and CTI events on your MISP server directly from Uncoder, which acts as an agent. MISP is an open-source threat intelligence platform, formerly known as the Malware Information Sharing Platform, that allows organizations to share, store, and correlate IOCs, malware samples, and other cybersecurity information.
To set up the MISP integration:
1. Go to Account > Platform Settings > Integrations and click Add Integration in the upper right corner.
2. In the modal that appears, in the Profile Details section:
   - Provide the name of the profile in the Integration Name field.
   - Select MISP from the Select Integration dropdown.
   - Turn on the Share to Company toggle if you want to share the profile across the company.
3. In the Configuration section:
   - Paste your MISP URL into the MISP URL field.
   - Enter the token in the API Key field. You can learn how to create it here.
4. Select Save Changes.
5. On the Integrations page, click the Check Connection icon for your newly created integration.
   - If the status is Connected, your integration is ready for use.
   - If the status is Disconnected, refer to the error message shown after clicking Check Connection or the tooltip displayed when hovering over the status to identify and resolve the issue.
Check Connection
The status of your connection to the Confluence Integration you've set up is checked automatically on a schedule. The result of the check is displayed in the Status column.
Hover over the status to see the check details:
- Connected: The time of the most recent check is displayed.
- Disconnected: Both the time of the most recent check and the error message received from the server are displayed.
You can also launch the connection check manually. To do so, click the Check Connection icon on the right.
