Data Source Integration for XDR

Note

To use these features, you can add the XDR package to your instance of the Cybereason platform for an additional cost. Contact your Customer Success Manager for details about this package.

Cybereason XDR enables you to retrieve log sources from various other platforms and ingest the details from these log sources into the platform. As a result, you can broaden your security coverage beyond traditional endpoint machines without the need to install numerous other sensors throughout your network.

Cybereason XDR works with Google Chronicle to retrieve and ingest log sources. Once your integration platform sends data, the native Google Chronicle data parsers and collectors read and sort the data from the log sources. Following the Chronicle data ingestion, Cybereason XDR takes the data from your Chronicle instance and imports the data into the Cybereason detection and correlation engine.

As part of the data ingestion, Cybereason XDR ingests numerous events from all your data sources, both malicious and non-malicious. These events report activity from the connected integrations, along with related information about that activity. Cybereason XDR ingests all these events so that the Cybereason platform can find connections between different events. When Cybereason XDR imports the data, the detection and correlation engine applies Cybereason XDR’s proprietary detection rules to identify potentially or likely malicious events. These detections surface activities of interest that may not be immediately obvious from a basic analysis or listing of all events. You then see these detections as Suspicious events and XDR MalOps, which you can analyze to find the items that require your attention.

In addition, the platform’s detection and correlation engine, identity management service, and threat classification service enrich events with identity and additional security context data. For example, when you view XDR data, you can view enrichment information related to the user accounts and identities associated with the MalOp. You can also see security enrichment with the MITRE ATT&CK tactics, techniques, and sub-techniques for an event, for both malicious and non-malicious activities. For details on the MITRE ATT&CK matrix, see MITRE ATT&CK Knowledge Base.

The full integration process involves steps on the Cybereason XDR side and the integrated platform side:

Area: Cybereason XDR

You add and configure Cybereason XDR integrations in the Cybereason Connect screen. If the integration sends log sources through a cloud feed, you can configure the connection to the other platform directly in the Connect screen. For integrations that do not use a cloud feed, such as firewalls, you install an on-site collector agent that collects the logs and securely forwards them to Cybereason XDR.

For details on how to use the Cybereason Connect screen, see Use Cybereason Connect. For details on how to install an on-site collector, see Add an On-Site Integration.

Area: Integrated platform

You also enable log forwarding in each integrated platform. The steps to enable this log forwarding differ depending on the integrated platform. For details on how to configure these exports, select your integrations from the Cybereason Integrations page and select the Configure tab on the integration documentation page.

Once you add and configure the integration, the Cybereason platform, through your Google Chronicle instance, retrieves the log sources from other platforms.

For a full, up-to-date list of the available integrations and the required information and configuration for each integration, see the Cybereason Connect screen in your Cybereason environment or the Cybereason Integrations page.