Configuring Stormshield products for Stormshield XDR

Ensure that logs are sent to SLS:

• Over TCP port 514,

• In RFC5424 format.

For more information, refer to:

• The Syslog tab section in the relevant version of the SNS user guide:

  • The most recent SNS V4.x,

  • SNS V4.3 LTSB.

• The section Getting the logs from an SNS firewall in the SLS deployment guide that corresponds to your hypervisor:

  • OVA,

  • Hyper-V VHD.

Ensure that logs are sent to SLS:

• With a Warning severity,

• Over TCP port 514,

• In raw JSON format.

For more information, refer to:

• The section Creating groups of agent handlers in the SES Evolution administration guide,

• The section Getting the logs from SES Evolution in the SLS deployment guide that corresponds to your hypervisor:

  • OVA,

  • Hyper-V VHD.

1. In SLS, go to Settings > Configuration > Enrichment Sources and click on Add.

2. Select CSV from the menu on the left.

3. Enter SES_Alllogs in the Name field and select semicolon-separated in the Delimiter field.

4. Import the file SES_AllLogs.csv from the scenario package.

5. Click on Save.

1. In SLS, go to Settings > Knowledge Base > Lists and Tables.

2. Select Tables from the drop-down menu on the top left side and click on Add.

3. Create a table entitled THREATS_TABLE with entries having a lifetime of 30 minutes, then click on Save.

4. Create a table entitled THREATS_TABLE_12H with entries having a lifetime of 12 hours, then click on Save.

5. Create a table entitled TRIGGERED_ALARMS_TABLE with entries having a lifetime of 30 minutes, then click on Save.

1. In SLS, go to Settings > Knowledge Base > Macros and click on Import.

2. Import the file macros.xdr.xxx.pak from the scenario package.

3. Click on Submit.

1. In SLS, go to Settings > Knowledge Base > Lists and Tables.

2. Select List from the drop-down menu on the top left side and click on Import.

3. Import the file definedlist.xdr.xxx.pak from the scenario package.

4. Click on Submit.

1. In SLS, go to Settings > Knowledge Base > Alert Rules and click on Import.

2. Import the file alertrules.xdr.xxx.pak from the scenario package, starting with alertrules.

3. You can click on the bell to enable notifications. For more information, refer to the section Creating Incident from Alert Rule on the SLS user guide.

4. Click on Submit.

Incidents will then appear in the Incident menu when rule conditions are met.