Configuring Stormshield products for Stormshield XDR
Before Stormshield XDR is set up, Stormshield products must be configured in a certain way.
Checking the configuration used for log reception
Ensure that SNS firewall logs are sent to SLS:
- Over TCP port 514,
- In RFC 5424 format.
For more information, refer to:
- The Syslog tab section in the relevant version of the SNS user guide.
- The section Getting the logs from an SNS firewall in the SLS deployment guide that corresponds to your hypervisor.
Ensure that SES Evolution logs are sent to SLS:
- With a Warning severity,
- Over TCP port 514,
- In raw JSON format.
For more information, refer to:
- The section Creating groups of agent handlers in the SES Evolution administration guide.
- The section Getting the logs from SES Evolution in the SLS deployment guide that corresponds to your hypervisor.
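Both checks above come down to looking at what actually arrives on the SLS receiving port: an SNS line must carry an RFC 5424 header, an SES Evolution line must be a raw JSON object, and the syslog PRI field encodes the severity. The following script is an added example (not part of Stormshield's documentation or products) that classifies a captured line and decodes its facility and severity; the sample lines and the host and application names in them are constructed placeholders, not real product output.

```python
"""Classify log lines captured on the SLS receiving port (TCP 514).

Added example for this page, not Stormshield code. Expected results:
SNS firewall lines -> RFC 5424 syslog, SES Evolution lines -> raw JSON.
"""
import json
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP
# PROCID SP MSGID, followed by structured data and the message.
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T[0-9:.]+(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) "
    r"(?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) (?P<rest>.*)$",
    re.DOTALL,
)

# Syslog severity names, indexed by PRI % 8 (RFC 5424 section 6.2.1).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]


def classify(line):
    """Return a dict describing the line's format (rfc5424, json or unknown)."""
    stripped = line.strip()
    m = RFC5424_HEADER.match(stripped)
    if m:
        pri = int(m.group("pri"))
        if pri > 191:  # facility 0..23, severity 0..7 -> max 23*8+7
            return {"format": "unknown", "reason": "PRI out of range"}
        return {
            "format": "rfc5424",
            "facility": pri // 8,
            "severity": SEVERITIES[pri % 8],
            "hostname": m.group("hostname"),
            "appname": m.group("appname"),
        }
    if stripped.startswith("{"):
        try:
            obj = json.loads(stripped)
        except json.JSONDecodeError as exc:
            return {"format": "unknown", "reason": f"invalid JSON: {exc.msg}"}
        if isinstance(obj, dict):
            return {"format": "json", "keys": sorted(obj)}
    # Legacy BSD syslog (RFC 3164) has a month name, not a version digit, after PRI.
    if re.match(r"^<\d{1,3}>[A-Z][a-z]{2} ", stripped):
        return {"format": "unknown", "reason": "RFC 3164 (BSD) syslog, not RFC 5424"}
    return {"format": "unknown", "reason": "unrecognised"}


def check_source(line, expected):
    """True when the line is in the format expected for its source.

    expected is 'rfc5424' for SNS firewalls or 'json' for SES Evolution.
    """
    return classify(line)["format"] == expected


# Constructed sample lines (placeholder hosts/apps, not real product output).
SAMPLES = {
    "sns_ok": "<12>1 2024-01-15T10:00:00+01:00 fw-example app-example - - - id=1 msg=test",
    "ses_ok": '{"severity": "warning", "host": "ses-host-example", "rule": "example"}',
    "sns_legacy": "<12>Jan 15 10:00:00 fw-example app-example: legacy line",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, classify(line))
```

PRI 12 in the first sample decodes to facility 1 and severity 4 (Warning); the third sample is rejected because it uses the older BSD header, which is the most common reason an RFC 5424 parser on the SLS side silently drops or mis-parses firewall logs.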
Configuring SLS
- In SLS, go to Settings > Configuration > Enrichment Sources and click on Add.
- Select CSV from the menu on the left.
- Enter SES_Alllogs in the Name field and select semicolon-separated in the Delimiter field.
- Import the file SES_AllLogs.csv from the scenario package.
- Click on Save.
- In SLS, go to Settings > Knowledge Base > Lists and Tables.
- Select Tables from the drop-down menu on the top left side and click on Add.
- Create a table entitled THREATS_TABLE with entries having a lifetime of 30 minutes, then click on Save.
- Create a table entitled THREATS_TABLE_12H with entries having a lifetime of 12 hours, then click on Save.
- Create a table entitled TRIGGERED_ALARMS_TABLE with entries having a lifetime of 30 minutes, then click on Save.
- In SLS, go to Settings > Knowledge Base > Macros and click on Import.
- Import the file macros.xdr.xxx.pak from the scenario package.
- Click on Submit.
- In SLS, go to Settings > Knowledge Base > Lists and Tables.
- Select List from the drop-down menu on the top left side and click on Import.
- Import the file definedlist.xdr.xxx.pak from the scenario package.
- Click on Submit.
- In SLS, go to Settings > Knowledge Base > Alert Rules and click on Import.
- Import the file alertrules.xdr.xxx.pak from the scenario package, starting with alertrules.
- You can click on the bell to enable notifications. For more information, refer to the section Creating Incident from Alert Rule in the SLS user guide.
- Click on Submit.
Incidents will then appear in the Incident menu when rule conditions are met.