Setting up Threat Detection Integration

This document walks you through onboarding Threat Detection for your cloud environment.

  1. Log into your Horangi Storyfier platform - Warden.
  2. Click on the gear icon at the top left. On the left panel, click on Integrations.
  3. Click the [ADD] button on the cloud provider in the Cloud Account Setup section.

Add AWS S3 Bucket Logs Connector

  1. On the Integrations page, look for the AWS S3 Bucket Logs Connector row and click ADD.
  2. Click ADD NEW S3 BUCKET LOGS CONNECTOR.
  3. Next, choose the scenario that matches your current infrastructure and click NEXT to see a step-by-step guide to the necessary setup. (Click here to preview the step-by-step guide for each scenario on how to set up the prerequisite AWS infrastructure.)
  4. Next, fill in the details of your S3 bucket.
    1. Name - the name of your integration.
    2. Account ID - the 12-digit AWS account ID of the account where the S3 bucket that receives the CloudTrail logs is located.
    3. Bucket Name - the S3 bucket to which CloudTrail logs and other log types are delivered.
    4. KMS Key - the KMS key ARN.
    5. SNS Topic ARN - the SNS topic from which S3 event notifications are retrieved.
  5. After filling in the necessary information, the next step creates an IAM role, via CloudFormation, that allows Horangi access to your S3 bucket.
  6. Click on the LAUNCH CLOUDFORMATION STACK button. You can review our CloudFormation template here.
  7. After reviewing all the parameters, check the “I acknowledge that AWS CloudFormation might create IAM resources” box.
  8. Go to the Outputs tab, copy the LogProcessingRoleArn value and paste it into Step 2 of the AWS S3 Log Connector.
  9. Once the connection is successful, you will be able to view your integration on the Integrations page.
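A common reason the connection fails at step 9 is a form whose values do not belong together: an account ID with a typo, or a KMS key or SNS topic ARN from a different account or region than the bucket. The pre-flight check below is an added example (not Horangi's code, and not part of the CloudFormation template) that validates the step 4 fields before you submit them. It assumes the bucket, the KMS key and the SNS topic all live in the one AWS account named in the Account ID field, and all sample values are constructed placeholders.

```python
import re

# Constructed sample values for the Warden S3 Bucket Logs Connector form.
# The account ID, bucket and ARNs are placeholders, not real resources.
SAMPLE_FORM = {
    "name": "prod-cloudtrail-logs",
    "account_id": "123456789012",
    "bucket_name": "example-cloudtrail-logs",
    "kms_key_arn": "arn:aws:kms:ap-southeast-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "sns_topic_arn": "arn:aws:sns:ap-southeast-1:123456789012:cloudtrail-s3-events",
}

# arn:<partition>:<service>:<region>:<account>:<resource>
ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):(?P<service>[a-z0-9-]+):(?P<region>[a-z0-9-]*)"
    r":(?P<account>\d{12}):(?P<resource>.+)$"
)
# S3 bucket naming rules: 3-63 chars, lowercase/digits/dots/hyphens, not an IP address.
BUCKET_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def parse_arn(arn):
    """Split an ARN into its fields, or return None if it is not a well-formed ARN."""
    m = ARN_RE.match(arn)
    return m.groupdict() if m else None


def check_form(form):
    """Return a list of problems with the form values; an empty list means they are consistent."""
    problems = []
    if not re.fullmatch(r"\d{12}", form["account_id"]):
        problems.append("account_id must be exactly 12 digits")
    if not BUCKET_RE.match(form["bucket_name"]):
        problems.append("bucket_name is not a valid S3 bucket name")
    kms = parse_arn(form["kms_key_arn"])
    sns = parse_arn(form["sns_topic_arn"])
    if kms is None or kms["service"] != "kms" or not kms["resource"].startswith("key/"):
        problems.append("kms_key_arn is not a KMS key ARN (arn:aws:kms:<region>:<account>:key/<id>)")
    if sns is None or sns["service"] != "sns":
        problems.append("sns_topic_arn is not an SNS topic ARN (arn:aws:sns:<region>:<account>:<topic>)")
    # Assumption: key and topic belong to the same account as the bucket named in the form.
    for label, arn in (("kms_key_arn", kms), ("sns_topic_arn", sns)):
        if arn and arn["account"] != form["account_id"]:
            problems.append(f"{label} belongs to account {arn['account']}, but account_id is {form['account_id']}")
    # SSE-KMS keys and S3 event notification topics must be in the bucket's region, so they must agree.
    if kms and sns and kms["region"] != sns["region"]:
        problems.append(f"KMS key is in {kms['region']} but SNS topic is in {sns['region']}")
    return problems
```

Run `check_form` on your own values before launching the CloudFormation stack; every message it returns is a mismatch the connector would otherwise surface only as a failed connection.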

Now, click here to go to Warden to set up Threat Detection Integration.


Add GCP Logs Ingestion

  1. On the Integrations page, look for the GCP Logs Ingestion row and click ADD.
  2. Click ADD NEW GCP LOGS INGESTION CONNECTOR.
  3. Next, follow the step-by-step guide on the onboarding page to create a service account and a Pub/Sub topic for the integration. (Click here to preview the step-by-step guide.)
  4. Fill in the details of your Google Cloud setup for the integration.
    1. Google Cloud Organization Name - the name of your integration.
    2. Project ID - the project ID in your Google Cloud Platform.
    3. Topic ID - the horangi-warden-gcp-logs-integration-topic that you created in Pub/Sub for this integration.
    4. Subscription ID - the horangi-warden-gcp-logs-integration-subscription that you created as the Pub/Sub subscription for this integration.
    5. API Credentials
  5. After filling in the necessary information, click ADD to finish the integration. Once the connection is successful, you will be able to view your integration on the Integrations page.

Now, click here to go to Warden to set up Threat Detection Integration.

Add Huawei Cloud Logs Integration

  1. On the Integrations page, look for the Huawei Cloud Logs Integration row and click ADD.
  2. Click ADD NEW HUAWEI CLOUD LOGS INTEGRATION.
  3. Next, follow the step-by-step guide on the onboarding page. (Click here to preview the step-by-step guide.)
  4. Fill in the details of the Huawei Cloud resources created for the integration.
    - The Region field should be the region where you would like to enable CTS log ingestion and create the cloud resources related to this onboarding.
  5. After filling in the necessary information, click COMPLETE to finish the integration. Once the connection is successful, you will be able to view your integration on the Integrations page.

Now, click here to go to Warden to set up Threat Detection Integration.

Offboarding

When you offboard threat detection from your AWS environment, Warden stops receiving events from that S3 bucket.

To offboard threat detection from your AWS environment, you will need to remove the S3 Log Connector from your Horangi account.

  1. Log into your Horangi Storyfier platform.
  2. Click on the gear icon at the top left. On the left panel, click on Integrations. Look for the AWS S3 Bucket Logs Connector row and click ADD.
  3. Select the View button for the S3 Bucket Log Connector that you want to offboard.
  4. Now, click on the DELETE CONNECTION button on the bottom left.
  5. After clicking DELETE CONNECTION, select DELETE CONNECTOR in the next pop-up window.