Awake Integrations

This section provides a high-level review of the categories of third-party products often integrated into a deployment of the NDR platform. Where a category of integration requires configuration or provides visible functionality in the NDR user interface, those details are given here. Within each category, details unique to specific products are provided where applicable.

SPANs, Network Taps, and Tap Aggregation Platforms

Switch SPAN ports, electrical, optical, or virtual network taps, and tap aggregation platforms are all methods of creating copies of network traffic to send to the NDR Platform. These products/features usually integrate transparently with the NDR platform, simply delivering the traffic the customer desires to the monitoring port on an NDR sensor.

Tap aggregation platforms provide the most flexible methods for aggregating and selecting traffic for security analysis. The Arista DANZ Monitoring Fabric (DMF) is a particularly capable and flexible tap aggregation platform that partners well with the Arista NDR, providing additional features such as extended forensic packet capture retention.

DMF Recording Node Integration

DANZ Monitoring Fabric (DMF) is a next-generation network packet broker (NPB) designed for pervasive, organization-wide visibility and security.

The Awake Security integration with DMF replaces the Awake Sensor's on-premises packet store with the DMF packet broker, so that PCAP files are pulled from the DMF Controller Node. This integration can greatly increase packet store retention time.

The Arista Operations team must perform the following tasks to configure the Awake Nucleus to query DMF Controller Node for PCAP retrieval for the replaced Awake Sensor:
  • Enable firewall to allow outgoing traffic to the DMF Controller Node IP.
  • Add the DMF Controller Node IP to the Awake Nucleus config.
  • Create an authentication token in the DMF Controller Node for the Awake Nucleus to invoke the DMF Controller Node API, and copy the token to the Awake Nucleus config; treat it as a credential.
  • Copy the DMF Controller Node SSL certificate to the Awake Nucleus config.
  • Add configuration of DMF controller in the Awake Nucleus hubsensor config.

For assistance, contact the Arista support team or visit https://www.arista.com/en/support/customer-support.

Security Information and Event Managers (SIEMs)

Security Information and Event Managers (SIEMs) typically collect security-relevant data such as alert records from multiple detection solutions to present a unified picture of the security posture of the organization.

The Arista NDR platform integrates into a SIEM by forwarding adversarial model match notifications to the SIEM using Common Event Format (CEF), Log Event Extended Format (LEEF), or JSON webhook. Sufficient data is included in the adversarial model match notifications for the SIEM to construct deep links back into the Arista NDR platform to view the full context of the event.

In addition to forwarding the model match data using standard protocols, Arista provides a Microsoft Sentinel app.

Configuring Model Match Notifications

Security Information and Event Management (SIEM) is a set of tools and services offering an overall view of an organization's information security. SIEM tools provide real-time visibility across an organization's information security systems, providing event log management that consolidates data from numerous sources.

You can use Awake's Adversarial Modeling Language (AML) to configure and forward model match notifications to SIEM installations. Any function definition with the type

integrations.ModelMatchNotification -> {}

is automatically called with the details of an adversarial model match whenever a match is detected. The function type represents a hook whose input is an adversarial model match notification and whose output is empty; the function is invoked only for its side effects. Awake provides utilities for easily configuring notifications as Common Event Format (CEF) syslog messages, Log Event Extended Format (LEEF) syslog messages, and JSON webhooks.

For example, to forward adversarial model match notifications as CEF events to a SIEM listening for them as UDP messages on port 514, follow these steps:

  1. Navigate to Awake's Detection Management page.
    Figure 1. Platform Dashboard Detection Management

  2. Click + Add New Skill.
  3. Set the Expression field to the expression shown below, modifying as needed:
    integrations.cef.udp
    { destination: "siem.example.com"
    , port: 514
    , severity: Warning
    , awakeHost: "awake.example.com"
    }

    Replace the siem.example.com with the domain name or IP address of the SIEM to forward to, and replace awake.example.com with the domain name or IP address of Awake's installation.

    Note: You can send the SIEM syslog in CEF, LEEF, and JSON formats via TCP and UDP protocols.
  4. Set the Title field to a descriptive name.
  5. Set the Reference Identifier to something easily discoverable, such as integrations.myorg.mysiem as shown in the following figure.
    Figure 2. Add Skill

    Note: Using this naming convention helps ensure that the hook name does not conflict with future vendor-specific utilities that we may distribute.
  6. Click Save.

For more information or assistance, contact the Arista support team or visit https://www.arista.com/en/support/customer-support.

Azure Sentinel Integration

The Azure Sentinel integration in Awake Security sends adversarial model matches from the Awake Security Platform to Azure Sentinel.

This integration provides the following benefits:
  • Accelerates threat remediation using NDR detections
  • Reduces investigation time and effort
  • Provides increased visibility, especially into unmanaged users, devices, and your network applications

Installing the Azure Sentinel Solution

The Azure Sentinel solution provides network security-focused custom alerts, incidents, and workbooks that align with Azure Sentinel workflows.

Perform the following steps to install the solution:

  1. Log on to the Azure portal.
  2. Search for Microsoft Sentinel in services.
    Figure 3. Searching Microsoft Sentinel

  3. Create a workspace or use an existing one.
  4. Navigate to Content Hub under Content management.
  5. Search for Awake Security Arista Networks and click Install.
    Figure 4. Searching Awake Security Arista Networks
  6. On the Awake Security (Arista Networks) - Azure Sentinel Solution page, click Create to start with the configuration.
  7. Under Basics, choose the appropriate Subscription, Resource group and Workspace created earlier and click Next.
    Figure 5. Microsoft Azure - Basics Screen

  8. Under Data Connectors, make sure to install the AristaAwakeSecurity data connector.
  9. Under Workbooks, specify a name for Workbook and click Next.
    Figure 6. Microsoft Azure - Workbooks Screen

  10. Under Analytics, the following three Analytic rules are created:
    • Awake Security - High Match Counts By Device - This query searches for devices with an unexpectedly large number of activity matches.
    • Awake Security - High Severity Matches By Device - This query searches for devices with high severity event(s).
    • Awake Security - Model With Multiple Destinations - This query searches for devices with multiple possibly malicious destinations.
    Figure 7. Azure Sentinel Solution - Analytics Rules

  11. Under Review + create, specify a Name, Email, and Phone number and click Create.
  12. Wait for a few seconds for the deployment to complete and go to the workspace created at Step 3.

Connecting Awake Platform to CEF Collector (Azure Sentinel OMS Agent)


Perform the following steps to forward Adversarial model matches to an Azure Sentinel OMS agent (a CEF collector) listening on TCP port 514 at IP address 192.168.0.1 with Awake platform accessible at IP address 172.168.0.1.
  1. Follow the Configuring Model Match Notifications in Awake Documentation and create a new skill like below:
    integrations.cef.tcp
    { destination: "192.168.0.1"
    , port: 514
    , secure: false
    , severity: Warning
    , skipNullDevice: true
    , awakeHost: "172.168.0.1"
    }
  2. Set the Title field to a descriptive name such as Forward Awake Adversarial Model matches to Azure Sentinel.

    See the image below.

    Figure 8. Connecting Awake Platform to CEF Collector

  3. Set the Reference Identifier to something easily discoverable like, integrations.cef.sentinel-forwarder.
  4. Click Save.
    Within a few minutes of saving the definition and other fields, the system will begin sending new adversarial model matches to the CEF events collector as they are detected. With secure: false the CEF messages travel in clear text over TCP 514, so keep the collector on a network path you trust, or set secure: true if your collector accepts TLS.

Accessing Azure Sentinel Workbook


The Workbook consists of the following three tabs, each of which lets you select different Time Range and Sort by options:
  • The Overview Tab
    Figure 9. Azure Sentinel Workbook - Overview Screen
  • The Models Tab
    Figure 10. Azure Sentinel Workbook - Models Screen

  • The Devices Tab
    Figure 11. Azure Sentinel Workbook - Devices Screen

Splunk Integration

Integration of Splunk with Awake consists of the following tasks:

Configuring Splunk

Splunk configuration consists of the following three tasks:

Configuring Splunk HEC

To set up the Splunk HTTP Event Collector (HEC), please follow the Set up and use HTTP Event Collector in Splunk Web guide.

Note: Awake Security recommends enabling SSL in the Splunk global HEC settings.
Configuring Awake Skills
Perform the following steps to forward Awake Adversarial Model matches to a Splunk HEC endpoint (in this example at IP address 192.168.0.1, port 8808; use whatever port your HEC listener is configured on):
  1. Navigate to the Detection Management Skills page in the Awake UI.
    Figure 12. Awake Skills Screen

  2. Click + Add New Skill. The Add Skill dialog box opens.
    Figure 13. Add Skills Dialog Box

  3. Update the Expression field as provided below:
    integrations.json.splunkHEC callParams { useHttps: true , host: "192.168.0.1" , port: "8808", token: "<Token>" , source: "<Awake Nucleus IP Address>", skipNullDevice: true }
  4. Update the Title field to a descriptive name like, Forward Awake Adversarial Model match result to Splunk HEC.
  5. Set the Reference Identifier to something easily discoverable like, integrations.splunk.<Splunk Hostname>.
  6. Click Save.
    Note: Within a few minutes of saving the definition and other fields the system will begin sending new model match results to the Splunk HEC endpoint as they are detected.
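Before saving the skill, it helps to confirm that the HEC token, port and TLS setup actually accept an event. The following Python script is an added example (not part of the Awake splunkHEC skill or the Splunk app) that posts one JSON event to HEC the way HEC expects it and checks the acknowledgement; the host, port, token and sample event are placeholders, and the sourcetype name is an assumption.

```python
# Added example (not Awake or Splunk code): post one JSON event to a Splunk HTTP
# Event Collector and check its acknowledgement, so the token, port and TLS setup
# can be verified independently of the Awake skill. All values are placeholders.
import json
import ssl
import urllib.error
import urllib.request
from typing import Any, Dict, Tuple

HEC_PATH = "/services/collector/event"  # Splunk HEC JSON endpoint


def build_hec_request(host: str, port: int, token: str, event: Dict[str, Any],
                      source: str, sourcetype: str = "awake:modelmatch",
                      use_https: bool = True) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for a HEC POST. HEC authenticates with the header
    'Authorization: Splunk <token>' and expects the payload wrapped in an "event" field."""
    scheme = "https" if use_https else "http"
    url = f"{scheme}://{host}:{port}{HEC_PATH}"
    body = json.dumps({"event": event, "source": source, "sourcetype": sourcetype}).encode("utf-8")
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return url, headers, body


def hec_accepted(response_body: bytes) -> bool:
    """HEC answers {"text":"Success","code":0} on success; any non-zero code
    (for example 4 = invalid token) means the event was rejected."""
    try:
        return json.loads(response_body).get("code") == 0
    except ValueError:
        return False


def send_to_hec(host: str, port: int, token: str, event: Dict[str, Any], source: str,
                verify_tls: bool = True, timeout: int = 10) -> bool:
    """POST one event and return True only if HEC acknowledged it."""
    url, headers, body = build_hec_request(host, port, token, event, source)
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Lab-only escape hatch for a self-signed HEC certificate; keep verification on in production.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return hec_accepted(resp.read())
    except urllib.error.HTTPError as err:
        # HEC returns 4xx with a JSON body explaining the rejection (bad token, bad format, ...)
        return hec_accepted(err.read())


# Constructed sample mirroring the kind of fields a model match carries (illustrative names only).
SAMPLE_EVENT = {"model": "Suspicious DGA lookup", "device": "ws-0042",
                "severity": "High", "awakeHost": "awake.example.com"}

if __name__ == "__main__":
    ok = send_to_hec("192.168.0.1", 8808, "<Token>", SAMPLE_EVENT, source="<Awake Nucleus IP Address>")
    print("HEC accepted the test event" if ok else "HEC rejected the test event; check token/port/TLS")
```

If this script reports a rejection, fix the HEC token or listener before configuring the skill; if it succeeds but the skill's events never arrive, the problem lies between the Nucleus and the collector (firewall or skill expression), not in Splunk.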
Installing Awake Security Application

Search for the Awake Security Application and install it from the Browse More Apps page of Splunk Enterprise UI.

Note: You can also download and install it from the Splunkbase - Awake Security Application.

Using the Awake Security Splunk Application

The Awake Security Splunk Application consists of the following tabs:
Awake Security Dashboard
The Awake Security Dashboard provides an overview of the Adversarial model matches that have occurred over a selected period, with views of overall match counts, the match breakdown by Adversarial model name, and the match breakdown by device name. These views provide rich starting points for further investigation of potential threats.
Figure 14. Awake Security Dashboard Screens

Note: The statistics tables in the Models and Devices tabs also link to the corresponding event on the Awake Platform.
Reports
The Reports tab provides reports of the top 10 Adversarial model matches that have occurred over the past day for devices matching the following criteria:
  • Top 10 High Match Counts - Devices with unexpectedly large number of risky activity matches
  • Top 10 High Severity Matches - Devices with high severity events
  • Top 10 Model Matches With Multiple Destinations - Devices communicating with multiple possible malicious destinations
Figure 15. Reports Screen

You can also create new reports and modify or delete existing ones.

Perform the following steps to add an action for a report:
  1. Click the Edit dropdown menu on the required report row.
  2. Click Edit Schedule. Splunk pops-up the Edit Schedule dialog box.
    Figure 16. Edit Schedule Dialog Box

  3. Under Trigger Actions, click the + Add Actions dropdown menu.
  4. Select the required action.
  5. Click Save.
Alerts
The Alerts tab defines alerts based on the Adversarial model matches that have occurred over the past hour for devices matching the following criteria:
  • High Match Counts By Device - Devices with unexpectedly large number of risky activity matches
  • High Severity Matches By Device - Devices with high severity events
  • Model Matches With Multiple Destinations By Device - Devices communicating with multiple possible malicious destinations
    Figure 17. Alert Screen

You can also create new alerts and modify or delete existing ones.

Perform the following steps to add an action for an alert:
  1. Click the Edit dropdown menu on the required alert row.
  2. Click Edit Alert. Splunk pops-up the Edit Alert dialog box.
    Figure 18. Edit Alert Dialog Box

  3. Under Trigger Actions, click the + Add Actions dropdown menu.
  4. Select the required action.
  5. Click Save.
Search
By using the Splunk Search Processing Language (SPL), you can further filter results.
Figure 19. Search Screen

After expanding an event, you can use Event Action > Awake Security: Pivot to [Activities / Devices / Device Detail] to open the Awake platform and view the detailed device and session activity results corresponding to the Adversarial model match.

Sumo Logic

Sumo Logic is a cloud-native, multi-tenant platform that helps you make data-driven decisions and reduces your time to investigate security and operational issues by making data aggregation easier across your stack of applications. It provides real-time analytics to help you rapidly identify and resolve potential cyber attacks, detect and prevent breaches, and reduce compliance costs.

Sumo Logic Setup

EAQL Skill
Arista uses the awake-push-integrations-service to forward model match events to the Sumo Logic collector. Configure it as follows:
  1. From the dashboard open Detection Management page.
  2. Click + Add New Skill.
  3. Set the Expression to one of the following, replacing the <...> placeholders with your collector's values:
    Hosted Collector
    integrations.json.httpsWithHost { callParams | verifyCerts = true } [| HTTPS |]
    { headers: [], host: "<collector host>", port: 443, path: "<collector URL path>", skipNullDevice: <true/false>, awakeHost: "<Awake host>" }

    Installed Collector
    integrations.json.httpsWithHost { callParams | verifyCerts = false } [| HTTP |]
    { headers: [], host: "<collector host>", port: <collector port>, path: "<collector URL path>", skipNullDevice: <true/false>, awakeHost: "<Awake host>" }

    Note: The Installed Collector form sends events over plain HTTP with certificate verification disabled; use it only when the collector sits on a trusted network segment, and prefer the HTTPS form with verifyCerts = true whenever the collector presents a certificate.
  4. Set the Title. For example, Forward events to Sumo Logic.
  5. Set the Reference Identifier. For example, integrations.awake.sumo.
  6. Click Save.

Once you save the definition, the system begins sending events to the platform within a few minutes.

Setup Dashboard and Alerts

Prior to Import

Replace the Awake source category with the source category configured for the collector.

To Import

Steps to import the content are provided in Export and Import Content in the Library.

Post Import

For each alert, click Edit and set the alert type as required.

Syslog Integration (CEF/LEEF)

This section describes how to add a push integration and how to troubleshoot it.

Adding a Push Integration

Awake's system uses EAQL to configure and forward Adversarial model matches to SIEM installations for our customers.

Specifically, any EAQL definition of the following type:
```
integrations.ModelMatchNotification -> {}
```

Such a definition runs automatically on every model match notification generated by the system. The function type above represents a hook whose input is an Adversarial model match and whose output is empty (the function is invoked only for its side effects).

Awake's EAQL package contains predefined utilities for creating such hooks. For example, to forward model match notifications as LEEF events to a SIEM listening for them as UDP syslog messages on port 514, follow the steps below (substitute integrations.cef.udp to emit CEF instead):

  1. Navigate to Awake's Detection Management page.
  2. Click on + Add New Skill.
  3. Set the Expression field to this:
    ```
    integrations.leef.udp
    { destination: "siem.example.com"
    , port: 514
    , severity: Warning
    , awakeHost: "awake.example.com"
    }
    ```

    replacing siem.example.com with the domain name or IP address of the SIEM to forward to and replacing awake.example.com with the domain name or IP address of our product's installation.

  4. Set the Title field to a descriptive name. For example, Forward Adversarial model match to IBM QRadar if the destination were a QRadar installation.
  5. Set the Reference Identifier to something easily discoverable. For example, `integrations.${CUSTOMER_NAME}.${SIEM_NAME}`. Using this naming convention will help ensure that the hook name doesn't conflict with future vendor-specific utilities that we might distribute.
  6. Click Save.

    Once you save the definition, within a few minutes the system begins to send all-new model match notifications to the specified SIEM address.

    You can find other useful utilities for integrations by browsing the `integrations` module hierarchy in our product's Detection Management page.

    Figure 20. Adding Push Integration

Troubleshooting

Adversarial model matches are generated in infrequent bursts, so you might not see model matches appear in the destination SIEM for up to an hour even if everything is configured correctly. You can (and should) send test model matches using the product's workbench to diagnose connectivity issues during the initial installation.

We store a sample model match notification under the reference identifier `integrations.ModelMatchNotification.example`, and you can invoke the integration skill you created on that sample payload in the workbench.

For example, if the hook you installed is named `integrations.exampleCustomer.exampleSIEM` then you can test that integration skill on the sample payload by issuing this command in the workbench:
integrations.exampleCustomer.exampleSIEM integrations.ModelMatchNotification.example

Execute the command, then check whether the sample payload appears in the customer's SIEM. If it does not, amend the integration skill as necessary and reissue the command until the model match notification arrives in the destination SIEM.
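As an added check, the following Python script (example code written for this page, not part of Awake or Arista's product) builds and parses CEF messages of the shape the integrations.cef.udp and integrations.cef.tcp skills from Configuring Model Match Notifications produce, and includes a small UDP listener. Run it on a test host, point a skill at that host (destination: its address, port: 5514), and invoke the skill on integrations.ModelMatchNotification.example as described above to confirm the payload is well formed before involving the SIEM. The vendor and product strings, the extension keys in the sample, and port 5514 are assumptions for illustration; the real notification carries whatever fields the skill emits.

```python
# Added example (not Awake/Arista code): build and parse CEF syslog messages,
# plus a UDP listener to receive a test notification. Vendor/product strings,
# extension keys and port 5514 are constructed for illustration.
import re
import socket
from typing import Dict, List, Tuple

# CEF layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# Escaping per the CEF spec: '|' and '\' in header fields; '=' and '\' (and newlines) in extension values.
_HEADER_ESCAPES = (("\\", "\\\\"), ("|", "\\|"))
_EXT_ESCAPES = (("\\", "\\\\"), ("=", "\\="), ("\r", "\\r"), ("\n", "\\n"))
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # an extension key is a word followed by an unescaped '='


def _escape(value: str, table) -> str:
    for raw, esc in table:
        value = value.replace(raw, esc)
    return value


def _unescape(value: str) -> str:
    """Undo CEF escaping one character at a time so '\\\\' and '\\=' are not confused."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_cef(vendor: str, product: str, version: str, signature_id: str,
              name: str, severity: int, extension: Dict[str, str]) -> str:
    header = "|".join(_escape(str(f), _HEADER_ESCAPES)
                      for f in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape(str(v), _EXT_ESCAPES)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _split_header(msg: str) -> Tuple[List[str], str]:
    """Split on unescaped '|' until the seven header fields are read; the remainder is the extension."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        c = msg[i]
        if c == "\\" and i + 1 < len(msg):   # escaped '|' or '\' inside a header field
            cur.append(msg[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:                      # message ended without a trailing '|'
        fields.append("".join(cur))
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, msg[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line; any PRI/timestamp/host prefix before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line[start:])
    version, vendor, product, dev_version, sig_id, name, severity = fields
    return {"version": version[len("CEF:"):], "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": severity, "ext": _parse_extension(ext)}


def listen_udp(port: int = 5514, count: int = 1) -> List[Dict[str, object]]:
    """Receive `count` datagrams and return them parsed. Binding 514 needs root, so
    bind a high port for the test and put that port in the skill's `port:` field."""
    events: List[Dict[str, object]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while len(events) < count:
            data, _peer = sock.recvfrom(65535)
            events.append(parse_cef(data.decode("utf-8", "replace")))
    return events


# Constructed sample (not a real Awake notification) showing the round trip.
SAMPLE = build_cef("Arista", "NDR", "1.0", "model-match", "Suspicious | DGA lookup", 7,
                   {"src": "10.1.2.3", "dvchost": "awake.example.com",
                    "msg": "adversarial model matched: score=0.93"})

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_cef("<134>Jun 10 12:00:00 awake " + SAMPLE))
    # For a live check, uncomment the next line, then fire the sample payload at this host:
    # print(listen_udp(5514))
```

If nothing arrives within a minute of invoking the skill on the sample payload, the fault is the Nucleus firewall or the skill expression rather than the SIEM; once the listener shows a well-formed message, switch the skill's destination and port back to the real collector.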

Elasticsearch Integration

Awake supports integration with Elasticsearch, where Analysts can monitor and incorporate granular alerts from Awake into their Elasticsearch instance.

Integrates Logs and Network Data

Elasticsearch is a distributed search and analytic engine used by thousands of organizations worldwide to store, search, and analyze high volumes of data in real time. Built on a foundation of deep network analysis, the Arista NDR Platform provides a broad perspective on the organization's attack surface and the critical business assets that are parts of it. Awake tracks every asset as it moves across your network and autonomously builds an understanding of the relationships and similarities between entities. This tracking and situational awareness goes beyond just the known and managed assets that feed telemetry into a solution like Elasticsearch.

Bringing this visibility from Awake into Elasticsearch amplifies the latter's analytic capabilities and in turn provides security teams with rich contextual data for efficient detection, threat hunting, and rapid incident response. For instance, Awake's Device Entity model and Entity Tracker identify, profile, and track all the devices, users, and applications that have a network connection. Rather than working with an IP address, security analysts operate on a device that may have had half a dozen IP addresses over the past few days; Awake behaviorally associates all of those IPs with a single device, simplifying and decluttering the analyst workflow. As seen in the screenshots below, sending this information into Elasticsearch lets this entity-centric view be correlated with operational data collected from other IT and security solutions. In addition, Awake's detections of attacker tactics, techniques, and procedures (TTPs) are also reported into Elasticsearch, as highlighted below, allowing teams to track these threats through the rest of their infrastructure. The first image below is from Elasticsearch's capture mode:
Figure 21. Elasticsearch

Here is another perspective from Elasticsearch, this time a detailed analysis screen:
Figure 22. Elasticsearch Detail Analysis

With the information they need at their fingertips, security analysts empowered by the combination of Awake Security and Elasticsearch can focus on risk management and decision making rather than data gathering and analysis. The correlated information can then trigger additional response actions, including blocking domains or IPs at the firewall or proxy. All of this can be accomplished automatically in an instant.

To get started, all you need is:
  • The Elasticsearch server address.
  • The Elasticsearch username and password.
Note: Use a dedicated Elasticsearch user for Awake whose privileges are limited to writing the target index, rather than a shared administrator account.

This gets your integration up and running in minutes. Contact Awake or your customer success manager if you would like to see this integration in action.


IT Ticketing Systems

Ticketing systems are typically used to track progress on an issue from start to finish, facilitating collaboration among a group working the issue by tracking status updates, comments, etc.

The Arista NDR platform integrates with ticketing systems through model match notifications as described for SIEMs above.

See the Configuring Model Match Notifications section for adding a SIEM push integration.

ServiceNow Integration

Awake supports integration with the ServiceNow ticketing module, which lets you monitor alerts from Awake in your ServiceNow instance. Once configured, the Awake appliance pushes all of the periodic threat behavior results to ServiceNow incidents.

To configure ServiceNow support, give your sales engineer the following information necessary to connect to and authenticate with your server:
  • The ServiceNow server address.
  • The username and password of a service account that Awake can use to authenticate against the server.
Note: The account must have rights to create incidents in ServiceNow; use a dedicated service account limited to that role rather than a shared administrator account.

Logging Into ServiceNow

  • The first time you log into ServiceNow, you will see the welcome screen. What is shown here is from the New York release of ServiceNow.
    Figure 23. ServiceNow Opening Screen

  • From the left side menu, search for “Incidents” under All Applications by typing “Incident” in the Filter Navigator search box.
    Figure 24. ServiceNow Incidents

  • Next, select the icon on the far left to select Service Desk - Incidents:
    Figure 25. Service Desk - Incidents

  • ServiceNow retrieves a list of incidents that are known to the Service Desk. Note that there is one incident ticket per model/device pair:
    Figure 26. Servicenow Incident List

  • Click one of the incidents to see details.
    Figure 27. Servicenow Incident Details

  • You can now edit the incident as part of your usual workflow.


Security Orchestration, Automation, and Response (SOAR) Platforms

Security Orchestration, Automation, and Response (SOAR) platforms focus on automating security analysis workflows among multiple cooperating products.

Most SOAR systems provide features to receive notifications and call APIs in other products that are compatible with the CEF, LEEF, or webhook model match notifications and REST APIs of the Arista NDR platform, enabling SOAR customers to develop the automation they desire. Arista has developed plugin modules that streamline data connectivity and automation development in the Splunk Phantom product and the Palo Alto Networks Demisto product.

Demisto Integration

Awake runs as an integration instance within Demisto. These instructions are for an Awake end user, approaching from the Demisto context.

To quote Demisto: "Demisto is a leading Security Orchestration, Automation, and Response (SOAR) platform that helps security teams accelerate incident response, standardize and scale processes, and learn from each incident while working together."

For administrators setting up Awake access for the first time, see Admin Instructions below.

Begin by Running Demisto

Start your Demisto session.

Load Awake from the Settings Screen

  1. If you are not on the Settings screen, click Settings at the bottom left of your Demisto screen.
  2. On the Settings screen, click inside the Search integration dialog box:
    Figure 28. Search Integration

  3. Type awake into the search box.
    You should see Awake listed as a Demisto integration.
    Figure 29. Demisto Integration

  4. You can now integrate Awake commands into your Demisto workflow.

The Awake Security Commands

On the Awake Security line, there is a link that enables you to show the Awake commands that have been integrated into the Demisto environment. Click Show Commands.
Figure 30. Show Commands

 

This integration imports events as incidents in Demisto. The commands are:
  • awake-pcap-download - Download a PCAP.
  • awake-query-activities - Query activities.
  • awake-query-devices - Query devices.
  • awake-query-domains - Query domains.
  • device - Look up a device.
  • domain - Look up a domain.
  • email - Look up an email address.
  • ip - Look up an IP address.

The main commands are:

  • device/ip/email/domain - Get details for that item (analogous to a details page in Awake, such as device details or domain details).
  • awake-query-domains, awake-query-activities, awake-query-devices - These queries correspond to the query results in the three tabs in the Awake workbench.
  • awake-pcap-download - A convenience utility to download a packet capture file (PCAP) from the Awake system.

The usual workflow for Awake interactive commands is to query for a list of domains, activities, or devices using one of the awake-query-domains, awake-query-activities, or awake-query-devices commands, then, if you want more detail on one of those results, use the device/ip/email/domain commands.

For example, to list devices whose domain fits the profile of one created by a domain-generating algorithm, and are thus suspect, make the following query:

awake-query-devices query="domain.is_dga == true"

Note that the Demisto command awake-query-devices carries the Awake query expression (domain.is_dga == true) as its query argument.

Admin Instructions

The remainder of this document is intended for the Administrator who sets up Awake.

Setting up an Awake Account on Demisto

To set up Awake as an authorized plug-in for Demisto, you need:

  • Name - "Awake Security"
  • Credentials - The login name on the Awake Security server
  • Password - The password on the Awake Security server
  • Awake Security server address - The HTTPS URL for the server
To begin, click the Gear icon at the far right of the Awake line. You can then enter the Name, Credentials, and so on.
Figure 31. Setting Up An Awake Account

We recommend checking the boxes for Verify server certificate and Fetch incidents.

You should always click Test to be certain that your connection to the Awake server is live. Demisto responds with a success message to confirm, or a diagnostic message if there is a failure. The success message looks like this:
Figure 32. Success

You can now use the Awake integration within Demisto, as described above.

Endpoint Detection and Response (EDR) Systems

Endpoint Detection and Response (EDR) systems monitor activity on instrumented hosts and detect threats based on memory and host file contents, process behavior, etc.

The Arista NDR platform integrates with the CrowdStrike, SentinelOne, and Carbon Black EDR systems. Integration allows the NDR to present additional device information from the EDR platform and to respond to security incidents by isolating compromised hosts from the network until they can be remediated.

SentinelOne Integration

To quote SentinelOne: "The SentinelOne Endpoint Protection Platform (EPP) unifies prevention, detection, and response in a single purpose-built agent powered by machine learning and automation. It provides prevention and detection of attacks across all major vectors, rapid elimination of threats with fully automated, policy-driven response capabilities, and complete visibility into the endpoint environment with full-context, real-time forensics."

Begin by Opening SentinelOne

If your security staff has already installed and enabled SentinelOne, you will see it on the sidebar of the EntityIQ Device Profile Page.
Figure 33. SentinelOne Sidebar

If you do not see it there, contact your security staff to request that they add you to the authorized users.


Configuring SentinelOne Integration

Perform the SentinelOne API Configuration and Awake Appliance Configuration procedures to configure SentinelOne Integration.

SentinelOne API Configuration
Perform the following tasks to configure SentinelOne API:
  1. Navigate to your SentinelOne instance, and configure a new API.
  2. From the SentinelOne menu, select API Clients and Keys.
  3. Click Add New API Client to configure the API.
  4. Add a name and description for your API.
  5. Enable Read and Write access for the Hosts API Scope.
  6. Save the CLIENT ID and SECRET on your local drive.
    Note: You will need both later in the configuration.
Awake Appliance Configuration
Perform the following steps to configure your Awake appliance:


  1. Connect to your Awake Appliance and edit the configuration.nix file, usually found at /etc/nixos/configuration.nix.
  2. Make sure there is an entry like the following (Nix comments start with #):
    integrations = {
      enable = true;
      SentinelOne = {
        enable = true;
        address = "<api url>";              # example: address = "https://api.us-2.sentinelone.com/";
        clientId = "<client id>";           # the Client ID of the API client you just created
        clientSecret = "<client secret>";   # the Client Secret of the API client you just created
      };
    };
    Note: If the integrations entry already exists, add only the SentinelOne entry within it. The client secret is stored in clear text in configuration.nix, so restrict read access to that file and rotate the API client secret if the file is ever copied or shared.
  3. Redeploy your machine with a command like e2e-upgrade --command switch.
    You have now configured Awake's SentinelOne Integration.

Accessing SentinelOne Integration

Awake's SentinelOne integration associates EntityIQ Device Profile pages with SentinelOne hosts, exposing additional context and actions within the EntityIQ Device Profile for devices that have an associated host.

When you navigate to an EntityIQ Device Profile page, Awake uses the attributes it knows about the device to query the SentinelOne API for matching hosts. The method for querying the SentinelOne API is documented in a flowchart that Awake can make available on request.

When a host match is found, View SentinelOne Host Details and Contain options are displayed on the EntityIQ Device Profile sidebar when you hover the cursor over the SentinelOne popup menu icon.

The Contain option lets you contain a SentinelOne host (or lift containment, depending on the host's current status) straight from the EntityIQ Device Profile page. After you select Contain (or Lift Containment) and confirm, Awake calls the SentinelOne API to change the host's containment state. Because the API client created above has write access to the Hosts scope, any Awake user authorized for this integration can isolate or release any matched host; keep that list of authorized users small.

CrowdStrike Falcon Integration

Carbon Black Integration

To quote Carbon Black: "Cybersecurity has become a big data problem. Solving it requires sophisticated analytics and the computational power and agility of the cloud. With the Cb Predictive Security Cloud platform, we are transforming cybersecurity with a new generation of cloud-delivered security solutions designed to protect against the most advanced threats."

Begin by Opening Carbon Black

Your security staff should have already installed Carbon Black. If it is enabled, you should see it in the sidebar of the EntityIQ Device Profile page.
Figure 34. Device Profile Page

If you do not see it there, contact your security staff to request that they add you to the authorized users.

Isolating Your Device Quickly

  • From the Awake Device Profile, isolate your device by clicking the down-arrow next to the Carbon Black listing, and then clicking Isolate device. You will be asked to confirm your choice.
    Figure 35. Isolate Device

  • When the device you isolated is safe, you can remove the isolation in the same way you activated it, except that this time you click Remove device isolation.
    Figure 36. Remove Isolation

Open the EDR Details Screen for Carbon Black

  • Click the down-arrow next to the Carbon Black listing, and then click View EDR details.
    Figure 37. View Details

  • The Carbon Black Endpoint Detection and Response (EDR) opening screen then loads. From there, follow your customary Carbon Black procedures.
    Figure 38. Carbon Black Endpoint Detection and Response


Threat Intelligence Services

Threat intelligence services monitor the evolution of the general Internet threat environment and distribute information about current threats and the associated threat actors. Typically the most actionable data they distribute are lists of identifiers such as IP addresses, domain names, and file hashes that are known to be malicious. These lists can be formatted into a CSV import format for use in the Arista NDR product.

See the Importing Files Showing Indicators Of Compromise (IOC) section for details on importing IOCs from threat intelligence providers.

Firewalls and Other Network Enforcement Points

Firewalls provide another method of responding to an incident to limit the damage by isolating compromised devices on the network.

The Arista NDR platform provides a flexible system of policy lists that can contain IP addresses, domains, and URLs. Convenient interactions allow for the addition and removal of lists and list elements, enabling accurate maintenance with minimal effort.

Firewalls integrate with the NDR platform by periodically retrieving one or more lists and incorporating the items on those lists into the enforced firewall policy. The mapping from the information in the NDR policy list to the format required by the firewall is specified in configuration data. A standard configuration supporting the Palo Alto Networks firewall External Dynamic List (EDL) feature is provided; mappings to other firewall formats are easy to implement.

Policy List-Based Response Integration

Palo Alto Networks (PAN) advanced firewall features easily integrate the results of security analysis into firewall policies. One such feature is External Dynamic Lists, which configures a firewall policy to pull a list of specific identifiers (for PAN: IP addresses/CIDR ranges, domains, and URLs) from a remote HTTP location and incorporate it into the policy.

The Arista NDR Platform can integrate with the Palo Alto Networks (PAN) firewall features with relatively low effort, thereby addressing commonly requested active response use cases such as cutting off the access of systems infected with ransomware. All that is required is to manage lists of the appropriate types of values and serve them over appropriately authenticated HTTP. The ability to manage named lists of values, as this integration requires, is also useful for other purposes in the ASP, such as defining the networks used for specific purposes, among many others.
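The mapping step described above, shown as an added example that is not Arista's or Palo Alto Networks' code: a small Python renderer turns a policy list into EDL text, one list per type and one entry per line, dropping expired entries and rejecting malformed values or wildcards that were not explicitly enabled. The policy-list entry layout, the sample entries, and the scheme-less URL syntax are assumptions made for this example; confirm entry syntax against the PAN-OS documentation for the release in use.

```python
"""Render an NDR-style policy list as Palo Alto External Dynamic List (EDL) text.
Added example, not Arista code. Assumed entry shape: {"type": "ip"|"domain"|"url",
"value": str, "expires": ISO 8601 with UTC offset or None, "wildcard": bool (optional)}."""
import ipaddress
import re
from datetime import datetime, timezone

_DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)
_URL_RE = re.compile(r"^[A-Za-z0-9.*-]+(/\S*)?$")  # scheme-less host/path, assumed for URL lists


def _valid(entry):
    """True if the value is well formed for its declared type."""
    kind, value = entry["type"], entry["value"].strip()
    if "*" in value and not entry.get("wildcard", False):
        return False  # '*' is only passed through when the wildcard switch is set
    if kind == "ip":
        try:
            ipaddress.ip_network(value, strict=False)  # host address or CIDR range
            return True
        except ValueError:
            return False
    pattern = {"domain": _DOMAIN_RE, "url": _URL_RE}.get(kind)
    return bool(pattern and pattern.match(value))


def render_edl(entries, list_type, now=None):
    """EDL body for one list type: valid, unexpired entries, one per line, deduplicated."""
    now = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    lines = []
    for e in entries:
        if e["type"] != list_type or not _valid(e):
            continue
        if e.get("expires") and datetime.fromisoformat(e["expires"]) <= now:
            continue  # expired entries drop off the served list on the firewall's next fetch
        lines.append(e["value"].strip() if list_type == "url" else e["value"].strip().lower())
    return "".join(v + "\n" for v in dict.fromkeys(lines))

# Constructed sample list: documentation address ranges and made-up names only.
SAMPLE = [
    {"type": "ip", "value": "10.20.30.40", "expires": None},
    {"type": "ip", "value": "192.0.2.0/24", "expires": "2099-01-01T00:00:00+00:00"},
    {"type": "ip", "value": "10.0.0.1", "expires": "2000-01-01T00:00:00+00:00"},
    {"type": "ip", "value": "not-an-ip", "expires": None},
    {"type": "domain", "value": "Bad.Example.test", "expires": None},
    {"type": "domain", "value": "*.evil.example", "expires": None, "wildcard": True},
    {"type": "domain", "value": "*.oops.example", "expires": None},
    {"type": "url", "value": "example.test/payload.bin", "expires": None},
]
```

Serve the output of render_edl for each type at its own authenticated HTTPS path; the firewall then picks up expirations on its next scheduled fetch without any further action in the NDR UI.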

Adding a Policy List

Following are the steps to add a policy list:
  1. Click on the System Management section of the product UI as shown.
    Figure 39. System Management

  2. Click on the Policy Lists tab on the System Management page. This page presents a table of all the policy list entries. Next, click the +Add Policy tab in the top right-hand corner of the Policy Lists page, and from the drop-down select the policy type you wish to configure.
    Figure 40. Policy List Overview

    Figure 41. Add policy List Row

  3. The Add New Domain section allows users to configure a policy using a Domain name.
    Figure 42. Add Domain Page

  4. The Add New IP Address section allows users to configure a policy using an IP address.
    Figure 43. Add IP Address

  5. The Add New URL section allows users to configure a new policy using a URL.
    Figure 44. Add URL Page

Add a Device to an Existing Policy List

  1. Click on the device, either in the dashboard or in the Workbench, to navigate to the EntityIQ Device Profile page.
  2. Under the Firewall Policy Lists pane, click the drop-down and pick the Policy List to which the device needs to be added.
  3. Click OK in the dialogue box.
  4. Navigate to the Policy List page to see the device added to the Policy List.

Adding IP to a Policy List Page

Following are the steps to add an IP address from the “Policy List” tab under System Preferences.
  1. Click on the System Management section of the product UI as shown.
    Figure 45. System Management

  2. Click on the Policy Lists tab on the System Management page. This page presents a table of all the policy list entries. Next, click the +Add Policy tab in the top right-hand corner of the Policy Lists page, and from the drop-down select the policy type you wish to configure.
    Figure 46. Policy List Overview

    Figure 47. Add policy List Row

  3. Include the following details:
    Figure 48. Add IP Address

    1. IP address (manually copy the IP address from the Workbench, the dashboard, or the EntityIQ device details).
    2. Add the device from the drop-down or by copying it manually.
    3. Set an expiration date.
    4. Add a new policy name or select an existing policy from the drop-down.
    5. Add a reason.
    6. Click Save.
    7. The Policy List appears on the Policy List page.
    8. Click on the device name to navigate to the EntityIQ Device Profile page. The Policy List is shown under Firewall Policy List.

Adding Domain to a Policy List Page

Following are the steps to add a Domain from the “Policy List” tab under System Preferences.
  1. Click on the System Management section of the product UI as shown.
    Figure 49. System Management

  2. Click on the Policy Lists tab on the System Management page. This page presents a table of all the policy list entries. Next, click the +Add Policy tab in the top right-hand corner of the Policy Lists page, and from the drop-down select the policy type you wish to configure.
    Figure 50. Policy List Overview

    Figure 51. Add policy List Row

  3. Include the following details in the dialogue box:
    Figure 52. Add Domain Page

    1. Domain Name (manually copy the domain from the Workbench, the dashboard, or the EntityIQ Domain Profile).
    2. Add the device from the drop-down or by copying it manually (this can be used as a reference point to check for policy violations in the Workbench).
    3. Set an expiration date.
    4. Add a new policy name or select an existing policy from the drop-down. Adding to an existing policy list results in a new entry with the same name in the Policy List table.
    5. If the domain name includes wildcard characters, toggle the wildcard switch so that the firewall-specific wildcard is sent in the Policy List.
    6. Add a reason.
    7. Click Save.
    8. The Policy List appears on the Policy List page.
    9. Click on the device name to navigate to the EntityIQ Device Profile page. The Policy List is shown under Firewall Policy List.

Adding URL to a Policy List Page

Following are the steps to add a URL from the “Policy List” tab under System Preferences.
  1. Click on the System Management section of the product UI as shown.
    Figure 53. System Management

  2. Click on the Policy Lists tab on the System Management page. This page presents a table of all the policy list entries. Next, click the +Add Policy tab in the top right-hand corner of the Policy Lists page, and from the drop-down select the policy type you wish to configure.
    Figure 54. Policy List Overview

    Figure 55. Add policy List Row

  3. Include the following details in the dialogue box:
    Figure 56. Add URL Page

    1. Add URL (manually copy the URL from the Workbench).
    2. Add the device from the drop-down or by copying it manually (this can be used as a reference point to check for policy violations in the Workbench).
    3. Set an expiration date.
    4. Add a new policy name or select an existing policy from the drop-down. Adding to an existing policy list results in a new entry with the same name in the Policy List table.
    5. If the URL includes wildcard characters, toggle the wildcard switch so that the firewall-specific wildcard is sent in the Policy List.
    6. Add a reason.
    7. Click Save.
    8. The Policy List appears on the Policy List page.
    9. Click on the device name to navigate to the EntityIQ Device Profile page. The Policy List is shown under Firewall Policy List.

Identity Providers

The NDR platform integrates with identity providers that support OpenID Connect (OIDC). The Arista deployment team handles identity provider configuration during deployment. Contact Arista Support for assistance.