Third Party Integrations
In addition to Network Visibility and Host Visibility, you may want to pull in data from other third party systems. You can do that via Elastic integrations which support many of the most common products and services. You can read more about Elastic integrations at https://docs.elastic.co/integrations.
Adding an Integration
New integrations can be added to existing policies to provide increased visibility and more comprehensive monitoring.
Tip
When adding a new integration, it is important that you add it to an appropriate policy.
If an integration pulls the data, you should add it to the Fleet Server policy. Depending on complexity and log volume, it might make sense to stand up a Fleet Node and add your integrations to it.
If an integration receives data pushed to it (for example: receiving syslog), consider adding it to the Fleet Server policy. If that is not feasible, then you can add it to the Grid Nodes policy but make sure to set the firewall rules correctly so that you are not opening ports on all of your nodes.
To add an integration to an existing policy:
1. From the main Fleet page, click the Agent policies tab.
2. Select the desired agent policy.
3. Click the Add Integration button.
4. Follow the steps for adding the integration.
Note
If the integration is designed to listen on a port to receive data, it will most likely default to listening on localhost only. Depending on how you are sending data to the integration, you may need to change that to 0.0.0.0 so that it can receive data from other hosts.
For examples of this process, please see the NetFlow and pfSense sections.
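As a check to pair with the note above, here is an added example (not code from the Security Onion or Elastic documentation) that parses `ss -Hlntup` output and reports agent-owned sockets bound to 0.0.0.0, [::] or *, so you can confirm that every listener you opened to other hosts is one you intended and is covered by a firewall rule. The sample `ss` output and the process names in AGENT_PROCS are constructed assumptions; adjust them for your agent version.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample of `ss -Hlntup` output (no header row); not captured from a real node.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0  0     127.0.0.1:5514   0.0.0.0:*  users:(("filebeat",pid=2101,fd=12))
udp   UNCONN 0  0       0.0.0.0:2055   0.0.0.0:*  users:(("filebeat",pid=2101,fd=14))
tcp   LISTEN 0  4096  127.0.0.1:9200   0.0.0.0:*  users:(("java",pid=1010,fd=300))
tcp   LISTEN 0  128        [::]:5514      [::]:*  users:(("agentbeat",pid=2201,fd=9))
tcp   LISTEN 0  128           *:8220         *:*  users:(("elastic-agent",pid=1500,fd=21))
"""

# Assumed names of the processes that run agent inputs; they differ between agent versions.
AGENT_PROCS: Set[str] = {"elastic-agent", "agentbeat", "filebeat", "metricbeat"}
# Local addresses that mean "every interface", i.e. reachable from other hosts.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str

def parse_ss_line(line: str) -> Optional[Listener]:
    """Parse one `ss -Hlntup` line; return None for lines that are not socket rows."""
    fields = line.split()
    if len(fields) < 5:
        return None
    proto, local = fields[0], fields[4]
    addr, sep, port = local.rpartition(":")  # rpartition keeps IPv6 brackets intact
    if not sep or not port.isdigit():
        return None
    match = _PROC_RE.search(line)
    return Listener(proto, addr, int(port), match.group(1) if match else "?")

def exposed_listeners(ss_output: str, procs: Set[str] = AGENT_PROCS) -> List[Listener]:
    """Return agent-owned sockets bound to a wildcard address, i.e. open to other hosts."""
    found = []
    for line in ss_output.splitlines():
        sock = parse_ss_line(line)
        if sock and sock.process in procs and sock.addr in WILDCARD_ADDRS:
            found.append(sock)
    return found

if __name__ == "__main__":
    for sock in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{sock.proto}/{sock.port} on {sock.addr} by {sock.process}: check firewall rule")
```

On a live node, feed the output of `ss -Hlntup` into exposed_listeners() instead of the sample; the 127.0.0.1 listener in the sample is not reported because it is only reachable locally.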
Adding a Custom Integration
A custom integration can be added by adding an integration such as the Custom Logs integration. You can specify various settings relative to the data source and define additional actions to be performed.
Supported Integrations
The current release of Security Onion supports the following Elastic integrations:
Elastic Integration | Elastic Documentation
---|---
1password |
apache |
auditd |
auth0 |
aws |
azure |
barracuda |
barracuda_cloudgen_firewall | https://docs.elastic.co/en/integrations/barracuda_cloudgen_firewall
carbonblack_edr |
cef |
checkpoint |
cisco_asa |
cisco_duo |
cisco_ftd |
cisco_ios |
cisco_ise |
cisco_meraki |
cisco_umbrella |
citrix_adc |
citrix_waf |
cloudflare |
crowdstrike |
darktrace |
elasticsearch |
endpoint |
f5_bigip |
fim |
fireeye |
fleet_server |
fortinet |
fortinet_fortigate |
gcp |
github |
google_workspace |
http_endpoint |
httpjson |
iis |
imperva_cloud_waf |
journald |
juniper_srx |
kafka_log |
lastpass |
log |
m365_defender |
microsoft_defender_endpoint | https://docs.elastic.co/en/integrations/microsoft_defender_endpoint
microsoft_dhcp |
microsoft_sqlserver |
mimecast |
mysql |
nginx |
o365 |
okta |
osquery_manager |
panw |
proofpoint_tap |
pulse_connect_secure | https://docs.elastic.co/en/integrations/pulse_connect_secure
redis |
sentinel_one |
snort |
snyk |
sonicwall_firewall |
sophos |
sophos_central |
symantec_endpoint |
system |
tcp |
tenable_io |
tenable_sc |
ti_abusech |
ti_anomali |
ti_cybersixgill |
ti_misp |
ti_otx |
ti_recordedfuture |
ti_threatq |
udp |
vsphere |
windows |
winlog |
zscaler_zia |
zscaler_zpa |
Note
These integrations have been added over the course of several different releases.
Security Onion 2.4.10 supports the following Elastic integrations:
aws
azure
cloudflare
elasticsearch
endpoint
fleet_server
fim
github
google_workspace
log
osquery_manager
redis
system
tcp
udp
windows
1password
Security Onion 2.4.20 supports these additional Elastic integrations:
apache
auditd
barracuda
cisco_asa
crowdstrike
darktrace
f5_bigip
fortinet
fortinet_fortigate
gcp
http_endpoint
httpjson
juniper
juniper_srx
kafka_log
lastpass
m365_defender
microsoft_defender_endpoint
microsoft_dhcp
netflow
o365
okta
panw
pfsense
sentinel_one
sonicwall_firewall
symantec_endpoint
ti_abusech
ti_misp
ti_otx
ti_recordedfuture
zscaler_zia
zscaler_zpa
Security Onion 2.4.30 supports these additional Elastic integrations:
auth0
carbonblack_edr
checkpoint
cisco_duo
cisco_meraki
cisco_umbrella
fireeye
mimecast
pulse_connect_secure
snyk
sophos
sophos_central
tenable_sc
vsphere
Security Onion 2.4.40 supports these additional Elastic integrations:
cisco_ftd
cisco_ios
cisco_ise
iis
microsoft_sqlserver
mysql
proofpoint_tap
snort
ti_anomali
ti_threatq
Security Onion 2.4.50 supports these additional Elastic integrations:
citrix_adc
citrix_waf
nginx
winlog
Security Onion 2.4.60 supports these additional Elastic integrations:
journald
ti_cybersixgill
Security Onion 2.4.70 supports these additional Elastic integrations:
CEF
Security Onion 2.4.100 supports these additional Elastic integrations:
tenable_io
Security Onion 2.4.110 supports these additional Elastic integrations:
barracuda_cloudgen_firewall
imperva_cloud_waf
More Information
Note
You can read more about Elastic integrations at https://docs.elastic.co/integrations.