D3 Security connector and action

edit

D3 Security connector and action

edit

The D3 Security connector uses axios to send a POST request to a D3 Security endpoint. The connector uses the run connector API to send the request. You can use the connector for rule actions.

Prerequisites

edit

To use a D3 Security connector, you must first configure a webhook key in your D3 SOAR environment. To generate an API URL and a token in D3 Security: 1. Log in to your D3 SOAR environment. 2. Navigate to Configuration. 3. Navigate to Integration > Search for “Kibana”. Click “Fetch Event”. 4. Select the "Enable Webhook" checkbox. 5. Click Set up Webhook Keys. 6. Under Event Ingestion, Click +. Select the site for the webhook integration, then click Generate. 7. Copy the Request URL and Request Header Value to configure the Kibana connector

Create connectors in Kibana

edit

You can create connectors in Stack Management > Connectors. For example:

D3 Security connector
Connector configuration
edit

D3 Security connectors have the following configuration properties:

Name
The name of the connector.
URL
The D3 Security API request URL.
Token
The D3 Security token

Create preconfigured connectors

edit

If you are running Kibana on-prem, you can define connectors by adding xpack.actions.preconfigured settings to your kibana.yml file. For example:

xpack.actions.preconfigured:
  my-d3security:
    name: preconfigured-d3security-connector-type
    actionTypeId: .d3security
    config:
      url: https://testurl.com/elasticsearch/VSOC/api/Data/Kibana/Security%20Operations/CreateEvents
    secrets:
      token: superlongtoken

Config defines information for the connector type.

url
A URL string that corresponds to the D3 Security API URL.

Secrets defines sensitive information for the connector type.

token
A string that corresponds to D3 Security API Token.

Test connectors

edit

You can test connectors with the run connector API or as you’re creating or editing the connector in Kibana. For example:

D3 Security params test

The D3 Security actions have the following configuration properties.

Body

A typeless payload sent to the D3 Security API URL. For example:

this can be any type, it is not validated

Connector networking configuration

edit

Use the Action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use xpack.actions.customHostSettings to set per-host configurations.