A common misunderstanding we often hear in the security and integrations field is the belief that once two applications have been integrated, the work is done.
While it is true that the bulk of the coding and development work has been deployed by that point, operators should always bear in mind that any integration must be thoroughly tested as part of the final vetting of the deployment.
The goal of this article is to help users understand how data flows when an integration is configured. The integration is frequently between an endpoint detection and response or extended detection and response platform (EDR and XDR, as they are commonly abbreviated in the cybersecurity domain) and a SIEM or SOAR. This article also illustrates some common integration test cases. The terms EDR and XDR are used interchangeably in the text ahead.
SIEM/SOAR and EDR or XDR Integration Setup
When connecting these two products, the integration is typically installed on the SIEM/SOAR.
At the most basic level, when an EDR is integrated with a SIEM/SOAR, the EDR's APIs are periodically called to fetch the data. Most integrations pull the data through the API in this way, but in some the XDR instead pushes the data to the SIEM/SOAR over TCP or UDP ports.
In either case, the data flowing from the EDR to the SIEM/SOAR arrives in one of two formats, determined by the mode in which the XDR and SIEM/SOAR are connected:
- API: JSON
- TCP/UDP: Syslog
The figure below shows the pull and the push of the data:
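The two transports deliver the same kind of alert in different shapes, so the SIEM/SOAR side has to parse both into one record before correlation or automation can act on it. The following is an added example, not code from the article or from any EDR or SIEM vendor: it normalises a JSON alert as a pulled API response might return it and an RFC 5424 syslog line as a pushed TCP/UDP message would carry it. The JSON field names, the syslog structured-data element and both sample payloads are constructed assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample: a JSON alert as an EDR REST API might return it.
# The field names (id, created_at, severity, hostname, description) are assumptions.
API_JSON_EVENT = json.dumps({
    "id": "alert-1001",
    "created_at": "2024-03-01T10:15:00Z",
    "severity": "High",
    "hostname": "ws-finance-07",
    "description": "Suspicious PowerShell execution",
})

# Constructed sample: the same kind of alert pushed as an RFC 5424 syslog line,
# carrying its fields in a structured-data element (the SD-ID "alert" is assumed).
SYSLOG_EVENT = (
    '<134>1 2024-03-01T10:16:30Z edr-console xdr-forwarder - ALERT '
    '[alert id="alert-1002" severity="medium" host="srv-db-02"] '
    'Credential dumping attempt blocked'
)

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\[.*\]|-) ?(?P<msg>.*)$'
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into a timezone-aware datetime ('Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalise_api_event(raw_json: str) -> dict:
    """Pull path: one JSON object fetched from the EDR's API."""
    obj = json.loads(raw_json)
    return {
        "event_id": obj["id"],
        "timestamp": parse_ts(obj["created_at"]),
        "severity": obj["severity"].lower(),
        "host": obj["hostname"],
        "message": obj["description"],
        "facility": None,          # syslog-only concept
        "transport": "api-json",
    }


def normalise_syslog_event(line: str) -> dict:
    """Push path: one syslog line received on the SIEM/SOAR's TCP/UDP listener."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    params = dict(SD_PARAM_RE.findall(m.group("sd")))
    return {
        "event_id": params.get("id"),
        "timestamp": parse_ts(m.group("ts")),
        "severity": params.get("severity", "unknown").lower(),
        "host": params.get("host", m.group("host")),
        "message": m.group("msg"),
        "facility": int(m.group("pri")) // 8,   # PRI = facility * 8 + severity
        "transport": "tcp-udp-syslog",
    }


def normalise(raw: str) -> dict:
    """Dispatch on shape: syslog lines begin with '<PRI>', API payloads are JSON objects."""
    return normalise_syslog_event(raw) if raw.startswith("<") else normalise_api_event(raw)


if __name__ == "__main__":
    for raw in (API_JSON_EVENT, SYSLOG_EVENT):
        print(normalise(raw))
```

Both paths end in the same record shape, which is what the rest of the pipeline (correlation rules, playbooks, dashboards) should be written against; the `transport` field is kept so that a count mismatch later can be traced back to the path that dropped events.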
Common Test Cases for SIEM/SOAR and XDR Integrations
The table below details some of the most commonly recommended test cases and how to execute them. Having your team run through this list helps ensure that foundational issues are caught at the inception of the deployment.

| Test case | How to execute |
|---|---|
| Check the historical polling feature of the app | The app should fetch/poll all events for a given number 'n' of historical days. |
| Check the incremental polling feature of the app | Once the historical poll is complete, the app performs incremental polling in a loop, looking for newly created events in real time. |
| Check the app logs for process flow and errors | Once the application is configured, monitor its logs for all further activity. |
| Check the updated timestamp in the state file (QRadar specific) | The timestamp for the next poll is written to the state file in the QRadar app's container. Check the state file to determine whether the timestamp is being updated. |
| Compare the count of events transmitted by the client with the events received | The number of events polled into the SIEM/SOAR platform should match the count of events in the XDR. |
| Upgrade to a new version of the app over the installed version | If there is a new app version, install it over the currently installed older version. |
| Test the app with all available authentication modes | Configure and test the app with every available authentication mode (Basic, JWT, etc.). |
| Stress testing: send 1 million or more events to the app to check load balancing | Create or send 1M events (telnet/CSV files/simulator) to the app and check its responsiveness, dashboard loading time, etc. |
| Test the app's functionality through a proxy network | Configure the app with proxy (e.g. Squid) credentials and check that the EDR's API calls are routed via the proxy. |
The list above should be read as the typical low-hanging fruit when testing any new integration between your SIEM/SOAR and XDR; do not take it as a comprehensive list. Depending on your setup, your team may need to perform additional checks to ensure the deployment is error-free.
Considering venturing into security automation and integration, particularly between a SIEM/SOAR and an EDR/XDR? Metron has experience integrating multiple security tools with primary systems, along with setting up automation components.
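The first, second, fourth and fifth test cases in the table (historical poll, incremental poll, state-file timestamp and event-count reconciliation) all exercise the same polling loop, so the following added example shows them end to end. It is not the article's, QRadar's or any vendor's app code: `FakeEdrApi` stands in for the EDR's events endpoint (its method and field names, the page size and the sample events are constructed assumptions), the state file is a plain JSON file in a temporary directory, and `run_scenario` returns the figures a tester would compare against the XDR console.

```python
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: the events the EDR currently holds, one every six hours,
# reaching back ten days from a fixed "now" so the figures are reproducible.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
EDR_EVENTS = [{"id": f"evt-{i}", "created_at": (NOW - timedelta(hours=6 * i)).isoformat()}
              for i in range(40)]


class FakeEdrApi:
    """Stand-in for the EDR's events endpoint (time-window query with paging); assumed API."""

    def __init__(self, events, page_size=7):
        self._events = sorted(events, key=lambda e: e["created_at"])
        self.page_size = page_size
        self.calls = 0  # API requests made, to show paging at work

    def _in_window(self, since, until):
        # Half-open window [since, until): a boundary event belongs to exactly one poll.
        return [e for e in self._events
                if since <= datetime.fromisoformat(e["created_at"]) < until]

    def list_events(self, since, until, page=0):
        self.calls += 1
        window, start = self._in_window(since, until), page * self.page_size
        return {"events": window[start:start + self.page_size],
                "has_more": start + self.page_size < len(window)}

    def count_events(self, since, until):  # the figure the XDR console would show
        return len(self._in_window(since, until))

    def ingest(self, events):  # new alerts raised in the EDR after go-live
        self._events = sorted(self._events + list(events), key=lambda e: e["created_at"])


def read_state(path: str) -> Optional[datetime]:
    """Timestamp of the last successful poll, or None before the historical poll ran."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return datetime.fromisoformat(json.load(fh)["last_poll"])


def write_state(path: str, ts: datetime) -> None:
    with open(path, "w") as fh:
        json.dump({"last_poll": ts.isoformat()}, fh)


def poll_window(api, since, until):
    """Fetch every page of the window; the state file is advanced only afterwards."""
    events, page = [], 0
    while True:
        resp = api.list_events(since, until, page)
        events.extend(resp["events"])
        if not resp["has_more"]:
            return events
        page += 1


def historical_poll(api, state_path, days, now):
    events = poll_window(api, now - timedelta(days=days), now)
    write_state(state_path, now)  # checkpoint only after the whole window was fetched
    return events


def incremental_poll(api, state_path, now):
    since = read_state(state_path)
    if since is None:
        raise RuntimeError("no state file: run the historical poll first")
    events = poll_window(api, since, now)
    write_state(state_path, now)
    return events


def reconcile(api, since, until, received):
    """Compare what the SIEM/SOAR received with what the XDR reports for the window."""
    expected = api.count_events(since, until)
    return {"expected": expected, "received": len(received), "match": expected == len(received)}


def run_scenario(days=7):
    """Drive the whole flow and return the figures worth checking."""
    api = FakeEdrApi(EDR_EVENTS)
    state_path = os.path.join(tempfile.mkdtemp(), "state.json")
    window_start = NOW - timedelta(days=days)
    hist = historical_poll(api, state_path, days, NOW)
    hist_check, pages_used = reconcile(api, window_start, NOW, hist), api.calls
    # Constructed: a fresh alert raised in the EDR before the next incremental poll.
    api.ingest([{"id": "evt-new-1", "created_at": (NOW + timedelta(minutes=30)).isoformat()}])
    inc = incremental_poll(api, state_path, NOW + timedelta(hours=1))
    return {
        "historical_count": len(hist),
        "historical_pages": pages_used,
        "historical_match": hist_check["match"],
        "incremental_ids": [e["id"] for e in inc],
        "state_after": read_state(state_path).isoformat(),
        "drop_detected": not reconcile(api, window_start, NOW, hist[:-1])["match"],
    }
```

Two details matter when checking a real app the same way: the window is half-open and the state file is written only after the last page has been fetched, so a crash mid-poll re-fetches the window instead of silently skipping events; and the event at exactly the checkpoint time (`evt-0` here) is picked up by the first incremental poll rather than by the historical one, which is what the count comparison in the table should confirm.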
If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to firstname.lastname@example.org.