A common misconception we often hear in the security integrations field is the belief that once two applications have been integrated, the work is done.
While it is true that by that point the bulk of the coding and development work has been deployed, operators should always bear in mind that any integration must be thoroughly tested as part of the final vetting of the deployment.
The goal of this article is to help users understand how data flows when an integration is configured. The integration is frequently between an endpoint detection and response platform or an extended detection and response platform (the acronyms EDR and XDR are commonly used within the cybersecurity domain) and a SIEM or SOAR. This article also illustrates some common integration test cases. The terms EDR and XDR are used interchangeably in the text ahead.
SIEM/SOAR and EDR or XDR Integration Setup
When connecting these two products, the integration is typically installed on the SIEM/SOAR.
At the most basic level, when an EDR is integrated with a SIEM/SOAR, the APIs of the EDR are periodically called to fetch the data. It is worth noting that while most of the time the data is pulled via the API, there are some integrations where the XDR pushes the data to the SIEM/SOAR over TCP and UDP ports.
In any event, there are two formats in which data flows from EDRs to the SIEM/SOAR, distinguished by the mode in which the XDR and SIEM/SOAR are connected:
- API: JSON
- TCP/UDP: Syslog
The Figure below shows the pull and the push of the data:
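As an added example (not code from the original article), the following Python sketch covers both paths just described: a pulled JSON API response and a pushed syslog line are normalised into one event shape and then run through the kind of basic sanity checks used when vetting a new integration. The API field names, the key=value syslog body and all sample values are constructed assumptions, not any vendor's schema.

```python
import json
import re
from datetime import datetime

# Constructed sample of a pulled API response (assumed field names, not a vendor schema).
API_RESPONSE = json.dumps({"alerts": [
    {"id": "a-1001", "severity": "high", "host": "ws-42", "ts": "2024-03-01T10:15:00Z"},
    {"id": "a-1002", "severity": "low", "host": "srv-7", "ts": "2024-03-01T10:16:30Z"},
]})

# Constructed sample of a pushed RFC 5424 syslog line with an assumed key=value body.
SYSLOG_LINE = "<134>1 2024-03-01T10:17:00Z xdr-node xdr - - - id=a-1003 severity=medium host=db-3"

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<hostname>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")

def _parse_ts(value: str) -> datetime:
    # Make the "Z" suffix parse on Python versions older than 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize_api(body: str) -> list[dict]:
    """Pull path: JSON alert list -> common event dicts."""
    return [{"id": a["id"], "severity": a["severity"], "host": a["host"],
             "ts": _parse_ts(a["ts"]), "source": "api"}
            for a in json.loads(body)["alerts"]]

def normalize_syslog(line: str) -> dict:
    """Push path: one RFC 5424 line -> common event dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 line: {line!r}")
    kv = dict(tok.split("=", 1) for tok in m.group("msg").split())
    return {"id": kv.get("id"), "severity": kv.get("severity"), "host": kv.get("host"),
            "ts": _parse_ts(m.group("ts")), "source": "syslog"}

REQUIRED = ("id", "severity", "host", "ts")

def check_events(events: list[dict]) -> list[str]:
    """Integration sanity checks: required fields present, ids unique, timestamps carry a timezone."""
    problems, seen = [], set()
    for e in events:
        eid = e.get("id")
        missing = [f for f in REQUIRED if e.get(f) is None]
        if missing:
            problems.append(f"{eid}: missing {missing}")
        if eid in seen:
            problems.append(f"{eid}: duplicate id")
        seen.add(eid)
        if e.get("ts") is not None and e["ts"].tzinfo is None:
            problems.append(f"{eid}: naive timestamp")
    return problems
```

Running both normalisers over the constructed samples and passing the combined list to `check_events` returns an empty list; feeding it a duplicated event reports the repeated id.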
Common Test Cases for SIEM/SOAR and XDR Integrations
In the table below, we detail some of the most common recommended test cases and how to follow through with their execution. Having your team run through this list helps ensure that foundational issues are caught at the inception of the deployment.
The list above should be read as the typical low-hanging fruit of testing any new integration between your SIEM/SOAR and XDR. As such, do not take it as a comprehensive list. Depending on your setup, your team may need to perform additional checks to ensure the deployment is error-free.
Considering venturing into security automation and integration, particularly between a SIEM/SOAR and an EDR/XDR? Metron has experience integrating multiple security tools with primary systems, along with setting up automation components.
If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to friends@metronlabs.com.