Lastline Integration Guide
Syslog notifications must be configured in the Lastline Portal in order to send logs via syslog to the Taegis™ XDR Collector. Please follow the instructions in this guide to enable logging for your sensors.
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
Lastline Sensor | XDR Collector (mgmt IP) | UDP/514 |
Data Provided from Integration
Source | Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
---|---|---|---|---|---|---|---|---|---|---|---|---|
LastLine | Y | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configuration Instructions
Consider the following requirements when completing the configuration steps:
- SIEM Server Location — The IP address of the XDR Collector
- SIEM Server Port — 514
- Protocol — UDP
- Format — LEEF
- Include PCAP — Enabled
To configure logging in the Lastline Portal, please follow these instructions:
- In the Lastline Portal, select Admin from the main menu, and then switch the view from Accounts to Notifications.
    (Screenshot: Navigate to Admin > Notifications)
- On the Notifications page, select Syslog, and then select the + Add a notification icon above the table.
    (Screenshot: Select + Add a notification)
- In the Create Syslog Notification section, complete the following:
    - Select the License if you have more than one.
    - Select the Sensor for which you would like to set up logging.
    - Leave the remaining standard settings.
    (Screenshot: Create Syslog Notification)
- In the SIEM Server Settings section, complete the following:
    - SIEM Server Location — Enter the IP address of the XDR Collector.
    - SIEM Server Port — 514
    - SIEM Hostname — Leave blank.
    - Transport protocol — UDP
    - SIEM Source — Select either Manager or Sensor as the originating source, depending on your network topology.
    - SIEM Log Format — LEEF
    - Include pcap — Enabled
    (Screenshot: SIEM Server Settings)
- In the Triggers section, complete the following:
    - Select the toggle to enable Audit Triggers and then check Audit Event.
    - Select the toggle to enable Intrusion Triggers and then check Intrusion Event.
    - Leave the remaining default settings.
    (Screenshot: Enable Audit and Intrusion Triggers)
- Scroll down and select Save. A Syslog Notification Configuration Summary window displays, from which you can choose to Send Test Notification, Edit the configuration, or Close to return to the Syslog Notifications page.
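To confirm that what arrives on UDP/514 after Send Test Notification is well-formed LEEF (the format selected above) rather than plain text or a truncated record, the following added example parses syslog-wrapped LEEF 1.0 and 2.0 records the way a collector would; it is not Lastline or Secureworks code, and the sample lines, host names, event IDs and attribute names are constructed for illustration, not Lastline's actual schema.

```python
import re
# Optional RFC 3164 prefix ("<PRI>Mon dd hh:mm:ss host ") ahead of the LEEF header.
SYSLOG_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) )?(?P<leef>LEEF:.*)$", re.S)

def parse_leef(line):
    """Split a syslog-wrapped LEEF 1.0/2.0 record into header fields and attributes.
    Returns None for anything that is not a well-formed LEEF record."""
    m = SYSLOG_PREFIX.match(line.rstrip("\r\n"))
    if not m:
        return None
    parts = m.group("leef").split("|")
    version = parts[0][len("LEEF:"):]
    if version == "1.0" and len(parts) >= 6:        # 5 header fields, tab-delimited attrs
        delim, body = "\t", "|".join(parts[5:])
    elif version == "2.0" and len(parts) >= 7:      # 6th header field names the delimiter
        d = parts[5]
        hexd = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", d)   # x09 / 0x09 style
        if not hexd and len(d) > 1:
            return None                              # malformed delimiter field
        delim = chr(int(hexd.group(1), 16)) if hexd else (d or "\t")
        body = "|".join(parts[6:])
    else:
        return None
    attrs = {}
    for kv in body.split(delim):
        key, sep, value = kv.partition("=")
        if sep:
            attrs[key.strip()] = value
    vendor, product, product_version, event_id = parts[1:5]
    return {"leef_version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "host": m.group("host"), "attrs": attrs}

# Constructed sample lines (not real Lastline output); attribute names are illustrative.
SAMPLE_LINES = [
    "<13>Oct  5 12:00:00 lastline-sensor LEEF:2.0|Lastline|Sensor|1.0|IntrusionEvent|^|"
    "src=10.0.0.5^dst=10.0.0.9^severity=high",
    "<13>Oct  5 12:00:01 lastline-mgr LEEF:1.0|Lastline|Manager|1.0|AuditEvent|"
    "usrName=admin\taction=login",
]

def summarize(lines):
    """Count records per event_id ('unparsed' for rejects); run over a collector capture."""
    counts = {}
    for line in lines:
        rec = parse_leef(line)
        key = rec["event_id"] if rec else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feed `summarize` the lines captured on the collector (for example from a packet capture of UDP/514); an "unparsed" count greater than zero means the sensor is sending something other than the LEEF format configured above.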