SolCyber Knowledgebase

SolCyber Service Features

Mon, 01 Jan 0001 00:00:00 +0000

Advanced Email Protection #

Proactive blocking of malicious emails including SPAM, Phishing and BEC

Assist in integration with mail platform
Migration and maintenance of white list and black lists
Monitoring of high risk users against BEC
SOC triage on quarantine release to reduce risk

Endpoint Detection and Response #

Prevention, detection and response capabilities at the endpoint.

Remote assist in roll out of agent and associated troubleshooting
Management of security policies including enabling blocking mode
Detection, mitigation and quarantining of malware and behavioral detections.
Collect detailed telemetry used in alert triage and incident investigations:
- ex. network connections, registry modifications, file creation and modification, DNS requests, processes, etc
Ability to network quarantine devices, when necessary
Remote command line access for containment and additional triage

Phishing Simulation and Training #

Harden your weakest link, your employees. Service is designed to be practical so users actually learn and don’t treat it as another compliance exercise.

Roles and Responsibilities

Mon, 01 Jan 0001 00:00:00 +0000

Where SolCyber Helps #

Detect and respond to threats against the traditional IT infrastructure
Visibility into security posture and continuous advice on how to improve your overtime
Ensure all the bundled tools are working optimally and constantly adjusted based off threats
Evaluate the performance of all tools regularly and update as needed based off changes in technology and threats
Answer questions and provide advice around security best practices
Support compliance efforts with included controls and communicate to auditors where needed

Where to Focus Your Resources #

Own security strategy and augment SolCyber’s capabilities
Coordinate response with our analysts when needed
Security architecture such as zero trust implementation
Personalized security:
Application security / Devsecops
Anti fraud
Supply chain risk
Insider risk
Compliance and other regulations

Onboarding Guide

Mon, 01 Jan 0001 00:00:00 +0000

Intro#

This document serves as a high-level guide to help customers understand the SolCyber onboarding process.

Objectives#

Transition security operations to SolCyber.
Get to know your team.
Establish roles and responsibilities.
Understand the process and timelines.

Key Stakeholders#

Role	Customer/SolCyber	Main Responsibility
Customer Success	SolCyber	Ensure success of onboarding and point of contact for all non-security related queries
Lead Analyst	SolCyber	Primary security contact
Project Lead	Customer	Lead contact for on-boarding to help coordinate between the different parties
Security Lead	Customer	Lead contact to work with the SolCyber SOC
Email Admin	Customer	Assist with deployment of Advanced Email Protection
IT Desktop Admin	Customer	Assist with deployment of Endpoint Persistence Agent
Network Admin	Customer	Assist with deployment of Lateral Movement Detection node

Key Milestones and Timeline#

Supported Products and Platforms

Mon, 01 Jan 0001 00:00:00 +0000

In general, the SolCyber foundational technology stack supports the following:

Operating Systems

Windows 10/11
Windows Server 2012/2016/2019
MacOS Catalina/Big Sur/Monterey
Linux (most distros)
Limited Support for Windows 7/8

Email Platforms

Microsoft Exchange/Office 365
Google Workspace

Data Ingestion#

SolCyber SOC Platform supports the ingestion of telemetry data from the following platforms. Please work with your Customer Success representative to onboard additional sources or contact sales to purchase additional EPS buckets.

Recommended Logs

Mon, 01 Jan 0001 00:00:00 +0000

Securonix is a powerful platform that enables our analysts to detect and triage incidents. It can collect data from a host of technologies to enable our SOC to:

Provide additional context for a primary indicator
Enable unique detection of threats

We’re solely focused on providing better security so we recommend only sending us logs that provide high security value. If you have logs that you want to setup specific alerts for, that works as well. Here’s what we recommend sending over and why.

Log Ingestion Appliance - Virtual

Mon, 01 Jan 0001 00:00:00 +0000

SolCyber uses a log ingestion appliance to consume logs from your on-premise sources. We offer a virtual appliance or a hardware appliance.

Virtual log ingestion appliances can be deployed for most hypervisors:

VMWare: using a SolCyber-provide OVA file.
Hyper-V and other hypervisors: Using a SolCyber-provided deployment script that can be run after configuring a VM running a supported Operating System

Log Ingestion Appliance Setup Guide - VMware#

Prerequisites #

Ensure that the following prerequisites are met before you proceed:

Log Ingestion Appliance - Hardware

Mon, 01 Jan 0001 00:00:00 +0000

Prerequisites #

Ensure that the following prerequisites are met before you proceed:

Requirement Type Requirement Description

Server Operating System RHEL 8+, Ubuntu 22.04

Firewall Ports SNYPR Console Please ensure that your firewall allows the Ingestion Appliance to communicate outbound on TCP/443

Firewall Ports KAFKA Brokers Please ensure that your firewall allows the Ingestion Appliance to communicate outbound on TCP/9093

Firewall Ports Ingester Heartbeat and Management Please ensure that your firewall allows the Ingestion Appliance to communicate outbound on TCP/9993

Firewall Ports

Syslog sources

SolCyber will instruct you as to which ports will be in use for data ingestion.

Securonix Hub (Legacy)

Mon, 01 Jan 0001 00:00:00 +0000

The Securonix Hub is Securonix’s new ingestion agent that replaces the existing Remote Ingestion Node (RIN). If the .tar file you received from us contains “SecuronixHubAgent”, use the follow documentation to install the software.

Customers can set up their own Hubs using a VM/hardware or purchase a Hub appliance from SolCyber.

Server Recommendation #

The following table describes Securonix Hub sizing recommendations:

Privacy Policy

Mon, 01 Jan 0001 00:00:00 +0000

Last updated: May 13, 2021

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

1Password

Mon, 01 Jan 0001 00:00:00 +0000

You can set up Events Reporting if you’re an owner, administrator, or part of a group with the View Administrative Sidebar permission.

You must have at least a Business account to export logs.

Create Events Reporting Integration#

Sign in to your 1Password account, click Integrations in the sidebar, and choose Other.
Give the integration a name. We suggest “Securonix”.
Click Add Integration

Supply a name for the token. We suggest “Securonix token”.
Expires After - choose 2 years. (note the screenshot below shows “never”, we do not recommend this)
Events to Report - select:
- Sign-in attempts
- Item usage events
Click Issue Token

Provide SolCyber with the token via an encrypted email or onetimesecret.com

SentinelOne

Mon, 01 Jan 0001 00:00:00 +0000

Log in to the SentinelOne Management Console using the Administrator username for the account.
Copy and save the URL of your login.
Note: The host URL information will be similar to the following: https://usa-partners.sentinelone.net/
In the Management Console, click Settings > USERS.
Select your admin user account and click Generate API token.

Copy and save the token

Note: You will need to provide this token to SolCyber.

Crowdstrike

Mon, 01 Jan 0001 00:00:00 +0000

CrowdStrike Falcon Streaming API#

Click Create new API Client.
Enter a name in Client Name.

Example: Securonix_client.

Select the Read right for the following options:
- Detections
- Incidents
- Event streams
Click Create. The API client is now created.

DUO Security

Mon, 01 Jan 0001 00:00:00 +0000

Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel.

Securonix supports ingestion of the following types of DUO logs:

Duo Security Administrator
Duo Security Authentication

Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the entry for Admin API in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You’ll need to provide these credentials to SolCyber via onetimesecret.com or other secure methods.
The required permissions are:
- Grant read log
- Grant read information

EntraID (aka Azure Active Directory) User Import

Mon, 01 Jan 0001 00:00:00 +0000

Login to Azure portal.
Locate App registrations using the Search bar from Dashboard.

Click New Registration from the App registrations screen to register an application.

Provide the following details in the Register an application screen:

Name: Securonix AzureAD Users
Supported account Types: Select the Accounts in this organizational directory only option.

Click Register.
Make a copy of Application (client ID) and Directory (tenant ID) for the application from the Application screen.

EntraID (AzureAD) Risky Users and Detections

Mon, 01 Jan 0001 00:00:00 +0000

An Azure P1 or P2 license is required to ingest Azure Risky Users events.

An Azure P2 license is required to ingest Azure Risky Detection events.

Logon to the Azure portal as an admin and search for Apps registration from the top search bar.

EntraID (aka Azure Active Directory) Audit/Sign In

Mon, 01 Jan 0001 00:00:00 +0000

MS Entra (aka Azure Active Directory) Audit/Sign In#

You must have an MS Entra ID P1 or P2 license in order to export Entra/Azure Active Directory Sign In logs. These logs provide us visibility into all authentication attempts to Azure AD accounts and are an important source of intel in the case of compromised accounts. We recommend that customers either move to a different M365 license or, at a minimum, purchase an Azure P1 license as an add on, especially if the company uses AzureAD as an IDP for Single Sign On.

Google Directory

Mon, 01 Jan 0001 00:00:00 +0000

Follow the documentation for Google Workspace in the Cloud Services/SaaS category:

Google WorkspaceComplete the following steps to configure the Google Workspace connection using OAuth2.0

JumpCloudSSO

Mon, 01 Jan 0001 00:00:00 +0000

Log in to the JumpCloud SSO portal: https://console.jumpcloud.com
Click the circle in the top right corner of the screen.

Click API Settings. Your API key will appear.

Warning: Because Jumpcloud has only one API key per site, any change will stop your JumpCloud datasource from ingesting data. Please communicate this impact with your SolCyber administrators.

Okta System Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Navigate to the Okta login screen and sign in with your credentials.

Click API > Tokens from the navigation menu.

Click Create Token.

Enter a name for your token, then click Create Token.

The token name above will be used within SNYPR when you set up the Okta connector.

Make a note of the Token Value then click OK, got it.

Dropbox

Mon, 01 Jan 0001 00:00:00 +0000

Visit the App Console tab, then follow the directions.
Select Full Dropbox under the Choose the type of access you need section.
Copy and save the App Key.
Click Show to copy and save the App secret. You will need to sen the App Key and App Secret to SolCyber.
In the app console under Redirect URLs add the following: https://a1t1amos.securonix.net/Snypr/connectionType/generateOauthCode

Slack

Mon, 01 Jan 0001 00:00:00 +0000

Create an App#

You must be logged in as the Owner of your organization and you must have at least an Enterprise account.

Log in to your Slack account using the following link: https://api.slack.com/apps.
Click Create New App.
Provide the appropriate app name in the search bar and then select the workspace.
Select OAuth & Permissions from the left navigation.

Google Workspace

Mon, 01 Jan 0001 00:00:00 +0000

Note: The steps described in this section are specific to Google and the configuration steps can change. Please consult Google documentation for the latest information.

Navigate to the Google Developers Console: https://console.developers.google.com.
Logon using an account with admin privileges.
Click Create Project.
Enter a project name (ex: “Securonix-Logs”), select the correct organization and location.

Click Create.
Select the new project that you created from the top section of the screen.

Office 365 (Azure AD, Exchange, Sharepoint, General)

Mon, 01 Jan 0001 00:00:00 +0000

Logon to the Azure portal as an admin and search for Apps registration from the top search bar.

Click + New registration.

Enter the following information on the Register an application screen:
- Name: Securonix-O365
- Supported account types: Accounts in this organizational directory only (Single Tenant)

Click Register. You will be redirected to the newly created application screen.

Copy the Application (client) ID and Directory (tenant) ID. You will need to provide these to SolCyber.

Salesforce (Login and EventLog)

Mon, 01 Jan 0001 00:00:00 +0000

Customers with Enterprise, Unlimited, or Performance Edition Salesforce organizations will be able to onboard Login events, but not the Salesforce EventLog, unless the Event Monitoring Add-On is purchased.

Create Application#

Click Setup on the top navigation menu.

Slack (Audit)

Mon, 01 Jan 0001 00:00:00 +0000

You must be logged in as the Owner of your Enterprise Grid organization to install the app.

Log in to your Slack account using the following link: https://api.slack.com/apps.
Provide the appropriate app name in the search bar, and then select the workspace.
Click Create New App.
Provide an app name (ex: Securonix Connector) in the search bar and then select the workspace.

Zoom

Mon, 01 Jan 0001 00:00:00 +0000

Verify Admin Permissions#

Ensure you are a Zoom account admin or a developer with role-based permissions to:
- View/edit Server-to-Server OAuth apps
- Add scopes to apps

Create a Server-to-Server OAuth App#

Go to the Zoom App Marketplace.
Click Develop (top-right dropdown) > Build Server-to-Server App.
Name your app and click Create.

Configure App Credentials#

Under App Credentials, copy the:
- Account ID
- Client ID
- Client Secret

You will need to provide these credentials to SolCyber.

AWS Cloudtrail

Mon, 01 Jan 0001 00:00:00 +0000

If you already have your Cloud Trail configured, please skip to the “Creating a New SQS” section.

Creating a Cloud Trail configuration#

Access your AWS Console and select the Cloud Trail service.
Click Create trail
Enter the name you want to provide for this trail in the Trail Name field.
Select Enable for all accounts in my organization if you have multiple accounts.

Azure Monitor

Mon, 01 Jan 0001 00:00:00 +0000

Register an Azure Active Directory Application #

Open Azure Active Directory in the Azure Portal.
Click App registrations.
Click New Registration.
Provide an appropriate name and select Single tenant as the account scope.

Capture the Application Name, as it will be used in the next steps.
Click Register.
Click on the new application created in the App registration Page.
Copy Client ID and Tenant ID.
Create an API access key using the following steps:

Google Cloud Platform (GCP)

Mon, 01 Jan 0001 00:00:00 +0000

Create a Log Sink Destination#

Create a new project that will house the Log Sink#

1. In the Google Cloud console, go to Menu > IAM & Admin > Create a Project.

2. In the Project Name field, enter a descriptive name for your project. We suggest “SolCyber Log Sink”

3. In the Location field, click Browse to display potential locations for your project. Then, click Select.

4. Click Create. The Google Cloud console navigates to the Dashboard page and your project is created within a few minutes.

Data Loss Prevention

Mon, 01 Jan 0001 00:00:00 +0000

Microsoft Office 365 DLP

Cisco Umbrella (DNS)

Mon, 01 Jan 0001 00:00:00 +0000

Log into Umbrella with the following URL: https://dashboard.umbrella.com/
Obtain your organization ID directly from the Umbrella dashboard after you log in to that particular organization.

Example: If https://dashboard.umbrella.com/o/1331454/#/overview is the URL, then 1331454 is your organization ID .
Navigate to Admin > API Keys.
Select the Legacy keys tile section and, then click on the Umbrella Reporting section.
Select on Generate Token.
Copy your Key & Secret and send to SolCyber via protected means such as an encrypted email or a tool like onetimesecret.com.

AWS Guard Duty

Mon, 01 Jan 0001 00:00:00 +0000

Retrieve the Detector ID #

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

You will need to provide the detectorID to SolCyber.

Authorize the IAM User #

Create an IAM service account to user for Securonix log ingestion. You may already have one if you have previously configured CloudTrail logs for Securonix.
Authorize the IAM User using the steps under Change permissions for an IAM user. When prompted during the configuration, attach the AmazonGuardDutyReadOnlyAccess AWS managed policies to the authorized user.
Copy and save the Secret Key, and Access ID and provide these values to SolCyber.

Azure Security Center

Mon, 01 Jan 0001 00:00:00 +0000

Open the Azure Active Directory resource in the Azure Portal.
Click App registrations > New Registration.
Provide a name, and select the account scope to Single tenant.
Click Register.
Click on the new application created on the App registration screen.
Copy the Client ID and Tenant ID, and then click View API permissions.
Click Add a permission, and then click the Microsoft Graph API.

Azure Firewall

Mon, 01 Jan 0001 00:00:00 +0000

Create an Azure Event Hub Namespace and Event Hub#

Azure Portal: Navigate to the Azure Portal.
Create a Namespace: Search for “Event Hubs” and create a new Event Hub namespace.
Create an Event Hub: Within the namespace, create an Event Hub (e.g., “firewall-logs”).

Configure Azure Firewall to Send Logs to Event Hub#

Azure Firewall Policy: Go to the Azure Firewall policy associated with your firewall.
Diagnostic Settings: Under “Diagnostics”, create a new diagnostic setting.

Cisco ASA

Mon, 01 Jan 0001 00:00:00 +0000

NOTE: Be sure to make a backup of your current ASA configuration before performing any changes.

Configure logging using the ASDM GUI#

Ensure logging is enabled. Visit Configuration > Features > Properties > Logging > Logging Setup. Check the Enable logging check box in order to enable syslog output.

Configure the external Syslog Server: Choose Syslog Servers under Logging and click Add in order to add a syslog server. Enter the IP of your Remote Ingestion Node (RIN), choose UDP, and enter 1514 (or another port if instructed by SolCyber) in the Add Syslog Server box and choose OK when you are done. Be sure to leave “Log messages in Cisco EMBLEM format” unchecked.

Enable Log Sending: choose Logging Filters in the logging section. This presents you with each possible logging destination and the current level of logs that are sent to those destinations. Choose Syslog Servers and click Edit.

Select Filter on Severity and Informational. Click OK.
Click Apply - this will apply the new settings. If you experience any issues with connectivity after applying the new config, revert to your backup config.

Configure Logging Using the CLI#

text

logging enable
logging host <interface_name> <sensor_ip> udp
logging permit-hostdown
logging timestamp
logging device-id hostname
no logging emblem

The <interface_name> argument specifies the interface through which you access your Remote Ingestion Node (RIN). The sensor_ip argument specifies the IP address of the RIN.

Fortinet FortiGate

Mon, 01 Jan 0001 00:00:00 +0000

NOTE: Be sure to make a backup of your current FortiGate configuration before performing any changes. From the GUI: System > Configuration > Backup. From the CLI: execute backup config flash <revision-comment>.

Configure Logging Using the CLI#

text

config log syslogd setting
 set status enable
 set server "<INGESTER_IP>"
 set port <Solcyber will provide you with the specifc port to use>
 set mode udp
 set facility local7
 set format cef
 set enc-algorithm disable
end

config log syslogd filter
 set severity information
 set forward-traffic enable
 set local-traffic enable
 set multicast-traffic enable
 set sniffer-traffic enable
 set anomaly enable
 set voip enable
 set filter-type include
end

config log eventfilter
 set event enable
 set system enable
 set vpn enable
 set user enable
 set router enable
 set wireless-activity enable
 set endpoint enable
 set ha enable
 set compliance-check enable
 set security-rating enable
end

To log allowed traffic on an existing firewall policy from the CLI:

SonicWall Firewall

Mon, 01 Jan 0001 00:00:00 +0000

Pre-requisites:

Must have GMS server or On-Prem Analytics server installed and configured.

Have an Address Object Created on the Firewall for SonicWall Analytics system.

Navigate to Device > Log > Syslog
Select Syslog Servers and Click Add
Select the Name or IP address of the Syslog server from the dropdown. Enter the port provided by SolCyber.

Cisco Meraki Firewall Syslog

Mon, 01 Jan 0001 00:00:00 +0000

Go to Network-wide > Configure > General.
Click Add a syslog server to define a new server.
- Server IP: The Securonix Hub IP address.
- Port: generally, we will use udp port 1514. The SolCyber team may specify another port to use if 1514 is already in use on the Hub.
- Roles: The roles to send to the server.
Choose the type of events to export:
- Event Log: The messages from the dashboard under Monitor > Event Log.
- Flows: Inbound and outbound traffic flow-generated syslog messages that include the source, destination, and port numbers.
- URL: HTTP GET requests generating syslog entries.

Microsoft Windows

Mon, 01 Jan 0001 00:00:00 +0000

Note 1: A Remote Ingestion Node (RIN) is required to receive Windows logs.

Note 2: If you already have a Windows Event Forwarding infrastructure in place, please work with the SolCyber SOC to devise the best method to ship and ingest your Windows logs.

Install NXLog#

NXLog is an open-source, lightweight log shipper. We will use NXlogs to send your Windows security logs to the RIN via syslog.

GitHub

Mon, 01 Jan 0001 00:00:00 +0000

SolCyber will provide you will a webhook URL to use.

Login to Github and select your organization under which all the repositories are available.
Go to the Settings page for the organization that needs to be monitored.
Select Webhooks > Add Webhook from the left section of the screen.
Enter the webhook URL, select “Enable SSL verification” and select “Send me everything.”

Web Application Firewall

Mon, 01 Jan 0001 00:00:00 +0000

F5 Networks F5ASM Web Application Firewall

Web Proxy

Mon, 01 Jan 0001 00:00:00 +0000

Squid Proxy
ZscalerProxy

Web Server

Mon, 01 Jan 0001 00:00:00 +0000

Apache Software Foundation Webserver
Microsoft IIS Server

Data Source Token Renewal

Mon, 01 Jan 0001 00:00:00 +0000

During the onboarding process for your SolCyber service, authentication was set up to allow SolCyber to receive your identity provider logs. Theses tokens are usually set to expire two years after set up. In order to ensure that log ingestion does not lapse, you will need to provide SolCyber with a new token before the existing token expires.

Office365/Azure Active Directory#

Visit the MS Entra App Registrations section of the Azure admin portal.
Select All applications
Search for the following apps:

Note: the apps your org created may not have the exact same names, but they should be similar to this

Guide to DMARC, DKIM, and SPF

Mon, 01 Jan 0001 00:00:00 +0000

This article aims to provide a complete guide to implementing SPF, DKIM, and DMARC for your organization, and suggest the best practices for doing so. It is written in hopes that this will clear up confusion about what steps to take to achieve an effective DMARC deployment to secure business email and improve email deliverability.

A quick rundown on benefits of implementing SPF, DKIM, and DMARC:

stops email spoofing/phishing from your domain;
provides important information about the emails you sent, which can be used get all legitimate emails properly authenticated;
improves sender reputation and email deliverability; your legitimate emails are more likely to reach the inbox.

Target audience: marketers, brand owners, domain owners, domain administrators, IT administrators, etc. and anyone who wants to prevent attackers from sending malicious emails using their domains.

O365 Email Security Deployment and Configuration Guide

Mon, 01 Jan 0001 00:00:00 +0000

Phishing is the root cause of 95% of security breaches that lead to financial loss and brand damage. SolCyber uses Cloudflare Email Security (formerly Area1), a cloud based service that stops phishing attacks, the #1 cybersecurity threat, across all traffic vectors - email, web and network.

With globally distributed sensors & comprehensive attack analytics, Cloudflare Email Security proactively identifies phishing campaigns, attacker infrastructure, and attack delivery mechanisms during the earliest stages of a phishing attack cycle. Using flexible enforcement platforms, Cloudflare Email Security allows customers to take preemptive action against these targeted phishing attacks across all vectors - email, web and network; either at the edge or in the cloud.

Google Workspace Email Security Deployment and Configuration Guide

Mon, 01 Jan 0001 00:00:00 +0000

PhishArm Button Deployment: Office365

Mon, 01 Jan 0001 00:00:00 +0000

The PhishArm button (provided by Right-Hand Cybersecurity) is used to report suspicious email directly to the SolCyber SOC. The reported email will be sent as an attachment to the SolCyber SOC. The email will also be moved to the user’s junk folder.

Admin Configuration#

Go to Settings - Click Integrated Apps and Choose Upload Custom apps

Under Deploy New App select Choose how to upload app Upload manifest File(.xml) provided to you by SolCyber.

PhishArm Add-in Deployment: Google Workspace

Mon, 01 Jan 0001 00:00:00 +0000

The PhishArm plug-in (provided by Right-Hand Cybersecurity) is used to report suspicious email directly to the SolCyber SOC. The reported email will be sent as an attachment to the SolCyber SOC. The email will also be moved to the user’s spam folder.

Install Phisharm Plug-in For Entire Domain (or specific OUs)#

Log in to the Google Workspace Admin portal. In the left-hand menu, click Apps > Google Workspace Marketplace Apps > Apps List.

Utilizing the BEC List

Mon, 01 Jan 0001 00:00:00 +0000

Area1’s BEC (Business Email Compromise) list provides an additional layer of security to complement your email protection measures protects against these attacks by adding an attribute to any spoofed email messages matching the email addresses you provide. It serves as a valuable tool in identifying potential attackers attempting to impersonate high-level executives within an organization, with the intention of triggering malicious actions.

What is Business Email Compromise?#

BEC emails are a major concern for most companies, as they employ sophisticated phishing techniques that do not rely on typical indicators of malicious messages such as links or attachments. Instead, these emails exploit the power dynamics within a company by using the names of key individuals, esteemed customers, and even board members to deceive employees into carrying out fraudulent activities, such as unauthorized money transfers.

Text Add-Ons for Spoofs

Mon, 01 Jan 0001 00:00:00 +0000

Sometimes, emails identified as suspicious can be legitimate. This is a common case for emails that are flagged as a SPOOF. SolCyber does not quarantine emails labeled as “SPOOF”, however, we do recommend that customers add an extra layer of protection by enabling an optional add-on.

These text add-ons display in the subject and/or body of an email when a user receives an email that has been determined to be a “classic” SPOOF by Area1.

Windows Agent Installation

Mon, 01 Jan 0001 00:00:00 +0000

Installation of Windows agent version 23.4 and above DOES NOT require a system reboot.

If you are installing any agent version before 23.4, a system reboot is required to complete installation.

Install with interactive GUI wizard#

Run the installation package and enter the Site Token when prompted in the installation wizard.

MacOS - Manual Installation

Mon, 01 Jan 0001 00:00:00 +0000

No reboot is required for installation on macOS endpoints

Step One: Install the Agent#

Option 1: Install using the command line#

Save the Site Token in a plain text file in a folder named /tmp along with the Installer package.
- Name the Token file: com.sentinelone.registration-token
Run the installer. Example:
- $ sudo /usr/sbin/installer -pkg Desktop/tmp/SentinelXXXX.pkg -target /Library/

Option 2: Install using the GUI Wizard#

Run the installation package and enter Site Token when prompted in the installation wizard.

MacOS - Installation with MDM Tools

Mon, 01 Jan 0001 00:00:00 +0000

SentinelOne officially tests the installation and management of the macOS Agent only with Jamf and Workspace ONE. If you use a different MDM solution, make sure that the MDM solution supports these features:

Deployment of macOS .pkg.
Deployment of macOS system configuration profiles.
Deployment of admin-configured tool/script.

Agent Installation#

You will likely need to push a script to deploy the MacOS SentinelOne agent, since a site token is required. Please refer to your MDM documentation, or contact the vendor support for guidance on the best way to install the agent. Below is a sample script.

MacOS - Installation with Jamf

Mon, 01 Jan 0001 00:00:00 +0000

Installing a Package with Jamf#

Launch Jamf and log in.
Click Settings > Computer Management > Packages.
Click +New.
Upload the SentinelOne Agent PKG file to Jamf.
Set the Category to Packages.
Click Save.
Click Settings > Computer Management > Scripts.

Enter these lines, with your values for the Site or Group Token and SentinelAgent_macos_version.pkg:

text

sudo echo "token" > /Library/Application\ Support/JAMF/Waiting\ Room/com.sentinelone.registration-token
sudo /usr/sbin/installer -pkg /Library/Application\ Support/JAMF/Waiting\ Room/SentinelAgent_macos_version.pkg -target /

Example:

Linux Agent Installation

Mon, 01 Jan 0001 00:00:00 +0000

No reboot is required for installation on Linux endpoints

Option 1: Deploy Agent with a Configuration File#

Version 21.5+ of the Linux Agent supports an easier deployment. Rather than run the commands to install, associate, activate, and then set a proxy (if applicable), you can set one configuration file to use these variables.

1. Create a configuration file with the installation parameters, each on a separate line.

Supported Operating Systems

Mon, 01 Jan 0001 00:00:00 +0000

Windows#

Microsoft Windows Operating System Versions#

Windows OS	Details
Windows Server Core	2019, 2016, 2012
Windows Server	2022, 2019, 2016, 2012 R2, 2012, 2008 R2 SP1
Windows Storage Server	2016, 2012 R2, 2012
Windows 7 SP1, 8, 8.1, 10, 11	32/64-bit

Minimum Hardware Requirements#

Minimum	Recommended
1 GHz CPU or better	Dual-core. You can install on a single-core CPU, but performance will not be optimal.
1 GB RAM or more	3 GB recommended
2 GB free disk space on the Windows partition	If you are taking VSS snapshots, add an additional 10%.

CPU micro-architectures such as x86_32, ARM, RISC, MIPS are not supported by SentinelOne components

Windows Agent Installer Command Line Options

Mon, 01 Jan 0001 00:00:00 +0000

If you are installing an agent version 21.x or lower, please use the legacy command line options.

Example Usage:

CMD

text

SentinelOneInstaller.exe -q -b -t <site_token>

Powershell

text

./SentinelOneInstaller.exe -q -t <site_token>

-b, --reboot_on_need

Optional. Automatically reboot the endpoint when required to continue with the installation.
-t`` site_Token or group_Token is the site token or group token.
-q, --qn

Optional unless you use a deployment tool to install the Agent (then it is mandatory).

Interoperability Exclusions

Mon, 01 Jan 0001 00:00:00 +0000

The SentinelOne agent can sometimes present interoperability issues with other applications, either SentinelOne prevents another application from operating properly, or another application prevents the SentinelOne agent from operating properly. In the SentinelOne console, the SolCyber SOC can add exclusions that will prevent SentinelOne from interacting with certain files and directories to prevent such issues.

The following list represents applications that SentinelOne provides some out-of-the-box interoperability exclusions for. Please let us know if you use any of the following applications on devices where you plan to install the S1 agent.

Uninstalling/Disabling SentinelOne

Mon, 01 Jan 0001 00:00:00 +0000

Due to the tamper protection feature in the SentinelOne agent, the easiest way to uninstall or disable the agent is to open a ticket with the SolCyber SOC. We will send an uninstallor disable command to the device. In instances when the device in question is offline or otherwise unreachable by the SentinelOne console, local uninstalls/disable can be performed, but each device’s unique passphrase is required to complete the action due to the tamper protection. The SolCyber SOC can provide you with the passphrase.

SentinelOne Data Collection List

Mon, 01 Jan 0001 00:00:00 +0000

Management Console Data Collection#

The SentinelOne Agent collects these datasets:

Hardware data:
- Machine type
- Architecture
- Memory
- CPU information
- Core count
- Mac address
Solutions conﬁguration information: Customer instance settings (including users emails, phone numbers)
User and device data:
- Agent ID
- Endpoint Name
- Workgroup/domain
- User name
- Disk encryption state
- Installed applications - installation time, size, publisher and version.
- OS type
- OS version
- SentinelOne Agent version
- SMTP username
- User login/out time
- External devices control rules
- Firewall control rules, and event notiﬁcations (such as details of blocked application events)
- Notiﬁcation of interface connection (USB/Bluetooth) and hardware information
Integrations to the Console and global conﬁguration of connected endpoints
Process activity:
- Time of machine activity
- Running processes (name, ID, CPU usage, memory)
- Full ﬁle path
- In cases of suspected threats, the SentinelOne Agent collects for each process:
  - File metadata
  - Hash
  - File type
  - Certiﬁcate (for veriﬁed or not)
  - Command-line arguments
  - Network access metadata only: IP Address; protocol
  - Registry: created keys; deleted keys; modiﬁed key names
- Network Data:
  - Internal network IP address
  - Public IP address (if running cloud-based management)
  - Inbound/Outbound connections, metadata only (source, target, port, and application)
- Fetched Files:
  - Any ﬁle fetched by user (encrypted at rest, deleted after 72 hours)

Cloud Data#

SentinelOne collects the data of the cloud service provider for each Linux and K8s Agent that is recognized as a server (Sentinels > Endpoints > Machine Type = Server ).

Agent Troubleshooting

Mon, 01 Jan 0001 00:00:00 +0000

When troubleshooting issues with SentinelOne agents, a SolCyber SOC engineer will usually open a ticket with SentinelOne support. To expedite resolution, we ask that some data or log collection be done on the device so that we can provide the details to SentinelOne support.

Windows#

To collect installation logs from Windows endpoints:#

In File Explorer, enter:
- C:\Windows\Temp\
- %temp%
  
  This redirects to C:\Users\<USER>\AppData\Local\Temp\ where <USER> is the logged-in user.
In each of these file paths, look for sentinelinstaller files. The file path can be different configuration of your operating system.

SentinelOne Endpoint Actions

Mon, 01 Jan 0001 00:00:00 +0000

In the SolCyber Customer Portal, you can run an Endpoint report to show any SentinelOne agents that are missing a necessary permission, or require an action (such as rebooting) to restore full functionality to the agent. Please use the chart below to find a description for the most common values found in the “Action Needed” column of this report. If your report contains an action that is not listed here, please contact the SOC at soc@SolCyber.com so that we can assist.

VSS Writer Exclusions

Mon, 01 Jan 0001 00:00:00 +0000

⚠️ Important Security Notice: Excluding VSS Writers removes SentinelOne protection from that data. Only exclude writers when absolutely necessary for backup compatibility.

Overview#

This guide shows you how to exclude specific VSS Writers from SentinelOne protection to resolve compatibility issues with backup software using the SentinelCtl command line method.

The SentinelOne agent protects VSS shadow copies from malicious changes and deletion. However, some backup applications may require specific VSS Writers to be excluded from SentinelOne monitoring to function properly.

DNS Filter - Endpoint Deployment

Mon, 01 Jan 0001 00:00:00 +0000

Testing Encouraged

A standalone installation is recommended when initially testing the Roaming Client on your computers/network. DNSFilter recommends 1-2 days of testing with one or more computers to ensure smooth operation before performing a mass deployment. One area we strongly recommend testing is the resolution of local domains.

DNS Filter - Network Deployment

Mon, 01 Jan 0001 00:00:00 +0000

Below you will find the basic steps to deploy DNS Filter to your Network. You can find more options and details in the official DNS Filter knowledge base.

Step One: Provide Your Site Static IP(s) to SolCyber#

Before you make any changes to your network, please provide us with your static IP(s). If this is not done first, DNS Filter will not expect traffic from your location and will deny DNS requests until the IP is added.

Uninstall Uptycs

Mon, 01 Jan 0001 00:00:00 +0000

Windows#

Option 1: Uninstall Using the MSI Installer#

If you have the MSI installer file, run the following command to uninstall:

msiexec /i <osquery msi file complete path>

Option 2: Uninstall Using the product code#

If you do not have the MSI installer file, you can uninstall using the product code.

Obtain the product code:
Get-WmiObject Win32_Product | Select-Object Name, IdentifyingNumber | findstr -i osquery
Run the following command:
msiexec /x <PRODUCT-CODE>

Option 3#

wmic is not installed in Windows 11 by default - use option 1 or 2 for Windows 11 devices

Attivo Removal

Mon, 01 Jan 0001 00:00:00 +0000

Uninstalling the Attivo Agent#

The following are the recommended steps to remove the Attivo agent from any Windows system.

Download the Attivo_Win32.zip binary file and transfer to the endpoint
Open the downloaded zip file and extract all files
Open Command Prompt as Administrator
From the Command Prompt, change directory to the location of the unzipped folder that contains the files extracted
Run the following command and press Enter:

windowssetup.exe /ua /force

Phishing Simulation Whitelisting - Office 365

Mon, 01 Jan 0001 00:00:00 +0000

IPs to Whitelist:

52.74.95.172

SolCyber partners with a company named Right-Hand to run phishing simulations. The IP addresses you will be whitelisting will belong to Right-Hand, and the phishing campaigns will be run by SolCyber.

Step 1: Setup IP Allow List #

Visit https://security.microsoft.com/antispam and select “Connection filter policy (Default)”

Click on Edit connection filter policy and add the Right-Hand IP(s) listed above.
Click Save.

Step 2: ByPass Clutter & Spam Filtering#

To ensure our messages will bypass your Clutter folder as well as spam filtering within Microsoft’s EOP, follow the steps below.

Phishing Simulation Whitelisting - Google Workspace

Mon, 01 Jan 0001 00:00:00 +0000

To ensure phishing simulation emails are delivered to your users’ inboxes, please follow the following whitelisting steps.

Content Compliance Filter#

Navigate to Google Workspace Admin Console and, from the left menu navigate to Apps → Google Workspace → Gmail.
Click on Compliance Tab and then click on Configure for Content compliance.
A new tab will open and add the following values.
1. Set Right Hand Spam Filter Bypass as the name for the rule or name it based on your choice or convention.

Active Directory Assessment Setup

Mon, 01 Jan 0001 00:00:00 +0000

SolCyber will perform a bi-annual assessment of your Active Directory environment(s) and provide a report and analysis of critical findings. This documentation covers running the assessment tool for on-premise Active Directory. If you have an Azure Active Directory environment that you would like assessed, please see the Azure Active Directory Assessment Setup.

System Requirements#

To facilitate assessment of Active Directory, the SentinelOne Identity Agent must be installed on a single domain-joined device that can communicate with the Domain Controller(s). The device is referred to as the “AD Connector”. It is not advised to install the Identity Agent on the Domain Controller itself. The system requirements for the AD Connector are listed below:

Exposures Assessed - Azure AD Assessment

Mon, 01 Jan 0001 00:00:00 +0000

Exposure	Required Azure AD License
Azure AD Tenant without User Risk Policies enabled	Premium P1
Standard users without Multi Factor authentication	Premium P2
New Azure AD Local Admin Added to Azure AD Devices	Premium P2
Subscription Admin Users without MFA enabled	Premium P2
High Number of Subscription Owners in the Tenant	Premium P2
Tenant with Legacy Authentication Methods Enabled	Premium P2
Azure AD Tenant without Sign-In Risk Policies enabled	Premium P2
Privileged Users without Multi-Factor Authentication (MFA)	Premium P2
Self Service Password Reset (SSPR) Is Disabled	Premium P2
Guest Users Found in the Azure AD	Premium P2
Custom Banned Password not configured for the Tenant	Premium P2
Block Legacy Authentication with Conditional Access	Premium P2
On-Prem Active Directory Password Protection Disabled	Premium P2
New Classic Administrators Added Recently	Requires subscription
External Accounts with Dangerous Permissions on Subscription	Requires subscription
New Delegated Permissions Added Recently	Free license
Global Administrator Role Must Be Assigned to at Least 3 Cloud-Only Accounts	Free license
Restrict Access to Azure Portal with conditional access	Free license
Password Sync feature is disabled for Tenant	Free license
Usage of Smart Lockout in Azure AD	Free license
High Number of Users in Privileged Azure AD Roles	Free license
Stale service principals with password credentials	Free license
Active Directory Privileged users with Privileged roles in Azure	Free license
Active Directory Privileged users synced to Azure	Free license
Unlimited Sessions allowed for Portal Sessions	Free license
Non Usage of Administrative Unit to delegate Tasks	Free license
Standard Users Allowed to Invite External Users	Free license
New Azure AD Application registered	Free license
New App role Assignment Detected	Free license
Standard Users Allowed to Create Apps	Free license
Azure AD Trusted IP Configuration changes	Free license
Security Defaults Disabled for Administrators and Users	Free license
Users Are Allowed to Consent to Applications	Free license
Microsoft Accounts in Administrator Roles	Free license
Short Lived User Accounts found in Tenant	Free license
Standard Users Allowed to Create Security Groups	Free license
Admin Consent Workflow is Disabled for Enterprise Applications	Free license
Stale Devices in Azure AD	Free license
Recent Changes to Azure Administrator roles	Free license
Non-Usage of Managed Identity for Azure Resources	Free license
Service Principals with Azure AD admin Roles	Free license
Azure AD Applications with Write Graph App Roles	Free license
Azure AD User with Application Owner Permissions	Free license
Non-Admin users Sign-in & usage of Azure AD PowerShell	Free license
Azure AD Users with Password Set to Never Expire	Free license

AWS Cloud Security Configuration

Mon, 01 Jan 0001 00:00:00 +0000

According to Gartner, the #1 threat to cloud infrastructure is entitlements and permissions. Identifying risky permissions and misconfigurations is difficult. SolCyber partners with Ermetic Security to monitor customer’s cloud security posture. Ermetic enables you to address the #1 risk to your cloud infrastructure – identities – by detecting and prioritizing risky entitlements and misconfigurations at scale. Ermetic allows SolCyber to continuously discover a customer’s cloud asset inventory and applies full-stack analytics to identify risk accurately and in context. SolCyber can help customers manage access permissions, ensure cloud compliance and shift left on least privilege, thereby reducing cloud attack surface.

Azure Cloud Security Configuration

Mon, 01 Jan 0001 00:00:00 +0000

Single Sign On Configuration

Mon, 01 Jan 0001 00:00:00 +0000

Azure Active Directory (SAML)#

In the Azure portal, navigate to Enterprise applications, and then add a New application.
Click Create your own application, and then enter a name for the app.
Select the default value of Integrate any other application you don’t find in the gallery (Non-Gallery) and then click Create.
On the app Overview page that displays, in the Set up single sign on step, click Get started.
Choose SAML as the SSO method.

iVerify Setup

Mon, 01 Jan 0001 00:00:00 +0000

iVerify Elite offers comprehensive mobile device security for you and your organization, ensuring robust protection against known threats and uncovering indicators of compromise.

We recommend that iVerify be deployed in environments where all end user devices (computers and company-provided phones) are managed by an endpoint or mobile device management tool. This makes deployment and management of iVerify much easier.

DPM Log Ingestion Node

Mon, 01 Jan 0001 00:00:00 +0000

Specs and Requirements#

Requirement Type	Requirement	Description
Server	CPU	Small: 4x CPU Med: 8x CPU
Server	RAM	Small: 8 GB Medium: 24 GB
Server	Disk 1	75 GB root HD
Server	Disk 2	Small: 200 GB unformatted HD Medium: 600 GB unformatted HD
Network	Reserved IP for each node	If deploying an ingestion mesh, please also reserve an IP for the software load balancer
Firewall Ports	Remote Management	Please ensure that your firewall allows the Ingestion Appliance(s) to communicate outbound on UDP/9993
Firewall Whitelisting	Node Health and Management	Please allow the nodes access to the following FQDNs on TCP/443: Abnormal Email Security Mon, 01 Jan 0001 00:00:00 +0000 Step 1: Access Abnormal Security Platform # Log in to Abnormal Security Dashboard: Navigate to your Abnormal Security Management Dashboard. Go to Settings > API Access. Enable API Access: Ensure API access is enabled for your organization. Verify that you have the necessary permissions to create API tokens. Step 2: Generate API Credentials # Create API Token: Navigate to Settings > API Access in your Abnormal Security dashboard. Click “Generate New Token” or “Create API Key”. Enter a descriptive name for the token (e.g., “SolCyber Integration”). Select the appropriate permissions for threat data access: `threats:read` - Read access to threat data `threats:list` - List threats `threats:get` - Get individual threat details Note API Credentials: Copy the API Base URL and Access Token from the API settings. These will be used in the SolCyber integration. Store the access token securely as it cannot be retrieved again. You will need to provide this information to SolCyber. Step 3: Configure Threat Data Access # Set up Threat Data Permissions: Ensure your API token has access to the threat data you want to ingest. Verify that threat data is being generated and is accessible via the API. Test API Connectivity: Use Postman or cURL to test API requests to Abnormal Security. Verify that you can successfully retrieve threat data using your credentials. Step 4: Network Configuration # Whitelist Databahn IPs: Add Databahn’s IP addresses to your Abnormal Security tenant’s allowed IPs if IP restrictions are enabled. Contact Databahn support for the specific IP ranges. Configure Rate Limits: Review and adjust API rate limits if necessary to accommodate your data ingestion needs. Abnormal Security Integration Reference Cisco Duo Mon, 01 Jan 0001 00:00:00 +0000 Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel. Ingestion of the following types of DUO logs is supported: Duo Security Administrator Duo Security Authentication Log in to the Duo Admin Panel and navigate to Applications. Click Protect an Application and locate the entry for Admin API in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You’ll need to provide these credentials to SolCyber via onetimesecret.com or other secure methods. The required permissions are: Grant read log Grant read information Grant read resource Cisco Umbrella Mon, 01 Jan 0001 00:00:00 +0000 To facilitate log export to a SIEM, you must configure Umbrella logs to be stored in an AWS S3 bucket. We strongly recommend the use of your own S3 bucket, as the Cisco-managed option will have it’s token reset every 90-days. Create an S3 Bucket# When you set up your Amazon S3 bucket, you must add a bucket policy which accept uploads from Umbrella. Copy the following preconfigured JSON and substitute your S3 bucket name for `bucketname`. Then, paste the Umbrella S3 bucket policy into your Amazon S3 bucket policy. Cisco Meraki Firewall Mon, 01 Jan 0001 00:00:00 +0000 Go to Network-wide > Configure > General. Click Add a syslog server to define a new server. Server IP: The Datahan Collector IP address. Port: The SolCyber team will specify the port to use. Roles: The roles to send to the server. Choose the type of events to export: Event Log: The messages from the dashboard under Monitor > Event Log. Flows: Inbound and outbound traffic flow-generated syslog messages that include the source, destination, and port numbers. URL: HTTP GET requests generating syslog entries. Fortinet Fortigate Firewall Mon, 01 Jan 0001 00:00:00 +0000 Microsoft Azure Security Center Mon, 01 Jan 0001 00:00:00 +0000 Open the Azure Active Directory resource in the Azure Portal. Click App registrations > New Registration. Provide a name, and select the account scope to Single tenant. Click Register. Click on the new application created on the App registration screen. Copy the Client ID and Tenant ID, and then click View API permissions. Click Add a permission, and then click the Microsoft Graph API. Click Application permissions, search for SecurityEvents, and then select SecurityEvents.Read.All. Microsoft EntraID Events Mon, 01 Jan 0001 00:00:00 +0000 Login to Azure portal. Locate App registrations using the Search bar from Dashboard. Click New Registration from the App registrations screen to register an application. Provide the following details in the Register an application screen: Name: SolCyber AzureAD Users Supported account Types: Select the Accounts in this organizational directory only option. Click Register. Make a copy of Application (client ID) and Directory (tenant ID) for the application from the Application screen. Click API Permission. Click Add a permission. A new Request API Permissions screen is displayed. Select Microsoft Graph from the Request API permissions screen. Office 365 (Azure AD, Exchange, SharePoint, General) Mon, 01 Jan 0001 00:00:00 +0000 Log in to the Azure portal as an admin and search for App registrations in the top search bar. Click + New registration. Enter the following details on the Register an application page: Name: SolCyber-O365 Supported account types: Accounts in this organizational directory only (Single Tenant) Click Register. You will be redirected to the new application overview screen. Copy the Application (client) ID and Directory (tenant) ID. You will need to provide these to SolCyber. Palo Alto Firewall Mon, 01 Jan 0001 00:00:00 +0000 Step 1. Create a Syslog Server Profile # Navigate to: Device > Server Profiles > Syslog Configure the following: Syslog Name: Enter a name for the syslog profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Name: Click Add and enter a name for the syslog server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Qualys Vulnerability Management Mon, 01 Jan 0001 00:00:00 +0000 Log into Qualys Console: Navigate to your Qualys Security Operations Center (SOC) Sign in with your administrative credentials Create Service Account: Go to Users > Users Click New > User Provide username and strong password While creating the new user: Assign the user a Manager role. Open the User Role side tab. From the role drop-down, select Manager. Enable the option for API access so the role supports API usage. Complete the user creation process and save the user. You will need to provide the following information to SolCyber: Sailpoint Mon, 01 Jan 0001 00:00:00 +0000 Step 1: Create Sailpoint Application # Log in to Sailpoint IdentityNow: Navigate to your Sailpoint IdentityNow tenant. Go to Admin > Applications. Create New Application: Click “Create Application”. Enter a name for your application (e.g., “SolcyberIntegration”). Select “OAuth Client” as the application type. Click “Create”. Step 2: Configure Application Settings # Grant API Access: In the “OAuth Scopes” section of your application, enable the following scopes: `sp:scopes:default` `sp:read:audit-events` `sp:read:activity-events` `sp:read:account-activity` `sp:read:tenant-settings` Note Application Credentials: Copy the Client ID and Client Secret from the application settings. Note your Base URL (e.g., `https://your-tenant.identitynow.com`). You will need to provide this information to SolCyber. Step 3: Configure Log Collection # Enable Audit Logging: Go to Admin > Audit Configuration in your Sailpoint IdentityNow tenant. Ensure audit logging is enabled for the following events: Authentication events Authorization events User management events Role and permission changes Access reviews and certifications Configure Activity Logging: Go to Admin > Activity Configuration. Enable activity logging for: User login/logout events Application access events Data access events Administrative actions Configure Account Activity Logging: Go to Admin > Account Activity Configuration. Enable account activity logging for: Account provisioning and deprovisioning events Account attribute changes Account status changes Account access and modification events Step 4: Network Configuration # Whitelist Databahn IPs: Add Databahn’s IP addresses to your Sailpoint tenant’s allowed IPs if IP restrictions are enabled: 3.229.112.66 3.223.27.127 52.201.54.124 52.203.151.207 Configure CORS (if needed): If using web-based authentication flows, ensure CORS is properly configured. Sailpoint Integration Reference Zscaler ZPA Mon, 01 Jan 0001 00:00:00 +0000 Go to Configuration & Control > Private Infrastructure > Log Streaming Service > Log Receivers. Click Add Log Receiver. The Add Log Receiver window appears. In the Add Log Receiver window, configure the following tabs: Log Receiver On the Log Receiver tab: Name: Enter a name for the log receiver. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ). Description: Optional. Domain or IP Address: Enter IP address for the log receiver. TCP Port: Enter the TCP port number provided by SolCyber. TLS Encryption: Select DISABLED. App Connector Groups: Choose the App Connector groups that can forward logs to the receiver, and click Done. Click Next.