Actions and Integrations

This section describes some of the two-way integrations available in Sift Security CloudHunter.

Required Policy in AWS

Actions in AWS are generally triggered using a cross-account role or IAM access key to invoke a Lambda function through an API Gateway. The policy required for the role or access key to trigger the Lambdas is as follows; the account number and API ID must be changed to reflect the settings in your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:*"
      ],
      "Resource": [
        "arn:aws:execute-api:*:[YOUR-ACCOUNT-NUMBER]:[YOUR-API-ID]/*"
      ]
    }
  ]
}
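The template above grants every execute-api action on every region and every stage of the API. The following is an added example, not Sift Security's code, that audits such a policy for over-broad grants and builds the narrower variant a practitioner would normally attach: `execute-api:Invoke` on one stage, method and path. The account number, API ID, region, stage and route name are constructed sample values standing in for the placeholders in the template.

```python
"""Audit the execute-api policy template and build a least-privilege variant.

Added example, not Sift Security's code. PAGE_POLICY is the page's own
template with constructed placeholder values substituted.
"""
import json

# Constructed sample values for the placeholders in the page's template.
ACCOUNT = "123456789012"
API_ID = "abcdef1234"
REGION = "us-west-2"

PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["execute-api:*"],
            "Resource": [f"arn:aws:execute-api:*:{ACCOUNT}:{API_ID}/*"],
        }
    ],
}


def audit_execute_api_policy(policy):
    """Return a list of findings describing over-broad Allow grants."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            if action in ("*", "execute-api:*"):
                findings.append(
                    f"statement {idx}: action {action!r} also grants "
                    "execute-api:ManageConnections and execute-api:InvalidateCache"
                )
        for res in resources:
            if res == "*":
                findings.append(f"statement {idx}: resource '*' covers every API")
                continue
            # Layout: arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/METHOD/PATH
            parts = res.split(":", 5)
            if len(parts) < 6:
                findings.append(f"statement {idx}: unparseable ARN {res!r}")
                continue
            region, api_and_path = parts[3], parts[5]
            if region == "*":
                findings.append(f"statement {idx}: region wildcard in {res!r}")
            api_path = api_and_path.split("/", 1)
            if len(api_path) < 2 or api_path[1].startswith("*"):
                findings.append(
                    f"statement {idx}: {res!r} covers every stage, method and path"
                )
    return findings


def least_privilege_policy(account, api_id, region, stage, method, path):
    """Build a policy that permits only invoking the named route."""
    path = path.strip("/")
    arn = f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method.upper()}/{path}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": [arn]}
        ],
    }


# Constructed route: stage "prod", POST to /actions.
TIGHT_POLICY = least_privilege_policy(ACCOUNT, API_ID, REGION, "prod", "POST", "actions")

if __name__ == "__main__":
    for finding in audit_execute_api_policy(PAGE_POLICY):
        print(" -", finding)
    print(json.dumps(TIGHT_POLICY, indent=2))
```

Running the audit against the page's template reports three findings (action wildcard, region wildcard, stage/method/path wildcard); the tightened policy reports none. If the integration needs to call several routes, list one resource ARN per route rather than falling back to `/*`.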

Generic REST API Integration

This integration provides a method to integrate any external application that has a REST API with Sift Security.

Features

  • REST Methods supported: GET, POST, PUT, DELETE
  • Authentication Methods supported: Basic Auth, Digest Auth, OAuth 1.0 and No Auth
  • We JSON encode all key-value pairs provided to the agent. We chose JSON since it covers a large portion of available APIs that we typically integrate with.

Setup

Navigate to Configuration > Integrations, and click on the edit button next to ‘Generic REST API Integration’.

  1. Step-1: Provide/Edit the integration name

  2. Step-2: Provide the Section and Section Element where you want the integration to appear

  3. Step-3: Add any new fields you need. Do not change or edit the fields method and auth. Note that the other fields you create here are displayed in the UI and passed to the endpoint as query-string parameters in JSON format for a GET request, and as body parameters in JSON format for a POST, PUT or DELETE request.

  4. Step-4: This is where the endpoints for the integration and the authentication parameters are set up. Providing a URL is essential. Beyond that, provide the parameters required for the authentication method you choose, and delete all other environment variables.

    • For No Auth, there is nothing to do.
    • For Basic Auth and Digest Auth, provide values for username and password.
    • For OAuth 1.0, provide values for key, secret, token and token_secret.
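To make the encoding rules in Step-3 and Step-4 concrete, here is an added example (not the Sift Security agent's code) that builds the outgoing request from the configured method, URL, fields and authentication choice. It assumes the fields are JSON-encoded one value per key into the query string for GET and as a single JSON body otherwise; only No Auth and Basic Auth are built, since Digest Auth and OAuth 1.0 need a challenge or signature round trip that a stand-alone builder cannot show. Because Basic Auth merely base64-encodes the credentials, the builder refuses to send an authenticated request over plain http.

```python
"""Build the request the Generic REST API integration would send.

Added example, not Sift Security's agent code. Assumptions: the field dict
is JSON-encoded per value into the query string for GET and sent as a JSON
body for POST/PUT/DELETE; only No Auth ("none") and Basic Auth ("basic")
are implemented here.
"""
import base64
import json
from urllib.parse import urlencode, urlsplit

SUPPORTED_METHODS = ("GET", "POST", "PUT", "DELETE")


def check_transport(url, auth):
    """Credentials may only travel over TLS; unauthenticated calls are unrestricted."""
    scheme = urlsplit(url).scheme.lower()
    return auth == "none" or scheme == "https"


def build_request(method, url, fields, auth="none", username=None, password=None):
    """Return (method, url, headers, body) for one integration call."""
    method = method.upper()
    if method not in SUPPORTED_METHODS:
        raise ValueError(f"unsupported method {method}")
    if not check_transport(url, auth):
        raise ValueError(f"{auth} auth over non-TLS URL {url!r} would expose credentials")

    headers = {}
    if auth == "basic":
        if username is None or password is None:
            raise ValueError("basic auth requires username and password")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    elif auth != "none":
        # Digest and OAuth 1.0 are supported by the integration but need a
        # server challenge / request signature, which is out of scope here.
        raise ValueError(f"auth method {auth!r} not built by this example")

    body = None
    if method == "GET":
        # Each value is JSON-encoded, then the pairs are URL-encoded.
        query = urlencode({k: json.dumps(v) for k, v in fields.items()})
        separator = "&" if urlsplit(url).query else "?"
        url = f"{url}{separator}{query}"
    else:
        headers["Content-Type"] = "application/json"
        body = json.dumps(fields)
    return method, url, headers, body


if __name__ == "__main__":
    # Constructed endpoints and field values.
    print(build_request("GET", "https://api.example.com/v1/lookup",
                        {"ip": "10.0.0.5", "limit": 5}))
    print(build_request("POST", "https://api.example.com/v1/tickets",
                        {"title": "Suspicious login", "severity": 3},
                        auth="basic", username="svc", password="s3cret"))
```

The GET form shows why Step-3 warns that field values are JSON-encoded: a string field arrives quoted (`ip=%2210.0.0.5%22`), which the receiving API must expect.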

Export to AWS SNS

This describes the integration between Sift Security and the AWS SNS Service.

Assumptions

  • The customer already has a topic (and thus the ARN for the SNS topic) and subscription setup in their AWS environment
  • The customer is using one of three methods to provide authentication to this integration:
    • Providing the access key ID and secret access key
    • Providing role based access (i.e., providing the role ARN and external ID along with the access key ID and secret access key)
    • Attaching the role permissions to the instance

Setup and Functionality

  1. To set it up, navigate to the Configuration tab in the Sift Security UI, followed by the Integrations section. Click on the edit button (‘pencil’ icon) next to the agent named ‘Export to AWS SNS’.

    1. Navigate to step 4 of the wizard and provide authentication information:

      1. Provide the TopicArn (this is the topic resource number from AWS)
      2. If you’re using the key based access, fill in the values of aws_access_key_id, aws_region_name, and aws_secret_access_key.
      3. If you’re using role based access, fill in the values of aws_access_key_id, aws_region_name, aws_secret_access_key, aws_role_arn and aws_external_id.
      4. If you’re planning to attach a role to the AWS instance this integration is operational on, there is nothing to be done other than providing the TopicArn.
    2. Hit Submit
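The three credential options in step 4 differ in which fields must be present together, and a partially filled form is the usual source of a silently failing export. As an added example (not Sift Security's agent code), the following resolves which mode a configuration describes, rejects incomplete or malformed input before anything is published, and shows the corresponding boto3 session and `sts:AssumeRole` call. The TopicArn format check and the rule that role based access must carry `aws_external_id` are this example's own assumptions; the field names are the ones listed above, and the configurations are constructed.

```python
"""Resolve and validate the SNS export authentication mode, then publish.

Added example, not Sift Security's agent code. Field names follow the
setup steps; the TopicArn format check and the external-ID requirement for
role based access are assumptions of this example. boto3 is imported only
inside publish_alert, so the validation runs offline.
"""
import json
import re

TOPIC_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_.-]+$")
KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key", "aws_region_name")
ROLE_FIELDS = ("aws_role_arn", "aws_external_id")


def resolve_auth_mode(cfg):
    """Return 'instance_role', 'static_keys' or 'assume_role', or raise ValueError."""
    if not TOPIC_ARN_RE.match(cfg.get("TopicArn", "")):
        raise ValueError("TopicArn missing or malformed")
    keys = {f for f in KEY_FIELDS if cfg.get(f)}
    role = {f for f in ROLE_FIELDS if cfg.get(f)}
    if not keys and not role:
        return "instance_role"  # only TopicArn provided: credentials come from the instance
    if keys != set(KEY_FIELDS):
        raise ValueError(f"key based credentials incomplete, missing {sorted(set(KEY_FIELDS) - keys)}")
    if not role:
        return "static_keys"
    if role != set(ROLE_FIELDS):
        # The external ID is what stops another caller from assuming a role
        # created for this integration (confused deputy); never accept a
        # role ARN without it.
        raise ValueError(f"role based access incomplete, missing {sorted(set(ROLE_FIELDS) - role)}")
    return "assume_role"


def describe(cfg):
    """Mode name, or an 'error: ...' string; convenient for a config pre-check."""
    try:
        return resolve_auth_mode(cfg)
    except ValueError as exc:
        return f"error: {exc}"


def publish_alert(cfg, alert, session_name="sift-sns-export"):
    """Publish one alert to the configured topic and return the SNS MessageId."""
    import boto3  # lazy import: validation above has no AWS dependency

    mode = resolve_auth_mode(cfg)
    if mode == "instance_role":
        session = boto3.Session()  # picks up the instance profile credentials
    else:
        session = boto3.Session(
            aws_access_key_id=cfg["aws_access_key_id"],
            aws_secret_access_key=cfg["aws_secret_access_key"],
            region_name=cfg["aws_region_name"],
        )
    if mode == "assume_role":
        creds = session.client("sts").assume_role(
            RoleArn=cfg["aws_role_arn"],
            RoleSessionName=session_name,
            ExternalId=cfg["aws_external_id"],
        )["Credentials"]
        session = boto3.Session(
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
            region_name=cfg["aws_region_name"],
        )
    topic_region = cfg["TopicArn"].split(":")[3]  # publish in the topic's own region
    sns = session.client("sns", region_name=topic_region)
    subject = str(alert.get("name", "Sift Security alert"))[:100]  # SNS subject limit
    return sns.publish(TopicArn=cfg["TopicArn"], Subject=subject, Message=json.dumps(alert))["MessageId"]


# Constructed configurations covering the three options in step 4, plus one mistake.
TOPIC = "arn:aws:sns:us-east-1:123456789012:sift-alerts"
CFG_INSTANCE = {"TopicArn": TOPIC}
CFG_KEYS = {"TopicArn": TOPIC, "aws_access_key_id": "AKIAEXAMPLE",
            "aws_secret_access_key": "constructed-secret", "aws_region_name": "us-east-1"}
CFG_ROLE = dict(CFG_KEYS, aws_role_arn="arn:aws:iam::123456789012:role/SiftSnsExport",
                aws_external_id="constructed-external-id")
CFG_ROLE_NO_EXTID = dict(CFG_KEYS, aws_role_arn="arn:aws:iam::123456789012:role/SiftSnsExport")

if __name__ == "__main__":
    for name, cfg in [("instance", CFG_INSTANCE), ("keys", CFG_KEYS),
                      ("role", CFG_ROLE), ("role without external id", CFG_ROLE_NO_EXTID)]:
        print(f"{name}: {describe(cfg)}")
```

Run the script on its own to see the validation results for the constructed configurations; `publish_alert` is only invoked with real credentials and a real topic, and is shown so the mapping from form fields to the boto3 and STS calls is explicit.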

Other Integrations

Sift Security provides multiple third party integrations out of the box, and provides a framework for creating new integrations. The existing integrations can be configured through the Integrations tab.

ServiceNow
In addition to ingesting data from ServiceNow, Sift Security can pull data on-demand during an investigation, and create or modify incidents from within the Sift Security UI. This functionality is automatically enabled as soon as the ServiceNow integration is configured.
CarbonBlack
Enables mitigative actions to be taken directly from the graph canvas. For example, you can select a workstation and isolate it from the network. Setting up the CarbonBlack integration i

We also provide a rich plugin framework that enables customers to write their own plugins, described in API Integrations.

  • Write plugins in AWS Lambda to trigger actions in the cloud.
  • Write plugins in a language of your choice, such as Python.
  • Plugin framework supports querying for information from Sift Security and feeding results back through our ingestion pipeline.

Sift Security also provides API access to our internal data described in Sift Security APIs.

  • Sift Security API for querying alerts.
  • Elasticsearch REST API for querying the index.
  • Gremlin REST API for querying the graph.