# BAS Integrations

The BAS Integrations page allows you to connect BAS with your other security products. This lets BAS query the
third-party provider to determine whether that provider detected the actions taken when a procedure ran.

![BAS Integrations page](/static/settings_bas_integration_page.png)

BAS supports integration with the following products.

- [BitDefender GravityZone XDR](#bitdefender-gravityzone-xdr)
- [Carbon Black Cloud](#carbon-black-cloud)
- [CrowdStrike Falcon](#crowdstrike-falcon)
- [DefenseStorm GRID](#defensestorm-grid)
- [Microsoft Defender](#microsoft-defender)
- [Microsoft Sentinel](#microsoft-sentinel)
- [Palo Alto Cortex XDR](#palo-alto-cortex-xdr)
- [SentinelOne Singularity](#sentinelone-singularity)
- [Splunk Cloud](#splunk-cloud) (with Splunk Enterprise Security)
- [Splunk Enterprise](#splunk-enterprise) (with Splunk Enterprise Security)

BAS integrations fall into two categories of capabilities.

1. [Event Viewer](/bas/projects/run/index/#using-the-event-viewer-for-integration-data): BAS finds events with a
high-probability of relevance, and you provide the final acknowledgement and label for that event while associating it
to a play.
2. `Automatic Detection Categorization`: BAS automatically labels/correlates events to the play.
   - Integrations with Automatic Detection Categorization *also* possess `Event Viewer` capability

## Adding an integration

To add an integration, follow the general steps below. See the sections that follow for your exact integration for
any specific details.

1. Select the **Add Integration** button at the top right of the page to display the Add Integration right sidebar
navigation.

   ![Add Integrations](/static/bas/integrations/add_integration.png "Add Integrations")

2. Select the Active slider to set the integration to active (blue) or inactive (gray).

3. Select the desired integration from the Vendor drop-down list.

4. Enter a name of your choice in the *Name* and *Description* fields.

5. Enter a value in the *Viewing Cutoff Time* field. This value, in seconds, is the look-ahead window after a play
runs during which BAS records events from the integration, capturing any resulting event, alert, or detection time.

6. In the *Credentials* field group, select from the following options:

   - Select the *Use Saved Credentials* radio button if you have already created and saved credentials in the BAS
   [Credential Management page](/settings/bas_credentials/). This option is selected by default and allows you to
   choose the credential from the *API Client Credentials* drop-down list.

   - Select the *Create New Credentials* radio button to add your product's API credentials on the fly.

      ![Add BAS credentials](/static/bas/integrations/add_credentials.png)

   - Select the **Test Connection** button to confirm your integration connection.

### BitDefender GravityZone XDR

Capability: `Automatic Play Verification`

Configuring the BitDefender GravityZone XDR integration follows the general instructions above, with the following
differences:

#### BitDefender GravityZone XDR settings

- **API Access URL** (required): Access URL of your BitDefender GravityZone XDR API.
- **Company ID** (required): Your BitDefender GravityZone XDR company ID.

#### BitDefender GravityZone XDR supported credential types

- `API Key [Token]`

#### BitDefender GravityZone XDR required permissions and scopes

### Carbon Black Cloud

Capability: `Automatic Play Verification`

Configuring the Carbon Black Cloud integration follows the general instructions above, with the following differences:

#### Carbon Black Cloud settings

- **API Base URL** (required): Base URL of your Carbon Black API.
- **Organization Key** (required): Your Carbon Black organization key.
  - This key is found within your Carbon Black Cloud instance on the `API Access` page under `Settings`.

#### Carbon Black Cloud supported credential types

- `API Key [ID and Secret]`: Regular use; Common
- `OAUTH`: When integrating through VMware

#### Carbon Black required permissions and scopes

The API key created must have an `access level` with the following permissions:

- `Alerts Category`: read
  - `ThreatMetadata`
  - `Notes`
  - `ThreatHunt`
  - `General information`
- `Search`: create, read, execute
  - `Events`

### CrowdStrike Falcon

Capability: `Automatic Play Verification`

Configuring the CrowdStrike integration follows the general instructions above, with the following differences:

#### CrowdStrike Falcon settings

- **API Base URL** (required): Base URL of your CrowdStrike API.

#### CrowdStrike Falcon supported credential types

- `OAUTH`

#### CrowdStrike Falcon required permissions and scopes

- `Alerts Scope`: read
- `Detections Scope`: read

#### CrowdStrike Falcon integration walkthrough

This integration requires the OAuth client credential type (`OAUTH`). Please refer to the CrowdStrike documentation
for generating these credentials in Falcon.

!!! Note
When creating an API Client, you will need to enable Read access for the Alerts Scope and Detections Scope.
!!!

Select **Let's Get Started** in the walkthrough below to see how to create a CrowdStrike integration with BAS.

{% embed url="https://netspi.navattic.com/9c40w5c" caption="BAS's CrowdStrike integration walkthrough" %}

### DefenseStorm GRID

Capability: `Automatic Play Verification`

Configuring the DefenseStorm GRID integration follows the general instructions above, with the following differences:

#### DefenseStorm GRID settings

- **API Base URL**: Base URL of your DefenseStorm GRID API.

#### DefenseStorm GRID supported credential types

- `API Key [ID and Secret]`

#### DefenseStorm GRID required permissions and scopes

The input token created must be for the API.

### Microsoft Defender

Capability: `Event Viewer`

Configuring the Microsoft Defender integration follows the general instructions above, with the following differences:

#### Microsoft Defender settings

- **Tenant ID** (required): Directory (tenant) ID
  - Found on the `Application Registration` page under `Essentials` in Microsoft Security

#### Microsoft Defender supported credential types

- `OAUTH`

#### Microsoft Defender required permissions and scopes

The client secrets created must be for an `Application` that has been assigned the following permissions in
`Microsoft Entra ID`:

- `Microsoft Graph`
  - `SecurityAlert.Read.All`: application
  - `SecurityEvents.Read.All`: application
  - `SecurityIncident.Read.All`: application
  - `ThreatHunting.Read.All`: application
  - `User.Read`: delegated

### Microsoft Sentinel

Capability: `Event Viewer`

Configuring the Microsoft Sentinel integration follows the general instructions above, with the following differences:

#### Microsoft Sentinel settings

- **Tenant ID** (required): Directory (tenant) ID
  - Found on the `Application Registration` page under `Essentials` in Microsoft Security

#### Microsoft Sentinel supported credential types

- `OAUTH`

#### Microsoft Sentinel required permissions and scopes

The client secrets created must be for an `Application` that has been assigned the following permissions in
`Microsoft Entra ID`:

- `Microsoft Graph`
  - `SecurityAlert.Read.All`: application
  - `SecurityEvents.Read.All`: application
  - `SecurityIncident.Read.All`: application
  - `ThreatHunting.Read.All`: application
  - `User.Read`: delegated

### Palo Alto Cortex XDR

Capability: `Event Viewer`

Configuring the Palo Alto Cortex XDR integration follows the general instructions above, with the following
differences:

#### Palo Alto Cortex XDR settings

#### Palo Alto Cortex XDR supported credential types

- `API Key [ID and Secret]`: Can be set to `Advanced` or `Standard`

#### Palo Alto Cortex XDR required permissions and scopes

The API key created must have `view` access for the following permissions:

- `Components` -> `INVENTORY` -> `Agents` -> `Agent Administration`
- `Components` -> `CASES & ISSUES`

### SentinelOne Singularity

Capability: `Event Viewer`

Configuring the SentinelOne Singularity integration follows the general instructions above, with the following differences:

#### SentinelOne Singularity settings

- **API Base URL** (required): Base URL of your SentinelOne Singularity API.

#### SentinelOne Singularity supported credential types

- `API Key [Token]`

#### SentinelOne Singularity required permissions and scopes

The API key created must be for a `User` or `Service user` assigned a `Role` with the following permissions:

- `Endpoint Threats`: view
- `Threat Intelligence`: view

### Splunk Cloud

Capability: `Automatic Play Verification`

Configuring the Splunk Cloud integration follows the general instructions above, with the following differences:

#### Splunk Cloud settings

- **API Authorization Scheme** (required):
  - Splunk
  - Oauth (Bearer)
- **API Base URL** (required): Base URL of your Splunk Cloud API
  - Splunk typically recommends the default port `8089`
- **Events search** (required): Pre-populates with the following, editable search string from which to pull
security-related events:
  - `(index=windows_events sourcetype=windows_security) OR (index=linux_logs sourcetype IN (linux_audit,linux_secure))`
  - This search string is a typical default configuration for Splunk Enterprise Security
- **Alerts search**: Optional search string from which to pull security-related **alerts**

#### Splunk Cloud supported credential types

- `API Key [Token]`

### Splunk Enterprise

Capability: `Automatic Play Verification`

Configuring the Splunk Enterprise integration follows the general instructions above, with the following differences:

#### Splunk Enterprise settings

- **API Authorization Scheme** (required):
  - Splunk
  - Oauth (Bearer)
- **API Base URL** (required): Base URL of your Splunk Enterprise API
  - Splunk typically recommends the default port `8089`
- **Events search** (required): Pre-populates with the following, editable search string from which to pull
security-related events:
  - `(index=windows_events sourcetype=windows_security) OR (index=linux_logs sourcetype IN (linux_audit,linux_secure))`
  - This search string is a typical default configuration for Splunk Enterprise Security
- **Alerts search**: Optional search string from which to pull security-related **alerts**
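Added example (not BAS's own code) showing how the *Viewing Cutoff Time* from the general steps bounds the events
search above: the window opens when the play ran and extends the cutoff number of seconds forward, so only events
inside it count as evidence of detection. Applying the window as epoch `earliest`/`latest` search modifiers is an
assumption about one way to do it, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Default events search from the Splunk integration settings on this page.
DEFAULT_EVENTS_SEARCH = (
    "(index=windows_events sourcetype=windows_security) "
    "OR (index=linux_logs sourcetype IN (linux_audit,linux_secure))"
)


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; reject naive values so clock offsets cannot skew the window."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a UTC offset: {ts}")
    return dt


def detection_window(play_run_at: str, viewing_cutoff_seconds: int):
    """Return (earliest, latest): the look-ahead window that starts when the play ran."""
    if viewing_cutoff_seconds <= 0:
        raise ValueError("Viewing Cutoff Time must be a positive number of seconds")
    start = _parse(play_run_at)
    return start, start + timedelta(seconds=viewing_cutoff_seconds)


def bounded_search(play_run_at: str, viewing_cutoff_seconds: int,
                   base_search: str = DEFAULT_EVENTS_SEARCH) -> str:
    """Wrap the events search in epoch earliest/latest modifiers (assumed approach, not BAS's)."""
    earliest, latest = detection_window(play_run_at, viewing_cutoff_seconds)
    return (f"search earliest={int(earliest.timestamp())} "
            f"latest={int(latest.timestamp())} {base_search}")


def correlate(events, play_run_at: str, viewing_cutoff_seconds: int):
    """Return ids of events whose _time falls inside the window.

    Events before the play ran, or after the cutoff, are not evidence that the play was detected.
    """
    earliest, latest = detection_window(play_run_at, viewing_cutoff_seconds)
    return [e["id"] for e in events if earliest <= _parse(e["_time"]) <= latest]


# Constructed sample of Splunk results (not real data): one event predates the play,
# one lands inside a 600-second window, one arrives after the cutoff.
SAMPLE_EVENTS = [
    {"id": "ev-1", "_time": "2024-01-01T11:59:30+00:00", "sourcetype": "windows_security"},
    {"id": "ev-2", "_time": "2024-01-01T12:03:10+00:00", "sourcetype": "windows_security"},
    {"id": "ev-3", "_time": "2024-01-01T12:15:00+00:00", "sourcetype": "linux_audit"},
]

if __name__ == "__main__":
    print(bounded_search("2024-01-01T12:00:00+00:00", 600))
    print(correlate(SAMPLE_EVENTS, "2024-01-01T12:00:00+00:00", 600))
```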

#### Splunk Enterprise supported credential types

- `API Key [Token]`

## Editing an integration

To edit the active/inactive status, description, API base URL, and/or API client credentials, follow the steps below.

1. Select the **Edit** button for any of your current integrations to open the Edit Integration right sidebar
navigation.

   ![Edit Integrations](/static/bas/integrations/edit_integration.png "Edit Integrations")

2. Edit any field values and select the **Save** button to save them and return focus to the main Integration page.
