
Lastline Integration Guide

Syslog notifications must be configured in the Lastline Portal in order to send logs via syslog to the Taegis™ XDR Collector. Please follow the instructions in this guide to enable logging for your sensors.

Connectivity Requirements

Source             Destination                Port/Protocol
Lastline Sensor    XDR Collector (mgmt IP)    UDP/514

Data Provided from Integration

Normalized Data Out-of-the-Box Detections Vendor-Specific Detections
LastLine Auth NIDS

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuration Instructions

Consider the following requirements when completing the configuration steps:

  • SIEM Server Location — The IP address of the XDR Collector
  • SIEM Server Port — 514
  • Protocol — UDP
  • Format — LEEF
  • Include PCAP — Enabled

To configure logging in the Lastline Portal, please follow these instructions:

  1. In the Lastline Portal, select Admin from the main menu, and then alter your view from Accounts to Notifications.


  2. On the Notifications page, select Syslog, and then select the + Add a notification icon above the table.


  3. In the Create Syslog Notification section, complete the following:

    • Select the License if you have more than one.
    • Select the Sensor for which you would like to set up logging.
    • Leave the remaining standard settings.


  4. In the SIEM Server Settings section, complete the following:

    • SIEM Server Location — Enter the IP address of the XDR Collector.
    • SIEM Server Port — 514
    • SIEM Hostname — Leave blank.
    • Transport protocol — UDP
    • SIEM Source — Select either Manager or Sensor as the originating source, depending on your network topology.
    • SIEM Log Format — LEEF
    • Include pcap — Enabled


  5. In the Triggers section, complete the following:

    • Select the toggle to enable Audit Triggers and then check Audit Event.
    • Select the toggle to enable Intrusion Triggers and then check Intrusion Event.
    • Leave the remaining default settings.


  6. Scroll down and select Save. A Syslog Notification Configuration Summary window displays, from which you can choose to Send Test Notification, Edit the configuration, or Close to return to the Syslog Notifications page.
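To confirm that the sensor's messages actually arrive on the collector host (for instance after Send Test Notification in step 6), the following added example, which is not Taegis or Lastline code, listens on UDP/514 and parses each datagram's LEEF payload. The sample line and its field values are constructed, and the header layout is assumed from the public LEEF format, not from Lastline's documentation.

```python
"""Confirm LEEF syslog from the Lastline sensor reaches the collector host.

Added example for this guide, not Taegis or Lastline code. Assumes the public
LEEF header layout (LEEF:Version|Vendor|Product|Version|EventID|extension) and
tab as the default attribute delimiter; the sample line below is constructed.
"""
import socket

# Constructed sample: a syslog line carrying a LEEF payload, shaped like what a
# sensor might emit after "Send Test Notification". Values are placeholders.
SAMPLE = ("<134>Jan 01 00:00:00 sensor01 LEEF:1.0|Lastline|Sensor|1.0|"
          "Intrusion Event|\tsrc=10.0.0.5\tdst=192.0.2.10\tseverity=high")


def parse_leef(line):
    """Return the LEEF header fields and attributes, or None if not LEEF."""
    start = line.find("LEEF:")
    if start < 0:
        return None
    parts = line[start:].split("|", 5)
    if len(parts) < 6:
        return None
    version, ext, delim = parts[0][len("LEEF:"):], parts[5], "\t"
    # LEEF 2.0 may name a custom delimiter (literal char or xHH) before the extension.
    if version == "2.0" and "|" in ext:
        spec, ext = ext.split("|", 1)
        delim = chr(int(spec[1:], 16)) if spec.startswith("x") else spec
    attrs = {}
    for item in ext.split(delim):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key] = value
    return {"version": version, "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "attrs": attrs}


def listen(port=514, count=1):
    """Receive `count` UDP datagrams on `port` (binding 514 needs root) and parse each."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))  # all interfaces; narrow to the mgmt IP if needed
        while len(events) < count:
            data, (src_ip, _) = sock.recvfrom(65535)
            events.append((src_ip, parse_leef(data.decode("utf-8", "replace"))))
    return events


if __name__ == "__main__":
    for src, event in listen():
        print(src, "LEEF ok" if event else "not LEEF", event)
```

Run it on the collector host while sending the test notification; a datagram that arrives from the sensor's address but parses as "not LEEF" points at the SIEM Log Format setting rather than at connectivity.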