How to develop a new integration

Before starting, make sure that the integration you want to develop does not already exist:

  1. Check our Integration catalog
  2. Check also our roadmap portal for upcoming integrations
  3. If you still have doubts, ask our Support for confirmation

What is your use case?

  • You want to ingest data from a product not supported by Sekoia, go to this section
  • You want to modify an existing intake, go to this section
  • You want to create a new automation, go to this section

List of development use cases

Use case 1. You want to ingest data from a product not supported by Sekoia

Step 1. Understand the general concepts

Warning

For this use case, you must already be able to forward your data into the Sekoia SOC platform with one of the existing ingestion methods.

Before starting, read this overview of intake format to get a grasp of the general concepts.

Step 2. Create your custom intake

To ingest a new format of data, you will first create a custom format with the custom parser editor. A custom format describes how data are extracted from an event.

Create a custom format to describe the format of the data to extract:

  • Start by creating a custom format
  • Write the parser of the custom format by following this guide

Info

Additional resources to support development:

  • Best practices for authentication logs
  • An e-learning module on the development of custom formats is available in our training catalog; you can request access here

Once you are done, you will create a custom intake based on this custom format. A custom intake is an instance of your custom format.

  1. Click on + Intake on the Intakes homepage
  2. Choose the custom format that you have created (you can search for a custom format by its name)
  3. Click on the Create button of the custom format
  4. Provide an intelligible name
  5. Select the entity to which you want to associate the corresponding data
  6. Click on Create
  7. Find your newly created source of events as well as the intake key in the Intakes homepage

You have now successfully ingested data from a new product. If you would like to share your custom format to the cybersecurity community or let Sekoia handle the maintenance of this custom format, proceed to the next step.

Step 3. Homologate your custom format in the Sekoia catalog (optional)

If you have created a new format and want Sekoia to manage its maintenance, you can request homologation for your custom format. Once approved, the format will be added to Sekoia's public catalog.

Info

To homologate your custom format, you will need to contribute through our GitHub repository.

Use case 2. You want to modify an existing intake

You would like to parse additional fields in an existing intake or modify the way existing fields are extracted. To do this, you can create a custom format based on an existing intake:

  1. Click on + Intake on the Intakes homepage
  2. Search for the intake you wish to modify
  3. Click on the See format button at the top right of the card
  4. Click on the Duplicate button at the top right of the custom parser editor
  5. Modify the parser by using this guide

Once you have finished your modifications, create a custom intake based on this new custom format.

Use case 3. You want to create a new automation

Warning

Please note that all automations are published in the public library of the Sekoia SOC platform, making them accessible to other Sekoia customers. Support for private automations is currently in development.

Step 1. Understand the general concepts

Before developing a new playbook trigger or playbook action, read this overview of automations to get a grasp of the general concepts of automations.

Step 2. Create your automation

Once you have acquired a basic understanding of automations:

Step 3. Homologate your automation in the Sekoia catalog

The last step is to homologate your automation in order to make it available in the automation library.