Integrations#

The Admin > Integrations category provides access to the configuration views for the various third-party integrations that can be enabled in Scrutinizer.

Click on an integration type below to learn more:

ASA ACL Descriptions

Add/edit ASA firewall credentials for ACL description retrieval

Endace Probes

Configure Endace packet capture appliances for deep packet inspection and forensics

Email Server

Configure SMTP server settings for email notifications and reports

Flow Log Ingestion

Configure and manage Azure, AWS, OCI, or GCP flow log ingestion sources

Product Connectors

Enable/disable and configure third-party integrations for Explore > Exporters view

STIX-TAXII

Add and manage STIX-TAXII threat intelligence feeds

ServiceNow

Configure and manage ServiceNow instances for incident/ticket generation via notifications and collections

Viptela Settings

Enable/disable and configure Viptela integration for Cisco vManage devices

ASA ACL Descriptions#

ASA ACL Descriptions integration allows Scrutinizer to retrieve Access Control List (ACL) descriptions from Cisco ASA firewalls via SSH, providing additional context for security policy analysis and reporting.

ASA firewall credentials are added from the Admin > Integrations > ASA ACL Descriptions page as follows:

  1. In the ASA ACL Description configuration tray, enter the Enable password to be used. If left blank, the SSH password will be used.

  2. Enter the username and password that will be used to SSH into ASA firewalls.

  3. [Optional] Tick the Only Active toggle to exclude any ACLs with a hit count of 0 to improve collection time.

  4. Click Save.

Hint

To delete one or more ASA ACL Descriptions entries, select them using the checkboxes, and then use the Delete button displayed in the main view or in the Bulk Actions tray.


Endace Probes#

Endace Probes integration allows Scrutinizer to connect with Endace packet capture appliances for deep packet inspection and forensics. For more information, refer to the Endace section of this documentation.

Endace Probes are added from the Admin > Integrations > Endace Probes page as follows:

  1. In Endace Probe configuration tray, enter the following details:

    • Description: Name/description of the probe.

    • IP Address: The hostname or IP address of the Endace appliance.

    • Port: The Endace Vision API port to connect to the probe. The default is 443.

    • User: Username for the Endace Vision API.

    • Password: Password for the Endace Vision API.

  2. [Optional] Click Test to check the connectivity and authentication with the Endace Probe.

  3. Click Save.

Hint

To delete one or more Endace probes entries, select them using the checkboxes, and use the Delete button in the main view or in the Bulk Actions tray.


Flow Log Ingestion#

Scrutinizer can be configured to ingest flow logs from cloud data sources, enabling seamless visibility between on-prem and cloud-based assets.

Data sources are added from the Admin > Integrations > Flow Log Ingestion page as follows:

  1. Click the + button to open the configuration tray for a new data source:

  2. Select the service/type of data source to be added.

  3. Enter the required details in the secondary tray.

  4. [Optional] Click Test to verify that Scrutinizer can access the data source.

  5. Click Save to save the data source configuration.

Once flows originating from a cloud data source are being ingested, any exporters reported–either as part of flow contents or in attached metadata–will be added to Scrutinizer. These devices can then be used similarly to regular exporters in Scrutinizer’s functions (e.g., reports, network maps, Security Groups, etc.).

Hint

To delete one or more flow log ingestion sources, select them using the checkboxes, and then use the Delete button displayed in the main view or in the Bulk Actions tray.

For further information and additional set-up steps for specific cloud providers, see the corresponding sections below:


Product Connectors#

Product Connector provides a generic third-party product integration connector for external tools and dashboards. This enables you to create links to third-party applications and pass variables in URLs for a seamless data exchange between Scrutinizer and external platforms.

A Product Connector can be added from the Admin > Integrations > 3rd Party Integration page as follows:

  1. Click the + button, then select Product Connector from the dropdown menu to open the configuration tray for a new Product Connector.

  2. Select New from the dropdown list to create a new connector.

Hint

Alternatively, select an existing connector from the dropdown list to edit its configuration.

  1. Enter a descriptive name for the connector in the Label field.

  2. Enter the target URL for the third-party tool or dashboard.

  3. Click Save.

Hint

To delete one or more connectors, select them using the checkboxes, and then use the Delete button displayed in the main view or in the Bulk Actions tray.


STIX-TAXII#

Scrutinizer can be configured to ingest threat intelligence from external sources using the STIX and TAXII standards.

Threat intelligence feeds are added and/or managed as follows:

  1. Navigate to Admin > Integrations > STIX-TAXII to open the configuration tray.

  2. Fill in the following fields:

    • Feed Name: A descriptive name for the STIX-TAXII feed.

    • API Root: The TAXII server API root URL provided by the threat intelligence vendor.

    • Collection ID: The Collection ID associated with the TAXII feed.

    • Category: Specify a category to help organize this feed within Scrutinizer.

    • User: Username required to authenticate to the TAXII server.

    • Password: The corresponding password for the user account.

  3. Click Save.

  4. [Optional] Click the Test button to verify that Scrutinizer can access the feed with the configured settings.

After the feed has successfully been added, Scrutinizer will attempt to pull the lists from the TAXII server every time the host reputation list download service runs.

Once imported, STIX-TAXII threat intelligence will be added to Scrutinizer’s (IP only) and the ML Engine’s (IP and domain) reputation algorithms for alarm and event reporting under their respective alarm policies.

Additional tips#

  • Import IP watchlists only. All other indicators will be ignored but can cause the import of IP indicators to fail.

  • Don’t attempt to import IP watchlists that use complex boolean logic to trigger matches.

  • The feature will ingest only independent IP indicators. It will ignore more complex ones.

Note

A complicated indicator included with more basic ones will not prevent them from being imported.


ServiceNow#

The ServiceNow integration allows users to create and manage troubleshooting tickets by automatically linking incident reports to the related data in Scrutinizer.

ServiceNow instances are added/configured as follows:

  1. Navigate to Admin > Integrations > ServiceNow to open the configuration tray.

  2. Enter the following details for the ServiceNow instance to be added:

    • Unique name for the instance (used only within Scrutinizer)

    • Instance URL

    • Username to be used to connect to the ServiceNow instance

    • Password associated with the username

    Important

    The ServiceNow user registered in Scrutinizer must be assigned the sn_incident_write role.

  3. Verify that the details entered are correct, and then click Save.

  4. [Optional] Click the Test button to confirm that the ServiceNow instance has been correctly configured.

Once ServiceNow integration has been enabled, the ServiceNow instance name will be added as an option when managing collections or configuring notification profiles for alarm policies.


Viptela Settings#

The Viptela Settings option configures integration with Cisco SD-WAN (Viptela) to collect topology and policy information via API. This integration enables SD-WAN topology visualization and policy enforcement monitoring in Scrutinizer. Viptela flow data is collected via API, which can be enabled as follows:

  1. Navigate to Admin > Integrations > Viptela Settings to open the configuration tray for a new Viptela integration entry.

  2. Tick the checkbox to enable the Viptela integration and configure the following required fields:

    • Viptela vManage NMS (or Cisco Catalyst SD-WAN Manager) IP address or hostname

    • Password for the login account to use for API requests

    • Port to use for API requests (default: 8443)

    • Username for the login account to use for API requests (must have full read access)

  3. If necessary, configure the following optional fields:

    • Maximum number of Viptela API requests that can be processed concurrently (default: 10)

    • Maximum number of records that should be returned by each Viptela API request (default: 1000)

    • Protocol to use for API requests (default: HTTPS)

  4. Click the Test button to verify that Scrutinizer is able to access the Viptela SD-WAN API with the provided credentials.

  5. Click Save.

Once saved, the summary table will refresh to display the new Viptela integration entry. Additional SD-WAN-related report types and topology visualization features will become available.