Ziele

Canary

What is it good for?

The Canary destination lets you to synchronise the scarlet source addresses into your ignore lists, which means you can avoid any false-positives from the normal scarlet scanning.

How do I obtain access credentials?

Canary uses a Domain Hash and Auth Token as credentials. To obtain them, follow these steps:

Login to Canary as an admin user.
Select the setup icon in the top-right corner of the screen.
From the menu, select Global Settings, and then API
Make sure that Enable API, is set.
If everything works as expected, the new Domain Hash and Auth Token will now be displayed.

Confluence

What is it good for?

The Confluence destination is a great place to document your attack surface. Everything is timestamped, and the version history settings within Confluence make it easy to track changes over time.

How do I obtain access credentials?

Confluence uses an API User and API Token as credentials. To obtain them, first create a new user with minimal access privileges (this will be the API User), then follow these steps:

Login to Confluence as the new user.
Select the profile icon in the top-right corner of the screen.
From the menu, select Settings, and then Password
Select Create and manage API tokens, then select the Create API Token button.
Enter scarlet for the label, and then select the Create button.
If everything works as expected, the new API Token will now be displayed.

The Confluence URI can be obtained by creating a new page for the attack surface data, and then browsing to it. The URI will look a bit like:

https://{server}/wiki/spaces/IT/pages/6237622/attack+surface

which can be converted to an API URI like:

https://{server}/wiki/rest/api/content/6237622

How do I restrict access to a Confluence instance?

If your firewall technology supports dynamic rules (most do) then create a rule that limits the source to dispatcher.scarlet.ae

Discord

What is it good for?

The Discord destination is rate-limited, so only really good for moderate usage. When being rate limited, messages can also be discarded or displayed in an unexpected order, which might be confusing. To help avoid this, we'd recommend separating the different event classes into different channels (sending the asset events to one channel, and the general scarlet events to another).

How do I obtain access credentials?

Discord uses a Webhook as credentials. To create one, follow these steps:

Login to Discord.
From the menu, select your server, then Server settings.
From the menu, select Integrations, then the Create webhook button.
Enter scarlet for the name, select the channel you wish to use, then select the Save button.
If everything works as expected, you should be able to select the Copy Webhook URL button.

Elasticsearch

What is it good for?

The Elasticsearch destination is good for all types of events and all levels of volume. Everything is timestamped, and the Elastic Common Schema (ECS) standard that we use is well supported by third-party tools and scripts.

How do I obtain access credentials?

Elasticsearch uses an API ID and API key as credentials. To create them, follow these steps:

Login to Elasticsearch.
From the menu, select API console.
Select PUT, /scarlet, and
{}
Select the Submit button.
Select POST, /_security/api_key, and
{
    "name": "scarlet",
    "role_descriptors": {
        "role": {
            "cluster": [ "all" ],
            "index": [ {
                "names": [ "scarlet" ],
                "privileges": [ "write" ]
            } ]
        }
    }
}
Select the Submit button.
If everything works as expected, the new API ID and API key will now be displayed.

How do I restrict access to an Elasticsearch instance?

If your firewall technology supports dynamic rules (most do) then create a rule that limits the source to dispatcher.scarlet.ae

Qualys

What is it good for?

The Qualys destination is a great place to send your attack surface data. scarlet will synchronise all your assets and virtual hosts into Qualys, and update any asset descriptions to make them clear and easy to identify.

How do I obtain access credentials?

Qualys uses an API User and API Password as credentials. To create them, follow these steps:

Login to the Qualys Portal, then select the Vulnerability Management (VM) module.
From the menu, select Users.
Select the New button, then User.
Select the User Role tab, then set User Role to Manager.
Complete the rest of the details as required.
Select the Save button.
If everything works as expected, you will be sent an email to complete the process, and at the end the new API User and API Password will be displayed.

The Qualys URI can be obtained by selecting Help, then About. The API host is in the Security Operations Center (SOC) section of the page, and this should be converted into a standard URI, which will look something like:

https://qualysapi.qg2.apps.qualys.eu

Sentinel

What is it good for?

The Sentinel destination is good for all types of events and all levels of volume. Everything is timestamped, and the Elastic Common Schema (ECS) standard that we use is well supported by third-party tools and scripts.

How do I obtain access credentials?

Sentinel uses a Webhook as credentials. To create one, follow these steps:

Login to the Azure Portal.
From the search bar, select Logic Apps.
Select the Add button.
Complete the details as required.
Select the Review and create button, then the Create button.
Select the Go to Resource button.
From the menu, select Logic app designer.
When the templates are displayed, select the When a HTTP request is received option.
The first step should now be displayed, with the webhook URI set to URL will be generated after save.
Select the New step button, then the Azure Log Analytics Data Collector button.
Set the JSON Request body option to Body, then set Custom Log Name to scarlet.
Finally, from the menu, select the Save option.
If everything works as expected, you should be able to click back on the first, HTTP step, where the new Webhook will now be displayed.

Slack

What is it good for?

The Slack destination is rate-limited, so only really good for moderate usage. When being rate limited, messages can also be discarded or displayed in an unexpected order, which might be confusing. To help avoid this, we'd recommend separating the different event classes into different channels (sending the asset events to one channel, and the general scarlet events to another).

How do I obtain access credentials?

Slack uses a Webhook as credentials. To create one, follow these steps:

Login to Slack.
From the menu, select More, then Apps.
Add the Incoming Webhook if the app is not listed.
Select the Incoming Webhook app, then the Configuration button.
Select the Add to Slack button.
Select the channel you wish to use, then Add incoming webhooks integration button.
If everything works as expected, the new Webhook will now be displayed.

Splunk

What is it good for?

The Splunk destination is good for all types of events and all levels of volume. Everything is timestamped, and the Elastic Common Schema (ECS) standard that we use is well supported by third-party tools and scripts.

How do I obtain access credentials?

Splunk uses an HEC token as credentials. To create one, follow these steps:

Login to Splunk.
From the menu, select Settings and Data inputs.
Select the Add new button next to HTTP Event Collector.
Enter scarlet for the name, then select the Next button.
Select the Review button.
Select the Submit button.
If everything works as expected, the new HEC token will now be displayed.

How do I restrict access to a Splunk instance?

If your firewall technology supports dynamic rules (most do) then create a rule that limits the source to dispatcher.scarlet.ae

Teams

What is it good for?

The Teams destination is rate-limited, so only really good for moderate usage. When being rate limited, messages can also be discarded or displayed in an unexpected order, which might be confusing. To help avoid this, we'd recommend separating the different event classes into different channels (sending the asset events to one channel, and the general scarlet events to another).

How do I obtain access credentials?

Teams uses a Webhook as credentials. To create one, follow these steps:

Login to Teams.
From the menu, select your team, the ... next to the name, then Manage team.
Select the Apps tab, and if the Incoming Webhook app is not listed, then add it.
Select the Channels tab, select the channel you wish to use, the ... next to the name, then Connectors.
Select the Incoming Webhook app, then the Configure button.
Enter scarlet for the name, then select the Create button.
If everything works as expected, the new Webhook will now be displayed.