
Commit 18da4e9

Update extensions.md
1 parent 4896fc2 commit 18da4e9


1 file changed: +19 -0 lines changed


docs/extensions.md

Lines changed: 19 additions & 0 deletions
@@ -12,6 +12,7 @@ This is documentation for integrating and sending data from third-party services
1212
* [Azure AD - OpenID](#azure-ad)
1313
* [Other SSO providers](#other)
1414
* [Testing SSO](#sso-testing)
15+
* [Detection with Tenzir](#detection-with-tenzir)
1516
* [KMS](#KMS)
1617
* [Native Actions](#native-actions)
1718
* [Webhooks](#webhooks)
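Review bot: the new table-of-contents entry on the `15+` line links to `#detection-with-tenzir`, but the heading this commit adds further down is `## Detection Manager`, which renders with the anchor `#detection-manager`, so the link will be dead. Either rename the heading to "Detection with Tenzir" or change the entry to `* [Detection Manager](#detection-manager)`; the other entries in this list (e.g. `[KMS](#KMS)`, `[Native Actions](#native-actions)`) all point at an existing heading of the same name.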
@@ -226,6 +227,24 @@ https://github.com/user-attachments/assets/0a927283-d39e-4200-8ba3-654ef6f1b9c1
226227

227228
**Note**: Ensure that the "email" field is included in the SSO response from your SSO provider. If this field is empty, you may encounter errors. The email from your SSO provider will be assigned as the username in Shuffle.
228229

230+
## Detection Manager
231+
The Shuffle Detection Manager is a system introduced in beta in December 2024, allowing Shuffle to work with platforms like Tenzir and other systems to help with Detection Engineering. The goal of the system is not to replace actual detection systems themselves, but to offer a centralized way to control Detection rules across tenants and different tools. As an example, **below is a focus on Sigma rules with Tenzir**. The system is tested with Yara rules, Email detection rules and custom rule systems.
232+
233+
### Testing Tenzir + Sigma
234+
1. **Rule Manager:** At least One Shuffle org
235+
2. **Job Handler:** An Orborus instance running
236+
3. **Detection Handler:** A Tenzir instance running on the same server as Orborus **(no setup needed)**
237+
4. **Log Forwarder:** Any system that can forward logs to Tenzir
238+
239+
To test the Tenzir detection system, it is first important to ensure that your Orborus instance is attached to Shuffle, which can be found on the /admin?tab=Locations path. Below is a BAD instance, where Orborus both says "Stopped" AND Pipelines is crossed out. The first goal is to re-enable these.
240+
241+
<img width="791" alt="A bad instance that is not running" src="https://github.com/user-attachments/assets/263975bf-7e07-4675-bc67-ac308e69ec76" />
242+
243+
### Fixing the pipeline setup
244+
To solve the pipeline issue shown in the previous image, we have to do two things:
245+
1. Start Orborus and get it to the "Running" state
246+
2. Go to /detections/Sigma in the UI, and click "Connect" in the top-right corner.
247+
229248
## KMS
230249
Shuffle by default allows you to store authentication tokens within Shuffle itself, which are encrypted in the database. Since February 2024, we additionally support the use of external KMS systems to handle authentication, which is based on [Native Actions](https://shuffler.io/docs/extensions#native-actions) and [Schemaless](https://github.com/frikky/schemaless). Native Actions run in the background to perform the "Get KMS key" action, and the run of the app is NOT stored.
231250
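Review bot: requirement 3 on the `236+` line says a Tenzir instance must be running on the same server as Orborus yet labels it "(no setup needed)", which contradicts the rest of the procedure; state who starts Tenzir (whether Orborus launches it, or the operator must) or drop the parenthetical. The procedure also stops after "click Connect" on the `246+` line: the reader is shown what a bad instance looks like but is never told how to confirm that Orborus reports "Running" and Pipelines is no longer crossed out, or that a Sigma rule actually reaches Tenzir, and the "Log Forwarder" listed as requirement 4 is never used. Consider adding a final "Verify" step describing the expected state on /admin?tab=Locations and /detections/Sigma after the two fixes. Minor: "At least One Shuffle org" should be "at least one Shuffle org", and the image on the `241+` line would benefit from an alt text that names the two indicators ("Stopped" and the crossed-out Pipelines) the paragraph above refers to.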
