Illusive Active Defense Suite

Overview

This article explains how to ingest Illusive Active Defense Suite logs into Hunters.


Ingestion to Hunters

Illusive Active Defense Suite exports logs in the Common Event Format (CEF).

For Hunters to ingest these logs, they must be collected into a cloud storage service (for example an S3 bucket or Azure Blob Storage) that is shared with Hunters.

To do this, log in to the Illusive Console, enable CEF logging via Syslog and point it at a Syslog server that you own, then ship the logs from that Syslog server to the shared cloud storage service with an on-prem log shipper such as Fluentd.

Supported Format

The format supported by Hunters for the ingestion of Illusive logs is CEF.

Make sure your on-prem logging pipeline does not manipulate the events, so that the files arrive in the shared cloud storage service as plain CEF lines, without extra fields or wrappers.
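The two most common ways a pipeline like the one above breaks the "plain CEF lines" requirement are a Syslog server that leaves its own header in front of each event and a shipper that wraps each event in a JSON envelope. The following script is an added example (not Hunters' or Illusive's code) of a pre-ship check you can run over a file before it lands in the shared bucket: it parses each line as CEF, handling the `\|`, `\\` and `\=` escapes the format uses, and classifies lines that still carry a Syslog prefix, a JSON wrapper, or a malformed header. The sample lines, including the event ID, event name and extension values, are constructed for illustration; only the vendor and product names come from this page.

```python
"""Pre-ship check for Illusive CEF log files (added example; not Hunters' or Illusive's code).

Hunters expects each file in the shared bucket to contain bare CEF lines.  This
script classifies every line as a clean CEF record, a CEF record that still
carries a syslog header, a CEF record wrapped in JSON, a malformed CEF header,
or something that is not CEF at all.  The sample lines at the bottom are constructed.
"""
import json
import re

CEF_PREFIX = "CEF:"
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # 'key=' at start or after whitespace
_ESCAPES = {"n": "\n", "r": "\r"}


def _split_header(body):
    """Split the seven pipe-delimited header fields, honouring '\\|' and '\\\\' escapes.
    Returns (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped pipe or backslash
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == 7:                   # everything after the 7th pipe is the extension
                return fields, body[i:]
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))                    # last field had no trailing pipe
    return fields, ""


def _parse_extension(ext):
    """Parse 'key=value key2=value2' into a dict, unescaping '\\=', '\\\\', '\\n' and '\\r'."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: _ESCAPES.get(e.group(1), e.group(1)), raw).strip()
    return out


def parse_cef(line):
    """Parse one bare CEF line into a dict; raise ValueError if the header is malformed."""
    if not line.startswith(CEF_PREFIX):
        raise ValueError("line does not start with CEF:")
    fields, ext = _split_header(line[len(CEF_PREFIX):])
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}")
    record = dict(zip(HEADER_FIELDS, fields))
    record["extension"] = _parse_extension(ext)
    return record


def classify_line(line):
    """Return one of: clean, syslog_prefixed, json_wrapped, malformed, not_cef, empty."""
    text = line.strip()
    if not text:
        return "empty"
    if text.startswith(CEF_PREFIX):
        try:
            parse_cef(text)
            return "clean"
        except ValueError:
            return "malformed"
    if text.startswith("{"):
        try:
            json.loads(text)
            return "json_wrapped"             # e.g. a shipper's {"message": "..."} envelope
        except ValueError:
            pass
    if CEF_PREFIX in text:
        return "syslog_prefixed"              # e.g. '<PRI>timestamp host CEF:0|...' left by the syslog server
    return "not_cef"


def audit(lines):
    """Count each category; only an all-'clean' file is ready for the shared bucket."""
    counts = {}
    for line in lines:
        kind = classify_line(line)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample lines: vendor/product reflect the page; version, event id,
# name and extension values are made up for illustration.
SAMPLE_LINES = [
    "CEF:0|Illusive|Illusive Active Defense Suite|1.0|100|Deception alert|8|"
    "src=10.0.0.5 dst=10.0.0.9 msg=lure accessed\\=yes cs1=C:\\\\lure\\\\file.txt",
    "<134>Jan  1 00:00:00 syslog-host CEF:0|Illusive|Illusive Active Defense Suite|1.0|100|Deception alert|8|src=10.0.0.5",
    '{"message": "CEF:0|Illusive|Illusive Active Defense Suite|1.0|100|Deception alert|8|src=10.0.0.5"}',
    "CEF:0|Illusive|Illusive Active Defense Suite|1.0",
    "plain text line from another source",
]

if __name__ == "__main__":
    for kind, n in sorted(audit(SAMPLE_LINES).items()):
        print(f"{kind}: {n}")
```

Run it against a file that your shipper has already written (for example `audit(open(path).readlines())`); anything other than `clean` counts means the pipeline is still adding a header or a wrapper, and the fix belongs in the shipper's output format rather than in a post-processing step that rewrites events.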