This guide covers how to set up Arista NDR with Workbench via Webhook.
Prerequisites
- You must have admin access in Workbench to set up this integration.
- You must have user and role creation privileges in Arista NDR.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Add a New User Account in Arista NDR
- Add Arista NDR as a Security Device in Workbench
- Configure Forwarding Alerts from Arista NDR to Expel
Step 1: Add a New User Account in Arista NDR
- Log in to Arista NDR.
- Select the Settings (gear) icon in the top right.
- Select Users from the dropdown.
- On the Manage Users & Roles page, select Add New User.
- Configure the New User as follows:
- Username - enter "expel_analyst".
- Display Name - enter "Expel Analyst".
- Email - enter "soc+<Your_Organization_Name>@expel.io".
- For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
- Initial Password - specify a password for the new account.
- Confirm Password - confirm the new account password.
- Still in the New User window, select the Roles & Capabilities tab.
- Clear the default role and use the dropdown to assign the Tier 3 Analyst role.
- Select Save.
Step 2: Add Arista NDR as a Security Device and Obtain Webhook Credentials in Workbench
Now that you have the necessary credentials, you can configure the integration in Workbench.
Note
If your device is on-prem, you will need to add each Nucleus individually based on the below instructions.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select Add Security Device.
- In the search box, type “Arista” and then select the Arista NDR (via Webhook) integration.
- A configuration pane displays. Complete the fields as follows:
- Where is your device? - select Cloud or On-Prem (on-premises) installation.
- For On-Prem, choose the assembler that will be forwarding the logs.
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName Arista NDR”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- For now, skip the Webhook fields.
- Server URL - enter the URL used to log in to Arista NDR.
- For On-Prem, this value will be the IP rather than the cloud console URL.
- Arista NDR API login username - enter the username created in Step 1.
- Arista NDR API login password - enter the password created in Step 1.
- Select Save.
- On the console access screen, select Set up now (recommended) from the dropdown and provide your Arista console URL and the user credentials from Step 1.
- Select Save.
- On the Security Devices page, select the dropdown arrow for the Arista NDR device you just onboarded and select Edit.
- In the Connection Settings section, webhook credentials have been automatically generated and populated. Copy and save the URL and credentials for use in the next step.
Step 3: Configure Forwarding Alerts from Arista NDR to Expel
Now that you have the webhook credentials, you can configure alert forwarding to Expel's Workbench by adding a new Skill in Arista NDR.
Note
If your device is on-prem, you will need to configure the skill on each Nucleus for each Security Device integration.
- In Arista NDR, use the sidebar to navigate to Manage Detections > Skills.
- Select + Create.
- On the Add Skill page, configure the fields as follows:
- Expression - enter the code snippet provided below, substituting <TOKEN> and <PATH> according to your webhook credentials.
- For <TOKEN>, generate a base64-encoded token from the webhook username and password, joined as "username:password". Use one of the following commands:
- Windows: In PowerShell, run the following command:
[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("username:password"))
- Linux: In Terminal, run the following command (the -n flag is required so that no trailing newline is encoded into the token):
echo -n "username:password" | base64
- Mac: In Terminal, run the following command:
echo -n "username:password" | base64
- For <PATH>, capture the URI path from the generated webhook URL (https://push-ingest.opsv2.expel.io/<PATH>).
- Note: Be sure to include "Basic" in front of the token (without the <>) and a leading forward slash in front of the path (without the <>).
integrations.json.https true {
  headers: [{fst: "Authorization", snd: "Basic <TOKEN>" }] // Content-Type: application/json is added by default
  , host: "push-ingest.opsv2.expel.io"
  , path: "/<PATH>"
  , port: 443
}
- Name - enter "Send alerts to Expel".
- Reference Identifier - enter a unique identifier of your choice.
- Select Save.
- If possible, trigger an alert in Arista or ensure an alert is received in Workbench to verify the configuration was successful.
- To check if alerts are coming through in Workbench, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
- To check on the status of the device in Workbench, navigate to Organization Settings > Security Devices. Select the downward arrow for your device in the first column and choose View details.
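The token and path derivation in Step 3, as an added shell example; this is not code from the Expel or Arista documentation. It assumes a POSIX shell with base64, sed and curl available. The sample username, password and URL path are constructed placeholders, and the optional curl pre-flight check assumes the ingest endpoint accepts a plain HTTPS JSON POST, which the page does not state; that function is defined but not run.

```shell
#!/bin/sh
# Added example, not from the Expel or Arista documentation: derive the <TOKEN>
# and <PATH> values for the Arista NDR skill expression from the Workbench
# webhook credentials, sanity-check the token, and render the expression.
# The sample username, password and URL path near the bottom are constructed
# placeholders, not real credentials.

# Base64 of "username:password" for an HTTP Basic Authorization header.
# printf is used instead of echo so no trailing newline is encoded, and
# tr strips the line wrapping GNU base64 inserts after 76 characters, which
# would otherwise split a long token across two lines in the header.
basic_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a token and confirm it is exactly "username:password". The byte count
# is compared as well as the text, because $(...) strips a trailing newline and
# would otherwise hide the classic "echo without -n" mistake.
verify_token() {
    expected="$1:$2"
    decoded=$(printf '%s' "$3" | base64 -d 2>/dev/null)   # older macOS: base64 -D
    decoded_len=$(printf '%s' "$3" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$decoded_len" -eq "${#expected}" ] && [ "$decoded" = "$expected" ]
}

# Host and path components of the generated webhook URL, for the skill's
# host: and path: fields (the path keeps its leading forward slash).
webhook_host() {
    printf '%s' "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#[/?].*$##' -e 's#:.*$##'
}
webhook_path() {
    printf '%s' "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*##'
}

# Render the skill expression with the placeholders filled in.
skill_expression() {
    token=$(basic_token "$1" "$2")
    cat <<EOF
integrations.json.https true {
  headers: [{fst: "Authorization", snd: "Basic ${token}" }]
  , host: "$(webhook_host "$3")"
  , path: "$(webhook_path "$3")"
  , port: 443
}
EOF
}

# Optional pre-flight check before saving the skill: send the same header the
# skill will send and print the HTTP status code. Assumes the ingest endpoint
# accepts a plain HTTPS JSON POST (an assumption, not stated on the page).
# Defined for manual use; not called below.
test_webhook() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        -H "Authorization: Basic $(basic_token "$1" "$2")" \
        -H 'Content-Type: application/json' \
        -d '{"source":"webhook-setup-check"}' \
        "$3"
}

# Constructed sample values; replace with the credentials copied from Workbench.
SAMPLE_USER='user'
SAMPLE_PASS='pass'
SAMPLE_URL='https://push-ingest.opsv2.expel.io/example/path'

skill_expression "$SAMPLE_USER" "$SAMPLE_PASS" "$SAMPLE_URL"
verify_token "$SAMPLE_USER" "$SAMPLE_PASS" "$(basic_token "$SAMPLE_USER" "$SAMPLE_PASS")" \
    && echo "token verified: decodes to ${SAMPLE_USER}:<password>"
```

Run it with the real webhook username, password and URL in place of the sample values, paste the printed expression into the Expression field, and keep the verify_token check: a token that decodes to anything other than the exact "username:password" string will be rejected by the webhook even though it looks like valid base64.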