Aller au contenu principal

Sekoia XDR Integration

Forward Noxys AI interaction events to Sekoia XDR for centralized European threat detection and incident response.

Overview

This integration enables:

  • Real-time event streaming to Sekoia via webhook
  • Automated threat detection on AI platform usage
  • Incident correlation combining AI and endpoint data
  • EU data residency — All data stays in Europe
  • Compliance reporting for GDPR and EU AI Act

Data Flow:

Noxys Event → Webhook → Sekoia API → Event correlation → Incidents & Alerts

Why Sekoia for European Organizations?

  • EU headquarters in Paris
  • Data residency — All data stored in EU
  • GDPR compliant — No US cloud dependency
  • Specialized in European threats (APTs targeting EU)
  • Supports EU AI Act compliance

Prerequisites

  • Sekoia account with XDR module enabled
  • Sekoia API key (space-level)
  • Noxys admin role
  • HTTPS connectivity

Step 1: Get Sekoia API Credentials

Create API key in Sekoia for Noxys access.

  1. Sekoia Intelligence CenterSettingsAPI
  2. Click Create New API Key
  3. Configure:
    • Name: Noxys AI Firewall
    • Type: API Key
    • Space: Your workspace
  4. Select Scopes:
    • events_write — Create events
    • alerts_write — Create alerts
    • cases_write — Create cases (optional)
  5. Click Generate
  6. Copy the API Key (shown once)

Step 2: Configure Webhook in Noxys

Set up event forwarding to Sekoia.

  1. Noxys Admin PanelIntegrationsWebhooks
  2. Click Create Webhook
  3. Configure:
FieldValue
URLhttps://api.sekoia.io/api/v1/events
EventsSelect: interaction.policy_violated, interaction.high_risk, alert.severity_critical, alert.severity_high
HeadersAdd: Authorization: Bearer <api-key-from-step-1>
Description"Sekoia XDR Integration"
  1. Click Create
  2. Click Test to verify

Step 3: Verify Events in Sekoia

Confirm events are being received.

  1. Sekoia Intelligence CenterEvents
  2. Filter: source="noxys"
  3. Should see recent events:
    • Platform: chatgpt, claude, gemini, etc.
    • Risk score and classifications
    • Policy decisions (Block, Coach, Log)

Step 4: Create Detection Rules

Build threat detection rules in Sekoia.

Rule 1: Block PII on Unvetted Platform

  1. Sekoia XDRDetection & ResponseRules
  2. Click Create Rule
  3. Configure:

Name: "Policy violation on unvetted AI platform"

Logic:

event_type == "interaction.policy_violated"
AND platform_id NOT IN ["chatgpt", "claude", "gemini"]
AND classification_count > 0

Severity: High

Action:

  • Create alert
  • Notify SOC team
  • (Optional) Create case in SOAR
  1. Save & Activate

Rule 2: Repeated High-Risk Interactions

event_type == "interaction.high_risk"
| stats count by user_id
| where count > 5 in last 1 hour
→ Severity: Medium
→ Create alert

Rule 3: Financial Data Exposure

event_type == "interaction.high_risk"
AND classification_type IN ["CREDIT_CARD", "IBAN"]
AND risk_score > 0.9
→ Severity: Critical
→ Create case in SOAR for immediate investigation

Step 5: Create Incident Response Playbook

Automate responses to detected threats.

  1. Sekoia SOARPlaybooksCreate Playbook
  2. Configure:

Trigger: Alert from Noxys (Rule 1 above)

Steps:

  1. Extract user_id and platform_id from event

  2. Query user's recent activity

  3. Check if user has security awareness training

  4. Create incident case

  5. Notify user's manager

  6. Schedule security review meeting

  7. Enable Playbook

Step 6: Build Dashboard

Create visibility dashboard in Sekoia.

  1. Sekoia Intelligence CenterDashboardsCreate
  2. Add widgets:

Widget 1: AI Interaction Volume

Count of events where source="noxys"
Group by platform_id, time

Widget 2: Policy Violations

Count of events where event_type="interaction.policy_violated"
Group by policy_name

Widget 3: High-Risk Interactions

Count of events where risk_score > 0.8
Sparkline showing trend

Widget 4: Top Users with Violations

Count of events by user_id
Top 10 users

Step 7: Integration with Sekoia Cases (SOAR)

Automatically create cases for incident response.

  1. Create webhook that triggers case creation:

    • Trigger: alert.severity_critical event
    • Action: Create case in Sekoia SOAR
    • Case template: "AI Platform Violation"

  2. Case automatically includes:

    • Event details
    • User information
    • Policy violation context
    • Recommended response actions

  3. Assign case to SOC analyst for investigation

Step 8: Verify Integration

Confirm end-to-end integration is working.

  1. In Noxys:
    • Create test interaction with high PII count
    • Trigger a policy violation
  2. In Sekoia:
    • Check events appear in 1-2 seconds
    • Verify detection rules trigger
    • Confirm alerts are created
  3. Test notification flow:
    • Check email/Slack notification received
    • Verify case created (if applicable)

Advanced: Threat Intelligence Integration

Connect Sekoia's threat intelligence to Noxys policies.

  1. In Sekoia: Extract IOCs (Indicators of Compromise)

    • Malicious AI platforms
    • Known phishing domains using AI
    • Suspicious URLs

  2. In Noxys: Create policy blocking these IOCs

    • platform_id in [malicious_iocs]
    • Action: Block

  3. Automatically update blocklist when new IOCs discovered

Compliance & Audit

Sekoia provides compliance reporting:

  1. Sekoia Intelligence CenterComplianceReports
  2. Generate reports for:
    • GDPR compliance
    • EU AI Act mapping
    • Data processing audit
  3. Export for internal audit

Cost Considerations

Sekoia pricing:

  • XDR module: €500-2000/month (depends on events/month)
  • SOAR module: Add €1000+/month (for automation)
  • Threat Intelligence: Included

Event volume estimation:

  • 100 events/day from Noxys
  • Typical XDR cost: €800-1500/month

Troubleshooting

Events Not Appearing in Sekoia

  1. Verify webhook is active
    • Noxys: IntegrationsWebhooks → Status
  2. Check API key is correct
    • Regenerate if needed
  3. Verify webhook URL is exactly:
    • https://api.sekoia.io/api/v1/events
  4. Test webhook:
    • Click Test button
    • Check response status
  5. Review Sekoia API logs:
    • SettingsAPI Activity

Alerts Not Creating

  1. Verify detection rules are Enabled
  2. Check rule logic with test event
  3. Verify rule severity matches your alert threshold
  4. Review Sekoia logs for rule evaluation errors

Cases Not Being Created

  1. Verify SOAR module is enabled
  2. Check playbook is Active
  3. Test playbook manually with sample event
  4. Review SOAR logs for execution errors

Best Practices

  1. Start with critical events only:

    • Send policy_violated and alert.severity_critical+
    • Skip routine interaction.created events
    • Reduces noise, improves signal-to-noise ratio

  2. Create targeted rules:

    • One rule per threat type
    • Test with 1-week historical data first
    • Monitor for false positive rate

  3. Use playbooks for automation:

    • Automate routine triage
    • Create cases for high-severity incidents
    • Reduce MTTR

  4. Regular rule review:

    • Monthly: Review rule effectiveness
    • Quarterly: Update rules based on new threats
    • Remove rules causing too many false positives

  5. Monitor integration health:

    • Weekly: Check event volume
    • Check for delivery failures
    • Verify detection rules are firing

EU AI Act Compliance

Sekoia helps with EU AI Act compliance:

  1. Track AI usage through Noxys events
  2. Document classifications using Sekoia storage
  3. Report audit trails for regulatory reviews
  4. Maintain records for 3+ years (EU requirement)

All data stays in EU data centers, meeting sovereignty requirements.

Disabling Integration

To disable Sekoia integration:

  1. IntegrationsWebhooks → Delete webhook
  2. No more events are sent to Sekoia
  3. Existing events remain in Sekoia
  4. Detection rules can be disabled or deleted

To re-enable:

  1. Follow configuration steps again
  2. Events resume flowing to Sekoia

Support & Resources