PowerDMARC Integration

This document outlines the steps for integrating PowerDMARC with the BluSapphire Log collection platform. The collector polls the PowerDMARC HTTP API with a client-supplied token and forwards the JSON records through a dedicated pipeline.

#Pre-requisites:

Before proceeding, request the following details from your client:

• API Address: The URL for Power DMARC's API endpoint.

• API Key/Token: The authentication token required to access the Power DMARC API.

Verify the API address and token with a curl request before configuring the collector:

curl -X GET '<API Address with full path>' -H 'Authorization: Token <API Token>'

The Authorization header value must use whichever scheme the client's PowerDMARC API expects (this page shows both Token <API Token> and Bearer <API Token>); the same value, scheme included, is later stored in POWER_AUTH_TOKEN. A successful request returns HTTP 200 with a JSON body; a 401 or 403 indicates a wrong token or scheme. Run the command on a host where shell history is not shared, since the token appears on the command line.

#Backend Configuration:

  1. Pipeline Configuration

    a. Edit the pipelines.yml file located at /opt/lc/conf/collector/gateway-client/pipelines.yml.

    b. Add the following configuration snippet to define a new pipeline named proxy-mail-powerdmarc:

YAML

- pipeline.id: proxy-mail-powerdmarc
  pipeline.workers: 4        # Number of worker threads for the pipeline (default: 1)
  pipeline.batch.size: 300   # Number of events processed per batch (default: 100)
  pipeline.batch.delay: 50   # Delay (in milliseconds) between batches (default: 10)
  path.config: "/opt/lc/pipelines/processors/proxy/mail/powerdmarc/*.conf"   # Path to processor configuration files

  2. Input Configuration

    a. Navigate to the directory containing processor configurations:

cd /opt/lc/pipelines/processors/proxy/mail

    b. Copy an existing processor directory (e.g., <source_dir>) and rename it to powerdmarc:

cp -r <source_dir> powerdmarc
cd powerdmarc

    c. Rename the file 01-input-tcp.conf to 01-input-http.conf, as PowerDMARC is polled over an HTTP API rather than receiving pushed TCP syslog.

    d. Edit 01-input-http.conf with the following content. The ${POWER_API_URL} and ${POWER_AUTH_TOKEN} references are resolved from the environment variables defined in blucluster.conf (step 4), so no credential is written into this file:

input {
  http_poller {
    urls => {
      power_dmarc => {
        method => get
        url => "${POWER_API_URL}"
        headers => {
          # Sent verbatim, so the variable must already include the scheme (e.g. "Bearer <token>")
          "Authorization" => "${POWER_AUTH_TOKEN}"
        }
      }
    }
    request_timeout => 60
    # Poll once every minute, evaluated in UTC
    schedule => { cron => "* * * * * UTC" }
    codec => "json"
  }
}

3. Filter Configuration

Edit the file 02-metadata-filter.conf with the following content:

filter {
  mutate { add_field => { "[@metadata][debug]" => "${DEBUG_PROXY_MAIL_POWERDMARC:False}" } }
  mutate { add_field => { "[@metadata][prefix_path]" => "${PREFIX_PATH:logs}" } }
  mutate { add_field => { "[@metadata][log_type]" => "${LOG_PROXY_MAIL_POWERDMARC:proxy-mail-powerdmarc}" } }
  mutate { add_field => { "[@metadata][client_id]" => "${CLIENT_ID}" } }
  mutate { add_field => { "[@metadata][sensor_id]" => "${SENSOR_ID}" } }
}

  4. Blucluster Configuration

    a. Edit the main configuration file /opt/lc/conf/blucluster.conf.

    b. Set the following environment variables:

    • DEBUG_PROXY_MAIL_POWERDMARC=False (or desired value)

    • LOG_PROXY_MAIL_POWERDMARC=proxy-mail-powerdmarc

    c. Add the following section under a designated area (e.g., PowerDMARC configuration), one assignment per line:

#PowerDMARC configuration
POWER_API_URL="https://cn.powerdmarc.com/api/v1/audit-logs"
POWER_AUTH_TOKEN="Bearer <API Token>"

Important: Replace POWER_API_URL and POWER_AUTH_TOKEN with the values obtained from the client. POWER_AUTH_TOKEN is the complete Authorization header value, scheme included, exactly as verified with curl in the pre-requisites. Because blucluster.conf now holds a live API credential, keep it readable only by the account that runs the collector service and never paste a real token into tickets or documentation.
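As an added example (not part of the BluSapphire or PowerDMARC documentation), the following Python script checks the PowerDMARC settings in blucluster.conf before the service is restarted: it parses the KEY="value" lines, requires an https URL and a scheme-prefixed token, and, when the token is a JWT (PowerDMARC bearer tokens have that three-part shape), decodes the payload without verifying the signature to flag an expired token or one missing the audit-log scope. The scope name user:audit-logs, the sample configuration text and the unsigned sample token are constructed for illustration; check the scope name against what the client's tenant actually issues.

```python
"""Offline preflight for the PowerDMARC settings in blucluster.conf.

Usage: python powerdmarc_preflight.py [/opt/lc/conf/blucluster.conf]
With no argument a constructed sample configuration is checked instead.
"""
import base64
import json
import re
import sys
import time

# Assumption: the audit-log scope name used by the client's PowerDMARC tenant.
REQUIRED_SCOPE = "user:audit-logs"

# Matches KEY="value" or KEY=value; one assignment per line.
_ASSIGN = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*"?(.*?)"?\s*$')


def parse_env(text):
    """Parse blucluster.conf-style KEY="value" lines into a dict."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token):
    """Return the JWT payload, or None if the token is not a JWT.

    The signature is deliberately NOT verified: this is a local sanity check
    of exp/scopes, and the PowerDMARC API is the party that validates it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return None


def check_powerdmarc(env, now=None):
    """Return a list of problems with POWER_API_URL / POWER_AUTH_TOKEN (empty = OK)."""
    now = time.time() if now is None else now
    problems = []
    url = env.get("POWER_API_URL", "")
    raw = env.get("POWER_AUTH_TOKEN", "")
    if not url.startswith("https://"):
        problems.append("POWER_API_URL must be an https:// URL")
    if not raw:
        problems.append("POWER_AUTH_TOKEN is empty")
        return problems
    # http_poller sends the value verbatim as the Authorization header,
    # so it must already carry the scheme the API expects.
    scheme, _, token = raw.partition(" ")
    if scheme not in ("Bearer", "Token") or not token:
        problems.append("POWER_AUTH_TOKEN must be '<Scheme> <token>', e.g. 'Bearer ...'")
        return problems
    claims = jwt_claims(token)
    if claims is None:
        return problems  # opaque token: nothing more to check offline
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append("token expired at %s" % time.strftime("%Y-%m-%d", time.gmtime(exp)))
    if REQUIRED_SCOPE not in claims.get("scopes", []):
        problems.append("token lacks scope %s" % REQUIRED_SCOPE)
    return problems


def make_unsigned_jwt(payload):
    """Build a JWT-shaped string for the sample below (not a usable credential)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"typ": "JWT", "alg": "none"}) + "." + enc(payload) + ".sig"


# Constructed sample configuration (same layout as the blucluster.conf section above).
SAMPLE_CONF = '''#PowerDMARC configuration
POWER_API_URL="https://cn.powerdmarc.com/api/v1/audit-logs"
POWER_AUTH_TOKEN="Bearer %s"
''' % make_unsigned_jwt({"sub": "1", "exp": 4102444800, "scopes": [REQUIRED_SCOPE]})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    issues = check_powerdmarc(parse_env(text))
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it against the real file as the collector's service account (python powerdmarc_preflight.py /opt/lc/conf/blucluster.conf) so the token is never copied elsewhere; a non-zero exit means the pipeline would poll with a URL or credential the API will reject, which otherwise only shows up as repeated http_poller errors after the restart.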

  5. Restart Service

Restart the Log collector service:

sudo systemctl restart blu_gc.service

  6. Verification

• Check the temporary directory (/optllc/te
