- Ransomware detections: Malicious executables, brute force attempts, vulnerable drivers, and more
- Artifact enrichment: SHA256 hashes, file paths, IPs, and DNS records are automatically extracted for further enrichment
- Endpoint inventory: Devices with the Halcyon agent installed are synced as endpoints
Prerequisites
Before setting up this integration, ensure you have:
- A Halcyon account with admin privileges
- Your Halcyon account username and password
- Your Tenant ID (if using a multi-tenant or MSSP setup)
Step 1: Gather Your Credentials
You will need the following information from your Halcyon account:

| Field | Description |
|---|---|
| Username | Your Halcyon admin account username |
| Password | Your Halcyon admin account password |
| Tenant ID | (Optional) Your Halcyon tenant UUID. Required for multi-tenant or MSSP setups. |
Step 2: Add the Integration in Wirespeed
- Log in to Wirespeed and navigate to Integrations > Add Integration
- Search for and select Halcyon
- Enter your Username, Password, and optionally your Tenant ID
- Click Integrate to complete the setup
What Gets Synced?
Alerts (Detections)
Wirespeed ingests alerts from Halcyon. Each alert is enriched with:
- Artifacts: File hashes (SHA256), file paths, IP addresses, and DNS records from the alert
- Assets: Affected devices associated with the alert
Devices (Endpoints)
All devices with the Halcyon agent are synced as endpoints, including hostname, operating system, and online status.
Troubleshooting
Authentication Errors
If you see authentication errors:
- Verify your username and password are correct
- Ensure your account has admin privileges
- If using a multi-tenant setup, confirm the Tenant ID is correct
No Alerts Appearing
If alerts aren’t showing up:
- Alerts may take a few minutes to appear after initial setup
- The initial sync pulls up to the newest 5,000 alerts
- Verify that alerts exist in your Halcyon console
Additional Resources
On first sync, Wirespeed fetches up to the newest 5,000 alerts.

