
SIEM Integration #11

Closed
tbone8621 opened this issue Mar 23, 2018 · 8 comments

Comments

@tbone8621

Still looking into this, but can this be integrated to a SIEM?

@carnal0wnage
Contributor

carnal0wnage commented Mar 23, 2018

Hey @tbone8621, that's super broad. What do you mean specifically? You want the results of the simulation to go into a SIEM? You want some kind of hook to check the SIEM for the results of the simulation? Something else?

@paragonsec
Contributor

Wouldn't that be on the OS level? Have your image send its logs to your SIEM to identify what it detects. I guess a separate log file could be generated and sent off, but it would probably be easier to configure your VM to send it. That is what I did at least.

@carnal0wnage
Contributor

carnal0wnage commented Mar 23, 2018

Gonna wait for @tbone8621's reply, but right now there is some basic JSON logging that you could do something with. I suspect this is more around automatically checking a SIEM for the results of your action or simulation. It can be done. I ended up creating another celery worker queue that would query our EDR vendor for the results via their API. We're using this internally for more rule QA, so this is more of a 1-1 match of action to expected alert. This isn't expressly expected with action files or even with scenarios, but you could certainly write them with that in mind, where you expect each action run to end up being an event in your SIEM.

@tbone8621
Author

I am looking to see if this could be used to trigger my content in my SIEM. As in validation testing.

@carnal0wnage
Contributor

carnal0wnage commented Mar 23, 2018

Assuming the vagrant you build/use has your instrumentation on it and those logs are getting to the SIEM (if necessary... just depends on what you are using for instrumentation), I don't see why not. If I'm misunderstanding the question please let me know.

That is the intended use. You run the action or scenario files against vagrants that have your EDR agents, sysmon configs, splunk forwarders, whatever you are using... and the alerts would pop up in your SIEM, or you could go hunt for the data in the SIEM. Metta logs exactly what you ran and at what time to help you with this.
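The two comments above describe the validation loop: Metta records which action ran and when, the instrumented VM ships its telemetry to the SIEM, and you check that each action produced the alert you expected (carnal0wnage's "1-1 match of action to expected alert"). The script below is an added example of that correlation step; it is not Metta's own code, and the run-log field names (`timestamp`, `action`, `host`), the alert field names (`_time`, `host`, `rule`), the rule names and all log lines are constructed assumptions you would map onto whatever your Metta build and SIEM export actually emit. It also shows one failure mode worth handling: an alert with the right rule name that fired outside the run's time window is not credited to the simulation.

```python
"""Correlate a Metta-style run log with SIEM alerts to validate detection content.

Added example, not Metta's own code. The run-log and alert schemas below are
assumed for illustration; map the field names to what your tooling emits.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON object per line, as a Metta run might log it
# (field names assumed, not Metta's real schema).
METTA_RUN_LOG = """\
{"timestamp": "2018-03-23T14:00:05Z", "action": "discovery_whoami", "host": "win10-lab"}
{"timestamp": "2018-03-23T14:00:40Z", "action": "persistence_runkey", "host": "win10-lab"}
{"timestamp": "2018-03-23T14:01:30Z", "action": "discovery_netstat", "host": "win10-lab"}
"""

# Constructed sample: alerts exported from the SIEM for the same host and day.
# The "Run key persistence" alert fired 30 minutes before the run, so it must
# not be credited to this simulation (the detection is present but the test
# still counts as a miss).
SIEM_ALERTS = """\
{"_time": "2018-03-23T13:30:00Z", "host": "win10-lab", "rule": "Run key persistence"}
{"_time": "2018-03-23T14:00:07Z", "host": "win10-lab", "rule": "Local account enumeration"}
{"_time": "2018-03-23T14:01:33Z", "host": "win10-lab", "rule": "Network connection enumeration"}
"""

# The 1-1 map of action -> alert you expect to see (rule names assumed).
EXPECTED_ALERTS = {
    "discovery_whoami": "Local account enumeration",
    "persistence_runkey": "Run key persistence",
    "discovery_netstat": "Network connection enumeration",
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(run_log_text, alerts_text, expected, window_seconds=60):
    """Match each logged action to an alert with the expected rule name, on the
    same host, that fired within window_seconds after the action started.

    Returns {action: {"status": "detected" | "missed", "alert": alert_or_None}}.
    """
    window = timedelta(seconds=window_seconds)
    alerts = load_jsonl(alerts_text)
    results = {}
    for run in load_jsonl(run_log_text):
        action = run["action"]
        started = parse_ts(run["timestamp"])
        wanted_rule = expected.get(action)  # None if no expectation is defined
        match = None
        for alert in alerts:
            fired = parse_ts(alert["_time"])
            if (alert["host"] == run["host"]
                    and alert["rule"] == wanted_rule
                    and started <= fired <= started + window):
                match = alert
                break
        results[action] = {"status": "detected" if match else "missed", "alert": match}
    return results


def coverage(results):
    """Fraction of logged actions that produced their expected alert in time."""
    if not results:
        return 0.0
    hits = sum(1 for r in results.values() if r["status"] == "detected")
    return hits / len(results)


if __name__ == "__main__":
    report = correlate(METTA_RUN_LOG, SIEM_ALERTS, EXPECTED_ALERTS)
    for action, outcome in report.items():
        print(f"{action:<22} {outcome['status']}")
    print(f"coverage: {coverage(report):.0%}")
```

The window is the knob to tune per environment: forwarder and indexing latency decide how long after an action its alert can reasonably appear, and a window that is too generous will let unrelated alerts (or a previous run's) mask a real gap in your content.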

@tbone8621
Author

Thank you, that helps. I was just wondering if there was a way to push the data to a SIEM.

@paragonsec
Contributor

paragonsec commented Mar 23, 2018

@tbone8621 If it helps, I pretty much copied a production system to a VM and installed and configured all the same security tools. Then I made sure alerts were sent off normally by manually triggering them. If you can trigger them manually, then the actions Metta takes will be sent off successfully.

@carnal0wnage
Contributor

I think this is closed. @tbone8621, if you still need help please create another issue, or I can work with you directly over Twitter DM or email.


3 participants