SIEM Integration #11
Comments
Hey @tbone8621, that's super broad. What do you mean specifically? You want the results of the simulation to go into a SIEM? You want some kind of hook to check the SIEM for the results of the simulation? Something else?
Wouldn't that be on the OS level? Have your image send its logs to your SIEM to identify what it detects. I guess a separate log file could be generated and sent off, but it would probably be easier to configure your VM to send it. That is what I did at least.
Gonna wait for @tbone8621's reply, but right now there is some basic JSON logging that you could do something with. I suspect this is more around automatically checking a SIEM for the results of your action or simulation. It can be done. I ended up creating another Celery worker queue that would query our EDR vendor for the results via their API. We're using this internally for more rule QA, so this is more of a 1-1 match of action to expected alert. This isn't expressly expected with action files or even with scenarios, but you could certainly write them with that in mind, where you expect each action run to end up being an event in your SIEM.
I am looking to see if this could be used to trigger my content in my SIEM. As in validation testing.
Assuming the Vagrant you build/use has your instrumentation on it and those logs are getting to the SIEM (if necessary... just depends on what you are using for instrumentation), I don't see why not. If I'm misunderstanding the question please let me know. That is the intended use. You run the action or scenario files against Vagrants that have your EDR agents, Sysmon configs, Splunk forwarders, whatever you are using... and the alerts would pop up in your SIEM, or you could go hunt for the data in the SIEM. Metta logs exactly what you ran and at what time to help you with this.
Thank you, that helps. I was just wondering if there was a way to push the data to a SIEM.
@tbone8621 If it helps, I pretty much copied a production system to a VM and installed and configured all the same security tools. Then I made sure alerts were sent off normally by manually triggering them. If you can trigger them manually, then the actions Metta takes will be sent off successfully.
I think this is closed. @tbone8621 if you still need help, please create another issue or I can work with you directly over Twitter DM or email.
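The workflow described in the two maintainer replies above (Metta records which action ran and when; a separate job then checks the SIEM or EDR for the alert each action was expected to produce) can be reduced to a small correlation routine. The following is an added example, not code from the Metta project or from anyone in this thread. It assumes a hypothetical action-log shape (action name, UTC timestamp, expected rule name) and a hypothetical SIEM alert export (rule name, timestamp, host); both samples are constructed inline, and Metta's real JSON fields and any vendor API are not modelled.

```python
"""Detection-validation helper: match simulated actions to the SIEM alerts they should raise.

Added example. The record shapes below are assumptions for illustration, not Metta's
actual log format or any SIEM vendor's export format.
"""
import json
from datetime import datetime, timedelta

# Constructed sample of an action-runner log: one record per action that was executed.
# "expect" names the detection rule a defender expects the action to trigger.
ACTION_LOG = [
    {"action": "discovery.net_scan", "ts": "2020-03-01T10:00:05Z", "expect": "Port Scan Detected"},
    {"action": "persistence.run_key", "ts": "2020-03-01T10:03:40Z", "expect": "Registry Run Key Modified"},
    {"action": "credential.access", "ts": "2020-03-01T10:07:12Z", "expect": "LSASS Memory Access"},
]

# Constructed sample of alerts exported from the SIEM for the same lab host.
SIEM_ALERTS = [
    {"rule": "Port Scan Detected", "ts": "2020-03-01T10:00:48Z", "host": "lab-win10"},
    {"rule": "Suspicious PowerShell", "ts": "2020-03-01T10:03:55Z", "host": "lab-win10"},
    # Right rule, but fired 13 minutes after the action: outside the correlation window.
    {"rule": "LSASS Memory Access", "ts": "2020-03-01T10:20:00Z", "host": "lab-win10"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def load_jsonl(path):
    """Read newline-delimited JSON records (one per line) from a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def correlate(actions, alerts, window=timedelta(minutes=5)):
    """For each action, look for the expected rule firing within `window` after the action ran.

    Returns one result per action with whether it was detected and, if so, the
    alert latency in seconds. Alerts that fire outside the window count as misses,
    which is what you want when validating that a rule fires promptly.
    """
    results = []
    for action in actions:
        start = parse_ts(action["ts"])
        end = start + window
        hits = sorted(
            (a for a in alerts
             if a["rule"] == action["expect"] and start <= parse_ts(a["ts"]) <= end),
            key=lambda a: parse_ts(a["ts"]),
        )
        latency = (parse_ts(hits[0]["ts"]) - start).total_seconds() if hits else None
        results.append({
            "action": action["action"],
            "expected": action["expect"],
            "detected": bool(hits),
            "latency_s": latency,
        })
    return results


def coverage(results):
    """Fraction of actions whose expected alert was seen in time (0.0 when there are no results)."""
    if not results:
        return 0.0
    return sum(1 for r in results if r["detected"]) / len(results)


def missed(results):
    """Names of actions whose expected alert never arrived; these are the rules to QA."""
    return [r["action"] for r in results if not r["detected"]]


if __name__ == "__main__":
    report = correlate(ACTION_LOG, SIEM_ALERTS)
    for row in report:
        print(row)
    print(f"coverage: {coverage(report):.0%}, missed: {missed(report)}")
```

The five-minute window is a tuning knob: too narrow and a slow forwarding pipeline shows up as a rule failure, too wide and an unrelated firing of the same rule masks a real gap. Running this after every scenario turns the "1-1 match of action to expected alert" approach from the thread into a repeatable regression check on detection content.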
Still looking into this, but can this be integrated with a SIEM?