Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create SIEM apps #21

Open
23 of 29 tasks
frikky opened this issue Oct 10, 2020 · 13 comments
Open
23 of 29 tasks

Create SIEM apps #21

frikky opened this issue Oct 10, 2020 · 13 comments
Assignees
@yogeshgurjar127
Labels
Search SIEM

Comments

@frikky
Copy link
Member

frikky commented Oct 10, 2020
edited by yogeshgurjar127
Loading

Using the App creator, OpenAPI or Python directly:

Minimal use-cases (if possible):

  • Search
  • Send event TO SIEM
  • Get Search results
  • Create Saved Search
  • Create Alert from Search (sends webhook / something else)

If applicable (same as case management):

  • List Incidents
  • Get Incident
  • Update incident
  • Add comment

Workflow example to add:

  • Search for some data, then filter the data, before creating A ticket (cases) and sending messages (comms) for each result.

For each item in the list below, we want the following:

  • A name with a link to the app on https://shuffler.io
  • Whether it's been built at all (checkmark)
  • A link to an input workflow (sending from SIEM to Shuffle)
  • A search workflow for how to search in the SIEM

Items

  • Splunk - Input Workflow - Search Workflow - Documentation - Public app
  • QRadar
  • ArcSight
  • Elasticsearch (ELK)
  • Logpoint
  • MDATP
  • Azure Sentinel
  • Sumologic
  • Logz.io
  • RSA NetWitness
  • Datadog #301
  • Logarithm
  • Security onion
  • Rapid7 IDR
  • FortiSIEM
  • Securonix
  • Wazuh #298
  • Seceon
  • Microsoft Sentinel
  • Fluency
  • CyberShark
  • ExaBeam
  • AlertLogic
  • ManageEngine EventLog Analyzer
  • New Relic
  • Logit.io
  • Solarwinds Security Event Manager
  • Sematext
  • Servicepilot
@frikky frikky added the hacktoberfest https://hacktoberfest.digitalocean.com/ label Oct 10, 2020
@pooki3bear
Copy link
Contributor

Which functions would be included in a minimum product for SIEM (other than on-demand or prepared search)?

@frikky
Copy link
Member Author

frikky commented Dec 9, 2020

@pooki3bear I don't want to say that any "minimum product" is required to be added as app necessarily. For SIEM, it initially would just be search.

What would be interesting though, would be to find out how to use Sigma to create a good integration for either one of these 👍

I can share a spreadsheet if you'd like more insight into what we have outlined

@frikky frikky added the SIEM label Feb 25, 2021
@frikky frikky mentioned this issue Feb 25, 2021
Open
@frikky frikky added Search and removed hacktoberfest https://hacktoberfest.digitalocean.com/ labels Mar 1, 2021
This was referenced Mar 16, 2021
Closed
Closed
Closed
Closed
@frikky frikky assigned frikky and gaurav-m92 and unassigned frikky Apr 8, 2021
@frikky frikky assigned dhaval055 and unassigned gaurav-m92 May 25, 2022
@dhaval055
Copy link
Member

https://github.com/Shuffle/openapi-apps/blob/master/sumologic-api.yaml

@dhaval055
Copy link
Member

dhaval055 commented Aug 3, 2022
edited
Loading

No. Tool Accessibility Is a demo required? APIs
1 LogPoint No direct access available. Yes docs
2 RSA NetWitness No direct access available. Yes docs
3 Logrhythm No direct access available. Yes docs
4 Securonix No direct access available. Yes docs
5 Seceon No direct access available. Yes
6 ManageEngine EventLog Analyzer APIs not available at the moment. No
7 ExaBeam No direct access available. Yes reference
8 Fluency No free access available. No docs, Postman collection
9 New Relic Free trial available No docs
9 Solarwinds Security Event Manager Free trial available, No APIs available No
9 Blumira Free trial available, No APIs available No

@winhigh
Copy link

winhigh commented Dec 7, 2023
edited
Loading

for example if i have my own siem how do i push logs to shuffle so that i can build my SOAR

@frikky
Copy link
Member Author

frikky commented Dec 7, 2023

for example if i have my own siem how do i push logs to shuffle so that i can build my SOAR

Hey,

there's quite a few ways, but the main things are:

  • Can you do alert forwarding, e.g. with webhooks?
  • Do you have a search API?

@winhigh
Copy link

winhigh commented Dec 8, 2023

No. I'm new to this tool could you please let us know what are the possible ways to push my logs to shuffle interface.

search API for , To be honest i need to learn everything

do you have any possible ways to redirect my another system logs to shuffle , if successfully redirect also , how do i see those logs in shuffle so that i can co relate with other tools like yara.

@frikky
Copy link
Member Author

frikky commented Dec 8, 2023

No. I'm new to this tool could you please let us know what are the possible ways to push my logs to shuffle interface.

search API for , To be honest i need to learn everything

do you have any possible ways to redirect my another system logs to shuffle , if successfully redirect also , how do i see those logs in shuffle so that i can co relate with other tools like yara.

We don't typically deal with logs directly, and instead focus on alerts from the SIEM. In this case though, I'd do something like this if I were to handle logs directly with Shuffle tho (we are planning for this ;))

  1. Set up a syslog listener (e.g. with Tenzir)
  2. When syslogs are found, bucket them
  3. Forward to Shuffle over HTTP with a Webhook when you got e.g. 1000 logs bucketed

Shuffle itself isn't meant for this kind of thing, so we suggest you use a SIEM and forward alerts instead :)

@winhigh
Copy link

winhigh commented Dec 9, 2023

hey frikky,

yeah even i know shuffle isn't designed for logs but i wanted to co relate logs with yara rules or other tool so that it can detect malicious IPs and sing shuffle alerts and automation i can block them.

So basically my idea is to automate my security.

@winhigh
Copy link

winhigh commented Dec 9, 2023

I'm planning to send logs to Shuffle machine using rsyslog or ossec and collect them using webhooks ?

is it possible ?

@frikky
Copy link
Member Author

frikky commented Dec 15, 2023

I'm planning to send logs to Shuffle machine using rsyslog or ossec and collect them using webhooks ?

is it possible ?

We got something cooking for this. It's not directly possible right now, but soon~ :)

@winhigh
Copy link

winhigh commented Dec 18, 2023

Hi Frikky,

Actually, I tried sending alerts to shuffle from wazuh tool as you demonstrated in the video but I can't able to get those level three alerts in json.

PS: could you provide me the video, Showcasing alerts after setting with webhooks

https://medium.com/@ilyes_abdelhadi_86557/wazuh-shuffle-integration-3dc0b7db439
Followed these instructions.

@frikky frikky assigned yogeshgurjar127 and unassigned dhaval055 Apr 22, 2024
@ayush0033
Copy link

ayush0033 commented Oct 15, 2024
edited
Loading

Using the App creator, OpenAPI or Python directly:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yogeshgurjar127 yogeshgurjar127

Labels
Search SIEM
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@frikky @dhaval055 @pooki3bear @ayush0033 @gaurav-m92 @yogeshgurjar127 @winhigh