Create SIEM apps

Question

Create SIEM apps

frikky opened this issue 4 years ago · comments

Frikky commented 4 years ago

Using the App creator, OpenAPI or Python directly:

Minimal use-cases (if possible):

Search
Send event TO SIEM
Get Search results
Create Saved Search
Create Alert from Search (sends webhook / something else)

If applicable (same as case management):

List Incidents
Get Incident
Update incident
Add comment

Workflow example to add:

Search for some data, then filter the data, before creating A ticket (cases) and sending messages (comms) for each result.

For each item in the list below, we want the following:

A name with a link to the app on https://shuffler.io
Whether it's been built at all (checkmark)
A link to an input workflow (sending from SIEM to Shuffle)
A search workflow for how to search in the SIEM

Items

pooki3bear · Answer 1 · Wed Dec 09 2020 19:34:06 GMT+0800 (China Standard Time)

Which functions would be included in a minimum product for SIEM (other than on-demand or prepared search)?

Frikky · Answer 2 · Wed Dec 09 2020 21:15:14 GMT+0800 (China Standard Time)

@pooki3bear I don't want to say that any "minimum product" is required to be added as app necessarily. For SIEM, it initially would just be search.

What would be interesting though, would be to find out how to use Sigma to create a good integration for either one of these 👍

I can share a spreadsheet if you'd like more insight into what we have outlined

Dhaval Dave · Answer 3 · Fri Jun 17 2022 19:21:51 GMT+0800 (China Standard Time)

https://github.com/Shuffle/openapi-apps/blob/master/sumologic-api.yaml

Dhaval Dave · Answer 4 · Wed Aug 03 2022 15:29:22 GMT+0800 (China Standard Time)

No.	Tool	Accessibility	Is a demo required?	APIs
1	LogPoint	No direct access available.	Yes	docs
2	RSA NetWitness	No direct access available.	Yes	docs
3	Logrhythm	No direct access available.	Yes	docs
4	Securonix	No direct access available.	Yes	docs
5	Seceon	No direct access available.	Yes
6	ManageEngine EventLog Analyzer	APIs not available at the moment.	No
7	ExaBeam	No direct access available.	Yes	reference
8	Fluency	No free access available.	No	docs, Postman collection
9	New Relic	Free trial available	No	docs
9	Solarwinds Security Event Manager	Free trial available, No APIs available	No
9	Blumira	Free trial available, No APIs available	No

winhigh · Answer 5 · Thu Dec 07 2023 20:34:23 GMT+0800 (China Standard Time)

for example if i have my own siem how do i push logs to shuffle so that i can build my SOAR

Frikky · Answer 6 · Thu Dec 07 2023 22:30:04 GMT+0800 (China Standard Time)

for example if i have my own siem how do i push logs to shuffle so that i can build my SOAR

Hey,

there's quite a few ways, but the main things are:

Can you do alert forwarding, e.g. with webhooks?
Do you have a search API?

winhigh · Answer 7 · Fri Dec 08 2023 12:16:43 GMT+0800 (China Standard Time)

No. I'm new to this tool could you please let us know what are the possible ways to push my logs to shuffle interface.

search API for , To be honest i need to learn everything

do you have any possible ways to redirect my another system logs to shuffle , if successfully redirect also , how do i see those logs in shuffle so that i can co relate with other tools like yara.

Frikky · Answer 8 · Sat Dec 09 2023 07:44:18 GMT+0800 (China Standard Time)

No. I'm new to this tool could you please let us know what are the possible ways to push my logs to shuffle interface.

search API for , To be honest i need to learn everything

do you have any possible ways to redirect my another system logs to shuffle , if successfully redirect also , how do i see those logs in shuffle so that i can co relate with other tools like yara.

We don't typically deal with logs directly, and instead focus on alerts from the SIEM. In this case though, I'd do something like this if I were to handle logs directly with Shuffle tho (we are planning for this ;))

Set up a syslog listener (e.g. with Tenzir)
When syslogs are found, bucket them
Forward to Shuffle over HTTP with a Webhook when you got e.g. 1000 logs bucketed

Shuffle itself isn't meant for this kind of thing, so we suggest you use a SIEM and forward alerts instead :)

winhigh · Answer 9 · Sat Dec 09 2023 12:34:38 GMT+0800 (China Standard Time)

hey frikky,

yeah even i know shuffle isn't designed for logs but i wanted to co relate logs with yara rules or other tool so that it can detect malicious IPs and sing shuffle alerts and automation i can block them.

So basically my idea is to automate my security.

winhigh · Answer 10 · Sat Dec 09 2023 12:42:53 GMT+0800 (China Standard Time)

I'm planning to send logs to Shuffle machine using rsyslog or ossec and collect them using webhooks ?

is it possible ?

Frikky · Answer 11 · Fri Dec 15 2023 23:12:06 GMT+0800 (China Standard Time)

I'm planning to send logs to Shuffle machine using rsyslog or ossec and collect them using webhooks ?

is it possible ?

We got something cooking for this. It's not directly possible right now, but soon~ :)

winhigh · Answer 12 · Mon Dec 18 2023 18:52:31 GMT+0800 (China Standard Time)

Hi Frikky,

Actually, I tried sending alerts to shuffle from wazuh tool as you demonstrated in the video but I can't able to get those level three alerts in json.

PS: could you provide me the video, Showcasing alerts after setting with webhooks

https://medium.com/@ilyes_abdelhadi_86557/wazuh-shuffle-integration-3dc0b7db439
Followed these instructions.