To the "Loose-Parts" (Open-Source) SIEM in My Heart (Part 2)
Background
XXX
Shortcomings of SIEM v0.2
XXX
Improvements in SIEM v0.3
1. Workflow
XXX
2. Normalized
Workflow
![image-20220218183243830](/Users/canon/Library/Application Support/typora-user-images/image-20220218183243830.png)
Configure
No | File | Script | Log | Note |
---|---|---|---|---|
1 | 60_normalized-general.conf | |||
2 | 61_normalized-alert.conf | |||
3 | 62_normalized-flow.conf | |||
4 | 63_normalized-fileinfo.conf | |||
5 | 64_normalized-http.conf | 64_normalized-http.rb | 64_normalized-http.log | |
6 | 65_normalized-tls.conf | |||
3. Enrichment
Workflow
![image-20220221134544143](/Users/canon/Library/Application Support/typora-user-images/image-20220221134544143.png)
Configure
No | File | Script | Log | Note |
---|---|---|---|---|
1 | 70_enrichment-general-geo-1-private_ip.conf | |||
2 | 70_enrichment-general-geo-2-public_ip.conf | |||
3 | 71_enrichment-alert-1-direction.conf | 71_enrichment-alert-1-direction.rb | ||
4 | 71_enrichment-alert-2-killChain.conf | 71_enrichment-alert-2-killChain.rb | 71_enrichment-alert-2-killChain.log | |
5 | 71_enrichment-alert-3-cve.conf | 71_enrichment-alert-3-cve.rb | 71_enrichment-alert-3-cve.log | |
6 | 71_enrichment-alert-4-whitelist_ip.conf | 71_enrichment-alert-4-whitelist_ip.rb | 71_enrichment-alert-4-whitelist_ip.log | |
KillChain
Suricata
Input
- Redis template
# key: str killchain:{provider}:{rule id}
Output
{
Imperva
Vulnerability
Input
- Redis template
# key: str enrichment:{class}:{cve}
Output
{
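The two enrichment lookups above (KillChain keyed by killchain:{provider}:{rule id}, and Vulnerability keyed by enrichment:{class}:{cve}) follow the same pattern: build the key from alert fields, fetch a JSON string from Redis, decode it and attach it to the event. The following is an added example written for this post, not the post's own 71_enrichment-alert-2-killChain.rb or 71_enrichment-alert-3-cve.rb. A frozen Hash stands in for Redis so it runs offline; the JSON value layout (phase/tactic, cvss/summary), the {class} value "vulnerability", the event field names (provider, alert.signature_id, alert.metadata.cve) and the rule id and CVE values are all assumptions. In a real Logstash ruby filter the Hash reads become a Redis client call and event["x"] becomes event.get / event.set.

```ruby
require 'json'

# Constructed in-memory stand-in for the two Redis string keys named in the post:
#   killchain:{provider}:{rule id}   and   enrichment:{class}:{cve}
# The JSON value layout (phase/tactic, cvss/summary) and the rule id / CVE
# values are assumptions made for this example, not data from the post.
REDIS = {
  "killchain:suricata:1000001" => JSON.generate({ "phase" => "delivery", "tactic" => "Initial Access" }),
  "enrichment:vulnerability:CVE-2099-0001" => JSON.generate({ "cvss" => 9.8, "summary" => "placeholder vulnerability" }),
}.freeze

# Fetch a JSON string stored under a Redis key and decode it;
# nil when the key is absent or the value is not valid JSON.
def redis_json(store, key)
  raw = store[key]
  return nil if raw.nil?
  JSON.parse(raw)
rescue JSON::ParserError
  nil
end

# Kill-chain enrichment: resolve killchain:{provider}:{rule id} and attach the
# result. Unknown rules are tagged instead of silently passing through, so
# coverage gaps in the mapping show up in the index.
def enrich_killchain(event, store = REDIS)
  provider = event["provider"]
  sid = event.dig("alert", "signature_id")
  return event if provider.nil? || sid.nil?
  data = redis_json(store, "killchain:#{provider}:#{sid}")
  if data
    event["killchain"] = data
  else
    (event["tags"] ||= []) << "_killchain_lookup_failure"
  end
  event
end

# CVE enrichment: an alert may carry several CVE ids in its metadata; resolve
# each through enrichment:vulnerability:{cve} and keep only the ones found.
def enrich_cve(event, store = REDIS)
  cves = Array(event.dig("alert", "metadata", "cve"))
  found = cves.filter_map do |cve|
    data = redis_json(store, "enrichment:vulnerability:#{cve.upcase}")
    data && data.merge("id" => cve.upcase)
  end
  event["vulnerability"] = found unless found.empty?
  event
end

# Constructed Suricata-style alert carrying the fields both lookups need.
SAMPLE_ALERT = {
  "provider" => "suricata",
  "alert" => {
    "signature_id" => 1000001,
    "metadata" => { "cve" => ["cve-2099-0001", "CVE-2099-9999"] },
  },
}

puts JSON.pretty_generate(enrich_cve(enrich_killchain(SAMPLE_ALERT.dup))) if __FILE__ == $0
```

The lookup-failure tag is the part worth keeping when porting this into the real script: a missing kill-chain mapping is a coverage gap in the enrichment data, and tagging it makes that gap searchable instead of invisible.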
4. ThreatIntel
Workflow
![image-20220221105601713](/Users/canon/Library/Application Support/typora-user-images/image-20220221105601713.png)
Configure
Shodan
No | File | Script | Log | Note |
---|---|---|---|---|
1 | 85_threatintel-siem-event-1-shodan.conf | 85_threatintel-siem-event-1-shodan.rb | | |
Input
- Redis template
# key: list spider:{provider}:ioc
Output
{
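The threat-intel stage differs from the enrichment stage in one way: the Redis key is a list (spider:{provider}:ioc) holding everything a crawler collected, so it should be loaded and indexed once rather than scanned per event. The following is an added example, not the post's 85_threatintel-siem-event-1-shodan.rb. A Hash of arrays stands in for the Redis list; the element layout (JSON with type/value/tags), the event field names (src_ip, dest_ip, http.hostname) and the addresses (RFC 5737 documentation ranges) are assumptions.

```ruby
require 'json'

# Constructed stand-in for the Redis list spider:{provider}:ioc named in the post.
# The element layout (JSON with type/value/tags) and the addresses are
# assumptions for this example (RFC 5737 documentation ranges), not post data.
REDIS_LISTS = {
  "spider:shodan:ioc" => [
    JSON.generate({ "type" => "ip", "value" => "203.0.113.10", "tags" => ["scanner"] }),
    JSON.generate({ "type" => "ip", "value" => "198.51.100.7", "tags" => ["c2"] }),
    JSON.generate({ "type" => "domain", "value" => "ioc.example", "tags" => ["phishing"] }),
    "not json", # a corrupt element must not break the whole load
  ],
}.freeze

# Read one provider's IOC list once and index it as {type => {value => entry}},
# so per-event matching is a hash lookup rather than a scan of the list.
def load_ioc_index(store, provider)
  index = Hash.new { |h, k| h[k] = {} }
  Array(store["spider:#{provider}:ioc"]).each do |raw|
    entry = begin
      JSON.parse(raw)
    rescue JSON::ParserError
      next
    end
    next unless entry.is_a?(Hash) && entry["type"] && entry["value"]
    index[entry["type"]][entry["value"]] = entry
  end
  index
end

# Match the event's endpoint addresses and, when present, the HTTP hostname
# against the index. Each hit records the field it came from and the feed, so
# an analyst can see which indicator fired and where it was sourced.
def match_threatintel(event, index, provider)
  hits = []
  %w[src_ip dest_ip].each do |field|
    entry = index["ip"][event[field]]
    hits << entry.merge("field" => field, "provider" => provider) if entry
  end
  host = event.dig("http", "hostname")
  entry = host && index["domain"][host]
  hits << entry.merge("field" => "http.hostname", "provider" => provider) if entry
  return event if hits.empty?
  event.merge("threatintel" => hits, "tags" => Array(event["tags"]) + ["threatintel_match"])
end

def threatintel_sample
  index = load_ioc_index(REDIS_LISTS, "shodan")
  # Constructed flow record: the destination is on the feed, the source is not.
  match_threatintel({ "src_ip" => "192.0.2.50", "dest_ip" => "198.51.100.7" }, index, "shodan")
end

puts JSON.pretty_generate(threatintel_sample) if __FILE__ == $0
```

Because Shodan data is mostly about scanners and exposed services, a match here is a lead rather than a verdict; keeping the feed's own tags on the hit lets the later alert logic weigh a "scanner" match differently from a "c2" one.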
3. Filter
3.1 Whitelist
3.1.1 IP
- Redis template
Input
# key: str whitelist:{class}:{ip}
Output
{
Differences
- v0.2
{
- v0.3
{
3.1.2 Rule
3.1.2.1 SID
- Redis template
Input
# key: str whitelist:{class}:{provider}:{rule id}
Workflow
![image-20220224143316558](/Users/canon/Library/Application Support/typora-user-images/image-20220224143316558.png)
Input
- Redis template
# key: str whitelist:{class}:{provider}:{rule name}
Workflow
![image-20220224150916372](/Users/canon/Library/Application Support/typora-user-images/image-20220224150916372.png)
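The three whitelist keys in this Filter section (whitelist:{class}:{ip}, whitelist:{class}:{provider}:{rule id} and whitelist:{class}:{provider}:{rule name}) can be evaluated by one routine that tries them in a fixed order and records which one matched. The following is an added example, not the post's 71_enrichment-alert-4-whitelist_ip.rb or its v0.2/v0.3 output; a frozen Hash stands in for Redis, and the {class} value "alert", the JSON payload (owner/reason/expires), the event field names and every address, rule id and rule name are assumptions. The expiry check is an addition the post does not describe: an exception that has passed its date stops suppressing alerts.

```ruby
require 'json'
require 'date'

# Constructed stand-in for the three Redis string keys the post lists:
#   whitelist:{class}:{ip}
#   whitelist:{class}:{provider}:{rule id}
#   whitelist:{class}:{provider}:{rule name}
# The {class} value "alert", the JSON payload (owner/reason/expires) and every
# address, id and rule name below are assumptions for this example.
WHITELIST = {
  "whitelist:alert:10.0.0.5" =>
    JSON.generate({ "owner" => "vuln-scanner", "reason" => "authorised internal scanning", "expires" => "2099-01-01" }),
  "whitelist:alert:suricata:1000002" =>
    JSON.generate({ "owner" => "secops", "reason" => "noisy rule under review" }),
  "whitelist:alert:suricata:EXAMPLE RULE NAME" =>
    JSON.generate({ "owner" => "secops", "reason" => "benign in this environment" }),
}.freeze

# Fetch one whitelist entry; an entry whose ISO "expires" date is already past
# is treated as absent, so stale exceptions stop suppressing alerts.
def whitelist_entry(store, key, today)
  raw = store[key]
  return nil unless raw
  entry = JSON.parse(raw)
  return nil if entry["expires"] && entry["expires"] < today
  entry
rescue JSON::ParserError
  nil
end

# Evaluate the lookups in a fixed order (source IP, destination IP, rule id,
# rule name) and return the first match, or nil when the alert should pass.
def whitelist_match(event, store = WHITELIST, klass: "alert", today: Date.today.iso8601)
  provider = event["provider"]
  sid = event.dig("alert", "signature_id")
  name = event.dig("alert", "signature")
  candidates = []
  %w[src_ip dest_ip].each { |f| candidates << ["ip", f, "whitelist:#{klass}:#{event[f]}"] if event[f] }
  candidates << ["sid", "alert.signature_id", "whitelist:#{klass}:#{provider}:#{sid}"] if provider && sid
  candidates << ["name", "alert.signature", "whitelist:#{klass}:#{provider}:#{name}"] if provider && name
  candidates.each do |type, field, key|
    entry = whitelist_entry(store, key, today)
    return { "type" => type, "field" => field, "key" => key, "entry" => entry } if entry
  end
  nil
end

# Filter-stage behaviour: a whitelisted alert is marked rather than deleted,
# so the decision and its reason remain auditable downstream.
def apply_whitelist(event, store = WHITELIST, today: Date.today.iso8601)
  m = whitelist_match(event, store, today: today)
  m ? event.merge("whitelisted" => true, "whitelist" => m) : event
end

if __FILE__ == $0
  sample = { "provider" => "suricata", "src_ip" => "10.0.0.5", "alert" => { "signature_id" => 7, "signature" => "x" } }
  puts JSON.pretty_generate(apply_whitelist(sample))
end
```

Marking instead of dropping is a deliberate choice: a suppressed alert that still reaches the index with its whitelist reason attached can be reviewed when an exception is later questioned, whereas a dropped one leaves no trace.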