python-apps
Create SIEM apps
Using the App creator, OpenAPI or Python directly:
Minimal use-cases (if possible):
- Search
- Send event TO SIEM
- Get Search results
- Create Saved Search
- Create Alert from Search (sends webhook / something else)
If applicable (same as case management):
- List Incidents
- Get Incident
- Update incident
- Add comment
Workflow example to add:
- Search for some data, then filter the data, before creating a ticket (cases) and sending messages (comms) for each result.
For each item in the list below, we want the following:
- A name with a link to the app on https://shuffler.io
- Whether it's been built at all (checkmark)
- A link to an input workflow (sending from SIEM to Shuffle)
- A search workflow for how to search in the SIEM
Items
- [x] Splunk - Input Workflow - Search Workflow - Documentation - Public app
- [x] QRadar
- [ ] ArcSight
- [x] Elasticsearch (ELK)
- [x] Logpoint
- [x] MDATP
- [x] Azure Sentinel
- [x] Sumologic
- [x] Logz.io
- [ ] RSA NetWitness
- [x] #301
- [ ] LogRhythm
- [x] Security onion
- [x] Rapid7 IDR
- [x] FortiSIEM
- [x] Securonix
- [x] #298
- [x] Seceon
- [x] Microsoft Sentinel
- [ ] Fluency
- [x] CyberShark
- [x] ExaBeam
- [x] AlertLogic
- [x] ManageEngine EventLog Analyzer
- [x] New Relic
- [ ] Logit.io
- [x] Solarwinds Security Event Manager
- [ ] Sematext
- [x] Servicepilot
Which functions would be included in a minimum product for SIEM (other than on-demand or prepared search)?
@pooki3bear I don't want to say that any "minimum product" is required to be added as an app necessarily. For SIEM, it initially would just be search.
What would be interesting though, would be to find out how to use Sigma to create a good integration for either one of these :+1:
I can share a spreadsheet if you'd like more insight into what we have outlined
https://github.com/Shuffle/openapi-apps/blob/master/sumologic-api.yaml
No. | Tool | Accessibility | Is a demo required? | APIs |
---|---|---|---|---|
1 | LogPoint | No direct access available. | Yes | docs |
2 | RSA NetWitness | No direct access available. | Yes | docs |
3 | LogRhythm | No direct access available. | Yes | docs |
4 | Securonix | No direct access available. | Yes | docs |
5 | Seceon | No direct access available. | Yes | |
6 | ManageEngine EventLog Analyzer | APIs not available at the moment. | No | |
7 | ExaBeam | No direct access available. | Yes | reference |
8 | Fluency | No free access available. | No | docs, Postman collection |
9 | New Relic | Free trial available. | No | docs |
10 | SolarWinds Security Event Manager | Free trial available; no APIs available. | No | |
11 | Blumira | Free trial available; no APIs available. | No | |
For example, if I have my own SIEM, how do I push logs to Shuffle so that I can build my SOAR?
Hey,
There are quite a few ways, but the main things are:
- Can you do alert forwarding, e.g. with webhooks?
- Do you have a search API?
No. I'm new to this tool. Could you please let us know what the possible ways are to push my logs to the Shuffle interface?
Search API for... To be honest, I need to learn everything.
Do you have any possible ways to redirect my other system's logs to Shuffle? If they are redirected successfully, how do I see those logs in Shuffle so that I can correlate them with other tools like YARA?
We don't typically deal with logs directly, and instead focus on alerts from the SIEM. In this case though, I'd do something like this if I were to handle logs directly with Shuffle (we are planning for this ;)):
- Set up a syslog listener (e.g. with Tenzir)
- When syslogs are found, bucket them
- Forward to Shuffle over HTTP with a webhook when you've got e.g. 1000 logs bucketed
Shuffle itself isn't meant for this kind of thing, so we suggest you use a SIEM and forward alerts instead :)
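The three steps above (listen for syslog, bucket, forward the bucket to a webhook) as a worked example. This is added here and is not Shuffle's or Tenzir's code: it uses a plain Python UDP listener instead of Tenzir, and it also stands in for the "input workflow" direction (something sending into Shuffle) from the checklist at the top of the issue. Everything not on the page is assumed: the webhook URL, the bind port, the JSON shape the hook receives, and the sample log lines, which are constructed.

```python
"""Syslog listener that buckets events and forwards them to a Shuffle webhook.

Added example, not Shuffle's or Tenzir's own code. Assumptions not taken
from the issue: the hook URL, port 5514, the {"count": N, "events": [...]}
POST body, and the constructed SAMPLE_LINES below.
"""
import json
import re
import socketserver
import time
import urllib.request

# RFC 3164-style line: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Parse one raw line; unparseable lines are kept raw, not dropped."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return {"raw": line.strip(), "parse_error": True}
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,    # 0 = emerg ... 7 = debug
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


class Bucket:
    """Collect events and hand them to `sender` in batches.

    A batch goes out when it reaches max_events, or when maybe_flush() sees
    the oldest event is older than max_age_s (a quiet host must not hold a
    partial bucket forever). `sender` is any callable taking a list.
    """

    def __init__(self, sender, max_events=1000, max_age_s=30.0,
                 clock=time.monotonic):
        self.sender, self.max_events, self.max_age_s = sender, max_events, max_age_s
        self.clock, self.events, self.first_at = clock, [], None

    def add(self, event):
        """Add one event; returns how many events were flushed (0 or a batch)."""
        if self.first_at is None:
            self.first_at = self.clock()
        self.events.append(event)
        return self.flush() if len(self.events) >= self.max_events else 0

    def maybe_flush(self):
        """Age-based flush; call periodically from the receive loop."""
        if self.first_at is not None and self.clock() - self.first_at >= self.max_age_s:
            return self.flush()
        return 0

    def flush(self):
        if not self.events:
            return 0
        batch, self.events, self.first_at = self.events, [], None
        self.sender(batch)
        return len(batch)


def webhook_sender(url, timeout=10):
    """Return a sender that POSTs a batch as JSON to the (assumed) hook URL."""
    def send(batch):
        body = json.dumps({"count": len(batch), "events": batch}).encode()
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    return send


class SyslogUDPHandler(socketserver.BaseRequestHandler):
    """One UDP datagram = one syslog line."""
    def handle(self):
        self.server.bucket.add(parse_syslog(self.request[0].decode("utf-8", "replace")))


def serve(bucket, bind=("0.0.0.0", 5514)):
    """Listen for UDP syslog on `bind` and feed every line into `bucket`."""
    server = socketserver.UDPServer(bind, SyslogUDPHandler)
    server.bucket, server.timeout = bucket, 1.0   # timeout lets the age check run
    try:
        while True:
            server.handle_request()
            bucket.maybe_flush()
    finally:
        bucket.flush()        # do not lose a partial bucket on shutdown
        server.server_close()


# Constructed sample lines (not real traffic) to show parsing and batching.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 sshd[2291]: Failed password for root from 203.0.113.7 port 4312 ssh2",
    "this is not syslog at all",
]


def demo(max_events=2):
    """Run the sample lines through a bucket with an in-memory sender."""
    batches = []
    bucket = Bucket(batches.append, max_events=max_events)
    for line in SAMPLE_LINES:
        bucket.add(parse_syslog(line))
    bucket.flush()
    return batches


if __name__ == "__main__":
    # Real use: serve(Bucket(webhook_sender("https://shuffler.io/api/v1/hooks/<hook-id>")))
    for b in demo():
        print(json.dumps(b, indent=2))
```

The flush-on-size plus flush-on-age pair is the part worth copying: size alone means a host that logs slowly never reaches the threshold and its events sit in memory, while the `finally: bucket.flush()` covers the shutdown case. Lines that fail to parse are forwarded tagged with `parse_error` rather than discarded, so a SIEM or workflow downstream can still see them.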
hey frikky,
Yeah, even I know Shuffle isn't designed for logs, but I wanted to correlate logs with YARA rules or other tools so that it can detect malicious IPs, and using Shuffle alerts and automation I can block them.
So basically my idea is to automate my security.
I'm planning to send logs to the Shuffle machine using rsyslog or OSSEC and collect them using webhooks.
is it possible ?
We got something cooking for this. It's not directly possible right now, but soon~ :)
Hi Frikky,
Actually, I tried sending alerts to Shuffle from the Wazuh tool as you demonstrated in the video, but I can't get those level-three alerts in JSON.
PS: could you provide me the video showcasing alerts after setting up webhooks?
I followed these instructions: https://medium.com/@ilyes_abdelhadi_86557/wazuh-shuffle-integration-3dc0b7db439