Skip to content

Latest commit

 

History

History
209 lines (136 loc) · 4.33 KB

07-0-0-Integration.rst

File metadata and controls

209 lines (136 loc) · 4.33 KB
Raw

Integrations

Responders Analyzers how-to-write-analyzer.md how-to-write-automation-node.rst

Energy Logserver SIEM

This integration send alerts from Energy Logserver SIEM to Energy SOAR.

Create API key

Create new (non-admin) user and generate API key.

image

Click Reveal

image

Copy the API key

image

Edit Alert

Add configuration in the Alert service config.

# vi /opt/alert/config.yaml
hive_connection:
  hive_host: https://<Energy_SOAR_IP>/base
  hive_apikey: <api_key>

Restart the Alert service

# systemctl restart alert

Alert rule configuration

Configure details in the alert rule configuration

alert: hivealerter
hive_alert_config_type: classic
hive_alert_config:
  type: "AUDIT"
  source: "SIEM"
  severity: 2
  tags: ["ELS","audit"]
  tlp: 3
  status: "New"
  follow: True
hive_observable_data_mapping:
 - ip: "{match[src_ip]}"
   message: "Source IP address"
   tags: ["src: SIEM"]
 - domain: "{match[username]}"
   message: "Audit username"
   tags: ["src: SIEM"]

Custom message

By default Energy Logserver SIEM send a json with all alert fields. You can customize your message using markdown.

For example:

alert_text: "## Summary\r\n
\r\n\r\n
|  |  |\r\n
|---|---|\r\n
| IP | {} |\r\n
| Rule | {} |\r\n
\r\n\r\n
Log: `{}`\r\n
Full log: \r\n
```\r\n
{}\r\n
```\r\n
"
alert_text_args:
  - data.srcip
  - rule.description
  - full_log
  - previous_output

Preview:

image

Microsoft Exchange

Installation

Download the Exchange integration.

# curl -u'license user:license pwd' \
-O https://repo.energysoar.com/add-ons/synapse.tar.gz

Unpack and install the dependencies.

# tar -zxvf synapse.tar.gz -C /opt
# dnf install -y python3-devel gcc
# /usr/bin/python3 -m pip install -r /opt/synapse/requirements.txt

Install the system service.

# cp "/opt/synapse/synapse@.service" /usr/lib/systemd/system/

Info: The service allows you to run multiple instances. Create a synapse user.

# adduser -r -s /bin/nologin -d /opt/synapse --system synapse

Change permissions.

# chown -R synapse: /opt/synapse

Instance configuration ^^^^^^^^^^^^^^^

# mv /opt/synapse/conf/synapse.conf \
/opt/synapse/conf/synapse.conf.example

# cp /opt/synapse/conf/synapse.conf.example \
/opt/synapse/conf/exchange.conf

Enter the file /opt/synapse/conf/exchange.conf and make the following changes.

Set the API key and user in TheHive section.

user:
api_key:

To do this, create a new technical account. Log in as an admin or soc-admin to the Energy SOAR system. In the case of an admin, click on the organization in which you want to create the user. Then create a new local user.

image

Login: synapse@energysoar.local
Full name: Synapse
Profile: analyst

If the user already exists, you can create an API key by clicking on the following button.

image

Then to copy the key, you need to open it by clicking the Reveal button.

image

In the EWS section, provide data for the technical account from which we will read emails.

username:
password:
auth_type:NTLM
smtp_address:
folder_name:Inbox

Inbox is the main folder to which all emails are usually sent. If the integration is to read emails from another catalog, you should specify it here. In the [Instance] section, change the name from synapse to exchange.

Start the instance

# systemctl enable --now synapse@exchange