Create SIEM apps #21

Open
23 of 29 tasks
frikky opened this issue Oct 10, 2020 · 12 comments
Comments

@frikky
Member

frikky commented Oct 10, 2020

Using the App creator, OpenAPI or Python directly:

Minimal use-cases (if possible):

  • Search
  • Send event TO SIEM
  • Get Search results
  • Create Saved Search
  • Create Alert from Search (sends webhook / something else)

If applicable (same as case management):

  • List Incidents
  • Get Incident
  • Update incident
  • Add comment

Workflow example to add:

  • Search for some data, then filter the data, before creating a ticket (cases) and sending messages (comms) for each result.

For each item in the list below, we want the following:

  • A name with a link to the app on https://shuffler.io
  • Whether it's been built at all (checkmark)
  • A link to an input workflow (sending from SIEM to Shuffle)
  • A search workflow for how to search in the SIEM

Items

  • Splunk - Input Workflow - Search Workflow - Documentation - Public app
  • QRadar
  • ArcSight
  • Elasticsearch (ELK)
  • Logpoint
  • MDATP
  • Azure Sentinel
  • Sumologic
  • Logz.io
  • RSA NetWitness
  • Datadog #301
  • Logarithm
  • Security onion
  • Rapid7 IDR
  • FortiSIEM
  • Securonix
  • Wazuh #298
  • Seceon
  • Microsoft Sentinel
  • Fluency
  • CyberShark
  • ExaBeam
  • AlertLogic
  • ManageEngine EventLog Analyzer
  • New Relic
  • Logit.io
  • Solarwinds Security Event Manager
  • Sematext
  • Servicepilot
@frikky frikky added the hacktoberfest https://hacktoberfest.digitalocean.com/ label Oct 10, 2020
@pooki3bear
Contributor

Which functions would be included in a minimum product for SIEM (other than on-demand or prepared search)?

@frikky
Member Author

frikky commented Dec 9, 2020

@pooki3bear I don't want to say that any "minimum product" is necessarily required to be added as an app. For SIEM, it initially would just be search.

What would be interesting though, would be to find out how to use Sigma to create a good integration for either one of these 👍

I can share a spreadsheet if you'd like more insight into what we have outlined

@frikky frikky added the SIEM label Feb 25, 2021
@frikky frikky added Search and removed hacktoberfest https://hacktoberfest.digitalocean.com/ labels Mar 1, 2021
@frikky frikky assigned frikky and gaurav-m92 and unassigned frikky Apr 8, 2021
@frikky frikky assigned dhaval055 and unassigned gaurav-m92 May 25, 2022
@dhaval055
Member

dhaval055 commented Aug 3, 2022

| No. | Tool | Accessibility | Is a demo required? | APIs |
| --- | --- | --- | --- | --- |
| 1 | LogPoint | No direct access available. | Yes | docs |
| 2 | RSA NetWitness | No direct access available. | Yes | docs |
| 3 | Logrhythm | No direct access available. | Yes | docs |
| 4 | Securonix | No direct access available. | Yes | docs |
| 5 | Seceon | No direct access available. | Yes | |
| 6 | ManageEngine EventLog Analyzer | APIs not available at the moment. | No | |
| 7 | ExaBeam | No direct access available. | Yes | reference |
| 8 | Fluency | No free access available. | No | docs, Postman collection |
| 9 | New Relic | Free trial available | No | docs |
| 9 | Solarwinds Security Event Manager | Free trial available, no APIs available | No | |
| 9 | Blumira | Free trial available, no APIs available | No | |

@winhigh

winhigh commented Dec 7, 2023

For example, if I have my own SIEM, how do I push logs to Shuffle so that I can build my SOAR?

@frikky
Member Author

frikky commented Dec 7, 2023

> For example, if I have my own SIEM, how do I push logs to Shuffle so that I can build my SOAR?

Hey,

There are quite a few ways, but the main things are:

  • Can you do alert forwarding, e.g. with webhooks?
  • Do you have a search API?

@winhigh

winhigh commented Dec 8, 2023

No. I'm new to this tool; could you please let us know the possible ways to push my logs to the Shuffle interface?

Search API for ... to be honest, I need to learn everything.

Do you have any possible ways to redirect my other system's logs to Shuffle? If they are redirected successfully, how do I see those logs in Shuffle so that I can correlate them with other tools like YARA?

@frikky
Member Author

frikky commented Dec 8, 2023

> No. I'm new to this tool; could you please let us know the possible ways to push my logs to the Shuffle interface?
>
> Search API for ... to be honest, I need to learn everything.
>
> Do you have any possible ways to redirect my other system's logs to Shuffle? If they are redirected successfully, how do I see those logs in Shuffle so that I can correlate them with other tools like YARA?

We don't typically deal with logs directly, and instead focus on alerts from the SIEM. In this case though, I'd do something like this if I were to handle logs directly with Shuffle (we are planning for this ;)):

  1. Set up a syslog listener (e.g. with Tenzir)
  2. When syslogs are received, bucket them
  3. Forward to Shuffle over HTTP with a webhook when you have e.g. 1000 logs bucketed

Shuffle itself isn't meant for this kind of thing, so we suggest you use a SIEM and forward alerts instead :)
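
The three steps described in the comment above (syslog listener, bucketing, webhook forward), as an added example that is not Shuffle's or Tenzir's own code; the webhook URL and the JSON body shape are assumptions, and the `sender` callback is injectable so the batching logic can be exercised without a network.

```python
import json
import re
import socket
import urllib.request
# Added example, not Shuffle's or Tenzir's own code. The webhook URL is a
# placeholder (assumption); the JSON body shape is likewise an assumption.
SHUFFLE_WEBHOOK_URL = "https://SHUFFLE_HOST_PLACEHOLDER/api/v1/hooks/WEBHOOK_ID_PLACEHOLDER"
BUCKET_SIZE = 1000  # flush threshold suggested in the comment above
PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_syslog(line):
    """Split the syslog <PRI> header into facility and severity (RFC 3164/5424)."""
    m = PRI_RE.match(line)
    if not m:
        return {"facility": None, "severity": None, "message": line}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "message": line[m.end():]}

def post_batch(batch, url=SHUFFLE_WEBHOOK_URL):
    """Forward one bucket to the webhook as a single JSON document."""
    body = json.dumps({"count": len(batch), "logs": batch}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

class SyslogBucket:
    # Accumulates parsed syslog records and flushes them in fixed-size batches.
    def __init__(self, bucket_size=BUCKET_SIZE, sender=post_batch):
        self.bucket_size = bucket_size
        self.sender = sender  # injectable so batching can be tested offline
        self.records = []
        self.batches_sent = 0
    def add(self, line):
        self.records.append(parse_syslog(line))
        if len(self.records) >= self.bucket_size:
            self.flush()
    def flush(self):
        """Send whatever is buffered; returns the number of records sent."""
        if not self.records:
            return 0
        batch, self.records = self.records, []
        self.sender(batch)
        self.batches_sent += 1
        return len(batch)

def listen_udp(bucket, host="0.0.0.0", port=5514):
    """Plain UDP syslog listener; each datagram is treated as one log line."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, _ = sock.recvfrom(65535)
        bucket.add(data.decode("utf-8", errors="replace").rstrip("\r\n"))
```

Run it with `listen_udp(SyslogBucket())` and point rsyslog at the listener port; a partially filled bucket is only sent when `flush()` is called, so call it on shutdown to avoid losing the tail.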

@winhigh

winhigh commented Dec 9, 2023

hey frikky,

Yeah, even I know Shuffle isn't designed for logs, but I wanted to correlate logs with YARA rules or other tools so that it can detect malicious IPs and, using Shuffle alerts and automation, I can block them.

So basically my idea is to automate my security.

@winhigh

winhigh commented Dec 9, 2023

I'm planning to send logs to the Shuffle machine using rsyslog or OSSEC and collect them using webhooks.

Is it possible?

@frikky
Member Author

frikky commented Dec 15, 2023

> I'm planning to send logs to the Shuffle machine using rsyslog or OSSEC and collect them using webhooks.
>
> Is it possible?

We got something cooking for this. It's not directly possible right now, but soon~ :)

@winhigh

winhigh commented Dec 18, 2023

Hi Frikky,

Actually, I tried sending alerts to Shuffle from the Wazuh tool as you demonstrated in the video, but I am not able to get those level-three alerts in JSON.

PS: could you provide me with the video showcasing the alerts after setting up the webhooks?

https://medium.com/@ilyes_abdelhadi_86557/wazuh-shuffle-integration-3dc0b7db439
I followed these instructions.

@frikky frikky assigned yogeshgurjar127 and unassigned dhaval055 Apr 22, 2024