
Comments (8)

paragonsec commented on May 28, 2024

@tbone8621 If it helps I pretty much copied a production system to a VM and installed and configured all the same security tools. Then made sure alerts were sent off normally by manually triggering them. If you can trigger them manually then the actions Metta takes will be sent off successfully.


paragonsec commented on May 28, 2024

Wouldn't that be on the OS level? Have your image send its logs to your SIEM to identify what it detects. I guess a separate log file could be generated and sent off, but it would probably be easier to configure your VM to send it. That is what I did at least.


carnal0wnage commented on May 28, 2024

Hey @tbone8621, that's super broad. What do you mean specifically? You want the results of the simulation to go into a SIEM? You want some kind of hook to check the SIEM for the results of the simulation? Something else?


carnal0wnage commented on May 28, 2024

Gonna wait for @tbone8621's reply, but right now there is some basic JSON logging that you could do something with. I suspect this is more around automatically checking a SIEM for the results of your action or simulation. It can be done. I ended up creating another celery worker queue that would query our EDR vendor for the results via their API. We're using this internally for more rule QA, so this is more of a 1-1 match of action to expected alert. This isn't expressly expected with action files or even with scenarios, but you could certainly write them with that in mind, where you expect each action run to end up being an event in your SIEM.


tbone8621 commented on May 28, 2024

I am looking to see if this could be used to trigger my content in my SIEM. As in validation testing.


carnal0wnage commented on May 28, 2024

Assuming the vagrant you build/use has your instrumentation on it and those logs are getting to the SIEM (if necessary; it just depends on what you are using for instrumentation), I don't see why not. If I'm misunderstanding the question please let me know.

That is the intended use. You run the action or scenario files against vagrants that have your EDR agents, sysmon configs, splunk forwarders, whatever you are using, and the alerts would pop up in your SIEM, or you could go hunt for the data in the SIEM. Metta logs exactly what you ran and at what time to help you with this.

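The validation loop described in the two comments above (run an action, note what ran and when, then check the SIEM for the alert you expected) can be automated with a small matcher. The following is an added example and not Metta's own code: the action-log field names (`timestamp`, `action`, `expected_alert`), the SIEM alert shape, and the sample records are all constructed assumptions; the real JSON your tooling emits and the query you run against your SIEM will differ.

```python
"""Match adversary-simulation actions to the SIEM alerts they were expected to raise.

Added example, not Metta's own code. The action-log fields (timestamp, action,
expected_alert) and the alert records below are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON line per action the simulation ran, in the
# style of a "what ran and when" log. Field names are assumptions.
ACTION_LOG = """\
{"timestamp": "2024-05-28T14:00:05Z", "action": "enum_local_admins", "expected_alert": "Local Admin Enumeration"}
{"timestamp": "2024-05-28T14:02:10Z", "action": "create_scheduled_task", "expected_alert": "Suspicious Scheduled Task"}
{"timestamp": "2024-05-28T14:05:30Z", "action": "event_log_cleared", "expected_alert": "Event Log Cleared"}
"""

# Constructed sample: what a SIEM search scoped to the test VM might return.
# The third alert fired long before its action ran, so it must not count.
SIEM_ALERTS = [
    {"time": "2024-05-28T14:00:40Z", "rule": "Local Admin Enumeration", "host": "vagrant-win10"},
    {"time": "2024-05-28T14:02:15Z", "rule": "Suspicious Scheduled Task", "host": "vagrant-win10"},
    {"time": "2024-05-28T13:30:00Z", "rule": "Event Log Cleared", "host": "vagrant-win10"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_actions(log_text):
    """Read newline-delimited JSON action records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def match_actions_to_alerts(actions, alerts, window=timedelta(minutes=5)):
    """Return {action_name: matching alert or None}.

    An alert matches when its rule name equals the action's expected_alert and
    it fired between the action time and action time + window. Each alert is
    consumed at most once, so two actions cannot claim the same alert.
    """
    unused = list(alerts)
    results = {}
    for act in actions:
        start = parse_ts(act["timestamp"])
        end = start + window
        hit = None
        for alert in unused:
            fired = parse_ts(alert["time"])
            if alert["rule"] == act["expected_alert"] and start <= fired <= end:
                hit = alert
                break
        if hit is not None:
            unused.remove(hit)
        results[act["action"]] = hit
    return results


def detection_gaps(results):
    """Names of actions that produced no expected alert, sorted for stable output."""
    return sorted(name for name, hit in results.items() if hit is None)


if __name__ == "__main__":
    res = match_actions_to_alerts(load_actions(ACTION_LOG), SIEM_ALERTS)
    for name, hit in res.items():
        status = "DETECTED" if hit else "MISSED"
        print(f"{name:24s} {status:9s} {hit['time'] if hit else ''}")
    print("detection gaps:", detection_gaps(res))
```

The time window is the important design choice: matching on rule name alone would have credited the stale 13:30 alert to the 14:05 action, which is exactly the false positive that makes a rule look healthy when it is not. In practice the alert list comes from a SIEM or EDR API query rather than a literal, and the window should be tuned to your forwarding latency.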

tbone8621 commented on May 28, 2024

Thank you, that helps. I was just wondering if there was a way to push the data to a SIEM.


carnal0wnage commented on May 28, 2024

I think this is closed. @tbone8621 if you still need help please create another issue, or I can work with you directly over Twitter DM or email.
