Comments (8)
@tbone8621 If it helps I pretty much copied a production system to a VM and installed and configured all the same security tools. Then made sure alerts were sent off normally by manually triggering them. If you can trigger them manually then the actions Metta takes will be sent off successfully.
from metta.
Wouldn't that be on the OS level? Have your image send its logs to your SIEM to identify what it detects. I guess a separate log file could be generated and sent off, but it would probably be easier to configure your VM to send it. That is what I did at least.
hey @tbone8621 that's super broad. what do you mean specifically? you want the results of the simulation to go into a SIEM? you want some kind of hook to check the SIEM for the results of the simulation? something else?
gonna wait for @tbone8621 's reply but right now there is some basic JSON logging that you could do something with. I suspect this is more around automatically checking a SIEM for the results of your action or simulation. It can be done. I ended up creating another celery worker queue that would query our EDR vendor for the results via their API. We're using this internally for more rule QA so this is more of a 1-1 match of action to expected alert. This isn't expressly expected with action files or even with scenarios but you could certainly write them with that in mind, where you expect each action run to end up being an event in your SIEM.
I am looking to see if this could be used to trigger my content in my SIEM. As in validation testing.
assuming the vagrant you build/use has your instrumentation on it and those logs are getting to the SIEM (if necessary...just depends on what you are using for instrumentation), I don't see why not. If I'm misunderstanding the question please let me know.
That is the intended use. You run the action or scenario files against vagrants that have your EDR agents, sysmon configs, splunk forwarders, whatever you are using...and the alerts would pop up in your SIEM or you could go hunt for the data in the SIEM. Metta logs exactly what you ran and at what time to help you with this.
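The two comments above describe the same validation loop: Metta records each action and its run time, and you check whether the expected alert showed up in the SIEM or EDR within a short window. The following is an added example of that 1-1 action-to-alert correlation; it is not Metta's own code, and the record fields (`name`, `timestamp`, `expected_alert`, `rule`) and the sample records are constructed, since the real shapes depend on your Metta version and SIEM.

```python
"""Correlate simulated actions with SIEM alerts to find detection gaps (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: one record per action run, with the rule you expect to fire.
# Field names are assumptions, not Metta's actual JSON log schema.
ACTIONS = [
    {"name": "discovery_whoami", "timestamp": "2020-01-15T10:00:00Z",
     "expected_alert": "Suspicious whoami"},
    {"name": "persistence_schtask", "timestamp": "2020-01-15T10:05:00Z",
     "expected_alert": "Scheduled task created"},
    {"name": "credaccess_lsass", "timestamp": "2020-01-15T10:10:00Z",
     "expected_alert": "LSASS access"},
]

# Constructed sample of alerts pulled from the SIEM/EDR for the same period.
ALERTS = [
    {"rule": "Suspicious whoami", "timestamp": "2020-01-15T10:00:40Z"},
    {"rule": "Scheduled task created", "timestamp": "2020-01-15T09:50:00Z"},  # fired before the action: not a match
    {"rule": "Unrelated noise", "timestamp": "2020-01-15T10:11:00Z"},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(actions, alerts, window=timedelta(minutes=2)):
    """Map each action name to the timestamp of its matching alert, or None.

    An alert matches only if it carries the expected rule name AND fired
    between the action's start time and start + window, so stale alerts
    from earlier runs do not count as coverage.
    """
    results = {}
    for act in actions:
        start = parse_ts(act["timestamp"])
        hit = None
        for alert in alerts:
            if alert["rule"] != act["expected_alert"]:
                continue
            fired = parse_ts(alert["timestamp"])
            if start <= fired <= start + window:
                hit = alert["timestamp"]
                break
        results[act["name"]] = hit
    return results


def coverage_gaps(actions, alerts):
    """Names of actions whose expected alert never fired in time: the rules to QA."""
    return [name for name, hit in correlate(actions, alerts).items() if hit is None]


if __name__ == "__main__":
    for name, hit in correlate(ACTIONS, ALERTS).items():
        print(f"{name}: {'alert at ' + hit if hit else 'NO ALERT - detection gap'}")
```

In practice the `ALERTS` list would be filled by a query to your SIEM or EDR API for the run's time window, with the same matching logic applied.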
Thank you, that helps. I was just wondering if there was a way to push the data to a SIEM.
I think this is closed. @tbone8621 if you still need help please create another issue or i can work with you directly over twitter DM or email.