Copyright © 2015-2020 Infopercept Consulting Property of Infopercept Consulting Contact: info@infopercept.com
A robust integration platform that seamlessly connects SIEM with Case Management for advanced threat detection and incident response automation.
Reference: Using SIEM and Case Management for Threat Protection
- OSSEC/SIEM installation
- Case Management instance running
- Python 3.x environment
- Administrative access
- Clone the repository
cd /opt/
sudo git clone https://github.com/infopercept/siem2cm.git- Install dependencies
sudo /var/ossec/framework/python/bin/pip3 install -r /opt/siem2cm/requirements.txt- Deploy integration scripts
sudo cp /opt/siem2cm/custom-invinsense2cm.py /var/ossec/integrations/custom-invinsense2cm.py
sudo cp /opt/siem2cm/custom-invinsense2cm /var/ossec/integrations/custom-invinsense2cm- Set permissions
sudo chmod 755 /var/ossec/integrations/custom-invinsense2cm.py
sudo chmod 755 /var/ossec/integrations/custom-invinsense2cm
sudo chown root:ossec /var/ossec/integrations/custom-invinsense2cm.py
sudo chown root:ossec /var/ossec/integrations/custom-invinsense2cmEdit /var/ossec/etc/ossec.conf and add the following integration block:
<integration>
<name>custom-invinsense2cm</name>
<hook_url>http://localhost:9000</hook_url>
<api_key>YOUR_CM_API_KEY</api_key>
<alert_format>json</alert_format>
</integration>| Parameter | Description | Example |
|---|---|---|
| name | Integration identifier (do not modify) | custom-invinsense2cm |
| hook_url | Case Management instance URL | http://localhost:9000 |
| api_key | Case Management API key with alert creation permissions | YOUR_API_KEY |
| alert_format | Data format for alerts (do not modify) | json |
Restart OSSEC to apply changes:
sudo /var/ossec/bin/ossec-control restartEnable detailed logging by modifying /var/ossec/integrations/custom-invinsense2cm.py:
# Change from:
debug_enabled = False
# To:
debug_enabled = TrueControl alert volume by setting severity thresholds:
# In /var/ossec/integrations/custom-invinsense2cm.py
# SIEM rules threshold (default: 0)
lvl_threshold = 5
# Suricata rules threshold (default: 3)
suricata_lvl_threshold = 3Events with severity levels equal to or greater than these thresholds will be forwarded to Case Management.
# View integration logs
tail -f /var/ossec/logs/integrations.log
# Check for errors
grep ERROR /var/ossec/logs/integrations.logMonitor Case Management dashboard for incoming alerts from SIEM integration.
-
API Key Security
- Create a dedicated Case Management user for integration
- Grant minimal permissions (alert creation only)
- Rotate API keys regularly
-
Network Security
- Use HTTPS for Case Management connection
- Implement firewall rules between SIEM and Case Management
- Monitor integration logs for anomalies
-
Alert Management
- Configure appropriate thresholds to prevent alert fatigue
- Regularly review and tune detection rules
- Implement alert deduplication where necessary
एषः प्रकल्पः SIEM तथा Case Management इत्येतयोः मध्ये सेतुः अस्ति। सुरक्षा-घटनानां स्वचालित-प्रबन्धनाय एतत् साधनम् उपयुज्यते।
१. कोड-संग्रहस्य प्रतिलिपिः
cd /opt/
sudo git clone https://github.com/infopercept/siem2cm.git२. आवश्यक-साधनानां स्थापना
sudo /var/ossec/framework/python/bin/pip3 install -r /opt/siem2cm/requirements.txt३. संरचना-समायोजनम्
- ossec.conf फाइले एकीकरण-खण्डं योजयन्तु
- API कुञ्जी स्थापयन्तु
- सेवां पुनः प्रारभन्तु
- lvl_threshold: घटना-स्तरस्य न्यूनतम-सीमा
- debug_enabled: विस्तृत-लॉगिंग-सक्रियकरणम्
- suricata_lvl_threshold: Suricata-नियमानां सीमा
यदि कश्चित् दोषः दृश्यते, तर्हि:
- /var/ossec/logs/integrations.log फाइलं परीक्षताम्
- debug_mode सक्रियं कुर्वन्तु
- API कुञ्जी प्रमाणीकरणं परीक्षताम्
For issues, questions, or contributions:
- Email: info@infopercept.com
- GitHub Issues: Report a bug
- Wiki: Documentation & FAQs
© 2015-2020 Infopercept Consulting. All rights reserved.