-
This DSIEM? https://www.dsiem.org/
-
Yes, information is fed to DSIEM using Logstash, but in DSIEM the information is parsed by Logstash, whereas in Security Onion the information is parsed by Elasticsearch. I do not know if this will be an issue; I am just thinking aloud here, because DSIEM also has to store the information after normalization in Elasticsearch. I have been able to integrate DSIEM with an existing ELK stack, which works fine. I am very new to SO; maybe if you give a step-by-step approach to creating template indices in Elasticsearch in SO, that might be a good starting point, because I could not get much help from the SO documentation on how to do that. I think this is a great project we can collaborate on. Thanks very much while I await your response.
-
Dsiem clones the events stored in Elasticsearch, before processing them, by creating another Logstash pipeline. The processed data is then also stored in Elasticsearch. My question was: how do you, for instance, configure an index template, say "suricata-*", in the Elasticsearch of SO? I can see "index template and component template" in the SO documentation, which is confusing to me.
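The question above is about the difference between a component template and a composable index template for a `suricata-*` index pattern. The following is an added example, not code from this thread, from Security Onion or from Dsiem: a small Python script that defines one component template holding mappings for a handful of Suricata EVE JSON fields, one composable index template that matches `suricata-*` and is `composed_of` that component, and a helper that shows how Elasticsearch picks the highest-priority matching template for a new index. The template names, the chosen fields and mappings, the priority value and the `ES_URL` environment variable are all assumptions; the script only talks to Elasticsearch when run directly, using the standard `PUT _component_template/<name>` and `PUT _index_template/<name>` endpoints.

```python
"""Component template + composable index template for suricata-* indices.

Added example, not part of the thread, Security Onion or Dsiem. Template names,
field mappings, the priority and the ES_URL variable are assumptions chosen
for illustration.
"""
import json
import os
import urllib.request
from fnmatch import fnmatch
from typing import Dict, Optional

COMPONENT_NAME = "suricata-eve-mappings"  # assumed component template name
TEMPLATE_NAME = "suricata"                # assumed index template name
INDEX_PATTERN = "suricata-*"


def build_component_template() -> dict:
    """Reusable field mappings for common Suricata EVE JSON fields.

    A component template carries a reusable fragment (mappings, settings,
    aliases) and does nothing on its own until an index template references it.
    """
    return {
        "template": {
            "mappings": {
                "properties": {
                    "timestamp": {"type": "date"},
                    "event_type": {"type": "keyword"},
                    "src_ip": {"type": "ip"},
                    "dest_ip": {"type": "ip"},
                    "src_port": {"type": "integer"},
                    "dest_port": {"type": "integer"},
                    "proto": {"type": "keyword"},
                    "alert": {
                        "properties": {
                            "signature": {"type": "keyword"},
                            "signature_id": {"type": "long"},
                            "severity": {"type": "integer"},
                        }
                    },
                }
            }
        }
    }


def build_index_template(priority: int = 200) -> dict:
    """Composable index template: index_patterns + own settings + composed_of.

    It is the index template, not the component, that binds to new indices
    whose names match index_patterns. The priority (assumed 200 here) decides
    which template wins when several patterns match the same index name.
    """
    return {
        "index_patterns": [INDEX_PATTERN],
        "priority": priority,
        "composed_of": [COMPONENT_NAME],
        "template": {
            "settings": {"number_of_shards": 1, "number_of_replicas": 0},
        },
    }


def template_applies(index_name: str, template: dict) -> bool:
    """True if any index_patterns glob of the template matches the index name."""
    return any(fnmatch(index_name, pattern) for pattern in template["index_patterns"])


def select_template(index_name: str, templates: Dict[str, dict]) -> Optional[str]:
    """Name of the highest-priority template whose pattern matches index_name.

    Mirrors how Elasticsearch resolves overlapping composable templates; missing
    priority counts as 0. Returns None when nothing matches.
    """
    matches = [(tpl.get("priority", 0), name)
               for name, tpl in templates.items() if template_applies(index_name, tpl)]
    return max(matches)[1] if matches else None


def put_json(base_url: str, path: str, body: dict) -> dict:
    """PUT a JSON body to Elasticsearch and return the decoded response."""
    req = urllib.request.Request(
        f"{base_url}{path}", data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    es_url = os.environ.get("ES_URL", "http://localhost:9200")  # assumed default
    # The component must exist before an index template can reference it.
    print(put_json(es_url, f"/_component_template/{COMPONENT_NAME}", build_component_template()))
    print(put_json(es_url, f"/_index_template/{TEMPLATE_NAME}", build_index_template()))
```

Run it with `ES_URL` pointing at the cluster (and whatever authentication the cluster needs added to the request); the order matters, since Elasticsearch rejects an index template whose `composed_of` names a component that does not exist yet. The `select_template` helper is there to make the priority rule visible: a catch-all `*` template with a low priority will not override the `suricata-*` one, but two templates with overlapping patterns and the same priority are rejected by Elasticsearch at creation time.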
-
I am looking for a way to integrate SO with Dsiem. I have no clue at all. I can see that one of the outputs from SO is ElastAlert. Does anyone have a good approach for how to go about this?
Regards
Peter