SIEM


Send Incident between Supervisors (creating a mini Super of Super(s))

  • 1.  Send Incident between Supervisors (creating a mini Super of Super(s))

    Posted 16 days ago
    Edited by Hugo Pinto 15 days ago

    Hi,

    We share with you guys another MSSP that wants to centralize incidents between multiple supervisors, with drill down.

    Supervisor A: Organization ID 2000
    Supervisor B: Organization ID 3000

    In this case we want to send incidents from Supervisor A -> Supervisor B

    Step 1) Create an incident notification policy.

    Step 2) Call a Python process to collect the XML tree from the incident.

    Step 3) Collect the RAW event into a string.

    Step 4) Add the string "phcustid=3000, "
                 Note: phcustid is the ID of the organization on Supervisor B.

    Step 5) Merge the message from step 3 and step 2; it will be like this:
                Note: <1> phcustid=3000, <123> 12-10-12 Fortigate raw......

    Step 6) Go to Admin -> Organization -> Include the IP address of Super A.

    Note: currently we are working on a parser for phCustID and multiple clients in the same supervisor.


    Then you will see on Supervisor B the incoming message from Supervisor A, with auto mapping to the wanted organization on Supervisor B; the message will be parsed as the original syslog, and the analysts can drill down for the user and other events.

    This only happens because of the parser PHToolBox, which collects phcustid and then passes it to the other messages.

    In this case, when incidents are triggered, they will keep the parsing and MitreFramework, etc...

    Enjoy

    Hugo Pinto
    Claranet Portugal
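The following is an added example of steps 3 to 5 of the post above; it is not Hugo Pinto's attached script and not FortiSIEM code. It assumes that the notification policy hands the Python process an XML document whose raw event text sits in a `<rawEvent>` element (the element names in `SAMPLE_INCIDENT_XML` are constructed for the demo, not the real schema), builds the `<1> phcustid=3000, <raw event>` line from the post, and can emit it as UDP syslog towards Supervisor B. Newlines inside the raw event are collapsed, because a multi-line raw event would otherwise arrive at Supervisor B as extra messages without the phcustid prefix and could not be mapped to the organization.

```python
# Added example; not Hugo Pinto's attached script and not FortiSIEM code.
# Implements steps 3-5 of the post: pull the raw event out of the incident
# XML, prepend "phcustid=<Organization ID on Supervisor B>, " and emit the
# merged line as syslog towards Supervisor B.
import socket
import xml.etree.ElementTree as ET

# Organization ID of the target organization on Supervisor B (from the post).
SUPERVISOR_B_CUST_ID = 3000

# Constructed incident XML standing in for what the notification policy
# hands the Python process. The element names (<incident>, <rawEvent>)
# are assumptions for this demo, not the real FortiSIEM schema.
SAMPLE_INCIDENT_XML = """<incident>
  <incidentId>42</incidentId>
  <ruleName>Example rule</ruleName>
  <rawEvent>&lt;123&gt; 12-10-12 Fortigate raw......</rawEvent>
</incident>"""


def extract_raw_events(xml_text):
    """Step 3: return every raw event string found in the incident XML."""
    root = ET.fromstring(xml_text)
    return [elem.text.strip() for elem in root.iter("rawEvent") if elem.text]


def build_forward_message(raw_event, cust_id):
    """Steps 4 and 5: '<1> phcustid=<id>, ' followed by the original raw event.

    Whitespace and newlines inside the raw event are collapsed so the result
    stays a single syslog line; otherwise the receiver would see a second,
    prefix-less message that it cannot map to an organization.
    """
    if not raw_event or not raw_event.strip():
        raise ValueError("empty raw event; nothing to forward")
    single_line = " ".join(raw_event.split())
    return f"<1> phcustid={cust_id}, {single_line}"


def forward_incident(xml_text, cust_id, host=None, port=514):
    """Build the merged lines and send them by UDP syslog when host is given.

    Supervisor B must have the sender's IP added under Admin -> Organization
    (step 6 of the post), or the forwarded events are not accepted there.
    """
    lines = [build_forward_message(raw, cust_id)
             for raw in extract_raw_events(xml_text)]
    if host is not None:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            for line in lines:
                sock.sendto(line.encode("utf-8"), (host, port))
    return lines


if __name__ == "__main__":
    # Dry run: no host given, so nothing is sent and the lines are only printed.
    for line in forward_incident(SAMPLE_INCIDENT_XML, SUPERVISOR_B_CUST_ID):
        print(line)
```

To actually forward, call `forward_incident(xml_text, 3000, host="<Supervisor B IP>")` with the real IP; the host value is left as a placeholder because the post does not give one.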



  • 2.  RE: Send Incident between Supervisors (creating a mini Super of Super(s))

    Posted 15 days ago
    We share a development script, not a final one.

    Please fill in all IP settings for this to work.

    We are developing it to send bizService too, for multiple geolocations in the same tenant (like a sub-tenant, but using biz service).

    HP


  • 3.  RE: Send Incident between Supervisors (creating a mini Super of Super(s))

    Posted 15 days ago
    Change the extension of the file to Python (.py).
