Getting Started with SIEM Integration
This is a guide on how to integrate Araali with supported SIEM products
Install Araali
Follow the instructions in the getting started post
This sets up and authorizes Araalictl for local use.
Integration with ElasticStack
Configure the TCP input plugin to accept json data. Open the existing LogStash config file and add the following to the input plugin list.:
input {
tcp {
port => 9099
codec => "json"
}
}
Restart the LogStash service for the configuration to take effect.
sudo systemctl restart logstash
Check netstat to make sure LogStash has started listening on the chosen port.
sudo netstat -lntp | grep 9099
Start Araali Collector
Start the Araali Collector to submit Araali data to the configured LogStash TCP input port.
./araalictl api -stream-start -stream-tcp=0.0.0.0:9099 -out=json -stream-cnt=1000
Check status
./araalictl api -stream-status
Sentinel Integration
Install logstash on a VM .:
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
$ sudo apt-get install apt-transport-https
$ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
$ sudo apt-get update && sudo apt-get install logstash
Install Azure Sentinel Plugin for Logstash on the vm .:
$ sudo /usr/share/logstash/bin/logstash-plugin install microsoft-logstash-output-azure-loganalytics
Figure out workspace id, primary key from Azure log analytics workspace settings as below
Add workspace key to logstash keystore and then create logstash config as below. Finally, restart logstash .:
$ sudo mkdir -p /usr/share/logstash/config
$ sudo /usr/share/logstash/bin/logstash-keystore create
$ sudo /usr/share/logstash/bin/logstash-keystore add WS_KEY
$ cat /etc/logstash/conf.d/araali_sentinel.conf
input {
tcp {
port => 9099
codec => json
}
}
output {
microsoft-logstash-output-azure-loganalytics {
workspace_id => "<your_workspace_id>"
workspace_key => "${WS_KEY}"
custom_log_table_name => "araaliAlertsTable"
plugin_flush_interval => 5
}
}
$ sudo systemctl restart logstash.service
Now start araalictl stream to fetch alerts .:
./araalictl.linux-amd64 api -stream-start -stream-tcp=0.0.0.0:9099 -out=json -stream-cnt=100
Then we should be able to see the logs getting ingested under our workspace in azure sentinel > logs > tables tab
Useful links
https://www.elastic.co/guide/en/logstash/current/installing-logstash.html https://www.elastic.co/guide/en/logstash/7.14/running-logstash.html https://docs.microsoft.com/en-us/azure/sentinel/connect-logstash https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/microsoft-logstash-output-azure-loganalytics https://www.elastic.co/guide/en/logstash/current/working-with-plugins.html https://www.elastic.co/guide/en/logstash/current/keystore.html