Enterprise SIEM Platform Integration

Splunk Integration

Energylogserver SIEM provides bi-directional integration with Splunk Enterprise and Splunk Cloud platforms, enabling data sharing, alert forwarding, and centralized security operations.

Configuration Requirements

Prerequisites:

  • Splunk Enterprise 8.x or Splunk Cloud platform.

  • Splunk HTTP Event Collector (HEC) enabled and configured.

  • Network connectivity between Energylogserver and Splunk infrastructure.

  • Appropriate authentication credentials and API tokens.

ELS Network Node Configuration

Building on the Network Probe configuration, configure Splunk output:

# Splunk HEC Output Configuration
output {
  splunk_hec {
    url => "https://splunk.company.com:8088"
    token => "${SPLUNK_HEC_TOKEN}"
    index => "els_security_data"
    source => "energy_logserver"
    sourcetype => "els:json"
    
    # SSL Configuration
    cacert => "/opt/els/ssl/splunk-ca.crt"
    
    # Batch Configuration for performance
    batch_count => 1000
    idle_flush_time => 5
    
    # Event encoding (one JSON object per line, as expected by the els:json sourcetype)
    codec => json_lines
  }
}

Data Forwarding Setup

Step-by-Step Configuration:

  1. Enable Splunk HEC

    • Configure HTTP Event Collector in Splunk Web interface.

    • Generate authentication token for Energylogserver integration.

    • Configure appropriate index permissions.

  2. Configure ELS Output Pipeline

    • Create dedicated output pipeline for Splunk data forwarding.

    • Configure field mapping and data transformation rules.

    • Test connectivity and data flow.

  3. Set Up Index Mapping

    • Configure appropriate Splunk indexes for different data types.

    • Implement source type classification for optimal Splunk parsing.

    • Establish data retention policies aligned with both platforms.
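
The following is an added example, not Energylogserver's or Splunk's own code: it builds HEC requests the way the splunk_hec output above is configured (same index, source, sourcetype, CA file and batch size) so you can see what one batched POST actually carries. The HEC collector path, the `Authorization: Splunk <token>` header and the `{"text": "Success", "code": 0}` acknowledgement shape are standard HEC behaviour; the event field names (`timestamp`, `host`, `type`, `severity`) are assumptions about ELS output, and the sample events are constructed.

```python
# Added example (not Energylogserver's own code): batch ELS events into Splunk HEC
# requests matching the splunk_hec output configuration above. Field names of the
# sample events and the environment-variable names are assumptions.
import json
import os
from datetime import datetime, timezone

import requests

HEC_URL = os.environ.get("SPLUNK_HEC_URL", "https://splunk.company.com:8088")
HEC_TOKEN = os.environ.get("SPLUNK_HEC_TOKEN", "<hec-token>")
HEC_CACERT = os.environ.get("SPLUNK_HEC_CACERT", "/opt/els/ssl/splunk-ca.crt")
BATCH_COUNT = 1000   # same as batch_count in the output config


def to_epoch(ts: str) -> float:
    """Convert an ISO-8601 timestamp to HEC's epoch seconds; naive values are treated as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def hec_envelope(event: dict, index="els_security_data",
                 source="energy_logserver", sourcetype="els:json") -> dict:
    """Wrap one event in the HEC envelope: routing metadata sits beside the event, not inside it."""
    envelope = {"event": event, "index": index, "source": source, "sourcetype": sourcetype}
    if "timestamp" in event:
        envelope["time"] = to_epoch(event["timestamp"])   # HEC expects epoch seconds in "time"
    if "host" in event:
        envelope["host"] = event["host"]
    return envelope


def build_batches(events, batch_count=BATCH_COUNT):
    """Yield request bodies; HEC accepts several JSON objects concatenated in a single POST."""
    for i in range(0, len(events), batch_count):
        chunk = events[i:i + batch_count]
        yield "".join(json.dumps(hec_envelope(e), separators=(",", ":")) for e in chunk)


def send_batch(session: requests.Session, body: str) -> dict:
    """POST one batch; HEC answers {"text": "Success", "code": 0} when every event was accepted."""
    resp = session.post(
        f"{HEC_URL}/services/collector/event",
        headers={"Authorization": f"Splunk {HEC_TOKEN}"},
        data=body.encode("utf-8"),
        verify=HEC_CACERT,   # pin the CA from the output config rather than the system store
        timeout=30,
    )
    resp.raise_for_status()
    ack = resp.json()
    if ack.get("code") != 0:
        raise RuntimeError(f"HEC rejected batch: {ack}")
    return ack


if __name__ == "__main__":
    # Constructed sample events, not real ELS output.
    sample = [
        {"timestamp": "2024-05-01T12:00:00Z", "host": "els-node-1", "type": "auth_failure", "severity": "medium"},
        {"timestamp": "2024-05-01T12:00:05Z", "host": "els-node-1", "type": "port_scan", "severity": "high"},
    ]
    with requests.Session() as s:
        for batch in build_batches(sample):
            print(send_batch(s, batch))
```

Note that `verify` is given the CA bundle path rather than `True`: HEC typically runs on a certificate issued by an internal CA, and a `verify=False` workaround is the usual way forwarded security data ends up going to an unverified endpoint.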

Alert Synchronization

Splunk to ELS Alert Import:

# Splunk Search API Configuration
input {
  http_poller {
    urls => {
      splunk_alerts => {
        # search/jobs/export takes its search parameters as a form-encoded POST body
        method => post
        url => "https://splunk.company.com:8089/services/search/jobs/export"
        headers => {
          Authorization => "Bearer ${SPLUNK_API_TOKEN}"
        }
        # Form parameters, passed through to the HTTP client as the POST body
        params => {
          search => "search index=security_alerts | where _time > relative_time(now(), \"-1h\")"
          output_mode => "json"
        }
      }
    }
    request_timeout => 60
    interval => 300
    # The export endpoint streams one JSON object per line
    codec => "json_lines"
  }
}
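
As an added example (not part of the Energylogserver documentation), here is what consuming the export stream looks like once it reaches ELS: `search/jobs/export` with `output_mode=json` returns one JSON object per line, including `preview` rows while the search is still running, and the stream can be cut mid-line when the request times out. The code skips those, maps each finished row onto the `event_type` / `severity_level` shape used by the SOAR connector later on this page, and the sample response is constructed; the result field names (`signature`, `severity`, `src_ip`, `dest_ip`, `host`) are assumptions about what the alert search emits.

```python
# Added example (not Energylogserver's code): consume the JSON-lines stream that
# Splunk's search/jobs/export returns and turn finished rows into ELS-style alerts.
# Result field names are assumptions; the sample response below is constructed.
import json
from datetime import datetime, timezone


def iter_export_results(text: str):
    """Yield final result rows; skip preview rows, blank lines and malformed (truncated) lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            continue   # the last line is incomplete if the export was cut off by a timeout
        if row.get("preview") or "result" not in row:
            continue
        yield row["result"]


def splunk_time_to_iso(value: str) -> str:
    """Splunk's _time in JSON output is ISO-8601 with an offset; normalise it to UTC."""
    return datetime.fromisoformat(value).astimezone(timezone.utc).isoformat()


SEVERITY_MAP = {"critical": "critical", "high": "high", "medium": "medium",
                "low": "low", "informational": "info"}


def to_els_alert(result: dict) -> dict:
    """Map a Splunk alert row onto the event_type/severity_level shape used by the ELS connector."""
    return {
        "@timestamp": splunk_time_to_iso(result["_time"]),
        "event_type": result.get("signature", "splunk_alert"),
        "source_ip": result.get("src_ip"),
        "destination_ip": result.get("dest_ip"),
        "severity_level": SEVERITY_MAP.get(str(result.get("severity", "")).lower(), "unknown"),
        "event_description": result.get("_raw", ""),
        "origin_system": "splunk",
        "splunk_host": result.get("host"),
    }


def import_alerts(text: str):
    return [to_els_alert(r) for r in iter_export_results(text)]


# Constructed sample export response: one preview row, one final row, one truncated line.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"preview": True, "offset": 0,
                "result": {"_time": "2024-05-01T12:00:00.000+00:00", "_raw": "partial"}}),
    json.dumps({"preview": False, "offset": 0, "result": {
        "_time": "2024-05-01T12:00:00.000+02:00", "host": "fw1", "severity": "High",
        "signature": "Brute force login", "src_ip": "203.0.113.7", "dest_ip": "10.0.0.5",
        "_raw": "May  1 12:00:00 fw1 sshd: 50 failed logins from 203.0.113.7"}}),
    '{"preview": false, "offset": 1, "res',
])

if __name__ == "__main__":
    for alert in import_alerts(SAMPLE_EXPORT):
        print(json.dumps(alert))
```

Dropping preview rows matters for alert import: a preview row carries partial aggregates, so treating it as a final alert produces duplicate or wrong-count incidents in ELS.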

QRadar Integration

IBM QRadar integration enables bidirectional data exchange and unified security operations between QRadar SIEM and Energylogserver platforms.

QRadar API Configuration

Prerequisites:

  • IBM QRadar 7.4.x or higher.

  • QRadar API access with appropriate security tokens.

  • Network connectivity and firewall configuration.

  • API rate limiting considerations.

Authentication Setup:

# Create a dedicated QRadar user role for the integration (the SEC header carries the API token)
curl -X POST "https://qradar.company.com/api/auth/user_roles" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "SEC: ${QRADAR_SEC_TOKEN}" \
  -d '{
    "name": "ELS_Integration_Role",
    "capabilities": ["ADMIN", "SEM", "EVENTVIEWER"],
    "user_role_id": 1000
  }'

Event Forwarding Configuration

QRadar to ELS Event Import:

# QRadar Events Input Pipeline
input {
  http_poller {
    urls => {
      qradar_events => {
        method => get
        url => "https://qradar.company.com/api/siem/events"
        headers => {
          SEC => "${QRADAR_SEC_TOKEN}"
          Version => "14.0"
          # QRadar paginates through the Range request header, not a request body
          Range => "items=0-999"
        }
        # filter is a query-string parameter; starttime is epoch milliseconds.
        # LAST_SYNC_TIME is substituted from the environment once, when the pipeline loads.
        params => {
          filter => "starttime > ${LAST_SYNC_TIME}"
        }
      }
    }
    request_timeout => 120
    interval => 60
    codec => "json"
  }
}
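
Because `${LAST_SYNC_TIME}` in the pipeline above is resolved once at load time, a static poller either re-imports the same window on every interval or misses events. The following added example (not Energylogserver's or IBM's code) shows the incremental variant: a checkpoint that advances to the newest `starttime` seen, written atomically, and page walking with QRadar's `Range: items=a-b` header. It assumes the endpoint, `SEC` and `Version` headers shown above, that the endpoint answers with a JSON array of events carrying an epoch-millisecond `starttime`, and a checkpoint file path that is a placeholder.

```python
# Added example (not Energylogserver's or IBM's code): incremental QRadar pull with a
# persisted checkpoint and Range-header pagination. Endpoint, header names and the
# starttime field are taken from the pipeline above; the checkpoint path is a placeholder.
import json
import os

import requests

QRADAR_URL = os.environ.get("QRADAR_URL", "https://qradar.company.com")
QRADAR_SEC_TOKEN = os.environ.get("QRADAR_SEC_TOKEN", "<qradar-sec-token>")
PAGE_SIZE = 1000   # matches "items=0-999" in the pipeline configuration


def request_spec(last_sync_ms: int, page: int, page_size: int = PAGE_SIZE) -> dict:
    """Headers and query parameters for one page: Range is a header, filter a query parameter."""
    first = page * page_size
    return {
        "headers": {
            "SEC": QRADAR_SEC_TOKEN,
            "Version": "14.0",
            "Accept": "application/json",
            "Range": f"items={first}-{first + page_size - 1}",
        },
        "params": {"filter": f"starttime > {last_sync_ms}"},
    }


def advance_checkpoint(events, last_sync_ms: int) -> int:
    """New checkpoint is the newest starttime seen; an empty page never moves it backwards."""
    return max([last_sync_ms] + [int(e["starttime"]) for e in events if "starttime" in e])


def load_checkpoint(path: str) -> int:
    """Return the stored checkpoint, or 0 (import everything) if there is none yet."""
    try:
        with open(path) as f:
            return int(json.load(f)["last_sync_ms"])
    except (FileNotFoundError, ValueError, KeyError):
        return 0


def save_checkpoint(path: str, last_sync_ms: int) -> None:
    """Write to a temp file and rename so a crash cannot leave a half-written checkpoint."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"last_sync_ms": last_sync_ms}, f)
    os.replace(tmp, path)


def fetch_since(session: requests.Session, last_sync_ms: int):
    """Yield every event newer than the checkpoint, walking pages until a short page."""
    page = 0
    while True:
        spec = request_spec(last_sync_ms, page)
        resp = session.get(f"{QRADAR_URL}/api/siem/events", timeout=120, **spec)
        resp.raise_for_status()
        batch = resp.json()
        yield from batch
        if len(batch) < PAGE_SIZE:
            return
        page += 1


if __name__ == "__main__":
    checkpoint_file = "/var/lib/els/qradar_checkpoint.json"   # placeholder path
    last = load_checkpoint(checkpoint_file)
    with requests.Session() as s:
        events = list(fetch_since(s, last))
    # Persist the checkpoint only after the whole window has been fetched successfully.
    save_checkpoint(checkpoint_file, advance_checkpoint(events, last))
```

The checkpoint is saved only after the fetch completes, so a failed run is retried from the previous checkpoint rather than silently skipping the window; the `>` comparison in the filter means events sharing the checkpoint millisecond are the one edge case a consumer still has to de-duplicate by event id.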

SOAR Platform Integration

Energylogserver SIEM supports integration with Security Orchestration, Automation, and Response (SOAR) platforms for automated incident response.

Custom SOAR Connector Example (Python)

import json
import os
from datetime import datetime, timezone

import requests


class ELSAPIConnector:
    def __init__(self, els_host, api_key, ca_cert=True, timeout=30):
        self.els_host = els_host
        self.api_key = api_key
        self.verify = ca_cert      # True = system CA store, or the path to the ELS CA bundle
        self.timeout = timeout     # never block the SOAR playbook indefinitely
        self.headers = {
            'Content-Type': 'application/json',
            'Authorization': f'ApiKey {api_key}'
        }

    def standardize_event(self, event):
        # Standardize event format for SOAR; a missing timestamp defaults to the current UTC time
        standardized = {
            '@timestamp': event.get('timestamp', datetime.now(timezone.utc).isoformat()),
            'event_type': event['type'],
            'source_ip': event.get('src_ip'),
            'destination_ip': event.get('dst_ip'),
            'severity_level': event['severity'],
            'event_description': event['description'],
            'origin_system': event.get('source_system', 'unknown')
        }
        return standardized

    def send_security_event(self, event, index_name='security-events'):
        standardized_event = self.standardize_event(event)

        url = f"https://{self.els_host}:9200/{index_name}/_doc"

        response = requests.post(
            url,
            headers=self.headers,
            data=json.dumps(standardized_event),
            verify=self.verify,
            timeout=self.timeout
        )
        # Fail loudly on 4xx/5xx instead of handing an error body back as if it were a document
        response.raise_for_status()

        return response.json()


# Usage Example: the API key comes from the environment rather than being hard-coded
if __name__ == '__main__':
    connector = ELSAPIConnector('els.company.com', os.environ['ELS_API_KEY'])

    # Send security event
    event = {
        'type': 'network_intrusion',
        'src_ip': '192.168.1.100',
        'dst_ip': '10.0.0.50',
        'severity': 'high',
        'description': 'Suspicious network activity detected',
        'source_system': 'custom_ids'
    }

    result = connector.send_security_event(event)
    print(f"Event indexed: {result['_id']}")

Threat Intelligence Integration

Integrate with threat intelligence providers to enhance AI capabilities and enrich security data.

Cloud Security Platform Integration

Native integration with AWS Security Hub, Azure Sentinel, and Google Chronicle for cloud-based security operations.

Enterprise Directory Integration

LDAP and Active Directory integration for extended user management.