Open chiraggl opened 4 years ago
Hi, by default we only support threat intel integration with Moloch WISE (https://github.com/aol/moloch/wiki/WISE). Moloch WISE is a threat intel aggregator supporting various sources (including AlienVault OTX) built for Moloch, but it can be used as a standalone system as well.
So you will need to install Moloch WISE first and configure it to use AlienVault OTX (supplying your OTX key in WISE's config file). I have a Docker version of WISE here: https://github.com/mmta/docker-wise.
Or alternatively, to see all the integration working right out of the box, you can try the Dsiem demo environment first here https://github.com/defenxor/dsiem/tree/master/demo.
@mmta Hi bro, can I use the demo directly in a real environment with a new source? If yes, what kind of configuration should I do?
You can use the demo to learn more about the architecture and perhaps copy some of its configuration, but I would advise against using it on a real environment.
Hi DSIEM Team,
While I was trying to test and implement your solution, I figured out that the index siem_alarms is created based on the triggered Suricata rules while carrying out a basic ICMP flood attack. But I am not able to trigger any of the Threat Intel sources such as AlienVault OTX, which should show up as a SIEM alarm along with the enriched data for the malicious public IP. I have followed the following guide for installation [https://github.com/defenxor/dsiem/blob/master/docs/installation.md] and am running your solution using Docker containers based on the provided guide. Do I need to make any extra configuration changes or enable any other settings to get the SIEM alarms along with enriched Threat Intel data from sources such as AlienVault OTX?