Summary:
Design and implement an integration between Symantec Endpoint Security's Event Streaming Service and Elastic Stack to allow real-time ingestion, normalization, and analysis of security event data using the Elastic Common Schema (ECS).
Business Context:
With the increasing number of cyber threats, organizations need to have an efficient way to monitor, analyze, and respond to security events occurring across their IT ecosystem. Symantec Endpoint Security, a leading cybersecurity platform, provides a stream of valuable security event data that can be leveraged for deeper analysis and threat hunting when integrated with Elastic's powerful search and analytics capabilities.
Goals:
Enable users to stream selected security event data from Symantec Endpoint Security directly into Elastic Stack via the Symantec Event Stream API or read events from a cloud storage bucket.
Map Symantec's Integrated Cyber Defense Schema to Elastic Common Schema to ensure compatibility and facilitate advanced data analysis.
Provide a seamless setup and configuration experience for administrators.
Epic Description:
This epic will produce an Elastic-certified integration that can consume events streamed from Symantec Endpoint Security. The integration will allow users to specify which events to send to Elastic Stack and support the mapping of these events to the Elastic Common Schema for effective data correlation, analysis, and visualization.
User Stories:
Event Stream Configuration
As an administrator, I want to select and configure the event types from Symantec Endpoint Security that I wish to stream to Elastic, so that I can control the volume and relevance of data for analysis.
Event Normalization
As a security analyst, I need the event data from Symantec to be normalized according to the Elastic Common Schema, so that I can perform correlated searches and analysis across different data sources.
Integration Setup Wizard
As an administrator, I want an easy-to-use setup wizard for mapping Symantec events to ECS, so that I can quickly integrate Symantec Event Streaming with Elastic without extensive manual configuration.
Real-Time Data Streaming
As a security analyst, I need real-time event data streaming from Symantec to Elastic, so I can react promptly to potential threats and reduce response times.
Documentation and Best Practices Guide
As a user, I need comprehensive documentation and a best practices guide for the integration setup, so I can ensure it is configured accurately and efficiently for my environment.
Support for Integrated Cyber Defense Schema
As a security analyst, I need the integration to support Symantec's Integrated Cyber Defense Schema, so the data can be effectively mapped and utilized in Elastic.
Error Handling and Monitoring
As an administrator, I need the integration to have robust error handling and monitoring capabilities, so I can troubleshoot and ensure the integrity of the event data stream.
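The Event Stream Configuration, Event Normalization and Error Handling stories above describe three steps an ingest path has to perform on every event: keep only the administrator-selected types, map the Symantec fields onto ECS, and route anything that cannot be mapped somewhere visible instead of dropping it. The Python below is an added illustration of those steps and is not code from the Elastic integration or from Symantec. The ICDS field names it reads (type_id, time, device_name, device_ip, user_name, severity_id, actor.pid, actor.cmd_line), the numeric type_id values, the severity mapping and the tag name are assumptions made for the example; the sample events are constructed.

```python
"""Added example: select, normalize (ICDS-style -> ECS) and error-route Symantec
events. Field names and numeric IDs are assumptions, not official ICDS values."""
import json
from datetime import datetime, timezone

# Administrator-selected event types to stream, each mapped to an ECS event.category.
# The type_id numbers are constructed placeholders (assumption).
SELECTED_TYPES = {8000: "session", 8001: "process", 8003: "file"}

# Assumed ICDS severity_id ordinal -> ECS event.severity (0 = unknown).
SEVERITY_MAP = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6}

# Constructed sample input: one good event, one unselected type, one malformed event.
SAMPLE_EVENTS = [
    {
        "uuid": "11111111-2222-3333-4444-555555555555",
        "type_id": 8001,
        "time": "2024-01-15T10:21:03.000Z",
        "device_name": "ws-0042",
        "device_ip": "10.1.2.3",
        "user_name": "jdoe",
        "severity_id": 3,
        "actor": {"pid": 4321, "cmd_line": "C:\\Windows\\System32\\notepad.exe readme.txt"},
    },
    # A type the administrator did not select: dropped, but counted.
    {"uuid": "22222222-2222-3333-4444-555555555555", "type_id": 9999,
     "time": "2024-01-15T10:22:00.000Z", "device_name": "ws-0043", "severity_id": 1},
    # Selected type but no timestamp: must surface as an error, not vanish.
    {"uuid": "33333333-2222-3333-4444-555555555555", "type_id": 8001,
     "device_name": "ws-0044", "severity_id": 2},
]


class NormalizationError(ValueError):
    """Raised when a raw event cannot be mapped to ECS."""


def parse_time(value):
    """Accept ISO-8601 'time' strings or epoch milliseconds (assumed formats)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if isinstance(value, str):
        try:
            return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        except ValueError as exc:
            raise NormalizationError(f"unparseable 'time' {value!r}: {exc}") from exc
    raise NormalizationError(f"unsupported 'time' type {type(value).__name__}")


def put(doc, dotted, value):
    """Set a nested ECS field only when the source value is present."""
    if value is None:
        return
    node = doc
    keys = dotted.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def to_ecs(raw, type_map):
    """Map one selected ICDS-style event to an ECS document."""
    if "time" not in raw:
        raise NormalizationError("missing required field 'time'")
    ts = parse_time(raw["time"])
    doc = {
        "@timestamp": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "event": {
            "kind": "event",
            "category": [type_map[raw["type_id"]]],
            "code": str(raw["type_id"]),
            "severity": SEVERITY_MAP.get(raw.get("severity_id"), 0),
            # Keep the raw event so analysts can verify the mapping later.
            "original": json.dumps(raw, sort_keys=True, separators=(",", ":")),
        },
        "observer": {"vendor": "Symantec", "product": "Endpoint Security"},
    }
    put(doc, "event.id", raw.get("uuid"))
    put(doc, "host.name", raw.get("device_name"))
    put(doc, "host.ip", [raw["device_ip"]] if raw.get("device_ip") else None)
    put(doc, "user.name", raw.get("user_name"))
    actor = raw.get("actor") or {}
    put(doc, "process.pid", actor.get("pid"))
    put(doc, "process.command_line", actor.get("cmd_line"))
    return doc


def process_batch(raw_events, type_map):
    """Select, normalize and error-route a batch. Returns (ecs_docs, error_docs, dropped).

    Failed events become event.kind=pipeline_error documents carrying the raw
    payload and the reason, so the stream's integrity can be monitored."""
    docs, errors, dropped = [], [], 0
    for raw in raw_events:
        if raw.get("type_id") not in type_map:
            dropped += 1
            continue
        try:
            docs.append(to_ecs(raw, type_map))
        except NormalizationError as exc:
            errors.append({
                "event": {"kind": "pipeline_error",
                          "original": json.dumps(raw, sort_keys=True, separators=(",", ":"))},
                "error": {"message": str(exc)},
                "tags": ["symantec_ses_normalization_failure"],  # constructed tag name
            })
    return docs, errors, dropped


if __name__ == "__main__":
    good, bad, skipped = process_batch(SAMPLE_EVENTS, SELECTED_TYPES)
    print(json.dumps(good, indent=2))
    print(json.dumps(bad, indent=2))
    print("dropped:", skipped)
```

In the shipped integration the same three steps would live in the package's ingest pipeline (rename, date and set processors with an on_failure handler) rather than in Python; the point of the sketch is the shape of the contract: every input event ends up as exactly one of a normalized ECS document, a counted drop, or a pipeline_error document that still carries event.original.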
Acceptance Criteria:
[ ] The integration is capable of connecting to the Symantec Event Streaming API or to cloud storage buckets where event data is stored.
[ ] The integration allows for the selection of event types to be streamed based on administrative preference.
[ ] A mapping between Integrated Cyber Defense Schema and ECS is established, allowing for the normalization of event data.
[ ] Real-time event streaming is supported, providing timely data for analysis and response.
[ ] Documentation, including a setup guide and best practices, is provided to assist in the implementation and maintenance of the integration.
[ ] Robust error handling and integration health monitoring are included.
Success Criteria:
Success will be evaluated based on the ability to successfully stream selected events from Symantec to Elastic in real-time, the accuracy of event mapping to ECS, ease of integration setup and administration, and positive feedback from beta testers and early adopters.
Additional Context:
The event types in the blue box are already covered by the Symantec EDR integration. The goal of this integration would be to map and consume the other event types available for streaming by the SES service.