Energy Logserver SIEM

This integration sends alerts from Energy Logserver SIEM to Energy SOAR.

Create API key

Create a new (non-admin) user and generate an API key for it.

Click Reveal

Copy the API key

Edit Alert

Add the Energy SOAR connection settings to the Alert service configuration file.

# vi /opt/alert/config.yaml
# Energy SOAR endpoint and the API key of the non-admin user created above (top-level keys)
hive_host: https://<Energy_SOAR_IP>/base
hive_apikey: <api_key>

Restart the Alert service

# systemctl restart alert

Alert rule configuration

Configure the alert details in the alert rule configuration:

alert: hivealerter
hive_alert_config_type: classic
# Fields of the alert created in Energy SOAR (parent key of the ElastAlert hivealerter)
hive_alert_config:
  type: "AUDIT"
  source: "SIEM"
  severity: 2
  tags: ["ELS","audit"]
  tlp: 3
  status: "New"
  follow: True
# Observables attached to the alert; {match[<field>]} is filled from the matched event
hive_observable_data_mapping:
  - ip: "{match[src_ip]}"
    message: "Source IP address"
    tags: ["src: SIEM"]
  - domain: "{match[username]}"
    message: "Audit username"
    tags: ["src: SIEM"]

Custom message

By default Energy Logserver SIEM sends a JSON document containing all alert fields. You can customize the message using Markdown.

For example:

# Each {} placeholder is filled, in order, from the fields listed in alert_text_args
alert_text: "## Summary\r\n
|  |  |\r\n
| IP | {} |\r\n
| Rule | {} |\r\n
Log: `{}`\r\n
Full log: \r\n
{}"
# Event fields (dotted paths are allowed) substituted into the placeholders above
alert_text_args:
  - data.srcip
  - rule.description
  - full_log
  - previous_output
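The rendering step described above, as an added example that is not Energy Logserver or Energy SOAR code: it resolves the dotted alert_text_args fields against a constructed sample event, fills the {} placeholders, and expands the observable mapping entries with the same str.format() semantics. The sample event, the MISSING placeholder text and the skip-on-missing-field behaviour for observables are assumptions of the example.

```python
# Added example (not from the Energy Logserver or Energy SOAR docs): renders the alert_text
# template and observable mapping above from a matched event via str.format() semantics.
SAMPLE_MATCH = {                       # constructed sample event, not real data
    "src_ip": "203.0.113.10",          # RFC 5737 documentation address
    "username": "jdoe",
    "data": {"srcip": "203.0.113.10"},
    "rule": {"description": "Multiple failed logins"},
    "full_log": "Failed password for jdoe from 203.0.113.10",
}
# The template and field list from the rule above, as Python literals.
ALERT_TEXT = ("## Summary\r\n|  |  |\r\n| IP | {} |\r\n| Rule | {} |\r\n"
              "Log: `{}`\r\nFull log: \r\n{}")
ALERT_TEXT_ARGS = ["data.srcip", "rule.description", "full_log", "previous_output"]
OBSERVABLE_MAPPING = [
    {"ip": "{match[src_ip]}", "message": "Source IP address", "tags": ["src: SIEM"]},
    {"domain": "{match[username]}", "message": "Audit username", "tags": ["src: SIEM"]},
]
MISSING = "<MISSING VALUE>"            # assumed stand-in for a field the event lacks


def lookup_field(match, dotted_key):
    """Resolve a flat or dotted key ('data.srcip') against the event; MISSING if absent."""
    if dotted_key in match:            # a literal flat key takes precedence
        return match[dotted_key]
    node = match
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def render_alert_text(alert_text, alert_text_args, match):
    """Fill the {} placeholders in alert_text, in order, from alert_text_args."""
    return alert_text.format(*[lookup_field(match, k) for k in alert_text_args])


def render_observables(mapping, match):
    """Expand each mapping entry into a SOAR observable; skip ones whose field is missing."""
    observables = []
    for entry in mapping:
        # The one key that is not message/tags names the observable type (ip, domain, ...).
        data_type = next(k for k in entry if k not in ("message", "tags"))
        try:
            value = entry[data_type].format(match=match)   # "{match[src_ip]}" -> match["src_ip"]
        except KeyError:
            continue   # field absent in this event: do not emit a bogus observable
        observables.append({"dataType": data_type, "data": value,
                            "message": entry.get("message", ""), "tags": list(entry.get("tags", []))})
    return observables
```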