Energy Logserver SIEM

This integration send alerts from Energy Logserver SIEM to Energy SOAR.

Create API key

Create new (non-admin) user and generate API key.


Click Reveal


Copy the API key


Edit Alert

Add configuration in the Alert service config.

# vi /opt/alert/config.yaml
  hive_host: https://<Energy_SOAR_IP>/base
  hive_apikey: <api_key>

Restart the Alert service

# systemctl restart alert

Alert rule configuration

Configure details in the alert rule configuration

alert: hivealerter
hive_alert_config_type: classic
  type: "AUDIT"
  source: "SIEM"
  severity: 2
  tags: ["ELS","audit"]
  tlp: 3
  status: "New"
  follow: True
 - ip: "{match[src_ip]}"
   message: "Source IP address"
   tags: ["src: SIEM"]
 - domain: "{match[username]}"
   message: "Audit username"
   tags: ["src: SIEM"]

Custom message

By default Energy Logserver SIEM send a json with all alert fields. You can customize your message using markdown.

For example:

alert_text: "## Summary\r\n
|  |  |\r\n
| IP | {} |\r\n
| Rule | {} |\r\n
Log: `{}`\r\n
Full log: \r\n
  - data.srcip
  - rule.description
  - full_log
  - previous_output



Microsoft Exchange


Download the Exchange integration.

# curl -u'license user:license pwd' \

Unpack and install the dependencies.

# tar -zxvf synapse.tar.gz -C /opt
# dnf install -y python3-devel gcc
# /usr/bin/python3 -m pip install -r /opt/synapse/requirements.txt

Install the system service.

# cp "/opt/synapse/synapse@.service" /usr/lib/systemd/system/

Info: The service allows you to run multiple instances. Create a synapse user.

# adduser -r -s /bin/nologin -d /opt/synapse --system synapse

Change permissions.

# chown -R synapse: /opt/synapse

Instance configuration

# mv /opt/synapse/conf/synapse.conf \

# cp /opt/synapse/conf/synapse.conf.example \

Enter the file /opt/synapse/conf/exchange.conf and make the following changes.

Set the API key and user in TheHive section.


To do this, create a new technical account. Log in as an admin or soc-admin to the Energy SOAR system. In the case of an admin, click on the organization in which you want to create the user. Then create a new local user.

Login: synapse@energysoar.local
Full name: Synapse
Profile: analyst

If the user already exists, you can create an API key by clicking on the following button.


Then to copy the key, you need to open it by clicking the Reveal button.


In the EWS section, provide data for the technical account from which we will read emails.


Inbox is the main folder to which all emails are usually sent. If the integration is to read emails from another catalog, you should specify it here. In the [Instance] section, change the name from synapse to exchange.

Start the instance

# systemctl enable --now synapse@exchange