🪵 Send logs to XSIAM SoC #4697

Closed
4 tasks
Tracked by #5086
bagg3rs opened this issue Jul 12, 2024 · 7 comments
bagg3rs (Contributor) commented Jul 12, 2024

User Story

As a SoC
I want security logs from all things
So that we have a central source of security logs in order to process for threat correlations

Value / Purpose

The Security Operations Center needs our logs and will process them with Palo Alto Cortex to check for bad things.

Useful Contacts

Rich, Julia

Proposal

Do what MP/CP did (see thread)

Additional Information

See thread here

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Network-Route-53-Logs-from-Amazon-S3

Definition of Done

  • Terraform deployed to enable logs (see thread above; MP and CP have done this)
  • Logs sent
  • Logs verified by SoC team
  • Add runbook
darren1988 commented Aug 19, 2024

To be refined and planned into next sprint

YvanMOJdigital commented

Waiting for team to send current error logs before planning this.

julialawrence (Contributor) commented

Spoke with MP. Their code, while getting the job done is not quite ready to be reused. They're continuing to work on it. Recommend we park until the issues are worked out. If we want to go our own way, we will need a spike first to settle on an approach.

julialawrence (Contributor) commented

Further, Cortex is currently struggling to ingest the logs from MP as the number of entries and the length of individual events aren't being properly tokenized. We might want to await developments on this too.

tjemideGH commented Sep 27, 2024

@darren1988
I have reviewed the incidents: 71 appear to be false positives, and 17 seem not to be false positives.

Please see the attached links to my review. I created a new column that explains my rationale for the review: "Reason for Potential False Positive" and "Reason for Medium Severity and Not False Positive".

darren1988 moved this from 👀 TODO to 🚀 In Progress in Analytical Platform Oct 2, 2024
darren1988 closed this as completed by moving to 🎉 Done in Analytical Platform Oct 2, 2024
tjemideGH commented

I have completed the review and sent it to the SOC for review. The SOC has sent the two sets (71 false positives, and 17 that seem not to be false positives) to MIP to come up with a plan of action. No further action is required from AP. The SOC confirmed that this ticket can be closed.
