The SIEMonster Community Edition is a single appliance or virtual machine for organizations with 1-100 endpoints. It is completely free to use.
SIEMonster is a collection of the best open source security tools, combined with our own development as professional hackers, to provide a SIEM for everyone. We showcase the latest and greatest tools for security professionals, and our Community Edition v.4 Fully Loaded has it all. It is designed for smaller organizations, charities, classrooms, or anyone who just wants to check out our Fully Loaded SIEM. This edition is completely free, for the community and supported by the community.
Community Edition gives you the ability to monitor all network assets in an affordable, scalable solution. This single-server solution makes things easier for organizations with only 1-100 endpoints. To access the Community Edition you will need to sign up to the Community Portal, which is available via the download button on our website. There you will also find all the resources you need to install and learn about SIEMonster; we have created an admin guide and videos for you. You are also encouraged to interact with other Community Edition users for support, to share how you are using the SIEM, or to help out another user; after all, that’s what community is all about.
SIEMonster Community Features
Open Distro Elasticsearch
Cortex Threat Analysis
Open CTI Threat Modelling
Open Distro for Elasticsearch provides a powerful, easy-to-use event monitoring and alerting system, enabling you to monitor your data and send notifications automatically to your stakeholders. With an intuitive Kibana interface and powerful API, it is easy to set up and manage alerts. Build specific alert conditions using Elasticsearch’s query and scripting capabilities. Alerts help teams reduce response times for operational and security events.
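The paragraph above describes alert conditions built from Elasticsearch queries and scripting. The following added example (not SIEMonster's or Open Distro's own code) builds a monitor definition in the shape accepted by the Open Distro Alerting REST API (`POST _opendistro/_alerting/monitors`): a scheduled search over a time window, a Painless trigger condition on the hit count, and a throttled notification action. The index pattern `winlogbeat-*`, the field name `winlog.event_id`, the thresholds and the destination id are assumptions for illustration.

```python
"""Build an Open Distro for Elasticsearch alerting monitor definition.

Added example; not SIEMonster's or Open Distro's own code. The monitor body
shape follows the Open Distro Alerting API; index pattern, field names,
thresholds and the destination id are constructed placeholders.
"""
import base64
import json
import urllib.request


def build_monitor(name, indices, query, threshold, interval_minutes, destination_id, severity="2"):
    """Return a monitor body: a search run every `interval_minutes` whose trigger
    fires when more than `threshold` documents matched in the last period."""
    search = {
        "size": 0,  # the trigger only needs hits.total, not the documents
        "query": {
            "bool": {
                "filter": [
                    query,
                    {
                        "range": {
                            "@timestamp": {
                                # mustache variables resolved by the alerting plugin at run time
                                "gte": "{{period_end}}||-%dm" % interval_minutes,
                                "lte": "{{period_end}}",
                                "format": "epoch_millis",
                            }
                        }
                    },
                ]
            }
        },
    }
    return {
        "type": "monitor",
        "name": name,
        "enabled": True,
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": indices, "query": search}}],
        "triggers": [
            {
                "name": "%s-trigger" % name,
                "severity": severity,
                "condition": {
                    "script": {
                        # ctx.results[0] is the response of the first (only) input search
                        "source": "ctx.results[0].hits.total.value > %d" % threshold,
                        "lang": "painless",
                    }
                },
                "actions": [
                    {
                        "name": "%s-notify" % name,
                        "destination_id": destination_id,
                        "subject_template": {"source": "[SIEM] {{ctx.monitor.name}} fired"},
                        "message_template": {
                            "source": "Monitor {{ctx.monitor.name}} matched more than %d events "
                                      "between {{ctx.periodStart}} and {{ctx.periodEnd}}." % threshold
                        },
                        # throttle so a sustained burst does not flood the destination
                        "throttle_enabled": True,
                        "throttle": {"value": 10, "unit": "MINUTES"},
                    }
                ],
            }
        ],
    }


def failed_logon_monitor(destination_id):
    """Assumed use case: more than 20 Windows failed logons (event id 4625) in 5 minutes."""
    query = {"term": {"winlog.event_id": 4625}}  # assumed ECS-style field name
    return build_monitor("failed-logons", ["winlogbeat-*"], query, 20, 5, destination_id)


def submit(monitor, base_url, auth=None):
    """POST the monitor to the alerting API and return the parsed response (needs a live cluster)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/_opendistro/_alerting/monitors",
        data=json.dumps(monitor).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if auth:  # (user, password) tuple for the Open Distro security plugin
        token = base64.b64encode(("%s:%s" % auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(failed_logon_monitor("DESTINATION_ID_PLACEHOLDER"), indent=2))
```

Running the script prints the JSON body; `submit()` is the only part that needs a running cluster. The `{{period_end}}` window in the query is what keeps the monitor from re-counting the same events on every run.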
TheHive is utilized within the SIEMonster platform as an incident response/case management system. It is meshed with Alerting, MISP, OpenCTI, Patrowl and Cortex to automate the process of incident creation. To make life simpler for SOCs, CSIRTs and CERTs, all information pertaining to a security incident is presented for review. Whilst weighing up and excluding false positives, the SOC team are given an indication of next steps to take.
Cortex solves two common problems frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response:
- How to analyze observables they have collected, at scale, by querying a single tool instead of several?
- How to actively respond to threats and interact with the constituency and other teams?
Cortex can analyze (and triage) observables at scale using more than 100 analyzers, and you can actively respond to threats and interact with your constituency and other parties thanks to Cortex responders. Within the SIEMonster platform Cortex is pre-integrated with TheHive and MISP to get you up and running.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Integration within the SIEMonster platform provides detailed information about attacks.
The Malware Information and Sharing Platform (MISP) is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. MISP is used today in many organizations not only to store, share and collaborate on cyber security indicators and malware analysis, but also to use the IoCs and information to detect and prevent attacks, fraud or threats against ICT infrastructures, organizations or people.
Integration within the SIEMonster platform is preconfigured for Cortex, OpenCTI and MISP. Feeds for threat intel can be configured from many of the available free sources, as well as from subscription sources if required.
Within the SIEMonster platform NiFi is used to ingest incoming event log data from the Kafka message queue. Various templates have been provided for different endpoint types including but not limited to Active Directory, common firewall and VPN devices, HIDS agents and IDS feeds.
All data flow is visualized allowing the analyst to view in real time the log flows and metrics. Templates are also provided to assist in adding new sources with debug options and data sinks before going into production.
PatrOwl is an advanced platform for orchestrating Security Operations like Penetration testing, Vulnerability Assessment, Code review, Compliance checks, Cyber-Threat Intelligence / Hunting and SOC & DFIR Operations, including:
- Full-stack security overview (IP to Data)
- Define threat intelligence & vulnerability assessment scans policies
- Orchestrate scans using tailor-made engines
- Collect & aggregate findings
- Contextualize, track and prioritize findings
- Check remediation effectiveness
Correlate asset risk value against vulnerabilities, bringing business intelligence and SIEM into closer alignment. Within the SIEMonster platform Patrowl is integrated with Cortex and TheHive. Assets for assessment can be added singly or in bulk using the asset import feature.
OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.
The data is structured using a knowledge schema based on the STIX2 standards. It has been designed as a modern web application including a GraphQL API and a UX-oriented frontend. OpenCTI is integrated with MISP, TheHive and MITRE ATT&CK within the SIEMonster platform, and also has a connector for CVE information.
The initial dashboard will begin immediate import of MISP observables for analysis.
Alerting is provided by the OpenDistro Kibana interface, Elastalert with a GUI front-end, or via Apache NiFi, depending on the use case. 30+ pre-canned alert types are provided to get you up and running. Typical queries include those for anomalies, aggregations and pattern matching, along with threat intel/MITRE correlation, Indicators of Compromise (IOCs), NIDS signature matching and asset vulnerabilities. Alerts can be configured to automatically create tickets in the TheHive Incident Response module and to notify stakeholders via most common webhooks or direct email.
Many pre-canned alerts are available in a disabled state to allow you to quickly get up and running. We also provide a webhook-to-SMTP connector for Kibana alerts, which is not available as standard and permits alerts to be emailed.
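The alerting section above lists threat intel/MITRE correlation and IOC matching among the typical alert types. The following added example (not SIEMonster's own code) shows the core of such a correlation: indicators in the shape of MISP attributes (type, value and galaxy tags) are indexed and matched against parsed events, and each hit becomes an alert record of the kind that could be turned into a TheHive ticket. The indicator values, the events, the ECS-style field names and the ATT&CK technique assignments are all constructed for the example; only the `misp-galaxy:mitre-attack-pattern=` tag prefix is the real MISP convention. It also goes slightly beyond a single IOC type by handling CIDR-scoped IP indicators and case or trailing-dot differences in domains and hashes.

```python
"""Correlate SIEM events against threat-intel indicators and emit alerts.

Added example; not SIEMonster's own code. Indicators mimic a MISP attribute
export (type/value/tags) and events are constructed records with ECS-like
field names; all values below are invented for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed indicators. The galaxy tag prefix is MISP's real convention;
# the technique assignments are illustrative only.
INDICATORS = [
    {"type": "ip-dst", "value": "203.0.113.45",
     "tags": ['misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071"']},
    {"type": "ip-dst", "value": "198.51.100.0/24", "tags": []},  # CIDR-scoped indicator
    {"type": "domain", "value": "update-check.example",
     "tags": ['misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105"']},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "tags": []},
]

# Event fields each indicator type is compared against (assumed ECS-style names).
FIELDS_BY_TYPE = {
    "ip-dst": ["destination.ip"],
    "ip-src": ["source.ip"],
    "domain": ["dns.question.name", "url.domain"],
    "sha256": ["file.hash.sha256", "process.hash.sha256"],
}

# Constructed events, as NiFi might deliver them to Elasticsearch after parsing.
EVENTS = [
    {"@timestamp": "2024-03-01T10:00:01Z", "host.name": "ws-17", "destination.ip": "203.0.113.45", "destination.port": 443},
    {"@timestamp": "2024-03-01T10:00:05Z", "host.name": "ws-17", "dns.question.name": "UPDATE-CHECK.example."},
    {"@timestamp": "2024-03-01T10:00:09Z", "host.name": "srv-db1", "destination.ip": "198.51.100.77", "destination.port": 22},
    {"@timestamp": "2024-03-01T10:01:00Z", "host.name": "ws-03", "destination.ip": "10.0.0.5", "destination.port": 445},
    {"@timestamp": "2024-03-01T10:02:00Z", "host.name": "ws-03",
     "file.hash.sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]


def compile_indicators(indicators):
    """Index indicators by type. IP indicators become networks so CIDRs work;
    domains and hashes are lower-cased and stripped of trailing dots."""
    index = defaultdict(list)
    for ind in indicators:
        if ind["type"] in ("ip-dst", "ip-src"):
            key = ipaddress.ip_network(ind["value"], strict=False)
        else:
            key = ind["value"].lower().rstrip(".")
        index[ind["type"]].append((key, ind))
    return index


def _normalise(ioc_type, raw):
    """Normalise an observed event value the same way the indicators were."""
    if ioc_type in ("ip-dst", "ip-src"):
        return ipaddress.ip_address(raw)
    return str(raw).lower().rstrip(".")


def attack_techniques(indicator):
    """Extract ATT&CK technique ids (e.g. T1071) from MISP galaxy tags."""
    techs = []
    for tag in indicator.get("tags", []):
        if tag.startswith("misp-galaxy:mitre-attack-pattern="):
            techs.append(tag.rstrip('"').rsplit(" - ", 1)[-1])
    return techs


def correlate(events, indicators):
    """Return one alert per (event, indicator) match, in event order."""
    index = compile_indicators(indicators)
    alerts = []
    for event in events:
        for ioc_type, fields in FIELDS_BY_TYPE.items():
            for field in fields:
                if field not in event:
                    continue
                try:
                    observed = _normalise(ioc_type, event[field])
                except ValueError:
                    continue  # malformed value: skip the field, never crash the pipeline
                for key, ind in index.get(ioc_type, []):
                    if isinstance(key, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
                        hit = observed in key  # False for a version mismatch, no exception
                    else:
                        hit = observed == key
                    if hit:
                        techs = attack_techniques(ind)
                        alerts.append({
                            "host": event["host.name"],
                            "timestamp": event["@timestamp"],
                            "field": field,
                            "observed": str(event[field]),
                            "indicator": ind["value"],
                            "attack_techniques": techs,
                            # assumed scoring: a mapped technique raises the severity
                            "severity": 3 if techs else 2,
                        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, INDICATORS):
        print(alert)
```

Four of the five constructed events match: the two tagged indicators produce severity-3 alerts carrying their technique ids, the CIDR and hash indicators produce severity-2 alerts, and the internal 10.0.0.5 connection produces nothing.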
Message Queuing – Kafka
Apache Kafka is a publish/subscribe message queuing system that is utilized within SIEMonster not only for its scalability but also for the following:
- Provides durable, fast and fault tolerant message streaming for handling real time data feeds.
- Compatible with Apache Nifi and the Elastic Beats family agents.
- Enables custom configuration per endpoint group by using topic declarations.
- Improved data governance and guaranteed delivery.
- Options for in flight stream data extraction and new stream creation dependent on specific triggers.
- Ability to set data retention periods per use case in case of upstream processing back pressure.
Incoming events are stored initially in Apache Kafka before being processed in NiFi and then sent to Elasticsearch. This provides a buffer in case of bursts in activity, while also providing an endpoint-by-topic management system with options for real-time alert stream creation.
SIEMonster's internal reporting tool provides comprehensive, automated reporting straight to your inbox. Reports can be generated and sent to the appropriate person on any event, for example when McAfee Anti-Virus detected a virus but did not clean it, with these follow-up items collected in a report. Reports are available in PDF or XLS format, including dashboard snapshots for visualization.
Wazuh is a free and open source platform for threat detection, security monitoring, incident response and regulatory compliance. It can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources. Wazuh is used to collect, aggregate, index and analyze security data, helping organizations detect intrusions, threats and behavioral anomalies.
Wazuh is integrated into the Dashboards module of SIEMonster and there are also pre-canned alerts configured.
Suricata is an open source threat detection engine that was developed by the Open Information Security Foundation (OISF). Suricata can act as an intrusion detection system (IDS) or an intrusion prevention system (IPS), or be used for network security monitoring. It was developed alongside the community to help simplify security processes. As a free and robust tool, Suricata monitors network traffic using an extensive rule set and signature language. Suricata also features Lua scripting support to monitor more complex threats.
SIEMonster provides a Suricata pipeline that performs packet capture and analysis on the local network interface, acting as a host-based IDS. The resultant data is then sent to Kafka before being ingested by Elasticsearch. The commercial SIEMonster releases extend these capabilities in the form of network and cloud tabs and multi-network interface monitoring.
Alerts can be easily configured for signature matches and there is also a dashboard provided for further IDS analysis.
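The Suricata pipeline above forwards IDS output to Kafka and then Elasticsearch, and alerts are configured on signature matches. The following added example (not SIEMonster's or Suricata's code) parses Suricata EVE JSON records of the kind that pipeline carries, keeps only `event_type: alert` records flattened to the fields a dashboard or alert rule needs, and then applies a simple signature-match rule: a high-severity signature repeating from one source. The EVE lines are constructed (the field layout follows Suricata's eve.json alert schema; the signature names and sids are invented), and the threshold values are assumptions.

```python
"""Parse Suricata EVE JSON alert records and apply a signature-match rule.

Added example; not SIEMonster's or Suricata's code. The EVE lines are
constructed: the layout follows Suricata's eve.json alert schema, but the
signatures, sids and addresses are invented for this example.
"""
import json
from collections import Counter

# Constructed eve.json lines as they would arrive via Kafka (one record per line).
EVE_LINES = """
{"timestamp":"2024-03-01T10:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":51234,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":51235,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-03-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2024-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":2,"signature":"EXAMPLE suspicious user-agent","category":"Potentially Bad Traffic","severity":2}}
not json at all
""".strip().splitlines()


def parse_alerts(lines):
    """Keep only event_type=alert records, flattened to the fields a dashboard
    or alert rule needs. Malformed lines and non-alert event types are skipped."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line must not stop ingestion of the rest
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        alerts.append({
            "timestamp": rec["timestamp"],
            "src": "%s:%s" % (rec.get("src_ip"), rec.get("src_port")),
            "dst": "%s:%s" % (rec.get("dest_ip"), rec.get("dest_port")),
            "proto": rec.get("proto"),
            "sid": a["signature_id"],
            "rev": a["rev"],
            "signature": a["signature"],
            "category": a["category"],
            "severity": a["severity"],
            "action": a.get("action"),
        })
    return alerts


def signature_threshold_alerts(alerts, min_count=2, max_severity=1):
    """Aggregate by (sid, source ip) and fire when a signature at or above the
    chosen severity (Suricata severity 1 is the highest) repeats from one source
    at least min_count times. Thresholds are assumed values for the example."""
    counts = Counter(
        (a["sid"], a["src"].split(":")[0])
        for a in alerts if a["severity"] <= max_severity
    )
    return [
        {"sid": sid, "src_ip": src, "count": n}
        for (sid, src), n in counts.items() if n >= min_count
    ]


if __name__ == "__main__":
    parsed = parse_alerts(EVE_LINES)
    for p in parsed:
        print(p["timestamp"], p["severity"], p["signature"], p["src"], "->", p["dst"])
    print(signature_threshold_alerts(parsed))
```

On the constructed input the parser yields three alert records (the DNS event and the corrupt line are dropped), and the rule fires once, for sid 9000001 repeating twice from 192.0.2.10; the severity-2 signature is below the threshold.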