The Monster Bunch V2
The SIEMonster software is based off a single image. When you download and run the scripts the server then will become that monster. There are currently six monsters in the design that have varying roles:
- Proteus: Log ingestion engine
- Capricorn: Viewer and correlation
- Kraken: Database Cluster Node 1
- Tiamat: Database Cluster Node 2
- Ikuturso: Bro/Tardis Network events
- Hydra: Remote Datacentre/Retail/factory event collector
SIEMonster company’s mascots.
Proteus function in SIEMonster is to queue, filter and process incoming endpoint data, apply rulesets and send the data to both Capricorn for instant alerting and Kraken/Tiamat for long term database storage. Proteus providers cluster health monitoring for Kraken/Tiamat. Proteus has Open Source threat intelligence OSINT installed using MimeMeld by Palo Alto Networks. Proteus also provides OSSEC Wazuh fork Host Intrusion Detection (HIDS)
- In the 4 node instance Proteus is the master node running Elastic Search non data.
- In the 2 node instance Proteus is the master node running Elastic Search with data
In Greek mythology, Proteus is an early sea-god or god of rivers and oceanic bodies of water. Some describe him a specific domain call him the god of “elusive sea change”, which suggests the constantly changing nature of the sea or the liquid quality of water in general. He can foretell the future, but, in a mytheme familiar to several cultures, will change his shape to avoid having to; he will answer only to someone who is capable of capturing the beast. From this feature of Proteus comes the adjective protean, with the general meaning of “versatile”, “mutable”, “capable of assuming many forms”. “Protean” has positive connotations of flexibility, versatility and adaptability.
Capricorn’s primary function is to provide security professionals with real time views of alert, analysis, triage of events as they come into the organization. Capricorn provides a single instance for alerting via email, SNS, Slack etc. Capricorn provides the visual interface of all alerts, dashboards and real time events. Kibana provides the dashboard view for the events captured in the database on the cluster and runs Siren, 411 and FIR for Incident ticketing.
Capricorn retains a volatile (short life) stream of data 12/24hrs (configurable up or down) queried from Proteus for instant alerting on rules within your organisation. The security operations staff will respond to these alerts. Alert data is also fed back into the SIEM for long term storage to Kraken and Tiamat. In this way traditional SIEM correlation searches and analysis can be performed over long periods of time.
The Babylonians connected the Zodiac sign and the constellation with the mythological animal, sort of a mermaid goat. They called it the Goat-Fish. The name ‘Capricorn’ draws our attention to it and comes from the Latin caper (‘goat’) and cornu (‘horn’) – literally ‘the Goat’s horn’. In the ancient world horns were symbols of royalty, strength and power, as well as fertility and abundance. Cornucopia in mythology was the goat Amalthea who nourished the infant Jupiter with her milk, though the term remains in use today as the ‘copious horn’ or ‘horn of plenty’ which symbolizes prosperity and growth. The goat is one of the three horned creatures in the zodiac; these were also the creatures celebrated in ancient religious festivals and used in sacrifice to draw power from the gods. The use of the goat as a ‘scapegoat’ in the biblical ritual of Atonement has led to goat deities accumulating a reputation as icons of evil and occult powers.
Kraken’s primary function is Cluster Node 1 Elastic storing all your long term SIEM data in the database. When a user performs a Kibana search on. “All users who used the word confidential in an email sending to an external email domain” Elastic Search database will locate the entries and present the lookup to the user in Kibana. Cluster Node 2 called Tiamat is identical and provides redundancy for Kraken. The health and controlling of the cluster is done by Proteus. In the event of hardware failure, a cluster node can be bought offline and another replaced.
The Kraken is a legendary sea monster of giant size that is said to dwell off the coasts of Norway and Greenland. A number of authors over the years have postulated that the legend originated from sightings of giant squids that may grow to 12–15 meters (40–50 feet) in length, despite the fact that the creature in the original tales was not described as having tentacles and more closely resembled a whale or crab. The sheer size and fearsome appearance attributed to the kraken have made it a common ocean-dwelling monster in various fictional works.
Tiamat’s primary function is Cluster Node 2 Elastic storing all your long term SIEM data in the database. When a user performs a Kibana search on. “All users who used the word confidential in an email sending to an external email domain” Elastic Search database will locate the entries and present the lookup to the user in Kibana. Cluster Node 1 called Kraken is identical and provides redundancy for Tiamat. The health and controlling of the cluster is done by Proteus. In the event of hardware failure, a cluster node can be bought offline and another replaced.
Tiamat is a primordial goddess of the ocean, mating with Abzû (the god of fresh water) to produce younger gods. She is the symbol of the chaos of primordial creation, depicted as a woman, she represents the beauty of the feminine, depicted as the glistening one It is suggested that there are two parts to the Tiamat mythos, the first in which Tiamat is a creator goddess, through a “Sacred marriage” between salt and fresh water, peacefully creating the cosmos through successive generations. In the second “Chaoskampf” Tiamat is considered the monstrous embodiment of primordial chaos. Some sources identify her with images of a sea serpent or dragon.
Ikuturso role is a network sensor placed away from SIEM sitting in a DMZ or network edge, running BRO and TARDIS, with the ability to block known traffic from OSINT. It also provides Forensic capabilities of known attacks with deep application and network packet inspection.
Iku Turso is a famous monster in Finnish mythology. Iku turso was described as an evil seamonster and is dated back to the 16th century. Iku Turso was described as many different things but mainly symbolizes death and evil. In Finnish the word for octopus, (merituras) is named after Iku Turso and in WW2 the Finns named one of their submarines Iku Turso.
Iku Turso’s appearance is described in many different ways. Some say he is a thousand headed, or a thousand horned, or the one that lives on the edge. In Finnish mythology he is known as the ox of death, the god of war, and the demon of diseases. So he is respected in some ways for being a warrior but overall he symbolizes evil. He is said to be from the far north land of Pohjola, which (according to Finnish mythology) is forever cold and the heart of all evil.
Hydra is used by SIEMonster as a server that collects logs at a customer’s site who requires SIEM as a Service or remote Data centres. Instead of all of the customer’s endpoints sending logs directly into the Azure or AMAZON VPC tunnel, Hydra collects all the logs ensures correct queuing and in the event of a Cloud outage stores the SIEM logs until it comes back online. Hydra then passes the Security events into to Proteus/Capricorn and Kraken/Tiamat.
Hydra or Hydra of Lerna more often known simply as the Hydra, was a serpentine water monster in Greek and Roman mythology. Its lair was the lake of Lerna in the Argolid, which was also the site of the myth of the Danaids. Lerna was reputed to be an entrance to the Underworld and archaeology has established it as a sacred site older than Mycenaean Argos. In the canonical Hydra myth, the monster is killed by Heracles, using sword and fire, as the second of his Twelve Labors. According to Hesiod, the Hydra was the offspring of Typhon and Echidna. It possessed many heads, the exact number of which varies according to the source. Later versions of the Hydra story add a regeneration feature to the monster: for every head chopped off, the Hydra would regrow one or multiple heads. The Hydra had poisonous breath and blood so virulent that even its scent was deadly.