We hope you enjoy our new SIEMonster Community Edition V4.0 Fully loaded. This product is free, and support is provided via the Community Portal. Please be aware there is no upgrade path or paid support available for this edition.

Product Comparison

  • Compared attributes: Server Requirements, Endpoints, EPS, Bare-Metal, Virtual Machine, Upgradeable, AWS or OCI Cloud, Kubernetes Scalable, Support, Reporting, Threat Intelligence, Human Based Behaviour, Machine Learning.

  • The Community Edition is a single server built by the community for the community.
      • Server Requirements: 1 Server
      • Endpoints: 1-100
      • EPS: 5,000
      • Reporting: 2 Reports

  • The Professional Edition is a single appliance or virtual machine for small business.
      • Server Requirements: 1 Server
      • Endpoints: 1-200
      • EPS: 13,000

  • The SIEMonster Enterprise Edition. Monitor network assets in an affordable, scalable solution.
      • Server Requirements: 5+ Servers
      • Endpoints: 1-100,000
      • EPS: 500k+ (Cloud)

  • Want to run your own SOC? Run our Multi-Tenant Edition for Managed Security Service Providers.
      • Server Requirements: 7+ Servers
      • Endpoints: Infinite
      • EPS: Infinite

Built On Open Source

SIEMonster is built on the best open source tools, with extra functionality, integration stability and correlation providing enriched data from the SIEM. Some of these tools include:

  • Open Distro Elasticsearch
  • Apache NiFi
  • Apache Kafka
  • The Hive
  • Cortex Threat Analysis
  • MISP Framework
  • Open CTI Threat Modelling

Open Distro

Open Distro for Elasticsearch provides a powerful, easy-to-use event monitoring and alerting system, enabling you to monitor your data and send notifications automatically to your stakeholders. With an intuitive Kibana interface and powerful API, it is easy to set up and manage alerts. Build specific alert conditions using Elasticsearch’s query and scripting capabilities. Alerts help teams reduce response times for operational and security events.

Shuffle SOAR

SIEMonster has included the bleeding-edge Shuffle SOAR (Security Orchestration, Automation, and Response) technology, which allows for the creation of workflows that can integrate with applications that form part of the SIEMonster stack, as well as external products that are often found as part of the cyber security toolsets deployed within the enterprise. SIEMonster has auto-wired it to Cortex, TheHive & MISP. SOAR gives your SIEM the automation to create tickets and to add threat intelligence information as well as artifacts. SOAR provides automated workflows through a graphical interface with no coding required. Shuffle SOAR has thousands of premade integrations and uses open frameworks. Pulling data via API calls from all your sources makes for integration in hours rather than weeks or months. Raise tickets in commercial products or send emails to key stakeholders; choose from more than 11,000 application APIs to integrate into SIEMonster.

The Hive

TheHive is utilized within the SIEMonster platform as an incident response/case management system. It is meshed with Alerting, MISP, OpenCTI, Patrowl and Cortex to automate the process of incident creation. To make life simpler for SOCs, CSIRTs and CERTs, all information pertaining to a security incident is presented for review. Whilst weighing up and excluding false positives, the SOC team are given an indication of next steps to take.


Cortex solves two common problems frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response:


  • How to analyze observables they have collected, at scale, by querying a single tool instead of several?
  • How to actively respond to threats and interact with the constituency and other teams?


Cortex can analyze (and triage) observables at scale using more than 100 analyzers. You can actively respond to threats and interact with your constituency and other parties thanks to Cortex responders. Within the SIEMonster platform, Cortex is pre-integrated with TheHive and MISP to get you up and running.


MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.


Integration within the SIEMonster platform provides detailed information about attacks.

MISP Framework

The Malware Information and Sharing Platform (MISP) is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. MISP is used today in multiple organizations not only to store, share and collaborate on cyber security indicators and malware analysis, but also to use the IoCs and information to detect and prevent attacks, frauds or threats against ICT infrastructures, organizations or people.


Integration within the SIEMonster platform is preconfigured for Cortex, OpenCTI, MISP & Cortex. Feeds for threat intel can be configured for many of the available free sources as well as from subscription sources if required.


Within the SIEMonster platform NiFi is used to ingest incoming event log data from the Kafka message queue. Various templates have been provided for different endpoint types including but not limited to Active Directory, common firewall and VPN devices, HIDS agents and IDS feeds.


All data flow is visualized allowing the analyst to view in real time the log flows and metrics. Templates are also provided to assist in adding new sources with debug options and data sinks before going into production.


PatrOwl is an advanced platform for orchestrating Security Operations like Penetration testing, Vulnerability Assessment, Code review, Compliance checks, Cyber-Threat Intelligence / Hunting and SOC & DFIR Operations, including:


  • Full-stack security overview (IP to Data)
  • Define threat intelligence & vulnerability assessment scan policies
  • Orchestrate scans using tailor-made engines
  • Collect & aggregate findings
  • Contextualize, track and prioritize findings
  • Check remediation effectiveness

Correlate asset risk value against vulnerabilities, bringing business intelligence and SIEM into closer alignment. Within the SIEMonster platform, PatrOwl is integrated with Cortex and TheHive. Assets for assessment can be added singly or in bulk using the asset import feature.


OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.


The data is structured using a knowledge schema based on the STIX2 standards. It has been designed as a modern web application including a GraphQL API and a UX-oriented frontend. OpenCTI is also integrated with MISP, TheHive and MITRE ATT&CK within the SIEMonster platform, and has a connector for CVE information.


The initial dashboard immediately begins importing MISP observables for analysis.


Alerting is provided by the OpenDistro Kibana interface, by Elastalert with a GUI front-end, and via Apache NiFi, depending on the use case. 30+ pre-canned alert types are provided to get you up and running. Typical queries include those for anomalies, aggregations and pattern matching, along with threat intel/MITRE correlation, Indicators of Compromise (IOCs), NIDS signature matching & asset vulnerabilities. Alerts can be configured to automatically create tickets in the TheHive Incident Response module and to notify stakeholders via most common webhooks or direct email.


Many pre-canned alerts are available in a disabled state to allow you to quickly get up and running. We also provide a Webhook-to-SMTP connector for Kibana alerts, not available as standard, that permits the emailing of alerts.

Message Queuing – Kafka

Apache Kafka is a publish/subscribe message queuing system that is utilized within SIEMonster not only for its scalability but also for the following:


  1. Provides durable, fast and fault-tolerant message streaming for handling real-time data feeds.
  2. Is compatible with Apache NiFi and the Elastic Beats family of agents.
  3. Enables custom configuration per endpoint group by using topic declarations.
  4. Improves data governance and provides guaranteed delivery.
  5. Offers options for in-flight stream data extraction and new stream creation dependent on specific triggers.
  6. Allows data retention periods to be set per use case in case of upstream processing back pressure.

Incoming events are stored initially in Apache Kafka before being processed in NiFi and then sent to Elasticsearch. This provides a buffer in case of bursts in activity while also providing an endpoint-by-topic management system with options for real-time alert stream creation.


SIEMonster's internal reporting tool provides comprehensive, automated reporting straight to your inbox. It allows automated reports to be generated and sent to the appropriate person on any event, for example when McAfee Anti-Virus detected a virus but did not clean it, and sends these follow-up items in a report. Reports are available in PDF or XLS format, including dashboard snapshots for visualization.


Wazuh is a free and open source platform for threat detection, security monitoring, incident response and regulatory compliance. It can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources. Wazuh is used to collect, aggregate, index and analyze security data, helping organizations detect intrusions, threats and behavioral anomalies.


Wazuh is integrated into the Dashboards module of SIEMonster and there are also pre-canned alerts configured.


Suricata is an open source threat detection engine that was developed by the Open Information Security Foundation (OISF). Suricata can act as an intrusion detection system (IDS) or an intrusion prevention system (IPS), or be used for network security monitoring. It was developed alongside the community to help simplify security processes. As a free and robust tool, Suricata monitors network traffic using an extensive rule set and signature language. Suricata also features Lua scripting support to monitor more complex threats.


SIEMonster provides a Suricata pipeline that performs packet capture and analysis on the local network interface, acting as a host-based IDS. The resultant data is then sent to Kafka before being ingested by Elasticsearch. The commercial SIEMonster releases extend these capabilities in the form of network and cloud tabs and multi-network interface monitoring.


Alerts can be easily configured for signature matches and there is also a dashboard provided for further IDS analysis.

Human Based Behavior Integration

Every user has a behavioral fingerprint: a unique, nuanced way they use their own computer. Behavioral fingerprints can be monitored to detect when something changes and risk increases, when the user just isn’t behaving like they usually do. SIEMonster can integrate existing UEBA behavioral analytics products like Darktrace and correlate their output, providing Incident Response, SOAR functions and actioned reports.

Deep Learning

AI and its subsets, Machine and Deep Learning, along with Neural Networks, are terms often used by security marketing vendors. The effectiveness of these tools can be limited by integration strategy, widening the gap between what can be considered benign and that which requires immediate action.

SIEMonster strives to close this gap through innovation to not only reduce false positives but apply counteraction and extend automation, reducing the load on the typical SOC analyst.

The ultimate SIEM tool, SIEMonster is not only affordable and customizable, but becomes the pulse of your organization’s security posture. With the ability to absorb third-party endpoint protection data, SIEMonster can perform correlation instantly against other events and data. One of our customers said to us, “We get an alert, so what, can you kill the threat as well, as we just don’t have the staff?” This is what spurred us on to achieve autonomous counteractive strategies to shut down critical threats. Applying real-time analysis of SIEMonster event alert streams, Threat Intelligence, Deep Learning combined with Human Based Behavior traits and Honeypot data is a good start. By adding active Threat Hunting to the mix along with common IOC recognition and utilizing the Mitre Att&ck™ Framework, accuracy of threat recognition becomes sufficient to kill attacks. Without human intervention, users can be disabled, IP addresses blocked and assets shut down, effectively removing the threat and reducing the workload of security administrators within the SOC.