-
Notifications
You must be signed in to change notification settings - Fork 48
Receiving Alerts
After installing SCOT, the next step is actually getting it to receive alerts from your detection systems. There are two main ways to achieve this:
- Use the the REST API to pump JSON into SCOT.
- Send E-mail messages to an account that SCOT can access.
Method 1, REST API, is by far the easiest, but may not be possible for all detection systems. Method 2, E-mail, is supported by most detection systems, but will require more work for you on the backend. The E-mail system also has the benefits of "store-and-forward" architecture that is very resilient. In other words, if you are upgrading the SCOT server or encounter a hardware failure, the e-mail infrastructure will "queue" up the incoming alerts for you and will not lose data. Please note that if you choose to use E-mail, you will need to have confidence in your e-mail infrastructure from a security and reliability point of view. Finally, you can mix and match the methods if you desire.
Here is a Curl example of how to create an Alertgroup. (See documentation for Alert vs Alertgroup distinction)
curl -X POST https://example.name.tld/scot/api/v2/alertgroup -d'{
"message_id": "32characterMessageId",
"subject": "Detectotron3k Alert: Bad Stuff Found",
"data": [
{ "column1name": "row1column1value", "column2name": "row1column2value" },
{ "column1name": "row2column1value", "column2name": "row2column2value" }
],
"tag": [ "your", "tags", "here" ],
"source": [ "detectotron3k", "ids" ],
"columns": [ "column1name", "column2name" ]
}'
This command will create an alertgroup in SCOT that consists of two alerts. The alertgroup will appear in the "Alert" section of the SCOT UI. When you click upon the alertgroup, the two rows from the "data" attribute, will appear in the detail window of the SCOT UI.
SCOT includes a program bin/alerts.pl that is designed to be stared by cron periodically. Assuming you have configured it appropriately in the etc/mail.cfg.pl file, it will make an IMAP connection to your e-mail server and request all unseen messages from the INBOX. It then parses each e-mail message received and inserts one alertgroup for each message. SCOT also creates one or more associated alerts based on the data in the e-mail message.
alerts.pl uses parsing modules in lib/Scot/Parser to digest the e-mail message. The following parsers are provided with SCOT:
This parser accepts alert e-mails from Splunk. The splunk alert must be configured to send the data in HTML format for this parser to work. The Splunk data from the alert is presented in a table consisting of one or more rows. The table header cells are the attribute names and the td's become the attribute values. Each row will generate an alert that is associated with the Alertgroup generated by the e-mail.
This parser generates an Alertgroup from an e-mail generated by Sourcefire or Snort.
This parser generates Alertgroups from FireEye alerts.
This basic parser takes the body of the e-mail and generates an Alertgroup consisting on a single alert containing the body of the alert.
You can create your own parsers (share them with the project and we'll include them) to handle detection e-mails other than those above. The best way to create your own is to start from a copy of either Generic.pm or Splunk.pm (if the email is HTML based) and place the result in lib/Scot/Parser. All parsers in this directory will be attempted based on the result of the will_parse method.