SIEM Integration

Panoptica's SIEM integration enables you to export security finding and attack path information in JSON format. This allows you to periodically get all of your attack path and security finding information into your SIEM system.

The results are generated upon each completed scan, excluding dismissed/snoozed data.

๐Ÿ“˜

Alternative SIEM Method

If you would like to use S3 bucket offloading as a source for the SIEM results, follow the two walk-throughs at the bottom in Next Steps.

SIEM JSON Schema

The following illustrates the SIEM JSON schema.

{
	"type": "object",
	"properties": {

		"labels": {"type": "array"}, # The labels the main assets of the finding or attack paths has
		"alert_id": {"type": "string"}, # Lightspin's Finding ID
       "asset_id": {"type": "string"},# Your asset unique id
        "provider": {# AWS, KUBE (Kubernetes), Azure, or GCP
		      "type": "string",
		      "enum": ["AWS","KUBE","AZURE","GCP"]
		    },
		"resolved": {"type": "boolean"},# True for a resolved finding; otherwise, false.
		"severity": {# Information, Low, Medium, High, or Critical (the calculated severity level)
				      "type": "string",
				      "enum": ["Information","Low", "Medium", "High", "Critical"]
				    },
		"tenant_id": {"type":"string", "pattern": "^id"}, # Your tenant ID
	    "account_id": {# Comma-separated list of account IDs
	      "type": "string",
	      "maxLength": 50,
	      "minLength": 1
	    },
	    "description": {"type": "string"}, # Description of the security finding
	    "resource_type": {"type": "string", "enum": ["Compute", "Data", "Identity", "Network", "Service", "Storage"]},
	    "risk_params": {"type": "object", # This will appear only if the detection type is attack path.  
	    	"properties": {
	    		"risk_score": {# The score calculated by Lightspin (0-100)
	    			"type":"integer", 				      
	    			"maximum": 100,
				    "minimum": 0
				},
				"workload": {"$ref": "file://~/home/itayrekler/Desktop/SIEM_JSON_schemes/workloads.json"},
				"risk_definitions": { "$ref": "file://~/home/itayrekler/Desktop/SIEM_JSON_schemes/risk_definitions.json"}
				}},
	    "risk_category": {
	    	"type": "string", 
	    	"enum":["Administrator Access Compromise", "Cross Account", "Data Exposure", 
	    	"Neglected Resource", "Privilege Escalation", "Risky Configurations", "Subdomain Takeover", "Vulnerable Public Workload"]},
	    "detection_type": {"type": "string", "enum": ["security_finding", "attack_path", "other"]},# Single-value field (detection type)
	    "attack_scenario": {"type": "string"}, # Name of the security finding
	    "related_resources": {"type": "array", "items": {"type": "array", "items": {"type": "string"}}},# Assets and resourced affected by the security finding
	   	"detection_timestamp": {"type": "string","format": "date-time"},# Last seen timestamp
	   	"first_seen_timestamp": {"type": "string","format": "date-time"}# Date when asset was first added
	},
	"if": 
	{
		"properties": {
			"detection_type": {"const":"attack_path"}
		}, 
		"required": ["detection_type"]
	}, 
	"then": {"required": ["risk_params"]}
		
}

For SIEM integration with Panoptica, you will need to perform an API call to return an array of JSON files. The JSON below is an example of each one of these files.

Attack Path JSON Example:

{
	"labels": [],
	"alert_id": "133ba1251ece80abf9786cce93f128a59ac82d0dc1c4b6022cea3bd4faf35992",
	"asset_id": "/subscriptions/478eca4c-a0dd - 4378 - 9 ea1 - e716f3df0be3 / resourceGroups / or - test - rg / providers / Microsoft.Compute / virtualMachines / webapp02 ",
	"provider ": "AZURE ",
	"resolved ": true,
	"severity ": "Medium ",
	"tenant_id ": "id - e2d41eba ",
	"account_id ": "478 eca4c - a0dd - 4378 - 9 ea1 -e716f3df0be3 ",
	"description ": "Privately accessible virtual machine has a risky role definition attached, leading to administrator access compromise in the subscription.",
	"risk_params ": {
		"workload ": {
			"events ": null,
			"malware ": [],
			"secrets ": [],
			"identity ": [],
			"security_findings ": [],
			"threat_intelligence": {
				"network_scanners": []
			},
			"vulnerabilities_list": ["CVE-2016-1585", "CVE-2019-17041", "CVE-2019-17042", "CVE-2021 - 33574 ", "CVE - 2021 - 35942 "],
			"vulnerabilities_count ": 5
		},
		"risk_score ": 69,
		"risk_definitions ": {
			"network ": {
				"network_exposure ": "PRIVATE",
				"networking_method ": null,
				"internet_reachable ": false
			}
		}
	},
	"resource_type ": "Compute ",
	"risk_category ": "Administrator Access Compromise ",
	"detection_type ": "attack_path ",
	"attack_scenario ": "An attacker with network access to the virtual machine can compromise the subscription by achieving administrative privileges.",
	"related_resources ": [
		["VirtualMachine ", " / subscriptions / 478 eca4c - a0dd - 4378 -9 ea1 - e716f3df0be3 / resourceGroups / or - test - rg / providers / Microsoft.Compute / virtualMachines / webapp02 "]
	],
	"detection_timestamp": "2022-06-05 19:21:47.944416+00:00",
	"first_seen_timestamp": "2022-04-27 15:04:08.664098+00:00"
}

Security Finding Example:

{
            "labels": [],
            "alert_id": "48f4959604ec12c1e92d010c301508f6ddef4fbebd7efa0279a4d8eafe0d05bf",
            "asset_id": "https://www.googleapis.com/compute/v1/projects/lightspin-demo/zones/us-east1-b/instances/gp196-public-instance",
            "provider": "GCP",
            "resolved": false,
            "severity": "Medium",
            "tenant_id": "id-e2d41eba",
            "account_id": "lightspin-demo",
            "description": "VM instance with a configuration that allows project-wide SSH keys.",
            "resource_type": "Compute",
            "risk_category": "Risky Configuration",
            "detection_type": "security_finding",
            "attack_scenario": "Attacker can attempt to connect to an instance using the SSH keys configured for the project.",
            "related_resources": [
                [
                    "ComputeEngine",
                    "https://www.googleapis.com/compute/v1/projects/lightspin-demo/zones/us-east1-b/instances/gp196-public-instance"
                ],
                [
                    "Firewall",
                    "https://www.googleapis.com/compute/v1/projects/lightspin-demo/zones/us-east1-b/instances/gp196-public-instance/firewall"
                ],
                [
                    "ServiceAccount",
                    "serviceAccount:gp196-storage-service-account@lightspin-demo.iam.gserviceaccount.com"
                ],
                [
                    "PublicIP",
                    "35.237.128.78"
                ]
            ],
            "detection_timestamp": "2022-07-14 11:03:35.444341+00:00",
            "first_seen_timestamp": "2022-04-26 07:36:22.299300+00:00"
        }

Once you get this array, you will need to parse it based on your needs.

Note that each JSON represents either a security finding or attack path.

The API relies on /api/analysis/siemresults.