Exporting Sguil Events For Ticket Generation


Brandon Stephens

Apr 10, 2018, 2:28:56 PM
to security-onion
All,

Has anyone modified the Sguil config to create tickets in an enterprise ticketing solution? I have some automation ideas but am not quite positive what the SO capability is to tie into an API, specifically Service Now. See ideal workflow below and please comment with any helpful questions or suggestions.

1 - Right click on event in Sguil
2 - Select "create ticket"
3 - This action will kick off a script that will compile all fields displayed in Sguil, execute the Wireshark executable, then ships all info and pcap file to Service Now's API.

thanks,

BS

Wes Lambert

Apr 10, 2018, 3:06:37 PM
to securit...@googlegroups.com
Hi Brandon,

I have not done this, but I have used Elastalert/Python to automatically generate events/tickets/cases in various endpoint systems (MISP/TheHive/GRR/FIR).

I can take a look at it when I get a chance -- it's not too hard to add custom pivots, but POST'ing to a web service, etc. might be a little bit different/more difficult natively.

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Brandon Stephens

Apr 10, 2018, 4:15:24 PM
to security-onion
On Tuesday, April 10, 2018 at 3:06:37 PM UTC-4, Wes wrote:
> Hi Brandon,
>
>
> I have not done this, but I have used Elastalert/Python to automatically generate events/tickets/cases in various endpoint systems (MISP/TheHive/GRR/FIR).
>
>
> I can take a look at it when I get a chance -- it's not too hard to add custom pivots, but POST'ing to a web service, etc. might be a little bit different/more difficult natively.
>
>
> Thanks,
> Wes
>
>
> On Tue, Apr 10, 2018 at 2:28 PM, Brandon Stephens <brandonst...@gmail.com> wrote:
> All,
>
>
>
> Has anyone modified the Sguil config to create tickets in an enterprise ticketing solution? I have some automation ideas but am not quite positive what the SO capability is to tie into an API, specifically Service Now. See ideal workflow below and please comment with any helpful questions or suggestions.
>
>
>
> 1 - Right click on event in Sguil
>
> 2 - Select "create ticket"
>
> 3 - This action will kick off a script that will compile all fields displayed in Sguil, execute the Wireshark executable, then ships all info and pcap file to Service Now's API.
>
>
>
> thanks,
>
>
>
> BS
>
>
>

Thanks for the quick reply Wes. From what I understand at this point, Service Now accepts email and REST API ingestion better than other methods. Rather than trying to reinvent the wheel, I thought I would check the community for similar experiences, as this type of workflow (regardless of tool) should be fairly common at enterprise-level companies.

I have a certain logic in mind, and it all starts with adding that pivot to Sguil, which seems pretty straightforward. My thought was to write a script that grabs all fields/files that I want, then add it to the .tk file. Xscript should run, hit my script and then execute, but accurately exporting from SO so that it is imported into a third-party tool seems like it could be tricky.

Антони Андонов

Apr 11, 2018, 4:28:41 AM
to security-onion
Hello,

I was looking for the same thing. This would be a great addition. Currently we also need to pick exact events and get information from them to another system (FIR or Hive). When we automatically generate tickets, there are too many false positives or things we don't currently need to investigate.

So if somebody knows a way or has a smarter way to manually choose what is sent to another system, it would be great to share it.

Brandon Stephens

Apr 11, 2018, 7:33:56 AM
to security-onion
I think the modification of the sguil.tk file would be fairly simple given that you have a python script for example that gathered the information you want populated into your ticket.

The challenge I am finding is the 3rd party integration. Email is a common ingestion method for most ticketing systems I have worked with. I am looking into some sort of SMTP add-on that would take the output from the python script and send it to an internal relay which would in turn create a ticket.

For now, my thoughts are around all basic fields in Sguil plus a pcap file as an attachment. If I get this ironed out here I will gladly post a resolution.

BS
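The script Brandon describes in this thread (a Sguil pivot hands the event's fields and a pcap to a script, which mails them through an internal SMTP relay so the ticketing system creates the ticket) as an added example; this is not code from the thread or from Security Onion. It assumes a hypothetical pivot interface in which the Sguil columns arrive as command-line arguments in the order given by FIELDS, followed by the pcap path; the relay and mailbox names are placeholders.

```python
"""Added example (not from the thread): turn one Sguil event plus its pcap
into a ticket e-mail that an internal SMTP relay can hand to a ticketing system."""
import ipaddress
import json
import smtplib
import struct
import sys
from email.message import EmailMessage

# Assumed interface: the custom Sguil pivot passes these columns, in this order,
# as command-line arguments, followed by the path of the pcap Wireshark wrote.
FIELDS = ("alert_id", "timestamp", "sensor", "src_ip", "sport",
          "dst_ip", "dport", "proto", "signature")
PCAP_MAGIC = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # libpcap, either endianness
              b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d",   # nanosecond-resolution libpcap
              b"\x0a\x0d\x0d\x0a")                        # pcapng section header block

def build_ticket(values, pcap_bytes, pcap_name, sender, recipient):
    """Return an EmailMessage: JSON ticket body, the pcap as the only attachment."""
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    event = dict(zip(FIELDS, values))
    for key in ("src_ip", "dst_ip"):          # reject garbage before it reaches the ticket system
        ipaddress.ip_address(event[key])
    if pcap_bytes[:4] not in PCAP_MAGIC:      # only ship a real capture file
        raise ValueError("attachment is not a pcap/pcapng file")
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[SO {event['sensor']}] {event['signature']} {event['src_ip']} -> {event['dst_ip']}"
    msg.set_content(json.dumps(event, indent=2))   # machine-readable body for the ticket parser
    msg.add_attachment(pcap_bytes, maintype="application",
                       subtype="vnd.tcpdump.pcap", filename=pcap_name)
    return msg

def send_ticket(msg, relay_host, relay_port=25):
    """Hand the message to the internal relay that creates the ticket."""
    with smtplib.SMTP(relay_host, relay_port) as relay:
        relay.send_message(msg)

# Constructed sample input: one event and a 24-byte empty libpcap file (global header only).
SAMPLE_EVENT = ("3.1042", "2018-04-10 14:28:56", "so-sensor-1", "10.0.0.5", "51234",
                "203.0.113.7", "443", "6", "GPL CONSTRUCTED test signature")
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":                    # invoked by the pivot: <fields...> <pcap path>
    *cols, pcap_path = sys.argv[1:]
    with open(pcap_path, "rb") as fh:
        ticket = build_ticket(cols, fh.read(), "event.pcap", "so@example.org", "tickets@example.org")
    send_ticket(ticket, "relay.example.org")
```

The JSON body keeps every Sguil column under a stable key, so the receiving system's mail parser can map fields without scraping free text, and the magic-number check keeps an arbitrary file from being attached when the pivot passes a wrong path.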