SIEM/SOC Integration

All our modules include a powerful feature that injects informational headers for each request.

SIEM/SOC tools can be configured to ingest these headers.

Below are example configurations for the most widely used SIEM/SOC tools.

Telegraf:

[[inputs.logparser]]
  files = ["/path/to/access_log"]
  from_beginning = false

  [inputs.logparser.grok]
    patterns = ['%{COMBINED_LOG_FORMAT} %{WORD:x-DataDome-isbot} %{WORD:x-DataDome-botname} %{WORD:x-DataDome-botfamily} %{WORD:x-DataDome-captchapassed}' ]
    measurement = "access_log"
Filebeat:

# You need to add the DataDome headers in the Elasticsearch output configuration: https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html#_literal_headers_literal

- module: nameOfModule
  access:
    enabled: true
    var.paths: ["/path/to/log/access.log"]

Datadog:

# Example access log: https://www.datadoghq.com/blog/monitor-apache-web-server-datadog
# Example of adding custom headers: https://docs.datadoghq.com/agent/faq/dogstream/#writing-parsing-functions

logs:
    - type: file
      path: /var/log/apache2/access.log
      service: apache_gob_test
      source: apache
      sourcecategory: http_web_access
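
Before pointing a collector at the access log, it helps to confirm that every line carries the four DataDome fields in the layout the Telegraf grok pattern above expects. The following is an added example, not DataDome's code: the regular expression approximates that pattern, and the sample lines and their field values (true/false, bot names, families) are constructed assumptions. A header logged as "-" is not a word and so does not fit the layout; the script reports such lines instead of dropping them silently.

```python
import re
from collections import Counter

# Approximation of the page's grok pattern: Apache combined log format
# followed by four space-separated word fields (grok WORD ~ \w+).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<isbot>\w+) (?P<botname>\w+) (?P<botfamily>\w+) (?P<captchapassed>\w+)$'
)

# Constructed sample lines; the field values are assumptions for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" false none none false
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 403 0 "-" "python-requests/2.31" true requests scraper false
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 200 734 "-" "python-requests/2.31" true requests scraper true
192.0.2.44 - - [10/Oct/2023:13:55:39 +0000] "GET /feed HTTP/1.1" 200 2048 "-" "ExampleCrawler/1.0" true examplecrawler crawler false
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /img.png HTTP/1.1" 200 900 "-" "Mozilla/5.0" - - - -
"""

def parse_line(line):
    """Return the parsed fields as a dict, or None if the layout does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Count bot requests per family and collect lines that failed to parse."""
    families, unparsed, total, bots = Counter(), [], 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # does not fit the expected layout
            continue
        if rec["isbot"].lower() == "true":
            bots += 1
            families[rec["botfamily"]] += 1
    return {"total": total, "bots": bots, "families": dict(families), "unparsed": unparsed}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["total"], report["bots"], report["families"])
    for line in report["unparsed"]:
        print("UNPARSED:", line)
```

A non-empty unparsed list means the web server's log format and the collector's pattern disagree, so those requests would be missing from any bot dashboard built on the parsed fields.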

ELK use case

Once Filebeat is configured, you can use Kibana to check your data:

Discover:

Figure: Discover bot

Creating your specific Kibana dashboard

Figure: Bot dashboard

TIG use case

Once Telegraf is configured, you can use Grafana to create your dashboard: