Posts

Showing posts from April, 2018

Integrating McAfee SIEM with Apache Nifi Video 2/3

In this second video, I will show how to create a workflow blueprint. The workflow created does the following steps: Collect information from Twitter and filter it by some keywords. In order to do this, certain credentials must be obtained from the Twitter API (consumer secret and access token secret); the sensitive information is not shown in the video. The next step is to pull key attributes from the Twitter JSON string, so we don't have to deal with the information we are not interested in; in this example I am extracting the user name, the language used and the message text. Next, we check that it is in fact a Twitter message and, if so, we route the information to the next step. Next, the flow file is transformed into a JSON string. The last step is to send the information as the message string of a syslog event to the Receiver. In the SIEM Receiver we create a Data Source and log the unknown syslog information as unknown; in the next post I will create a parser so the...

Integrating McAfee SIEM with Apache Nifi Video 1/3

From Wikipedia: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems. In this set of videos I will show the process of installing NiFi and configuring a flow that collects information from Twitter, transforms it into a JSON stream and finally sends it to McAfee SIEM, where a Data Source will have been created beforehand. In the last video of this series I will show how to create a custom parser to "understand" the information sent. The following video covers the installation process of NiFi using Docker. To download the Docker image, go to https://hub.docker.com/r/apache/nifi/ and follow the instructions; the video also covers the process.

How to install McAfee SIEM

In this post I will show you how to install McAfee SIEM and its most important components for the first time. These are the different components that I want to install:

Enterprise Security Manager (ESM): This is the main component. It contains the Embedded Database (EDB), the proprietary database used by McAfee SIEM to store all the parsed information, and also the web application from which all management of the platform (configuration, alerting, reporting) is done.

Enterprise Log Manager (ELM): This component is responsible for the compliance use case; it is in charge of storing the raw information for long-term retention.

Receiver (ERC): This is the component that connects the data sources with the ESM and the ELM. Data sources can send the information to the ERC (e.g. syslog data sources), or we can configure the ERC to collect information from the data sources (e.g. Windows Management Instrumentation).

Advanced Correlation Engine (ACE): It is the component in charg...