
    Prototype – Threat Detection and Sharing Tools
    WP4 (M1-M36)

    Coordinator – EHT

    Participants – FHG, NIC, TLB, IMT, NRD, CEA.

    The objective of WP4 is to develop and publish open-source IDMEFv2 tools and a pre-production SIEM prototype. The development of the open-source SIEM serves several purposes: a) it validates the IDMEFv2 design against a real implementation; b) it serves as “running code” for the IETF, demonstrating that the format is usable; c) it is used in WP7 for the simulator and in WP8 for the pilots; and d) being published as open source, it promotes the format and strengthens dissemination.

    The following tasks are set:

    • Task 4.1 Libs & Tools Development: development of IDMEFv2 libraries and tools that make it easier to build IDMEFv2-compatible software.
    • Task 4.2 SIEM Core: development of the core of the prototype (broker, storage, notification and graphs).
    • Task 4.3 SIEM Additional Modules: progressively adds further modules:
      a) a gateway that creates a threat intelligence object out of threat detection alerts,
      b) an enrichment engine that enriches alerts with internal data such as AD, the asset inventory and also CTI,
      c) an aggregation engine that groups related alerts,
      d) a correlation engine that interprets scenario rules,
      e) a graphical visualisation engine,
      f) a ticket-creation connection to an asset system (GLPI, developed by Teclib),
      g) an analysis and remediation engine connected to an open-source SOAR (Security Orchestration, Automation & Response) platform.
    • Task 4.4 Trusted Threat Detection Information Sharing Gateway: development of a threat detection information sharing engine. This engine will enable sharing of threat detection information between two or more SOCs, with a specific focus on trust establishment and enforcement of usage policies. Deployment in Trusted Execution Environments, together with remote integrity verification (attestation), enables trusted data exchange and enforcement of the security guarantees.
    • Task 4.5 Development Test and Validation: dedicated to testing and validation of the developed tools, and to their preparation first for the simulator and then for the pilots.

    All code and programs developed in WP4 will be published under an open-source licence on the project GitHub, and these publications will be announced through the project communication media (website, mailing list, social networks, etc.). The SIEM tools will reuse existing open-source SIEM components, adapted to state-of-the-art technologies: a Kafka broker for alert transport, NoSQL database storage, a web 4.0 interface, Logstash parsing for logs, etc.

    Deliverables:

      • 1 Specification – M6