Brand new API and SIEM feed
20 January 2018
The number of clients is steadily growing, but the first one will always remain special. They’ve been supportive from the start, provided valuable feedback and even put up with me when their timeline was full of crap again because the bots triggered the flood detection on the corporate firewall. So when they ask for a feed for their SIEM, they get a feed for their SIEM.
The SIEM in question, ArcSight, normally ingests messages in Common Event Format (CEF), and this format is supported by quite a few security products. Their SIEM guy said that JSON would also be fine. JSON is used a lot for APIs and goes well with the Elastic Stack. That last one is popular with security people for a reason, and if you're not familiar with it yet it should be your next stop after this. I decided to support both formats.
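As an added illustration of the difference between the two formats (this is not code from the post or from the feed itself), the same constructed event rendered once as a CEF line with the escaping CEF requires and once as JSON; the vendor, product and field names are assumptions, not the feed's real ones.

```python
"""Render one event as a CEF line and as JSON (added example, not the feed's code)."""
import json

# Constructed sample event. The real feed's field names are not documented here;
# "src" and "msg" are standard CEF extension keys, the rest is made up for the demo.
SAMPLE_EVENT = {
    "event_id": "login-failure",
    "name": "Login attempt: user=admin|pass=x",   # pipe must be escaped in the header
    "severity": 5,
    "src": "203.0.113.7",
    "msg": "body contained a=b\\c\nnewline",     # '=', '\' and newline escaped in extension
}

HEADER_KEYS = ("event_id", "name", "severity")


def _escape_header(value):
    # CEF header fields: backslash and pipe are the only characters that need escaping.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # CEF extension values: escape backslash, equals sign and line breaks;
    # pipes are allowed as-is here.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, vendor="ExampleVendor", product="ExampleFeed", version="1.0"):
    """CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ..."""
    header = "|".join(_escape_header(v) for v in (
        vendor, product, version,
        event["event_id"], event["name"], event["severity"]))
    extension = " ".join(f"{key}={_escape_extension(val)}"
                         for key, val in event.items() if key not in HEADER_KEYS)
    return f"CEF:0|{header}|{extension}"


def to_json(event):
    # JSON needs no format-specific escaping beyond what the encoder already does.
    return json.dumps(event, sort_keys=True)


def from_json(text):
    return json.loads(text)


if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
    print(to_json(SAMPLE_EVENT))
```

A CEF line must stay on one line, which is why the embedded newline in `msg` is turned into a literal `\n`; the JSON rendering keeps the original value and round-trips it unchanged.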
There are several options (see the API documentation) available to tweak your feed, but I figure the most common use will be to periodically pull all new events. This is as simple as hitting the endpoint URL. The feed endpoint remembers what you have already pulled and will only send you the difference since then.
I'm sure the API will expand over time, but if you have a cool idea and need something right now, just contact me.