SIEVA is a tool that provides visibility into the data ingested by SIEMs. Using artificial intelligence, SIEVA analyses the information contained in the logs, classifies it according to the MITRE ATT&CK framework data sources, and provides a high-level view of the ATT&CK Matrix, colour coded to reflect which tactics and techniques can be monitored with the information currently available in the system. SIEVA also provides a detailed view of the data analysed on each individual Elasticsearch index.
This project is currently under development.
The current version is a stable MVP which requires adjustment and fine tuning before it can be deployed to a production environment.
Docker (recommended 20.x or latest)
ElasticSearch 7.x (recommended 7.17.x)
Download the repository.
Modify the following sections according to your environment, replacing <server_ip> with the IPv4 address of the server where the application is deployed:
/nav-app/src/environments/environment.prod.ts line 3:
apiURL: "http://<server_ip>",
nav-app/src/assets/config.json line 163:
"urls": ["http://<server_ip>:8081/loadConfig"]
cd sieva
docker-compose up -d --build --quiet
The application can be accessed at server_ip:9000 and the plot data at server_ip:9001.
curl -g 'http://server_ip:8081/train?train_pairs={"webserver":["webproxy-squid","webserver-generic","webserver-nginx"]}'
Call this endpoint to re-train the model with the existing data. The train_pairs value must be valid JSON (an object, not an array of pairs); the URL is quoted and curl's globbing is disabled with -g because braces and brackets are otherwise interpreted by the shell and by curl.
parameters:
train_pairs -> dictionary of training-label : [train-index0, train-index1, ...]
returns:
json with the path where the model has been saved:
"model path" : "data/model/model.bin"
curl -g 'http://server_ip:8081/predict?predict_idxs=["classification_validate_dataset"]'
Call this endpoint to perform a prediction with the pre-trained model over the indices provided as a parameter.
parameters:
predict_idxs -> list of [predict-index0, predict-index1, ...]
returns:
json with:
- The % of the category split
- The MITRE techniques to use
- The path to the predictions file created
"classification_validate_dataset": {
"Category Split: Data types" : "\"{\\\"dns\\\":25.4433544759,\\\"webserver\\\":24.3785048969,\\\"evtx\\\":23.0140914828,\\\"firewall\\\":13.7913198383,\\\"identity\\\":12.6204246617,\\\"dhcp\\\":0.7523046444}\"",
"Techniques" : {
"T1001": "#8cdd69",
"T1001.001": "#8cdd69",
"..." : "..."
},
"Predictions Results / Path to predictions" : {
"Path to predictions": "data/predictions/predictions.txt"
}
}
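A small client for the two endpoints above, added here as an example and not part of the SIEVA code base: it builds the query strings with the dictionary/list JSON-encoded and URL-encoded (so no shell or curl quoting issues arise), and unpacks a prediction response, whose "Category Split: Data types" value is itself a JSON-encoded string rather than an object. The server address is a placeholder and the sample response is constructed to match the shape documented above.

```python
import json
from urllib.parse import urlencode

SIEVA_API = "http://<server_ip>:8081"  # placeholder, replace with the deployed host


def train_url(train_pairs: dict[str, list[str]], base: str = SIEVA_API) -> str:
    """Build the /train URL; train_pairs maps training-label -> list of training indices."""
    return f"{base}/train?" + urlencode({"train_pairs": json.dumps(train_pairs)})


def predict_url(predict_idxs: list[str], base: str = SIEVA_API) -> str:
    """Build the /predict URL for the Elasticsearch indices to classify."""
    return f"{base}/predict?" + urlencode({"predict_idxs": json.dumps(predict_idxs)})


# Constructed sample of a /predict response, encoded the way the documented output is:
# the category split is a JSON object serialised to a string, then stored as a JSON string.
SAMPLE_PREDICT_RESPONSE = json.dumps({
    "classification_validate_dataset": {
        "Category Split: Data types": json.dumps(json.dumps({
            "dns": 25.4433544759, "webserver": 24.3785048969, "evtx": 23.0140914828,
            "firewall": 13.7913198383, "identity": 12.6204246617, "dhcp": 0.7523046444,
        })),
        "Techniques": {"T1001": "#8cdd69", "T1001.001": "#8cdd69"},
        "Predictions Results / Path to predictions": {
            "Path to predictions": "data/predictions/predictions.txt",
        },
    }
})


def parse_prediction(raw: str, index: str) -> dict:
    """Unpack one index entry of a /predict response into plain Python values."""
    entry = json.loads(raw)[index]
    split = entry["Category Split: Data types"]
    # Keep decoding while the split is still a string: it arrives JSON-encoded at least once.
    while isinstance(split, str):
        split = json.loads(split)
    return {
        "split": {k: float(v) for k, v in split.items()},          # data type -> % of logs
        "techniques": dict(entry["Techniques"]),                    # technique id -> colour
        "predictions_path": entry["Predictions Results / Path to predictions"]["Path to predictions"],
    }


def dominant_source(parsed: dict) -> tuple[str, float]:
    """Return the data type that makes up the largest share of the analysed logs."""
    return max(parsed["split"].items(), key=lambda kv: kv[1])
```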
This code has been developed within the innovation project SIEVA: SIEM visibility assessment.
This project has received funding from the European Union’s GÉANT Innovation Programme 2022 research and innovation programme under grant agreement No SER-22-109.
More information about the grant at https://community.geant.org/community-programme-portfolio/innovation-programme/
This code has been developed by Fundació Privada Internet i Innovació Digital a Catalunya (i2CAT).
i2CAT is a non-profit research and innovation centre that promotes mission-driven knowledge to solve business challenges, co-create solutions with a transformative impact, empower citizens through open and participative digital social innovation with territorial capillarity, and promote pioneering and strategic initiatives.
i2CAT aims to transfer research project results to private companies in order to create social and economic impact via the out-licensing of intellectual property and the creation of spin-offs.
Find more information of i2CAT projects and IP rights at https://i2cat.net/tech-transfer/
This code is licensed under the terms of the AGPLv3. Information about the license can be located at link.
If you find that this license doesn't fit with your requirements regarding the use, distribution or redistribution of our code for your specific work, please, don’t hesitate to contact the intellectual property managers in i2CAT at the following address: techtransfer@i2cat.net