Onboards structured log sources into SIEM platforms (Splunk, Elastic, Sentinel, QRadar) via collector configuration (rsyslog, Splunk Forwarder), parsing, normalization, and validation for SOC security monitoring.
Log source onboarding is the systematic process of integrating a new data source into a SIEM platform for security monitoring and detection. A well-defined onboarding workflow plans the data source, configures the collection agent, builds parsers, normalizes fields to a common schema, and validates data quality. The UK NCSC recommends prioritizing the log sources whose security value is highest relative to their ingestion cost.
| Source | Log type | Security value |
|---|---|---|
| Active Directory | Security event log | Authentication, privilege escalation |
| Firewall | Traffic logs | Network access, C2 detection |
| EDR/AV | Endpoint alerts | Malware, process execution |
| VPN/remote access | Connection logs | Unauthorized access |
| DNS server | Query logs | C2 beaconing, data exfiltration |
| Email gateway | Email security logs | Phishing, business email compromise (BEC) |

| Source | Log type | Security value |
|---|---|---|
| Web proxy | HTTP/HTTPS logs | Web-based attacks, data exfiltration |
| Cloud platforms (AWS/Azure/GCP) | Audit logs | Cloud security posture |
| Database servers | Audit/query logs | Data access, SQL injection |
| DHCP/IPAM | Address assignment logs | Asset tracking |
| File servers | Access logs | Data access monitoring |

| Source | Log type | Security value |
|---|---|---|
| Application servers | Application logs | Application-layer attacks |
| Print servers | Print logs | Data loss prevention |
| Badge/physical access | Access control logs | Physical security correlation |
| Network devices (switches/routers) | Syslog | Network anomalies |

1. Identify the log source:
   - System type and version
   - Log format (syslog, CEF, JSON, Windows event, etc.)
   - Estimated log volume (EPS, events per second)
   - Network location and firewall requirements
2. Assess security value:
   - Which threats does this source help detect?
   - Which MITRE ATT&CK techniques does it cover?
   - Does a SIEM parser already exist?
3. Estimate ingestion cost:
   - Daily volume (GB)
   - License impact (billed per GB or per EPS)
   - Storage retention requirements

```conf
# rsyslog configuration for receiving syslog
# /etc/rsyslog.d/10-siem-collection.conf

# Certificates for the TLS listener (placeholder paths; replace with your own files)
global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/collector-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/collector-key.pem")

# UDP receiver
module(load="imudp")
input(type="imudp" port="514" ruleset="siem_forwarding")

# TCP receiver (imtcp is loaded once; loading a module twice is a configuration error)
module(load="imtcp")
input(type="imtcp" port="514" ruleset="siem_forwarding")

# TLS receiver on the same module. Per-input StreamDriver.* and PermittedPeer
# parameters require rsyslog 8.2106 or later; the permitted peer pattern is a placeholder.
input(type="imtcp" port="6514" ruleset="siem_forwarding"
      StreamDriver.Name="gtls" StreamDriver.Mode="1"
      StreamDriver.AuthMode="x509/name" PermittedPeer=["*.company.com"])

ruleset(name="siem_forwarding") {
    # Forward to the SIEM through a disk-assisted queue so events survive outages and restarts
    action(type="omfwd" target="siem.company.com" port="9514"
           protocol="tcp" queue.type="LinkedList"
           queue.filename="siem_fwd" queue.maxdiskspace="1g"
           queue.saveonshutdown="on" action.resumeRetryCount="-1")
}
```

```ini
# inputs.conf on the Splunk Universal Forwarder
[WinEventLog://Security]
disabled = 0
index = wineventlog
sourcetype = WinEventLog:Security
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
index = wineventlog
sourcetype = WinEventLog:System

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = wineventlog
sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
renderXml = true

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = wineventlog
sourcetype = XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
# render as XML so the events match the XmlWinEventLog sourcetype
renderXml = true
```

CloudFormation template that creates a multi-region CloudTrail trail, with log file validation enabled, delivering management events and S3 object-level data events to the bucket the SIEM reads from:

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "CloudTrailToSIEM": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "TrailName": "siem-cloudtrail",
        "S3BucketName": "company-cloudtrail-logs",
        "IsLogging": true,
        "IsMultiRegionTrail": true,
        "IncludeGlobalServiceEvents": true,
        "EnableLogFileValidation": true,
        "EventSelectors": [
          {
            "ReadWriteType": "All",
            "IncludeManagementEvents": true,
            "DataResources": [
              {
                "Type": "AWS::S3::Object",
                "Values": ["arn:aws:s3"]
              }
            ]
          }
        ]
      }
    }
  }
}
```

```ini
# props.conf
[custom:firewall:logs]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 30
# Search-time field extraction. The index-time TRANSFORMS- form would also need
# WRITE_META = true in transforms.conf plus fields.conf entries, otherwise no fields are written.
REPORT-firewall = firewall_extract_fields
FIELDALIAS-src = src_addr AS src_ip
FIELDALIAS-dst = dst_addr AS dest_ip
FIELDALIAS-dport = dst_port AS dest_port
EVAL-action = case(fw_action=="allow", "allowed", fw_action=="deny", "blocked", true(), "unknown")
EVAL-vendor_product = "Custom Firewall"
# geo_ip_lookup is a lookup definition that must exist in transforms.conf; OUTPUT fields are space-separated
LOOKUP-geo = geo_ip_lookup ip AS dest_ip OUTPUT country city latitude longitude

# transforms.conf
[firewall_extract_fields]
REGEX = ^(\S+)\s+(\S+)\s+action=(\w+)\s+src=(\S+):(\d+)\s+dst=(\S+):(\d+)\s+proto=(\w+)\s+bytes=(\d+)
FORMAT = timestamp::$1 hostname::$2 fw_action::$3 src_addr::$4 src_port::$5 dst_addr::$6 dst_port::$7 protocol::$8 bytes::$9
```

| Raw field | CIM field | Data model |
|---|---|---|
| src_addr | src_ip | Network_Traffic |
| dst_addr | dest_ip | Network_Traffic |
| dst_port | dest_port | Network_Traffic |
| fw_action | action | Network_Traffic |
| bytes_sent + bytes_recv | bytes | Network_Traffic |
| user_name | user | Authentication |
| login_result | action | Authentication |
| process_path | process | Endpoint |

```spl
# Verify that events are arriving
index=new_source earliest=-1h
| stats count by sourcetype, host, source

# Check field extraction quality (coverage = percentage of events carrying each CIM field)
index=new_source earliest=-1h
| stats count(src_ip) as has_src count(dest_ip) as has_dest count(action) as has_action count by sourcetype
| eval src_coverage=round(has_src/count*100,1)
| eval dest_coverage=round(has_dest/count*100,1)
| eval action_coverage=round(has_action/count*100,1)
```
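As an added example, not code from the original page or the skill itself, the following Python applies the firewall extraction regex and CIM renames from the props.conf/transforms.conf stanzas above to a few constructed log lines, then reproduces the field-coverage and timestamp-lag checks outside Splunk so a parser can be tested before the sourcetype is deployed. The log lines, hostname and addresses are constructed; the 300-second lag threshold is the one used in the validation query.

```python
import re
from datetime import datetime

# Same regex and field order as the transforms.conf stanza above.
FW_REGEX = re.compile(
    r"^(\S+)\s+(\S+)\s+action=(\w+)\s+src=(\S+):(\d+)\s+dst=(\S+):(\d+)"
    r"\s+proto=(\w+)\s+bytes=(\d+)"
)
RAW_FIELDS = ["timestamp", "hostname", "fw_action", "src_addr", "src_port",
              "dst_addr", "dst_port", "protocol", "bytes"]
# Raw-to-CIM renames (the FIELDALIAS entries) and the EVAL-action mapping.
CIM_ALIASES = {"src_addr": "src_ip", "dst_addr": "dest_ip", "dst_port": "dest_port"}
ACTION_MAP = {"allow": "allowed", "deny": "blocked"}

# Constructed sample lines; the third one lacks bytes= and therefore fails extraction.
SAMPLE_LINES = [
    "2024-05-01T10:00:00+0000 fw01 action=allow src=10.0.0.5:51234 dst=93.184.216.34:443 proto=tcp bytes=1540",
    "2024-05-01T10:00:01+0000 fw01 action=deny src=10.0.0.7:40000 dst=198.51.100.9:22 proto=tcp bytes=0",
    "2024-05-01T10:00:02+0000 fw01 action=allow src=10.0.0.9:53000 dst=203.0.113.4:53 proto=udp",
]

def parse_firewall_line(line):
    """Extract raw fields and normalize them to CIM Network_Traffic names; None when the regex misses."""
    m = FW_REGEX.match(line)
    if not m:
        return None
    raw = dict(zip(RAW_FIELDS, m.groups()))
    event = {CIM_ALIASES.get(k, k): v for k, v in raw.items()}
    event["action"] = ACTION_MAP.get(raw["fw_action"], "unknown")
    event["vendor_product"] = "Custom Firewall"
    event["bytes"] = int(raw["bytes"])
    # TIME_FORMAT %Y-%m-%dT%H:%M:%S%z from props.conf, stored as epoch seconds (_time)
    event["_time"] = datetime.strptime(raw["timestamp"], "%Y-%m-%dT%H:%M:%S%z").timestamp()
    return event

def parse_batch(lines):
    """One entry per input line; None entries are extraction misses and count against coverage."""
    return [parse_firewall_line(line) for line in lines]

def field_coverage(parsed, fields=("src_ip", "dest_ip", "action")):
    """Percentage of all events carrying each CIM field, like the stats/eval coverage search."""
    total = len(parsed)
    return {f: round(100 * sum(1 for e in parsed if e and e.get(f) is not None) / total, 1)
            for f in fields}

def max_timestamp_lag(parsed, index_time):
    """Largest |_time - _indextime| in seconds over parsed events; above 300 signals a timestamp problem."""
    return max(abs(e["_time"] - index_time) for e in parsed if e)
```

Running `field_coverage(parse_batch(SAMPLE_LINES))` reports 66.7% for every CIM field because one of the three lines did not match, which is exactly the kind of gap the coverage search above is meant to surface.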

```spl
# Verify CIM compliance (All_Traffic is the root dataset of the Network_Traffic data model)
| datamodel Network_Traffic All_Traffic search
| search sourcetype=new_sourcetype
| stats count by source, sourcetype

# Check for timestamp parsing problems (an average lag above 5 minutes usually means a wrong TIME_FORMAT or timezone)
index=new_source earliest=-1h
| eval time_diff=abs(_time - _indextime)
| stats avg(time_diff) as avg_lag max(time_diff) as max_lag by host
| where avg_lag > 300

# Verify that existing correlation searches work with the new source
# (tstats is a generating command, so the source filter belongs in its where clause)
| tstats count from datamodel=Authentication where sourcetype=new_sourcetype by _time span=1h
| timechart span=1h sum(count) as count
```

```ini
# Create a detection rule specific to this source (savedsearches.conf)
[New Source - Authentication Anomaly]
search = index=new_source sourcetype=new_sourcetype action=failure \
| stats count by src_ip, user \
| where count > 10
# schedule the rule so it actually runs against the new data
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
```