Capricorn

Photo posted by chris on Oct 13, 2016

Capricorn server

Capricorn’s primary function is to provide security professionals with real time alert, analysis, triage of events as they come into the organisation. In SIEMonster Capricorn provides a single instance for alerting via email, SNS, Slack and PagerDuty. Think of Capricorn as the visual interface of all alerts, Kibana dashboards and real time events. Kibana provides the dashboard view for the events captured in the database on the cluster Capricorn also runs Alerta and 411 for Incident ticketing. 

Capricorn retains a volatile (short life) stream of data 12/24hrs (configurable up or down) queried from Proteus for instant alerting on rules within your organisation. The security operations staff will respond to these alerts. Alert data is also fed back into the SIEM for long term storage to Kraken and Tiamat. In this way traditional SIEM correlation searches and analysis can be performed over long periods of time.

.

 

Name Origins

The Babylonians connected the Zodiac sign and the constellation with the mythological animal, sort of a mermaid goat. They called it the Goat-Fish. Here is a feature of the goat that deserves special attention in our understanding of this sign. The name 'Capricorn' draws our attention to it and comes from the Latin caper ('goat') and cornu ('horn') - literally 'the Goat's horn'. In the ancient world horns were symbols of royalty, strength and power, as well as fertility and abundance. Cornucopia in mythology was the goat Amalthea who nourished the infant Jupiter with her milk, though the term remains in use today as the 'copious horn' or 'horn of plenty' which symbolises prosperity and growth. The goat is one of the three horned creatures in the zodiac; these were also the creatures celebrated in ancient religious festivals and used in sacrifice to draw power from the gods. The use of the goat as a 'scapegoat' in the biblical ritual of Atonement (seethe star lore of Capricorn) has led to goat deities accumulating a reputation as icons of evil occult powers rather than the neutral symbols of earthly fertility and focused power that was implicit in the older customs.

 

Software Overview Function Table

 

Capricorn

Function

411

Event Management Stream/Alerting Real Time alerts

Kibana

Visualization tool through a Browser (Dashboards)

Minemeld / OSINT

Open Source Threat Intelligence

Slack

Optional Alerting to Mobile Devices for groups of Sec pros privately

Elastalert/Siren

 Alerting system for integration into SMS/Email/Slack etc.

FIR Fast Incident Response

Ticketing system for incidents and investigations

 

Software Detail Function Table

Software

Function

411

411 is an open source logging and event management engine. Due to its’ extensive Stream and Pipeline features and intuitive GUI, alerts can be easily configured by end users. The provided Slack & Pagerduty plugins provide notification to private channels easily viewable on a smart phone or tablet. LDAP Integration is also provided along with role based access for sharing/monitoring of data along with alert visualisation within the 411 dashboard schema.

Kibana

Kibana is Elasticsearch’s data visualization engine, allowing you to natively interact with all your data in Elasticsearch via custom dashboards. Kibana’s dynamic dashboard panels are saveable, shareable and exportable, displaying changes to queries into Elasticsearch in real-time. You can perform data analysis in Kibana’s user interface using pre-designed dashboards or update these dashboards in real-time for on-the-fly data analysis.

Slack 

Security analysts can receive critical alerts outside of the SIEM infrastructure with Slack integration. By using a private channel in Slack, alerts can be sent to a security or management team for the operator to get alerts on their Phone/IPAD or Desktop. Kustodian uses the 411 configuration option to integrate alerting into Slack. Clean messages are sent, containing only relevant ES fields such as who what and when. This is so that alerts can be quickly read from mobile devices, i.e. “Login Failure Rule: Failed login from 93.174.93.17. Apparently, someone from the Netherlands tried to login as aloha”

PA Minemeld / OSINT

SIEMonster provides OSINT (Open-Source Intelligence) threat intelligence gathering from PA Minemeld feed aggregation and support for BRO NIDS and SNORT. OSINT data is sent to the SIEM and is used by security analysts for event context attack prediction, prevention and detective controls with real time visualization and alerting.

 

Elastalert

A secondary alert system, ElastAlert works by querying Elasticsearch with configured rules. It periodically queries Elasticsearch depending on the rule type, which determines when a match is found in Elasticsearch. When a match occurs, it is given to one or more alerts, which take action based on the match. This is configured by a set of rules, each of which defines a query, a rule type, and a set of alerts.

FIR

FIR is tracking system used for bug tracking, help desk ticketing, customer service, workflow processes, change management, network operations. FIR has been included into SIEMonster to record, report, and escalate Incident Responses to other security analysts for example Level 1 support to Level 2 support. Also allows for stock answers, FAQ’s and best practice article storage.

 

 

 

Default IP addresses and Passwords

Server Name

IP Address

Subnet

Gateway

Capricorn

192.168.0.104

255.255.255.0

192.168.0.1

 

 

Host

User

Password

Access

192.168.0.104

siemonster

siemonster

SSH/Local Access

Capricorn Kibana

siemonster

siemonster

https:// 192.168.0.104

411 Alerting

admin

admin

https://192.168.0.104/411

Incident Response

admin

admin

https://192.168.0.104/ir

Minemeld

admin

minemeld

https://192.168.0.104/minemeld

Photo Details

  • File size
  • 286.9 KB
  • Photo size
  • 1500x1200

Outcomes