Additional Log Source Support
Support for additional log sources (including custom or application-specific log sources) by submitting a Log Source Request in the Armor Support Portal. Armor will configure ingestion using either the native platform-supported ingestion methods (such as syslog/CEF) or API-based integrations. The process of adding these additional use cases is described below in the section titled “SIEM Rule Lifecycle.”
Overview
Log source support has two major components: schemas and parsers. Schemas define the data model to which data incoming log events are mapped and parsers are the code modules that actually perform the mapping. Armor can create these for you on a professional services basis to add support for your custom or unsupported log sources.
Schemas
Schemas comprise the information model used in our XDR+SOC deployments and define the data structure in which data should be stored or to which data should be projected. This uniform data model ensures that entities are consistently represented and can be consistently queried with regards to property names and types.
Alignment to Open Frameworks
Where possible, Armor aligns to open frameworks and only augments them with custom fields or constructs when absolutely necessary. Our primary base model is the Open-Source Security Events Metadata (OSSEM) and property definitions and conventions are sourced from this framework by default.
Additional, implementation-specific fields (where applicable) may also be sourced from any of these supported frameworks:
- Azure Sentinel Information Model (ASIM)
- Elastic Common Schema (ECS)
- Google Chronicle Unified Data Model
Parsers
Parsers are the platform-specific code modules that are deployed to map data from the raw ingestion format into a format that is compatible with the target schema for each log source. These code modules may be deployed either in the ingestion pipeline to transform data during ingest and store it in the desired format, or may be deployed in the analytics plane where data is dynamically projected into the desired format.
Sample Timeline
| Step | Description | Timeframe* |
|---|---|---|
| Schema Identification | Based on the new log source’s classification, Armor will identify whether or not it matches an existing schema or if a new schema needs to be created. | < 1 day |
| Schema Creation | If one or more new schemas are required, Armor will source a representative sample of the device’s logs and extract the relevant field data and build a schema. | 2-10 days |
| Parser Creation | Parsing code is written to translate raw logs from the new log source into the data model defined in the new and/or an existing schemas. | 2-10 days |
| Ingestion Configuration | Ingestion of the new log source’s events are configured using the appropriate ingestion method (described above). | 1-2 days |
* This information is provided as a general reference and is not intended to be a service guarantee. Each use case is unique and a customized statement of work and use case-specific timeline will be provided prior to commencing work. These timelines may be accelerated on an as-needed basis if an imminent threat exists or is likely to exist.