Hey everybody,

Before I am going to open a case in the cloud console, I thought I'd ask the community if somebody faced the same question/also wondered.

SIEM Feeds imho are a very powerful feature. The time to onboard stuff with them is incredibly small, and there is no additional infrastructure needed to ingest data with this. In a world where more and more security products become SaaS-based or cloud-based, it is a no-brainer to use SIEM Feeds instead of a custom piece of code to pull the data from a third-party product and ingest it via the Ingestion API.

Does someone know why it isn't possible to add your own custom Feeds or even modify existing ones, like you can build parser extensions?

There are a few feeds which are NEARLY sufficient for our use cases, but not quite there to use them properly. For example, a missing attribute which can't be added to the request even though the third-party API would allow it. To be a little bit more concrete: the Qualys VM Feed does not give the opportunity to set tags, which the Qualys VM API could handle.

Is there a plan to allow custom feeds in the future?

Best regards and thanks in advance

Tim

AFAIK, we are not going to have custom feeds. In your specific case you may open a support case to modify the existing feed to add tags. I don't think we are creating new feeds either. We are moving towards having the third-party integrations use the APIs available via GitHub, where you can see some of the existing integrations.


Thank you very much for the reply!

Besides opening a case, do you know if the publicly made integrations/feeds on GitHub will then be open to pull requests which will be deployed into the SIEM? Or will it just be a mirror to understand what's happening inside the integrations?
