Infigo SIEM

SIEM for MSSPs and organizations of every size


Infigo IS was founded in 2005 and since then we have been a dedicated infosec company – we've executed numerous offensive operations, implemented hundreds of security solutions (ours and our partners'), and provided consulting services to clients across three continents. Our teams have invested tens of thousands of engineering hours in development, gaining extensive experience in uncovering critical security vulnerabilities, identifying flawed implementations, and recognizing misallocated resources.

We've encountered these issues across a wide range of systems, from small-scale setups to those within billion-dollar enterprises worldwide. These challenges often stem from various sources, including technological shortcomings, unrealistic promises, or compatibility issues. Regardless of the cause, such lapses incur substantial costs in terms of both time and finances for organizations.

And we decided to put an end to that with Infigo SIEM 4.0! You don't have to take our word for it; request a demo (in Splunk Cloud) or trial license (on-premises) and experience it yourself.

You can choose – on-premises or in the cloud


Infigo SIEM (Security Information and Event Management) is available in two versions – on-premises and in the cloud. Both versions deliver identical functionalities, empowering organizations with the freedom of choice that is, more often than not, taken away from them.

Find out more about SIEM in the brochure.

Equipped with advanced features straight out of the box, such as multitenancy, dynamic asset discovery, allowlisting and hidelisting, and a robust threat intelligence module, Infigo SIEM transcends the traditional SIEM functionalities. It stands as more than just a security tool; it's a significant step toward a comprehensive Security Operations Center (SOC).

Infigo IS and Splunk, a great match


We have developed Infigo SIEM on Splunk, the best big data platform out there, leveraging its immense ingestion and data manipulation capabilities with a set of our custom technologies and hundreds of operational scenarios.
Infigo IS has been a Splunk partner since 2009 and was one of the first worldwide partners with Elite Partnerverse Build, Sell, and Manage motions, signifying commitment and a profound technological proficiency and comprehension of Splunk's ecosystem.

Quick Overview


Key Benefits For:


MSSPs

Every Managed Security Service Provider will love multitenancy out of the box; with Infigo SIEM you can easily segregate different tenants (which can have overlapping network ranges) and make SIEM rules trigger per tenant.
Not only that, but Infigo SIEM stores alerts per tenant in different indexes, so there is no chance of data mixing, and it makes data segregation per role easy to implement.
We support central data collection (data is at the central location and rules are triggered there), remote data collection (every tenant has their own data collection and rules are triggered there, with only the alerts forwarded to the central SOC), and a hybrid model (a combination of the aforementioned models).

Organizations

Large organizations can also derive notable advantages from adopting a multitenancy approach, enabling effective segregation among departments or smaller entities within their operational structure.
However, even small organizations can have large numbers of (digital) assets. In that kind of environment, dynamic asset discovery plays a significant role in SIEM efficiency. Knowing exactly which assets are there helps with precise alert classification and response, reduces time to response, reduces false positives, enhances incident investigation, and equips your SIEM with the requisite data to fulfill its designated functions effectively.
We leverage a multitude of technologies ingested in Splunk, such as NMAP, DHCP, and AD, to build an exhaustive asset table cataloging information about each identified asset within the organizational environment.

Compliance

No matter the size of the organization and no matter the industry, almost everybody falls under regulatory bodies, and that means compliance. Infigo SIEM has a robust reporting system that can benefit stakeholders inside and outside of the organization.
Depending on stakeholders' needs, reports can be customized. Whether for security experts, compliance officers, or CEOs, timely and relevant reports can be generated to cater to their specific requirements. Reports can be automatic, ad hoc, or scheduled, and can be sent through email or a ticketing service.

See what is important with Infigo SIEM

Additional features


Feature and short description:

  • Correlation: The main goal of correlation is to connect mutually independent data sources according to common characteristics, to create order out of chaos.
  • Enrichment: We use multiple steps to give data meaning – using internal and external data to enrich and weight information.
  • Incident Investigation: From a high-level overview through specially designed dashboards to single-click drill-down, analysts have all the tools they need to see every incident.
  • Alerting: With alert classification mapped to the MITRE ATT&CK Matrix, and allowlisting and hidelisting, we reduce false positives and give analysts only what is important.
  • Visualization: With a rich and configurable GUI, it is easy to get fast insight into relevant events. Dashboards can present complex searches in a clear graphical form and make any event accessible to a wide range of users.
  • Web-based GUI: GUI access is role-based, because not every user is privy to all information; it supports internal authentication, LDAP, single sign-on, and scripted authentication for external authentication systems.
  • Integration: No matter what the other network components are, our SIEM will seamlessly integrate with them. It can ingest a wide variety of data, human or machine generated.
  • Redundancy and High Availability: Infigo SIEM can be configured for redundancy and high availability; load balancing for fast data searching, index replication (with regards to the local indexing and storage), distributed searches...
  • And much more... Request a demo (in Splunk Cloud) or trial license (on-premises) and experience it yourself.

Infigo SIEM installation procedure


Here you will find the documentation for installing Infigo SIEM 4.x on-premises and in the cloud. The necessary components, the six SIEM-related packages, are hosted on Splunkbase and have to be downloaded from there.
Only the person specified as the license owner can download the applications.

If it suits you better, you can download the installation documentation as a PDF (Cloud or On-Prem).

Introduction


This document contains all necessary information for a successful SIEM installation and upgrade, and covers the Splunk Cloud install. At the end of the document there is a list of additional applications that can be implemented for SIEM clients in order to give them additional usability from SIEM and Splunk. The applications depend on the technologies used by the client, so only install the appropriate applications if the corresponding logs are available.

Minimum specifications for a production deployment


For a Splunk Cloud installation it is recommended to use the Splunk Victoria Experience. If you are installing Splunk and Infigo SIEM directly in the AWS or Azure cloud, please follow the installation instructions for the on-premises install.

After the installation of Infigo SIEM, make sure to change the setting Relative concurrency limit for scheduled searches. Go to Settings → Server settings → Search preferences, and set "Relative concurrency limit for scheduled searches" to 75%.

Installation


The client should download all six of the SIEM-related packages from Splunkbase. Only the person who was specified as the license owner can download the applications.

All of the SIEM packages must be installed on the Search Head through the GUI. In the case of an SHC, the applications should be replicated automatically to all SHC members.
Additionally, install the application Infigo TA SIEM on the indexers. In the case of an indexer cluster, push the application to the IDX cluster using the Cluster Manager.

License Upload


In Infigo SIEM, on the navigation bar click on SIEM → Infigo licensing and upload the license that was provided to the client.
SHC NOTE: It is necessary to do this step on all of the SHC cluster nodes since the license file is not replicated.

General Configuration


Once the applications are installed, go to the UI and click on the Infigo SIEM application. This takes you through the quick default configuration wizard, where any additionally required applications are requested and the default configuration for the installation/upgrade is performed.
SHC NOTE: It is necessary to connect to every SHC instance and click on the Infigo SIEM app in order to initiate the app setup. The setup is shorter on subsequent instances, since it already finished on the first one.

Once the wizard finishes, the General SIEM Settings page opens. Each setting in this section and the recommendation for changing it is explained below:

SIEM alerts configuration

  • SIEM alerts index: By default all alerts arrive in this index, and it serves as a catch-all index for alerts if multitenancy is misconfigured. Do not change this without Infigo PS.
  • Close alerts older than: This setting automatically puts all alerts in closed status after 30 days if they were not classified in time.

SIEM tags configuration

  • Allows the client to choose a default setting for tags in the Alert Review console. By default, tags are not shown in the table in the Alert Review console.

Threat intelligence configuration

  • global_intel.py - Script used to pull all of the different open-source threat intelligence lists and combine them into a single list. Enable this if the instance has access to the internet.
  • top_1m_intel.py - Script used to pull the Cisco Umbrella top 1 million list. Enable this if the instance has access to the internet.

All other settings are related to the proxy. Only clients that use a proxy to access the internet need to set these settings.

WIFI controller configuration

  • soc_org_wifi_controller is a simple macro that specifies an index where the data from WIFI controller is collected.

DHCP Configuration

  • Shows a lookup file with signatures that specify IP lease and IP renewal. If the client is using something other than Microsoft DHCP in the environment, add the appropriate Event Codes to the table.

Additional configuration

  • Shows links to the built-in docs that specify the requirements for additional SIEM rules needing extra configuration to work, which usually requires help from the client.

Macro configuration 

  • In Infigo SIEM navigate to SIEM → Documentation → Alert Center → Manage SIEM Macros. Check all of the macros marked Mandatory Macro Change and, if needed, change the value of the macro to the appropriate value through the Splunk UI: Settings → Advanced search → Search macros.

Data-model acceleration 

  • Based on the resources and available data in the client environment, enable the acceleration of CIM data models. In Splunk Cloud, be careful when enabling acceleration; it is advisable to enable only data models of high importance.

Data Model           Acceleration Period
Authentication       1 Month
Change               1 Month
Email                2 Weeks
Endpoint             1 Month
Intrusion Detection  2 Weeks
Malware              2 Weeks
DNS                  2 Weeks
Network Session      2 Weeks
Network Traffic      1 Week
Web                  1 Week

  • For the acceleration periods in this guideline, take into consideration that the additional required disk space can be estimated with the formula License_Size * 1.5. For example, acceleration for a license size of 100 GB should not take up more than 150 GB.
  • Based on the accelerated data models, change the summariesonly* macros specified in infigo_sa_siem_alert_center from summariesonly=false to summariesonly=true.

Role Assignment

In order for users to be able to use Infigo SIEM, three roles have been devised. Make sure to assign these roles to the appropriate users; do not inherit the roles.

  • infigo_siem_admin → User can do anything in Infigo SIEM
  • infigo_siem_analyts → User has access to everything except the configuration page
  • infigo_siem_user → User cannot whitelist alerts or edit rules, and does not have access to some of the advanced features.

Configuring multitenancy MANDATORY

Infigo SIEM supports multitenancy, and the feature is enabled by default, since rules and dashboards are multitenant aware and require this information; otherwise they would not work properly.
In order for SIEM rules and dashboards to work, it is mandatory to introduce one indexed field called source_tenant. This indexed field needs to exist in every source that is collected in Splunk, and it can be created in a number of ways. Here we cover a few scenarios with different architectures.

Single instance architecture

In the case of a Single Instance Splunk deployment that does not have any Heavy Forwarders sending data from different organizations/tenants, the easiest and simplest solution is to simply create a new application with the following inputs.conf stanza:
Inputs.conf stanza
[default]
_meta = source_tenant::name_of_your_tenant
 
This stanza adds the field source_tenant with the specified value to all arriving data. It is recommended to keep the naming simple. In the case of Infigo, we would have the following stanza:
Inputs.conf stanza
[default]
_meta = source_tenant::infigo_production
 
This will add a field source_tenant with a value infigo_production to every event.

Environment with two organizations sending data to a central Indexer cluster that is also a tenant

In this example we have three companies: Infigo Central, Infigo West, and Infigo East. Infigo West and Infigo East send data to Infigo Central for log storage and security monitoring by the MSSP.
In order to distinguish the SIEM alerts that trigger, every organization will be a tenant. Here is an example architecture diagram for this scenario.


On Heavy Forwarder in Infigo East the inputs.conf configuration would be:
Inputs.conf stanza
[default]
_meta = source_tenant::infigo_east
 
On Heavy Forwarder in Infigo West the inputs.conf configuration would be:
Inputs.conf stanza
[default]
_meta = source_tenant::infigo_west
 
On Heavy Forwarder in Infigo Central the inputs.conf configuration would be:
Inputs.conf stanza
[default]
_meta = source_tenant::infigo_central

A Heavy Forwarder in Infigo Central is necessary because adding a [default] inputs.conf stanza on the indexers would result in duplicated source_tenant fields for Infigo East and Infigo West: data from Infigo East would have both "infigo_east" and "infigo_central" as values of source_tenant.
If having a Heavy Forwarder in Infigo Central is not an option, it is possible to remove it, but in that scenario all forwarders and other inputs in Infigo Central need to have the _meta stanza for every host that is sending data. This is easy for forwarders, since you can simply push the [default] stanza to them with the deployment server.

Environment with two organizations sending only SIEM alerts to a central Indexer cluster that is also a tenant

In this example we again have three organizations, but each of them has its own SIEM instance running the alerts, while the central SOC is in Infigo Central, so Infigo West and Infigo East forward only the alerts to Infigo Central.
This architecture requires the setup procedure described for the single instance in each organization. Alerts that arrive in Infigo Central will already carry the field source_tenant from the sister organizations, and everything will work as intended.
This architecture makes investigation in the sister companies more difficult, since the central SOC does not have access to the underlying data. This can be mitigated by implementing federated search; more about that can be read in the official Splunk documentation.

Configuring SIEM multitenancy indexes MANDATORY

In order to maintain separation of alerts based on tenant, it is mandatory to define an index for each tenant. Index definitions MUST exist on both the SIEM Search Head and the Indexers.
Indexes MUST be named in the following manner: <source_tenant>_siem_alerts
In our example above, that would be:
  • infigo_central_siem_alerts
  • infigo_west_siem_alerts
  • infigo_east_siem_alerts

These index definitions need to exist on both Search Heads and Indexers.
In the architecture where only alerts are forwarded to the central SOC, make sure that the alerts for each tenant arrive in the corresponding index.

Enabling and configuring SIEM rules

Most of the SIEM rules and dashboards leverage CIM data models for searching the data. Make sure that all of the security data is mapped to CIM data models in order to get maximum information from your SIEM.

The list of SIEM rules is available in Infigo SIEM → Alert Center → Rule Manager. Information about the required log sources for specific rules is available in the built-in documentation: in Infigo SIEM navigate to SIEM → Documentation → SIEM Rules, where every rule is documented under its security domain. Enable the rules based on the log sources available in the client environment. Searches in infigo_sa_siem_content whose names begin with the prefix Lookup Gen generate a lookup table for a specific rule; these are enabled by default.

Once the rules are running, find the noisiest rules and whitelist false positives; a rule that generates more than 500 alerts daily is a good candidate for whitelisting. A good place to see which combination of results generates the highest number of alerts is the SIEM Incident Audit dashboard, available under the SIEM tab in the navigation bar. The panel Most Active Rules Split by Asset lists rules with common noisy field values; if the values indicate a false positive, perform allowlisting through the Alert Console. The whitelisting process is described in SIEM → Documentation → Alert Center → Allowlist false positive alerts. Some alerts may be harder to whitelist, and the client's assistance will be required to determine whether specific behavior is expected in the environment.

Collecting asset and identity data

Infigo SIEM supports both automatic and static collection of asset information. In Infigo SIEM, in the navigation bar go to SIEM → Documentation → Automatic Collection of Asset and Identity Data to find all the different ways to collect asset and identity data in Splunk. Implement as many of the collection methods specified in that document as possible, as this makes the asset data as precise as possible. That document references three applications that can be pushed to forwarders for data collection. Please download them here: asset_discovery_suf_apps.zip.

Implementation Validation

  • Once all data has been onboarded and normalized to CIM, go through every SIEM dashboard and note whether any panel is not working. If a panel fails for any reason other than lack of data or bad parsing, report the problem to siem@infigo.is.
  • Verify that assigning alerts works in the Alert Review console.
  • Verify that the following tables have data; if they do not, troubleshoot why there is no data.

Lookup Table             Filled By
soc_org_assets           Created by search Lookup Gen - IAM - Asset - Merge Assets
soc_org_assets_ad        Requires configured Splunk Supporting Add-on for Active Directory
soc_org_assets_nmap      Requires collected NMAP data as described in Collecting asset and identity data
soc_org_assets_splunk    Requires collected data from Splunk agents as described in Collecting asset and identity data
soc_org_identities       Created by search Lookup Gen - IAM - Identities - Merge Identities
soc_org_identities_ad    Requires configured Splunk Supporting Add-on for Active Directory
soc_org_networks         Created by search Lookup Gen - IAM - Network - Merge Network Zone
soc_org_network_agents   Requires collected data from Splunk agents as described in Collecting asset and identity data

Providing additional value to SIEM implementations

It is recommended to provide the customer with additional content and SIEM integrations in order to enrich the usage of Splunk and Infigo SIEM.
Here is the list of applications that can additionally be installed in the client environment to enrich the usage of Splunk and SIEM, based on the ingested data:

Application                                               Ingested Data
Blue team app for Office 365 and Azure                    Azure Audit Logs and O365 Message Trace
Splunk Dashboard Examples                                 Any
Palo Alto Networks App for Splunk                         Palo Alto
Fortinet FortiGate App for Splunk                         Fortinet
Cisco Networks App for Splunk Enterprise                  Cisco
Boss of the SOC (BOTS) Investigation Workshop for Splunk  Any

Introduction


This document contains all necessary information for a successful SIEM installation and upgrade, and covers the on-premises install. A Search Head cluster installation is performed as for any other Splunk application that needs to be pushed through the deployer. At the end of the document there is a list of additional applications that can be implemented for SIEM clients in order to give them additional usability from SIEM and Splunk. The applications depend on the technologies used by the client, so only install the appropriate applications if the corresponding logs are available.

Minimum specifications for a production deployment


Infigo SIEM requires some minimum specifications that you can increase according to your needs and usage. These specifications also apply to a single-instance deployment of Infigo SIEM.
Review the following minimum system and hardware requirements before installing Infigo SIEM:

Machine role   Minimum CPU    Minimum RAM
Search head    16 CPU cores   24 GB
Indexer        16 CPU cores   16 GB

The minimum hardware specifications to run Infigo SIEM on search head cluster peers are the same as those required by standalone deployments.
After the installation of Infigo SIEM, make sure to change the setting Relative concurrency limit for scheduled searches. Go to Settings → Server settings → Search preferences, and set "Relative concurrency limit for scheduled searches" to 75%.

Installation


The client should download all six of the SIEM-related packages from Splunkbase. Only the person who was specified as the license owner can download the applications.

All of the SIEM packages must be installed on the Search Head. In the case of a Splunk Search Head cluster, push all of the applications to the SHC with the deployer.
Additionally, install the application Infigo TA SIEM on the indexers. In the case of an indexer cluster, push the application to the IDX cluster using the Cluster Manager.

License Upload


In Infigo SIEM, on the navigation bar click on SIEM → Infigo licensing and upload the license that was provided to the client.
SHC NOTE: It is necessary to do this step on all of the SHC cluster nodes since the license file is not replicated.

General Configuration 


Once the applications are installed, go to the UI and click on the Infigo SIEM application. This takes you through the quick default configuration wizard, where any additionally required applications are requested and the default configuration for the installation/upgrade is performed.
SHC NOTE: It is necessary to connect to every SHC instance and click on the Infigo SIEM app in order to initiate the app setup. The setup is shorter on subsequent instances, since it already finished on the first one.
Once the wizard finishes, the General SIEM Settings page opens. Each setting in this section and the recommendation for changing it is explained below:

SIEM alerts configuration


  • SIEM alerts index: By default all alerts arrive in this index, and it serves as a catch-all index if multitenancy is misconfigured. Do not change this without Infigo PS.
  • Close alerts older than: This setting automatically puts all alerts in closed status after 30 days if they were not classified in time.

SIEM tags configuration


  • Allows the client to choose a default setting for tags in the Alert Review console. By default, tags are not shown in the table in the Alert Review console.

Threat intelligence configuration


  • global_intel.py - Script used to pull all of the different open-source threat intelligence lists and combine them into a single list. Enable this if the instance has access to the internet.
  • top_1m_intel.py - Script used to pull the Cisco Umbrella top 1 million list. Enable this if the instance has access to the internet.

All other settings are related to the proxy. Only clients that use a proxy to access the internet need to set these settings.

WIFI controller configuration

  • soc_org_wifi_controller is a simple macro that specifies an index where the data from WIFI controller is collected.

DHCP Configuration

  • Shows a lookup file with signatures that specify IP lease and IP renewal. If the client is using something other than Microsoft DHCP in the environment, add the appropriate Event Codes to the table.

Additional configuration

  • Shows links to the built-in docs that specify the requirements for additional SIEM rules needing extra configuration to work, which usually requires help from the client.

Macro configuration 

  • In Infigo SIEM navigate to SIEM → Documentation → Alert Center → Manage SIEM Macros. Check all of the macros marked Mandatory Macro Change and, if needed, change the value of the macro to the appropriate value through the Splunk UI: Settings → Advanced search → Search macros.

Data-model acceleration

  • Based on the resources and available data in the client environment, enable the acceleration of CIM data models. This should be enabled if the client meets the hardware requirements for Infigo SIEM.

Data Model           Acceleration Period
Authentication       1 Month
Change               1 Month
Email                2 Weeks
Endpoint             1 Month
Intrusion Detection  2 Weeks
Malware              2 Weeks
DNS                  2 Weeks
Network Session      2 Weeks
Network Traffic      1 Week
Web                  1 Week

  • For the acceleration periods in this guideline, take into consideration that the additional required disk space can be estimated with the formula License_Size * 1.5. For example, acceleration for a license size of 100 GB should not take up more than 150 GB.
  • Based on the accelerated data models, change the summariesonly* macros specified in infigo_sa_siem_alert_center from summariesonly=false to summariesonly=true.

Role Assignment

In order for users to be able to use Infigo SIEM, three roles have been devised. Make sure to assign these roles to the appropriate users; do not inherit the roles.

  • infigo_siem_admin → User can do anything in Infigo SIEM
  • infigo_siem_analyts → User has access to everything except the configuration page
  • infigo_siem_user → User cannot whitelist alerts or edit rules, and does not have access to some of the advanced features.

Configuring multitenancy MANDATORY

Infigo SIEM supports multitenancy, and the feature is enabled by default, since rules and dashboards are multitenant aware and require this information; otherwise they would not work properly.
In order for SIEM rules and dashboards to work, it is mandatory to introduce one indexed field called source_tenant. This indexed field needs to exist in every source that is collected in Splunk, and it can be created in a number of ways. Here we cover a few scenarios with different architectures.

Single instance architecture 


In the case of a Single Instance Splunk deployment that does not have any Heavy Forwarders sending data from different organizations/tenants, the easiest and simplest solution is to simply create a new application with the following inputs.conf stanza:
Inputs.conf stanza
[default]
_meta = source_tenant::name_of_your_tenant
 
This stanza adds the field source_tenant with the specified value to all arriving data. It is recommended to keep the naming simple. In the case of Infigo, we would have the following stanza:
Inputs.conf stanza
[default]
_meta = source_tenant::infigo_production
 
This will add a field source_tenant with a value infigo_production to every event.

Environment with two organizations sending data to a central Indexer cluster that is also a tenant


In this example we have three companies: Infigo Central, Infigo West, and Infigo East. Infigo West and Infigo East send data to Infigo Central for log storage and security monitoring by the MSSP.
In order to distinguish the SIEM alerts that trigger, every organization will be a tenant. Here is an example architecture diagram for this scenario.

On Heavy Forwarder in Infigo East the inputs.conf configuration would be:
Inputs.conf stanza
[default]
_meta = source_tenant::infigo_east

On Heavy Forwarder in Infigo West the inputs.conf configuration would be:
Inputs.conf stanza
[default]
_meta = source_tenant::infigo_west
 
On Heavy Forwarder in Infigo Central the inputs.conf configuration would be:
Inputs.conf stanza
[default]
_meta = source_tenant::infigo_central
 
A Heavy Forwarder in Infigo Central is necessary because adding a [default] inputs.conf stanza on the indexers would result in duplicated source_tenant fields for Infigo East and Infigo West: data from Infigo East would have both "infigo_east" and "infigo_central" as values of source_tenant.

If having a Heavy Forwarder in Infigo Central is not an option, it is possible to remove it, but in that scenario all forwarders and other inputs in Infigo Central need to have the _meta stanza for every host that is sending data. This is easy for forwarders, since you can simply push the [default] stanza to them with the deployment server.

Environment with two organizations sending alerts to a central Indexer cluster that is also a tenant


In this example we again have three organizations, but each of them has its own SIEM instance running the alerts, while the central SOC is in Infigo Central, so Infigo West and Infigo East forward only the alerts to Infigo Central.
This architecture requires the setup procedure described for the single instance in each organization. Alerts that arrive in Infigo Central will already carry the field source_tenant from the sister organizations, and everything will work as intended.
This architecture makes investigation in the sister companies more difficult, since the central SOC does not have access to the underlying data. This can be mitigated by implementing federated search; more about that can be read in the official Splunk documentation.

Configuring SIEM multitenancy indexes MANDATORY


In order to maintain separation of alerts based on tenant, it is mandatory to define an index for each tenant. Index definitions MUST exist on both the SIEM Search Head and the Indexers.
Indexes MUST be named in the following manner: <source_tenant>_siem_alerts
In our example above, that would be:

  • infigo_central_siem_alerts
  • infigo_west_siem_alerts
  • infigo_east_siem_alerts

These index definitions need to exist on both Search Heads and Indexers.
In the architecture where only alerts are forwarded to the central SOC, make sure that the alerts for each tenant arrive in the corresponding index.
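The multitenancy requirements above (the source_tenant indexed field set via _meta, the <source_tenant>_siem_alerts index convention, and the duplication caused by a [default] _meta stanza on indexers) are the same in the cloud and on-premises sections and can be checked before go-live. The script below is an added example and not Infigo's own tooling; the inputs.conf and indexes.conf bodies are constructed samples modelled on the Infigo Central/East/West scenario, and the assumption that each hop with a [default] _meta stanza contributes one source_tenant value follows the behaviour described in the text.

```python
"""Pre-deployment check for the Infigo SIEM multitenancy setup (added example, not
Infigo's own tooling). It parses the inputs.conf `_meta = source_tenant::<tenant>`
stanzas and indexes.conf described above; all file bodies are constructed samples."""
import re
from typing import Dict, Iterable, List, Set

# _meta may carry several indexed fields separated by spaces; pick source_tenant.
SOURCE_TENANT_RE = re.compile(r"source_tenant::(\S+)")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf files: [stanza] headers and key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def tenants_from_inputs(inputs_conf: str) -> Set[str]:
    """Every source_tenant value that an inputs.conf sets via _meta (any stanza)."""
    tenants: Set[str] = set()
    for settings in parse_conf(inputs_conf).values():
        tenants.update(SOURCE_TENANT_RE.findall(settings.get("_meta", "")))
    return tenants


def source_tenants_on_path(hops: Iterable[str]) -> List[str]:
    """source_tenant values picked up along one data path (forwarder -> heavy
    forwarder -> indexer): each hop whose [default] stanza sets _meta adds its value.
    More than one value is the duplication caused by a [default] _meta on indexers."""
    values: List[str] = []
    for conf in hops:
        meta = parse_conf(conf).get("default", {}).get("_meta", "")
        values.extend(SOURCE_TENANT_RE.findall(meta))
    return values


def missing_alert_indexes(tenants: Set[str], indexes_conf: str) -> Set[str]:
    """Per-tenant <source_tenant>_siem_alerts indexes that indexes.conf does not define."""
    defined = set(parse_conf(indexes_conf))
    return {f"{t}_siem_alerts" for t in tenants} - defined


def misrouted_alerts(alerts: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Alerts (e.g. forwarded from sister SIEMs) that did not land in their tenant's index."""
    # An alert without source_tenant compares against "None_siem_alerts" and is flagged too.
    return [a for a in alerts if a.get("index") != f"{a.get('source_tenant')}_siem_alerts"]


# --- constructed samples modelled on the Infigo Central / East / West example ---
HF_EAST = "[default]\n_meta = source_tenant::infigo_east\n"
HF_WEST = "[default]\n_meta = source_tenant::infigo_west\n"
HF_CENTRAL = "[default]\n_meta = source_tenant::infigo_central\n"
INDEXER_OK = "[splunktcp://9997]\ndisabled = 0\n"
INDEXER_BAD = HF_CENTRAL + INDEXER_OK  # indexer wrongly carrying its own [default] _meta
INDEXES_CONF = """[infigo_central_siem_alerts]
homePath = $SPLUNK_DB/infigo_central_siem_alerts/db
coldPath = $SPLUNK_DB/infigo_central_siem_alerts/colddb
thawedPath = $SPLUNK_DB/infigo_central_siem_alerts/thaweddb

[infigo_east_siem_alerts]
homePath = $SPLUNK_DB/infigo_east_siem_alerts/db
coldPath = $SPLUNK_DB/infigo_east_siem_alerts/colddb
thawedPath = $SPLUNK_DB/infigo_east_siem_alerts/thaweddb
"""  # infigo_west_siem_alerts was forgotten
SAMPLE_ALERTS = [
    {"index": "infigo_east_siem_alerts", "source_tenant": "infigo_east"},
    {"index": "infigo_central_siem_alerts", "source_tenant": "infigo_west"},  # wrong index
    {"index": "infigo_central_siem_alerts"},  # source_tenant missing entirely
]


def run_checks() -> Dict[str, object]:
    """Run every check over the samples and return the findings."""
    tenants: Set[str] = set()
    for conf in (HF_EAST, HF_WEST, HF_CENTRAL):
        tenants |= tenants_from_inputs(conf)
    return {
        "tenants": tenants,
        "missing_indexes": missing_alert_indexes(tenants, INDEXES_CONF),
        "east_path_with_indexer_meta": source_tenants_on_path([HF_EAST, INDEXER_BAD]),
        "east_path_clean": source_tenants_on_path([HF_EAST, INDEXER_OK]),
        "misrouted_alerts": misrouted_alerts(SAMPLE_ALERTS),
    }

if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Point the parser at the real inputs.conf of every heavy forwarder and indexer and at the deployed indexes.conf to run the same checks against a live configuration.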

Enabling and configuring SIEM rules


Most of the SIEM rules and dashboards leverage CIM data models for searching the data. Make sure that all of the security data is mapped to CIM data models in order to get maximum information from your SIEM.
The list of SIEM rules is available in Infigo SIEM → Alert Center → Rule Manager. Information about the required log sources for specific rules is available in the built-in documentation: in Infigo SIEM navigate to SIEM → Documentation → SIEM Rules, where every rule is documented under its security domain. Enable the rules based on the log sources available in the client environment. Searches in infigo_sa_siem_content whose names begin with the prefix Lookup Gen generate a lookup table for a specific rule; these are enabled by default.
Once the rules are running, find the noisiest rules and whitelist false positives; a rule that generates more than 500 alerts daily is a good candidate for whitelisting. A good place to see which combination of results generates the highest number of alerts is the SIEM Incident Audit dashboard, available under the SIEM tab in the navigation bar. The panel Most Active Rules Split by Asset lists rules with common noisy field values; if the values indicate a false positive, perform allowlisting through the Alert Console. The whitelisting process is described in SIEM → Documentation → Alert Center → Allowlist false positive alerts. Some alerts may be harder to whitelist, and the client's assistance will be required to determine whether specific behavior is expected in the environment.

Collecting asset and identity data


Infigo SIEM supports both automatic and static collection of asset information. In Infigo SIEM, in the navigation bar go to SIEM → Documentation → Automatic Collection of Asset and Identity Data to find all the different ways to collect asset and identity data in Splunk. Implement as many of the collection methods specified in that document as possible, as this makes the asset data as precise as possible. That document references three applications that can be pushed to forwarders for data collection. Please download them here: asset_discovery_suf_apps.zip.

Implementation Validation


  • Once all data has been onboarded and normalized to CIM, go through every SIEM dashboard and note whether any panel is not working. If a panel fails for any reason other than lack of data or bad parsing, report the problem to siem@infigo.is.
  • Verify that assigning alerts works in the Alert Review console.
  • Verify that the following tables have data; if they do not, troubleshoot why there is no data.

Lookup Table             Filled By
soc_org_assets           Created by search Lookup Gen - IAM - Asset - Merge Assets
soc_org_assets_ad        Requires configured Splunk Supporting Add-on for Active Directory
soc_org_assets_nmap      Requires collected NMAP data as described in Collecting asset and identity data
soc_org_assets_splunk    Requires collected data from Splunk agents as described in Collecting asset and identity data
soc_org_identities       Created by search Lookup Gen - IAM - Identities - Merge Identities
soc_org_identities_ad    Requires configured Splunk Supporting Add-on for Active Directory
soc_org_networks         Created by search Lookup Gen - IAM - Network - Merge Network Zone
soc_org_network_agents   Requires collected data from Splunk agents as described in Collecting asset and identity data

Providing additional value to SIEM implementations


It is recommended to provide the customer with additional content and SIEM integrations in order to enrich the usage of Splunk and Infigo SIEM.
Here is the list of applications that can additionally be installed in the client environment to enrich the usage of Splunk and SIEM, based on the ingested data:

Application                                               Ingested Data
Blue team app for Office 365 and Azure                    Azure Audit Logs and O365 Message Trace
Splunk Dashboard Examples                                 Any
Palo Alto Networks App for Splunk                         Palo Alto
Fortinet FortiGate App for Splunk                         Fortinet
Cisco Networks App for Splunk Enterprise                  Cisco
Boss of the SOC (BOTS) Investigation Workshop for Splunk  Any