Adding Custom Security Technologies

Security Technologies information will show up in MSV Director detections in the job results and reports.

Their metadata is already defined in MSV under Director Settings > Security Technologies > Default Config.

For example, this is an excerpt from the definition for CrowdStrike Falcon:


The definition provided gives us some information on how the tool is identified:

  • Metadata: vendor name, logo, type, ...
  • Discovery: this is how the Actor/Director infers that CrowdStrike Falcon exists on a host or in the logs. The discovery is done via the "endpoint" (if the MSV Actor detects a service with the name "CSFalconService") or via Splunk (if the MSV Director fetched events with a field named _sourcetype with the value "crowdstrike:falconhost:json").
  • Prevention: this is how the Actor/Director confirms that the event was blocked by the security technology. This is done using a regex over the log fields. In this example, the MSV Director will report that the tool blocked the action when the "Blocked" or "Terminated" keywords exist in the SIEM log description field.
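To make the three parts of a definition concrete, here is an added example (not code from the post, and not MSV's own schema or engine) that models a definition as a plain dictionary and evaluates it against constructed host and log data the way the post describes: discovery via a service name or a Splunk _sourcetype value, and prevention via a regex over the description field. The key names ("metadata", "discovery", "prevention", "services", "field", "values", "regex") are illustrative assumptions, not the real configuration keys.

```python
import re

# Constructed, hypothetical definition mirroring the three parts described in
# the post. The key names are illustrative and are NOT MSV's real schema.
FALCON_DEF = {
    "metadata": {"vendor": "CrowdStrike", "name": "Falcon", "type": "EDR"},
    "discovery": {
        # endpoint discovery: a service name the Actor would see on the host
        "endpoint": {"services": ["CSFalconService"]},
        # SIEM discovery: a field/value pair the Director would see in events
        "splunk": {"field": "_sourcetype", "values": ["crowdstrike:falconhost:json"]},
    },
    # prevention: regex over a log field; \b avoids matching e.g. "Unblocked"
    "prevention": {"field": "description", "regex": r"\b(Blocked|Terminated)\b"},
}


def discovered_on_host(definition, running_services):
    """Endpoint discovery: true if any configured service name is running."""
    wanted = set(definition["discovery"]["endpoint"]["services"])
    return bool(wanted & set(running_services))


def attributable(definition, event):
    """True if the event comes from this technology's own log source."""
    rule = definition["discovery"]["splunk"]
    return event.get(rule["field"]) in rule["values"]


def discovered_in_logs(definition, events):
    """SIEM discovery: true if any fetched event carries the configured field/value."""
    return any(attributable(definition, ev) for ev in events)


def prevented(definition, event):
    """Prevention check: regex over the configured field of an event from this
    technology. Events from other sources are ignored so that a 'Blocked' string
    from an unrelated log is not credited to this tool; a missing field is False."""
    if not attributable(definition, event):
        return False
    rule = definition["prevention"]
    text = event.get(rule["field"], "")
    return re.search(rule["regex"], text, re.IGNORECASE) is not None


def evaluate(definition, running_services, events):
    """Summarise discovery and per-event prevention, as a job result would."""
    return {
        "discovered": discovered_on_host(definition, running_services)
        or discovered_in_logs(definition, events),
        "blocked": [i for i, ev in enumerate(events) if prevented(definition, ev)],
    }


# Constructed sample data: services seen on a host and events fetched from the SIEM.
SAMPLE_SERVICES = ["wuauserv", "CSFalconService"]
SAMPLE_EVENTS = [
    {"_sourcetype": "crowdstrike:falconhost:json", "description": "Process Terminated by policy"},
    {"_sourcetype": "crowdstrike:falconhost:json", "description": "Detection only, no action taken"},
    {"_sourcetype": "crowdstrike:falconhost:json", "description": "File Unblocked after review"},
    {"_sourcetype": "WinEventLog:Security", "description": "Connection Blocked"},
]

if __name__ == "__main__":
    print(evaluate(FALCON_DEF, SAMPLE_SERVICES, SAMPLE_EVENTS))
```

Two details worth carrying into a real definition: anchor the prevention regex with word boundaries so that strings such as "Unblocked" do not count as a block, and only apply the prevention rule to events that the discovery rule attributes to the technology, otherwise a "Blocked" keyword from an unrelated log source is credited to the wrong tool.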

The easiest way to define a custom security technology is to use the "Add Template" option, then copy-paste a similar template into the "Client-Specific Config" tab.


Clicking on the square icon allows you to edit or add JSON keys in the definition file. The definition file is a YAML file that can be imported and exported for version control and backup.
