Chronicle SOAR Services To Monitor

Siemplify.Connectors.service – runs the connectors inside Siemplify.
Siemplify.Server.ETL.DataProcessingEngine.service – ingests the JSON cases that contain the raw alert data events.
Siemplify.Server.Indexer.service – indexes the data in the Siemplify platform.
Siemplify.Server.PlaybookActions.service – runs the playbooks (automation).
Siemplify.Server.PythonExecution.service – executes the Python code: for every action, job and connector written in Python, this service makes sure the Python code runs correctly.
Siemplify.Server.service – runs the platform server components, for example login and settings.

Additional Services to Monitor

PostgreSQL – the database service, typically named ‘postgresql-10.service’.
Nginx – responsible for the web application interface.
Postfix – responsible for sending email.

Check status of each service

systemctl status <service_name>
For example: systemctl status Siemplify.Connectors.service

Obtain additional system logs

journalctl -u <service_name> -r
For example: journalctl -u Siemplify.Connectors.service -r

The following journalctl options are useful:
‘-r’ to view the logs in reverse chronological order, newest at the top.
‘-u’ to show only the entries from a specific service.
‘-n 50’ to view only the last 50 entries.
‘-f’ to keep streaming the logs in real time.
‘--utc’ to show timestamps in UTC. Press ‘q’ to leave the pager.

To write the logs output to a file – use the following command:
journalctl -u Siemplify.Server.service -r > /tmp/service.txt

Note that BEFORE running these log commands you should set the host server's timezone to UTC; the logs will then also carry UTC timestamps (which may differ from the timezone of the local security analyst). The ‘--utc’ option above does the same for a single journalctl invocation without changing the host timezone.
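The script below is an added example (my own code, not part of Chronicle SOAR) that ties the status check and the log retrieval together: it asks systemd for the state of every unit listed on this page, classifies each as OK, WARN or FAIL, and dumps the 50 newest UTC-stamped journal lines for any unit that is not running. The unit names come from this page; the 50-line window, the OK/WARN/FAIL classification and the constructed sample states used for the offline run are my own assumptions.

```shell
#!/bin/sh
# Chronicle SOAR service health check (added example, not product code).
# Assumes a systemd host; the unit names are the ones listed on this page.

SOAR_SERVICES="Siemplify.Connectors.service
Siemplify.Server.ETL.DataProcessingEngine.service
Siemplify.Server.Indexer.service
Siemplify.Server.PlaybookActions.service
Siemplify.Server.PythonExecution.service
Siemplify.Server.service
postgresql-10.service
nginx.service
postfix.service"

# Map a 'systemctl is-active' state onto a severity level.
# 'active' is healthy; transitional states deserve a look; anything else
# (inactive, failed, or unknown when the unit is missing) is a failure.
classify_state() {
    case "$1" in
        active) echo OK ;;
        activating|reloading|deactivating) echo WARN ;;
        *) echo FAIL ;;
    esac
}

# Read "unit state" pairs on stdin and print "LEVEL unit (state)" per unit.
summarize_states() {
    while read -r unit state; do
        if [ -n "$unit" ]; then
            printf '%s %s (%s)\n' "$(classify_state "$state")" "$unit" "${state:-unknown}"
        fi
    done
}

# Read the same pairs and print how many units are FAIL (a handy alert
# threshold when this runs from cron or a monitoring wrapper).
count_failed() {
    n=0
    while read -r unit state; do
        if [ -n "$unit" ] && [ "$(classify_state "$state")" = FAIL ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Query systemd for each unit; for failed units, show the newest journal
# lines in UTC so timestamps line up regardless of the host timezone.
check_live() {
    failed=0
    for svc in $SOAR_SERVICES; do
        state=$(systemctl is-active "$svc" 2>/dev/null) || true
        state=${state:-unknown}
        level=$(classify_state "$state")
        printf '%s %s (%s)\n' "$level" "$svc" "$state"
        if [ "$level" = FAIL ]; then
            failed=$((failed + 1))
            journalctl -u "$svc" -n 50 -r --utc --no-pager 2>/dev/null || true
        fi
    done
    echo "units failing: $failed"
    [ "$failed" -eq 0 ]
}

# Constructed sample states (not real output) so the classification can be
# exercised on a machine without these units installed.
SAMPLE_STATES="Siemplify.Server.service active
Siemplify.Server.Indexer.service failed
nginx.service activating
postfix.service inactive"

# Run against systemd only when asked; otherwise classify the sample.
if [ "${1:-}" = "--live" ]; then
    check_live
else
    printf '%s\n' "$SAMPLE_STATES" | summarize_states
    printf 'units failing: %s\n' "$(printf '%s\n' "$SAMPLE_STATES" | count_failed)"
fi
```

Run it with --live on the SOAR host as a user allowed to read the journal; without arguments it only classifies the embedded sample, which makes it safe to try anywhere. A non-zero exit from check_live means at least one listed unit is not active.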

Logs

Webserver logs can be found in /var/log/nginx/, specifically the ‘access’ and ‘error’ logs.
DB logs are in /var/lib/pgsql/10/data/log/
Databases are at /var/lib/pgsql/10/data

Further log paths:

Connector logs can be found at:
/opt/siemplify/siemplify_server/Scripting/SiemplifyConnectorExecution/

Job Logs can be found at:
/opt/siemplify/siemplify_server/Scripting/SiemplifyJob/

Structure of Siemplify Logs is as follows

Postgres Log configuration can be found at:
/var/lib/pgsql/10/data/log


Databases

Tips:

  • Chronicle SOAR uses Postgres, which listens on port 5432
  • pgAdmin4 can be downloaded as a client to connect to the DB
  • If you modify a table in the pgAdmin UI, hit F6 to save the change
  • From a terminal, ‘psql’ can also be used to connect to the DB

Siemplify_agents_db – Contains information about configured Publishers and Remote Agents.
Siemplify_command_center_db – Contains information for Command Center incidents.
Siemplify_configuration_db – Contains platform configuration parameters.
Siemplify_dashboards_db – Contains Dashboard data model and widget definitions.
Siemplify_entityexplorer_db – Contains custom entity properties?
Siemplify_homepage_db – Contains Analyst Homepage entries (contacts, notes, links, etc.).
Siemplify_integrations_db – Contains action, connector, and integration configurations.
Siemplify_jobs_db – Contains configured Jobs definitions, Job parameters, Job history, etc.
Siemplify_layout_view_db – Contains layout view element definitions.
Siemplify_metadata_db – Contains many of the configuration parameters available under Settings.
Siemplify_monitoring_db – Contains audit data, task history, playbook execution summary, timing statistics.
Siemplify_notifications_db – Contains homepage announcements, User & System notifications.
Siemplify_ontology_db – Contains visual family definitions, field mappings, and Ontology data models.
Siemplify_orchestration_db – Contains playbook definitions and parameters.
Siemplify_queues_db – Contains case ingestion queue, Indexer queue, and Workflow queue.
Siemplify_report_system_db – Contains report templates, report schedules, and report logs.
Siemplify_search_everything_db – Contains tables for searching and Tableau.
Siemplify_simulation_db – Contains simulated alert templates and test alerts created in the platform.
Siemplify_system_db – Contains alerts and cases ingested into the platform.
Siemplify_usecases_db – Includes use cases installed from the marketplace.
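As an added example (my own script, not Chronicle SOAR's code), the inventory check below verifies that every database named in this list exists on the PostgreSQL instance and reports which local addresses the port 5432 listener is bound to, which is worth knowing before pointing a remote pgAdmin client at it. It parses the output of ‘psql -lqt’ and ‘ss -ltn’; the sample outputs embedded in the script are constructed stand-ins for a real host, and names are compared in lower case because the database names above are shown capitalised.

```shell
#!/bin/sh
# Chronicle SOAR database inventory check (added example, not product code).
# Assumes psql and ss exist on the host when run with --live, and that the
# invoking user may connect to PostgreSQL (e.g. the postgres OS user).

# Database names from this page, lower-cased for comparison with PostgreSQL.
EXPECTED_DBS="siemplify_agents_db
siemplify_command_center_db
siemplify_configuration_db
siemplify_dashboards_db
siemplify_entityexplorer_db
siemplify_homepage_db
siemplify_integrations_db
siemplify_jobs_db
siemplify_layout_view_db
siemplify_metadata_db
siemplify_monitoring_db
siemplify_notifications_db
siemplify_ontology_db
siemplify_orchestration_db
siemplify_queues_db
siemplify_report_system_db
siemplify_search_everything_db
siemplify_simulation_db
siemplify_system_db
siemplify_usecases_db"

# Pull lower-cased database names out of 'psql -lqt' output, whose first
# pipe-separated column is the database name (blank lines are skipped).
extract_db_names() {
    awk -F'|' 'NF > 1 { gsub(/^[ \t]+|[ \t]+$/, "", $1); if ($1 != "") print tolower($1) }'
}

# Print each expected database that is absent from the names given on stdin.
missing_dbs() {
    present=$(cat)
    for db in $EXPECTED_DBS; do
        if ! printf '%s\n' "$present" | grep -qx "$db"; then
            echo "$db"
        fi
    done
}

# From 'ss -ltn' output, print the local addresses listening on the given
# port. Column 4 is "addr:port"; the port is the text after the last colon,
# so IPv6 forms such as [::1]:5432 are handled too.
listen_addrs_for_port() {
    awk -v port="$1" 'NR > 1 {
        n = split($4, a, ":"); if (a[n] == port) { sub(":" port "$", "", $4); print $4 }
    }'
}

# Constructed stand-in for 'psql -lqt' (not real output): every expected
# database except siemplify_usecases_db, plus the stock postgres databases.
sample_psql_output() {
    printf '%s\n' "$EXPECTED_DBS" | grep -v '^siemplify_usecases_db$' |
        awk '{ printf " %-30s | siemplify | UTF8 | en_US.UTF-8 | en_US.UTF-8 |\n", $1 }'
    printf ' %-30s | postgres  | UTF8 | en_US.UTF-8 | en_US.UTF-8 |\n' postgres template1
    echo
}

# Constructed stand-in for 'ss -ltn' (not real output).
SAMPLE_SS="State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::1]:5432          [::]:*"

check_live() {
    echo "Missing Siemplify databases (none expected):"
    psql -lqt 2>/dev/null | extract_db_names | missing_dbs
    echo "Local addresses listening on 5432:"
    ss -ltn 2>/dev/null | listen_addrs_for_port 5432
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    echo "Missing databases in the constructed sample:"
    sample_psql_output | extract_db_names | missing_dbs
    echo "Addresses listening on 5432 in the constructed sample:"
    printf '%s\n' "$SAMPLE_SS" | listen_addrs_for_port 5432
fi
```

On the sample data the script reports siemplify_usecases_db as missing and shows 5432 bound only to loopback addresses; on a real host an address such as 0.0.0.0 in that second list means the database accepts connections from other machines and should be matched against what the firewall and pg_hba.conf are expected to allow.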

Jobs

Chronicle SOAR uses Jobs internally to execute monitoring tasks at defined intervals (essentially cron jobs). These can be accessed from the main screen by selecting the cog in the top right and then Jobs. Additional jobs can be written and will be scheduled for execution by Chronicle SOAR at any desired interval.

Path Exclusions

The following paths need to be excluded from scanning:

/opt/siemplify/

/var/lib/pgsql/10/data/