We just installed Graylog and are in the initial setup phase. We want to add event definitions but have not found a way to add them in bulk. We want to avoid adding them manually since there are hundreds of them, so we were hoping for some kind of import/export feature or something similar. The data sources are from attack.mitre.org (please see attached picture).
OS: Ubuntu 24.04 LTS
Package Version: Graylog 6.1.8+76bd0f0
I'm a little confused, I don't see anything in the MITRE link that actually contains a definition that could be imported, just a description of what needs to be looked for. At the end of the day these need to end up as actual queries that can be run, but also the data needs to be in the proper formats and schema for the events to run against.
Everything in Graylog can be done via API, so it can be automated, but what's the data source?
Now this is the entry point of the paid version of Graylog: it ships with event definitions for MITRE, as well as features to integrate with other providers of event definitions like SOC Prime etc.
Can you do this in Graylog Open? Yes. Is it probably a ton of work? Yep.
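To make the "automate it via the API" point concrete, here is an added example (not from this thread or from the Graylog project) that turns a CSV of technique-to-query mappings into event-definition payloads and POSTs them to the events API. The CSV rows, the Graylog URL and credentials are constructed placeholders; the `POST /api/events/definitions` endpoint and the `X-Requested-By` header are standard Graylog, but the exact payload field layout is an assumption to be checked against a definition exported from your own instance.

```python
import base64
import csv
import io
import json
import urllib.request

# Constructed sample rows: attack.mitre.org only gives descriptions, so the
# query for each technique has to come from your own mapping work.
SAMPLE_CSV = """technique_id,title,query
T1059.001,PowerShell execution,"event_id:4104 AND script_block_text:*"
T1110,Brute force logon,"event_id:4625"
"""

def build_event_definition(technique_id, title, query, stream_ids, priority=2):
    """Build one filter-style (no aggregation) event definition payload.
    Field names follow Graylog 6.x 'aggregation-v1' definitions (assumption)."""
    return {
        "title": f"{technique_id} {title}",
        "description": f"Bulk-imported detection for ATT&CK {technique_id}",
        "priority": priority,
        "alert": True,
        "config": {
            "type": "aggregation-v1",
            "query": query,
            "streams": stream_ids,
            "group_by": [],
            "series": [],
            "conditions": {"expression": None},
            "search_within_ms": 300000,   # look back 5 minutes
            "execute_every_ms": 60000,    # run every minute
        },
        "field_spec": {},
        "key_spec": [],
        "notification_settings": {"grace_period_ms": 0, "backlog_size": 0},
        "notifications": [],
    }

def definitions_from_csv(text, stream_ids):
    rows = csv.DictReader(io.StringIO(text))
    return [build_event_definition(r["technique_id"], r["title"], r["query"], stream_ids) for r in rows]

def post_definition(base_url, user, password, payload):
    """POST one definition; Graylog rejects writes without X-Requested-By."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/events/definitions",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}", "X-Requested-By": "bulk-import"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    # "000000000000000000000001" is Graylog's built-in "All messages" stream id.
    for d in definitions_from_csv(SAMPLE_CSV, ["000000000000000000000001"]):
        print(post_definition("http://graylog.example:9000", "admin", "change-me", d))
```

Export one definition you created by hand from the UI first and diff it against `build_event_definition` output before running the loop against hundreds of rows.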
OK, thank you very much. We are still new to Graylog so this was a bit confusing. We are looking into the REST API now.