We share with you guys another MSSP use case: centralizing incidents from multiple Supervisors on one Supervisor, with drill-down.
Supervisor A: Organization ID 2000
Supervisor B: Organization ID 3000
In this case we want to send incidents from Supervisor A -> Supervisor B.
Step 1) Create an incident notification policy on Supervisor A.
Step 2) Have the policy call a Python process that collects the XML tree of the incident.
Step 3) Collect the raw event into a string.
Step 4) Prepend the string "phcustid=3000, ".
Note: phcustid is the ID of the organization on Supervisor B.
Step 5) Merge the prefix from step 4 with the raw event from step 3; the result looks like this:
Note: <1> phcustid=3000, <123> 12-10-12 Fortigate raw......
Step 6) On Supervisor B, go to Admin -> Organization and include the IP address of Supervisor A.
Note: we are currently working on the parser for phCustID and on multiple clients on the same Supervisor.
Then, on Supervisor B, you will see the incoming message from Supervisor A auto-mapped to the intended organization. The message is parsed as the original syslog, and analysts can drill down on the user and the other events.
This only works because of the PHToolBox parser, which extracts phcustid and then passes the rest of the message on to the other parsers.
So when an incident is triggered on Supervisor B, the parsing, the MITRE ATT&CK framework mapping, etc. are preserved.