Connect to Data Sources

Data sources, e.g., an EDR, a SIEM, or a firewall, provide raw or processed data for hunting. Kestrel hunt steps such as GET and FIND generate code or queries that retrieve data, e.g., system logs or alerts, from data sources.

Kestrel Data Source Abstraction

Kestrel manages data sources in a two-level abstraction: a data source registers at a Kestrel Data Source Interface, which defines how a set of data sources is queried and how the results are ingested into Kestrel. In other words, Kestrel manages multiple data source interfaces at runtime, each of which manages a set of data sources that share the same query method and ingestion procedure. Learn more about the abstraction in Kestrel Interfaces.

Kestrel by default ships with the two most common data source interfaces:

Setup STIX-shifter Data Source

Once you have the credentials for a data source, you need to tell Kestrel how to use them to connect. In other words, you need to create a profile for each data source. The profile:

  • names the data source to refer to in a huntbook,

  • specifies which STIX-shifter connector to use,

  • specifies how to connect to the data source,

  • gives additional configuration if needed for data source access.
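A small pre-hunt check for the four profile elements listed above, written as an added example rather than Kestrel's own code. It assumes the profile layout `profiles: <name>: {connector, connection, config}` and a `host` key under `connection`; the sample profiles are constructed, and the `stixshifter://<name>` URI is how a huntbook refers to a profile.

```python
"""Sanity-check Kestrel STIX-shifter data source profiles before a hunt.

Added example, not Kestrel's own code. It assumes the profile layout
profiles: <name>: {connector, connection, config} and a 'host' key under
connection; the sample profiles below are constructed.
"""
from typing import Dict, List

# Constructed sample: the parsed content of a stixshifter.yaml with one
# complete profile and one that leaves out the connector and config.
SAMPLE_PROFILES: Dict[str, dict] = {
    "host101": {
        "connector": "elastic_ecs",
        "connection": {"host": "elastic.example.internal", "port": 9200,
                       "indices": "host101"},
        "config": {"auth": {"id": "EXAMPLE_ID", "api_key": "EXAMPLE_KEY"}},
    },
    "fw-edge": {
        "connection": {"port": 443},
    },
}


def check_profile(name: str, profile: dict) -> List[str]:
    """Return the problems found in one profile; an empty list means OK."""
    problems: List[str] = []
    if not name:
        problems.append("profile has an empty name")
    connector = profile.get("connector")
    if not isinstance(connector, str) or not connector:
        problems.append(f"{name}: missing 'connector' (which STIX-shifter connector)")
    connection = profile.get("connection")
    if not isinstance(connection, dict):
        problems.append(f"{name}: missing 'connection' (how to reach the source)")
    elif "host" not in connection:
        problems.append(f"{name}: 'connection' has no 'host'")
    if not isinstance(profile.get("config"), dict):
        problems.append(f"{name}: missing 'config' (credentials, extra options)")
    return problems


def check_profiles(profiles: Dict[str, dict]) -> Dict[str, List[str]]:
    """Check every profile, keyed by the URI a huntbook would use."""
    return {f"stixshifter://{name}": check_profile(name, prof)
            for name, prof in profiles.items()}


if __name__ == "__main__":
    for uri, problems in check_profiles(SAMPLE_PROFILES).items():
        print(uri, "OK" if not problems else "; ".join(problems))
```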

Check STIX-shifter Data Source Interface for details and examples of adding data source profiles.