SIEM / SOC × NIS2 Agile

SIEM / SOC integration ← NIS2 Agile

Receive NIS2 events in your SIEM in real time: Art.23 incidents, HIGH/CRITICAL risks and compliance changes arrive as automatic alerts.

Supported SIEMs

Splunk Enterprise

HTTP Event Collector (HEC) + custom TA for NIS2 Agile. Prebuilt Art.23 dashboard.

Elastic SIEM

Logstash HTTP input + NIS2 index template. Alert rule on incident.significant.

IBM QRadar

Universal DSM + webhook-to-syslog bridge. NIS2 event → QRadar offense.

Microsoft Sentinel

Logic App webhook receiver → Azure Monitor. SOAR playbook for Art.23.

Webhook configuration NIS2 → SIEM

In NIS2 Agile → Settings → Webhook, configure the endpoint of your SIEM:

# SIEM HEC / HTTP input endpoint
URL:    https://your-siem.example.com:8088/services/collector   # Splunk HEC
URL:    https://your-logstash.example.com:8181/                 # Elastic (Logstash HTTP input, see pipeline below)
Events: incident.created, incident.significant, incident.deadline_warning,
        risk.high_created, compliance.score_changed

Splunk HEC — PHP bridge

If the SIEM cannot verify the HMAC-SHA256 signature itself, use this bridge as a proxy between NIS2 and Splunk HEC. The bridge is also where the payload is wrapped in the HEC envelope: /services/collector expects an event key, not the bare webhook body.

<?php
// nis2_to_splunk_bridge.php — deploy on an intermediate server between NIS2 Agile and Splunk HEC
declare(strict_types=1);

$nis2Secret  = getenv('NIS2_WEBHOOK_SECRET');
$splunkHec   = getenv('SPLUNK_HEC_URL');     // https://splunk:8088/services/collector
$splunkToken = getenv('SPLUNK_HEC_TOKEN');

if ($nis2Secret === false || $splunkHec === false || $splunkToken === false) {
    http_response_code(500); exit('bridge not configured');
}
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405); exit;
}

// 1. Verify the NIS2 signature over the raw body (hash_equals is constant-time)
$body = file_get_contents('php://input');
$sig  = $_SERVER['HTTP_X_NIS2_SIGNATURE'] ?? '';
if (!hash_equals('sha256=' . hash_hmac('sha256', $body, $nis2Secret), $sig)) {
    http_response_code(401); exit;
}

$payload = json_decode($body, true);
if (!is_array($payload) || !isset($payload['event'], $payload['id'], $payload['created'])) {
    http_response_code(400); exit;   // correctly signed but malformed: do not forward
}

// 2. Transform into Splunk HEC format (time = the event's own epoch timestamp, not receipt time)
$splunkEvent = [
    'time'       => $payload['created'],
    'host'       => 'nis2-agile',
    'source'     => 'nis2-agile-webhook',
    'sourcetype' => 'nis2:event',
    'index'      => 'nis2_compliance',
    'event'      => [
        'event_type'  => $payload['event'],
        'event_id'    => $payload['id'],
        'org_id'      => $payload['org_id'] ?? null,
        'data'        => $payload['data'] ?? [],
        'api_version' => $payload['api_version'] ?? null,
    ],
];

// 3. Forward to Splunk HEC; keep TLS verification on and bound the wait
$ch = curl_init($splunkHec);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => json_encode($splunkEvent),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_HTTPHEADER     => [
        'Authorization: Splunk ' . $splunkToken,
        'Content-Type: application/json',
    ],
]);
$result = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

// Report delivery failures upstream instead of acknowledging an event Splunk never stored
if ($result === false || $status !== 200) {
    http_response_code(502); exit;
}
http_response_code(200);
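The QRadar entry above names a webhook-to-syslog bridge, but the page only shows the Splunk one. The following Python script is an added example, not NIS2 Agile's or IBM's own code: it applies the same HMAC-SHA256 check as the PHP bridge and renders the verified event as a LEEF 2.0 syslog line for QRadar's Universal DSM. The webhook field names (event, id, org_id, data, api_version, created) and the X-NIS2-Signature header follow the PHP bridge; the LEEF vendor and product strings, the attribute names, the syslog facility/severity and the sample event are assumptions made for the example.

```python
"""Webhook-to-syslog bridge: NIS2 Agile event -> LEEF 2.0 line for IBM QRadar.

Added example, not NIS2 Agile's or IBM's code. Webhook fields and the
X-NIS2-Signature header follow the PHP bridge on this page; LEEF vendor/product
strings, attribute names and the sample payload are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import socket
from datetime import datetime, timezone

LEEF_VENDOR = "NIS2 Agile"  # assumed: what the QRadar Universal DSM will be keyed on
LEEF_PRODUCT = "Webhook"
LEEF_DELIM = "^"            # LEEF 2.0 lets the header declare the attribute delimiter


def verify_signature(body: bytes, header: str, secret: bytes) -> bool:
    """Check X-NIS2-Signature ("sha256=<hex>") against HMAC-SHA256 of the raw body.

    hmac.compare_digest is constant-time, the equivalent of hash_equals() in PHP.
    """
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header or "")


def _leef_value(value) -> str:
    """Render a value as text; nested objects become JSON, and the delimiter and
    line breaks are stripped because they would split or break the LEEF record."""
    text = json.dumps(value, separators=(",", ":")) if isinstance(value, (dict, list)) else str(value)
    return text.replace(LEEF_DELIM, " ").replace("\r", " ").replace("\n", " ")


def to_leef(payload: dict) -> str:
    """Render a verified NIS2 webhook payload as one LEEF 2.0 event."""
    event_type = payload["event"]  # e.g. incident.significant -> LEEF EventID
    created = datetime.fromtimestamp(payload["created"], tz=timezone.utc)
    attrs = {
        "devTime": created.strftime("%b %d %Y %H:%M:%S"),  # predefined LEEF key
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "cat": event_type,
        "nis2EventId": payload["id"],
        "orgId": payload["org_id"],
        "apiVersion": payload.get("api_version", ""),
    }
    for key, value in payload.get("data", {}).items():  # flatten data one level: data_<key>=<value>
        attrs["data_" + key] = value
    header = f"LEEF:2.0|{LEEF_VENDOR}|{LEEF_PRODUCT}|{attrs['apiVersion'] or '1'}|{event_type}|{LEEF_DELIM}|"
    return header + LEEF_DELIM.join(f"{k}={_leef_value(v)}" for k, v in attrs.items())


def syslog_line(message: str, hostname: str = "nis2-bridge", now: datetime | None = None) -> str:
    """Wrap the message in a BSD syslog (RFC 3164) header; PRI 109 = facility 13 (log audit) * 8 + severity 5."""
    now = now or datetime.now(timezone.utc)
    return f"<109>{now.strftime('%b %d %H:%M:%S')} {hostname} {message}"


def handle_webhook(body: bytes, signature: str, secret: bytes, now: datetime | None = None) -> str | None:
    """Verify, parse and render one delivery. None means the HTTP layer should answer 401 and drop it."""
    if not verify_signature(body, signature, secret):
        return None
    return syslog_line(to_leef(json.loads(body)), now=now)


def send_to_qradar(line: str, host: str, port: int = 514) -> None:
    """Ship one syslog line to the QRadar log source over TCP (one event per line)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(line.encode() + b"\n")


# Constructed sample delivery (not a real NIS2 Agile event); the real secret comes
# from NIS2 Agile -> Settings -> Webhook.
SECRET = b"example-webhook-secret"
SAMPLE_EVENT = {
    "id": "evt_0001",
    "event": "incident.significant",
    "org_id": "org_42",
    "api_version": "1",
    "created": 1718000000,
    "data": {"incident_id": "inc_17", "severity": "HIGH", "title": "Ransomware on file server"},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode()
SAMPLE_SIG = "sha256=" + hmac.new(SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, SAMPLE_SIG, SECRET))
    # A body altered in transit fails verification even though the signature is unchanged
    print(handle_webhook(SAMPLE_BODY.replace(b"HIGH", b"LOW"), SAMPLE_SIG, SECRET))
```

Run it as a script to see the rendered line and the rejection of a tampered body; in a real deployment the web handler calls handle_webhook on each request and passes the result to send_to_qradar. In the Universal DSM, map the cat attribute (the NIS2 event type) to the QRadar event category so that incident.significant can drive an offense rule.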

Elastic — Logstash Pipeline

# logstash/pipelines/nis2.conf
input {
  http {
    port => 8181
    codec => json
    # The http input has no HMAC-SHA256 check and the json codec consumes the raw body,
    # so verify X-NIS2-Signature in front of Logstash (e.g. with the bridge pattern above)
    # or with a custom plugin that sees the raw request.
  }
}
filter {
  # Parse the event's own timestamp first, so the monthly index below is derived
  # from @timestamp = created rather than from ingestion time
  date {
    match => [ "[created]", "UNIX" ]
    target => "@timestamp"
  }
  mutate {
    add_field => { "[@metadata][index]" => "nis2-compliance-%{+YYYY.MM}" }
  }
}
output {
  elasticsearch {
    hosts    => ["https://elasticsearch:9200"]
    user     => "${ES_USER}"       # credentials from the environment or the Logstash keystore
    password => "${ES_PASSWORD}"
    index    => "%{[@metadata][index]}"
  }
}

Microsoft Sentinel — Logic App

// Azure Logic App — HTTP trigger + Send Data to Log Analytics action
{
  "triggers": {
    "When_a_HTTP_request_is_received": {
      "type": "Request",
      "kind": "Http",
      "inputs": { "schema": {} }
    }
  },
  "actions": {
    "Send_Data_to_Log_Analytics": {
      "type": "ApiConnection",
      "inputs": {
        "body": "@{triggerBody()}",
        "headers": { "Log-Type": "NIS2AgileEvent" },
        "host": { "connection": { "name": "@parameters('$connections')['azureloganalyticsdatacollector']" } },
        "method": "post",
        "path": "/api/logs"
      }
    }
  }
}

The Request trigger does not check X-NIS2-Signature: anyone holding the trigger URL can inject events. Either put the bridge pattern above in front of the Logic App or add a verification action before sending to Log Analytics. Note also that /api/logs is the legacy HTTP Data Collector API, which Microsoft has deprecated in favour of the Logs Ingestion API with data collection rules.

Art.23 NIS2 + SIEM: configuring SIEM alerts on incident.significant and incident.deadline_warning automates tracking of the 24h/72h/30d deadlines directly in the SOC. The team can then handle NIS2 incidents without leaving the SIEM workflow.
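As an added example (not NIS2 Agile's code), the following Python script shows the deadline logic a SOC would put behind those alerts: incident.significant starts the 24h/72h/30d clocks named above, the platform's own incident.deadline_warning events are passed through, and a local clock raises warning and overdue states that stop once a step is marked as filed. The field names inside data, the 4-hour warning lead time and the sample events are assumptions made for the example.

```python
"""Art.23 deadline tracking driven by NIS2 Agile webhook events.

Added example, not NIS2 Agile's own code. The 24h / 72h / 30d deadlines are the
ones this page names for Art.23; the field names inside `data`, the 4-hour
warning lead time and the sample events are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Art.23 reporting chain, each step counted from the moment the incident was recorded
DEADLINES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)
WARNING_LEAD = timedelta(hours=4)  # assumed: flag a deadline this long before it expires


def utc(epoch: int) -> datetime:
    """UNIX epoch seconds (the webhook's `created` field) -> aware UTC datetime."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def art23_deadlines(created: int) -> dict[str, datetime]:
    """Absolute due times for an incident recorded at `created`."""
    start = utc(created)
    return {name: start + offset for name, offset in DEADLINES}


def deadline_status(created: int, now: datetime, reported: dict[str, bool] | None = None) -> list[dict]:
    """State of every Art.23 deadline at `now`: done, ok, warning or overdue.

    `reported` marks the steps the team has already filed, so a met deadline stops alerting.
    """
    reported = reported or {}
    rows = []
    for name, due in art23_deadlines(created).items():
        if reported.get(name):
            state = "done"
        elif now >= due:
            state = "overdue"
        elif now >= due - WARNING_LEAD:
            state = "warning"
        else:
            state = "ok"
        rows.append({
            "deadline": name,
            "due": due.isoformat(),
            "remaining_s": int((due - now).total_seconds()),  # negative once overdue
            "state": state,
        })
    return rows


def alerts_from_events(events: list[dict], now: datetime,
                       reported: dict[str, dict[str, bool]] | None = None) -> list[dict]:
    """Fold a stream of webhook events into SOC alerts.

    incident.significant starts the Art.23 clock for its incident (a plain incident.created
    does not); incident.deadline_warning from the platform is passed through unchanged, so
    the SOC sees both the vendor's warning and its own clock.
    """
    reported = reported or {}
    clocks: dict[str, int] = {}
    alerts: list[dict] = []
    for ev in events:
        data = ev.get("data", {})
        if ev["event"] == "incident.significant":
            clocks[data["incident_id"]] = ev["created"]
        elif ev["event"] == "incident.deadline_warning":
            alerts.append({"incident_id": data["incident_id"], "source": "nis2-agile",
                           "deadline": data.get("deadline"), "state": "warning"})
    for incident_id, created in clocks.items():
        for row in deadline_status(created, now, reported.get(incident_id)):
            if row["state"] in ("warning", "overdue"):
                alerts.append({"incident_id": incident_id, "source": "soc-clock", **row})
    return alerts


# Constructed sample stream (not real NIS2 Agile events)
T0 = 1718000000  # 2024-06-10T06:13:20Z
SAMPLE_EVENTS = [
    {"id": "evt_1", "event": "incident.created", "org_id": "org_42", "created": T0 - 600,
     "data": {"incident_id": "inc_17", "severity": "HIGH"}},
    {"id": "evt_2", "event": "incident.significant", "org_id": "org_42", "created": T0,
     "data": {"incident_id": "inc_17", "severity": "HIGH"}},
    {"id": "evt_3", "event": "incident.deadline_warning", "org_id": "org_42", "created": T0 + 20 * 3600,
     "data": {"incident_id": "inc_17", "deadline": "early_warning"}},
]

if __name__ == "__main__":
    for alert in alerts_from_events(SAMPLE_EVENTS, utc(T0 + 30 * 3600)):  # 30h after the incident
        print(alert)
```

Run as a scheduled job (or ported to a saved search), the soc-clock rows become the SIEM alerts; feed the filed steps back through `reported` so closed deadlines stop firing.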