I've been working with SIEMs for more than 10 years, and quite some years ago I had the idea of building a quick self-installing syslog collector appliance, much like enterprise SIEM vendors do, but simpler and hardened. The idea was to provide a simple self-installable platform that can be used standalone, or that an MSSP can control as a "black box" at the customer's site.
What it does
Creates a self-installable ISO file that, when booted on a system, automatically installs a hardened CentOS 7 based system and installs the Microsoft CEF agent (MMA agent + rsyslog configuration), configured and set up against the workspace of the user's choice. From boot to the system appearing in the Azure Portal and receiving CEF logs takes less than 3 minutes.
How I built it
As simple and elegant as possible, using roughly 90% bash and a little bit of Python to handle SHA512 salted passwords.
Challenges I ran into
Too many variables and scenarios, which meant a lot of trial and error.
Accomplishments that I'm proud of
This is something like the licensed, paid enterprise collectors, but free and in a closed appliance format that is easy and quick to install. As far as I know and have searched, there is nothing like this. It also has a template system for building other types of systems.
What I learned
A lot of more advanced sed regex, how to work around bash's limitations, and how the anaconda system installer works behind the scenes.
What's next for Self-installing hardened linux CEFsyslog collector appliance
Expand the Azure Sentinel template to automatically create and upload custom workbooks through the API, and maybe create an ARM template for this. Expand the template functionality of the program. Run a penetration testing scenario against the appliance and harden it even more.