====== Mentat ======

//**Mentat** is a distributed modular [[https://en.wikipedia.org/wiki/Security_information_and_event_management|SIEM]] (Security Information and Event Management System) designed to monitor networks of all sizes. Its architecture enables reception, storage, analysis, processing and response to a great volume of security incidents originating from various sources, such as honeypots, network probes, log analysers, third party detection services, etc. The **Mentat** system has been developed as an open-source project.//

----

This is the official website for the Mentat system as an open project. If you are looking for information about the Mentat system as a service operated by [[https://www.cesnet.cz/?lang=en|CESNET, a.l.e.]] please go to the [[https://csirt.cesnet.cz/en/services/mentat|website of Mentat system]] managed by [[https://csirt.cesnet.cz/en/index|CESNET-CERTS]] security team.

----

Most network operators take care of their network and perform some kind of network monitoring. In order to keep their network under control and secure, they usually apply a combination of various passive and proactive methods ([[https://en.wikipedia.org/wiki/Intrusion_detection_system|IDS, IPS]], [[https://en.wikipedia.org/wiki/Honeypot_(computing)|honeypots]], probes). The biggest of them have a [[https://en.wikipedia.org/wiki/Computer_emergency_response_team|CSIRT/CERT]] or some other type of a security team to watch over the network and deal with any issues arising.

[[https://www.cesnet.cz/?lang=en|CESNET]] is in the same position. [[https://www.cesnet.cz/?lang=en|CESNET]] operates a large high-speed network, called [[https://www.cesnet.cz/services/ip-connectivity-ip/cesnet2-network/?lang=en|CESNET2]], with a rich international connectivity and approximately 400 000 users. The [[https://www.cesnet.cz/services/ip-connectivity-ip/cesnet2-network/?lang=en|CESNET2]] network is carefully and systematically monitored by means of various tools, technologies and services. These generate a great deal of warnings – network anomalies, security events and incidents etc. Besides that, we receive the alerts about the problems in our network from third party services such as [[https://www.shadowserver.org/|ShadowServer]]. On top of that, we have a [[https://en.wikipedia.org/wiki/Computer_emergency_response_team|CSIRT]] team the members of which use the [[https://www.otrs.com/|OTRS]] ticket tracking system to handle any incidents. To look for relevant information in multiple places manually is rather time consuming. Thus, our biggest motivation to develop the //Mentat// system was to consolidate event sources, event persistent storage and event processing. 

Thus, the //Mentat// system is a platform enabling to unify the collation and subsequent processing and managing of various detected security events coming from a wide range of different detection systems. Prior to developing our own custom solution we tested the existing open source [[https://en.wikipedia.org/wiki/Security_information_and_event_management|SIEM]] systems (e.g. [[https://www.prelude-siem.org/|Prelude SIEM]]). However we ended up implementing our own solution that reflects our needs the best. 

{{ ::mentat-overview.png?nolink |Přehled systému Mentat}}

//Mentat// is designed as a distributed modular system with the emphasis on security, extendability and scalability. The core of the system is implemented similarly to the [[http://www.postfix.org/|Postfix MTA]]. It consists of many simple modules/daemons, each of is responsible for performing a particular ‘simple’ task. This approach enables smooth parallelization and extendability. All modules use the same core service framework, which makes implementing new modules an easy task. 

The whole system is implemented in [[https://www.python.org/|Python3]] and uses the [[https://www.postgresql.org/|PostgreSQL]] as persistent data storage. It uses the [[https://idea.cesnet.cz/en/index|IDEA]] data model, which is based on [[http://www.json.org/|JSON]] format and was specifically designed to describe and contain a wide range of different security events and with further extendability in mind. Mentat itself does not have any network communication protocol for receiving events/messages directly. Instead it relies on the services of [[https://warden.cesnet.cz/en/index|Warden]] security information exchange platform.

Currently, the working prototype of the //Mentat// system is being operated successfully as a service for customers and partners of [[https://www.cesnet.cz/?lang=en|CESNET, a.l.e.]]. It accepts events from many internal and external sources. The system processes approximately 2 million events per day. The crucial and most apparent component of the entire system is an automatic reporter module which distributes information about security incidents directly to the responsible administrators within the [[https://www.cesnet.cz/services/ip-connectivity-ip/cesnet2-network/?lang=en|CESNET2]] network (//AS2852//).