• Reads through the Redis or log files events in JSON format from Suricata NIDS, Wazuh HIDS, Modsecurity WAF, ElasticStack MetricBeat
• Based on filtering policies, Collector retrieves high priority events from data streams created by security sensors, makes aggregation and normalization for these events. This allows to simplify the management of alerts and incidents, reduces noise from minor events
• High priority events (alerts) are immediately sent to the central node
• Log events (NetFlow, DNS, SSH sessions) can be redirected to the Log Management platform
• Metrics of monitored hosts (CPU, HDD, Memory, etc.) can be persisted to the MySQL database
• All log events are sent to the Controller pre-accumulated in a compressed data set, this implements the "Anti-flooding" algorithm to prevent large bursts of events on the controller side
• In case of loss of communication between remote and central nodes, the Collector saves all alerts locally in a file

• Alertflex web management console includes various reports designed specifically for the analysis of alerts from Host and Network IDS, WAF and Netflow statistics.
• Also, it provides reports based on events from Wazuh HIDS (using OVAL CVE DB and OpenSCAP tools) about Linux software vulnerabilities and host configuration files, for compliance with security policies, standards or hardening guides.
• Alertflex performs a reputation for IP addresses, DNS records, MD5 and SHA1 file hashes extracted from security events. Creates alert, in case of suspicion values of data.
• To implement the Threat Intelligence functionality, a direct connection to the MISP database is used (by default, MISP includes 50 free feeds, more than 1400000 IOC indicators of compromise in the database).

• Assignments of different statuses for alerts and incidents
• Logs of history for incidents (incident workflow)
• Creates an incident through the REST API for external incident management platforms (TheHive or FIR)
• Sends of E-mail, Slack or Twilio SMS notifications to a group of users about the selected incident.
• Sends active response to HIDS.

Alertflex components recognize the Host IDS agent namespace inside the Alerts and Netflow events, which are generated by the Network IDS. This allows Alertflex to perform an integrated analysis and correlation of events for Network and Endpoint

Additionally, Alertflex can enrich of events about suspicious network connections by info about applications are connected with the connections. This process is based on events from Sysmon for Windows and Auditd for Linux, received via Wazuh IDS.

Alertflex provides the functionality of the orchestrator for several third-party applications/cyber security platforms. The system integrates with the following open source products: OWASP ZAP, Nmap, MISP, VirusTotal, TheHive Project, FIR, Cuckoo sandbox, Graylog.

• Automation tasks for check files in malware analysis sandbox
• Based on the MISP IOC DB, creates lists of blocking malicious IP addresses and automatically propagates them to Wazuh IDS and Suricata IDS
• Centralized update of IDS rules for a remote nodes
• Remote configuration of IDS nodes via SSH/SFTP protocol