Alert filtering, prioritization and visualization
- Receives IDS events in JSON format, either through Redis or directly from log files, from Suricata NIDS, Wazuh HIDS, ModSecurity WAF and Falco CRS.
- Based on filtering policies, the collector retrieves high-priority events and performs aggregation and normalization. This simplifies alert management and reduces noise from minor events.
- The collector immediately sends high-priority events (alerts) to the central node.
- To implement the "anti-flooding" algorithm, which prevents large bursts of events on the controller side, all high-volume information (NetFlow, statistics, metrics) is sent to the controller in pre-accumulated and compressed data sets.
- If communication between the collector and the central node is lost, the collector saves all alerts locally in a file.
- Saves alerts in the Alertflex database (MySQL).
- Can redirect alerts to the Graylog, ElasticStack or OpenDistro log management platforms.
- Provides a REST API for managing alerts.
- The web management console provides reports designed specifically for alert analysis: dashboards, alert history, and search and timeline web forms.
- For advanced alert analysis, users can create category profiles that correlate alerts according to selected categories.
- Filtering policy management allows a filtering policy to be created, edited and uploaded to collectors from the web console.
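The collector behaviour described above (policy filtering, aggregation, normalization, batching of bulky records and local spooling on a lost connection) is illustrated here in an added Python example. It is not Alertflex code: the policy format, the normalized alert schema and the in-memory spool are assumptions for illustration, and the EVE JSON lines are constructed samples.

```python
"""Added example (not Alertflex code): a minimal collector pipeline that
filters Suricata EVE JSON events by a priority policy, aggregates repeats,
normalizes them into one alert schema, batches bulky records for the
controller, and spools alerts locally when the central node is unreachable.
Policy and schema field names are assumptions for illustration."""
import collections
import gzip
import json

# Constructed EVE JSON lines: one alert seen twice, one low-priority alert
# and one flow record (bulky data that is not an alert).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,'
    '"signature":"CONSTRUCTED reverse shell pattern","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,'
    '"signature":"CONSTRUCTED reverse shell pattern","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature_id":9000002,'
    '"signature":"CONSTRUCTED protocol anomaly","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","flow":{"bytes_toserver":100,"bytes_toclient":200}}',
]

# Assumed filtering policy: forward alerts whose Suricata severity is at or
# above this level (1 is the most severe); everything else is noise.
POLICY = {"max_severity": 2}


def normalize(event):
    """Map a Suricata alert into a source-independent alert schema (assumed)."""
    a = event["alert"]
    return {
        "source": "suricata",
        "ts": event["timestamp"],
        "src_ip": event["src_ip"],
        "dst_ip": event["dest_ip"],
        "rule_id": str(a["signature_id"]),
        "description": a["signature"],
        "severity": a["severity"],
    }


def collect(lines, policy=POLICY):
    """Return (alerts, bulk_blob): aggregated high-priority alerts plus one
    compressed batch of bulky records (flows, stats) for the controller."""
    aggregated = collections.OrderedDict()
    bulk = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") == "alert":
            if event["alert"]["severity"] > policy["max_severity"]:
                continue  # dropped by policy as a minor event
            alert = normalize(event)
            key = (alert["rule_id"], alert["src_ip"], alert["dst_ip"])
            if key in aggregated:  # same rule and endpoints: count, don't duplicate
                aggregated[key]["count"] += 1
                aggregated[key]["last_ts"] = alert["ts"]
            else:
                alert["count"] = 1
                alert["last_ts"] = alert["ts"]
                aggregated[key] = alert
        else:
            bulk.append(event)
    blob = gzip.compress(json.dumps(bulk).encode())
    return list(aggregated.values()), blob


def decode_bulk(blob):
    """Controller side: unpack one pre-accumulated, compressed data set."""
    return json.loads(gzip.decompress(blob).decode())


def unreachable_sender(alert):
    """Stand-in sender for a central node that cannot be reached."""
    raise ConnectionError("central node unreachable")


def send_or_spool(alerts, sender, spool):
    """Deliver each alert; on a connection failure append it to the spool
    (standing in for the local file) so the alert is not lost."""
    delivered = 0
    for alert in alerts:
        try:
            sender(alert)
            delivered += 1
        except ConnectionError:
            spool.append(json.dumps(alert))
    return delivered
```

The aggregation key (rule, source, destination) is the usual choice for collapsing repeated IDS hits; the spool here is a list so the example runs offline, where a real collector would append to a file and replay it once the central node answers again.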
Detection of intrusions, vulnerabilities and asset misconfigurations
- Performs reputation checks for IP addresses, DNS records, and MD5 and SHA1 hashes of files, and creates an alert if suspicious data is found.
- Analyses reports from different tools (OpenSCAP, OWASP ZAP, Nmap, Wazuh SCA, etc.) and generates an alert if a new vulnerability, misconfiguration, process, package or user is found.
- Provides advanced web analytics for HIDS, NIDS, WAF and CRS.
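The two detection functions above, reputation checks and "alert only on what is new in a report", are shown in an added Python example. This is not Alertflex code: the reputation feeds, the report snapshot layout and the alert fields are constructed assumptions, and a real deployment would take the feeds from a threat-intelligence source such as MISP and the snapshots from the scanners' own report formats.

```python
"""Added example (not Alertflex code): reputation lookups for observables and
a report diff that raises alerts only for findings absent from the previous
scan. Feeds, snapshots and field names are constructed for illustration."""
import hashlib

# Constructed file content whose hash we pretend a threat feed has listed.
SAMPLE_FILE = b"constructed sample payload, not a real malware file"

# Constructed reputation feeds (stand-ins for MISP or a similar source).
BAD_IPS = {"203.0.113.50"}
BAD_DOMAINS = {"malware.example.net"}
BAD_HASHES = {hashlib.md5(SAMPLE_FILE).hexdigest()}


def sample_file_md5():
    """Hash of the constructed sample, lowercase hex as feeds usually publish."""
    return hashlib.md5(SAMPLE_FILE).hexdigest()


def reputation_alerts(observables):
    """observables: list of (kind, value), kind in ip / dns / md5 / sha1.
    Matching is case-insensitive because hashes and hostnames arrive in
    mixed case from different log sources."""
    feeds = {"ip": BAD_IPS, "dns": BAD_DOMAINS, "md5": BAD_HASHES, "sha1": BAD_HASHES}
    alerts = []
    for kind, value in observables:
        if value.lower() in feeds.get(kind, set()):
            alerts.append({"type": "reputation", "kind": kind, "value": value})
    return alerts


# Constructed "previous" and "current" snapshots extracted from scan reports:
# open ports (Nmap), failed checks (OpenSCAP / Wazuh SCA) and host inventory.
BASELINE = {
    "open_ports": {22, 80},
    "failed_checks": {"sshd_disable_root_login"},
    "packages": {"openssh-server 8.9", "nginx 1.18"},
    "users": {"root", "deploy"},
}
CURRENT = {
    "open_ports": {22, 80, 3389},
    "failed_checks": {"sshd_disable_root_login", "no_empty_passwords"},
    "packages": {"openssh-server 8.9", "nginx 1.18", "netcat 1.10"},
    "users": {"root", "deploy", "svc_backup"},
}


def report_alerts(baseline, current):
    """One alert per finding present in the current report but not in the
    baseline. Known, unchanged findings produce nothing, which keeps repeated
    scans from re-alerting on the same backlog."""
    alerts = []
    for category in sorted(current):
        new_items = current[category] - baseline.get(category, set())
        for item in sorted(new_items, key=str):
            alerts.append({"type": "new_finding", "category": category, "item": str(item)})
    return alerts
```

Keeping the baseline per asset and updating it only after an analyst has acknowledged the alerts is what makes the diff useful; otherwise a finding that reappears after being fixed would be missed.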
Integrated analysis of network, containers and hosts
- Alertflex components recognize the Wazuh HIDS agent namespace inside Suricata NIDS alerts and NetFlow events, which allows Alertflex to correlate events between the network and endpoints.
- Additionally, Alertflex can process network events from Sysmon (Windows), Auditd (Linux) and PacketBeat (Elastic) to determine which host application initiated a network session.
- Combining events from Falco CRS (Container Runtime Security) with events from HIDS and NIDS provides an integrated analysis of network, containers and hosts.
- Alertflex provides orchestrator functionality for several third-party applications and cybersecurity platforms. The system can integrate the following open source products into one solution: OWASP ZAP, Nmap, RITA, MISP, TheHive Project, Cuckoo Sandbox, Graylog, ElasticStack and more.
- Assigns different statuses to alerts and incidents.
- Records the history of an incident (incident workflow).
- Can create an incident on external incident management platforms (TheHive or JIRA) through their REST API.
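The network/endpoint/container correlation described in the three items above is shown in an added Python example that is not Alertflex code. It assumes an agent inventory keyed by IP address, a Sysmon Event ID 3 (network connection) record forwarded by the HIDS agent, and a Falco event from the destination host; the join keys (connection 5-tuple plus a time window, hostname plus a time window) and all events are constructed for illustration.

```python
"""Added example (not Alertflex code): enrich one Suricata NIDS alert with the
HIDS agent names of both endpoints, the Windows process that opened the
connection (Sysmon Event ID 3) and the container active on the destination
host (Falco). Event layouts and join keys are assumptions."""
import datetime as dt

# Constructed agent inventory: IP address -> HIDS agent name.
AGENTS = {"10.0.0.5": "win-ws-01", "10.0.0.9": "srv-02"}

# Constructed Suricata alert (EVE field names).
NIDS_ALERT = {
    "timestamp": "2024-01-01T10:00:02+00:00",
    "src_ip": "10.0.0.5", "src_port": 49731,
    "dest_ip": "10.0.0.9", "dest_port": 4444,
    "alert": {"signature": "CONSTRUCTED suspicious outbound connection"},
}

# Constructed Sysmon Event ID 3 records from the source host; only the second
# one belongs to the connection the NIDS saw.
SYSMON_EVENTS = [
    {"UtcTime": "2024-01-01T10:00:01+00:00", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ProcessId": 1200, "SourceIp": "10.0.0.5", "SourcePort": 49700,
     "DestinationIp": "10.0.0.9", "DestinationPort": 443},
    {"UtcTime": "2024-01-01T10:00:01+00:00", "Image": "C:\\Users\\alice\\Downloads\\update.exe",
     "ProcessId": 4412, "SourceIp": "10.0.0.5", "SourcePort": 49731,
     "DestinationIp": "10.0.0.9", "DestinationPort": 4444},
]

# Constructed Falco event on the destination host.
FALCO_EVENTS = [
    {"time": "2024-01-01T10:00:02.500000+00:00", "hostname": "srv-02",
     "rule": "CONSTRUCTED network tool launched in container",
     "output_fields": {"container.name": "api-1", "proc.name": "nc"}},
]


def parse_ts(value):
    return dt.datetime.fromisoformat(value)


def within(a, b, window_s):
    return abs((parse_ts(a) - parse_ts(b)).total_seconds()) <= window_s


def correlate(alert, agents=AGENTS, sysmon=SYSMON_EVENTS, falco=FALCO_EVENTS, window_s=5):
    """Return the alert enriched with endpoint, process and container context."""
    result = {
        "alert": alert["alert"]["signature"],
        "src_agent": agents.get(alert["src_ip"]),
        "dst_agent": agents.get(alert["dest_ip"]),
        "process": None,
        "container": None,
    }
    # Process attribution: exact 5-tuple match, timestamps within the window.
    for ev in sysmon:
        same_conn = (ev["SourceIp"] == alert["src_ip"] and ev["SourcePort"] == alert["src_port"]
                     and ev["DestinationIp"] == alert["dest_ip"]
                     and ev["DestinationPort"] == alert["dest_port"])
        if same_conn and within(ev["UtcTime"], alert["timestamp"], window_s):
            result["process"] = {"image": ev["Image"], "pid": ev["ProcessId"]}
            break
    # Container attribution: same host as the destination agent, same window
    # (a weaker key than the 5-tuple, so treat it as a hint rather than proof).
    for ev in falco:
        if ev["hostname"] == result["dst_agent"] and within(ev["time"], alert["timestamp"], window_s):
            result["container"] = ev["output_fields"].get("container.name")
            break
    return result
```

The 5-tuple join is reliable because ephemeral source ports are unique per host for the duration of a connection; the hostname-plus-time join for Falco is only a hint and should be presented as such in the alert.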
Additionally, Alertflex implements incident response profiles that are applied automatically to all new alerts. If the parameters of an alert match the predefined criteria of a profile, Alertflex performs the action indicated in the profile:
- Sends e-mail, Slack or Twilio SMS notifications to a group of users
- Automatically sends the alert to external incident management platforms
- Executes playbooks
Alertflex implements linear playbooks, which execute different types of jobs sequentially:
- Run scripts on remote hosts/agents
- Copy/move files between hosts
- Send files from hosts to a sandbox for malware analysis
- Perform scans (OWASP ZAP, Nmap, etc.)
- Update rules and IP blocking lists for IDS
- Generate an e-mail report
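Response profiles and linear playbooks, as described in the two lists above, are shown together in an added Python example. It is not Alertflex code: the profile criteria, action names, playbook job types and the in-memory stand-ins for remote execution, sandbox submission and reporting are all assumptions made so the example runs offline; the point demonstrated is profile matching, sequential execution where a later job depends on an earlier one, and abort on the first failed job.

```python
"""Added example (not Alertflex code): match a new alert against response
profiles, dispatch the profile's actions, and run a linear playbook whose
jobs execute in order and stop at the first failure. All formats are
assumptions for illustration."""
import re

# Constructed response profiles: criteria plus ordered actions.
PROFILES = [
    {"name": "critical-nids",
     "match": {"source": "suricata", "severity_max": 1, "description_re": r"(?i)shell|exploit"},
     "actions": ["notify:soc", "incident:thehive", "playbook:contain-host"]},
    {"name": "any-waf", "match": {"source": "modsecurity"},
     "actions": ["notify:web-team"]},
]

# Constructed linear playbook; later jobs rely on earlier ones.
PLAYBOOKS = {"contain-host": [
    {"job": "update_blocklist", "ip_from": "src_ip"},
    {"job": "run_script", "host_from": "src_ip", "script": "collect_triage.sh"},
    {"job": "send_to_sandbox", "file": "/tmp/triage.bin"},
    {"job": "email_report"},
]}

# Hosts the (simulated) agent channel can reach.
REACHABLE_HOSTS = {"10.0.0.5"}


def profile_matches(profile, alert):
    m = profile["match"]
    if "source" in m and alert["source"] != m["source"]:
        return False
    if "severity_max" in m and alert["severity"] > m["severity_max"]:
        return False
    if "description_re" in m and not re.search(m["description_re"], alert["description"]):
        return False
    return True


def actions_for(alert, profiles=PROFILES):
    return [a for p in profiles if profile_matches(p, alert) for a in p["actions"]]


# Job handlers: each records its effect in a shared state dict. In a real
# system these would call the agent, the sandbox API and the mail server.
def job_update_blocklist(job, alert, state):
    state.setdefault("blocklist", set()).add(alert[job["ip_from"]])


def job_run_script(job, alert, state):
    host = alert[job["host_from"]]
    if host not in REACHABLE_HOSTS:
        raise RuntimeError(f"agent on {host} unreachable")
    state.setdefault("commands", []).append((host, job["script"]))


def job_send_to_sandbox(job, alert, state):
    if not state.get("commands"):
        raise RuntimeError("nothing collected to submit")
    state.setdefault("sandbox", []).append(job["file"])


def job_email_report(job, alert, state):
    state["report"] = (f"{alert['description']} from {alert['src_ip']}: "
                       f"blocked={sorted(state['blocklist'])} sandbox={state.get('sandbox', [])}")


JOB_HANDLERS = {"update_blocklist": job_update_blocklist, "run_script": job_run_script,
                "send_to_sandbox": job_send_to_sandbox, "email_report": job_email_report}


def run_playbook(name, alert, state):
    """Execute jobs in order; the first failure aborts the remaining jobs."""
    log = []
    for job in PLAYBOOKS[name]:
        try:
            JOB_HANDLERS[job["job"]](job, alert, state)
            log.append((job["job"], "ok"))
        except RuntimeError as exc:
            log.append((job["job"], f"failed: {exc}"))
            break
    return log


def dispatch(alert, state):
    """Apply every matching profile's actions to one new alert."""
    for action in actions_for(alert):
        kind, _, target = action.partition(":")
        if kind == "notify":
            state.setdefault("notified", []).append(target)
        elif kind == "incident":
            state.setdefault("incidents", []).append((target, alert["description"]))
        elif kind == "playbook":
            state.setdefault("playbook_logs", {})[target] = run_playbook(target, alert, state)
    return state
```

Aborting on the first failed job is the safe default for containment playbooks: submitting a file that was never collected, or mailing a report that claims a host was isolated when the script never ran, would mislead the responder.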