Simplify and Automate Cybersecurity Monitoring

Alerts filtering, prioritization and visualization

The Alertflex implements security events management functions for a distributed hub of security sensors (Suricata NIDS, Wazuh HIDS, Falco CRS, Modsecurity WAF). Its are based on the next modern levels: Collection (Alertflex collector), Streaming (ActiveMQ), Analysis (Alertflex controller), Storage (MySQL), Access (Alertflex controller and console).

  • Alertflex Collector (Altprobe) receives through the Redis or directly from log files IDS events from Suricata NIDS, Wazuh HIDS, Modsecurity WAF, Falco CRS in JSON format.

  • Based on filtering policies, Collector extracts high priority events, makes aggregation and normalization for them. It allows to simplify the management of alerts, reduces noise from minor events.

  • The Collector immediately sends high priority events (alerts) to the central node.

  • For implementing the “Anti-flooding” algorithm which prevents large bursts of events on the central node side, the Collector sends to Controller large size info (NetFlow, statistics, reports) inside of pre-accumulated and compressed data blocks.

  • The Controller saves alerts in Alertflex database (MySQL).

  • The Controller can redirect alerts to Graylog, ElasticStack, OpenDistro log management platforms.

  • Provides a REST API and STIX-shifter interface for access to alerts.

  • The web management console provides various reports and web-form for alerts search.

Detection intrusions, vulnerabilities and misconfigurations

For Threat Detection, the Alertflex uses Controller based integration with the Cyber Threat Intelligence platform MISP. For finding vulnerabilities and assets misconfigurations, Alertflex performs a comprehensive analysis of different reports from security sensors and remote vulnerability scanners.

  • The Alertlex performs reputation checks for IP addresses, DNS records, MD5 and SHA1 hashes of files. Creates an alert, in case of suspicious data has been found.

  • Performs analysis of different reports (OpenSCAP, OWASP ZAP, Nessus, Nmap, Wazuh SCA, Docker Bench, etc). Generates alert if a new vulnerability, misconfigurations, processes, packages or user has been found.

  • For advanced WEB analytics can be used Grafana that connected with Alertflex Database (MySQL).

Integrated analysis network, containers and hosts

Putting together security events from Falco CRS (Container Runtime Security), Wazuh (Host IDS) and Suricata (Network IDS) provides an integrated analysis of network, containers, and hosts.

  • The Alertflex components recognize the Wazuh HIDS agent's namespace inside of the Suricata NIDS alerts and Netflow events. It allows you to perform a correlation of security events for Network and Endpoints.

  • Additionally, Alertflex can recognize of fields process id and process name inside events of PacketBeat (ElasticStack). Matching these events with alerts from Suricata IDS gives you the possibility to trace of the suspicious network session from NIDS to an application/process on the host.

Security operations automation and response

Alertflex works as a security orchestrator for several third-party applications/cybersecurity platforms. The system can integrate into one solution the next open source products: OWASP ZAP, Nmap, Nessus, MISP, Cuckoo Sandbox, Graylog, ElasticStack and more.

  • Can periodically run scanning of remote files in Malware Analysis Sandbox (Cuckoo, Hybrid Analysis, VMRay)

  • IDS centralized management for rules, configs, filtering policies, IP address blocking lists.

  • Integrates with SAST and DAST tools (Nmap, Nessus, SonarQube, OWASP ZAP)

  • Automatically run remote scripts via SSH and SFTP protocols.