Alertflex implements security event management functions for a distributed hub of security sensors (Suricata NIDS, Wazuh HIDS, Falco CRS, Modsecurity WAF). It is built on the following layers: Collection (Alertflex collector), Streaming (ActiveMQ), Analysis (Alertflex controller), Storage (MySQL), Access (Alertflex controller and console).
The Alertflex Collector (Altprobe) receives IDS events in JSON format from Suricata NIDS, Wazuh HIDS, Modsecurity WAF and Falco CRS, either through Redis or directly from log files.
Based on filtering policies, the Collector extracts high-priority events and aggregates and normalizes them. This simplifies alert management and reduces noise from minor events.
The Collector immediately sends high-priority events (alerts) to the central node.
To implement the “Anti-flooding” algorithm, which prevents large bursts of events on the central node, the Collector sends large-volume information (NetFlow, statistics, reports) to the Controller inside pre-accumulated, compressed data blocks.
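As an added illustration of the Collector behaviour described above (filter by policy, aggregate and normalize alerts, ship bulk data as compressed blocks), here is example code written for this page, not Altprobe's own code; the normalized field names, the severity threshold and the sample EVE lines are assumptions/constructed data.

```python
import json
import zlib
from collections import OrderedDict

# Constructed Suricata EVE JSON lines; not real traffic, not from Alertflex.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"ET SCAN Nmap","severity":2}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"ET SCAN Nmap","severity":2}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature":"ET POLICY Telnet","severity":3}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","flow":{"pkts_toserver":3}}',
    '{"event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","alert":{"signature":"ET MALWARE Beacon","severity":1}}',
]

def normalize(event):
    """Map a Suricata EVE alert to one common record shape (field names are assumed)."""
    a = event["alert"]
    return {"source": "suricata", "severity": a["severity"], "signature": a["signature"],
            "src_ip": event["src_ip"], "dest_ip": event["dest_ip"]}

def extract_alerts(lines, max_severity=2):
    """Filtering policy + aggregation: alerts at or above the priority threshold are
    normalized and de-duplicated; everything else goes to the batched (bulk) path.
    Suricata severity 1 is the highest priority, so 'keep' means severity <= threshold."""
    aggregated = OrderedDict()
    bulk = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            bulk.append(event)                      # flow/stats records: not urgent
            continue
        norm = normalize(event)
        if norm["severity"] > max_severity:
            bulk.append(event)                      # minor alert: noise, not forwarded alone
            continue
        key = (norm["signature"], norm["src_ip"], norm["dest_ip"])
        if key in aggregated:
            aggregated[key]["count"] += 1           # repeat within the window: count it once
        else:
            norm["count"] = 1
            aggregated[key] = norm
    return list(aggregated.values()), bulk

def pack_batch(events):
    """Anti-flooding path: accumulate bulk records and ship them as one compressed block."""
    return zlib.compress(json.dumps(events).encode("utf-8"))

def unpack_batch(blob):
    """Controller side: inflate a block back into the original list of records."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))
```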
The Controller saves alerts in Alertflex database (MySQL).
The Controller can forward alerts to the Graylog, ElasticStack or OpenDistro log management platforms.
The Controller provides a REST API and a STIX-shifter interface for access to alerts.
The web management console provides various reports and a web form for alert search.
Alertflex performs reputation checks for IP addresses, DNS records, and MD5 and SHA1 hashes of files, and creates an alert if suspicious data is found.
It analyzes reports from various tools (OpenSCAP, OWASP ZAP, Nessus, Nmap, Wazuh SCA, Docker Bench, etc.) and generates an alert if a new vulnerability, misconfiguration, process, package or user has been found.
For advanced web analytics, Grafana can be used, connected to the Alertflex database (MySQL).
The Alertflex components recognize the Wazuh HIDS agent's namespace inside Suricata NIDS alerts and NetFlow events. This allows you to correlate security events between the network and endpoints.
Additionally, Alertflex can recognize the process id and process name fields inside PacketBeat (ElasticStack) events. Matching these events with alerts from Suricata IDS makes it possible to trace a suspicious network session from the NIDS to an application/process on the host.
It can periodically scan remote files in a Malware Analysis Sandbox (Cuckoo, Hybrid Analysis, VMRay).
Centralized IDS management for rules, configs, filtering policies and IP address blocking lists.
Integrates with SAST and DAST tools (Nmap, Nessus, SonarQube, OWASP ZAP).
Automatically runs remote scripts via the SSH and SFTP protocols.