The platform takes variety of inputs from the network and processes it to give results. These inputs can be:

Seceon Public Portal > Feeds/Inputs to aiSIEM > image2019-3-21_8-28-2.png

Raw Network and Metadata Stream: These can be the unprocessed inputs from the network.
Netflows: Netflow (V5, V9 and IPfix)is a protocol for aggregating IP traffic information. With Netflow V9/IPfix, one can look into Layer 2 traffic as well. The platform leverages Netflows as one of its source inputs. Netflows enable collection of traffic flow statistics on routing devices and is completely transparent to the existing network, including end stations, application software and network devices like LAN switches. As Netflow is performed independently on each internetworking device, it should be made operational on each router in the network. CCE receives Netflows on port 9995.

OTM needs the following informational fields from netflows: IN_BYTES, IN_PKTS, PROTOCOL, TCP_FLAGS, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR, LAST_SWITCHED, and FIRST_SWITCHED. For more details refer to https://www.plixer.com/support/netflow-v9/.

SFlows: SFlow is a packet sampling technology where the switch captures every 100th packet (configurable) per interface and sends it off to the collector. Sflow is built into the ASIC, and places minimal load on the CPU. It is a general purpose network traffic measurement system technology. sFlow is designed to be embedded in any network device and to provide continuous statistics on any protocol (L2, L3, L4, and up to L7), so that all traffic throughout a network can be accurately characterized and monitored. These statistics are essential for congestion control, troubleshooting, security surveillance, network planning etc. They can also be used for IP accounting purposes. Some of the switches like Brocade, Extreme and HP support SFlows. The Seceon CCE provides a Flow collector function to collect these flows and convert them to flow information that can be used by the APE. Seceon CCE receives SFlows on port 6343.
Syslog: Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. In this case CCE acts as one. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events. For example, a router might send messages about users logging on to console sessions, while a web-server might log access-denied events. Most network equipment, like routers and switches, can send Syslog messages. Not only that, but some servers also have the ability to generate Syslog data, as do most firewalls, some printers, and even web-servers like Apache. Windows-based servers don’t support Syslog natively, but a large number of third-party tools (e.g. Nxlog) make it easy to collect Windows Event Log or IIS data and forward it to a Syslog server. The Seceon CCE receives these logs from the network on port 514.
Raw Application Logs: CCE also receives logs from several applications like MSSQL in the network. These logs are received on port 514.
Threat Intelligence and Enrichment Data – The platform consumes feeds from its predefined set of threat intelligence sources for enrichment such as blacklisted URL and domain names. User can send feed from their own sources using the Seceon professional services.

Other streaming telemetry such as supported SIEM data can be used as an aggregator and the aggregated logs can be sent to CCE.

Please note that it is not mandatory to get all the above sources of information from every network but we need to ensure that there is atleast one flow source( either sflow or netflow), and one log source(identity logs from windows) redirected for complete visualization. At the same time, you can redirect sources as many as you want.

Configurations

This section has various subsections referring to the instructions of configuring data from various logs/flows sources to the Seceon CCE. Please refer to the respective subsection based on your requirement.