Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Device Configuration

Raw Network and Metadata Stream

These can be the unprocessed inputs from the network.

Netflow

NetFlow (V5, V9 and IPFIX) is a protocol for aggregating IP traffic information. With NetFlow V9/IPFIX, one can look into Layer 2 traffic as well. The platform leverages NetFlow as one of its source inputs. NetFlow enables the collection of traffic flow statistics on routing devices and is completely transparent to the existing network, including end stations, application software and network devices such as LAN switches. Because NetFlow is performed independently on each internetworking device, it must be enabled on each router in the network. CCE receives NetFlow on port 9995.

OTM needs the following fields from NetFlow records: IN_BYTES, IN_PKTS, PROTOCOL, TCP_FLAGS, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR, LAST_SWITCHED and FIRST_SWITCHED.
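As an added illustration (this is not Seceon's code), the following parser reads a NetFlow v5 datagram the way a collector listening on port 9995 would receive it and extracts only the fields listed above. Mapping the fixed v5 record layout onto the V9/IPFIX field names used here is this example's own assumption, and the sample datagram is constructed inline.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format, network byte order: 24-byte header, then
# `count` fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Return one dict per flow record, keyed by the V9/IPFIX-style names
    a collector consumes (mapping v5 fields onto those names is assumed)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:  # reject truncated exports instead of misparsing
        raise ValueError(f"truncated datagram: {len(datagram)} < {expected} bytes")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _inp, _out, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos,
         _sas, _das, _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "IPV4_SRC_ADDR": str(IPv4Address(src)),
            "IPV4_DST_ADDR": str(IPv4Address(dst)),
            "L4_SRC_PORT": sport,
            "L4_DST_PORT": dport,
            "PROTOCOL": proto,
            "TCP_FLAGS": tcp_flags,
            "IN_PKTS": pkts,
            "IN_BYTES": octets,
            "FIRST_SWITCHED": first,   # sysUptime (ms) at first packet
            "LAST_SWITCHED": last,     # sysUptime (ms) at last packet
        })
    return flows


def build_sample_datagram() -> bytes:
    """Constructed sample: one v5 export carrying two flow records."""
    hdr = V5_HEADER.pack(5, 2, 360000, 1700000000, 0, 1, 0, 0, 0)
    rec1 = V5_RECORD.pack(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), bytes(4), 1, 2,
                          12, 1536, 350000, 359000, 52344, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    rec2 = V5_RECORD.pack(bytes([10, 0, 0, 7]), bytes([10, 0, 0, 1]), bytes(4), 1, 2,
                          1, 76, 355000, 355000, 40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return hdr + rec1 + rec2
```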

sFlow

sFlow is a packet sampling technology in which the switch captures every 100th packet (configurable) per interface and sends it to the collector. sFlow is built into the ASIC and places minimal load on the CPU. It is a general-purpose network traffic measurement technology, designed to be embedded in any network device and to provide continuous statistics on any protocol (L2, L3, L4, and up to L7), so that all traffic throughout a network can be accurately characterized and monitored. These statistics are essential for congestion control, troubleshooting, security surveillance, network planning and similar tasks, and can also be used for IP accounting. Switches from vendors such as Brocade, Extreme and HP support sFlow. The Seceon CCE provides a flow collector function that collects these samples and converts them into flow information that can be used by the APE. Seceon CCE receives sFlow on port 6343.

Syslog

Syslog is a way for network devices to send event messages to a logging server, usually known as a Syslog server. In this case, CCE acts as one. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events. For example, a router might send messages about users logging on to console sessions, while a web server might log access-denied events. Most network equipment, such as routers and switches, can send Syslog messages. Many servers can also generate Syslog data, as can most firewalls, some printers, and web servers such as Apache. Windows-based servers do not support Syslog natively, but a large number of third-party tools (e.g. NXLog) make it easy to collect Windows Event Log or IIS data and forward it to a Syslog server. The Seceon CCE receives these logs from the network on port 514.

Raw Application Logs

CCE also receives logs from several applications in the network, such as MSSQL. These logs are received on port 514.

Threat Intelligence and Enrichment Data

The platform consumes feeds from its predefined set of threat intelligence sources for enrichment, such as blacklisted URLs and domain names. Users can add feeds from their own sources through Seceon professional services.

Other streaming telemetry can also be ingested: a supported SIEM can act as an aggregator, and the aggregated logs can then be sent to CCE.


Seceon Inc. All rights reserved. https://www.seceon.com