When we look at what the SIEM market leaders offer, each of them builds its environment on two elements: log analysis and network traffic analysis.
If you want to build this element into your own infrastructure, add behavioral analysis of network traffic to the Energy Logserver environment.
Flowmon ADS is a perfect choice for that. Its analytical rules track network traffic on the basis of flow protocols or traffic copies and automatically generate security incidents. There are many ADS rules; the embedded rules work on several fields:
Data from Flowmon ADS illustrate not so much the number of packets sent from A to B; rather, they draw our attention to the transmissions that are suspicious in the context of security. Each incident has a threat rank, which places it on the reports with the right priority.
The value of this approach hardly needs to be argued.
Let's get a new dimension
Let's combine this dynamic security system with 100% of the logs of our operating systems and applications, and Flowmon's incidents will gain a new dimension: network security will be correlated with the operation of the applications.
Can it be done?
Flowmon readily transmits information about security events to the SIEM system by means of CEF messages sent via syslog.
What we will see in the system:
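As an added example (not code from the article or from Flowmon), the following Python parser turns a syslog line carrying a CEF event, the transport described above, into the flat set of fields a SIEM pipeline would index, honouring CEF's escaping of `|` in the header and `=` in the extension. The sample line, vendor/product values and extension keys are constructed for illustration, not copied from a real Flowmon message; the severity buckets follow the CEF specification's 0-3/4-6/7-8/9-10 mapping.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of a CEF event received over syslog; the vendor,
# product, signature and field values are illustrative, not a real Flowmon message.
SAMPLE_SYSLOG = ('<134>Jan 10 12:00:01 flowmon CEF:0|Flowmon|ADS|11.0|SCANS|Port scan detected|7|'
                 'src=10.0.0.5 dst=10.0.0.9 spt=51234 dpt=445 proto=TCP '
                 'msg=Host 10.0.0.5 scanned 200 ports on dst\\=10.0.0.9 cnt=200')

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')   # start of an unescaped "key=" pair


def split_unescaped_pipes(text: str, limit: int) -> List[str]:
    """Split on '|' not preceded by a backslash, at most `limit` times; the remainder is kept raw."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if len(parts) == limit:                 # header complete: rest is the raw extension
            buf.append(text[i:]); break
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):    # escaped char (\| or \\) is taken literally
            buf.append(text[i + 1]); i += 2; continue
        if ch == '|':
            parts.append(''.join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def unescape_ext(value: str) -> str:
    """Undo the escapes CEF allows inside extension values."""
    return value.replace('\\=', '=').replace('\\n', '\n').replace('\\r', '\r').replace('\\\\', '\\')


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one syslog line carrying a CEF event into a flat dict of header and extension fields."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('not a CEF message')
    parts = split_unescaped_pipes(line[start + 4:], 7)
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = parts[7]
    matches = list(KEY_RE.finditer(ext))
    nxt: List[Optional[re.Match]] = matches[1:] + [None]
    for m, n in zip(matches, nxt):               # value runs up to the next unescaped "key="
        end = n.start() if n else len(ext)
        event[m.group(1)] = unescape_ext(ext[m.end():end].strip())
    return event


def severity_bucket(event: Dict[str, str]) -> str:
    """Map the CEF severity (0-10) to the priority label used when ranking incidents."""
    sev = int(event["severity"])
    return "Low" if sev <= 3 else "Medium" if sev <= 6 else "High" if sev <= 8 else "Very-High"
```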
Search for Flowmon ADS data
The potential of this integration.
All fields from the Flowmon analysis are available to us as variables, which allows us to search for any other traces of the infected IP address in our infrastructure. Everything is presented on a synchronized timeline, which further helps in observing trends and deviations.
Is this information sufficient for our SOC?
Let's see how they react to the presented visualization.
Visualization of ADS Events
We can easily narrow down the views by selecting fields with the mouse, which gives the integration additional advantages. In Energy Logserver we have the ability to run correlated alarms, so let's combine the ADS events with the behavior of the application and let the alarm that has been triggered be passed on to the maintenance departments.
Afterwards, we can also run reports, which in the form of PDF files will present us with the same synchronized data.
PDF Kibana report from ADS data
So where are we now?
Elastic gives us large scale for central log management; Flowmon ADS adds a dynamic security feed to the static log view. We can immediately initiate actions towards the SOC and Umbrella systems. Are we still performing log management, or have we touched SIEM? The answer is yours!