Data Ingestion
Many customers already aggregate and index network data in platforms such as Splunk and Elastic, from which it can be shipped to AE for scoring. The engine also supports ingest directly from network sensors and from cloud infrastructure.
AlphaSOC maintains a software package called Network Flight Recorder (NFR) that can be deployed on a physical appliance or a virtual machine, or run locally as a lightweight agent. NFR can operate as a sniffer that monitors packets in real time, or it can parse network events from log files on disk.
The table below lists the supported data sources, the telemetry types each provides, and the mechanism by which each can be sent to AE for processing. For example, users can submit logs directly to AE from an Elastic environment using Logstash or Packetbeat, or use AlphaSOC NFR to monitor Zeek or Suricata log files on disk and ship those to AE for scoring. AE can also retrieve events from Amazon S3.
Source | DHCP | DNS | HTTP | IP | TLS | VPN | Ingestion Options
---|---|---|---|---|---|---|---
AWS VPC Flow | | | | ✓ | | | Amazon S3
Azure NSG Flow | | | | ✓ | | | Azure Blob Storage
Corelight | ✓ | ✓ | ✓ | ✓ | ✓ | | SFTP, Amazon S3, or AlphaSOC NFR
Elasticsearch | | ✓ | ✓ | ✓ | ✓ | | AlphaSOC NFR
GCP VPC Flow Logs | | | | ✓ | | | Google Cloud Storage
Snowflake | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Shared Data Table
Splunk | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Network Behavior Analytics for Splunk
Suricata | ✓ | ✓ | ✓ | ✓ | ✓ | | AlphaSOC NFR
Zeek / Bro | ✓ | ✓ | ✓ | ✓ | ✓ | | AlphaSOC NFR

The DHCP, DNS, HTTP, IP, TLS, and VPN columns are the telemetry types each source can provide.
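As an added illustration of which on-disk events map onto the telemetry types in the table, the following Python example (written for this page, not code from AlphaSOC or from NFR) reads a Zeek TSV log and a set of Suricata EVE JSON lines and normalises each record to one of the DHCP/DNS/HTTP/IP/TLS types. The mapping of Zeek log names and Suricata `event_type` values to telemetry types is this example's own reading of the table, and the sample log lines are constructed.

```python
"""Normalise Zeek and Suricata events on disk to the telemetry types in the table."""
import json
from collections import Counter

# Zeek #path value -> telemetry type, and Suricata EVE event_type -> telemetry type.
# Both mappings are assumptions made for this example, not a list published by AlphaSOC.
ZEEK_PATH_TO_TYPE = {"conn": "IP", "dns": "DNS", "http": "HTTP", "ssl": "TLS", "dhcp": "DHCP"}
EVE_TYPE_TO_TYPE = {"flow": "IP", "dns": "DNS", "http": "HTTP", "tls": "TLS", "dhcp": "DHCP"}

# Constructed sample input: an excerpt of a Zeek dns.log (TSV with header lines).
ZEEK_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery",
    "1600000000.1\tC1\t10.0.0.5\t51000\t10.0.0.2\t53\tudp\texample.com",
    "1600000000.2\tC2\t10.0.0.5\t51001\t10.0.0.2\t53\tudp\tupdates.example.net",
])

# Constructed sample input: Suricata EVE JSON lines. The alert record is deliberately
# included to show that non-telemetry event types are dropped.
SURICATA_EVE = [
    '{"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"example.com"}}',
    '{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","http":{"hostname":"example.com","url":"/"}}',
    '{"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","tls":{"sni":"example.com"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","proto":"TCP","dest_port":443}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","alert":{"signature":"test"}}',
]


def parse_zeek_log(text):
    """Parse a Zeek TSV log. Returns (path, rows) where rows are dicts keyed by #fields."""
    path, fields, rows = None, None, []
    for line in text.splitlines():
        if line.startswith("#path\t"):
            path = line.split("\t", 1)[1]
        elif line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header/footer lines and blanks
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return path, rows


def zeek_events(text):
    """Normalise one Zeek log; logs that are not in the table are ignored."""
    path, rows = parse_zeek_log(text)
    ttype = ZEEK_PATH_TO_TYPE.get(path)
    if ttype is None:
        return []
    # DNS/HTTP/TLS carry a name worth scoring; conn/dhcp do not.
    # Zeek dhcp.log uses client_addr/server_addr rather than id.orig_h/id.resp_h.
    name_field = {"DNS": "query", "HTTP": "host", "TLS": "server_name"}.get(ttype)
    return [{
        "type": ttype,
        "src": r.get("id.orig_h") or r.get("client_addr"),
        "dst": r.get("id.resp_h") or r.get("server_addr"),
        "name": r.get(name_field) if name_field else None,
    } for r in rows]


def suricata_events(lines):
    """Normalise Suricata EVE JSON lines; alert/stats/fileinfo records are dropped."""
    out = []
    for line in lines:
        rec = json.loads(line)
        ttype = EVE_TYPE_TO_TYPE.get(rec.get("event_type"))
        if ttype is None:
            continue
        name = None
        if ttype == "DNS":
            name = rec["dns"].get("rrname")
        elif ttype == "HTTP":
            name = rec["http"].get("hostname")
        elif ttype == "TLS":
            name = rec["tls"].get("sni")
        out.append({"type": ttype, "src": rec.get("src_ip"), "dst": rec.get("dest_ip"), "name": name})
    return out


def telemetry_counts(events):
    """Count normalised events per telemetry type."""
    return dict(Counter(e["type"] for e in events))


if __name__ == "__main__":
    events = zeek_events(ZEEK_DNS_LOG) + suricata_events(SURICATA_EVE)
    for e in events:
        print(e)
    print(telemetry_counts(events))
```

Running the script prints one normalised record per telemetry event and a per-type count; the Suricata alert record is absent from the output because alerts are not one of the telemetry types the table scores.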