Data Ingestion
Many customers leverage aggregation and storage mechanisms such as Splunk and Elastic to index and collect data, which can then be easily shipped to AE for scoring. The engine also supports ingest directly from network sensors and cloud infrastructure.
AlphaSOC maintains a software package called Network Flight Recorder (NFR) that can be deployed on a physical appliance, virtual machine, or run locally as a lightweight agent. NFR can operate as a sniffer to monitor packets in real-time, or parse network events from storage.
The table below describes the supported data sources and the mechanism by which each can be sent to AE for processing. For example, users can submit logs directly to AE from an Elastic environment using LogStash or Packetbeat, or use AlphaSOC NFR to monitor Zeek or Suricata log files on disk and ship those to AE for scoring. AE can also retrieve events from Amazon S3.
| Source | Telemetry Type | Ingestion Options | Plug & Play | |||||
|---|---|---|---|---|---|---|---|---|
| DHCP | DNS | HTTP | IP | TLS | VPN | |||
| AWS VPC Flow | ✓ | Amazon S3 | ✓ | |||||
| Corelight | ✓ | ✓ | ✓ | ✓ | ✓ | Amazon S3 / SFTP | ✓ | |
| Splunk | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Network Behavior Analytics for Splunk | ✓ |
| Suricata | ✓ | ✓ | ✓ | ✓ | ✓ | AlphaSOC NFR | ||
| Zeek / Bro | ✓ | ✓ | ✓ | ✓ | ✓ | AlphaSOC NFR | ||
Plug and Play indicates native integration with instant, simple deployment. Configuring ingestion via NFR requires some manual configuration.