NDR: Frequently Asked Questions (FAQs)

Description

This article will answer Frequently Asked Questions about MSS’s NDR offering.


Reports

Why Don’t I See Any Alerts in the Report?

Stellar has a built-in alerting system that assigns severity ratings (Critical, High, Medium, Low) based on predefined criteria. However, these severity ratings apply only to individual alerts and do not provide a complete picture of the broader security landscape.

The MSS SOC does not rely on Stellar's built-in alerts or severity criteria. Instead, we have developed a proprietary alerting system using artificial intelligence, mathematical algorithms, and cross-product correlation. The system analyzes multiple data points across your entire environment, considering all ingested logs rather than isolated alerts. By doing so, we can effectively filter out noise and focus on actionable intelligence, allowing our SOC team to determine whether an alert requires direct contact.

We recommend logging into Stellar regularly to familiarize yourself with your environment’s baseline. This will help you better understand which types of alerts are considered "normal."

If you have any questions about an alert in your report, our SOC team will be happy to review it with you.

As a general rule, if the SOC has not contacted you, no critical threats have been identified based on MSS’s custom alerting criteria. This means that while there may be "Critical" alerts in Stellar’s reporting, they have not met the threshold for an MSS Critical Alert requiring action.

How to Read the NDR Ingestion Report

The NDR Ingestion Report is divided into four key sections, each providing visibility into how syslog data is being received and parsed by Stellar.

  1. Windows Sensor Syslog Ingestion Sources (Top Left)
    1. This section displays information about devices sending syslogs to a Windows server sensor.
      1. Log Source Device Name: The hostname of the device sending syslogs to the Windows sensor.
      2. Log Source Device IP: The public IP address of the Windows server sensor, which forwards logs from the customer environment to the SIEM Data Processor.
      3. Log Source Device Class: The vendor or type of network device (e.g., SonicWall, Fortinet, Cisco).
      4. Log Source Port: The port used by the Windows sensor to forward logs to the SIEM Data Processor. For Windows sensors, this is typically UDP 5767.
    2. Note: If these fields are populated, it confirms Stellar is successfully parsing the log data. If the fields are blank, Stellar is not parsing the logs correctly.
    3. If you're only seeing a single device listed, but know that multiple devices are sending syslogs, ensure that each source device is using a unique name in its syslog configuration. If multiple devices share the same name (e.g., “firewall”), they will appear as a single entry in the report.
  2. Virtual/Physical Sensor Syslog Ingestion Sources (Top Right)
    1. This section reflects devices sending syslogs to a virtual or physical security sensor.
      1. IP of the Forwarder: The internal IP address of the device sending syslogs to the sensor.
      2. Vendor: The vendor/type of device sending logs (e.g., SonicWall, Fortinet, Cisco).
      3. Ingestion Port: The port used by the sensor to receive syslogs. This port may vary depending on the device.
      4. Sensor Name: The name of the virtual or physical security sensor receiving the logs.
    2. Note: As with the previous section, blank fields indicate the logs are not being correctly parsed by Stellar.
  3. Connector Ingestion Usage (Bottom Left)
    1. This section shows log ingestion data from configured connectors (e.g., third-party integrations or cloud services).
    2. If no data appears here, it means no connectors are currently configured for this tenant.
  4. Log Ingestion Usage by Device Type (Bottom Right)
    1. This chart displays overall ingestion volume segmented by device type—such as SonicWall, Cisco, Fortinet, etc.—helping visualize which technologies are contributing to log ingestion.
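The two notes above (blank fields mean the header is not being parsed; devices that share a syslog hostname collapse into one entry) can be checked before logs ever reach the sensor. The following Python script is an added example, not Stellar's parser or any MSS tooling: it reads a few constructed RFC 3164-style syslog lines, each paired with a made-up source IP, extracts the hostname from the header, and reports hostnames shared by more than one source IP and lines whose header does not parse at all. Stellar's real parsing rules are not described on this page, so treat this only as a local pre-flight check of your own device configuration.

```python
"""Pre-flight check: will each syslog-forwarding device appear as its own entry?

Added example; not Stellar's parser. Sample data below is constructed.
"""
import re
from collections import defaultdict

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Constructed sample: (source IP as seen by the sensor, raw syslog line).
# Hostnames, IPs and message bodies are made up for this example.
SAMPLE_SYSLOG = [
    ("192.0.2.10", '<134>Jan 10 12:00:01 fw-branch-01 sonicwall: msg="Connection Opened"'),
    ("192.0.2.11", "<134>Jan 10 12:00:02 firewall date=2024-01-10 action=accept"),
    ("192.0.2.12", "<134>Jan 10 12:00:03 firewall %ASA-6-302013: Built outbound TCP connection"),
    ("192.0.2.13", "this is not a syslog message"),
]


def parse_header(line):
    """Return (hostname, message) or None when the header does not parse."""
    m = _HEADER.match(line)
    if not m:
        return None
    return m.group("host"), m.group("msg")


def group_by_hostname(records):
    """Map each syslog hostname to the set of source IPs that announced it."""
    groups = defaultdict(set)
    for src_ip, line in records:
        parsed = parse_header(line)
        if parsed:
            groups[parsed[0]].add(src_ip)
    return dict(groups)


def find_collisions(records):
    """Hostnames used by more than one source IP: these collapse into a single report entry."""
    return {host: ips for host, ips in group_by_hostname(records).items() if len(ips) > 1}


def find_unparsed(records):
    """Source IPs whose lines have no parseable header (the 'blank fields' case)."""
    return sorted({src for src, line in records if parse_header(line) is None})


if __name__ == "__main__":
    for host, ips in find_collisions(SAMPLE_SYSLOG).items():
        print(f"hostname {host!r} is shared by {sorted(ips)}: give each device a unique syslog name")
    for src in find_unparsed(SAMPLE_SYSLOG):
        print(f"{src}: header did not parse; check that device's syslog format")
```

Run it against a capture of the lines your devices actually send (for example, a short packet capture on the sensor's ingestion port) rather than the constructed sample; any hostname that maps to more than one source IP is a device that needs a unique name in its syslog settings.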


Sensors

How do sensors work?

For successful integration, a Security Sensor appliance is required. The sensor is normally deployed at the same location as the devices you will be configuring syslog forwarding on; co-location is not strictly necessary, but the sensor must be reachable from those devices. This allows the device(s) to send logs to the Security Sensor appliance, which then processes them and securely communicates back to our main SIEM Data Processor. For more information, see: NDR: Supported Firewalls & Sensor Options

Is there an alert when a sensor goes offline?

Yes. Stellar will send an email alert to the provided “Alert” email address when it detects that a sensor has been disconnected from the DP (SIEM Data Processor) for 30 minutes.

My sensor is offline, what do I do?

For information on how to troubleshoot sensors that are disconnected from or that are not sending data to Stellar, see: NDR: Sensor Troubleshooting


Firewalls

Is my firewall supported?

Stellar supports most common firewalls and most devices that support standard syslog exporting. For more information, see: NDR: Supported Firewalls & Sensor Options


Related Articles

  • MSS Managed Firewall Best Practice Configuration
  • NDR: Integration Guide
  • NDR: Windows Server Agent