NDR: Frequently Asked Questions (FAQs)

Description

This article will answer Frequently Asked Questions about MSS’s NDR offering.


General

Why are there “Critical” alerts in the reports, but I was not contacted by the SOC?

Stellar has a built-in alerting system that assigns severity ratings (Critical, High, Medium, Low) based on predefined criteria. However, these severity ratings apply only to individual alerts and do not provide a complete picture of the broader security landscape.

The MSS SOC does not rely on Stellar's built-in alerts or severity criteria. Instead, we have developed a proprietary alerting system using artificial intelligence, mathematical algorithms, and cross-product correlation. The system analyzes multiple data points across your entire environment, considering all ingested logs rather than isolated alerts. By doing so, we can effectively filter out noise and focus on actionable intelligence, allowing our SOC team to determine whether an alert requires direct contact.

We recommend logging into Stellar regularly to familiarize yourself with your environment’s baseline. This will help you better understand which types of alerts are considered "normal."

If you have any questions about an alert in your report, our SOC team will be happy to review it with you.

As a general rule, if the SOC has not contacted you, no critical threats have been identified based on MSS’s custom alerting criteria. This means that while there may be "Critical" alerts in Stellar’s reporting, they have not met the threshold for an MSS Critical Alert requiring action.


Sensors

How do sensors work?

For successful integration, a Security Sensor appliance is required. This sensor is normally deployed at the same location as the devices you will be setting up syslog forwarding on; this is not strictly necessary, but if it is deployed elsewhere it should still be reachable from those devices. This allows the device(s) to send logs to the Security Sensor appliance, which then processes them and securely communicates back to our main SIEM data processor. For more information, see: NDR: Integration Guide (Start Here)

Is there an alert when a sensor goes offline?

Yes. Stellar will send an email alert to the provided “Alert” email address when Stellar detects that a sensor is disconnected from the DP for 30 minutes.

My Sensor is offline, what do I Do?

For information on how to troubleshoot sensors that are disconnected from or that are not sending data to Stellar, see: Offline Sensor Troubleshooting


Firewalls

Is my firewall supported?

Stellar supports most common firewalls and most devices that support standard syslog export. For more information, see: NDR: Supported Firewalls

How do I verify my firewall is sending logs correctly?

You can verify that data is coming into and being processed by Stellar for any device that is sending syslogs by following the steps below:

Checking Threat Hunting

  1. Select the appropriate tenant
  2. Go to Investigate → Threat Hunting
  3. Change the Indices to Traffic and uncheck everything else
  4. In the search bar, run the command: “stellar_client_addr:<IP of the device sending data>”
  5. This will filter the data to logs that are coming from the device IP specified in the command above.
  6. You can run this command using the IP of each device to see the logs that are coming in from that device.



Windows Servers

Is there an alert when a server sensor goes offline?

Yes. Stellar will send an email alert to the provided “Alert” email address when Stellar detects that a sensor is disconnected from the DP for 30 minutes.

How do I make sure my server is successfully connected to the SIEM?

Once (and only once) the server is authorized by SGI, you can verify that the server is connected by:

  1. Open the Windows Agent Sensor CLI program.
  2. Type in show cm
  3. This will output the connection status.

How do I verify my server is sending logs correctly?

You can verify that data is coming into and being processed by Stellar for a server by following these steps:

Checking Threat Hunting

  1. Select the appropriate tenant
  2. Go to Investigate → Threat Hunting
  3. Change the Indices to Windows Events and uncheck everything else
  4. You will see the list of servers reporting in the Top Sensors box


My Server Shows as “Disconnected” in Stellar

There are a couple of quick things to check to make sure everything is working correctly.

  1. Open the Windows Agent Sensor CLI program.
  2. Type in show cm
  3. This will output the connection status.

  • If the Status says Up or Connected, please open a ticket by visiting MSS Ticket Portal and, when asked to select a product, select Network Security, and then NDR Support.
  • If the Status says Down or Disconnected, please proceed to the following troubleshooting steps:
    1. Verify the correct ports are open in your firewall from your server to the internet per Step 1 above.
    2. Verify the required services are running per Step 2 above.
      1. If all services are running, restart the Windows Agent Sensor Ctrl service.
      2. If the service won’t start, uninstall and reinstall the Windows Agent per the above process.
    3. Reboot the server if able.
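The troubleshooting steps above, scripted for a PowerShell prompt on the affected server. This is an added example, not from the article or from Stellar Cyber; the CM host, the port list and the service display-name pattern are placeholders and assumptions to be replaced with the values from the installation guide.

```powershell
# Added example, not from the article or Stellar Cyber. Runs the
# "Disconnected" troubleshooting checks from the affected Windows server.
# Every value below is a placeholder or assumption; take the real ones
# from the installation guide.
$CmHost       = '<IP of the CM Host mentioned in the installation guide>'  # placeholder
$CmPorts      = @(443)            # assumed; use the ports from Step 1 of the install guide
$ServiceMatch = '*Agent Sensor*'  # assumed display-name pattern for the sensor services

# Step 1: can this server reach the CM host on the required port(s)?
foreach ($port in $CmPorts) {
    $tnc = Test-NetConnection -ComputerName $CmHost -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable from this server: {2}' -f $CmHost, $port, $tnc.TcpTestSucceeded
}

# Step 2: are the sensor services present and running?
$svcs = Get-Service | Where-Object { $_.DisplayName -like $ServiceMatch }
if (-not $svcs) {
    Write-Warning "No services match '$ServiceMatch'; check the name or reinstall the agent."
    return
}
$svcs | Format-Table DisplayName, Status -AutoSize

# Step 2.1: if the services are running, restart the Ctrl service and re-check it.
$ctrl = $svcs | Where-Object { $_.DisplayName -like '*Ctrl*' }  # assumed to match "Windows Agent Sensor Ctrl"
if (-not $ctrl) {
    Write-Warning 'Ctrl service not found; open a ticket with NDR Support.'
    return
}
try {
    Restart-Service -InputObject $ctrl -ErrorAction Stop
    Get-Service -Name $ctrl.Name | Format-Table DisplayName, Status -AutoSize
} catch {
    # Step 2.2: the service would not start; uninstall and reinstall the agent.
    Write-Warning "Restart failed ($($_.Exception.Message)); uninstall and reinstall the Windows Agent."
}
# Step 3 (reboot if able) is left to the operator: Restart-Computer
```

After the restart, run show cm again in the Windows Agent Sensor CLI and confirm the status reads Up or Connected before closing the ticket.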

Can I change the reporting (CM) IP without uninstalling the agent?

Yes!

  1. Open the Windows Agent Sensor CLI program
  2. Type in Set CM <IP of the CM Host Mentioned in the installation guide>

What do I do if I am replacing a server?

  1. Install the agent on the new server per the above process.
  2. Open a ticket and provide:
    1. The new server’s Hostname and IP address (private) so it can be authorized and have the correct profile applied.
    2. The old server’s Hostname and IP address (private) so it can be removed.

How do I Add a New Server?

  1. Install the agent on the new server per the above process.
  2. Open a ticket and provide:
    1. The new server’s Hostname and IP address (private) so it can be authorized and have the correct profile applied.

How do I Remove a Server?

  1. Open a ticket and provide:
    1. The old server’s Hostname and IP address (private) so it can be removed.
  2. Uninstall the Stellar Windows Agent by completing the below steps:

Uninstalling the Server Sensor

During the uninstallation, a Windows command prompt window may appear. Do not close this window manually – it closes automatically when the uninstallation is complete.

Stellar Cyber recommends that you remove the Windows Server Sensor using the Change button in the Programs and Features control panel instead of the Uninstall button.

Using the Change button gives you access to the following additional uninstall options that ensure the program and all its data are removed completely:

  • Remove Data Files
  • Remove Scheduler Task

If you are planning on reinstalling a 4.2.2+ Windows Server Sensor, Stellar Cyber recommends that you leave these items unchecked.

If you want to uninstall completely, you should check these boxes.


Linux Servers

Can I change the reporting (CM) IP without uninstalling the agent?

Yes. You can run the Set CM command along with the correct CM IP to change it.

What do I do if I am replacing a server?

When replacing a server, all you need to do is install the agent on the new server per the above process and open a ticket to let us know that the server has been replaced. Please also provide the server’s name and IP so an engineer can authorize the new server and remove the old one.

How do I Add a New Server?

To add a new server, all you need to do is install the agent on the new server per the above process and open a ticket to let us know. Please also provide the server’s name and IP so an engineer can authorize the new server.

How do I Remove a Server?

To remove a server, uninstall the Linux Agent Sensor per the following instructions:

Debian and Ubuntu Uninstall

To uninstall a sensor on Debian or Ubuntu:

apt-get remove aellads

CentOS, Red Hat 6.7, AWS Linux 2 Uninstall

To uninstall a sensor on CentOS or Red Hat:

yum remove aellads

After the agent has been uninstalled:

  1. Open a ticket to let us know that the server has been removed.
    1. Please also provide the server name and IP so an engineer can remove the server.

Related Articles

  • NDR: Supported Firewalls & Sensor Options
  • NDR: Virtual Sensor Deployment (VMware)
  • NDR: Virtual Sensor Deployment (OCI)