NDR: Integration Guide (Start Here)

Description

Supported Firewalls

For more information on which firewall manufacturers we can ingest logs from, see: NDR: Supported Firewalls


Sensors

To deploy NDR, a Security Sensor must be deployed in the environment. Sensors provide the data-gathering foundation for Stellar Cyber's OpenXDR platform, collecting the right data with context. Modular sensors are purpose-built Stellar Cyber sensors that include both the host and the Stellar Cyber monitoring software. They are provided as physical devices (Photon sensors) and as virtual machine images for different target environments. The sensor is normally deployed at the same location as the devices on which you will be setting up syslog forwarding. That is not strictly necessary, but if the sensor is deployed elsewhere it must still be reachable from those devices, so that they can send their logs to the Security Sensor appliance, which processes them and securely forwards them to our main SIEM data processor.

Sensor Deployment Options

  • Security sensors can be virtual, hosted on platforms such as VMware, Hyper-V, AWS, or Azure, or physical.

  • Physical sensors are recommended if you or your customer lack a virtual environment to deploy a virtual sensor. These physical sensors are compact, approximately the size of a micro-PC.

  • Each end customer requires a sensor. For customers with multiple locations, a single sensor can be deployed to collect logs from all sites, provided the devices at the other sites can reach it.

  • Single Location Customer: In this example, a single sensor is deployed at a single location.

  • Multi-Location Customers: In this example, a single sensor is deployed at Location A and receives forwarded logs from devices at all three locations.


Getting Started

Now that we’ve covered the deployment and have an understanding of the devices, let’s get going!

Step 1. Sensor Deployment

The first step is to get a sensor deployed. Follow the guides below in order to get your sensor deployed.

Virtual Sensor

  1. View and ensure that you meet or exceed the minimum sensor requirements - NDR: Virtual Sensor Requirements

  2. Deploy a Sensor in the environment:

    1. On-Prem

      1. NDR: Deploying a Virtual Sensor in VMware

      2. NDR: Deploying a Virtual Sensor in Hyper-V

      3. NDR: Deploying a Virtual Sensor in KVM

    2. Cloud

      1. NDR: Deploying a Virtual Sensor in Azure

      2. NDR: Deploying a Virtual Sensor in AWS

      3. NDR: Deploying a Virtual Sensor in GCP

      4. NDR: Deploying a Virtual Sensor in OCI

  3. Configure and request authorization of the sensor: NDR: Sensor Configuration & Authorization

Physical Sensor

  1. Deploy the pre-configured sensor in the environment: NDR: Physical Sensor Deployment


Step 2. Device Log Forwarding

Follow the guides below to set up syslog forwarding from your firewall and network devices to the sensor deployed in the previous step:

  1. Forwarding Firewall Syslogs: NDR: Firewall Syslog Forwarding

  2. Syslog Port Index: NDR: Syslog Port Index
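Before assuming a firewall's syslog configuration is working, it is worth confirming that syslog datagrams actually reach the sensor. The script below is an added example for this guide, not code from Stellar Cyber or from the NDR articles: it builds an RFC 5424 syslog line, sends it over UDP, and includes a loopback self-check so the send path can be exercised before pointing it at the sensor. The sensor address 192.0.2.10 and port 514 are placeholder assumptions; the port your sensor listens on for a given device type comes from the NDR: Syslog Port Index article, and if that index specifies TCP or TLS for your device this UDP sender does not apply as-is.

```python
"""Send a test syslog message toward a sensor and check the UDP path.

Added example: the sensor address and port below are placeholders, not
values from the NDR guide. Look up the real port in "NDR: Syslog Port Index".
"""
import datetime
import socket
from typing import Optional

SENSOR_HOST = "192.0.2.10"  # assumption: TEST-NET-1 placeholder, replace with your sensor IP
SENSOR_PORT = 514           # assumption: conventional syslog/UDP port; confirm in the port index


def syslog_pri(facility: int, severity: int) -> int:
    """PRI as defined in RFC 3164/5424: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def build_message(hostname: str, app: str, msg: str,
                  facility: int = 1, severity: int = 6,
                  timestamp: Optional[str] = None) -> str:
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.

    Defaults are facility 1 (user) and severity 6 (informational), i.e. PRI 14.
    PROCID, MSGID and STRUCTURED-DATA are sent as the NILVALUE '-'.
    """
    if timestamp is None:
        timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    return f"<{syslog_pri(facility, severity)}>1 {timestamp} {hostname} {app} - - - {msg}"


def send_udp(message: str, host: str, port: int) -> int:
    """Send a single syslog datagram; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


def loopback_check(message: str) -> str:
    """Exercise send_udp against a throwaway local receiver and return what arrived.

    On the sensor the same datagram would be visible with:
        tcpdump -ni any udp port <PORT> -A
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))        # the OS picks a free port
        rx.settimeout(2)
        _, port = rx.getsockname()
        send_udp(message, "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    line = build_message("fw-edge-01", "ndr-test", "syslog forwarding test from fw-edge-01")
    print("loopback received:", loopback_check(line))
    # Real check: send toward the sensor and watch for it with tcpdump there.
    try:
        sent = send_udp(line, SENSOR_HOST, SENSOR_PORT)
        print(f"sent {sent} bytes to {SENSOR_HOST}:{SENSOR_PORT}")
    except OSError as exc:
        print("could not send to sensor:", exc)
```

Run it from a host on the same network segment as the firewall, then on the sensor capture with `tcpdump -ni any udp port 514 -A` (substituting the port from the index) and look for the `ndr-test` marker. If the loopback check passes but nothing appears on the sensor, the problem is on the path (routing, firewall policy, or a wrong port), not in the message format.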


Step 3. Server Log Forwarding

Optional: If you'd like, follow the guide(s) below to set up log forwarding from your Windows or Linux server(s).

  1. Windows Log Forwarding: NDR: Windows Server Log Forwarding

  2. Linux Log Forwarding: NDR: Linux Server Log Forwarding


SIEM Walk-Through

Please take a moment to watch this video, which provides a straightforward walkthrough of the SIEM interface. This walkthrough is intended as a general guide for navigating the SIEM console and is not a step-by-step tutorial on alert or event investigation, as investigative processes may vary depending on the specific product or service offering.

If you need assistance with investigating an alert, please contact our SOC team—they will be happy to assist you.

TIP: Certain pages or features may not be available depending on your service subscription (e.g., NDR, MDR for endpoints), as each service has different visibility requirements for specific features. 

https://www.youtube.com/playlist?list=PLxr1wQ6O59Ogc0N4y3jDPKjSGTHM8qRzq


Sensor Troubleshooting

We all have issues :). If you run into any issues with your sensor(s), take a look at the following guide:

  1. Sensor Troubleshooting: NDR: Sensor Troubleshooting

Related Articles

  • SentinelOne (S1) MDR: Frequently Asked Questions (FAQs)
  • Avanan: IRaaS SOP
  • Infocyte: Exclusions