High-level design

The Alertflex project is an automation, continuous monitoring, threat detection and response solution. Alertflex works as a Security Event Manager with SOAR functionality for a distributed grid of security sensors and scanners.

The solution is designed for use in hybrid IT infrastructure (on-premises and cloud-based). It provides an orchestrator and a single pane of glass for more than 30 products (mostly free open-source software) and monitors several types of platform: Windows, Linux, Docker, Kubernetes and Amazon AWS.


Low-level design

Alertflex implements security event management functions for a distributed hub of security sensors (Suricata NIDS, Wazuh HIDS, Falco CRS). It is built from the following levels: Collection (Alertflex collector), Streaming (ActiveMQ), Analysis (Alertflex controller), Storage (MySQL) and Access (Alertflex controller and management console).

To work inside a hybrid IT environment, the solution consists of distributed software components: Collector, Controller and Management Console. The Alertflex Controller and Management Console make up the Central node, which can be placed either inside or outside the monitored IT infrastructure.

The Alertflex Collector (Altprobe) is placed in the network segment where the security sensors are installed (Container Runtime Security, Host IDS, File Integrity Monitor, Docker Bench for Security, Network IDS). Together with the security sensors and scanners, the Collector logically forms the Remote node.


Central node

The minimum configuration of the central node includes the Alertflex Java EE applications (Controller, Management Console), which run under the Payara/GlassFish application server, and the third-party open-source components ActiveMQ, Redis and MySQL. It can be installed on a stand-alone server or virtual machine running Linux CentOS 7 or Ubuntu 18.04. High availability of the central node relies on cluster configurations of the third-party components and on the microservices architecture of the Alertflex applications. A detailed scheme of the Central node (Cnode) is shown below:


Collector node

The Collector node is based on a micro-segmentation model. It can include several Alertflex collectors (Altprobe), security sensors/IDS and scanners. The minimum configuration of such a node is one collector installed on a computer or virtual machine in the node segment. The configuration can be expanded by installing several Alertflex collectors on different computers/VMs inside the same node segment. This allows several security sensors and scanners inside one network segment controlled by the node to be connected, sharing a common network and agent namespace. The Alertflex collector can read security events directly from IDS logs, or use a Redis server to receive events from IDS instances installed on other hosts. An example of such a configuration is shown below:
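Separately from the configuration scheme referred to above, the following Python sketch is an added illustration (not Alertflex's or Altprobe's own code) of what the Collection level does with the three sensor types named in this document: it reads lines as Suricata, Wazuh and Falco write them to their JSON logs, keeps only alert records, and maps them onto one common alert record with a single severity scale, dropping non-alert and malformed lines instead of failing. The sample lines are constructed, and the common record's field names and the severity mapping are assumptions of this example, not the Altprobe format.

```python
import json

# Constructed sample lines (not real sensor output), one JSON record per line, in the
# shape each sensor writes: Suricata eve.json, Wazuh alerts.json, Falco JSON output.
SAMPLE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.9","alert":{"signature_id":2100498,"signature":"ID check","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:01+0000","event_type":"flow","src_ip":"10.0.0.5"}',
    '{"timestamp":"2024-01-01T10:00:02+0000","rule":{"id":"5503","level":5,'
    '"description":"PAM: User login failed."},"agent":{"id":"001","name":"web01"}}',
    '{"time":"2024-01-01T10:00:03Z","priority":"Notice","rule":"Terminal shell in container",'
    '"output":"A shell was spawned in a container","output_fields":{"container.id":"abc123"}}',
    "not json at all",
]

# Falco priority names mapped onto the common 1 (low) .. 3 (high) scale used below (assumed).
FALCO_SEVERITY = {"Emergency": 3, "Alert": 3, "Critical": 3, "Error": 2,
                  "Warning": 2, "Notice": 1, "Informational": 1, "Debug": 1}


def normalize(line):
    """Turn one sensor log line into a common alert dict; None means 'drop it'."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # malformed line: drop it rather than crash the collector
    if rec.get("event_type") == "alert" and "alert" in rec:  # Suricata EVE alert
        a = rec["alert"]
        return {"source": "suricata", "time": rec["timestamp"], "rule": str(a["signature_id"]),
                "description": a["signature"], "host": rec.get("dest_ip"),
                "severity": 4 - int(a["severity"])}  # Suricata: 1=high .. 3=low
    if "event_type" in rec:
        return None  # other Suricata event types (flow, dns, http, ...) are not alerts
    if "agent" in rec and isinstance(rec.get("rule"), dict):  # Wazuh alert
        level = int(rec["rule"]["level"])  # Wazuh rule levels run 0..15
        return {"source": "wazuh", "time": rec["timestamp"], "rule": rec["rule"]["id"],
                "description": rec["rule"]["description"], "host": rec["agent"]["name"],
                "severity": 3 if level >= 12 else 2 if level >= 7 else 1}
    if "priority" in rec and "output" in rec:  # Falco JSON output
        return {"source": "falco", "time": rec["time"], "rule": rec["rule"],
                "description": rec["output"], "host": rec["output_fields"].get("container.id"),
                "severity": FALCO_SEVERITY.get(rec["priority"], 1)}
    return None  # unknown record shape


def collect(lines):
    """Collection step: normalize every line; return (alerts, number of dropped lines)."""
    alerts = [a for a in map(normalize, lines) if a is not None]
    return alerts, len(lines) - len(alerts)
```

The same per-line logic applies when the lines arrive as messages from a Redis server instead of a local log file; only the reader changes.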