The Alertflex project is an automation, continuous monitoring, threat detection and response solution.
Alertflex works as a Security Event Manager with SOAR functionality for a distributed grid of security sensors and scanners.
The solution is designed for use in hybrid IT infrastructure (on-premises and cloud-based); it provides an orchestrator and a single pane of glass for more than 30 products (mostly free open-source software) and monitors different types of platforms: Windows, Linux, Docker, Kubernetes, Amazon AWS.
Alertflex implements security event management functions for a distributed hub of security sensors and scanners. The functionality is organized into the following levels: Collection (Alertflex collector), Streaming (ActiveMQ), Analysis (Alertflex controller), Storage (MySQL), Access (Alertflex controller and management console).
To operate inside a hybrid IT environment, the solution consists of distributed software components: Collector, Controller and Management Console. The Alertflex Controller and Management Console make up the Central node, which can be placed inside or outside the monitored IT infrastructure.
The Alertflex Collector (Altprobe) is placed in the network segment where the security sensors and scanners are installed. Based on the configuration of the collectors and the topology of the network, Alertflex logically forms the Collector node.
The minimum configuration of the Central Node includes the Alertflex Java EE applications (Controller and Management Console, which run under the Payara/GlassFish application server) and the third-party open-source components ActiveMQ and MySQL. This configuration can be installed on a stand-alone server or virtual machine running Linux CentOS 7 or Ubuntu 18.04.
An example stand-alone server with the Appliance configuration (which additionally includes an Alertflex collector and sensors) is shown below:
The high availability of the Central Node is based on cluster configurations of the third-party components and on the microservices architecture of the Alertflex applications:
The Collector node is based on a micro-segmentation model. It can include several Alertflex collectors (Altprobe) for retrieving information from, and managing, security sensors and scanners.
The minimum configuration of the Collector node includes one collector installed on a computer or virtual machine. The configuration can be expanded by installing several Alertflex collectors on different computers/VMs inside a defined network segment. In this case, all collectors must have the same Node ID in their config file. This allows the same filtering policies, Host IDS agent namespace and security event statistics to be shared by all collectors united into the Collector node.
The Alertflex collector reads security events directly from the output files of sensors and from the reports of scanners. Additionally, Altprobe can use Redis to receive events from sensors that are installed on other hosts or services.
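The following added example (not Altprobe's own code) illustrates the Collector node model described above: several collectors that share a Node ID are grouped into one logical node, events from a sensor output file and from a Redis source are normalized and tagged with that Node ID, and event statistics are then computed per node rather than per collector. The collector config keys, the JSON event fields and the sample events are constructed assumptions for this example.

```python
import json
from collections import Counter

# Constructed sample (assumed config keys, not Altprobe's real format): two
# collectors share Node ID "collnode-1" and so form one Collector node; a third
# collector in another network segment carries Node ID "collnode-2".
COLLECTORS = [
    {"collector": "altprobe-a", "node_id": "collnode-1", "source": "file"},
    {"collector": "altprobe-b", "node_id": "collnode-1", "source": "redis"},
    {"collector": "altprobe-c", "node_id": "collnode-2", "source": "file"},
]

# Constructed raw events (assumed JSON fields): file lines for altprobe-a/-c, Redis items for altprobe-b.
RAW_EVENTS = {
    "altprobe-a": ['{"sensor": "suricata", "severity": 3, "msg": "ET SCAN"}',
                   '{"sensor": "wazuh", "severity": 1, "msg": "login ok"}'],
    "altprobe-b": ['{"sensor": "suricata", "severity": 2, "msg": "ET POLICY"}'],
    "altprobe-c": ['{"sensor": "falco", "severity": 3, "msg": "shell spawned"}'],
}

def collector_nodes(collectors):
    """Group collectors by Node ID; each group is one logical Collector node."""
    nodes = {}
    for c in collectors:
        nodes.setdefault(c["node_id"], []).append(c["collector"])
    return nodes

def normalize(raw, collector):
    """Parse one raw event and tag it with its collector's Node ID and source."""
    ev = json.loads(raw)
    return {"node_id": collector["node_id"], "collector": collector["collector"],
            "source": collector["source"], "sensor": ev["sensor"],
            "severity": int(ev["severity"]), "msg": ev["msg"]}

def ingest(collectors, raw_events):
    """Normalize every collector's events into one stream for the controller."""
    by_name = {c["collector"]: c for c in collectors}
    return [normalize(raw, by_name[name])
            for name, lines in raw_events.items() for raw in lines]

def node_stats(events, high=3):
    """Per-Collector-node statistics (events of all its collectors merged)."""
    stats = {}
    for e in events:
        s = stats.setdefault(e["node_id"], Counter())
        s[e["sensor"]] += 1
        if e["severity"] >= high:
            s["high_severity"] += 1
    return stats
```

Note that the two Suricata events of collnode-1 arrive through different collectors and different source types (file and Redis) yet land in the same per-node counter, which is the effect of giving both collectors the same Node ID.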
An example configuration with two Collector Nodes, using log files and Redis as sources for the Collector, is shown below: