Integrations


Open Cybersecurity Alliance ecosystem (STIX-Shifter)

Alertflex has a REST API and a Python connector for interacting with the Alertflex controller via the STIX-Shifter package. The connector translates a STIX pattern into pseudo-SQL requests to the controller and returns information about sensor alerts as STIX objects.

Install STIX-Shifter and the connector for Alertflex:

pip install antlr4-python3-runtime
pip install stix-shifter
pip install stix-shifter-utils
pip install stix-shifter-modules-alertflex

Below are several examples of using the Alertflex stix-shifter connector:

  • Check availability of the Alertflex REST interface (expected return code: HTTP/1.1 200 OK). The -k flag skips TLS certificate verification and is only appropriate while testing against a self-signed controller certificate.

curl -k -v -X GET -u admin:XXXXXXX https://192.168.1.10:8181/alertflex-ctrl/rest/stix-alerts/status
  • Ping the service from STIX-Shifter

python main.py transmit alertflex \
  '{"host":"192.168.1.10", "port":"8181"}' \
  '{"auth": {"username": "admin","password": "XXXXXXXX"}}' \
  ping
  • Get info about alerts in which a certain file's MD5 hash is present

python main.py execute alertflex alertflex \
  '{"type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "Alertflex", "identity_class": "events"}' \
  '{"host":"192.168.1.10", "port":"8181"}' \
  '{"auth": {"username": "admin","password": "XXXXXXX"}}' \
  "[file:hashes.MD5 = '02d2a1d8b353ba2bf59ca381f1836ebd']"
  • Get info about alerts of type "HOST" raised during a fixed time interval

python main.py execute alertflex alertflex \
  '{"type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "Alertflex", "identity_class": "events"}' \
  '{"host":"192.168.1.10", "port":"8181"}' \
  '{"auth": {"username": "admin","password": "XXXXXXX"}}' \
  "[x_org_alertflex:type = 'HOST'] START t'2020-06-09T00:00:00Z' STOP t'2020-06-09T20:11:11Z'"
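The translation step described above (STIX pattern to pseudo-SQL request), as an added example that is not the code of the stix-shifter-modules-alertflex package: a small Python translator that accepts the two pattern shapes used in the commands above (a single comparison, optionally followed by START/STOP qualifiers) and builds a pseudo-SQL query string. The table name alerts, the columns file_md5, alert_type and alert_time, and the mapping from STIX object paths to those columns are assumptions made for this example; the real connector's mapping and query format are not shown on this page. It also rejects what a translator should reject: unmapped object paths, patterns it cannot parse, and a STOP earlier than START.

```python
import re
from datetime import datetime, timezone

# Assumed mapping from STIX object paths to columns of a hypothetical
# "alerts" table; the real connector's mapping is not shown on this page.
FIELD_MAP = {
    "file:hashes.MD5": "file_md5",
    "x_org_alertflex:type": "alert_type",
}
TIME_COLUMN = "alert_time"  # assumed column holding the alert timestamp

# One comparison inside [...], optionally followed by START/STOP qualifiers.
# The value class excludes the quote character, so a pattern value can never
# close the SQL string literal it is placed in.
PATTERN_RE = re.compile(
    r"^\[(?P<path>[A-Za-z0-9_:.'\-]+)\s*(?P<op>=|!=|LIKE)\s*'(?P<value>[^']*)'\]"
    r"(?:\s*START\s+t'(?P<start>[^']+)'\s+STOP\s+t'(?P<stop>[^']+)')?\s*$"
)


def _parse_timestamp(text: str) -> datetime:
    """Parse a STIX timestamp (UTC with a 'Z' suffix) into an aware datetime."""
    if not text.endswith("Z"):
        raise ValueError(f"STIX timestamps must be UTC with a 'Z' suffix: {text!r}")
    # fromisoformat accepts '+00:00' on every supported Python version,
    # while the bare 'Z' suffix is only accepted from 3.11 on.
    return datetime.fromisoformat(text[:-1] + "+00:00")


def _format_timestamp(ts: datetime) -> str:
    """Render an aware datetime back as a STIX-style UTC timestamp."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def translate(pattern: str) -> str:
    """Translate a supported STIX pattern into a pseudo-SQL query string."""
    match = PATTERN_RE.match(pattern.strip())
    if not match:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    path = match.group("path")
    if path not in FIELD_MAP:
        raise ValueError(f"no column mapping for object path {path!r}")
    clause = f"{FIELD_MAP[path]} {match.group('op')} '{match.group('value')}'"
    if match.group("start"):
        start = _parse_timestamp(match.group("start"))
        stop = _parse_timestamp(match.group("stop"))
        if stop <= start:
            raise ValueError("STOP must be later than START")
        clause += (
            f" AND {TIME_COLUMN} BETWEEN '{_format_timestamp(start)}'"
            f" AND '{_format_timestamp(stop)}'"
        )
    return f"SELECT * FROM alerts WHERE {clause}"


def is_supported(pattern: str) -> bool:
    """True when this example can translate the pattern, False otherwise."""
    try:
        translate(pattern)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two patterns used in the stix-shifter commands above.
    for p in (
        "[file:hashes.MD5 = '02d2a1d8b353ba2bf59ca381f1836ebd']",
        "[x_org_alertflex:type = 'HOST'] START t'2020-06-09T00:00:00Z' "
        "STOP t'2020-06-09T20:11:11Z'",
    ):
        print(translate(p))
```

Running the module prints the pseudo-SQL for both page patterns. Because the pattern value is taken verbatim from user-supplied input, the regex restricts it to non-quote characters before it is placed in the query; a production translator would pass values as bound parameters instead of building the string.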

Send alerts and Netflow to ElasticStack/OpenDistro

  • In the Alertflex console select "Settings/Integrations/Log Management" and add parameters according to your Elasticsearch configuration

[image: ../_images/elastic-config.png]
  • Select the checkbox "Send Netflow" in "Settings/Project/Parameters" if you want to send Netflow records from Suricata

[image: ../_images/project-netflow.png]

Note: A reboot of the Linux system or a restart of the Payara server is required after changing these settings.

  • To view events from Alertflex, select the index "alertflex*" in the Kibana UI

[image: ../_images/elasticsearch.png]

Send events to GrayLog

  • In the GrayLog web UI create an input for Alertflex; use the screenshot below as an example:

[image: ../_images/graylog-input.png]
  • In the Alertflex console select "Settings/Integrations/Log Management" and add parameters according to your GrayLog configuration

[image: ../_images/graylog-config.png]
  • Select the checkbox "Send Netflow" in "Settings/Project/Parameters" if you want to send Netflow records from Suricata

[image: ../_images/project-netflow.png]

Note: A restart of the Payara server is required after changing these settings.


Enable receiving metrics from Alertflex in Prometheus/Grafana

  • In the Alertflex console open the "Settings/Project/Parameters" web form and select the checkbox "Export Prometheus metrics"

[image: ../_images/prometheus-config.png]
  • To configure Prometheus to scrape metrics from Alertflex, add a scrape job to the file /etc/prometheus/prometheus.yml (the job below belongs under the scrape_configs key):

scrape_configs:
  - job_name: 'alertflex'
    metrics_path: /alertflex-ctrl/rest/metrics
    static_configs:
      - targets: ['192.168.1.10:8080']