Integrations
Open Cybersecurity Alliance ecosystem (STIX-Shifter)
Alertflex provides a REST API and a Python connector for interacting with the Alertflex controller through the STIX-Shifter package. The connector translates a STIX pattern into pseudo-SQL requests to the controller and returns the matching sensor alerts in STIX object format.
Install STIX-Shifter and the connector for Alertflex:
pip install antlr4-python3-runtime
pip install stix-shifter
pip install stix-shifter-utils
pip install stix-shifter-modules-alertflex
Below are several examples of using the Alertflex STIX-Shifter connector.
Check availability of the Alertflex REST interface (the response should contain the status line HTTP/1.1 200 OK; -k disables TLS certificate verification, which is needed only while the controller uses a self-signed certificate):
curl -k -v -X GET -u admin:XXXXXXX https://192.168.1.10:8181/alertflex-ctrl/rest/stix-alerts/status
Ping the service from STIX-Shifter:
python main.py transmit alertflex \
  '{"host":"192.168.1.10", "port":"8181"}' \
  '{"auth": {"username": "admin","password": "XXXXXXXX"}}' \
  ping
Get info about alerts in which a certain file's MD5 hash is present:
python main.py execute alertflex alertflex \
  '{"type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "Alertflex", "identity_class": "events"}' \
  '{"host":"192.168.1.10", "port":"8181"}' '{"auth": {"username": "admin","password": "XXXXXXX"}}' \
  "[file:hashes.MD5 = '02d2a1d8b353ba2bf59ca381f1836ebd']"
Get info about alerts of type “HOST” raised during a fixed time interval:
python main.py execute alertflex alertflex \
  '{"type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "Alertflex", "identity_class": "events"}' \
  '{"host":"192.168.1.10", "port":"8181"}' '{"auth": {"username": "admin","password": "XXXXXXX"}}' \
  "[x_org_alertflex:type = 'HOST'] START t'2020-06-09T00:00:00Z' STOP t'2020-06-09T20:11:11Z'"
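To make the translation step concrete, here is an added illustration (not code from the Alertflex connector or STIX-Shifter) of how the two patterns above decompose into a field, an operator, a value and an optional START/STOP window, and how a connector can turn that into a parameterised pseudo-SQL query so that quotes inside a pattern value cannot alter the query. The column names, the table name and the SQL shape are assumptions for the example; the real controller mapping is not documented on this page.

```python
import re
from datetime import datetime, timezone

# Subset of STIX 2 patterning used on this page: one comparison expression,
# optionally followed by START t'...' STOP t'...' qualifiers.
COMPARISON = re.compile(
    r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'\-]+)\s*(?P<op>=|!=|LIKE)\s*'(?P<val>[^']*)'\]")
QUALIFIER = re.compile(r"\bSTART\s+t'(?P<start>[^']+)'\s+STOP\s+t'(?P<stop>[^']+)'\s*$")

# Assumed mapping from STIX object paths to controller columns (hypothetical).
FIELD_MAP = {"file:hashes.MD5": "md5", "x_org_alertflex:type": "alert_type"}
SQL_OPS = {"=": "=", "!=": "<>", "LIKE": "LIKE"}


def parse_stix_timestamp(ts: str) -> datetime:
    # STIX timestamps are RFC 3339 in UTC with a trailing 'Z'.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_pattern(pattern: str) -> dict:
    """Decompose a pattern into field / op / value plus an optional time window."""
    pattern = pattern.strip()
    m = COMPARISON.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    query = {"field": f"{m['obj']}:{m['prop']}", "op": m["op"], "value": m["val"]}
    rest = pattern[m.end():]
    q = QUALIFIER.search(rest)
    if q:
        start, stop = parse_stix_timestamp(q["start"]), parse_stix_timestamp(q["stop"])
        if stop <= start:
            raise ValueError("STOP must be later than START")
        query["start"], query["stop"] = start, stop
    elif rest.strip():
        raise ValueError(f"trailing text not understood: {rest!r}")
    return query


def to_sql(query: dict) -> tuple:
    """Build a parameterised pseudo-SQL query; values travel as parameters, never as text."""
    column = FIELD_MAP.get(query["field"])
    if column is None:
        raise ValueError(f"no column mapping for {query['field']}")
    sql = f"SELECT * FROM alerts WHERE {column} {SQL_OPS[query['op']]} ?"
    params = [query["value"]]
    if "start" in query:
        sql += " AND time_of_event BETWEEN ? AND ?"
        params += [query["start"].isoformat(), query["stop"].isoformat()]
    return sql, params
```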
Send alerts and Netflow to Elastic Stack/Open Distro
In the Alertflex console select “Settings/Integrations/Log Management” and add the parameters that match your Elasticsearch configuration.
Select the checkbox “send Netflow” in “Settings/Project/Parameters” if you want to send Netflow records from Suricata.
Note: a reboot of the Linux system or a restart of the Payara server is required after changing these settings.
To view events from Alertflex, select the index “alertflex*” in the Kibana UI.
Send events to GrayLog
In the GrayLog web UI create an input for Alertflex, for example as in the screenshot below:
In the Alertflex console select “Settings/Integrations/Log Management” and add the parameters that match your GrayLog configuration.
Select the checkbox “send Netflow” in “Settings/Project/Parameters” if you want to send Netflow records from Suricata.
Note: a restart of the Payara server is required after changing these settings.
Enable receiving metrics from Alertflex in Prometheus/Grafana
In the Alertflex console open the “Settings/Project/Parameters” web form and select the checkbox “Export Prometheus metrics”.
To configure Prometheus to scrape metrics from Alertflex, add the following job to the scrape_configs section of /etc/prometheus/prometheus.yml:
scrape_configs:
  - job_name: 'alertflex'
    metrics_path: /alertflex-ctrl/rest/metrics
    static_configs:
      - targets: ['192.168.1.10:8080']