Correlation Module
The module permits to manage events and logs generated by all the Agger module.
Overview
The Correlation Module provides the capability to perform the correlation of the information retrieved from events and logs.
The Correlation Module is provided as a complete virtual machine.
How it works
All the events generated by all the Agger module, as well as any other log source such as Firewalls, IDS/IPS, Network devices, Domain controller, Applications, etc. can be managed by the Agger Correlation Module.
This module collects, filters and analyses all the received events and logs, generating alerts which are managed by Agger server in order to define eventual reactions and can be sent to a second layer external SIEM.
Module Management
All the events can be accessed and analysed through a modern graphical console which permit to create personalized dashboards and reports.
Advantages
Secure communication infrastructure designed for Internet deployment.
Management through the central server.
Integrable with external SIEM.
Main Features
Type of data gathered
Events, files, OS/application logs from Agents.
Events, files, netflow logs from Probes.
Events and logs from third-party Security Devices.
cloud-based source of IOC, information on attack patterns and third-party feeds.
Detection
Analysis at global level of all received events.
Central data repository; normalization, filtering, storage, and correlation of events and logs using internal SIEM (Logstash, Elasticsearch and Kibana).
Third-party Threat Intelligence Source dispatch to agents and probes.
Reaction
Generation of TCP reset flagged packets.
Orchestration of third-party devices.
Full remediation using Agger Endpoint Detection and Response.
