Correlation Module
The module manages the events and logs generated by all Agger modules.
Overview
The Correlation Module correlates information retrieved from different events and logs.
The Correlation Module is provided as a fully installed virtual machine.

How it works
All the events generated by all Agger modules, as well as any other log source such as firewalls, IDS/IPS, network devices, domain controllers, applications, etc., can be managed simultaneously by the Agger’s Correlation Module.
This module collects, filters and analyses all the received events and logs, generating alarms that are managed by the Agger’s Server. To define possible reactions, they can optionally also be sent to an external second-layer SIEM.

Module Management
All the events and logs can be accessed and analysed through a modern visual console, which allows the customer to create personalized dashboards and reports containing the desired information.

Advantages
Secure communication infrastructure designed for Internet deployment.
Management through the central server.
Integrable with external SIEM.
Main Features
Type of data gathered
Events, files, OS/application logs from different Agents
Events, files, NetFlow logs from Probes
Events and logs from third-party Security Devices
Cloud-based source of IOC, information on attack patterns and third-party feeds
Detection
Analysis at the global level of all received events
Central data repository; normalisation, filtering, storage, and correlation of events and logs using internal SIEM (Logstash, Elasticsearch and Kibana)
Sending intelligence information on third-party threats to agents and probes
Reaction
Generation of TCP reset flagged packets
Fully scriptable (Lua “Push” and “Pull” orchestration of third-party devices through API or SNMP)
Full remediation using Agger Endpoint Detection and Response