
Exciting New Features of Coralogix STA

  • Yuval Khalifa
  • November 21, 2021

We at Coralogix believe that cloud security is not a “nice-to-have” feature – something that only large organizations can benefit from or are entitled to have. We believe it’s a basic need that should be solved for organizations of any shape and size. This is why we built the Coralogix Security Traffic Analyzer (STA) tool for packet sniffing and automated analysis. Today we’re announcing several new features of our security product that you’ll find interesting.

1. Automatic AWS VPC Traffic Mirroring Configuration Manager

One of the great things about AWS is that everything can scale up and down as much as needed to keep costs at a minimum while not losing any important data. Now we have brought this power to the VPC Traffic Mirroring configuration. You can read all about it here.

2. Spot/On-demand Choice

The new installation process of the STA now allows you to choose whether you’d like to run the STA as a spot instance of a spot fleet (for example for testing purposes) or as an on-demand instance. Now the choice is absolutely yours.

3. Configurable Size

Now you can choose the size of the machine that will be used for the STA. The instance types that are going to be used based on the selected size are listed below:

| Small | Medium | Large |
|---|---|---|
| c5.2xlarge | c5.4xlarge | m5.8xlarge |
| c5d.2xlarge | c5d.4xlarge | m6g.8xlarge |
| c5a.2xlarge | c5a.4xlarge | r5a.8xlarge |
| c5n.2xlarge | c5n.4xlarge | m5n.8xlarge |
| c4.2xlarge | c4.4xlarge | m4.10xlarge |
| c6g.2xlarge | c6g.4xlarge | c6g.8xlarge |
| a1.2xlarge | a1.4xlarge | c5.9xlarge |

4. Automated configuration sync to S3

During installation, you can set an S3 bucket for the configuration of the STA. If the bucket is empty, the STA will automatically copy its config files to that bucket. If the bucket contains the STA config files and they have been modified (either manually by you or by a script…), the STA will automatically pull the new configuration and apply it. This configuration includes the following files:

| Config file name | Purpose |
|---|---|
| local.rules | Includes snort rules that will be used in addition to those that were downloaded automatically |
| disablesid.conf | List of snort SIDs that should be disabled. Use this file to disable noisy snort rules. |
| bpf.conf | A BPF filter that the STA will use to filter incoming traffic. Usually, you can achieve the same outcome by modifying the VPC Traffic Mirroring filter. |
| wazuh_rules.conf | If the STA is installed with Wazuh support, this file is used to set the policy for all connected Wazuh agents |

To learn more about how to modify these files see here.

5. Automated upload of .pcap files to S3

During installation, the user can set an S3 bucket that will be used by the STA to upload compressed pcap files of all the traffic that was observed by the STA. The user can then set any lifecycle hook on that bucket for automated cleanup of old pcap files. This bucket will also contain executable files extracted directly from the traffic. These pcap files can be used for many purposes, including forensic investigations, alert tuneups, deeper investigations of applications and services issues, and more.

6. Monitoring

The new STA contains a built-in Prometheus node-exporter that listens on the third network interface on the default port.

7. Domain letter frequency analysis

Many cyber attacks nowadays use command and control servers and kill-switches for their malicious code. These usually use machine-generated domain names. We added a new capability to the STA to automatically calculate a score for each domain, parent domain, virtual host, certificate CN, etc. based on the frequency of letter combinations that are expected to be rare and letter combinations that are expected to be frequent. This score can be used to detect machine-generated domains in certificates, common names, DNS requests, and several other locations where the domain name can be found.
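The following is an added example, not Coralogix code: it illustrates letter-combination scoring with a simple bigram model, which is one common way to build such a score and not necessarily how the STA computes it. The training list, the threshold rule and all function names are assumptions made for the illustration.

```python
import math
from collections import Counter

# Constructed sample of human-chosen labels; a real model would be trained
# on a large list of known-benign domains (assumption of this example).
BENIGN_LABELS = """google facebook amazon microsoft wikipedia youtube twitter
linkedin instagram netflix github stackoverflow cloudflare dropbox coralogix
salesforce wordpress mozilla apple adobe paypal spotify reddit yahoo office
weather shopping travel banking support update download security account
service network online mail news store login portal images static content""".split()

SYMBOLS = 39  # a-z, 0-9, '-', plus start (^) and end ($) markers


def bigrams(label):
    padded = "^" + label.lower() + "$"
    return [padded[i:i + 2] for i in range(len(padded) - 1)]


COUNTS = Counter(bg for label in BENIGN_LABELS for bg in bigrams(label))
TOTAL = sum(COUNTS.values())


def label_score(label):
    """Mean log-probability per letter pair; lower means rarer combinations."""
    grams = bigrams(label)
    # Add-one smoothing: pairs never seen in training get the floor probability.
    logs = [math.log((COUNTS[bg] + 1) / (TOTAL + SYMBOLS ** 2)) for bg in grams]
    return sum(logs) / len(logs)


def domain_score(name):
    """Score the longest label left of the TLD (naive: no public-suffix list)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    candidates = labels[:-1] or labels or [""]
    return label_score(max(candidates, key=len))


# Flag anything scoring below the worst label in the benign sample.
THRESHOLD = min(label_score(l) for l in BENIGN_LABELS)


def looks_generated(name):
    return domain_score(name) < THRESHOLD


if __name__ == "__main__":
    # Constructed inputs: two ordinary names and one random-looking name.
    for fqdn in ["www.google.com", "mail.coralogix.com", "xqzkvjwq.net"]:
        print(f"{fqdn:22} {domain_score(fqdn):7.3f} generated={looks_generated(fqdn)}")
```

With a training sample this small, unfamiliar but legitimate names can also fall below the threshold, so the score works better as one signal to correlate with others than as a verdict on its own.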

8. “Baby Domains”

Employees, and even more so servers, accessing domains that are “young”, in the sense that they were registered only very recently, are often a good indication of malicious activity. The new version of the STA automatically pulls a list of domains with their creation date and adds the creation date to every domain detected in DNS requests, virtual hosts, and many other fields that contain a domain name. In addition, the new version of the STA contains a special dashboard for displaying such “baby domains” that were accessed by monitored servers and clients.

9. NIST Enrichment

The STA will automatically attempt to detect the software and version on the client and server machines that took part in the communications seen by the STA. Based on that information, the STA will attempt to detect the CVE (Common Vulnerabilities and Exposures) numbers associated with that software by MITRE and will alert you if a new type of software is found or if new vulnerable software is detected.

10. Default Alerts

We added a default set of more than 60 alerts that will be added to your account after the installation of the STA. These alerts will help you to get started with the STA and dramatically improve your organization’s security posture. You can read more about these alerts here.

11. Default Dashboards

We added a default set of more than 60 different dashboards to help you slice and dice the data to find your needle in the huge haystack.

That’s it for now. We have lots of new exciting features just waiting to be released in the next versions so stay tuned.
