-
SuggestedSuggested
- How It Works Streama© is the foundation of Coralogix's stateful streaming data platform, based on our 3 “S” architecture – source, stream, and sink.
- How Monday.com Improved Monitoring to Spend Less Time Searching for Issues Monday.com uses Coralogix to centralize and standardize their logs so they can easily search their logs across the entire stack.
- Creating a Free Data Lake with Coralogix Like many cool tools out there, this project started from a request made by a customer of ours. Having recently migrated to our service, this customer...
Oh no!
Oh no!We didn’t find anything for “”,
please try a different search
Breaking News from AWS re:Invent
Coralogix receives AWS Rising Star award!
Back to All Docs
How to install Coralogix STA
Last Updated: Jun. 04, 2023
The Coralogix STA (Security Traffic Analyzer) is a tool by Coralogix for deep packet inspection, packet capturing, cloud configuration vulnerability scanning, and more.
For additional information see the introduction doc.
The STA can be installed using the following methods
- CloudFormation Template
- As this an AWS service, this installation only for AWS
- Terraform Template
- Available for AWS and Azure
- OVA image
In addition, STA can be installed in a limited internet access environment.
Pre-requisites
Before you install the STA please make sure the following requests are met:
AWS
- Configuration is saved using an AWS S3 bucket. It is recommended to use a dedicated bucket, if you won’t define one, the STA will generate a bucket.
- Have an empty S3 bucket for holding the configuration.
- You have permissions to deploy EC2 instances, spot fleets, load-balancers and security groups in the AWS account you plan to deploy the STA in.
- Instances that you plan to mirror their traffic by using the VPC traffic mirroring feature belong to one of the following types:
C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1, X1e, A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d.
- If you are looking to monitor instances by using our Virtual Tap, make sure you can run privileged containers in that environment (for example in AWS FarGate you cannot do that) – to read more about the Virtual Tap, see this doc.
Azure
- Configuration is saved using an Azure’s Storage Accounts service. It is recommended to use a dedicated container, so the configuration will be saved outside of the STA and can be modified/restored later
- Have an empty container for holding the configuration
- You have permissions to deploy VM instances, and create resources, in the Azure’s account you plan to deploy the STA in
- mirroring instances’ traffic can be performed only by using our Virtual Tap. To read more about the Virtual Tap, see this doc
Deployment
CloudFormation Template
- Connect to your AWS account and on another tab, login to your Coralogix account
- From Coralogix UI, go to the Settings page and then to the Cloud Security tab
- Click “Deploy Security Service”
- From the top drop-down list named “Deployment method”, choose the option “CloudFormation” (should already be selected)
- Fill in the various fields on the form and click “Launch AWS CloudFormation”:
- Set the CloudFormation’s stack name (The default is “CoralogixSecurity”)
- Optionally, fill in the name of an S3 bucket that will be used for storing the STA’s configuration
- Optionally, configure the STA to use an encrypted disk
- Select the SSH key pair that will be used to connect to the STA
- Select the security group that will be assigned to the management network interface
- Optionally, fill in the name of an S3 bucket that will be used for storing the packets captured by the STA as compressed PCAP files
- If you chose to run the STA as a spot, you can set the maximum spot price here
- Select the subnet you’d like to run the STA in. Make sure that the security group you chose for the management interface belongs to this subnet. Otherwise the installation will fail
- Select the VPC you’d like to run the STA in. Make sure that the subnet you selected belongs to this VPC
- Tick the box below that says “I acknowledge that AWS CloudFormation might create IAM resources.” and click “Create stack”
Terraform Template
AWS – Prerequisites
- Connect to your AWS account and on another tab, login to your Coralogix account
- From Coralogix UI, go to the Settings page and to the Cloud Security tab
- Click “Deploy Security Service”
- From the top drop-down list named “Deployment method”, choose the option “Terraform Template”
- Click “Launch tutorial”
Deployment Steps
- Create an empty folder somewhere on your computer
- Create file
sta-ng.tf- AWS – download content from the following file from GitHub
- Azure – download content from the following file from GitHub
- Create file
values.auto.tfvars- AWS – download content from following file from GitHub
- Azure – download content from following file from GitHub
- Fill the required variables in the created file
- for variables explanation see comments from downloaded content
- Run the command
terraform initfrom the same folder - Run the command
terraform planand examine the changes that are going to be applied to your environment - Run the command
terraform applyfrom the same folder and approve the changes
OVA File
- You can download the OVA file from the following links based on the environment you would like to use them at:
- Once the file is downloaded, import the VM into the relevant environment and start it
- After the VM has finished loading, login to the VM with the user ‘ubuntu’ and the password ‘Coralogix-STA!’
- Automatically, once the user is logged on, a series of questions will be presented. Please answer all of them with all the relevant information
- Run the command
passwdand change the default password of the ubuntu user
STA Deployment In Limited Internet Access Environments
STA requires access to S3 for its config files. In some environments Internet outbound access is required to be limited to specific IPs, which means no access to public S3 will be available. In order to allow connectivity using amazon private network – Set a designated VPC gateway endpoint that connects your VPC directly to Amazon S3.
* Make sure your VPC’s route table contains Coralogix’s endpoints.
* In addition, in such environments the following enrichment services will not work: dns-rbls, unshorten-url, nist-cpe, also updates to Suricata service will fail.
Next Steps
After installing the STA, you can move forward in one of the following ways (or all of them) to get the most out of your newly installed STA:
- Configure VPC traffic mirroring to allow the STA to analyze raw traffic. For this use the following tutorials: How to automate VPC Mirroring for Coralogix STA, Guide: Smarter AWS Traffic Mirroring for Stronger Cloud Security
- Deploy Wazuh agents in selected instances to get insights into the processes running inside them. For this use the following tutorial: How to connect a Wazuh agent to the STA
- Review alerts configured and modify them to be more accurate for your organization. You can find more about it in these tutorials: Security Traffic Analyzer (STA) Alerts, Alerts API
- Run the command
sta-get-installation-idand copy the uuid that is displayed on the screen and save it in a safe place. This key is required to login to the STA with administrative privileges which might be needed as part of a troubleshooting session. - Once the installation ID is safely stored and properly backed-up, run the command
sta-acknowledge-installation-idand carefully follow the instructions on the screen to remove the installation ID from the STA
If you have any questions or need any additional help, please contact our support team via our 24/7 in-app chat!