We are glad to know that you are joining our many clients who have already installed the STA. If you would now like to know which components the installation deploys and how the solution is put together, you have come to the right place.
As described in the article “How to install Coralogix STA”, there are several ways to install the STA. We will come back to them shortly, but first let’s take a closer look at the STA instance itself:
The STA instance listens for incoming traffic on its first two network interfaces (eth0 and eth1) but never responds to those packets, since no daemon is configured to listen on these NICs: they are capture-only interfaces. The traffic from these interfaces is analyzed by Zeek and Suricata and, if a packets S3 bucket was specified during the installation, also copied there as raw packets. The Zeek and Suricata output is then enriched automatically by several services within the STA and finally shipped to the Coralogix account specified during the installation.
Some of the enrichment services require outbound Internet access on TCP port 80 (RDAP) and TCP port 443 (NIST, ET rule updates and the Coralogix connection), as well as the ability to perform DNS queries for several servers (RDAP, DNSRBLs, NIST, ET rule updates and the Coralogix connection; note that DNSRBL lookups are themselves DNS queries). Make sure the instance’s security group, network ACL or egress firewall permits this traffic, otherwise enrichment, and ultimately shipping to Coralogix, will not work.
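The two statements above (nothing answers on the capture NICs; the enrichment services need specific egress) are easy to verify before you rely on the instance. The script below is an added example written for this article, not part of the STA or of Coralogix’s installer. It parses saved `ss -H -lntup` output to find sockets that would answer traffic arriving on eth0/eth1, and compares a list of egress rules (modelled loosely on security-group rules) against the ports named above. The addresses, process names and rules in it are constructed sample data; the capture-NIC addresses, the resolver address and the `EgressRule` shape are assumptions, not something the page specifies.

```python
"""Pre-flight checks for an STA instance (added example, not Coralogix code).

 1. No daemon should be reachable on the capture interfaces (eth0/eth1).
 2. Enrichment egress: TCP/80 (RDAP), TCP/443 (NIST, ET rules, Coralogix)
    and DNS (UDP/TCP 53).
Inputs are plain text / plain objects so the checks run offline on saved output.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

WILDCARDS = {"0.0.0.0", "::", "*"}          # "listen on every interface"

# Egress the enrichment services need, as stated in the architecture description.
REQUIRED_EGRESS = (
    ("tcp", 80, "RDAP"),
    ("tcp", 443, "NIST, ET rule updates, Coralogix"),
    ("udp", 53, "DNS"),
    ("tcp", 53, "DNS (TCP fallback for large answers)"),
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class EgressRule:
    proto: str        # "tcp", "udp", or "-1" for any protocol (AWS convention)
    from_port: int
    to_port: int
    cidr: str         # destination range


def parse_ss(output: str) -> list[Listener]:
    """Parse headerless `ss -H -lntup` lines into Listener records."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        # Drop the interface scope (127.0.0.53%lo) and IPv6 brackets ([::]).
        addr = addr.split("%")[0].strip("[]")
        m = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else "?"))
    return listeners


def exposed_on_capture_nics(listeners: list[Listener], capture_addrs: list[str]) -> list[Listener]:
    """Listeners that would answer a packet addressed to a capture NIC.

    A socket bound to one of the NIC's addresses, or to a wildcard address, is
    reachable there.  If the capture NICs carry no IP address at all (the
    usual setup for a tap), nothing can be addressed to them and the list is empty.
    """
    capture = {str(ipaddress.ip_address(a)) for a in capture_addrs}
    if not capture:
        return []
    return [l for l in listeners if l.addr in capture or l.addr in WILDCARDS]


def missing_egress(rules: list[EgressRule], resolver: str | None = None) -> list[tuple[str, int, str]]:
    """Return the REQUIRED_EGRESS entries that no rule permits.

    RDAP, NIST, ET and Coralogix endpoints are not fixed addresses, so ports 80
    and 443 must be open to any destination (a /0 rule).  DNS may instead be
    pinned to `resolver` (assumed here to be the VPC resolver) when one is given.
    """
    missing = []
    for proto, port, purpose in REQUIRED_EGRESS:
        candidates = [r for r in rules
                      if r.proto in (proto, "-1") and r.from_port <= port <= r.to_port]
        if port == 53 and resolver is not None:
            target = ipaddress.ip_address(resolver)
            ok = any(target in ipaddress.ip_network(r.cidr, strict=False) for r in candidates)
        else:
            ok = any(ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0 for r in candidates)
        if not ok:
            missing.append((proto, port, purpose))
    return missing


# Constructed sample `ss -H -lntup` output; 10.0.1.10 is assumed to be eth0's address.
SAMPLE_SS = """\
tcp   LISTEN 0 128  0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=812,fd=3))
udp   UNCONN 0 0    127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=600,fd=12))
tcp   LISTEN 0 4096 10.0.1.10:8080   0.0.0.0:* users:(("python3",pid=1234,fd=5))
tcp   LISTEN 0 128  [::]:22          [::]:*    users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for l in exposed_on_capture_nics(parse_ss(SAMPLE_SS), ["10.0.1.10"]):
        print(f"reachable on capture NIC: {l.proto} {l.addr}:{l.port} ({l.process})")
    rules = [EgressRule("tcp", 443, 443, "0.0.0.0/0"),
             EgressRule("udp", 53, 53, "10.0.0.0/16")]
    for proto, port, purpose in missing_egress(rules, resolver="10.0.0.2"):
        print(f"egress missing: {proto}/{port} ({purpose})")
```

Run it on the real instance by piping `ss -H -lntup` output into `parse_ss` and passing the addresses of eth0 and eth1 (from `ip addr`); an empty result from `exposed_on_capture_nics` confirms the passive-tap behaviour the article describes. The wildcard rule is deliberately strict: a service bound to 0.0.0.0 is reachable on every interface that has an address, including a capture NIC.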
The STA’s cloud installation (either AWS CloudFormation or Terraform) will also install the following components to support the STA and facilitate its maintenance and integration:
Now that you know what each component of the STA is for and what it does, the next step could be to understand the default set of alerts by reading Security Traffic Analyzer (STA) Alerts, or to learn how to modify a Suricata rule by reading How to Modify an STA Suricata Rule. If you already know that, you will probably find the article Writing Effective Suricata Rules with Examples [Best Practices] helpful.
As always, please do not hesitate to contact us through the chat with any issue you may have.