How to install Coralogix STA

The Coralogix STA (Security Traffic Analyzer) is a tool by Coralogix for deep packet inspection, packet capturing, cloud configuration vulnerability scanning, and more.

The STA can be installed using the following methods:

  1. CloudFormation Template
  2. Terraform Template
  3. OVA image

CloudFormation Template

  1. Connect to your AWS account and, in another tab, log in to your Coralogix account
  2. In the Coralogix UI, go to the Settings page and then to the Cloud Security tab
  3. Click “Deploy Security Service”
  4. From the top drop-down list named “Deployment method”, choose the option “CloudFormation” (should already be selected)
  5. Fill in the various fields on the form and click “Launch AWS CloudFormation”
    1. Set the CloudFormation stack name (the default is “CoralogixSecurity”)
    2. Optionally, fill in the name of an S3 bucket that will be used for storing the STA’s configuration
    3. Optionally, configure the STA to use an encrypted disk
    4. Select the SSH key pair that will be used to connect to the STA
    5. Select the security group that will be assigned to the management network interface.
    6. Optionally, fill in the name of an S3 bucket that will be used for storing the packets captured by the STA as compressed PCAP files
    7. If you chose to run the STA as a spot instance, you can set the maximum spot price here
    8. Select the subnet you’d like to run the STA in. Make sure that the security group you chose for the management interface belongs to this subnet. Otherwise the installation will fail.
    9. Select the VPC you’d like to run the STA in. Make sure that the subnet you selected belongs to this VPC.
    10. Tick the box below that says “I acknowledge that AWS CloudFormation might create IAM resources.” and click “Create stack”

Terraform Template

  1. Connect to your AWS account and, in another tab, log in to your Coralogix account
  2. In the Coralogix UI, go to the Settings page and then to the Cloud Security tab
  3. Click “Deploy Security Service”
  4. From the top drop-down list named “Deployment method”, choose the option “Terraform Template”
  5. Click “Launch tutorial”
  6. Create an empty folder somewhere on your computer
  7. Create the following file and save it as sta-ng.tf:
variable "STALifecycle" {
}
variable "STASize" {
}
variable "WazuhRequired" {
}
variable "ElasticIpRequired" {
}
variable "CompanyID" {
}
variable "Subnet" {
}
variable "VpcId" {
}
variable "PrivateKey" {
}
variable "KeyName" {
}
variable "MgmtNicSecurityGroupID" {
}
variable "AppName" {
}
module sta_ng {
  source = "s3::https://coralogix-integrations.s3-eu-west-1.amazonaws.com/cloud-security/terraform/<target-aws-region>/sta_ng.template.tgz"
  
  STALifecycle            = var.STALifecycle
  STASize                 = var.STASize
  WazuhRequired           = var.WazuhRequired
  ElasticIpRequired       = var.ElasticIpRequired
  CompanyID               = var.CompanyID
  Subnet                  = var.Subnet
  VpcId                   = var.VpcId
  PrivateKey              = var.PrivateKey
  KeyName                 = var.KeyName
  MgmtNicSecurityGroupID  = var.MgmtNicSecurityGroupID
  AppName                 = var.AppName
}
  8. Create the following file and save it as values.auto.tfvars.json:
{
	"PrivateKey": "<coralogix-private-key>",
	"KeyName": "<ssh-key-to-use-for-connecting-to-the-sta>",
	"MgmtNicSecurityGroupID": "<security-group-id-to-assign-to-management-interface>",
	"VpcId": "<vpc-id-to-install-the-sta-in>",
	"AppName": "<coralogix-application-name-for-sta-data>",
	"CompanyID": "<coralogix-company-id>",
	"Subnet": "<aws-subnet-id-to-install-the-sta-in>",
	"STALifecycle": "<[ondemand|spotfleet]>",
	"STASize": "<[small|medium|large]>",
	"WazuhRequired": <[0|1]>,
	"ElasticIpRequired": <[0|1]>
}
  9. Run the command terraform init from the same folder
  10. Run the command terraform plan and examine the changes that are going to be applied to your environment
  11. Run the command terraform apply from the same folder and approve the changes
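
A pre-flight check for the values.auto.tfvars.json file from the steps above, added here as an example and not part of Coralogix's own tooling: it flags unreplaced placeholders, values outside the options listed in the template, and a file mode that exposes the private key. The function names and sample values are hypothetical, and the vpc-/subnet-/sg- checks assume the standard AWS resource ID prefixes.

```python
import json
import os
import tempfile

# Allowed values are from this page's template; vpc-/subnet-/sg- are standard AWS ID prefixes.
ENUMS = {"STALifecycle": ("ondemand", "spotfleet"), "STASize": ("small", "medium", "large"),
         "WazuhRequired": (0, 1), "ElasticIpRequired": (0, 1)}
ID_PREFIX = {"VpcId": "vpc-", "Subnet": "subnet-", "MgmtNicSecurityGroupID": "sg-"}
FREE_TEXT = ("PrivateKey", "KeyName", "AppName", "CompanyID")


def check_tfvars(path):
    """Return a list of problems found in a values.auto.tfvars.json file."""
    problems = []
    if os.stat(path).st_mode & 0o077:  # the file holds the Coralogix private key
        problems.append("file mode: accessible by group/others, expected 0600")
    try:
        with open(path) as fh:
            values = json.load(fh)
    except json.JSONDecodeError as exc:  # e.g. an unquoted <[0|1]> left in place
        return problems + [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    for key in (*ENUMS, *ID_PREFIX, *FREE_TEXT):
        val = values.get(key)
        if val is None:
            problems.append(f"{key}: missing")
        elif isinstance(val, str) and (not val or (val.startswith("<") and val.endswith(">"))):
            problems.append(f"{key}: placeholder not replaced")
        elif key in ENUMS and (isinstance(val, bool) or val not in ENUMS[key]):
            problems.append(f"{key}: {val!r} is not an allowed value")
        elif key in ID_PREFIX and not str(val).startswith(ID_PREFIX[key]):
            problems.append(f"{key}: expected an ID starting with {ID_PREFIX[key]}")
    return problems


def demo():
    sample = {  # constructed sample; every value here is made up
        "PrivateKey": "<coralogix-private-key>", "KeyName": "ops-key", "AppName": "sta",
        "CompanyID": "12345", "VpcId": "vpc-0a1b2c3d", "Subnet": "sg-0a1b2c3d", "STASize": "small",
        "MgmtNicSecurityGroupID": "sg-0a1b2c3d", "STALifecycle": "spot", "WazuhRequired": 1}
    with tempfile.NamedTemporaryFile("w", suffix=".tfvars.json") as fh:
        json.dump(sample, fh)
        fh.flush()
        os.chmod(fh.name, 0o644)  # simulate a world-readable file
        return check_tfvars(fh.name)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it against the real file before terraform plan; an empty result means every value has been filled in with a permitted option.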

OVA File

  1. Download the OVA file for the environment you plan to run it in from one of the following links:
    1. VirtualBox: https://coralogix-integrations.s3-eu-west-1.amazonaws.com/cloud-security/sta-ng.virtualbox.ova
  2. Once the file is downloaded, import the VM into the relevant environment and start it
  3. After the VM has finished loading, log in to the VM with the user ‘ubuntu’ and the password ‘Coralogix-STA!’
  4. Once you are logged in, a series of questions is presented automatically. Answer all of them with the relevant information
  5. Run the command passwd and change the default password of the ubuntu user

Next steps

After installing the STA, you can move forward in one of the following ways (or all of them) to get the most out of your newly installed STA:

  1. Configure VPC traffic mirroring to allow the STA to analyze raw traffic. For this use the following tutorials: How to automate VPC Mirroring for Coralogix STA, Guide: Smarter AWS Traffic Mirroring for Stronger Cloud Security
  2. Deploy Wazuh agents in selected instances to get insights into the processes running inside them. For this use the following tutorial: How to connect a Wazuh agent to the STA
  3. Review alerts configured and modify them to be more accurate for your organization. You can find more about it in these tutorials: Security Traffic Analyzer (STA) Alerts, Alerts API
  4. Run the command sta-get-installation-id, copy the UUID that is displayed on the screen, and save it in a safe place. This key is required to log in to the STA with administrative privileges, which might be needed as part of a troubleshooting session.
  5. Once the installation ID is safely stored and properly backed up, run the command sta-acknowledge-installation-id and carefully follow the instructions on the screen to remove the installation ID from the STA

If you have any questions or need any additional help, please contact our support team via our 24/7 in-app chat!