Endpoint Event and Alert Flow
SIEMonster Endpoint
Events and Alerts
Flow Charts
V 1.01
May 10, 2016
Windows Endpoint Event and Alert Flow
2
1
3
2
Windows
Endpoint
PROTEUS
NXLOG events Stream
3
4
1
OSSEC HIDS SIEM
NXlog events SIEM
HIDS events Stream
CAPRICORN
Level 1-2 Incident
Response
End point Security Events via NXlog
3
4
Kraken / Tiamat
OSSEC Host Intrusion Detection Traffic
OSSEC HIDS after being shipped vand processed via Logstash
Elastic Search Cluster
Long Term Storage
V 1.01
OSSEC HIDS on Capricorn, is shipped via Filebeat to Proteus into Logstash
Data is then forked to Capricorn for short term storage, alerting and Long Term storage on
Krajken/Tiamat
May 10, 2016
Linux Endpoint Event and Alert Flow
2
1
3
2
PROTEUS
Linux Host
HIDS Events Stream
3
4
1
OSSEC HIDS SIEM
Filebeat Events SIEM
Filebeat Events Stream
CAPRICORN
Level 1-2 Incident
Response
End point Security Events Filebeat Events
3
4
Kraken / Tiamat
OSSEC Host Intrusion Detection Traffic
OSSEC HIDS after being shipped vand processed via Logstash
Elastic Search Cluster
Long Term Storage
V1.01
OSSEC HIDS on Capricorn, is shipped via Filebeat to Proteus into Logstash
Data is then forked to Capricorn for short term storage, alerting and Long Term storage on
Krajken/Tiamat
May 10, 2016
Agentless Endpoint Event and Alert Flow
2
1
Syslog
Devices
PROTEUS
3
SYSLOG Events SIEM
SYSLOG Events Stream
CAPRICORN
Level 1-2 Incident
Response
SYSLOG Events for Endpoitns without agents, Switches/Firewalls/Printers/SCADA etc
3
Kraken / Tiamat
Elastic Search Cluster
Long Term Storage
V1.01
May 10, 2016