CyFlare SOC In a Box Quick Start Guide

CyFlare SOC In a Box Quick Start Guide

Deployment Overview

Your appliance has been pre-configured based on the information provided at the time of your order for rapid deployment into your environment.

The deployment consists of the following high level steps:
  1. Configure Firewall Rules
  2. Physical cabling into your network
  3. Network Mirror / SPAN configuration to enable the Network Intrusion Detection System (NIDS)
  4. Syslog configuration of each in scope network device such as your firewall, router and network switches
  5. Server agent deployment (Windows or Linux)
  6. API Integration for Office 365 and OKTA if relevant for your deployment

Deployment Responsibilities Matrix

The Breach Detection System (BDS) has various requirements and tasks associated in order to properly and fully deploy the solution. The next two sections detail out the deployment tasks with associated owners along with related collateral or directives to aid in completion of the deployment.

Subscriber Requirements

Action Or Task
Directive Or Collateral
Provide a static internal IP for appliance management
Static IP Assigned by you that will be assigned to the appliance.This will be the interface enabled for SSH access by the SOC for port 22
Best practice is to build a separate vlan to aviod any looping
Provide a static internal IP for security sensor
Static IP Assigned by you that will be assigned to the security sensor. This will also be the target IP for syslog that may be forwarded on UDP port 514
Best practice is to build a separate vlan to avoid any looping.
Provide a public IP for the SOC to use for troubleshooting the appliance if needed
A Public IP that is provided to the SOC to be used for troubleshooting the appliance over SSH 

Enable port forwarding or port address translation to port 22 of the provided management IP
Port forwarding (you can choose a custom port) and forward port 22 to the management IP you assigned. 
Each vendor has it's own process for enabling port mirroring. Please refer to your vendors documentation or support resources.
Physical cabling of LAN1 Appliance interface
Ethernet connectivity to LAN1 Interface that will have internet connectivity per the firewall requirements identified below

Physical cabling to LAN2 and above interface for receiving mirrored traffic
Ethernet connectivity for listening ports to receive network traffic for network Intrusion Detection System capabilities

Enable port mirror from managed switches
Requires a managed switch or network packet broker. Copies network traffic to designated port(s) for Network IDS evaluation
Each vendor has it's own procedure for enabling port mirroring. Below is a list of common switches and links to vendor documentation for port mirroring.

Additionally, please pay special attention to the Network IDS Enablement section within this document
Deploy provided windows/linux server agent(s)
Used to collect server event logs and provide File Integrity Monitoring on servers
For Windows Agents: CLICK HERE
For Linux Agents: CLICK HERE
Enable sending of syslog from in scope devices
Syslog is a standard feature on network devices to forward log data to the security sensor for compliance enablement and security correlation
Send syslog level 2 over UDP Port 514 to the IP Address of your security sensor
Generate and share API Tokens to SOC as needed (OKTA, Office365, AWS, etc..)
The BDS has various API integrations to allow for logs data to be securely ingested. Once provided, the SOC will configure in the backend to validate the connection succeeded and logs are flowing.
Office 365 KB: CLICK HERE
Modify Firewall Policy per the requirements
Allows required connectivity to and from the appliance to the CyFlare cloud for data processing and analytics
This document - see "Firewall Rules"
Complete SOC Survey
SOC Survey provides context to your environment and allows the SOC to create properly tune the BDS and corresponding playbook so that alerts are not raised that are previously known or authorized by your organization
SEE ATTACHED TEMPLATE. Once populated please send to and the soc will update playbooks accordingly
Provide a distribution list or email address to be designated as the Incident Handler (IH) for all SOC generated tickets to be sent to
This is the main contact the SOC will use for sending of all tickets. This is typically an email distribution list if multiple contacts need to be notified at ticket creation time
Please send this to your assigned CSM
If a different contact than the IH, identify an email or distribution list that should receive reporting from the SOC
Identifies the recipient of any automated or manual reporting that is sent from the SOC to your organization
Please send this to your assigned CSM
Accept support portal invite 
Your CSM will send you an invite that must be accepted in order to completely setup the support portal account enabling ticket management and knowledge base article review
Check spam folder as the invite may go to spam. You may see the invite come from ""

CyFlare Responsibilities

The following list describes the actions CyFlare will be responsible for when deploying your BDS.

Action or Task
Send welcome email from Customer Success Manager (CSM)
Introduction email to you that includes contact information for your Customer Success Manager, project sequencing and several other links to help you get started with the service
Create BDS Portal account
Your unique BDS account within the CyFlare cloud
Create requested user account(s) within the portal
Individual credentials for users that require access to your portal account
Build and ship the BDS appliance(s) to requested location(s)
CyFlare configures, validates and ships your appliance(s) based on the IP information provided at time of order
Provide "MST" file for bulk Windows agent deployments
The SOC or CSM will provide you with a unique Microsoft Transform (MST) file to be used for bulk agent deployment. This is useful if you use SCCM or another software deployment tool. This custom file is tokenized and specific for your portal.
Create CyFlare support portal account(s) as requested
The support portal is where you can create & view tickets as well as search and view the knowledgebase. Your CSM will send invites requiring you to accept and complete your account setup
Validate SSH access to deployed appliance(s)
SOC will confirm we can connect via the SSH details provided (public ip and port) to the appliance in the event troubleshooting is required. This is provided to ease the burden on your organization if sensor specific troubleshooting is required
Validate appliance connectivity
SOC will confirm that the sensor is connected, sending traffic as expected and working as expected

Physical Connectivity

Step 1: Connect power supply and power on. A blue indicator light on the power switch should now be visible.

Step 2: Connect an Ethernet cable to “LAN1. This is the management interface in which an IP has been pre-assigned. This connection requires internet access. This Interface responds to 2 static IP addresses that you will have previously assigned. One is for the appliance IP and the other is for the security sensor IP.

NOTE: If Vulnerability Scanning has been purchased & enabled, an IP address will be required to be provisioned via DHCP. We recommend a long term reservation be created for the DHCP lease.

Step 3: Connect an Ethernet cable to “LAN2”. This is the data port that will receive mirrored / TAP traffic and used for network monitoring.

Step 4 (optional): Connect “LAN3” and “LAN4” ports if additional data ports are required for your network. These ports are enabled and in listening mode by default. No IP address is required for these ports.

NOTE: If you have purchased the 200 series rack-mountable unit you may connect to LAN ports 2 – 6 for data sensor ports. No IP address is required for these ports

Firewall Rules

The following rules are required to allow us to completely manage the appliance, analyze security data and store vulnerability scan reports.

Inbound To The Management Static IP:          
  • Port forward port 22 TCP (or any designated external port) to the Management IP address of the appliance (port 22 TCP – used for SSH access)  -- We don't ask for this anymore, and only use it if our ZTNA solution is not functioning as designed.  We will ask for temporary access via this method to correct any issues.

Outbound From The Management Static IP Of The Appliance:

  • To destination IP address over TCP port 80
  • To destination IP address over TCP port 80
  • To destination IP address over UDP port 51820 to the  ZTNA Access Gateway
  • To destination IP address150.136.235.122 over TCP port 8444, to the ZTNA Controller for authentication

Outbound From The Network Sensor IP:

  • 6640-6648 TCP to  
  • 8443 TCP to
  • 8888 TCP to
  • 8888 TCP to
  • 8472 UDP to
  • 4789 UDP to
  • 5123 TCP to
Outbound From Windows Servers With Deployed Agents:
  1. TCP on port 8888 to
  2. TCP on port 8888 to
  3. TCP on port 8443 to
  4. TCP  on ports 6640-6648 to
If Vulnerability Scanning is Purchased and Enabled:
  • Outgoing TCP Port 443 - Nessus Cloud Manager Communication 

Network IDS Enablement

In order for the solution to see your network traffic a copy of network traffic must be provided. 
This can be done in two ways:

  1. Enable a mirror / SPAN on your network switch(es). Mirror / SPAN capabilities vary by switch vendor and model.
  2. Insert a network TAP

The mirror / SPAN should be setup minimally on each core switch so that all internet traffic is sent to the network sensor. Additionally, you may want to consider enabling mirror / SPAN on each distribution switch so that lateral traffic (traffic that passes within the same distribution switch) is visible to the network sensor. 

When enabling the mirror / SPAN do not include traffic from LAN 1 (Management) Interface. It will cause traffic looping and may impact network performance and consume additional internet bandwidth.  If you are Mirroring VLANS or Port Groups, be sure that LAN 1 (Management) is not included within those VLANS or Port Groups.

As a best practice, we recommend adding the Port connected to LAN 1 to its own VLAN

Sample Diagram

SOC Access To Your Network Sensor

From time to time the SOC will require SSH access to troubleshoot the sensors and can do that without burdening your staff. 

The viable options for enabling that are typically the following options though we can adhere to what is normal for your organization:
  • Provide the SOC a Non-Persistent VPN option
  • Provide a Jump-Box SSH access is preferred for configuration and troubleshooting. 
  • (Most common method used) Direct SSH Access via port forwarding to a provided static public IP and specified port
  • Direct SSH Access via port forwarding to a static public IP

Syslog Configuration

By default, your appliance is configured to automatically receive Syslogs via UDP port 514 at the IP address assigned for your security sensor (not the Appliance IP). 

Server Agent Deployment

Server agents are required to collect and process events occurring on your Windows or Linux servers.  

Click Here to view the Windows Agent deployment instructions.

Cloud Service Integrations

The solution allows for integration of Office 365, OKTA and AWS Cloudtrail cloud service logs.

Instructions for enabling each are provided here:
  1. Office 365
  2. AWS Cloudtrail
  3. OKTA (Coming Soon)

    • Related Articles

    • AlienVault USM Anywhere Customer Quick Start Guide

      Summary This document is intended as a step by step guide for new customer implementations of USM Anywhere with an introduction to the incident ticketing process and interacting with the SOC.  The solution and service are deployed in phases. The ...
    • How to Engage With The CyFlare SOC

      SOC Contact Information CyFlare SOC Phone Number: 877-729-3527 – Option 2 Secure Ticket Portal & Help Center: SOC Portal Link Email To Create A Ticket: Deployment Tracker & Document Management Portal: HERE
    • CyFlare Detection List & MITRE ATT&CK Framework Mapping

      Purpose This document identifies the detections that are available to CyFlare clients from the identified managed security services.  Filters & Definitions State - This represents whether the default mode for the detection. It may be On or Off by ...
    • Nessus Pro Vulnerability Scanning QSG

      Nessus Pro Vulnerability Scanning Quick Start Guide   Deployment Overview   The SOC will handle the building and configuration of the Nessus scanner.  The building of the scanner can be done with either direct access to the box or, remote access.   ...
    • AWS Cloudtrail Integration Guide With Breach Detection

      Overview AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS ...