XDRaaS - Quick Start Guide (QSG)

The following items outline what CyFlare's deployment team will work on with you to get your data ingested and your environment monitored by the SOC as quickly as possible.


The main items that need to be addressed are the following:

  1. Identify the API integrations and connectors needed for your environment
  2. Determine which Windows and Linux servers will have XDR agents installed
  3. Decide whether you will install a physical or a virtual network sensor
  4. Pinpoint the network devices that will forward their syslog event messages to the network sensor for parsing and forwarding
  5. Add the firewall rules/policies needed for both network sensors and server agents


API Integrations:

API integrations and connectors allow CyFlare to ingest data from sources such as on-prem AD or SaaS-based applications such as O-365, Google Workspace, AWS CloudTrail and Azure Event Hub, to name a few.

Your deployment team will work with you to identify the API integrations and connectors that provide the best coverage for your environment. Once identified, the deployment team will provide the appropriate guides/KBs with step-by-step instructions for what you need to configure on your side and what to provide to CyFlare to make the connection.


XDR Server Agents:

These can be installed at any time and are the easiest way to start collecting information from your Windows or Linux servers.

The deployment team will provide you with access to a secure folder, via Egnyte, so that you can securely download the appropriate agent information, which can be installed one server at a time or through whatever software distribution method you use internally.

You will be provided with the CM IP address or FQDN and your Tenant ID, so that during installation those items can be filled in.  This process will tell your agent where to send information and place the agent in your own tenant, within the XDR platform.

Network Sensor:

CyFlare can provide a physical appliance or provide instructions on how to provision a virtual appliance that will perform network traffic analysis.

The deployment team will work based on what was purchased, so that we can deploy a network sensor or network sensors, into your network.

The network sensor allows us to capture mirrored traffic (from a port or VLAN(s)) for Network Traffic Analysis (NTA), so we can look for detections such as data exfiltration and lateral movement. The mirrored traffic is ingested continuously, not just when an event occurs. The sensor does not send full packets to CyFlare, only metadata extracted from them.

For the physical sensor, you will be asked to provide:

  1. an IP address
  2. subnet mask
  3. default gateway
  4. DNS information

When the appliance arrives, you will use this information to configure the appliance/network sensor to connect to your network. There are installation guides for each sensor model; the SE deploying your solution will provide the appropriate document.

The IP address is used for managing the sensor, but it will also be used to send interflow records to CyFlare for processing and normalization.

NOTE: It is important that you configure this network sensor into its own VLAN, so that traffic is not mirrored from the switch to the sensor, then from the sensor back to the switch, and then back to the sensor again. The sensor itself handles this fine, but the added load on the switch may result in performance issues.


Syslog forwarding:

The network sensor will ingest syslog data forwarded from your routers, switches, firewalls, wireless access points, etc. Your assigned SE will gather the device and vendor name in order to provide the vendor-specific port, so that the data received can be parsed correctly. You will log in to each device and forward its syslog events over UDP to the sensor's IP address (configured in the previous section) on the vendor-specific port.

NOTE: We don't need to see all levels of syslog. Please forward severity level 2 and above (critical and above), which includes critical, alert and emergency messages.
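To make the severity cut-off concrete: syslog severities are numbered 0 (emergency) through 7 (debug), so "level 2 and above" means a numeric severity of 2 or lower. The script below is an added example, not code from this guide, CyFlare or Stellar Cyber. It parses the PRI field of a few constructed sample messages, keeps only critical, alert and emergency, and can forward the survivors as UDP datagrams. The sensor address and vendor port are placeholders; use the sensor IP from the previous section and the port your SE assigns.

```python
import re
import socket

# Syslog severity codes (RFC 5424 section 6.2.1): 0 = emergency ... 7 = debug.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "Severity level 2 and above" in the guide means a numeric severity of 2 or LOWER.
FORWARD_MAX_SEVERITY = 2

# Placeholders (not values from the guide): the sensor IP configured earlier and the
# vendor-specific port your SE provides.
SENSOR_IP = "192.0.2.10"
VENDOR_PORT = 5514

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from a leading <PRI> field, or None if malformed."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI value
        return None
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def should_forward(line, max_severity=FORWARD_MAX_SEVERITY):
    """True when the message is at least as severe as the cut-off."""
    parsed = parse_pri(line)
    if parsed is None:
        return False  # unparseable lines are dropped rather than guessed at
    return parsed[1] <= max_severity


def select_for_sensor(lines, max_severity=FORWARD_MAX_SEVERITY):
    """Filter a batch of messages down to those the sensor should receive."""
    return [line for line in lines if should_forward(line, max_severity)]


def forward_udp(lines, sensor_ip=SENSOR_IP, port=VENDOR_PORT, sock=None):
    """Send each message as one UDP datagram to the sensor; returns the number sent."""
    own_sock = sock is None
    if own_sock:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (sensor_ip, port))
    finally:
        if own_sock:
            sock.close()
    return len(lines)


# Constructed sample messages, not output from any real device.
SAMPLE_LINES = [
    "<10>Jan 10 12:00:01 core-sw1 chassis: power supply 2 failed",         # user.crit
    "<14>Jan 10 12:00:02 core-sw1 link: Gi1/0/1 changed state to up",      # user.info
    "<0>Jan 10 12:00:03 edge-fw kernel: system halting",                   # kern.emerg
    "<33>Jan 10 12:00:04 edge-fw sshd: repeated auth failures, lockout",   # auth.alert
    "<190>Jan 10 12:00:05 ap-3 hostapd: STA associated",                   # local7.info
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    keep = select_for_sensor(SAMPLE_LINES)
    for line in keep:
        facility, severity = parse_pri(line)
        print(f"forward [{SEVERITY_NAMES[severity]}] {line}")
    print(f"{len(keep)} of {len(SAMPLE_LINES)} sample messages would be forwarded")
```

Running the block prints the three messages that pass the cut-off (critical, emergency and alert) and skips the two informational ones and the malformed line; `forward_udp` is not called from the main block so that nothing is sent until you supply the real sensor address and port.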


Firewall:

Policies will need to be added to your firewall, for outbound traffic only, to allow the network sensors and server agents to communicate with CyFlare. We prefer that you use the FQDN values, but the IP addresses are listed in case you need them.


Outbound from the appliance's static IP:

● To destination IP address 91.189.89.90 over TCP port 80
● To destination IP address 91.189.90.173 over TCP port 80

Outbound from the sensor and Linux agent static IP:

● TCP ports 6640-6648 to cm-cyflare.stellarcyber.cloud
● TCP port 8443 to cm-cyflare.stellarcyber.cloud
● TCP port 8888 to receiver-cyflare.stellarcyber.cloud
● UDP port 8472 to 54.176.232.64
● UDP port 4789 to 54.176.232.64

Outbound from any Windows servers with SIEM agents deployed:

● TCP port 8888 to receiver-cyflare.stellarcyber.cloud
● TCP port 8443 to cm-cyflare.stellarcyber.cloud
● TCP ports 6640-6648 to cm-cyflare.stellarcyber.cloud

NOTE: Use FQDNs where allowed, but if you need IP addressing for testing, please work with your deployment team.
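Before the sensor or an agent is installed, it is worth confirming from the host itself that the outbound policies above are actually in place. The script below is an added example, not a tool from CyFlare or Stellar Cyber. It takes the destinations and ports listed in this section (the sensor/Linux-agent and Windows-agent sets overlap, so they are merged into one table), expands the port range, and attempts a TCP connection to each TCP destination. UDP rules have no handshake to observe, so they are reported as untestable rather than guessed at; the probe approach and the reporting format are this example's own choices. Because firewall policies are source-specific, run it on the sensor or agent host, not from a workstation.

```python
import socket

# Required outbound rules as listed in the Firewall section of this guide.
# Each entry is (protocol, destination, port or port range).
REQUIRED_OUTBOUND = [
    ("tcp", "91.189.89.90", "80"),                          # appliance static IP
    ("tcp", "91.189.90.173", "80"),                         # appliance static IP
    ("tcp", "cm-cyflare.stellarcyber.cloud", "6640-6648"),  # sensor, Linux and Windows agents
    ("tcp", "cm-cyflare.stellarcyber.cloud", "8443"),       # sensor, Linux and Windows agents
    ("tcp", "receiver-cyflare.stellarcyber.cloud", "8888"), # sensor, Linux and Windows agents
    ("udp", "54.176.232.64", "8472"),                       # sensor and Linux agent only
    ("udp", "54.176.232.64", "4789"),                       # sensor and Linux agent only
]


def expand_ports(spec):
    """'6640-6648' -> [6640, ..., 6648]; '8443' -> [8443]."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"bad port range {spec!r}")
        return list(range(lo, hi + 1))
    return [int(spec)]


def expand_rules(rules=REQUIRED_OUTBOUND):
    """Flatten the table into one (protocol, destination, port) tuple per port."""
    return [(proto, dst, port) for proto, dst, spec in rules for port in expand_ports(spec)]


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, or timed out all mean 'not reachable from here'
        return False


def check_outbound(rules=REQUIRED_OUTBOUND, probe=tcp_probe):
    """Map each (protocol, destination, port) to 'open', 'blocked' or 'untestable'.

    UDP has no handshake, so a connectionless send cannot prove the policy exists;
    those entries are reported as 'untestable' and must be confirmed on the firewall.
    """
    results = {}
    for proto, host, port in expand_rules(rules):
        if proto != "tcp":
            results[(proto, host, port)] = "untestable"
        else:
            results[(proto, host, port)] = "open" if probe(host, port) else "blocked"
    return results


def blocked_rules(results):
    """The TCP destinations that could not be reached, sorted for a stable report."""
    return sorted(key for key, state in results.items() if state == "blocked")


if __name__ == "__main__":
    results = check_outbound()
    for (proto, host, port), state in results.items():
        print(f"{proto:<3} {host}:{port:<5} {state}")
    missing = blocked_rules(results)
    print(f"\n{len(missing)} required TCP destination(s) not reachable from this host")
```

A successful connect only shows that the path is permitted from this source; it says nothing about the tenant configuration, which the deployment team confirms separately. The `probe` parameter exists so the logic can be exercised with a stub when no network is available.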

 

To access the XDR Management Platform:  https://cyflare.stellarcyber.cloud

*Credentials will be provided by your deployment team or TechOps