Stellar Cyber Integration Framework
Ingestion Level Overview
LEVEL | DESCRIPTION | STARLIGHT ACTION | INTEGRATION ENABLES |
---|---|---|---|
1 | Data ingestion only | Starlight ingests data from the source, normalizes and enriches it | |
2 | Data ingestion and detections | Starlight ingests data from the source, normalizes and enriches it, and maps the data to specific or general detections and Threat Hunting Apps | |
3 | Data ingestion, detections and response | Starlight ingests data from the source, normalizes and enriches it, maps the data to specific or general detections and Threat Hunting Apps, and integrates with the source for response actions | |
DATA SOURCES | INTEGRATION LEVEL | COMMENTS |
---|---|---|
Firewalls | Level 3 | Killchain, NTA, UBA detections; Threat Hunting App; Respond with Firewall block rules |
Active Directory | Level 2 (Parser) Level 3 (Connector) | Killchain, NTA, UBA detections; User Profile enrichments; Respond with “disable user” actions |
SaaS (Office 365, G Suite & CloudTrail) | Level 2 | Killchain, UBA detections; Threat Hunting App |
Vulnerability Scanners | Level 2 | Killchain, NTA; Threat Hunting App |
Okta | Level 2 | Killchain, NTA; Threat Hunting App |
CrowdStrike EDR | Level 2 (Parser) Level 3 (Connector) | Forensics, Threat Hunting App, Playbook, Visualizer, Reporting/Alerting; Respond with quarantine or hide endpoint actions |
Sophos Endpoint Protection | Level 2 | Killchain detections, Threat Hunting App |
Critical Deployment Points
Required deployments that drive the enrichment giving better context within Interflow™ JSON-based records.
- Windows Agent on a Domain Controller to get the IP / User association
- Windows Agent on the DHCP server (or the ability to monitor DHCP traffic) to get the IP / Hostname association
- Active Directory Connector to get user profiles to show under User Behavior Analytics
- Vulnerability Scanner to get vulnerability information and new asset information to show under Asset Analytics
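As an added illustration of why the first two deployment points matter, the following Python sketch (written for this page, not Stellar Cyber's code; the record field names `srcip_host` and `srcip_user` and the sample data are constructed assumptions) joins a network record against DHCP lease and domain-controller logon data. The join is time-aware because DHCP reuses addresses: a lookup that ignores lease windows would attribute a later tenant's traffic to the earlier user, which is exactly the kind of enrichment error that misleads UBA and NTA detections.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class DhcpLease:
    """One DHCP lease as it would be observed on the DHCP server (constructed)."""
    ip: str
    hostname: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class LogonEvent:
    """One successful interactive logon seen on a Domain Controller (constructed)."""
    ip: str
    user: str
    time: datetime


def _t(hhmm: str) -> datetime:
    # Helper for the constructed sample data: all events on one day.
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2024, 1, 15, hour, minute)


# Constructed sample data: 10.0.0.5 is leased to alice's laptop in the morning,
# released, and then re-issued to bob's laptop after lunch.
LEASES: List[DhcpLease] = [
    DhcpLease("10.0.0.5", "laptop-alice", _t("09:00"), _t("13:00")),
    DhcpLease("10.0.0.5", "laptop-bob", _t("13:30"), _t("17:30")),
]
LOGONS: List[LogonEvent] = [
    LogonEvent("10.0.0.5", "alice", _t("09:05")),
    LogonEvent("10.0.0.5", "bob", _t("13:35")),
]


def lease_at(ip: str, at: datetime, leases: List[DhcpLease]) -> Optional[DhcpLease]:
    """Return the lease that covered `ip` at time `at`, or None if no lease did."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease
    return None


def user_at(ip: str, at: datetime, logons: List[LogonEvent],
            lease: Optional[DhcpLease], max_age: timedelta = timedelta(hours=8)) -> Optional[str]:
    """Attribute `ip` at time `at` to the most recent logon from that IP.

    Logons older than `max_age` are ignored, and when a lease is known the logon
    must fall inside that lease so a previous tenant's logon is not carried over.
    """
    candidates = [l for l in logons
                  if l.ip == ip and l.time <= at and at - l.time <= max_age]
    if lease is not None:
        candidates = [l for l in candidates if l.time >= lease.start]
    if not candidates:
        return None
    return max(candidates, key=lambda l: l.time).user


def enrich(record: dict, leases: List[DhcpLease] = LEASES,
           logons: List[LogonEvent] = LOGONS) -> dict:
    """Add hostname and user context for `srcip` to a JSON-style network record.

    `srcip_host` / `srcip_user` are hypothetical field names chosen for this example.
    """
    at = datetime.fromisoformat(record["timestamp"])
    out = dict(record)
    lease = lease_at(record["srcip"], at, leases)
    out["srcip_host"] = lease.hostname if lease else None
    out["srcip_user"] = user_at(record["srcip"], at, logons, lease)
    return out


if __name__ == "__main__":
    for ts in ("2024-01-15T10:00:00", "2024-01-15T13:15:00", "2024-01-15T14:00:00"):
        print(enrich({"timestamp": ts, "srcip": "10.0.0.5", "dstip": "203.0.113.7"}))
```

The 13:15 record falls in the gap between the two leases, so the hostname is left unset while the user is still attributed from the most recent logon; a record with no lease behind it deserves less confidence, and a real pipeline would carry that uncertainty into the record rather than silently guessing.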