This blog is all about Cyber Security and IT

Showing posts with label SIEM. Show all posts
Showing posts with label SIEM. Show all posts

Friday, February 22, 2019

RSA- SA- SIEM







Main Components of RSA-SA





Decoder / Log Decoder >>>>





Security Analytics collects two types of data: packet data and log data.





Packet data, that is, network packets, are collected using the Decoder through the network tap or span port.





A Log Decoder can collect four different log types - Syslog, ODBC, Windows eventing, and flat files.





Windows eventing refers to the Windows 2008 collection methodology
and flat files can be obtained via SFTP.





Concentrator / Broker >>>>





Any data that can be indexed on the Decoder is filtered by the respective Concentrator.





Once data is stored in the Concentrator, it is streamed as metadata to the RSA Analytics Warehouse.





Archivers >>>>






The Archiver is a host that enables long-term log archiving by
indexing and compressing log data and sending it to archiving storage.





The archiving storage is optimized for long-term data retention, and
compliance reporting.





Archiver stores raw logs and log meta data from Log Decoders for
long term-retention, and it uses Direct-Attached Capacity (DAC) for
storage.
Note: Raw packets and packet meta data are not stored in
the Archiver.





Event Stream Analysis(ESA) >>>>





This ESA host provides event stream analytics such as correlation and
complex event processing at high throughputs and low latency. It is
capable of processing large volumes of disparate event data from
Concentrators.





ESA uses advanced Event Processing Language that allows users to
express filtering, aggregation, joins, pattern recognition, and
correlation across multiple disparate event streams.





ESA helps to perform powerful incident detection and alerting.





Warehouse Connectors >>>>





Warehouse Connector allows you to collect meta data and events from
Decoders and write them in Avro format into a Hadoopbased
distributed computing system.





You can set up Warehouse Connector as a service on existing Log
Decoders or Decoders or it can be run as a virtual host in your virtual
environment.





The Warehouse Connector contains the following components: Data
Source, Destination, and Data Stream.





RSA Analytics Warehouse >>>>





RSA Analytics Warehouse provides the capacity for longer term data
archiving through a Hadoop-based distributed computing system that
collects, manages, and enables analytics and reporting on security
data.





RSA Analytics Warehouse requires a service called Warehouse
Connector to collect meta data and events from Decoder and Log
Decoder and write them in Avro format into a Hadoopbased
distributed computing system.





Any incoming data at the Log Decoder and Concentrator is ultimately
forwarded to the Warehouse.





A Warehouse typically consists of two units: Storage nodes and Direct
Attached Capacity (DAC).





Entire data (not just meta data) is stored in the RSA Analytics
Warehouse and is available to Security Analytics when required.