SOCaaP Help, Version 2.2
Frequently Asked Questions
  • What is SOCaaP Sensor?
  • Which Services are Running on SOCaaP Sensor?
  • Which configurations must be done at first install?
  • Which Network Interfaces are Active on a Hardware Sensor?
  • Which Rule-set do IDS Services Use?
  • What is the Log Forward Feature?
  • Which External IPs or Domains does SOCaaP Sensor Need to Access?
What is SOCaaP Sensor?

SOCaaP Sensor is a passive network sensor image used to collect and analyze network traffic in order to identify suspicious events. Because it is distributed as an ISO image, it can be installed on physical server hardware or in any virtualization environment. The sensor has built-in PF_RING support as a packet capture accelerator, which increases capture performance and reduces packet loss.

The primary purpose of the SOCaaP Sensor is to collect raw network traffic from a mirror port, or from a hub or tap device. The sensor combines signature-based and heuristics-based IDS, which gives SOC teams a strong foundation for network analysis and security monitoring. It also provides a log forwarder service that collects logs from supported third-party network devices, normalizes them and forwards them to the SOCaaP NDR servers in the common event model.

SOCaaP Sensor provides external threat intelligence integration capability. Additionally, it has Valkyrie integration for advanced extracted file analysis.

SOCaaP Sensor also performs passive OS and service fingerprinting. All information collected about the network is sent to the SOCaaP servers and presented to users in the SOCaaP portal. Sensor tuning and maintenance, such as managing new signatures, tuning the signature sets to keep event volume at an acceptable level and minimize false positives, tracking the up/down health status of sensors and managing data feeds, is performed regularly by the Xcitium SOC team.

Which Services are Running on SOCaaP Sensor?

In addition to the default CentOS 7 services, the sensor runs Bro IDS and Suricata IDS with PF_RING support, plus custom Xcitium services for integration, management and updates.

The following table lists the sensor's listening ports, the program behind each one, and whether the sensor's host firewall allows connections to it:

Port   Program    Firewall status
22     sshd       Allowed
68     dhclient   Allowed
80     httpd      Allowed
514    rsyslogd   Allowed

Which configurations must be done at first install?

Setting the IP address, gateway and Network Token is the essential first step when installing the SOCaaP sensor.

Which Network Interfaces are Active on a Hardware Sensor?

The eth0 interface is active and is used for management and for communication with the SOCaaP servers.

The eth1 interface listens to the traffic arriving from the mirror port and therefore runs in promiscuous mode.
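The port table and the interface roles above are the two things an operator can verify on the box itself. The script below is an added example, not Xcitium's own tooling: it parses the output of `ss -lntup` and `ip -d -o link show` (both part of iproute on CentOS 7), flags any listener that is not in the table (a documented port owned by a different program is a finding too), separates loopback-only extras from ones reachable over the network, and checks that eth1 is up and in promiscuous mode while eth0 is not. It checks both the PROMISC flag and the `promiscuity` counter, because promiscuity enabled by a capture library shows up only in the counter. The embedded sample outputs are constructed; the 127.0.0.1:25 and *:8080 listeners exist only to show what gets flagged. Run it with `--live` on a sensor (as root, so `ss -p` can name programs); it assumes Python 3.7 or later.

```python
"""Sensor host posture check. Added example; not part of the SOCaaP product.

Compares actual listening sockets with the FAQ port table and verifies the
eth0 (management) / eth1 (capture) interface roles. Run with --live on the
sensor; otherwise the constructed samples below are used. Assumes Python 3.7+.
"""
import re
import subprocess
import sys

# Allowlist taken from the FAQ table: port -> program expected to own it.
EXPECTED_LISTENERS = {22: "sshd", 68: "dhclient", 80: "httpd", 514: "rsyslogd"}

# Constructed sample of `ss -lntup`. The last two lines are not in the table:
# one is loopback-only (postfix), one is reachable on every address.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0          *:68            *:* users:(("dhclient",pid=812,fd=6))
udp   UNCONN 0      0          *:514           *:* users:(("rsyslogd",pid=901,fd=3))
tcp   LISTEN 0      128        *:22            *:* users:(("sshd",pid=1012,fd=3))
tcp   LISTEN 0      128       :::80           :::* users:(("httpd",pid=1200,fd=4),("httpd",pid=1201,fd=4))
tcp   LISTEN 0      100 127.0.0.1:25           *:* users:(("master",pid=1302,fd=13))
tcp   LISTEN 0      5          *:8080          *:* users:(("python",pid=2222,fd=3))
"""

# Constructed sample of `ip -d -o link show`: eth1 was put into promiscuous
# mode by the capture stack, so only the promiscuity counter reveals it.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 1
"""

_PROGRAM_RE = re.compile(r'\("([^"]+)"')               # first ("name",pid=..) in users:
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^<]*<([^>]*)>")
_PROMISCUITY_RE = re.compile(r"\bpromiscuity (\d+)")


def parse_ss(output):
    """Return (proto, local_addr, port, program) for each tcp/udp line of `ss -lntup`."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue                                    # header or unrelated line
        addr, port = fields[4].rsplit(":", 1)
        match = _PROGRAM_RE.search(line)
        rows.append((fields[0], addr, int(port), match.group(1) if match else "?"))
    return rows


def audit_listeners(rows, expected=EXPECTED_LISTENERS):
    """Split listeners into: in the table, loopback-only extras, network-reachable extras."""
    ok, local_only, findings = [], [], []
    for proto, addr, port, prog in rows:
        if expected.get(port) == prog:                  # right port AND right program
            ok.append((proto, port, prog))
        elif addr in ("127.0.0.1", "::1"):
            local_only.append((proto, port, prog))
        else:
            findings.append((proto, addr, port, prog))
    return ok, local_only, findings


def parse_links(output):
    """Return {ifname: (set_of_flags, promiscuity_counter)} from `ip -d -o link show`."""
    links = {}
    for line in output.splitlines():
        match = _LINK_RE.match(line)
        if match:
            count = _PROMISCUITY_RE.search(line)
            links[match.group(1)] = (set(match.group(2).split(",")), int(count.group(1)) if count else 0)
    return links


def is_promisc(entry):
    flags, count = entry
    return "PROMISC" in flags or count > 0


def check_interfaces(links, mgmt="eth0", capture="eth1"):
    """Capture interface must be UP and promiscuous; management interface must not be promiscuous."""
    problems = []
    cap = links.get(capture, (set(), 0))
    if not is_promisc(cap):
        problems.append(f"{capture} is not in promiscuous mode")
    if "UP" not in cap[0]:
        problems.append(f"{capture} is not up")
    if is_promisc(links.get(mgmt, (set(), 0))):
        problems.append(f"{mgmt} is in promiscuous mode but should only carry management traffic")
    return problems


def collect():
    """Run the real commands on the sensor (root needed for `ss -p` to name programs)."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return run("ss", "-lntup"), run("ip", "-d", "-o", "link", "show")


if __name__ == "__main__":
    ss_out, link_out = collect() if "--live" in sys.argv else (SAMPLE_SS, SAMPLE_IP_LINK)
    ok, local_only, findings = audit_listeners(parse_ss(ss_out))
    print(f"{len(ok)} listener(s) match the table; {len(local_only)} loopback-only extra(s)")
    for proto, addr, port, prog in findings:
        print(f"FINDING: unexpected {proto} listener {addr}:{port} ({prog})")
    for problem in check_interfaces(parse_links(link_out)):
        print("FINDING:", problem)
```

Loopback-only extras such as a local MTA are reported separately because they are not reachable from the network, but they still deserve a look if they were not there at install time. Anything bound to a non-loopback address that is not in the table, or a documented port owned by a different program, is a finding to raise with the SOC team.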

Which Rule-set do IDS Services Use?

The IDS services mainly use the Emerging Threats Pro ruleset, customized and extended by the Xcitium SOCaaP team.

What is the Log Forward Feature?

In addition to collecting network security information itself, the SOCaaP sensor can collect logs from other products on the network and forward them to the SOCaaP servers.

Which External IPs or Domains does SOCaaP Sensor Need to Access?

For remote management:

  Domain:  sensor.mssp.Xcitium.com
  Address: 35.169.33.2

For rule updates:

  Domain:  rules.emergingthreatspro.com
  Address: 204.12.217.18, 96.43.137.98

For Amazon Kinesis:

  Domain:  kinesis.us-east-1.amazonaws.com
  Address: 52.119.196.103

  Domain:  monitoring.us-east-1.amazonaws.com
  Address: 52.94.238.171

DNS server:

The sensor's default DNS server is 8.8.8.8. If the customer keeps this default, outbound DNS to 8.8.8.8 must be allowed through the customer firewall. If the customer wants to use their own DNS server instead, it should be switched to only after confirming that the hosts above resolve correctly through that server.
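The last paragraph describes a check worth scripting before a sensor is cut over to a customer DNS server. The script below is an added example, not Xcitium's own tooling: it resolves each host listed above, compares the answers with the documented addresses, and classifies each as ok, changed (resolves, but to none of the documented addresses) or unresolved. The resolver is injectable, so the logic runs offline against constructed answers; with `--live` it uses the host's configured resolver (whatever /etc/resolv.conf points at, so run it on the sensor, or on a host using the customer's DNS, to test that server) and additionally tries a TCP connection. The FAQ does not state which ports these hosts are reached on; the port 443 in `tcp_reachable` is an assumption for illustration.

```python
"""Egress pre-check for a SOCaaP sensor. Added example; not part of the product.

Resolves every host the FAQ lists, compares answers with the documented
addresses, and optionally tests a TCP connection. The resolver is injectable
so the logic can be exercised offline; the default uses the host's configured
DNS (8.8.8.8 on a stock sensor, or the customer's server). Assumes Python 3.
"""
import socket
import sys

# Hosts and addresses exactly as documented in this FAQ.
REQUIRED_HOSTS = {
    "sensor.mssp.Xcitium.com": {"35.169.33.2"},
    "rules.emergingthreatspro.com": {"204.12.217.18", "96.43.137.98"},
    "kinesis.us-east-1.amazonaws.com": {"52.119.196.103"},
    "monitoring.us-east-1.amazonaws.com": {"52.94.238.171"},
}

# Constructed answers for an offline run: one exact match, one partial match,
# one AWS endpoint that has rotated to a new address, one name that fails.
SAMPLE_ANSWERS = {
    "sensor.mssp.Xcitium.com": {"35.169.33.2"},
    "rules.emergingthreatspro.com": {"96.43.137.98"},
    "kinesis.us-east-1.amazonaws.com": {"3.5.10.200"},
    "monitoring.us-east-1.amazonaws.com": set(),
}


def system_resolver(hostname):
    """IPv4 answers from the host's configured resolver; empty set if it cannot resolve."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except socket.gaierror:
        return set()


def sample_resolver(hostname):
    """Offline stand-in for system_resolver, backed by the constructed answers."""
    return SAMPLE_ANSWERS.get(hostname, set())


def check_resolution(required, resolve=system_resolver):
    """Return {host: (status, answers)} where status is
    'ok'         - at least one answer is in the documented address list
    'changed'    - resolves, but to none of the documented addresses (verify, then fix the allowlist)
    'unresolved' - no answer: DNS blocked, wrong server, or the name is filtered
    """
    report = {}
    for host, documented in required.items():
        answers = resolve(host)
        if not answers:
            status = "unresolved"
        elif answers & documented:
            status = "ok"
        else:
            status = "changed"
        report[host] = (status, answers)
    return report


def tcp_reachable(host, port=443, timeout=3.0):
    """True if a TCP handshake to host:port completes.
    The FAQ does not state ports; 443 here is an assumption for illustration."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    live = "--live" in sys.argv
    resolve = system_resolver if live else sample_resolver
    for host, (status, answers) in check_resolution(REQUIRED_HOSTS, resolve).items():
        line = f"{status:10} {host:36} {', '.join(sorted(answers)) or '-'}"
        if live and status != "unresolved":
            line += "  tcp/443 " + ("open" if tcp_reachable(host) else "blocked")
        print(line)
```

A "changed" result is not by itself a sign of tampering: the Amazon endpoints in particular resolve to addresses that rotate over time, so the two AWS addresses listed above are a snapshot. If the customer firewall pins those exact IPs, the sensor will lose its Kinesis path when they change; allow the AWS endpoints by name or by Amazon's published address ranges, and treat a mismatch on the management or rule-update hosts as something to confirm with the SOC team before changing the allowlist.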

© Comodo Group, Inc. 2023. All rights reserved.