13.1 How does SIEM work

Filr generates CEF (Common Event Format) events for the following user activities:

  • Login

  • Add, modify and delete files and folders

  • View, copy, move, and download files and folders

  • Share and share access for files and folders

  • Add, modify, and delete comments on files

These CEF events are written to the appserver log, to the database, and to Kafka. The connector consumes the events from Kafka or from the database and forwards them to the SIEM solution. When the SIEM solution identifies activity that could signify a threat, it generates an alert indicating a potential security issue. Alerts are assigned low or high priority by a set of pre-defined rules. For example, 20 failed login attempts on one user account in 20 minutes is flagged as suspicious activity, but at low priority, because it is most likely a user who has forgotten their login details. However, 120 failed login attempts on one account in 5 minutes is more likely to be an unauthorized user trying to log in, and is flagged as a high severity incident.
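The threshold rules above, applied to the CEF login events in code. This is an added example, not part of the Filr documentation or the connector: the parser follows the CEF header layout (seven pipe-separated fields, then the key=value extension) and the sample records are constructed, so the vendor and product strings, the "login" event class ID, the extension keys (suser, src, outcome, rt) and all usernames, addresses and timestamps are assumptions rather than Filr's actual output. In a real connector the lines would come from the CefEvents Kafka topic or the SS_CefEvents table instead of make_event.

```python
"""Parse CEF records and apply the failed-login thresholds described above:
20 failures in 20 minutes -> low priority, 120 failures in 5 minutes -> high.
Added example; header values, extension keys and sample data are constructed."""
import re
from collections import defaultdict, deque

# Rules from the text: (failures, window in minutes, severity), most severe first.
RULES = [(120, 5, "high"), (20, 20, "low")]

# One extension pair: key=value, value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r'(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)')
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value):
    """Resolve CEF backslash escapes: \\| \\= \\\\ \\n \\r."""
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _split_header(line):
    """Split on the seven unescaped pipes; the remainder is the extension."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # keep the escape for _unescape
            buf.append(line[i:i + 2]); i += 2; continue
        if ch == "|" and len(fields) < 7:
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    fields.append("".join(buf))
    return fields


def parse_cef(line):
    """Return a dict with the header fields and an 'ext' dict of extension pairs."""
    fields = _split_header(line)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    keys = ("version", "vendor", "product", "device_version",
            "event_class_id", "name", "severity")
    event = {k: _unescape(v) for k, v in zip(keys, fields[:7])}
    event["version"] = event["version"][len("CEF:"):]
    event["ext"] = {k: _unescape(v) for k, v in _EXT_RE.findall(fields[7])}
    return event


class FailedLoginDetector:
    """Sliding-window count of failed logins per account; fires once per threshold."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.history = defaultdict(deque)   # user -> failure times (epoch ms)
        self.alerts = []

    def feed(self, line):
        ev = parse_cef(line)
        # Event class ID and outcome value are assumptions about the record layout.
        if ev["event_class_id"] != "login" or ev["ext"].get("outcome") != "failure":
            return None                      # successes and other events are ignored
        user, now = ev["ext"]["suser"], int(ev["ext"]["rt"])
        hist = self.history[user]
        hist.append(now)
        longest = max(w for _, w, _ in self.rules) * 60_000
        while hist and now - hist[0] > longest:   # drop failures outside every window
            hist.popleft()
        for count, minutes, severity in self.rules:
            recent = sum(1 for t in hist if now - t <= minutes * 60_000)
            if recent == count:              # fire exactly when the threshold is crossed
                alert = {"user": user, "severity": severity, "failures": recent,
                         "window_min": minutes, "rt": now}
                self.alerts.append(alert)
                return alert
        return None


def make_event(user, rt_ms, outcome, src):
    """Constructed CEF login record in the assumed layout (not real Filr output)."""
    return ("CEF:0|Micro Focus|Filr|4.3|login|User login|%d|"
            "suser=%s src=%s outcome=%s rt=%d"
            % (7 if outcome == "failure" else 3, user, src, outcome, rt_ms))


def run_scenarios():
    """Feed three constructed streams through the detector and return its alerts."""
    base = 1_700_000_000_000                 # arbitrary epoch-ms start time
    lines = []
    # alice: 20 failures one minute apart -> low priority at the 20th
    lines += [make_event("alice", base + i * 60_000, "failure", "10.0.0.5") for i in range(20)]
    # mallory: 120 failures two seconds apart -> low at the 20th, high at the 120th
    lines += [make_event("mallory", base + i * 2_000, "failure", "203.0.113.9") for i in range(120)]
    # bob: five failures then a success -> below every threshold
    lines += [make_event("bob", base + i * 10_000, "failure", "10.0.0.7") for i in range(5)]
    lines.append(make_event("bob", base + 60_000, "success", "10.0.0.7"))
    det = FailedLoginDetector()
    for line in lines:
        det.feed(line)
    return det.alerts


if __name__ == "__main__":
    for a in run_scenarios():
        print(a)
```

Each rule fires only at the moment the count reaches its threshold, so a burst that keeps going produces one low alert followed by one high alert rather than an alert per event; a SIEM would normally suppress the earlier low alert once the high one escalates it.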

Kafka

Kafka is a distributed system that continuously imports and exports data as event streams. For more information, see the Apache Kafka documentation.

Zookeeper

Zookeeper is used to maintain naming and configuration data. It keeps track of the status of the Kafka cluster nodes, and of the Kafka topics and partitions.

The Kafka and Zookeeper services are configured automatically when Filr is upgraded to Filr 4.3, and both run on the localhost.

13.1.1 Connect the event logs to SIEM Solution

Connectors automate collecting and managing the CEF events from a device and pushing them to a SIEM solution.

The CEF events are available in the SS_CefEvents database table and in the Kafka topic named CefEvents. The connector fetches the events from either source and pushes them to the SIEM solution.

The following two ports are enabled for Kafka:

  • 9092 for SSL

  • 9093 for SASL_SSL

Connectors can consume events from port 9092 only when they are configured on the same server (localhost). Only port 9093 (SASL_SSL, so the connector must authenticate over TLS) allows connectors to consume events from outside the Filr server.