Types of Stellar Cyber Sensors

This topic describes the family of sensors available from Stellar Cyber, from lightweight server sensors that install as agents on target Linux and Windows servers to purpose-built physical sensors capable of monitoring at 10G network speeds. Sensors provide the data gathering foundation for Stellar Cyber's OpenXDR platform, gathering the right data with context.

Sensors are used to create visibility where it does not yet exist, or to simplify and consolidate telemetry collection with Stellar Cyber. You can capture data from network, assets, and containers, all under the same license, and administered from the same platform.

Starting with the 4.3.7 release, new physical sensors are shipped as modular sensors on Ubuntu 22.04.

Family of Stellar Cyber Sensors

The Stellar Cyber family of sensors consists of the following members:

  • Server Sensors – Server Sensors install as software on target hosts to be monitored. They are also referred to as agents. Server Sensors are available for both Linux and Windows, as described below.

  • Device Sensors – Device Sensor is an umbrella term that refers to any purpose-built Stellar Cyber sensor that includes both the host and the Stellar Cyber monitoring software. Device Sensors are provided as both physical devices (Photon sensors) and virtual machine images for different target environments.

    Previous releases provided a variety of different types of device sensors, including Network, Security, and Modular. Starting with 4.3.7, the only type of device sensor is Modular. You can use the Modular Sensor Profile to enable whatever sensor features you like, creating the same functionality provided by the different sensor types in previous releases. For your convenience, both Modular sensors and the legacy Network and Security sensors are described below.

Linux Server Sensor

A Linux Server Sensor is a managed background daemon that works as a network sensor (without log forwarding) and that additionally monitors:

  • Process info
  • Command execution
  • Files
  • File events

The server sensor converts that information to metadata and forwards it to the data processor (DP) as Interflow. The DP can then correlate traffic, processes, users, and commands for security, DDoS, and breach attempt detections.

The server sensor launches the following processes:

  • aella_audit—collects audit logs and provides file integrity monitoring
  • aella_conf—handles the configuration
  • aella_ctrl—monitors other services, and can stop or start them based on the configuration
  • aella_flow—collects metadata from network traffic
  • aella_mon—collects system resource usage, including CPU, RAM, and disk
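A practical check that follows from the process list above: confirm that every documented sensor daemon is actually present on a host, since a sensor whose aella_flow or aella_audit process has stopped silently loses visibility. The script below is an added example, not Stellar Cyber's own tooling; the expected process names come from the list above, while the function names, the `--live` option, and the sample process list are this example's own constructions.

```shell
#!/bin/sh
# Added example (not Stellar Cyber's own tooling): report which of the
# documented Linux Server Sensor daemons are missing from a process list.
# Only the process names are taken from the documentation; the function
# names and the sample input below are constructed for this example.

EXPECTED_SENSOR_PROCS="aella_audit aella_conf aella_ctrl aella_flow aella_mon"

# missing_sensor_procs PROCLIST
#   PROCLIST is a newline-separated list of process command names, such as
#   the output of `ps -eo comm=` (all documented names are short enough not
#   to be truncated by the 15-character comm limit on Linux).
#   Prints each expected daemon that does not appear, one per line;
#   prints nothing when all are present.
missing_sensor_procs() {
    proclist="$1"
    for p in $EXPECTED_SENSOR_PROCS; do
        # Whole-line match, so "aella_conf" does not satisfy "aella_ctrl".
        if ! printf '%s\n' "$proclist" | grep -qx "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# sensor_status PROCLIST
#   Exit status 0 when every expected daemon is present, 1 otherwise,
#   which makes it usable directly from a monitoring cron job.
sensor_status() {
    [ -z "$(missing_sensor_procs "$1")" ]
}

# Constructed sample input (not captured from a real sensor): a host where
# aella_flow and aella_mon have stopped but the other daemons still run.
SAMPLE_PROCLIST="systemd
sshd
aella_audit
aella_conf
aella_ctrl
cron"

# Run against the live process table with `--live`; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    missing=$(missing_sensor_procs "$(ps -eo comm=)")
else
    missing=$(missing_sensor_procs "$SAMPLE_PROCLIST")
fi

if [ -n "$missing" ]; then
    echo "Missing sensor processes:"
    echo "$missing"
else
    echo "All expected sensor processes are running."
fi
```

Run it with `--live` on a host where the Linux Server Sensor is installed; without the option it evaluates the constructed sample and reports aella_flow and aella_mon as missing. Because aella_ctrl is itself the process that restarts the others, its absence is the most urgent finding the script can produce.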

Windows Server Sensor

The Windows Server Sensor (agent) runs as a Windows service in a compatible Windows Server system. The Server Sensor observes events within the Windows Server system and sends Interflow data records to the data processor.

The captured events are:

  • Hardware
  • Security
  • System
  • Windows Firewall
  • Windows Defender
  • PowerShell

The Windows Server Sensor launches the following processes (each entry gives the name shown in Task Manager, the name shown in the Services app, and a description):

  • aella_conf_win_srv.exe (Windows Agent Sensor Conf) – handles Windows Server Sensor configuration
  • aella_ctrl_win_srv.exe (Windows Agent Sensor Ctrl) – monitors other services, and can stop or start them based on the configuration
  • aella_diagnostics_win_srv.exe (Windows Agent Sensor Phonehome) – sends Windows Server Sensor logs to the DP
  • aella_winlog.exe (Windows Agent Sensor Logbeat) – sends Windows events to the DP
  • aella_filebeat.exe (Windows Agent Sensor Filebeat) – sends log files from the Windows DHCP server (if installed and running) to the DP

Modular Sensor

A modular sensor lets you easily add the features you like to your sensor. This helps simplify your deployment and lets you manage the VM requirements for the sensors based on the modular features they use.

When you enable either the IDS or Malware Sandbox feature for a Modular Sensor, it counts against your licensed total of Security Sensors.

Modular sensors always include log ingestion. From there, you can add network traffic analysis, IDS, Sandbox, and Tenable integration as needed. Modular sensors are available as virtual images for common cloud environments.

Keep in mind that VM resource requirements increase as you add more features to the Modular Sensor Profile. Refer to Modular Sensor Specifications for details on the resources required to run different combinations of features in a Modular Sensor Profile, as well as how to use the show module and show module request CLI commands to compare provisioned resources against those required to run specific feature combinations. Stellar Cyber only enables a Modular Sensor Profile on a sensor if the host VM's resources can support it.