
How does LinkShadow assist in Centralized Alerting?

LinkShadow intelligent NDR continuously analyzes network traffic, extracts metadata from it and ingests that metadata into its advanced AI-based analytics engine. The network capture is obtained through a SPAN session or port mirror on the customer's core switches, which carry all of the network's traffic.
Together with the network capture, LinkShadow also integrates with external third-party security systems such as EDR, vulnerability managers and SIEM to obtain their detections.
The AI-powered platform then analyzes every piece of this collective information. Multiple checks are applied to the received traffic; examples include traffic to known-bad destinations, abnormal protocol behaviour, and unusual connection types reported by the internal machine-learning engine.
Whenever LinkShadow detects abnormal, suspicious or malicious traffic, it records the incident as an anomaly and raises an anomaly alert in the console. LinkShadow also generates anomaly alerts when one of the integrated third-party systems reports a detection; these detections are obtained through API-based integration.
The scenarios described above apply to both stand-alone and distributed deployments.
In a distributed deployment, LinkShadow collector appliances are deployed at the remote sites. Each remote collector communicates with a master analytics appliance over an encrypted channel. The collector's role is to receive the mirrored or SPAN traffic from the network core at its branch, refine that traffic, and forward the result to the analytics appliance.
In this type of deployment, all anomaly alerts from each remote site, as well as from the main site, are populated in the master analytics appliance.
The above picture shows the list of anomaly alerts detected in a central appliance. These alerts can be generated by the AI/ML analytics inside the platform itself. Others can be API-based, vendor-specific alerts such as Kaspersky detections, Azure high-severity alerts, etc.
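As an added illustration of the centralized view described above (example code written for this page, not LinkShadow's own software or API), the following normalises alerts from the platform's internal analytics and from a vendor API feed at two sites into one consolidated list. The record schema, the severity-scale mapping and the sample records are all assumptions.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class CentralAlert:
    """One row in the master appliance's consolidated alert list (hypothetical schema)."""
    site: str
    source: str      # "linkshadow-ml" or the name of the integrated vendor
    severity: str    # normalised to low / medium / high / critical
    host: str
    summary: str


def from_internal(site, anomaly):
    """Anomaly raised by the platform's own analytics on SPAN traffic from one site."""
    return CentralAlert(site, "linkshadow-ml", anomaly["severity"].lower(),
                        anomaly["src_ip"], anomaly["category"])


def from_vendor_api(site, vendor, detection):
    """Detection pulled over an API integration; vendors use their own severity scales."""
    sev = str(detection.get("severity", "")).lower()
    if sev.isdigit():                        # assumed numeric 1-10 style vendor scale
        sev = "high" if int(sev) >= 7 else "medium" if int(sev) >= 4 else "low"
    if sev not in SEVERITY_RANK:
        sev = "medium"                        # unknown scale: never silently drop the alert
    return CentralAlert(site, vendor, sev, detection.get("host", "unknown"),
                        detection.get("name", "vendor detection"))


def consolidate(alerts):
    """Master-appliance view: drop duplicate rows (e.g. repeated API polls), highest severity first."""
    return sorted(set(alerts), key=lambda a: (-SEVERITY_RANK[a.severity], a.site, a.host))


# Constructed sample input covering two sites and one vendor feed (not real data).
SAMPLE = [
    from_internal("HQ", {"severity": "High", "src_ip": "10.1.0.25",
                         "category": "traffic to known-bad destination"}),
    from_internal("Branch-A", {"severity": "low", "src_ip": "10.2.0.7",
                               "category": "abnormal protocol behaviour"}),
    from_vendor_api("HQ", "Kaspersky", {"severity": "9", "host": "ws-014",
                                        "name": "malware detected"}),
    from_vendor_api("HQ", "Kaspersky", {"severity": "9", "host": "ws-014",
                                        "name": "malware detected"}),   # duplicate poll
]

if __name__ == "__main__":
    for a in consolidate(SAMPLE):
        print(f"{a.severity:8} {a.site:9} {a.source:13} {a.host:12} {a.summary}")
```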