Installing Coralogix STA

The Coralogix Security Traffic Analyzer (STA) is a tool by Coralogix for deep packet inspection, packet capturing, cloud configuration vulnerability scanning, and more.

This tutorial demonstrates how to install the Coralogix STA.

The STA can be installed using one of the following methods:

  1. CloudFormation template for AWS

  2. Terraform template (available for AWS, Azure, and GCP)

  3. OVA image

In addition, STA can be installed in a limited internet access environment.

Prerequisites

Before you install the STA, please make sure the following requirements are met:

AWS

  1. The configuration is saved in an AWS S3 bucket. It is recommended to use a dedicated bucket; if you do not define one, the STA will create a bucket for you.

    • Have an empty S3 bucket ready for holding the configuration.
  2. You have permissions to deploy EC2 instances, spot fleets, load balancers, and security groups in the AWS account in which you plan to deploy the STA.

  3. Instances whose traffic you plan to mirror using the VPC traffic mirroring feature must belong to one of the following types:

    • C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1, X1e, A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d.
  4. If you plan to monitor instances using our Virtual Tap, make sure you can run privileged containers in that environment (for example, this is not possible in AWS Fargate). To read more about the Virtual Tap, see this doc.
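
The two AWS prerequisites above that can be checked mechanically, the empty configuration bucket and the instance types eligible for VPC traffic mirroring, are verified by the following script. It is an added example and not Coralogix code; the instance-family list is taken from the tutorial, `boto3` is imported only inside the live check so the pure functions run without AWS access, and the sample API responses are constructed.

```python
"""Pre-flight checks for a Coralogix STA deployment on AWS (added example, not
Coralogix code). Verifies two prerequisites from the tutorial: the configuration
bucket must be empty, and instances whose traffic will be mirrored with VPC
traffic mirroring must be of a supported type."""
from __future__ import annotations

# Instance families the tutorial lists as supported for VPC traffic mirroring,
# plus the one size-specific entry (p3dn.24xlarge). Compared case-insensitively.
MIRROR_FAMILIES = {
    "c4", "d2", "g3", "g3s", "h1", "i3", "m4", "p2", "p3", "r4", "x1", "x1e",
    "a1", "c5", "c5d", "c5n", "i3en", "m5", "m5a", "m5ad", "m5d",
    "r5", "r5a", "r5ad", "r5d", "t3", "t3a", "z1d",
}
MIRROR_EXACT_TYPES = {"p3dn.24xlarge"}


def supports_traffic_mirroring(instance_type: str) -> bool:
    """Return True if an EC2 instance type such as "m5.large" is in the list
    the tutorial gives for VPC traffic mirroring sources."""
    itype = instance_type.strip().lower()
    if itype in MIRROR_EXACT_TYPES:
        return True
    family, sep, _size = itype.partition(".")
    return bool(sep) and family in MIRROR_FAMILIES


def classify_instances(reservations: list[dict]) -> dict[str, list[str]]:
    """Split the instances in a describe_instances() response into those that
    can be mirrored and those that need the Virtual Tap instead."""
    result: dict[str, list[str]] = {"mirrorable": [], "needs_virtual_tap": []}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            key = "mirrorable" if supports_traffic_mirroring(inst["InstanceType"]) else "needs_virtual_tap"
            result[key].append(inst["InstanceId"])
    return result


def bucket_is_empty(list_objects_response: dict) -> bool:
    """Interpret a list_objects_v2(MaxKeys=1) response: KeyCount is 0 when the
    bucket holds no current objects."""
    return list_objects_response.get("KeyCount", 0) == 0


def run_live_checks(bucket: str, region: str) -> dict:
    """Query AWS with boto3 (imported here so the pure functions above work
    without it installed) and return both check results. Assumes AWS
    credentials are configured in the environment."""
    import boto3
    s3 = boto3.client("s3", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    return {
        "bucket_empty": bucket_is_empty(s3.list_objects_v2(Bucket=bucket, MaxKeys=1)),
        "instances": classify_instances(ec2.describe_instances()["Reservations"]),
    }


# Constructed sample data shaped like the AWS API responses, so the checks can
# be exercised offline.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "InstanceType": "m5.large"},
        {"InstanceId": "i-0bbb", "InstanceType": "t2.micro"},
        {"InstanceId": "i-0ccc", "InstanceType": "p3dn.24xlarge"},
    ]},
]
SAMPLE_EMPTY_BUCKET = {"KeyCount": 0, "IsTruncated": False}
SAMPLE_USED_BUCKET = {"KeyCount": 1, "Contents": [{"Key": "old-config.yaml"}]}

if __name__ == "__main__":
    print(classify_instances(SAMPLE_RESERVATIONS))
    print("empty bucket:", bucket_is_empty(SAMPLE_EMPTY_BUCKET))
    print("used bucket empty:", bucket_is_empty(SAMPLE_USED_BUCKET))
```

Instances reported under `needs_virtual_tap` cannot be sources for VPC traffic mirroring and must be covered by the Virtual Tap described in item 4. A non-empty result for the bucket check means you should either empty the bucket or leave the bucket field blank so the STA creates its own.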

Azure

  1. The configuration is saved using the Azure Storage Accounts service. It is recommended to use a dedicated container, so that the configuration is saved outside of the STA and can be modified or restored later.

  2. Have an empty container ready for holding the configuration.

  3. You have permission to deploy VM instances and create resources in the Azure account in which you plan to deploy the STA.

  4. Mirroring instance traffic can be performed only by using our Virtual Tap.

GCP

  1. By default, the STA creates new cloud storage dedicated to the configuration, but you can define your own. If you prefer that, make sure to provide an empty storage container.

  2. Instance traffic can be mirrored using our Virtual Tap or automated VPC mirroring service, which creates packet mirroring policies for tagged instances.

Deployment

CloudFormation Template

  1. Connect to your AWS account and, in another tab, log in to your Coralogix account

  2. From the Coralogix UI, go to the Settings page and then to the Cloud Security tab

  3. Click "Deploy Security Service"

  4. From the top drop-down list named "Deployment method", choose the option "CloudFormation" (it should already be selected)

  5. Fill in the various fields on the form and click "Launch AWS CloudFormation":

    1. Set the CloudFormation's stack name (The default is "CoralogixSecurity")

    2. Optionally, fill in the name of an S3 bucket that will be used for storing the STA's configuration

    3. Optionally, configure the STA to use an encrypted disk

    4. Select the SSH key pair that will be used to connect to the STA

    5. Select the security group that will be assigned to the management network interface

    6. Optionally, fill in the name of an S3 bucket that will be used for storing the packets captured by the STA as compressed PCAP files

    7. If you chose to run the STA as a spot instance, you can set the maximum spot price here

    8. Select the subnet you'd like to run the STA in. Make sure that the security group you chose for the management interface belongs to this subnet. Otherwise, the installation will fail

    9. Select the VPC you'd like to run the STA in. Make sure that the subnet you selected belongs to this VPC

    10. Tick the box below that says "I acknowledge that AWS CloudFormation might create IAM resources." and click "Create stack"

Terraform Template

AWS - Prerequisites

  1. Connect to your AWS account and, in another tab, log in to your Coralogix account

  2. From the Coralogix UI, go to the Settings page and then to the Cloud Security tab

  3. Click "Deploy Security Service"

  4. From the top drop-down list named "Deployment method", choose the option "Terraform Template"

  5. Click "Launch tutorial"

Deployment Steps

  1. Create an empty folder somewhere on your computer

  2. Download the Terraform module files

    • AWS - download content here

    • Azure - download content here

    • GCP - download archived content here

    • For older versions, follow this link and download the desired version

  3. Create a file named values.auto.tfvars

    • Fill in the required variables in the values file

    • For an explanation of the variable types and expected content, see the comments in the downloaded files

  4. Run the command terraform init from the same folder

  5. Run the command terraform plan and examine the changes that are going to be applied to your environment

  6. Run the command terraform apply from the same folder and approve the changes

OVA File

  1. Download the OVA file from one of the following links, based on the environment you would like to run it in:

    1. VirtualBox: https://coralogix-integrations.s3-eu-west-1.amazonaws.com/cloud-security/sta-ng.virtualbox.ova

    2. VMware ESXi: https://coralogix-integrations.s3-eu-west-1.amazonaws.com/cloud-security/sta-ng.vmware.ova

  2. Once the file is downloaded, import the VM into the relevant environment and start it

  3. After the VM has finished loading, log in to the VM with the user 'ubuntu' and the password 'Coralogix-STA!'

  4. Once you are logged in, a series of questions is presented automatically. Please answer all of them with the relevant information

  5. Run the command passwd and change the default password of the ubuntu user

STA Deployment In Limited Internet Access Environments

The STA requires access to S3 for its configuration files. In some environments, outbound Internet access must be limited to specific IPs, which means public S3 is not reachable. To allow connectivity over Amazon's private network, set up a dedicated VPC gateway endpoint that connects your VPC directly to Amazon S3.

  • Make sure your VPC's route table contains Coralogix's endpoints.

  • In addition, in such environments the following enrichment services will not work: dns-rbls, unshorten-url, and nist-cpe. Updates to the Suricata service will also fail.
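
A gateway endpoint only takes effect for subnets whose route table carries a route to the S3 prefix list through that endpoint, and a freshly created endpoint ships with an allow-all policy. The following script checks both conditions for a VPC before the STA is deployed there. It is an added example and not Coralogix code; `boto3` is used only in the live query so the checks themselves run offline, and the endpoint, route table and prefix list identifiers in the sample data are constructed.

```python
"""Verify that a VPC reaches S3 through a gateway endpoint rather than the public
Internet, as required for STA deployments with restricted outbound access.
Added example, not Coralogix code; sample API responses are constructed."""
from __future__ import annotations
import json


def s3_gateway_endpoints(endpoints: list[dict], region: str) -> list[dict]:
    """Return the available S3 gateway endpoints from describe_vpc_endpoints()."""
    service = f"com.amazonaws.{region}.s3"
    return [
        ep for ep in endpoints
        if ep.get("ServiceName") == service
        and ep.get("VpcEndpointType") == "Gateway"
        and ep.get("State") == "available"
    ]


def route_tables_without_endpoint(route_tables: list[dict], endpoint_id: str) -> list[str]:
    """Return the ids of route tables (from describe_route_tables()) that have no
    active route to an S3 prefix list via the given endpoint. Subnets using
    those tables will still try to reach S3 over the Internet."""
    missing = []
    for rt in route_tables:
        has_route = any(
            r.get("GatewayId") == endpoint_id
            and r.get("DestinationPrefixListId")
            and r.get("State", "active") == "active"
            for r in rt.get("Routes", [])
        )
        if not has_route:
            missing.append(rt["RouteTableId"])
    return missing


def policy_is_allow_all(policy_document: str) -> bool:
    """True when the endpoint policy still grants every action on every bucket,
    which is the AWS default; a scoped policy names the buckets the STA needs."""
    doc = json.loads(policy_document)
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if ("*" in actions or "s3:*" in actions) and "*" in resources:
            return True
    return False


def check_vpc(endpoints: list[dict], route_tables: list[dict], region: str) -> dict:
    """Combine the three checks into one report for a VPC."""
    gateways = s3_gateway_endpoints(endpoints, region)
    report: dict = {"has_s3_gateway": bool(gateways), "unrouted_route_tables": [], "allow_all_policy": []}
    for ep in gateways:
        report["unrouted_route_tables"] += route_tables_without_endpoint(route_tables, ep["VpcEndpointId"])
        if policy_is_allow_all(ep.get("PolicyDocument", "{}")):
            report["allow_all_policy"].append(ep["VpcEndpointId"])
    return report


def live_report(vpc_id: str, region: str) -> dict:
    """Fetch the endpoints and route tables of one VPC with boto3 (imported here
    so the pure functions work without it) and run the checks."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    flt = [{"Name": "vpc-id", "Values": [vpc_id]}]
    endpoints = ec2.describe_vpc_endpoints(Filters=flt)["VpcEndpoints"]
    route_tables = ec2.describe_route_tables(Filters=flt)["RouteTables"]
    return check_vpc(endpoints, route_tables, region)


# Constructed sample data: one S3 gateway endpoint with the default policy, one
# route table that routes to it and one that does not.
DEFAULT_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::sta-config-bucket-example/*"}]})
SAMPLE_ENDPOINTS = [{
    "VpcEndpointId": "vpce-0example", "ServiceName": "com.amazonaws.eu-west-1.s3",
    "VpcEndpointType": "Gateway", "State": "available", "PolicyDocument": DEFAULT_POLICY,
}]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0sta", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example", "State": "active"}]},
    {"RouteTableId": "rtb-0other", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]

if __name__ == "__main__":
    print(check_vpc(SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES, "eu-west-1"))
```

Run `live_report("vpc-…", "eu-west-1")` against the VPC you intend to deploy the STA into: the STA's subnet must not appear under `unrouted_route_tables`, and an endpoint listed under `allow_all_policy` is worth scoping to the configuration and PCAP buckets the STA actually uses.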

Next Steps

After installing the STA, you can move forward in one of the following ways (or all of them) to get the most out of your newly installed STA:

  1. Configure VPC traffic mirroring to allow the STA to analyze raw traffic. For this, use the following tutorials: How to automate VPC Mirroring for Coralogix STA, Guide: Smarter AWS Traffic Mirroring for Stronger Cloud Security

  2. Deploy Wazuh agents in selected instances to get insights into the processes running inside them. For this, use the following tutorial: How to connect a Wazuh agent to the STA

  3. Review the configured alerts and modify them to be more accurate for your organization. You can find out more in these tutorials: Security Traffic Analyzer (STA) Alerts, Alerts API

  4. Run the command sta-get-installation-id, copy the UUID that is displayed on the screen, and save it in a safe place. This key is required to log in to the STA with administrative privileges, which might be needed as part of a troubleshooting session.

  5. Once the installation ID is safely stored and properly backed up, run the command sta-acknowledge-installation-id and carefully follow the instructions on the screen to remove the installation ID from the STA

If you have any questions or need any additional help, please contact our support team via our 24/7 in-app chat!