
Service Description

The elements used within the project, including their technical aspects, are described below.

Technological solutions adopted

Würth IT Italy will configure and make use of the following technological solutions:

NetEye SIEM

NetEye has for years been recognized as a stable and highly flexible platform in the IT Monitoring market. NetEye SIEM is the natural evolution of the platform toward the Security Information and Event Management segment and integrates the ELK stack in the Enterprise version.

The Elastic Stack (aka ELK) is a robust solution for search, log management, and data analysis. Elasticsearch, Logstash, Kibana and Elastic Agent are the macro components of the solution that combine to provide a single platform for data storage, data retrieval, data sorting, and data analysis.

Würth IT Italy, through its partnership and close working relationship with the Elastic development team, is able to offer the solution fully integrated within NetEye.

SATAYO

SATAYO is an OSINT & Cyber Threat Intelligence platform developed by Würth IT Italy. Its capabilities make it a key tool for all organizations that need to monitor their exposure within public domain sources, found in the Surface, Deep & Dark Web.

The platform exposes an API (Application Programming Interface) that allows the collected evidence to be integrated with NetEye SIEM. For the monitored organization, SATAYO continuously calculates the Exposure Assessment Index Value, a value ranging from 0 to 100 that indicates how exposed that particular organization is.

For more information on SATAYO, follow the link.

SOC Prime

SOC Prime is the leading Threat Detection Marketplace, which makes detection rules developed by the best Threat Hunters internationally available through an exclusive subscription.

Würth IT Italy, as a SOC Prime partner, has developed an integration that keeps NetEye SIEM supplied at all times with constantly updated detection rules, so that threats can be identified as they are discovered and analyzed over time.

Greenbone Security Manager

GSM is a Continuous Vulnerability Assessment platform. The Greenbone Security Feed includes more than 100,000 vulnerability tests to date and provides detection of and protection from vulnerabilities such as SUPERNOVA, BlueKeep and PrintNightmare.

The API-equipped platform is integrated within NetEye SIEM.

OpenCTI

OpenCTI (Open Cyber Threat Intelligence) is a platform designed for knowledge processing and sharing for Cyber Threat Intelligence purposes.

It was developed by the French national cyber security agency (ANSSI) together with CERT-EU (Computer Emergency Response Team of the European Union).

It was initially designed to develop and facilitate ANSSI’s interactions with its partners. Today the platform has been fully released in open source and made available to the entire Cyber Threat Intelligence community to enable actors to structure, store, organize, visualize and share their knowledge.

The platform comes with a connector that enables interaction with NetEye SIEM.

Monitoring Perimeter

The Monitoring perimeter is based on the list of host objects and services to be monitored.

It is provided by the customer during onboarding and, for existing contracts, can be adjusted later in the course of the monitoring activity.

The NetEye SIEM platform will receive as input the data/logs/flows collected from the NetEye satellites installed in the customer’s network and from the SATAYO platform in the cloud of Würth IT Italy.

Architecture

The NetEye SIEM solution is configured as follows:

  • NetEye Master: the main component of the architecture, provided by Würth IT Italy. It receives and processes logs from the various satellites installed in the client network and transmits real-time data to the ELK console. The master machine is located within the Würth IT Italy cloud, ensuring the security and confidentiality of customer data.

  • NetEye Satellite: receives and processes logs from the nodes connected to it, applying predefined correlation rules in order to detect possible cybersecurity threats. The satellite is installed in the client network as a VM (Virtual Machine).

All nodes in the client network send their logs to the NetEye Satellite installed at the client site, and the NetEye Satellite subsequently sends them to the NetEye Master through IPSec VPN connections.

All logical components of the infrastructure are based on the use of encrypted protocols.

See Master-Satellite Architecture for more details.

Data inalterability - El Proxy module

To ensure the inalterability of authentication events, NetEye uses the El Proxy module. El Proxy uses a series of signature keys to sign incoming logs and then sends them to Elasticsearch.

Each log is signed with a different Signature Key (seeded by the previous Signature Key), and the signature includes the hash of the previous log. Logs that for whatever reason cannot be indexed in Elasticsearch are written to a Dead Letter Queue.

You can find more information on how El Proxy works in a dedicated NetEye Guide section.

Health Checks

To ensure that the blockchain is robust and that no errors have occurred during log collection, NetEye defines several Health Checks that alert users to any irregularities.
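As an added illustration of the two mechanisms described above (a per-log Signature Key seeded by the previous one, a signature that embeds the hash of the previous log, and a health check that walks the chain), here is a small Python model. It is not El Proxy's code and does not reproduce its record format, key derivation, signature algorithm or storage; the SHA-256 key derivation, the HMAC signature, the JSON record layout and the sample authentication events are all constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

# Constructed illustration, not El Proxy's implementation: key derivation,
# record layout, signature algorithm and sample events are all assumptions.

GENESIS_HASH = "0" * 64                     # "previous hash" of the first log
INITIAL_KEY = b"constructed-initial-key"    # assumed secret, kept outside the index

# Constructed authentication events (placeholder data).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "result": "success"},
    {"user": "bob", "action": "login", "result": "failure"},
    {"user": "alice", "action": "sudo", "result": "success"},
]


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def derive_next_key(prev_key: bytes) -> bytes:
    """Next Signature Key seeded by the previous one (assumed: SHA-256 of it)."""
    return hashlib.sha256(prev_key).digest()


def record_hash(record: dict) -> str:
    """Hash of a complete signed record; it becomes the next record's prev_hash."""
    return hashlib.sha256(canonical(record)).hexdigest()


class ChainSigner:
    """Signs each log with a fresh key and embeds the hash of the previous log."""

    def __init__(self, initial_key: bytes = INITIAL_KEY):
        self.key = initial_key
        self.prev_hash = GENESIS_HASH
        self.index = 0

    def sign(self, event: dict) -> dict:
        record = {"index": self.index, "prev_hash": self.prev_hash, "event": event}
        record["signature"] = hmac.new(self.key, canonical(record), hashlib.sha256).hexdigest()
        # Advance the chain state: next key, and the hash the next record must reference.
        self.prev_hash = record_hash(record)
        self.key = derive_next_key(self.key)
        self.index += 1
        return record


def build_chain(events, initial_key: bytes = INITIAL_KEY) -> list:
    signer = ChainSigner(initial_key)
    return [signer.sign(e) for e in events]


def verify_chain(records: list, initial_key: bytes = INITIAL_KEY):
    """Health check: re-derive every key and link, return (ok, first_bad_index).

    Detects modified content (signature mismatch), removed or reordered
    records (index or prev_hash mismatch) and records signed with a wrong key.
    """
    key, prev_hash = initial_key, GENESIS_HASH
    for i, rec in enumerate(records):
        if rec.get("index") != i or rec.get("prev_hash") != prev_hash:
            return False, i
        unsigned = {k: v for k, v in rec.items() if k != "signature"}
        expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("signature", "")):
            return False, i
        prev_hash = record_hash(rec)
        key = derive_next_key(key)
    return True, None


def tamper_demo():
    """Verification results for an intact chain, an edited log and a deleted log."""
    chain = build_chain(SAMPLE_EVENTS)
    edited = copy.deepcopy(chain)
    edited[1]["event"]["result"] = "success"   # a failed login rewritten as a success
    deleted = chain[:1] + chain[2:]            # the second record removed entirely
    return verify_chain(chain), verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    for label, result in zip(("intact", "edited", "deleted"), tamper_demo()):
        print(f"{label:8s} ok={result[0]} first_bad_index={result[1]}")
```

The verifier only needs the initial key and the records: every later key is re-derived, so a record whose content, position or key is wrong fails at the first broken link, which is the kind of irregularity a Health Check would report.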

Segregation of Duties - customer spaces

In Elastic, access control is implemented through RBAC (Role-Based Access Control): customized authorizations are granted to roles, and roles are assigned to users.

To guarantee the correct segregation of client data, so that each client can only view the objects (events, detection rules, dashboards, reports) within its competence, strict subdivisions are applied at the level of Elastic spaces: a specific role is created for each individual client, which inherits the permissions on the corresponding space.

The creation of the client space and the definition of the appropriate roles and permissions are carried out through carefully checked batch phases that are periodically audited. Each client is assigned a unique id.
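As an added example (not NetEye's or Elastic's own provisioning code), the following Python builds a per-client Kibana role in the shape accepted by Kibana's role API body (`PUT /api/security/role/<name>`), scoped to that client's space and index pattern, and audits role definitions for grants that would cross tenant boundaries, the kind of check a periodic audit of the batch provisioning would run. The client id format, the `client-<id>` space naming, the `logs-<id>-*` index pattern and the sample roles are assumptions.

```python
import re

# Constructed example: space and index naming, client id format and the
# sample roles are assumptions, not NetEye's provisioning conventions.

CLIENT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,40}$")
# Elasticsearch index privileges that would let a tenant change or remove data.
MUTATING_INDEX_PRIVS = {"all", "manage", "write", "create", "index",
                        "delete", "delete_index", "create_index"}


def space_for(client_id: str) -> str:
    return f"client-{client_id}"


def build_client_role(client_id: str) -> dict:
    """Body for PUT /api/security/role/client-<id>: read-only, one space, one index pattern."""
    if not CLIENT_ID_RE.match(client_id):
        raise ValueError(f"invalid client id: {client_id!r}")
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [{
                "names": [f"logs-{client_id}-*"],
                "privileges": ["read", "view_index_metadata"],
            }],
        },
        # base ["read"] inherits read access to every feature of that space only
        "kibana": [{"base": ["read"], "spaces": [space_for(client_id)]}],
    }


def audit_role(role: dict, client_id: str) -> list:
    """Return findings for any grant that reaches beyond the client's own space or data."""
    findings = []
    own_space = space_for(client_id)
    own_prefix = f"logs-{client_id}-"
    es = role.get("elasticsearch", {})
    for priv in es.get("cluster", []):
        findings.append(f"cluster privilege on tenant role: {priv}")
    for grant in es.get("indices", []):
        for name in grant.get("names", []):
            if not name.startswith(own_prefix):
                findings.append(f"index pattern outside tenant data: {name}")
        for priv in grant.get("privileges", []):
            if priv in MUTATING_INDEX_PRIVS:
                findings.append(f"mutating index privilege: {priv}")
    for grant in role.get("kibana", []):
        for space in grant.get("spaces", []):
            if space != own_space:              # "*" (all spaces) also lands here
                findings.append(f"Kibana access outside {own_space}: {space}")
        if "all" in grant.get("base", []):
            findings.append("Kibana base privilege 'all' on tenant role")
    return findings


def audit_roles(roles: dict) -> dict:
    """Audit a dump of roles keyed by role name (constructed layout); report only offenders."""
    report = {}
    for name, role in roles.items():
        if not name.startswith("client-"):
            continue                            # non-tenant roles are out of scope here
        findings = audit_role(role, name[len("client-"):])
        if findings:
            report[name] = findings
    return report


# Constructed roles: one provisioned correctly, one that escaped the batch checks.
SAMPLE_ROLES = {
    "client-acme": build_client_role("acme"),
    "client-globex": {
        "elasticsearch": {
            "cluster": ["monitor"],
            "indices": [{"names": ["logs-*"], "privileges": ["read", "write"]}],
        },
        "kibana": [{"base": ["all"], "spaces": ["*"]}],
    },
}


if __name__ == "__main__":
    for name, findings in audit_roles(SAMPLE_ROLES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The audit deliberately treats anything not provably inside the tenant's own space and index prefix as a finding, so a wildcard space, a broader index pattern or a cluster-level privilege on a `client-` role is surfaced even when each grant looks reasonable on its own.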

[Image: rbac-access-control.png]

Fig. 224 RBAC access control.