Capture Results Delivery

The EtherSensor Transfer service is responsible for the delivery of the EtherSensor Analyser work results to external consumer systems.

The delivery of the results of analysis of objects extracted from traffic is performed according to a delivery profile, of which there are the following types:

Universal
Deliver the content of application-level messages to external consumer systems: DLP systems, eDiscovery, Enterprise Archiving, Enterprise Search, etc. Supported transports include SMTP/SMTPS, FTP/FTPS, SFTP, IMAP, FILEDROP (local file system) and SMB/CIFS (network directory).

Proprietary
Deliver the content of application-level messages to external consumer systems over a vendor-specific protocol. The current version (5.1.0.13519) supports delivery profiles for proprietary protocols such as those of DeviceLock Enterprise Server and InfoWatch Traffic Monitor.

Group
Combine ordinary delivery profiles, each with a preassigned weight, to balance the load between the external consumer systems.

SYSLOG profiles
Used to transport results to consumer systems that receive event data via a SYSLOG server (usually SIEM systems). A SYSLOG line may be produced by a filter rule, or by processing an object extracted from traffic with a pre-prepared Lua script. This allows data to be prepared in real time in an arbitrary format specific to the particular consumer system, without so-called "connectors".

The delivery profile is assigned to a message using the message filter while the message data are analyzed. If the message analysis discovers that no delivery profile was assigned to the message, then it is delivered using the default profile. After successful delivery, the message is deleted from the message cache, and all available information about the message is destroyed.

The same object, or the results of processing it by several methods, may be delivered to multiple consumers through multiple delivery profiles.

For example:
Email content is delivered to the corporate DLP system and to the eDiscovery system simultaneously, and at the same time the metadata in CEF format are delivered to a SIEM system that works in an external SOC on the MSSP side.
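The following is an added example, not EtherSensor's own Lua script or code, of what the SIEM leg of such a setup produces: one CEF event for a reconstructed SMTP message, wrapped in an RFC 5424 syslog frame. The metadata values, the host name sensor01 and the event signature id 1001 are constructed for the example; the escaping rules (backslash and pipe in the CEF header, backslash and equals sign in extension values) are the part a practitioner most often gets wrong when hand-building such lines.

```python
import datetime

# Added example (not EtherSensor's own code): render a CEF event for a captured
# e-mail and frame it for syslog. Extension keys follow the CEF dictionary
# (suser, duser, src, dst, app, msg).

CEF_HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")


def escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe are escaped with a backslash."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: backslash and '=' are escaped; line breaks become the
    literal sequences \\r and \\n so the whole event stays on one syslog line."""
    return (value.replace("\\", "\\\\")
                 .replace("=", "\\=")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


def cef_line(event: dict) -> str:
    """Render CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(escape_header(str(event[k])) for k in CEF_HEADER_FIELDS)
    ext = " ".join(f"{k}={escape_extension(str(v))}" for k, v in event["extension"].items())
    return f"CEF:0|{header}|{ext}"


def syslog_frame(msg: str, hostname: str, app: str, ts: datetime.datetime,
                 facility: int = 1, severity: int = 5) -> str:
    """RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
    PRI = facility * 8 + severity; the defaults user (1) / notice (5) give <13>."""
    return f"<{facility * 8 + severity}>1 {ts.isoformat()} {hostname} {app} - - - {msg}"


def sample_email_event() -> dict:
    """Constructed metadata for one reconstructed SMTP message (not real capture
    data). The subject deliberately contains '|' and '=' to exercise escaping."""
    return {
        "vendor": "Microolap", "product": "EtherSensor", "version": "5.1.0.13519",
        "signature_id": "1001", "name": "Email message captured", "severity": 3,
        "extension": {
            "suser": "alice@example.test",
            "duser": "bob@example.test",
            "src": "10.0.0.5",
            "dst": "198.51.100.7",
            "app": "SMTP",
            "msg": "Q3 results | budget=final",
        },
    }


def sample_syslog_line() -> str:
    """The complete line a SIEM would receive for the constructed event."""
    ts = datetime.datetime(2024, 1, 15, 12, 0, 0, tzinfo=datetime.timezone.utc)
    return syslog_frame(cef_line(sample_email_event()), "sensor01", "ethersensor_transfer", ts)


if __name__ == "__main__":
    print(sample_syslog_line())
```

Note that a pipe inside an extension value (the subject above) is left alone, while the same character in a header field must be escaped; a SIEM parser that splits the header on unescaped pipes will otherwise shift every following field.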

The main format used by Microolap EtherSensor to deliver the content of the reconstructed objects to the consumer systems is the EML envelope. The EtherSensor Transfer service can also deliver data in its internal XML and/or JSON formats if the EML envelope is not a required component of the delivery protocol (for example, when copying data to directories or using FTP).

The system architecture when insecure data delivery protocols are used:

Fig. 20. EtherSensor Transfer service operation diagram.

The system architecture when secure data delivery protocols are used:

Fig. 21. How the EtherSensor Transfer service works with secure protocols.

To deliver the capture data, the EtherSensor Transfer service monitors local directory spools and delivers the data as soon as they appear in a spool. To do this, the EtherSensor Transfer service uses delivery profiles that specify actions to be performed with the data being delivered. A delivery profile may be assigned by the EtherSensor Analyser service during data analysis. Then the delivery profile information is specified in the capture results metadata. If there is no profile specified in the capture results metadata, then the default profile is used:

Fig. 22. The process of assigning a result delivery profile.
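The following is an added illustration of the spool-driven delivery loop just described, written for this page and not EtherSensor's own code. It assumes a spool layout of one "<id>.eml" file beside an "<id>.json" metadata file whose optional "delivery_profile" key is what the analyser assigned; the profile names, the FILEDROP-style target directories and the weighted group are all constructed. It shows the three rules from the text: an assigned profile is honoured, a missing one falls back to the default, and the spool entry is removed only after a successful delivery. The group profile goes slightly beyond the text by implementing weighted selection as a smooth weighted round-robin.

```python
import json
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added illustration, not EtherSensor's code. Assumed spool layout: "<id>.eml"
# next to "<id>.json" metadata written by the analyser, which may carry a
# "delivery_profile" key. Profile names and directories are made up.


@dataclass
class Profile:
    name: str
    kind: str                                   # "filedrop" or "group"
    target_dir: str = ""                        # filedrop: directory to copy into
    members: List[Tuple[str, int]] = field(default_factory=list)  # group: (profile, weight)
    credits: Dict[str, int] = field(default_factory=dict)         # group: round-robin state

    def pick_member(self) -> str:
        """Smooth weighted round-robin: add each member's weight to its credit,
        choose the highest credit, then charge the winner the total weight. Each
        member is selected in proportion to its weight without long bursts."""
        total = sum(w for _, w in self.members)
        for name, weight in self.members:
            self.credits[name] = self.credits.get(name, 0) + weight
        winner = max(self.members, key=lambda m: self.credits[m[0]])[0]
        self.credits[winner] -= total
        return winner


class Transfer:
    def __init__(self, spool_dir: str, profiles: Dict[str, Profile], default: str):
        self.spool_dir, self.profiles, self.default = spool_dir, profiles, default

    def resolve(self, meta: dict) -> Profile:
        """Use the profile the analyser assigned; fall back to the default when the
        metadata names none (or, an assumption here, names one that is not
        configured). Group profiles are unwrapped to a concrete member."""
        profile = self.profiles.get(meta.get("delivery_profile") or "") or self.profiles[self.default]
        while profile.kind == "group":
            profile = self.profiles[profile.pick_member()]
        return profile

    def deliver_one(self, eml_path: str) -> str:
        meta_path = eml_path[:-4] + ".json"
        with open(meta_path, encoding="utf-8") as f:
            meta = json.load(f)
        profile = self.resolve(meta)
        os.makedirs(profile.target_dir, exist_ok=True)
        shutil.copy2(eml_path, os.path.join(profile.target_dir, os.path.basename(eml_path)))
        # Only after the copy succeeded is the spool entry removed; a failed
        # delivery raises above and leaves both files for the next pass.
        os.remove(eml_path)
        os.remove(meta_path)
        return profile.name

    def run_once(self) -> Dict[str, str]:
        """One pass over the spool; returns {entry: profile that received it}."""
        results = {}
        for name in sorted(os.listdir(self.spool_dir)):
            if name.endswith(".eml"):
                results[name] = self.deliver_one(os.path.join(self.spool_dir, name))
        return results


def demo() -> Tuple[Dict[str, str], int]:
    """Build a constructed spool in a temp directory, run one pass, and return the
    routing decisions plus how many files remain in the spool (expected: 0)."""
    root = tempfile.mkdtemp(prefix="es_transfer_demo_")
    spool = os.path.join(root, "spool")
    os.makedirs(spool)

    def out(name: str) -> str:
        return os.path.join(root, "out", name)

    profiles = {
        "dlp-a": Profile("dlp-a", "filedrop", out("dlp-a")),
        "dlp-b": Profile("dlp-b", "filedrop", out("dlp-b")),
        "archive": Profile("archive", "filedrop", out("archive")),
        # Group of two DLP nodes: dlp-a takes three of every four messages.
        "dlp-group": Profile("dlp-group", "group", members=[("dlp-a", 3), ("dlp-b", 1)]),
    }
    # msg1..msg4 were given the group profile by the analyser's filter; msg5 has
    # no profile in its metadata and must go to the default ("archive").
    entries = {f"msg{i}": {"delivery_profile": "dlp-group"} for i in range(1, 5)}
    entries["msg5"] = {}
    for mid, meta in entries.items():
        with open(os.path.join(spool, mid + ".eml"), "w", encoding="utf-8") as f:
            f.write("From: alice@example.test\r\nSubject: constructed sample\r\n\r\nbody\r\n")
        with open(os.path.join(spool, mid + ".json"), "w", encoding="utf-8") as f:
            json.dump(meta, f)
    try:
        results = Transfer(spool, profiles, default="archive").run_once()
        return results, len(os.listdir(spool))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running demo() routes msg1, msg2 and msg4 to dlp-a, msg3 to dlp-b and msg5 to archive, and leaves the spool empty, which is the observable property to check on a real sensor: a spool that keeps growing means deliveries are failing, not that capture has stopped.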

Command Line Parameters

The EtherSensor Transfer service, during Microolap EtherSensor installation, is installed as a Windows service set to start automatically. However, you can also start it as ethersensor_transfer.exe, a Windows application with the following command line parameters:

/process

Starts the ethersensor_transfer.exe process as a regular Win32 process (may be helpful for debugging).

/service

Starts as a Windows service.

/config

Saves the service default configuration.