
Notes on BladeRunner Collection

NON-AIRBYTE SOURCES

From this Slack chat:
1. Windows AD events --> Invicta Agent ( bladerunner ) --> Kafka : topic bladeruner-windowsevents ( Invicta AWS account ) --> vector ( dama ) --> pulsar stream --> humio search ( dama ) --> AWS S3 bladerunner-app-activedirectory ( invicta ) --> Exabeam Site Collector ( SaaS ) invicta
2. Akamai --> Invicta S3 ( bladerunner-application-akamai ) --> Invicta SQS ( bladerunner-application-akamai-sqs-queue ) --> vector ( dama ) --> humio search
3. CrowdStrike telemetry --> Invicta Lambda function ( falcon-data-forwarder-prod-SqsReceiver-STVOMWWX179P & falcon-data-forwarder-prod-bladerunner-SqsReceiver-mYNy5QmN03GK ) --> Invicta S3 ( bladerunner-device-fdr ) --> Invicta SQS ( bladerunner-device-fdr-sqs-queue ) --> vector ( dama ) --> pulsar stream --> Exabeam Site Collector ( SaaS )
4. Wazuh EDR --> wazuh agents ( bladerunner ) --> Wazuh Workers ( tools Managed Account ) --> vector ( dama ) --> pulsar stream ( dama ) --> humio search ( dama ) --> AWS S3 bladerunner-edr-snapshots/bladerunner-edr-logs ( toma )
5. Splunk Alerts --> logstash ( bladerunner ) --> kafka Invicta : Topic bladerunner-intel --> vector receive ( dama ) --> pulsar stream ( dama ) --> humio search ( dama ) --> AWS S3 Invicta ( bladerunner-onprem-application-logs/bladerunner-splunk-alerts ) store
6. CheckPoint VPN --> logstash ( bladerunner ) --> kafka Invicta : Topic bladerunner-vpn-logs --> vector receive ( dama ) --> pulsar stream ( dama ) --> humio search ( dama ) --> exabeam site collector ( SaaS ) invicta --> AWS S3 Invicta ( bladerunner-onprem-application-logs/bladerunner-vpn-logs ) store
7. BeyondTrust PAM --> logstash ( bladerunner ) --> kafka Invicta : Topic bladerunner-pam-logs --> vector receive ( dama ) --> pulsar stream ( dama ) --> humio search ( dama ) --> AWS S3 Invicta ( bladerunner-onprem-application-logs/bladerunner-pam-logs ) store
8. Office365 --> Syformation Cloud Connector API ( Invicta ) --> vector ( dama ) --> pulsar ( stream ) --> humio ( search ) --> AWS S3 Invicta ( bladerunner-app-office365 ) store --> exabeam site collector ( SaaS ) invicta
9. Azure --> Syformation Cloud Connector API ( Invicta ) --> vector ( dama ) --> pulsar ( stream ) --> humio ( search ) --> AWS S3 Invicta ( bladerunner-network-azure ) store --> exabeam site collector ( SaaS ) invicta
10. AWS --> Syformation Cloud Connector ( Invicta ) --> vector ( dama ) --> pulsar ( stream ) --> humio ( search ) --> AWS S3 Invicta ( bladerunner-network-aws ) store --> exabeam site collector ( SaaS ) invicta
11. Unix system/user/package/cron logs --> Invicta Agent ( bladerunner ) --> Kafka Topic : bladerunner-systemevents/bladerunner-useractivity/bladerunner-packageactivity/bladerunner-systemcron ( Invicta AWS account ) --> vector ( dama ) --> pulsar ( stream ) --> humio ( search ) --> AWS S3 Invicta ( bladerunner-onprem-application-logs/bladerunner-systemevents/bladerunner-useractivity/bladerunner-packageactivity/systemcron ) store --> exabeam site collector ( SaaS ) invicta
12. BDO-BOB, BDO-POB, BRS, BRS_REPLACEMENT, CIAM, CRS, OFTS, ONB-POB, ONB-BOB, T4s-HK, T4S-NB, T4S ( database & application logs ) --> Invicta Agent ( bladerunner ) --> Kafka Topic : bladerunner-application & bladerunner-database ( Invicta AWS account ) --> vector ( dama ) --> pulsar ( stream ) --> humio ( search ) --> AWS S3 Invicta ( bladerunner-onprem-application-logs/BDO-BOB,BDO-POB,BRS,BRS_REPLACEMENT,CIAM,CRS,OFTS,ONB-POB,ONB-BOB,T4s-HK,T4S-NB,T4S ) store
13. NDB/APIGEE Edge --> Google Pub/Sub ( bladerunner ) --> logstash ( invicta ) --> S3 Invicta ( bladerunner-application-data/apigee-edge,NDB ) store
14. ATP/cadencie/ICBS/ICBS subsidiaries/IST/SCU --> MFT ( Managed File Transfer ) Bladerunner --> SFTP Invicta --> S3 ( Invicta )
15. BDOPay --> SFTP ( Wibmo ) --> SFTP ( dama ) --> S3 ( dama )

AIRBYTE SOURCES

The full list of Airbyte data sources and their destinations (source <> destination) is:
airtable-aws_cis_benchmark <> snowflake-prod
azure <> s3-hm-bladerunner
azure <> snowflake-prod
BR-ASM <> snowflake-prod
cisa <> snowflake-prod
crowdstrike-cloud-detections-incidents <> kafka-vector
crowdstrike-cloud-discover <> snowflake-prod
crowdstrike-cloud-host & host_groups <> kafka-vector
crowdstrike-cloud-hosts <> snowflake-prod
crowdstrike-cloud-policies <> kafka-vector
crowdstrike-onprem-detections-incidents <> kafka-vector
crowdstrike-onprem-discover <> snowflake-prod
crowdstrike-onprem-host & host groups <> kafka-vector
crowdstrike-onprem-hosts <> snowflake-prod
crowdstrike-onprem-policies <> kafka-vector
custom-airtable-behavior-profile <> snowflake-prod
custom-airtable-bladerunner-base <> snowflake-nonprod
custom-airtable-bladerunner-base <> snowflake-prod
custom-airtable-bladerunner-inventory <> snowflake-prod
custom-airtable-control <> snowflake-prod
custom-airtable-globals <> snowflake-prod
custom-airtable-skybox <> snowflake-nonprod
custom-airtable-skybox <> snowflake-prod
custom-airtable-triage-and-threat-hunting-service <> snowflake-prod
custom-airtable-triage-hm-dictionary <> snowflake-prod
custom-airtable-wazuh <> snowflake-prod
custom-airtable-webapp-statics <> snowflake-nonprod
custom-airtable-webapp-statics <> snowflake-prod
cyberint <> s3-hm-bladerunner
disruptops-assessors <> kafka-vector
disruptops-check_exemptions <> snowflake-prod
disruptops-compliance <> snowflake-prod
disruptops-findings <> s3-hm-bladerunner
disruptops-findings <> snowflake-prod
disruptops-findings-historical <> snowflake-prod
disruptops-inventory <> s3-hm-bladerunner
disruptops-issues <> kafka-vector
disruptops-issues <> s3-hm-bladerunner
disruptops-issues <> snowflake-prod
disruptops-others <> s3-hm-bladerunner
dmarcian <> s3-hm-bladerunner
exabeam-account-lockouts <> kafka-vector [STOPPED]
exabeam-account-lockouts <> s3-hm-bladerunner [STOPPED]
exabeam-model-definitions <> s3-hm-bladerunner
exabeam-notable-entities <> kafka-vector [STOPPED]
exabeam-notable-entities <> s3-hm-bladerunner [STOPPED]
exabeam-rules <> kafka-vector
exabeam-rules <> s3-hm-bladerunner [STOPPED]
exploitdb <> snowflake-prod
fireeye-alerts <> s3-hm-bladerunner
fireeye-email-traces <> s3-hm-bladerunner
jira <> kafka-vector
jira <> s3-hm-bladerunner
jira-bladerunner-0.3.3 <> kafka-vector
mitre-attack <> s3-hm-bladerunner
mitre-attack <> snowflake-nonprod
mitre-attack <> snowflake-prod
mitre-capec <> s3-hm-bladerunner
mitre-cwe <> s3-hm-bladerunner
mitre-cwe <> snowflake-prod
mongodb <> snowflake-prod
ndb_collection_prod <> s3-hm-bladerunner
nist-nvd <> s3-hm-bladerunner
nist-nvd-cpes <> s3-hm-bladerunner
nist-nvd-cpes <> snowflake-prod
nist-nvd-cves <> s3-hm-bladerunner
nist-nvd-cves <> snowflake-prod
pagerduty <> s3-hm-bladerunner
s3-phishing-story <> snowflake-nonprod
s3-phishing-story <> snowflake-prod
skybox <> s3-hm-bladerunner [STOPPED]
wazuh <> kafka-vector
wazuh-new <> kafka-vector
zendesk-support <> kafka-vector [STOPPED]