-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
116 additions
and
30 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,49 +1,135 @@ | ||
| # Impulse XDR | ||
| <div align=center> | ||
| <h1>Welcome to Impulse XDR!</h1> | ||
| <h2> | ||
| <a href="https://impulse-xdr.com/docs/get-started/install_manager">Quickstart</a> | | ||
| <a href="https://impulse-xdr.com/docs/introduction">Docs</a> | | ||
| <a href="https://impulse-xdr.com">Web</a> | | ||
| <a href="https://github.com/bgenev/impulse-xdr/releases">Releases</a> | ||
| </h2> | ||
| </div> | ||
|
|
||
| #### Deep Security Visibility & Protection | ||
|
|
||
| Impulse XDR is the easiest way to start monitoring your servers and endpoints including VPS, VPC, VMs, Droplets or Linux/Windows 10/11 machines. | ||
| ## 🌟 Deep Security Visibility & Protection | ||
|
|
||
| Whether your goal is to secure a single VPS server or large cloud network (VPC), Impulse will help you get there. Set up deep visibility and protection for your infrastucture in two steps: | ||
| Impulse is a fully automated SIEM/XDR with real-time threat detection sensors, storage and visualisation. It detects malware from behavioural patterns rather than signatures and enables deeper visibility than legacy tools. It can be deployed on any device or VM running Linux such as cloud VMs in VPC networks, VPS servers or personal workstations and IoTs. | ||
|
|
||
| 1. Install the self-hosted security events manager on one of your existing instances. It runs on all major Linux distributions and requires almost no configuration. | ||
| It’s organised around a self-hosted, manager-sensor architecture that provides traditional SIEM capabilities like centralized log storage, indexing and normalization, but also automated log-correlation and real-time threat detection via its open-source EDR sensors. It installs in 5 mins on as little as 1.5 gb RAM, 1-core VM. | ||
|
|
||
| 2. Deploy a light or heavy sensor on each endpoint, depending on the features and level of visibility that you need. | ||
|  | ||
|
|
||
| That's it. Security telemetry and analytics start flowing to your screen! | ||
|
|
||
| Impulese provides integrity monitoring for every aspect of your environment - files, processes, connections, ports, users, authentications, installed packages, kernel modules, etc. every variable that could be an indicator of compromise is tracked and analysed. | ||
| ## 🍀 What makes it better at threat detection? | ||
|
|
||
| [Documentation](https://impulse-xdr.com/docs/introduction/) | ||
| Instead of looking for specific malware signatures, it tracks indicators of compromise via their on-disk forensic artefacts. Malware comes in all shapes and forms but its output is always the same - connections to C&C centres, modified files, new processes, modified services/background tasks, authentications, etc. Impulse assigns different metrics/weight to each IOC group (implemented with osquery) depending on its level of significance and continuously monitors for new events. It then aggregates bursts of events, indicative of anomalous activity, into detections. | ||
|
|
||
| ## Main Features: | ||
| This approach provides a much deeper visibility and allows detections of unknown threats from behavioural activity patterns rather than constantly updated signatures. Users get a full historical chain of events with everything important that has ever happened on the system and a filtered dashboard with high-severity detections. | ||
|
|
||
| #### Security Analytics | ||
| Ingests telemetry data from its fleet of monitoring sensors and provides security analytics & insights. | ||
|  | ||
|
|
||
| #### Indicators of Compormise | ||
| Built-in core indicators of compromise track security events on hosts and alert you in case of anomalous activity. | ||
|
|
||
| #### Network Visibility & IDS | ||
| Monitors network flows, detects intrusion attempts and automatically blocks offenders with active response. | ||
| ## 🚴♂️ Main Features | ||
|
|
||
| #### File Integrity Monitoring | ||
| Tracks changes on the filesystem tree and notifies you about file or permission modifications. | ||
| - **Security Analytics**: Ingests telemetry data from its fleet of monitoring sensors and provides security analytics & insights. | ||
| - **Indicators of Compormise**: Built-in core indicators of compromise track security events on hosts and alert you in case of anomalous activity. Even if certain events don't generate a detection, they are still added to an "IOCs History" database which provides integrity monitoring for every aspect of your environment - files, processes, connections, ports, users, authentications, installed packages, kernel modules, etc. every variable that could be an indicator of compromise is tracked and analysed. | ||
| - **Network Visibility & IDS**: Monitors network flows, detects intrusion attempts and automatically blocks offenders with active response. | ||
| - **File Integrity Monitoring**: Tracks changes on the filesystem tree and notifies you about file or permission modifications. | ||
| - **Security Policies**: Monitors system configuration settings to ensure compliance with preset core security policies. | ||
| - **Active Response**: Automatically blocks suspicious IPs, stops processes, closes ports and quarantines files. | ||
| - **Fleet Firewall**: Fleet firewall blocks offenders across the fleet. | ||
| - **Threat Intel**: Integrates with high-quality threat intelligence providers to enrich your context data. | ||
| - **Vulnerability Scanning**: Discovers installed packages and associated CVEs. | ||
| - **Self-Hosted & Open-Core**: Data never leaves you servers. | ||
|
|
||
| #### Security Policies | ||
| Monitors system configuration settings to ensure compliance with preset core security policies. | ||
|
|
||
| #### Active Response | ||
| Automatically blocks suspicious IPs, stops processes, closes ports and quarantines files. | ||
| ## 👣 What indicators (IOCs) does it track? | ||
|
|
||
| #### Fleet firewall | ||
| Fleet firewall blocks offenders across the fleet. | ||
| - Unusual inbound and outbound network traffic | ||
| - Unusual authentications | ||
| - New or unknown applications, processes and background tasks | ||
| - Unusual activity from administrator or privileged accounts | ||
| - An increase in incorrect login attempts that may indicate brute force attack | ||
| - New or modified files and large numbers of requests for the same file | ||
| - Suspicious registry or system file changes | ||
| - Modified system binaries | ||
| - New cron-tabs and Systemd services | ||
| - Open ports | ||
| - Unusual Domain Name Servers (DNS) requests and registry configurations | ||
| - Newly generated compressed files | ||
|
|
||
| #### Malware scanner | ||
| Integrated with VirursTotal to scan for malicious files on your hosts. | ||
| and many more. | ||
|
|
||
| #### Active Response | ||
| Integrated with several high-quality threat intelligence providers to enrich your context data. | ||
| ## 🛠️ What can I protect/monitor with it? | ||
|
|
||
| #### Self-Hosted & Open-Core | ||
| Data never leaves you servers. | ||
| 1. **Cloud VMs in VPC.** Works with any cloud provider including AWS, DigitalOcean, Azure, GCP, Alibaba, etc. | ||
|
|
||
| 2. **VPS server.** Either deploy in standalone mode or deploy the manager on one VPS and then place a sensor on the target VPS. | ||
|
|
||
| 3. **Cluster of VPS servers.** If you have multiple VPS servers spread across various providers, simply choose one of them as the manager and place light/heavy sensors on the rest. | ||
|
|
||
| 4. **Website host.** Install in standalone mode to lockdown your host and reduce load by blocking port scanners. | ||
|
|
||
| 5. **Monitor personal workstation.** The Impulse EDR provides real-time threat-detection & integrity monitoring for personal computers. A hardened Linux Desktop such as Debian with Impulse EDR monitoring is one of the most secure configurations that you can get. | ||
|
|
||
| 6. **IOT device, Raspberry Pi or similar.** Light sensors can be installed on any Linux device that provides ssh access. | ||
|
|
||
| 7. **Install on local VM and learn cybersecurity/sysadmin.** The level of visibility provided by Impulse means that you can use it to learn and play around with Linux environments. Deploy on localhost VM, then modify system settings or try to attack the VM and observe what changes in the “IOT History” dashboard. | ||
|
|
||
| ## 📘 How to get started and documentation | ||
|
|
||
| Set up deep security visibility and protection for your infrastructure in two steps: | ||
|
|
||
| 1. Install the self-hosted security events manager on one of your existing machines (this could be any VM, VPS, laptop or Raspberry Pi with 1-core, 1.5gb RAM). It runs on all major Linux distributions and requires close to zero configuration. | ||
|
|
||
| 2. Deploy a light or heavy sensor on each endpoint, depending on the features and level of visibility that you need. | ||
| That's it. Security telemetry and analytics start flowing to your screen! | ||
|
|
||
|
|
||
| [Setup & Documentation](https://impulse-xdr.com/docs/introduction/) | ||
|
|
||
|
|
||
| ## How does it compare with other security monitoring tools? | ||
|
|
||
| | Feature | Other Tools | Impulse XDR | | ||
| | --------------------------------------------------------------------------------------------- | -------------------------------------------------------- | ---------------------------------------------------------------------------- | | ||
| | Able to detect known and unknown malware from system behaviour | No | Yes | | ||
| | Visibility level | Tell you only when something really, really bad happens. | Full historical chain of events for every potential indicator of compromise. | | ||
| | Traditional SIEM features with centralized log storage, indexing and storage | Some | Yes | | ||
| | Light, open-source sensors with host and network intrusion detection baked-in | No | Yes | | ||
| | File Integrity Monitoring | Some | Yes | | ||
| | Secure Configuration Management | Basic | Yes | | ||
| | Can work on as little as 1.5 GB RAM, 1-core CPU | No way | Yes | | ||
| | Purpose-built interface for presenting security information in digestible form | No | Yes | | ||
| | Flexible installation on any Linux OS instance with Docker containers and SystemD services | Some | Yes | | ||
| | Create and distribute custom monitoring policies | Some | Yes | | ||
| | Active response with fleet firewall, asset isolation and remote script execution | No | Yes | | ||
| | Easy self-host installation | No | Yes | | ||
| | Future proof, built with best in class components: Postgres, gRPC, Rsyslog, Osquery, Suricata | No | Yes | | ||
| | Pricing | Bill shock | Free version and affordable premium | | ||
|
|
||
| **Demo** | ||
|
|
||
|  | ||
|
|
||
|
|
||
| **Fleet** | ||
|
|
||
|  | ||
|
|
||
|
|
||
| **Detections** | ||
|
|
||
|  | ||
|
|
||
|
|
||
| **Network IDS** | ||
|
|
||
|  | ||
|
|
||
|
|
||
| **Secure Configuration** | ||
|
|
||
|  | ||
|
|
||
|
|
||
| **Live Query** | ||
|  |