AlienVault OSSIM Benefits

Aman Aijaz - PeerSpot reviewer
Assistant Manager Global Security at Convergys Corporation

This may not be a feature. It is something like how you configure and how you analyze it. But since it's open-source, I'm talking more about this. So, since it's open-source, getting the features of going deep into an IP is good. For example, I get an alert in which I see this IP, source IP 8.8.8.8. Now if I want to drill deep down into this and know which other IP this IP has been communicating to and these kinds of things and, also, if I have, for example, firewall logs onboarded on this tool, I can just literally go to the filter section and put the IP and check all the logs, which have been collected on this device. From this, I can make the meaning and see if those have been affected or not. It is a basic feature, but since this is open-source, it is a good thing in terms of the results we are getting.

RK
CISO at a recreational facilities/services company with 501-1,000 employees

We have various media organizations from which we get data into our network and then it goes out. If you put any control, any device, or anything to sense the traffic, it will say that it's malicious traffic, because of the nature of most of the traffic that we generate. We usually upload or download TV shows or films, they go in and out. The same size of IP packets increase because of the kind of transfer that we do.

In addition to that, we also are into broadcasting. We send the data to broadcasting stations, and from there it gets broadcasted on air.

It has really helped find critical vulnerabilities in our network at times. There was a brute force attack, a web attack, and I was able to discover that using AlienVault. There was a WannaCry in one of my systems, a trojan, and it was generating traffic towards the WannaCry domain. I was able to see that through the AlienVault system. It was not immediate. It was after almost three days that I was able to discover that there was a vulnerability within our network.

DL
Sales Solutions Engineer at a tech services company with 201-500 employees

When we forward in-traffic from our one interface to Network IDS in OSSIM, we can see all of the requests that we have to and from that interface. Because of integration with Open Threat Exchange from AlienVault, we see which IPs from these requests are malicious and we can use these IPs to block them on our firewall.

Buyer's Guide
AlienVault OSSIM
April 2024
Learn what your peers think about AlienVault OSSIM. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,246 professionals have used our research since 2012.
JP
Chief Wealth Cybersecurity Architect at PWcyber

I can't really discuss how this helps my organization. I'm running this from my home, so this is not a business I'm using it for. What I do is I log in infrequently to the device or to the service and I check and see if there's anything that's anomalous or anything that is of concern. 
