The ADM is a packet sniffing sensor with layer-7 awareness for a large number of protocols. The ADM is added to an ESM the same way that a Receiver is added, so an encrypted channel is established when the ADM is keyed on installation. Then it will be polled for events at the same interval that Receivers are polled.
The ADM has 4 ports that can be connected to network taps or mirror ports. The ADM default policy and rules can be viewed in the Policy Editor to give you an idea of what they cover. New rules are easy to add with the graphical drag and drop editor. The ADM allows the SIEM operator to have direct access to the wire to search and monitor data relevant to myriad different use cases, but especially those focused on data exfiltration, bot C&C activity, lateral movement and acceptable use.
Logs are still forwarded to Receivers. All of the events and flow data generated by the ADM are based on the packets that it sees on the wire. The ADM data is then correlated with log data collected by the Receivers.
Though it's a completely different engine and implementation, I think it's similar to what BRO provides in functionality with differences being the integration with the ESM, graphical editor, centralized management, out-of-the-box rules, commercial support and it's available as a McAfee hardware appliance as well as a VM.
The ESM polls/pulls data directly from the ADM database just as it does the Receiver. A Receiver is not used in the process. This is true for the DBM/DEM also.
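To make concrete what "a packet sniffing sensor with layer-7 awareness" on a tap or mirror port does before its events are correlated with Receiver logs, here is an added, self-contained Python example. It is not McAfee's ADM code and does not describe the ADM's internals; it is a toy sensor that walks Ethernet/IPv4/TCP headers, recognizes two application protocols (an HTTP request and a TLS ClientHello) in the TCP payload, and emits event records with the fields a SIEM would correlate on. The frames are constructed inline (hypothetical IPs and hostnames), and a truncated ClientHello is included to show that a malformed handshake is dropped rather than crashing the sensor. Note that for TLS the sensor only reads the cleartext ClientHello (the SNI hostname); that is what any passive sensor can see without the server's keys, and the example does not attempt decryption.

```python
"""Toy passive layer-7 sensor (added example, not McAfee ADM code).

Parses raw Ethernet/IPv4/TCP frames as a tap or mirror port would deliver
them and emits events for HTTP requests and TLS ClientHellos.
"""
import socket
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample frame: Ethernet II + minimal IPv4 + TCP (no options)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"  # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                         # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP headers; return 5-tuple fields and TCP payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol field: only TCP handled here
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def parse_http_request(payload):
    """Extract method, URI and Host header from an HTTP/1.x request."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0].decode(), "uri": parts[1].decode(),
            "host": headers.get(b"host", b"").decode(errors="replace")}


def parse_tls_sni(payload):
    """Return the SNI hostname from a TLS ClientHello, or None if absent/malformed."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        hs = payload[9:9 + int.from_bytes(payload[6:9], "big")]
        pos = 2 + 32                      # client_version + random
        pos += 1 + hs[pos]                # session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hs[pos]                # compression_methods
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            body = hs[pos + 4:pos + 4 + elen]
            if etype == 0:  # server_name_list_len(2) name_type(1) name_len(2) name
                return body[5:5 + int.from_bytes(body[3:5], "big")].decode()
            pos += 4 + elen
    except (IndexError, UnicodeDecodeError):
        return None  # malformed handshake: drop it, never crash the sensor
    return None


def sensor_events(frames):
    """Emit one event per recognized layer-7 request; unknown payloads are skipped."""
    events = []
    for frame in frames:
        fields = decode_frame(frame)
        if fields is None:
            continue
        src, dst, sport, dport, payload = fields
        base = {"src": src, "dst": dst, "sport": sport, "dport": dport}
        if payload.startswith(HTTP_METHODS):
            req = parse_http_request(payload)
            if req:
                events.append(dict(base, app="http", **req))
        else:
            sni = parse_tls_sni(payload)
            if sni:
                events.append(dict(base, app="tls", sni=sni))
    return events


# Constructed sample traffic (hypothetical addresses and hostnames).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "203.0.113.10", 51000, 80,
                b"GET /upload HTTP/1.1\r\nHost: drop.example\r\n\r\n"),
    build_frame("10.0.0.5", "203.0.113.20", 51001, 443, build_client_hello("c2.example.net")),
    build_frame("10.0.0.5", "203.0.113.20", 51002, 443, b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03"),
]

if __name__ == "__main__":
    for event in sensor_events(SAMPLE_FRAMES):
        print(event)
```

The third frame is a ClientHello cut off after its length field; the sensor returns no event for it rather than raising, which is the behaviour you want from anything fed an untrusted mirror port.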
How does ADM decode encrypted Layer 7 traffic?
For example, most web server application traffic will be encrypted; how will it be decoded by ADM?
How will it collect the logs? Will it use any sensor or agent to collect logs? Please explain.
Thanks in advance.