What is the Application Data Monitor?
How does it work?
How does the communication happen between the ADM and other devices in the ESM?
How are logs forwarded to the ADM?
The ADM is a packet sniffing sensor with layer-7 awareness for a large number of protocols. The ADM is added to an ESM the same way that a Receiver is added, so an encrypted channel is established when the ADM is keyed on installation. Then it will be polled for events at the same interval that Receivers are polled.
The ADM has 4 ports that can be connected to network taps or mirror ports. The ADM default policy and rules can be viewed in the Policy Editor to give you an idea of what they cover. New rules are easy to add with the graphical drag and drop editor. The ADM allows the SIEM operator to have direct access to the wire to search and monitor data relevant to myriad different use cases, but especially those focused on data exfiltration, bot C&C activity, lateral movement and acceptable use.
Logs are still forwarded to Receivers. All of the events and flow data generated by the ADM are based on the packets that it sees on the wire. The ADM data is then correlated with log data collected by the Receivers.
Though it's a completely different engine and implementation, I think it's similar to what BRO provides in functionality with differences being the integration with the ESM, graphical editor, centralized management, out-of-the-box rules, commercial support and it's available as a McAfee hardware appliance as well as a VM.
Need another clarification.
Are the logs collected and forwarded to the ADM then forwarded again to the Receiver and then to the ESM?
Thanks in Advance !!!
The ESM polls/pulls data directly from the ADM database just as it does the Receiver. A Receiver is not used in the process. This is true for the DBM/DEM also.
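To make the model in the two answers above concrete (a sensor that decodes packets up to layer 7, applies rules, and keeps its own event store that the manager polls directly, with no Receiver in the path), here is a toy sensor. This is an added example, not McAfee ADM or ESM code. The frame builder, the two rules, the approved-host list, the `L7Sensor` class and the `esm_poll` function are all constructed for illustration; checksums are left zero because the frames never touch a real network.

```python
"""Toy layer-7 sensor: sniffed frame -> L7 decode -> rule -> event store -> manager poll.

Added example, not McAfee ADM/ESM code. All names, rules and sample frames below
are constructed for illustration only.
"""
import struct
from typing import Dict, List, Optional

# Constructed policy: hosts where large uploads are expected; anything else is suspect.
APPROVED_UPLOAD_HOSTS = {"intranet.example"}
LARGE_POST_BYTES = 100_000
STANDARD_HTTP_PORTS = {80, 8080}


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums zeroed; test input only)."""
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    # data offset 5 (20-byte header), flags PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[Dict]:
    """Layers 2-4: return addressing plus the TCP payload, or None if not IPv4/TCP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": tcp[data_off:]}


def parse_http_request(payload: bytes) -> Optional[Dict]:
    """Layer 7: pull method, path and headers out of an HTTP request, or None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": parts[0].decode(), "path": parts[1].decode(), "headers": headers}


class L7Sensor:
    """Sees frames from a tap/mirror port, applies rules, keeps its own event store."""

    def __init__(self) -> None:
        self.events: List[Dict] = []

    def _emit(self, rule: str, pkt: Dict, **extra) -> None:
        self.events.append({"id": len(self.events) + 1, "rule": rule,
                            "src": pkt["src"], "dst": pkt["dst"], **extra})

    def ingest(self, frame: bytes) -> None:
        pkt = parse_frame(frame)
        if pkt is None:
            return
        req = parse_http_request(pkt["payload"])
        if req is None:
            return
        host = req["headers"].get("host", "")
        length = int(req["headers"].get("content-length", "0") or 0)
        # Rule 1 (exfiltration-style): large POST to a host not on the approved list.
        # A real sensor would track the stream and count actual bytes, not trust the header.
        if req["method"] == "POST" and host not in APPROVED_UPLOAD_HOSTS and length >= LARGE_POST_BYTES:
            self._emit("large-post-unapproved-host", pkt, host=host, bytes=length)
        # Rule 2 (acceptable-use / C&C-style tell): HTTP carried on a non-standard port.
        if pkt["dport"] not in STANDARD_HTTP_PORTS:
            self._emit("http-on-nonstandard-port", pkt, port=pkt["dport"], host=host)


def esm_poll(sensor: L7Sensor, last_id: int) -> List[Dict]:
    """The manager pulls events newer than last_id straight from the sensor's store."""
    return [e for e in sensor.events if e["id"] > last_id]


if __name__ == "__main__":
    s = L7Sensor()
    s.ingest(build_frame("10.0.0.5", "203.0.113.9", 51000, 80,
             b"POST /up HTTP/1.1\r\nHost: drop.example\r\nContent-Length: 250000\r\n\r\nAAAA"))
    s.ingest(build_frame("10.0.0.5", "10.0.0.20", 51001, 80,
             b"GET /index HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
    s.ingest(build_frame("10.0.0.7", "198.51.100.4", 51002, 4444,
             b"GET /beacon HTTP/1.1\r\nHost: 198.51.100.4\r\n\r\n"))
    for ev in esm_poll(s, 0):
        print(ev)
```

The poll is cursor-based on the event id, so each manager pull returns only what arrived since the last interval, which is the behaviour the answer describes for the ADM and the DBM/DEM alike.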