Least Privileged User: DX, Windows
Purpose
The Data Indexer accepts logs for indexing, reads lists from EMDB, and returns log data upon request from the Web Console and Client Console.
Shared Services
N/A. At this time, Linux-based Data Indexers do not share data storage or any other resource outside the Data Indexer environment.
Registry Access
| Read Control | Write Owner | Write DAC | Delete | Create Link | Enumerate Subkeys | Set Value | Query Value | Full Control | Children Inherent | |
|---|---|---|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE/ SYSTEM/CurrentControlSet/ services/lr-bulldozer | X | X | ||||||||
| HKEY_LOCAL_MACHINE/ SYSTEM/CurrentControlSet/ services/lr-carpenter | X | X | ||||||||
| HKEY_LOCAL_MACHINE/ SYSTEM/CurrentControlSet/ services/lr-columbo | X | X | ||||||||
| HKEY_LOCAL_MACHINE/ SYSTEM/CurrentControlSet/ services/lr-elasticsearch | X | X | ||||||||
| HKEY_LOCAL_MACHINE/ SYSTEM/CurrentControlSet/ services/lr-gomaintain | X | X | ||||||||
| HKEY_LOCAL_MACHINE/ SYSTEM/CurrentControlSet/ services/lr-transporter | X | X | ||||||||
| HKEY_LOCAL_MACHINE/ SYSTEM/CurrentControlSet/ services/lr-watchtower | X | X |
Database Access
The Elasticsearch database is accessed through service layers only, and user context is tied to the services.
Database access to the EMDB is controlled through specific services executing calls to the Platform Manager on port 1433.
Ports
| Micro-Service | Protocol | Destination Port | Direction | Operating System | Purpose |
|---|---|---|---|---|---|
| Bulldozer | TCP | 1433 | Outbound from DX to PM | Windows | SQL Server access to EMDB |
| Carpenter | TCP | 1433 | Outbound from DX to PM | Windows | SQL Server access to EMDB |
| Columbo | TCP | 13130 | Inbound to DX | Windows | Web Console/Client Console queries |
| TCP | 13132 | Inbound to DX | Windows | Web Console Threat Activity Map port (GumShoe) | |
| ElasticSearch | TCP | 9200 | DX Local Only | Windows | Curl queries to Elasticsearch |