Change Guardian Event Collector Addon for Windows Agent collects events in the Common Event Format (CEF). Change Guardian supports events only in CEF.
Before installing the Change Guardian Event Collector Addon for Windows Agent, set up the required connectors.
NOTE: For convenience, the Change Guardian documentation provides the configuration steps for the third-party products AWS, Office 365, Dell EMC, and Exchange. For more information about these products, or for any issues with their configuration, see their own documentation.
For information about AWS concepts, see AWS Documentation.
NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.
If you are using Elastic Compute Cloud (EC2) role-based credentials, you must use an IAM role with the AmazonS3ReadOnlyAccess and AmazonSQSFullAccess policies. If you are using an access key and secret key as credentials, complete the following steps:
To set up:
Create an Amazon Web Services account.
Log in to the AWS Management Console and open IAM.
From Dashboard, click Access Management > Groups > Create New Group.
Specify Group Name and attach the policies AmazonS3ReadOnlyAccess and AmazonSQSFullAccess to the group.
The group needs these permissions to access the CloudTrail logs through the APIs.
To add a new user to the group, select Users > Add Users.
Specify the user details.
Ensure that you download the credentials as a .csv file.
NOTE: The file contains the Access Key ID and Secret Access Key that you have to use when installing the connector.
Click Groups > group_name > Group Action > Add Users to Group.
Select the users to add to the group and click Add Users.
To view or create an Access Key ID, open the user summary and click Security Credentials > Create Access key.
Create a new Amazon Simple Storage Service (S3) bucket and a new Amazon Simple Notification Service (SNS) topic.
To configure CloudTrail:
From the AWS Management Console, open CloudTrail.
Click Create trail.
Specify Trail name.
Select Create new S3 bucket and specify Trail log bucket and folder.
Select SNS notification delivery.
Select Send SNS notification for every log file delivery.
Specify a new SNS Topic.
Make a note of the AWS S3 Region name shown in the browser address bar on the SQS page.
To create an SQS queue:
In the AWS Management Console, open Simple Queue Service.
Click Create New Queue and specify the details.
Select the new queue.
Under Queue Actions, select Subscribe Queue to SNS Topic.
From Choose a Topic, select the new topic and click Subscribe.
You should have the following parameters after setting up AWS. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

| Parameter | Description |
|---|---|
| Proxy Host, Proxy Port, Proxy User Name, Proxy Password | (Optional) The proxy configuration settings |
| AWS SQS URL | The SQS URL from which you want to pull the CloudTrail notifications |
| AWS Access Key, AWS Secret Key | The credentials for the IAM user |
| AWS SQS Region, AWS S3 Region | The locations of the AWS data centers |
| AWS SQS Visibility Timeout | The time during which Amazon SQS prevents other consuming components from receiving and processing the same message |
| AWS SQS Max Received Count | The maximum number of attempts to receive an SQS message |
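As an added example (not part of the Change Guardian documentation), this PowerShell function shows what the collector reads from the queue set up above: an SNS envelope wrapping a CloudTrail log-delivery notification. The topic ARN, account, bucket and object key are constructed placeholders, and the handling of Max Received Count is an assumed interpretation of that parameter.

```powershell
# Constructed sample of one SQS message body: the SNS envelope (raw message delivery left off)
# whose Message field carries the CloudTrail log-delivery notification. All identifiers are made up.
$SampleBody = @'
{
  "Type": "Notification",
  "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudtrail-topic",
  "Message": "{\"s3Bucket\":\"example-trail-bucket\",\"s3ObjectKey\":[\"AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/123456789012_CloudTrail_us-east-1_20240101T0000Z_Abcd1234.json.gz\"]}"
}
'@

function Get-CloudTrailDelivery {
    param(
        [Parameter(Mandatory)][string]$Body,
        [Parameter(Mandatory)][string]$ExpectedTopicArn,  # the SNS topic chosen when creating the trail
        [int]$ApproximateReceiveCount = 1,                 # SQS attribute of the same name on the message
        [int]$MaxReceivedCount = 5                         # the AWS SQS Max Received Count parameter
    )
    # A message that reappears after every visibility timeout has already failed processing
    # ApproximateReceiveCount - 1 times; give up once the configured ceiling is reached (assumed semantics).
    if ($ApproximateReceiveCount -gt $MaxReceivedCount) {
        return [pscustomobject]@{ Action = 'Discard'; Reason = "received $ApproximateReceiveCount times" }
    }
    $envelope = $Body | ConvertFrom-Json
    # Accept only notifications published by the trail's own topic.
    if ($envelope.Type -ne 'Notification' -or $envelope.TopicArn -ne $ExpectedTopicArn) {
        return [pscustomobject]@{ Action = 'Discard'; Reason = 'unexpected message type or topic' }
    }
    # CloudTrail sends a plain-text "CloudTrail validation message." when SNS delivery is first enabled.
    if ($envelope.Message -notlike '{*') {
        return [pscustomobject]@{ Action = 'Delete'; Reason = 'not a log-delivery notification' }
    }
    $delivery = $envelope.Message | ConvertFrom-Json
    $objects = foreach ($key in $delivery.s3ObjectKey) {
        # Key layout: AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz
        $parts = $key -split '/'
        [pscustomobject]@{ Bucket = $delivery.s3Bucket; Account = $parts[1]; Region = $parts[3]; Key = $key }
    }
    [pscustomobject]@{ Action = 'Fetch'; Objects = @($objects) }
}

Get-CloudTrailDelivery -Body $SampleBody -ExpectedTopicArn 'arn:aws:sns:us-east-1:123456789012:cloudtrail-topic' |
    Format-List
```

The Region field taken from the key is the value the AWS S3 Region parameter should match; a mismatch there is a quick way to spot a trail writing to a different region than the one configured in the collector.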
Register the connector in Azure AD and configure it with the appropriate permissions. Ensure that you have an enabled and configured Office 365 subscription account, and that the subscription is associated with an Azure AD Tenant Domain account.
NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.
To register:
Log in to the Azure Management portal using the credentials of your Microsoft tenant that has the subscription to Office 365 you wish to use.
Click Azure Active Directory.
Under Manage, click App registrations > New registration.
Specify a logical name, supported account types, redirect URI (optional), and then click Register.
Make a note of the Application (Client) ID, which is the Client ID.
Under Manage > Certificates and secrets > New client secret, specify the client secret details and click Add.
Make a note of the client secret Value (shown only once, alongside the Secret ID), which is the Client Secret.
Click API permissions > Add a permission > Office 365 Management APIs > Delegated permissions and Application Permissions.
Select ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read and click Add permissions.
On the API permissions page, click Grant admin consent for <organization name>.
You should have the following parameters after setting up Office 365. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

| Parameter | Description |
|---|---|
| Azure Tenant Domain | The domain name of the Office 365 Azure tenant |
| Client ID | The Client ID of the application registered in Azure Active Directory |
| Client Secret | The Client Secret of the application registered in Azure Active Directory |
| Proxy Host, Proxy Port, Proxy User Name, Proxy Password | (Optional) The proxy configuration settings |
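To check that the registration works before installing the addon, this added PowerShell script (not from the product documentation) requests an app-only token with the Client ID and Client Secret and calls the Office 365 Management Activity API with it. The tenant domain, client ID and secret are placeholders to replace with the values noted above.

```powershell
# Placeholders (constructed); replace with the Azure Tenant Domain, Client ID and Client Secret noted above.
$TenantDomain = 'contoso.onmicrosoft.com'
$ClientId     = '00000000-0000-0000-0000-000000000000'
$ClientSecret = 'REPLACE-WITH-CLIENT-SECRET-VALUE'

function Get-ManagementApiToken {
    param([string]$TenantDomain, [string]$ClientId, [string]$ClientSecret)
    # Client credentials grant: the app authenticates as itself, so only the Application
    # permissions count here, and they work only after admin consent has been granted.
    $form = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://manage.office.com/.default'
    }
    Invoke-RestMethod -Method Post -Body $form `
        -Uri "https://login.microsoftonline.com/$TenantDomain/oauth2/v2.0/token"
}

function Get-TenantIdFromToken {
    param([string]$AccessToken)
    # The Management API path needs the tenant GUID, which the token carries in its 'tid' claim.
    $payload = $AccessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)
    ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json).tid
}

$token    = Get-ManagementApiToken -TenantDomain $TenantDomain -ClientId $ClientId -ClientSecret $ClientSecret
$tenantId = Get-TenantIdFromToken -AccessToken $token.access_token
$headers  = @{ Authorization = "Bearer $($token.access_token)" }
try {
    # 401/403 here usually means ActivityFeed.Read is missing or admin consent was not granted.
    $subs = Invoke-RestMethod -Headers $headers `
        -Uri "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/list"
    if (-not $subs) {
        'Token accepted, but no content subscriptions exist yet (started with .../subscriptions/start?contentType=...).'
    } else {
        $subs | Select-Object contentType, status
    }
} catch {
    "Management API call failed: $($_.Exception.Message)"
}
```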
NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.
To install Common Event Enabler (CEE):
Log into the machine with the account that has administrator privilege.
Ensure that .NET Framework 3 is enabled.
Run the file EMC_CEE_Pack for either the 32-bit (WIN32) or the 64-bit (X64) version of the software.
Follow the prompts and complete the installation.
NOTE: Do not change the location of the temporary directory.
When the installer prompts you to restart the server, click No.
Open services.msc and search for EMC CAVA in the services list.
Right-click the service, click Properties, and then click Log On > This Account > Browse > Advanced > Find Now.
Select the administrator or the account with administrative privilege and set the password.
Restart the machine.
Access the CEPA server from a browser.
Use the same format that you provided in the Dell EMC web console, for example, http://1.1.1.1:12228/cee.
If the CEPA server is running, it displays the version of CEE.
To set up application access:
Open the Windows registry and go to HKEY_LOCAL_MACHINE > SOFTWARE > EMC > CEE > CEPP > Audit > Configuration.
Specify ArcSightConnector in Endpoint.
Specify 1 in Enable and restart the machine.
You should have the following parameters after setting up Dell EMC. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

| Parameter | Description |
|---|---|
| Domain Name, Domain Host Name, Domain User Name, Domain Password | The domain controller details used to perform SID translation of users |
The Exchange Management Shell is built on Windows PowerShell technology. With the Shell, you can manage every aspect of Exchange, including enabling new e-mail accounts, configuring SMTP connectors, storing database properties, storing transport agents, and more. The Shell can perform every task that can be performed by the Exchange Management Console and the Exchange Web interface, in addition to tasks that cannot be performed in those interfaces.
NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.
To understand mailbox audit logging, see Messaging policy and compliance permissions in the Microsoft Exchange Documentation.
Use the Shell to specify Mailbox Audit Logging Settings, and specify logging settings for Administrator, Delegate, and Owner access.
Enable mailbox audit logging for Ben Smith's mailbox:
Set-Mailbox -Identity "Ben Smith" -AuditEnabled $true
For detailed syntax and parameter information, see Set-Mailbox in the Microsoft Exchange Documentation.
Specify that the SendAs or SendOnBehalf actions performed by delegate users are logged for Ben Smith's mailbox:
Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true
Specify that the MessageBind and FolderBind actions performed by administrators are logged for Ben Smith's mailbox:
Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true
Specify that the HardDelete action performed by the mailbox owner will be logged for Ben Smith's mailbox.
Set-Mailbox -Identity "Ben Smith" -AuditOwner HardDelete -AuditEnabled $true
To understand administrator audit logging, see Administrator audit logging in Exchange Server and Exchange and Shell Infrastructure Permissions in the Microsoft Exchange Documentation.
Use the Shell to specify Administrator Logging Settings, and specify logging settings for Administrator, Delegate, and Owner access.
Enable administrator audit logging:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
Enable administrator audit logging for every cmdlet and every parameter in the organization, with the exception of Get Cmdlets:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters *
Enable administrator audit logging for specific Cmdlets run in the organization:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox* -AdminAuditLogParameters *Address*
Any parameter used on the specified Cmdlet is logged. Every time a specified cmdlet is run, a log entry is added to the audit log.
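The commands above configure one mailbox at a time. This added script (not from the Change Guardian or Microsoft documentation) applies the same Administrator, Delegate and Owner action sets to every user mailbox, reports where a setting is still missing, and confirms the administrator audit log configuration; it assumes it runs in the Exchange Management Shell with rights to run Set-Mailbox and Search-AdminAuditLog.

```powershell
# Action sets from the commands above, applied with the @{Add=...} syntax so existing
# entries on each mailbox are kept rather than replaced.
$AuditSettings = @{
    AuditEnabled  = $true
    AuditAdmin    = @{ Add = 'MessageBind', 'FolderBind' }
    AuditDelegate = @{ Add = 'SendAs', 'SendOnBehalf' }
    AuditOwner    = @{ Add = 'HardDelete' }
}
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx.Identity @AuditSettings
}

function Get-MailboxAuditGap {
    # Report mailboxes where auditing is off or one of the expected actions is still missing.
    $expected = @{
        AuditAdmin    = 'MessageBind', 'FolderBind'
        AuditDelegate = 'SendAs', 'SendOnBehalf'
        AuditOwner    = 'HardDelete'
    }
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $mbx = $_
        $missing = foreach ($prop in $expected.Keys) {
            foreach ($action in $expected[$prop]) {
                if ($mbx.$prop -notcontains $action) { "$prop/$action" }
            }
        }
        if (-not $mbx.AuditEnabled -or $missing) {
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                AuditEnabled = $mbx.AuditEnabled
                Missing      = ($missing -join ', ')
            }
        }
    }
}
Get-MailboxAuditGap | Format-Table -AutoSize

# Confirm administrator audit logging is on and covers Set-Mailbox, then pull a week of entries.
Get-AdminAuditLogConfig |
    Select-Object AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit
Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified, CmdletName
```

An empty gap report together with a non-empty Search-AdminAuditLog result shows both audit sources the connector retrieves are actually producing entries.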
Allow Microsoft Exchange PowerShell scripts to execute so that the connector can collect information about mailboxes and events from Microsoft Exchange.
To enable:
Open Local Group Policy Editor.
Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
Set Turn on Script Execution to Enabled.
Set Execution Policy to Allow local scripts and remote signed scripts.
You must configure the Microsoft Exchange PowerShell service to run with sufficient privileges to receive the Exchange audit logs.
To allow the services to run as a domain administrator:
Open Windows services, and select ArcSight Microsoft Exchange PowerShell.
Open Properties, click Log On.
Click This Account > Browse > Locations, and select the domain name.
Specify the domain administrator credentials.
To allow Change Guardian Event Collector Addon for Windows Agent to retrieve events from the correct source, find the FQDN of the Exchange server: go to System in Windows Control Panel and, under Computer name, domain, and workgroup settings, find the Full computer name.
You should have the following parameters after setting up Exchange. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

| Parameter | Description |
|---|---|
| Server FQDN | The fully qualified domain name of the Exchange Server |
| Frequency | The frequency, in seconds, at which each mailbox audit log is retrieved |
| PowerShell Path | The location of the PowerShell application |
To install Change Guardian Event Collector Addon for Windows Agent:
In Agent Manager, click Manage Installation > Download Package.
Download Change Guardian Event Collector Addon for Windows Agent.
In the installer window, specify the local path in which you want to install Change Guardian Event Collector Addon for Windows Agent.
Select the connectors to configure.
Specify the location to store events in CEF.
NOTE: Specify the same path in CEF Data Output Path in Agent Manager.
Specify the values for File Rotation Interval and File Size.
File Rotation Interval is the interval, in seconds, at which a new file is created. A new file is created when either the File Rotation Interval or the file size exceeds the set value. If the EPS is low in AWS IAM, set the file rotation and file size values lower than the default.
Specify the parameters for the selected connectors.
| If your connector is | Do this |
|---|---|
| Dell EMC | Specify the following: |
| Microsoft Exchange | Specify the following: |
| AWS IAM | Specify the following: |
| Office 365 | Specify the following: |
(Optional) Open Windows services, and restart the following services:
ArcSight Dell EMC Unity and VNXe Storage
ArcSight Microsoft Exchange PowerShell
Arcsight Microsoft Office 365
Arcsight Amazon Web Services CloudTrail
NOTE: After the installation, restart the services once to receive the events.
To modify the settings of any connector, launch Change Guardian Event Collector Addon for Windows Agent and click Modify against the desired collector name.
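To check the files the addon writes to the CEF Data Output Path, this added PowerShell parser (not part of the product) splits a CEF line into its seven header fields and its extension key=value pairs while honouring the CEF escape rules. The sample line and the output path are constructed placeholders.

```powershell
function ConvertFrom-CefLine {
    param([Parameter(Mandatory)][string]$Line)
    # Header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|
    # '|' and '\' inside header fields are escaped with '\', so walk the string instead of splitting.
    $fields = New-Object System.Collections.Generic.List[string]
    $sb = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $Line.Length -and $fields.Count -lt 7) {
        $c = $Line[$i]
        if ($c -eq '\' -and $i + 1 -lt $Line.Length) { [void]$sb.Append($Line[$i + 1]); $i += 2; continue }
        if ($c -eq '|') { $fields.Add($sb.ToString()); [void]$sb.Clear(); $i++; continue }
        [void]$sb.Append($c); $i++
    }
    if ($fields.Count -ne 7 -or $fields[0] -notmatch '^CEF:\d+$') { throw "Not a CEF record: $Line" }
    # Extension: space-separated key=value pairs; '=' and '\' in values are escaped, line breaks as \n and \r.
    # A pair ends where whitespace is followed by the next unescaped key=.
    $ext = [ordered]@{}
    $pattern = '(?<k>[^\s=\\]+)=(?<v>(?:\\.|[^\\])*?)(?=\s+[^\s=\\]+=|\z)'
    foreach ($m in [regex]::Matches($Line.Substring($i), $pattern)) {
        $ext[$m.Groups['k'].Value] = [regex]::Replace($m.Groups['v'].Value, '\\(.)', {
            param($e)
            switch -CaseSensitive ($e.Groups[1].Value) { 'n' { "`n" } 'r' { "`r" } default { $e.Groups[1].Value } }
        })
    }
    [pscustomobject]@{
        Version = $fields[0]; Vendor = $fields[1]; Product = $fields[2]; DeviceVersion = $fields[3]
        SignatureId = $fields[4]; Name = $fields[5]; Severity = $fields[6]; Extension = $ext
    }
}

# Constructed sample line (vendor, product and values are made up) with escaped '\' and '=' in the extension.
$sample = 'CEF:0|Example Vendor|Example Collector|1.0|FILE_MOD|File modified|7|src=10.0.0.5 fname=C:\\Users\\admin\\notes.txt msg=User wrote key\=value rt=1700000000000'
ConvertFrom-CefLine -Line $sample | Format-List

# Parse the newest rotated file in the CEF Data Output Path (placeholder path) and count events by signature.
$OutputPath = 'C:\path\to\cef-output'
Get-ChildItem -Path $OutputPath -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content | Where-Object { $_ -match '^CEF:' } | ForEach-Object { ConvertFrom-CefLine -Line $_ } |
    Group-Object SignatureId | Select-Object Name, Count
```

Because a new file starts whenever the File Rotation Interval or File Size is exceeded, checking only the newest file is enough to confirm the selected connectors are delivering events after the service restart.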