4.3 Installing Change Guardian Event Collector Addon for Windows Agent

Change Guardian Event Collector Addon for Windows Agent collects events in the common event format (CEF). Change Guardian supports events only in CEF.

Before installing the Change Guardian Event Collector Addon for Windows Agent, set up the required connectors.

NOTE:Change Guardian documentation provides the configuration steps about third-party products AWS, Office 364, Dell EMC, and Exchange for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.

4.3.1 Prerequisites for AWS

This section provides the following information:

For information about AWS concepts, see AWS Documentation.

NOTE:Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Setting the AWS Account

If you are using Elastic Compute Cloud (EC2) role-base credentials, then you must use an IAM role with AmazonS3ReadOnlyAccess and AmazonSQSFullAccess policies. If you are using access key or secret key as credentials, complete the following steps:

To setup:

  1. Create an Amazon Web Services account.

  2. Log in to the AWS Management Console and open IAM.

  3. From Dashboard, click Access Management > Groups > Create New Group.

  4. Specify Group Name and attach the policies AmazonS3ReadOnlyAccess and AmazonSQSFullAccess to the group.

    The group requires necessary permissions to access the CloudTrail logs through APIs.

  5. To add new user to the group, select Users > Add Users.

  6. Specify the user details.

  7. Ensure that you download the credentials as .csv file.

    NOTE:The file contains the Access Key ID and Secret Access Key that you have to use when installing the connector.

  8. Click Groups > group_name > Group Action > Add Users to Group.

  9. Select the users to add to the group and click Add Users.

  10. To view or create an Access key ID, open user summary and click Security Credentials > Create Access key.

Configuring CloudTrail

Create a new Amazon Simple Storage Service (S3) bucket and a new Amazon Simple Notification Service (SNS) topic.

To configure CloudTrail:

  1. From the AWS Management Console, open CloudTrail.

  2. Click Create trail.

  3. Specify Trail name.

  4. Select Create new S3 bucket and specify Trail log bucket and folder.

  5. Select SNS notification delivery.

  6. Select Send SNS notification for every log file delivery.

  7. Specify a new SNS Topic.

Make a note of the AWS S3 Region name available at the browser address box of the SQS page.

Creating and Subscribing an Amazon Simple Queue Service (SQS)

To create an SQS:

  1. In the AWS Management Console, open Simple Queue Service.

  2. Click Create New Queue and specify the details.

  3. Select the new queue.

  4. Under Queue Actions, select Subscribe Queue to SNS Topic.

  5. From Choose a Topic, select the new topic and click Subscribe.

Important Parameters

You should have the following parameters after setting up AWS. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

Parameter

Description

Proxy Host

Proxy Port

Proxy User Name

Proxy Password

(Optional) The proxy configuration settings

AWS SQS URL

The SQS URL from which you want to pull the CloudTrail notification

AWS Access Key

AWS Secret Key

The credentials for the IAM user

AWS SQS Region

AWS S3 Region

The locations of AWS data centers

AWS SQS Visibility Timeout

The time during which Amazon SQS prevents other consuming components from receiving and processing that message

AWS SQS Max Received Count

The maximum number of attempts to receive an SQS message

4.3.2 Prerequisites for Office 365

Register the connector in Azure AD and configure it with appropriate permissions. Ensure that you have enabled and configured Office 365 subscription account. Also, ensure that the subscription is associated with an Azure AD Tenant Domain account.

NOTE:Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance

Registering the Application in Azure AD

To register:

  1. Log in to the Azure Management portal using the credentials of your Microsoft tenant that has the subscription to Office 365 you wish to use.

  2. Click Azure Active Directory.

  3. Under Manage, click App registrations > New registration.

  4. Specify a logical name, supported account types, redirect URI (optional), and then click Register.

    Make a note of the Application (Client) ID, which is the Client ID.

  5. Under Manage > Certificates and secrets > New client secret, specify the client secret details and click Add.

    Make a note of the Client secret value (ID), which is the Client Secret.

  6. Click API permissions > Add a permission > Office 365 Management APIs > Delegated permissions and Application Permissions.

  7. Select ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read and click Add permissions.

  8. On the API permissions page, click Grant admin consent for <organization name>.

Important Parameters

You should have the following parameters after setting up Office 365. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

Parameter

Description

Azure Tenant Domain

The domain name of the Office 365 Azure tenant

Client ID

The Client ID of the registered application in Azure Active Directory

Client Secret

The Client Secret of the application registered in Azure Active Directory

Proxy Host

Proxy Port

Proxy User Name

Proxy Password

(Optional) Proxy configuration setting

4.3.3 Prerequisites for Dell EMC

NOTE:Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance

Installing Common Event Enabler

To install Common Event Enabler (CEE):

  1. Log into the machine with the account that has administrator privilege.

  2. Ensure that .NET Framework 3 is enabled.

  3. Run the file EMC_CEE_Pack for either the 32-bit (WIN32) or the 64-bit (X64) version of the software.

  4. Follow the prompts and complete the installation.

    NOTE:Do not change the location of the temporary directory.

  5. When installer prompts you to restart the server, Click No.

  6. Open services.mcs and search for EMC CAVA in the services list.

  7. Right click Properties and click Log On > This Account > Browse > Advanced > Find Now.

  8. Select the administrator or the account with administrative privilege and set the password.

  9. Restart the machine.

  10. Access the CEPA server from a browser.

    Use the same format that you provided in the Dell EMC web console, for example, http://1.1.1.1:12228/cee.

    If the CEPA server is running, it displays the version of CEE.

To set up application access:

  1. Open Windows registry and open HKEY_LOCAL_MACHINE > SOFTWARE > EMC > CEE > CEPP > Audit > Configuration.

  2. Specify ArcSightConnector in Endpoint.

  3. Specify 1 in Enable, and restart the machine.

Important Parameters

You should have the following parameters after setting up Dell EMC. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

Parameter

Description

Domain Name

Domain Host Name

Domain User Name

Domain Password

The domain controller details to perform SID translation of users

4.3.4 Prerequisites for Exchange

The Exchange Management Shell is built on Windows PowerShell technology. With the Shell, you can manage every aspect of Exchange, including enabling new e-mail accounts, configuring SMTP connectors, storing database properties, storing transport agents, and more. The Shell can perform every task that can be performed by the Exchange Management Console and the Exchange Web interface, in addition to tasks that cannot be performed in those interfaces.

NOTE:Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance

This section provides the following information:

Enabling Mailbox Audit Logging

To understand mailbox audit logging, see Messaging policy and compliance permissions in the Microsoft Exchange Documentation.

Use the Shell to specify Mailbox Audit Logging Settings, and specify logging settings for Administrator, Delegate, and Owner access.

  1. Enable mailbox audit logging for Ben Smith's mailbox:

    Set-Mailbox -Identity "Ben Smith" -AuditEnabled $true

  2. For detailed syntax and parameter information, see Set-Mailbox in the Microsoft Exchange Documentation.

  3. Specify that the SendAs or SendOnBehalf actions performed by delegate users are logged for Ben Smith's mailbox:

    Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true

  4. Specify that the MessageBind and FolderBind actions performed by administrators are logged for Ben Smith's mailbox:

    Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true

  5. Specify that the HardDelete action performed by the mailbox owner will be logged for Ben Smith's mailbox.

    Set-Mailbox -Identity "Ben Smith" -AuditOwner HardDelete -AuditEnabled $true

Enabling Administrator Audit Logging

To understand administrator audit logging, see Administrator audit logging in Exchange Server and Exchange and Shell Infrastructure Permissions in the Microsoft Exchange Documentation.

Use the Shell to specify Administrator Logging Settings, and specify logging settings for Administrator, Delegate, and Owner access.

  1. Enable administrator audit logging:

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

  2. Enable administrator audit logging for every cmdlet and every parameter in the organization, with the exception of Get Cmdlets:

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters *

  3. Enable administrator audit logging for specific Cmdlets run in the organization:

    Set-AdminAuditLogConfig –AdminAuditLogEnabled $true - AdminAuditLogCmdlets *Mailbox* -AdminAuditLogParameters *Address*

    Any parameter used on the specified Cmdlet is logged. Every time a specified cmdlet is run, a log entry is added to the audit log.

Enabling Execution of Microsoft Exchange PowerShell Scripts

Allow Microsoft Exchange PowerShell scripts to execute so that it can collect information about mailboxes and events from Microsoft Exchange.

To enable:

  1. Open Local Group Policy Editor.

  2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

  3. Set Turn on Script Execution to Enabled.

  4. Set Execution Policy to Allow local scripts and remote signed scripts.

Configuring Microsoft Exchange PowerShell

You must configure Microsoft Exchange PowerShell services to run with a privilege to receive exchange audit log.

To allow the services to run as a domain administrator:

  1. Open Windows services, and select ArcSight Microsoft Exchange PowerShell.

  2. Open Properties, click Log On.

  3. Click This Account > Browse > Locations, and select the domain name.

  4. Specify the domain administrator credentials.

Locating the Fully Qualified Domain Name

To allow Change Guardian Event Collector Addon for Windows Agent to retrieve events from the correct source, find the FQDN. Go to System in Windows Control Panel. Under Computer name, domain, and workgroup settings, and find the Full computer name.

Important Parameters

You should have the following parameters after setting up Exchange. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

Parameter

Description

Server FQDN

The fully qualified domain name to the Exchange Server

Frequency

The frequency, in seconds, at which each mailbox audit log is retrieved

PowerShell Path

The location of the PowerShell application

4.3.5 Installing Change Guardian Event Collector Addon for Windows Agent

To install Change Guardian Event Collector Addon for Windows Agent:

  1. In Agent Manager, click Manage Installation > Download Package.

  2. Download Change Guardian Event Collector Addon for Windows Agent.

  3. In the installer window, specify the local path in which you want to install Change Guardian Event Collector Addon for Windows Agent.

  4. Select the connectors to configure.

  5. Specify the location to store events in CEF.

    NOTE:Specify the same path in CEF Data Output Path in Agent Manger.

  6. Specify the values for File Rotation Interval and File Size.

    File Rotation Interval is the interval, in seconds, at which a new file is created. A new file is created when either the File Rotation Interval or the file size exceeds the set value. If the EPS is low in AWS IAM, set the file rotation and file size values lower than the default.

  7. Specify the parameters for the selected connectors.

    If your connector is

    Do this

    Dell EMC

    Specify the following:

    • Domain name, hostname, user name, and password

    • Enable SID Translation

    Microsoft Exchange

    Specify the following:

    • Server FQDN

    • Frequency

      Set any value between 1 and 600

    AWS IAM

    Specify the following:

    • (Optional) Proxy details such as host, port, username, and password

    • AWS Access Key

    • AWS Secret Key

    • AWS SQS URL

    • AWS SQS Region

    • AWS SQS Visibility Timeout

    • AWS SQS Max Received Count

    • AWS S3 Region

    Office 365

    Specify the following:

    • Azure Tenant Domain

    • Client ID

    • Client Secret

    • (Optional) Proxy server, port, username, and password

  8. (Optional) Open Windows services, and restart the following services:

    • ArcSight Dell EMC Unity and VNXe Storage

    • ArcSight Microsoft Exchange PowerShell

    • Arcsight Microsoft Office 365

    • Arcsight Amazon Web Services CloudTrail

    NOTE:After the installation, restart the services once to receive the events.

To modify the settings of any connector, launch Change Guardian Event Collector Addon for Windows Agent and click Modify against the desired collector name.