1.2 How Change Guardian Works

Innumerable activities take place on an asset, and the operating system logs a corresponding event for each of them. However, not all events require attention or pose a threat to the organization. A policy defines the filters on which Change Guardian bases its event collection. A policy definition contains information about the type of events to collect, the users who are allowed to make the change, the event severity, and so on. Change Guardian collects the event details such as who, what, when, and where. You can configure emails or alerts to receive notifications about the events of interest.

You can forward Change Guardian events to other software for further analysis and long-term retention: another Change Guardian server, a Sentinel server, Splunk Enterprise Security, or Micro Focus Security ArcSight Logger.

This section provides the following information:

1.2.1 Change Guardian Workflow

The following diagram illustrates how Change Guardian interacts with different components:

1.2.2 Change Guardian Architecture

The following diagram illustrates how Change Guardian works:

Components in the Diagram

Description

Assets

Endpoints from where Change Guardian agents collect events.

Change Guardian Agents

Windows- or UNIX-based software that collects event data from the assets and forwards it to the Change Guardian server.

Change Guardian Event Collector Addon for Windows Agent

Collects event data in the Common Event Format (CEF) from Dell EMC, Microsoft Exchange, AWS Identity and Access Management, and Office 365. The Change Guardian Agent for Windows reads the event details from the CEF data.

Change Guardian Server

A Linux-based computer that receives and stores the event data. The server also stores the policies that you create. You can also search for events, and create alerts and reports.

Agent Management

A central location where you can manage agents. You can deploy and manage your agents directly on the agent host machine, or remotely install agents using Agent Manager.

Policy Editor

A Windows-based console in which you can configure and manage policies, create and assign alert rules, configure event destinations, configure emails, and schedule monitoring.

Change Guardian Configuration Scanner

A Windows-based component that collects configuration data of endpoints in an Active Directory environment.

Change Guardian Web UI

Interfaces to dashboards and management consoles where you can view event details and agent status, view and triage alerts, create event routing rules and alert routing rules, manage users, and so on.

1.2.3 Top User Scenarios

Monitoring a Privileged User Account

Problem Statement: Adam Mandari is the Change Guardian administrator. His organization is required to adhere to the CIS policy Audit Account Lockout is set to include Failure for Microsoft Windows Server 2016. The policy mandates that multiple failed login attempts be monitored. The Head of Security investigates such incidents for any breach of security.

Resolution: Adam has to monitor the user account ‘Payroll’ for multiple failed logins associated with that account. Adam wants to configure an alert that notifies him when five unsuccessful login attempts are made using the ‘Payroll’ account.

Adam creates an Active Directory policy for User Accounts named payroll_login_activity with the following definition:

Monitors users accounts matching these user IDs Payroll
include only user account logged in events
include only failed events

Adam creates an alert rule specifying that an alert named alert_user_activity should be generated when five events are generated against the payroll_login_activity policy within 30 minutes. He also configures an email server so that he can receive emails about the user account logged in events.
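The alert rule described above is a sliding-window threshold: a policy filter keeps only the failed logons for the watched account, and an alert fires once five of them fall inside a 30-minute window. The following Python is an added example written for this page, not Change Guardian code; the event records, their field names, the host name HR-WS01 and the ThresholdAlertRule class are all constructed to show how such a rule behaves on a sample event stream, including a lone failure that ages out of the window without contributing to an alert.

```python
"""Added example, not Change Guardian code: a sliding-window alert rule.

Models the rule from the scenario above: fire alert_user_activity when five
events matching the payroll_login_activity policy occur within 30 minutes.
Event records, field names and the ThresholdAlertRule class are constructed
for this example and do not describe Change Guardian's internal format.
"""
from collections import deque
from datetime import datetime, timedelta

POLICY_NAME = "payroll_login_activity"
WATCHED_ACCOUNTS = {"Payroll"}   # "Monitors user accounts matching these user IDs"


def matches_policy(event):
    """Policy filter: keep only failed 'user account logged in' events
    for the watched accounts; everything else is discarded at collection."""
    return (event["account"] in WATCHED_ACCOUNTS
            and event["type"] == "user_account_logged_in"
            and event["outcome"] == "failure")


class ThresholdAlertRule:
    """Raises an alert once `count` policy matches fall inside `window`."""

    def __init__(self, name, count, window):
        self.name = name
        self.count = count
        self.window = window
        self._times = deque()   # timestamps of recent matches, oldest first

    def feed(self, event):
        ts = event["time"]
        self._times.append(ts)
        # Evict matches older than the window, measured from the newest one.
        while ts - self._times[0] > self.window:
            self._times.popleft()
        if len(self._times) < self.count:
            return None
        alert = {
            "alert": self.name,
            "policy": POLICY_NAME,
            "count": len(self._times),
            "first": self._times[0],
            "last": ts,
            "host": event["host"],        # where the attempts came from
            "account": event["account"],  # which account they targeted
        }
        self._times.clear()   # the next alert needs a fresh run of matches
        return alert


def run(events, count=5, window=timedelta(minutes=30)):
    """Feed events through the policy filter and the rule; return alerts raised."""
    rule = ThresholdAlertRule("alert_user_activity", count, window)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if matches_policy(ev):
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


def _ev(minute, account="Payroll", outcome="failure"):
    """Constructed sample event `minute` minutes after 09:00."""
    return {"time": datetime(2024, 1, 15, 9, 0) + timedelta(minutes=minute),
            "type": "user_account_logged_in", "outcome": outcome,
            "account": account, "host": "HR-WS01"}


# Constructed event stream: a burst of failures, a quiet gap, then a second burst.
SAMPLE_EVENTS = [
    _ev(0), _ev(3), _ev(7), _ev(12, outcome="success"), _ev(15),
    _ev(20, account="jdoe"), _ev(25),                  # fifth failure at 09:25 -> alert
    _ev(40),                                           # isolated, ages out of the window
    _ev(90), _ev(95), _ev(100), _ev(105), _ev(110),    # second burst -> alert
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a['alert']}: {a['count']} failures for {a['account']} on "
              f"{a['host']} between {a['first']:%H:%M} and {a['last']:%H:%M}")
```

The success event and the jdoe event never reach the rule because the policy filter drops them first, which is the same division of labour as in the scenario: the policy decides what is collected, the alert rule decides when collected events add up to something worth a notification. Clearing the window after an alert means a sustained attack produces one alert per five failures rather than one per event.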

Adam logs in to the Threat Response Dashboard to check the real-time alerts. When he receives the alert_user_activity alert in the dashboard, he finds the details of the user account logged in event. The event provides information about the machine on which the event occurred and the time at which it occurred. Using the Threat Response Dashboard, he can set a custom priority and assign the event to another administrator for investigation.

To monitor this event regularly, Adam uses the Event Dashboard and looks for the user account logged in event. Every week, Adam exports the event details as a report and shares it with the Head of Security.

Monitoring Changes to File Integrity

Problem Statement: Adam Mandari must ensure that his organization adheres to the CIS policy Audit Policy Change is set to include Success for Microsoft Windows Server 2016. The policy mandates that critical Human Resource files are modified within the domain of the organization.

Resolution: Adam wants to use the real-time change monitoring feature in Change Guardian. As the Change Guardian administrator, he creates a Change Guardian for Windows policy to monitor changes to the specific folder, with the following definition:

Monitors changes to contents in files in c:\payroll whose patterns match * 
include only file content difference events

When an attempt is made to modify any file in the C:\payroll directory, the Change Guardian Agent for Windows collects the “File integrity was changed” event from the Windows machine and sends it to the Change Guardian server. The event contains the name of the event, the Windows machine details, the user who triggered the event, the time at which the write action was performed, and the old and the changed content. Adam logs in to the web console and uses the Event Dashboard to view the event. He configures an alert that notifies him whenever a “File integrity was changed” event is generated, and uses the Threat Response Dashboard to analyze the real-time alerts.
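The event described above carries both the old and the changed content, which is what lets an administrator judge whether a write was legitimate. The following Python is an added example for this page, not Change Guardian code: it baselines a folder by content hash, rescans it after a simulated edit, and emits a "File integrity was changed" style event with a unified diff of old versus new content. The directory, the files and their contents, the user name adam, and the "File created" and "File deleted" event names are constructed for the example; a real agent sees writes as they happen rather than by rescanning, but the comparison it reports is the same.

```python
"""Added example, not Change Guardian code: baseline-and-rescan file integrity
check that emits "File integrity was changed" style events carrying the old and
the new content, mirroring the C:\\payroll scenario above.  The directory,
files, user name and event field names are constructed for this example.
"""
import difflib
import fnmatch
import hashlib
import os
import tempfile


def snapshot(root, pattern="*"):
    """Map each file under `root` whose name matches `pattern` to its
    (sha256, raw bytes).  Keeping the bytes lets a later diff show old content."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not fnmatch.fnmatch(name, pattern):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            snap[rel] = (hashlib.sha256(data).hexdigest(), data)
    return snap


def diff_events(before, after, user="unknown"):
    """Compare two snapshots: one event per file whose hash changed, plus
    constructed 'File created' / 'File deleted' events for added/removed files."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel in before and rel in after:
            old_hash, old_bytes = before[rel]
            new_hash, new_bytes = after[rel]
            if old_hash == new_hash:
                continue           # content unchanged, nothing to report
            old = old_bytes.decode("utf-8", "replace").splitlines()
            new = new_bytes.decode("utf-8", "replace").splitlines()
            events.append({
                "event": "File integrity was changed",
                "file": rel, "user": user,
                "old_sha256": old_hash, "new_sha256": new_hash,
                # unified diff of old vs changed content, one entry per line
                "diff": list(difflib.unified_diff(old, new, "old", "new", lineterm="")),
            })
        elif rel in after:
            events.append({"event": "File created", "file": rel, "user": user,
                           "new_sha256": after[rel][0]})
        else:
            events.append({"event": "File deleted", "file": rel, "user": user,
                           "old_sha256": before[rel][0]})
    return events


def demo():
    """Build a constructed payroll folder, baseline it, alter one file, rescan."""
    with tempfile.TemporaryDirectory() as root:
        payroll = os.path.join(root, "payroll")
        os.mkdir(payroll)
        salaries = os.path.join(payroll, "salaries.csv")
        with open(salaries, "w") as fh:
            fh.write("id,name,salary\n1,Ada,90000\n2,Bob,85000\n")
        with open(os.path.join(payroll, "readme.txt"), "w") as fh:
            fh.write("HR use only\n")
        baseline = snapshot(payroll, "*")        # "whose patterns match *"
        # Simulated unexpected edit to a monitored file.
        with open(salaries, "w") as fh:
            fh.write("id,name,salary\n1,Ada,90000\n2,Bob,185000\n")
        return diff_events(baseline, snapshot(payroll, "*"), user="adam")


if __name__ == "__main__":
    for ev in demo():
        print(ev["event"], ev["file"], "by", ev["user"])
        for line in ev.get("diff", []):
            print("   ", line)
```

Hashing decides whether anything changed at all; the stored bytes are only consulted for files whose hash differs, so an unchanged readme.txt produces no event and no diff. Retaining old content is what makes the "what changed" question answerable after the fact, which is the point of the policy's "file content difference" filter.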

Adhering to a Standard Benchmark

Problem Statement: Adam Mandari is the Change Guardian administrator, and he would like to ensure that all assets are running and are constantly monitored by Change Guardian policies. He has to ensure that the company adheres to the CIS benchmark for Microsoft Windows Server 2016.

Resolution: Before creating a Change Guardian policy to monitor the computers, Adam ensures that the computers are communicating with the Change Guardian server and that there are no auditing-related issues. Adam logs in to the web console and uses the Agent Health Dashboard to identify the status of Change Guardian agents. He reviews the diagnostic information of the agents in the warning state and identifies the auditing-related issue. After resolving the issues, he logs back in to the Agent Health Dashboard to view the updated status. When all Change Guardian agents are online, Adam uses Policy Editor to create policies in Change Guardian that ensure that the company adheres to CIS standards. He assigns the policies to agents to enable continuous monitoring.