FortiSIEM Configuring Cloud Applications

Configuring Cloud Applications

AccelOps supports these cloud applications for monitoring.

AWS Access Key IAM Permissions and IAM Policies

AWS CloudTrail API Configuration

AWS EC2 CloudWatch API Configuration

AWS RDS Configuration

Box.com Configuration

Cisco FireAMP Cloud Configuration

Google Apps Audit Configuration

Microsoft Azure AuditTrail Configuration

Microsoft Office365 Audit Configuration

Okta Configuration

Salesforce CRM Audit Configuration

 

 

AWS Access Key IAM Permissions and IAM Policies

To monitor AWS resources in AccelOps, an access key and its corresponding secret access key are needed. Before AWS IAM users were available, the recommendation was to create an access key at the level of the root AWS account. That practice has been deprecated since IAM users became available, as the AWS Security Credentials best-practice guide explains: IAM policies cannot restrict the root user, so a leaked root key exposes the whole account. If you are monitoring AWS with such keys, the first step is to delete them and create keys for a standalone IAM user dedicated to AccelOps monitoring. (The second sample CloudTrail event later on this page, with userIdentity/type=Root, shows what root-key API usage looks like in the audit trail.) This document explains how to create such a user, and what permissions and policies to add so that AccelOps can monitor your AWS environment.

Create IAM user for AccelOps monitoring

  1. Login to the IAM Console – Users Tab.
  2. Click Create Users
  3. Type in a username, e.g. aomonitoring under Enter User Names.
  4. Leave the Generate an access key for each user checkbox selected (select it if it is not).
  5. Click Download Credentials, then click Close.
  6. The downloaded CSV file contains the Access Key ID and Secret Access Key that you can use in AccelOps to monitor various AWS services. You will need to add permissions before you can actually add them in AccelOps.

Change permissions for IAM user

  1. Select the user aomonitoring.
  2. Switch to the Permissions tab.
  3. Click Attach Policy.
  4. Select AmazonEC2ReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AmazonRDSReadOnlyAccess, CloudWatchReadOnlyAccess and AmazonSQSFullAccess, then click Attach Policy.

You can skip attaching a policy if you do not use that service or do not plan to monitor it. For instance, if you do not use RDS, you do not need to attach AmazonRDSReadOnlyAccess. Note that AmazonSQSFullAccess also grants create, send and purge rights on every queue in the account; if you need the monitoring user held to least privilege, an inline policy allowing only sqs:ReceiveMessage, sqs:DeleteMessage and sqs:GetQueueAttributes on the CloudTrail queue ARN (created in the CloudTrail section below) is what a queue consumer needs. Confirm with Test Connectivity before detaching the managed policy.

  5. You can choose to provide blanket read-only access to all S3 buckets by attaching the policy AmazonS3ReadOnlyAccess. Alternatively, you can specify a more restricted policy as described in the next step.
  6. Identify the S3 bucket(s) that you have configured to store CloudTrail logs for each region. Create an inline policy, choose Custom Policy, and paste a policy that allows s3:ListBucket on those buckets and s3:GetObject on the objects in them. Make sure you replace the bucket names aocloudtrail1 and aocloudtrail2 with the ones you have configured.
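The two scoped policies the steps above call for, as an added example (Python, not FortiSIEM/AccelOps code): the inline S3 policy limited to the CloudTrail buckets, and a queue-consumer policy that can replace the managed AmazonSQSFullAccess policy when the monitoring user must be held to least privilege. The bucket names aocloudtrail1 and aocloudtrail2 come from the page; the account ID and queue ARN are placeholders. The policy_grants check at the end is a reviewer's quick test of what each document does and does not allow, not an IAM policy simulator.

```python
"""Least-privilege policies for the aomonitoring IAM user.

Added example, not FortiSIEM/AccelOps code. Builds the inline S3 policy the
page asks for and a queue-consumer policy as an alternative to the managed
AmazonSQSFullAccess policy, then checks what each grants. Bucket names come
from the page; the account ID and queue ARN are placeholders.
"""
import json


def s3_cloudtrail_read_policy(bucket_names):
    """Allow listing the named buckets and reading the objects in them.

    s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against
    object ARNs, so the two actions need different Resource entries. Nothing
    else (other buckets, writes, ACL or policy changes) is granted.
    """
    buckets = sorted(set(bucket_names))
    if not buckets:
        raise ValueError("at least one bucket name is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListCloudTrailBuckets", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
            {"Sid": "ReadCloudTrailObjects", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
        ],
    }


def sqs_consumer_policy(queue_arns):
    """Receive, delete and inspect messages on specific queues only.

    This is what a queue consumer needs. It deliberately omits CreateQueue,
    SendMessage, PurgeQueue and DeleteQueue, which AmazonSQSFullAccess grants
    on every queue in the account. The page does not state which SQS calls the
    AccelOps pull job makes, so verify with Test Connectivity before removing
    the managed policy.
    """
    arns = sorted(set(queue_arns))
    bad = [a for a in arns if not a.startswith("arn:aws:sqs:")]
    if bad or not arns:
        raise ValueError(f"expected SQS queue ARNs, got {bad or arns}")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "ConsumeCloudTrailQueue", "Effect": "Allow",
                       "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                                  "sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
                       "Resource": arns}],
    }


def _resource_matches(pattern, resource):
    """Match an IAM Resource entry; only the trailing '*' form used above is supported."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def policy_grants(policy, action, resource):
    """True if some Allow statement names this exact action on a matching resource.

    A reviewer's sanity check, not an IAM simulator: no Deny, Condition,
    NotAction or action wildcards, because the policies above use none.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if any(_resource_matches(p, resource) for p in stmt["Resource"]):
            return True
    return False


def to_json(policy):
    """The text to paste into the IAM console's custom policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(to_json(s3_cloudtrail_read_policy(["aocloudtrail1", "aocloudtrail2"])))
    # Placeholder account ID and the queue name used later on this page.
    print(to_json(sqs_consumer_policy(["arn:aws:sqs:us-east-1:123456789012:sqsaocloudtrail"])))
```

Paste the to_json() output into the IAM console's custom policy editor for the aomonitoring user. The object-level statement uses a trailing /* so that CloudTrail's dated key prefixes under AWSLogs/ are covered without widening access to any other bucket.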

 

 

 

AWS CloudTrail API Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

Sample Events for AWS CloudTrail

What is Discovered and Monitored

Protocol: CloudTrail API
Information Discovered: None
Metrics Collected: None
Used For: Security Monitoring

Event Types

In CMDB > Event Types, search for “Cloudtrail” in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring.

Rules

There are no predefined rules for this device. However,

Reports

In Analytics > Reports, search for “cloudtrail” in the Name column to see the reports associated with this device.

Configuration

 

 

AccelOps receives information about AWS events through the CloudTrail API. After creating an S3 bucket on AWS to store the log files, you configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) so that a notification is generated for each new log file and delivered through SQS. In your AccelOps virtual appliance you then enter access credentials so that AccelOps can communicate with CloudTrail as it would with any other device.

Create a new Cloudtrail

  1. Log in to https://console.aws.amazon.com/cloudtrail.
  2. Switch to the region for which you want to generate cloud trail logs.
  3. Click Trails.
  4. Click on Add New Trail
  5. Enter a Trail name such as aocloudtrail
  6. Select No for Apply Trail to all regions

You will need to create a cloudtrail for each region by following all the steps mentioned here for cloudtrail, SQS, and SNS. You cannot use ‘Apply Trail to all regions’ to collect trails for all regions in one S3 bucket and have AccelOps pull these logs. In the future, AccelOps will be enhanced to support this capability

  1. Select Yes for Create a new S3 bucket.
  2. For S3 bucket, enter a name like s3aocloudtrail.
  3. Click Advanced.
  4. Select Yes for Create a new SNS topic.
  5. For SNS topic, enter a name like snsaocloudtrail.
  6. Leave the rest of advanced settings to the default values
  7. Click Create.

A dialog will confirm that logging is turned on.

Configure Simple Queue Service (SQS) Delivery

  1. Log in to https://console.aws.amazon.com/sqs.
  2. Switch to the region in which you created a new cloudtrail above
  3. Click Create New Queue.
  4. Enter a Queue Name such as sqsaocloudtrail
  5. Enter the Queue Settings.
Default Visibility Timeout: 0 seconds
Message Retention Period: 10 minutes (this must be set to between 5 and 50 minutes; a lower value is recommended for high event rates to avoid event loss)
Maximum Message Size: 256 KB
Delivery Delay: 0 seconds
Receive Message Wait Time: 5 seconds

 

  1. Click Create Queue.
  2. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need this when configuring the Simple Notification Service below and when configuring the access credentials for AccelOps.

Set Up Simple Notification Service (SNS)

  1. Log in to https://console.aws.amazon.com/sns.
  2. Select Topics.
  3. Select the SNS topic snsaocloudtrail that you specified when creating the CloudTrail.
  4. Click Actions > Subscribe to topic from the menu to launch the Create Subscription popup.
  5. For Protocol, select Amazon SQS.
  6. For Endpoint, enter the ARN of the queue that you created when setting up SQS.
  7. Click Create Subscription.

Give Permission for Amazon SNS to Send Messages to SQS

  1. Log in to https://console.aws.amazon.com/sqs.
  2. Select the queue you created, sqsaocloudtrail.
  3. In the Queue Actions menu, select Subscribe Queue to SNS Topic.
  4. From the Choose a Topic dropdown, select the SNS topic snsaocloudtrail that you created earlier.
  5. The Topic ARN will be filled in automatically.
  6. Click Subscribe.

Subscribing from the SQS console also adds an access policy to the queue that allows the topic to call sqs:SendMessage on it; without that policy SNS cannot deliver to the queue, and the CloudTrail notifications are silently lost.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery. You do not need to initiate discovery of AWS CloudTrail, but you should check that AccelOps is pulling events for AWS by looking for an amazon.com entry in Admin > Setup Wizard > Event Pulling.
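What the pull job actually receives from this pipeline, as an added example (Python; not FortiSIEM/AccelOps code, and nothing here was captured from AWS): the SNS envelope that the SNS-to-SQS subscription wraps around each CloudTrail notification, the s3Bucket/s3ObjectKey list inside it, the gzip-compressed Records file those keys point at, and the two consumer rules the queue settings above impose. With a 0-second Default Visibility Timeout a message that has been received but not yet deleted is immediately visible again, and SQS delivers at least once in any case, so the consumer deletes a message only after reading every object it names and de-duplicates records on eventID. The account ID and names are the page's; the object key, records and messages are constructed.

```python
"""Consume CloudTrail log-file notifications from the SQS queue set up above.

Added example, not FortiSIEM/AccelOps code. Account ID and names are the
page's; the object key, CloudTrail records and queue messages are constructed
here, not captured from AWS.
"""
import gzip
import json

ACCOUNT = "623885071509"                  # account ID from the page's sample events
BUCKET = "s3aocloudtrail"                 # bucket name used in the page's steps
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:snsaocloudtrail"
# Constructed object key in CloudTrail's documented AWSLogs/<account>/CloudTrail/<region>/... layout.
LOG_KEY = (f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2014/10/10/"
           f"{ACCOUNT}_CloudTrail_us-east-1_20141010T0640Z_example.json.gz")


def parse_notification(sqs_body):
    """Return (bucket, [object keys]) from one SQS message body, or None.

    Without raw message delivery (the default the page's subscription uses)
    the body is the SNS envelope and the CloudTrail notification is the JSON
    string in its "Message" field; with raw delivery the body is the
    notification itself. CloudTrail's initial topic-validation notice is not
    JSON and names no objects, so it comes back as None.
    """
    try:
        outer = json.loads(sqs_body)
        if isinstance(outer, dict) and outer.get("Type") == "Notification" and "Message" in outer:
            note = json.loads(outer["Message"])   # SNS envelope
        else:
            note = outer                          # raw message delivery
    except ValueError:
        return None
    if not isinstance(note, dict) or "s3Bucket" not in note or "s3ObjectKey" not in note:
        return None
    return note["s3Bucket"], list(note["s3ObjectKey"])


def records_from_log_file(gz_bytes):
    """CloudTrail log files are gzip-compressed JSON with a top-level "Records" list."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))["Records"]


def process_batch(messages, fetch_object, seen_event_ids=None):
    """Turn a ReceiveMessage batch into CloudTrail records.

    Returns (records, receipt handles that are now safe to delete). A handle
    is returned only once every object the message names was read, so a
    message whose object is missing stays on the queue and is re-polled.
    SQS is at-least-once and a 0 s visibility timeout redelivers at once, so
    records are de-duplicated on eventID across calls via seen_event_ids.
    """
    seen = seen_event_ids if seen_event_ids is not None else set()
    records, deletable = [], []
    for msg in messages:
        parsed = parse_notification(msg["Body"])
        if parsed is None:                     # validation notice or junk: nothing to fetch
            deletable.append(msg["ReceiptHandle"])
            continue
        bucket, keys = parsed
        try:
            new = [rec for key in keys for rec in records_from_log_file(fetch_object(bucket, key))]
        except (KeyError, OSError, ValueError):
            continue                           # leave the message visible for a retry
        for rec in new:
            if rec["eventID"] not in seen:
                seen.add(rec["eventID"])
                records.append(rec)
        deletable.append(msg["ReceiptHandle"])
    return records, deletable


# --- Constructed sample data (modelled on the page's two sample events) ----
SAMPLE_LOG = {"Records": [
    {"eventVersion": "1.01", "eventID": "fdf8f837-7e75-46a0-ac95-b6d15993ebf7",
     "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "John.Adams"}},
    {"eventVersion": "1.01", "eventID": "351bda80-39d4-41ed-9e4d-86d6470c2436",
     "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "userName": "accelops"}},
]}
SAMPLE_OBJECTS = {(BUCKET, LOG_KEY): gzip.compress(json.dumps(SAMPLE_LOG).encode("utf-8"))}


def _envelope(message):
    """SNS -> SQS envelope as the queue consumer sees it (constructed)."""
    return json.dumps({"Type": "Notification", "TopicArn": TOPIC_ARN, "Message": message})


_NOTE = json.dumps({"s3Bucket": BUCKET, "s3ObjectKey": [LOG_KEY]})
SAMPLE_MESSAGES = [
    {"ReceiptHandle": "rh-validation", "Body": _envelope("CloudTrail validation message.")},
    {"ReceiptHandle": "rh-1", "Body": _envelope(_NOTE)},
    {"ReceiptHandle": "rh-1-redelivered", "Body": _envelope(_NOTE)},     # at-least-once duplicate
    {"ReceiptHandle": "rh-missing",
     "Body": _envelope(json.dumps({"s3Bucket": BUCKET, "s3ObjectKey": ["AWSLogs/not-there.json.gz"]}))},
]


def fetch_sample_object(bucket, key):
    """Stand-in for s3.get_object(...)["Body"].read(); raises KeyError when the object is absent."""
    return SAMPLE_OBJECTS[(bucket, key)]


if __name__ == "__main__":
    recs, handles = process_batch(SAMPLE_MESSAGES, fetch_sample_object)
    for rec in recs:
        print(rec["eventName"], rec["userIdentity"]["type"])
    print("delete:", handles)
```

In production fetch_object wraps s3.get_object and the returned handles go to DeleteMessageBatch; the seen-eventID set must outlive a single poll (or be replaced by an idempotent write into the event store), because the redelivery window with a 0-second visibility timeout is the whole retention period.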

Settings for Access Credentials
Sample Events for AWS CloudTrail

Fri Oct 10 14:44:23 2014 AccelOps-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true [additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1 [eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null [responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10 [userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams [userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW [userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams

Fri Oct 10 14:19:45 2014 AccelOps-CloudTrail [awsRegion]=us-east-1 [eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2 [eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01 [requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803 [requestParameters/filterSet/items/0/name]=private-ip-address [requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233 [responseElements]=null [sourceIPAddress]=211.144.207.10 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:root [userIdentity/principalId]=623885071509 [userIdentity/type]=Root [userIdentity/userName]=accelops

AWS EC2 CloudWatch API Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Settings for Access Credentials

Sample events

What is Discovered and Monitored
Protocol: CloudWatch API
Information Discovered: Machine name, Internal Access IP, Instance ID, Image ID, Availability Zone, Instance Type, Volume ID, Status, Attach Time
Metrics Collected: CPU Utilization, Received Bits/sec, Sent Bits/sec, Disk reads (Instance Store), Disk writes (Instance Store), Disk reads/sec (Instance Store), Disk writes/sec (Instance Store), Packet loss, Read Bytes (EBS), Write Bytes (EBS), Read Ops (EBS), Write Ops (EBS), Disk Queue (EBS)
Used For: Performance Monitoring

Event Types

PH_DEV_MON_EC2_METRIC captures EC2 instance metrics (first sample event below)
PH_DEV_MON_EBS_METRIC captures EBS volume metrics (second sample event below)

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. You should also be sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure.

Settings for Access Credentials

 

Sample events

[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com,[hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0.000000,[diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[diskWriteReqPerSec]=0.000000,[sentBytes]=131,[recvBytes]=165,[sentBitsPerSec]=17.493333,[recvBitsPerSec]=22.026667,[phLogDetail]=

[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cpp,[lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.amazonaws.com,[hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vol-63287d9f,[diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395556,[ioReadsPerSec]=0.000000,[ioWritesPerSec]=0.010000,[diskQLen]=0,[phLogDetail]=

 

 

AWS RDS Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored
Type: Relational Database Service (RDS)
Protocol: CloudWatch API
Information Discovered: None
Metrics Collected: CPU Utilization, User Connections, Free Memory, Free Storage, Used Swap, Read Latency, Write Latency, Read Ops, Write Ops
Used For: Performance Monitoring

Event Types

PH_DEV_MON_RDS_METRIC  captures RDS metrics

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration
  1. Create an AWS credential:
    1. Go to Admin > Credentials > Step 1: Enter Credentials.
    2. Click Add.
    3. Set Device Type to Amazon AWS RDS.
    4. Set Access Protocol to AWS SDK.
    5. Set Region to the region in which your AWS instance is located.
    6. Set Access Key ID and Secret Key to the access key ID and secret key created for AWS monitoring.
    7. Click Save.
  2. Create an IP-to-credential mapping:
    1. Set IP/IP Range to com.
    2. Choose the credential created in Step 1.
  3. Click Test Connectivity to make sure the credential is working correctly.
  4. Go to Admin > Discovery:
    1. Set Discovery Type to AWS Scan.
    2. Click OK to save.
    3. Select the entry and click Discover.
  5. After discovery finishes, check CMDB > Amazon Web Services > AWS Database.

Sample Events

[PH_DEV_MON_RDS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAwsRDS.cpp,[lineNumber]=104,[hostName]=mysql1.cmdzvvce07ar.ap-northeast-1.rds.amazonaws.com,[hostIpAddr]=54.64.131.93,[dbCpuTimeRatio]=1.207500,[dbUserConn]=0,[dbEnqueueDeadlocksPerSec]=0.000587,[freeMemKB]=489,[freeDiskMB]=4555,[swapMemUtil]=0.000000,[ioReadsPerSec]=0.219985,[ioWritesPerSec]=0.213329,[devDiskRdLatency]=0.08,[devDiskWrLatency]=0.4029,[phLogDetail]=

Box.com Configuration
What is Discovered and Monitored
Protocol: Box.com API
Information Discovered: Creation, deletion, and modification activity for specific files or folders
Metrics Collected: File-sharing properties, including whether the file is shared, password protected, or preview/download enabled, and how many times the file was downloaded or viewed

Event Types

In CMDB > Event Types, search for “box.com” and look for BOX events in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps can monitor a directory or subdirectory, for example /All Files or /All Files/my files, or a single file, for example /All Files/my files/user guide.pdf. When you set up the access credentials for AccelOps to communicate with Box.com, you provide the path to the folder or files you want to monitor, so have your Box.com storage set up before you set up your access credentials. You also do not need to initiate discovery of Box.com as you would with other devices, but after you have successfully set up access credentials you should go to Admin > Setup Wizard > Event Pulling and make sure that a Box.com event pulling job has been created.

Settings for Access Credentials

Sample Box.com Events

//the following event is generated when a folder called share was created using the box.usage@gmail.com account
[PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=625,[fileType]=folder,[targetName]=share,[fileSize64]=0,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,[userId]=225282673,[accessTime]=1412700374,[accountName]=box.usage@gmail.com,[fileId]=2541809279,[fileVersion]=1,[targetHashCode]=,[phLogDetail]=

//the following event is generated when a file called All Files/share/b.txt was created using the box.usage@gmail.com account
[PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=625,[fileType]=file,[targetName]=b.txt,[fileSize64]=0,[filePath]=/All Files/share,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,[userId]=225282673,[accessTime]=1412700377,[accountName]=box.usage@gmail.com,[fileId]=21701906465,[fileVersion]=1,[targetHashCode]=da39a3ee5e6b4b0d3255bfef95601890afd80709,[phLogDetail]=

//the following event is generated when a file called All Files/share/b.txt was deleted using the box.usage@gmail.com account
[PH_DEV_MON_BOX_FILE_DELETE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=503,[fileType]=file,[targetName]=b.txt,[fileSize64]=0,[filePath]=/All Files/share,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,[userId]=225282673,[accessTime]=0,[accountName]=box.usage@gmail.com,[fileId]=21701844673,[fileVersion]=1,[targetHashCode]=da39a3ee5e6b4b0d3255bfef95601890afd80709,[phLogDetail]=

//the following event is generated when a file called All Files/share/a.txt was modified using the box.usage@gmail.com account
[PH_DEV_MON_BOX_FILE_MODIFY]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=652,[fileType]=file,[targetName]=a.txt,[fileSize64]=8,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,[userId]=225282673,[accessTime]=1412700491,[accountName]=box.usage@gmail.com,[fileId]=21701903189,[fileVersion]=2,[targetHashCode]=0a74245f78b7339ea8cdfc4ac564ed14dc5c22ad,[phLogDetail]=

//the following event is generated periodically for each monitored file and folder
[PH_DEV_MON_BOX_FILE_SHARE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=601,[fileType]=folder,[targetName]=share,[fileSize64]=0,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[accountName]=box.usage@gmail.com,[fileId]=2541809279,[fileVersion]=1,[infoURL]=https://app.box.com/s/zinef627pyuexdcxir1q,[downloadURL]=,[filePasswordEnabled]=no,[filePreviewEnabled]=yes,[fileDownloadEnabled]=yes,[fileUnshareAtTime]=-1,[filePreviewCount]=0,[fileDownloadCount]=0,[phLogDetail]=
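The CloudTrail and Box.com sections above both state that no predefined rules ship for these sources. Here, as an added example (Python, not FortiSIEM/AccelOps code), are the first checks a practitioner would write, run over the page's own sample events (abbreviated, with the extraction line breaks removed): a successful console login with additionalEventData/MFAUsed=No, any API call whose userIdentity/type is Root (the second CloudTrail sample, which is exactly the root-key usage the IAM section says to eliminate), and a PH_DEV_MON_BOX_FILE_SHARE event whose shared link has no password and allows downloads. The finding names are this example's own. A side note for hash matching: targetHashCode in the Box create/modify events is a SHA-1; da39a3ee5e6b4b0d3255bfef95601890afd80709 is the SHA-1 of zero bytes, consistent with fileSize64=0.

```python
"""Screen AccelOps-formatted CloudTrail and Box.com events for rule-worthy conditions.

Added example, not FortiSIEM/AccelOps code. The sample lines are the page's
own sample events, abbreviated; the finding names are this example's own.
"""
import re

# One [key]=value pair. CloudTrail events separate pairs with a space, Box
# events with a comma; values may contain spaces, so a value runs until the
# next "[key]=" or the end of the line.
_PAIR = re.compile(r"\[([^\]]+)\]=(.*?)(?=\s*,?\s*\[[^\]]+\]=|$)")
_TYPE = re.compile(r"^\[([A-Za-z0-9_]+)\]:")


def event_type(line):
    """Bracketed type for PH_* events; CloudTrail lines carry only the collector tag."""
    m = _TYPE.match(line)
    if m:
        return m.group(1)
    return "CloudTrail" if "AccelOps-CloudTrail" in line else "unknown"


def parse_event(line):
    """Return the [key]=value pairs of one event as a dict."""
    return {k: v.strip() for k, v in _PAIR.findall(line)}


def screen_cloudtrail(ev):
    findings = []
    if ev.get("userIdentity/type") == "Root":           # root keys cannot be policy-scoped
        findings.append("root-credential-use")
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements/ConsoleLogin") == "Success"
            and ev.get("additionalEventData/MFAUsed") == "No"):
        findings.append("console-login-without-mfa")
    return findings


def screen_box_share(ev):
    """Only PH_DEV_MON_BOX_FILE_SHARE events carry the sharing fields."""
    if (ev.get("infoURL")
            and ev.get("filePasswordEnabled") == "no"
            and ev.get("fileDownloadEnabled") == "yes"):
        return ["shared-link-no-password-download-enabled"]
    return []


def screen_all(lines):
    """Parse and screen each line; return only the lines that produced findings."""
    out = []
    for i, line in enumerate(lines):
        etype = event_type(line)
        ev = parse_event(line)
        if etype == "CloudTrail":
            findings = screen_cloudtrail(ev)
        elif etype == "PH_DEV_MON_BOX_FILE_SHARE":
            findings = screen_box_share(ev)
        else:
            findings = []
        if findings:
            out.append({"index": i, "type": etype, "findings": findings})
    return out


SAMPLE_EVENTS = [
    # 1. Page's first CloudTrail sample: IAM user console login, MFA not used.
    "Fri Oct 10 14:44:23 2014 AccelOps-CloudTrail [additionalEventData/MFAUsed]=No "
    "[awsRegion]=us-east-1 [eventName]=ConsoleLogin [eventSource]=SIGNIN "
    "[responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10 "
    "[userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/37.0.2062.120 Safari/537.36 [userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams "
    "[userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams",
    # 2. Page's second CloudTrail sample: API call signed with a root-account access key.
    "Fri Oct 10 14:19:45 2014 AccelOps-CloudTrail [awsRegion]=us-east-1 [eventName]=DescribeInstances "
    "[eventSource]=EC2 [sourceIPAddress]=211.144.207.10 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 "
    "curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A "
    "[userIdentity/arn]=arn:aws:iam::623885071509:root [userIdentity/type]=Root [userIdentity/userName]=accelops",
    # 3. Page's periodic Box share-state sample: shared link, no password, downloads allowed.
    "[PH_DEV_MON_BOX_FILE_SHARE]:[eventSeverity]=PHL_INFO,[fileType]=folder,[targetName]=share,"
    "[filePath]=/All Files,[fileOwner]=box usage,[accountName]=box.usage@gmail.com,[fileId]=2541809279,"
    "[infoURL]=https://app.box.com/s/zinef627pyuexdcxir1q,[downloadURL]=,[filePasswordEnabled]=no,"
    "[filePreviewEnabled]=yes,[fileDownloadEnabled]=yes,[fileUnshareAtTime]=-1,[fileDownloadCount]=0,[phLogDetail]=",
    # 4. Page's Box file-create sample: carries no sharing fields, so nothing to flag.
    "[PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileType]=file,[targetName]=b.txt,[fileSize64]=0,"
    "[filePath]=/All Files/share,[fileOwner]=box usage,[user]=box usage,[accountName]=box.usage@gmail.com,"
    "[fileId]=21701906465,[targetHashCode]=da39a3ee5e6b4b0d3255bfef95601890afd80709,[phLogDetail]=",
]

if __name__ == "__main__":
    for hit in screen_all(SAMPLE_EVENTS):
        print(hit)
```

The share check is deliberately a review trigger rather than a verdict: the event says whether the link is password protected and downloadable, not who can reach it, so the analyst still has to confirm the link's access level in Box.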

Cisco FireAMP Cloud Configuration

What is Discovered and Monitored

Configuration

Sample Events for Cisco FireAMP Cloud

What is Discovered and Monitored
Protocol: FireAMP Cloud API
Logs Collected: Endpoint malware activity
Used For: Security Monitoring

Event Types

In CMDB > Event Types, search for “Cisco FireAMP Cloud” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Cisco FireAMP Cloud

Reports

There are no predefined reports for Cisco FireAMP Cloud.

Configuration

Create Cisco FireAMP Cloud Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Cisco FireAMP Cloud
  5. For Access Protocol, select FireAMP Cloud API
  6. For Password Configuration, select Manual or CyberArk.
  7. For the Manual credential method, enter the Client ID and Client Secret; for the CyberArk credential method, specify the CyberArk properties.
  8. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter amp.sourcefire.com
  5. For Credentials, enter the name of the credential created in the “Create Cisco FireAMP Cloud Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Cisco FireAMP Cloud.
Sample Events for Cisco FireAMP Cloud

[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL,[connectorGUID]=d2f5d61f-feb0-4b67-80fd-073655b86425,[date]=2015-11-25T19:17:39+00:00,[detection]=W32.DFC.MalParent,[detectionId]=6159251516445163587,[eventId]=6159251516445163587,[eventType]=Threat Detected,[eventTypeId]=1090519054,[fileDispostion]=Malicious,[fileName]=rjtsbks.exe,[fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370,[hostName]=Demo_TeslaCrypt

Google Apps Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Google Apps Audit

What is Discovered and Monitored
Protocol: Google Apps Admin SDK
Logs Collected: Configuration Change, Account Create/Delete/Modify, Account Group Create/Delete/Modify, Document Create/Delete/Modify/Download, Document Permission Change, Logon Success, Logon Failure, Device compromise
Used For: Security Monitoring

Event Types

In CMDB > Event Types, search for “Google_Apps” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Google Apps

Reports

There are many reports defined in Analytics > Reports > Device > Application > Document Mgmt. Search for “Google Apps”.

Configuration

Create a Google App Credential in Google API Console

  1. Logon to Google API Console
  2. Under Dashboard, create a Google Apps Project
    1. Project Name – enter a name
    2. Click Create
  3. Under Dashboard, click Enable API to activate Reports API service for this project
  4. Create a Service Account Key for this project
    1. Under Credentials, click Create Credentials > Create Service Account Key
    2. Choose Key type as JSON
    3. Click Create
    4. A JSON file containing the Service Account credentials will be stored in your computer
  5. Enable Google Apps Domain-wide delegation
    1. Under IAM & Admin section, choose the Service account
    2. Check Enable Google Apps Domain-wide Delegation
    3. Click Save
  6. View Client ID
    1. Under IAM & Admin section, choose the Service account
    2. Click View Client ID
  7. Delegate domain-wide authority to the service account created in Step 4
    1. Go to your Google Apps domain’s Admin console
    2. Select Security from the list of controls. If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
    3. Select Advanced settings from the list of options.
    4. Select Manage API Client access in the Authentication section
    5. In the Client name field enter the service account’s Client ID (Step 6)
    6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to.

Define Google App Credential in FortiSIEM

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Google Google Apps
  5. For Access Protocol, select Google Apps Admin SDK
  6. Enter the User Name
  7. For Service Account Key, upload the JSON credential file (Step 4d above)
  8. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter com
  5. For Credentials, enter the name of credential created in the “Google App Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Google Apps Audit Log Collection.
Sample Events for Google Apps Audit

Logon Success

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.email]=api1@accelops.net,[event.name]=login_success,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_success,1,45.79.100.103,

Logon Failure

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[event.type]=login,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_failure,1,45.79.100.103,

Create User

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103,

Delete user

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6vJtuUQW9ugx0""",Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.79.100.103,

Move user to organizational unit

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[event.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_ORG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-6704816947489240452,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[event.parameters.NEW_VALUE]=/,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/r1v9DiPZbL06fXFFjJlrWf2s3qI""",Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,

Microsoft Azure AuditTrail Configuration

What is Discovered and Monitored

Configuration

Sample Events for Microsoft Azure Audit Trail

What is Discovered and Monitored
Protocol: Azure CLI
Information Discovered: None
Metrics Collected: None
Used For: Security Monitoring

Event Types

In CMDB > Event Types, search for “Microsoft Azure Audit” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Microsoft Azure Audit

Reports

There are no predefined reports for Microsoft Azure Audit.

Configuration

Create Microsoft Azure Audit Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Microsoft Azure Audit
  5. For Access Protocol, select Azure CLI
  6. For Password Configuration, select Manual or CyberArk.
  7. For the Manual credential method, enter the user name and credentials; for the CyberArk credential method, specify the CyberArk properties.
  8. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter an IP address.
  5. For Credentials, enter the name of credential created in the “Microsoft Azure Audit Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Microsoft Azure Audit Log Collection.
Sample Events for Microsoft Azure Audit Trail

2016-02-26 15:19:10 AccelOps-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,[caller]=Cuiping.Wang@shashiaccelops.onmicrosoft.com,[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative

Microsoft Office365 Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Microsoft Office365 Audit

What is Discovered and Monitored
Office 365 Activity Type: Operations

File and folder activities: FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted, FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded

Sharing and access request activities: AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked

Synchronization activities: ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial

Site administration activities: ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated

Exchange mailbox activities: Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin

Sway activities: SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView

User administration activities: Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user

Group administration activities: Add group, Add member to group, Delete group, Remove member from group, Update group

Application administration activities: Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry

Role administration activities: Add role member to role, Remove role member from role, Set company contact information

Directory administration activities: Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain

Event Types

In CMDB > Event Types, search for “MS_Office365” in the Search column to see the event types associated with Office 365.

Rules

There are no predefined rules for Office 365

Reports

There are many reports defined in Analytics > Reports > Device > Application > Document Mgmt. Search for “Office365”

Configuration

Create Office365 API Credential

  1. Check your Office365 account:
    1. Log in to Microsoft Online with your Office account.
    2. Navigate to Office home > Admin center > Billing > Purchase services > Office 365 Business Premium.
    3. Make sure you have an Office 365 Business Premium subscription.
  2. Create an X.509 certificate and extract some values:
    1. Download the Windows SDK and install it on your workstation.
    2. In Windows PowerShell, run these commands and make sure they succeed.
    3. Open certmgr.msc and export the new X.509 certificate (office365Cert) by clicking Action > All Tasks > Export. Choose Do not export the private key, choose Base-64 encoding, and specify the file name to export.
    4. Run the following PowerShell commands to get the values $base64Value, $base64Thumbprint and $keyid from the X.509 certificate for use in the next step.

After running these commands, the values will be set as follows:

(prompt)> $keyid
a8a98039-aa56-4497-ab82-d7c419e70eca

(prompt)> $base64Thumbprint
A7DP44d3q++M+Cq5MQdFZDcwbr4=

(prompt)> $base64Value
MIIC/zCCAeugAwIBAgIQTdQI9aEaZ4FP/zTqmOXZrzAJBgUrDgMCHQUAMBgxFjAUBgNVBAMTDU9mZmljZTM2NUNlcnQwHhcNMTYwMzE1MDgwMDAwWhcNMTgwMzE1MDgwMDAwWjAYMRYwFAYDVQQDEw1PZmZpY2UzNjVDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9IG5ZNQ9xrtolAc2jUItRhwjmFKsdST+GTlzax7bXiQl8Zp905DUBgfSyAQr77r/2cDRkf0mV7wW/2i+Pqbfi9CYwzjINLyzqxBL5lJPwzVo8aqi/ykILCsbBX6prGvc/TJXjWHbP90AHfZUt6cDPN3CrE98s3gZlWwz7wDnJP5AU/FXx4Cf4gPZOMEBPRdJqQwIZgLzHk0oDg9kXFoiwDKORsTiamSMd34nncmmNivrqjKM57pa6jacxWFwbXDov6TlxLmtniHuH1psMRj/+jkmucoF2c2cRvTdqFePEqoWemB/np7Zwjj6VTruI5Zld22CcNIJY4ZbheAgYMXmwIDAQABo00wSzBJBgNVHQEEQjBAgBBekE2Kf2vBlJdfJmP+pAtAoRowGDEWMBQGA1UEAxMNT2ZmaWNlMzY1Q2VydIIQTdQI9aEaZ4FP/zTqmOXZrzAJBgUrDgMCHQUAA4IBAQANiw//Vxe04mUInzJUSNXCOUJFj9HWDzQfbfBOWQQ9YiVm7o0qmSHR8bkaKTxNDl4ng0i6WpMnzmodJjtDpn4I7ZmwAYehBiFWlUVhAW+M00bvOezcROiscOBuvWd6dQ7Op0XDpYGRnBctCv3w+YWs0f3odrLCECvO3dk5QJbk500+S8QkLmoVv31/T1BEHnIaY3YudiVO/EpM8n7I/o8YlThHqqSQ6WGeMxYA+ts7yi+Jm++mV6xScK9qWdCbB4BW4ePZWxXit5Bod+kC9iSco3o44hmmZdohUpF0t08Gu27dMXsaltd7djb7KeqxZrXihfFC8XeFRBoPALIB52Ud

  3. Create FortiSIEM application in Azure
    1. Login to Azure
    2. Click Active Directory in the left panel
    3. Click Default Directory on the right
    4. Select the APPLICATIONS tab, then click ADD
    5. Fill in the application details and click Next
      1. Name – FortiSIEM
      2. Type – Choose WEB Application AND/OR API
      3. Fill in the App properties and click Done
        - Sign-on URL – https://<Supervisor IP>
        - App ID URL – https://<Supervisor IP>
    6. Click the application (FortiSIEM) in the left panel and choose the Configure tab
    7. On the Configure tab
      1. Client ID is displayed
      2. User assignment required – No
      3. Keys – Select time duration
      4. Save
      5. Key is now displayed – copy this key to your local workstation. You will not be able to retrieve it once you leave this page.
      6. In the command bar, click Manage Manifest and select Download Manifest
  4. Edit the JSON file downloaded in Step 3.g.vi
    1. Enter the following in the “keyCredentials” section
    2. The credential file looks like this
  5. Store the JSON file. Click Upload Manifest to upload it to Azure
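The certificate values and the keyCredentials entry, as an added example that is not part of the original guide: it assumes the certificate exported from certmgr.msc is at C:\certs\office365Cert.cer and the downloaded manifest at C:\certs\manifest.json (both placeholder paths), derives $base64Value, $base64Thumbprint and $keyid, and writes the resulting keyCredentials entry back into the manifest for Upload Manifest.

```powershell
# Added example, not from the FortiSIEM guide. Paths below are placeholders; adjust them.
$certPath     = 'C:\certs\office365Cert.cer'   # Base-64 export, public certificate only
$manifestPath = 'C:\certs\manifest.json'       # manifest downloaded from the Azure application

# Load the exported certificate (the constructor accepts both DER and Base-64 .cer files).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Only the public certificate belongs in the manifest; stop if a private key was exported by mistake.
if ($cert.HasPrivateKey) {
    throw "Export the certificate again with 'Do not export private key' selected."
}

# value               = Base-64 of the raw DER certificate (the long $base64Value string)
# customKeyIdentifier = Base-64 of the certificate's SHA-1 hash (the $base64Thumbprint value)
# keyId               = a fresh GUID that identifies this credential entry in Azure
$base64Value      = [System.Convert]::ToBase64String($cert.GetRawCertData())
$base64Thumbprint = [System.Convert]::ToBase64String($cert.GetCertHash())
$keyid            = [System.Guid]::NewGuid().ToString()

# Cross-check: the hash we encoded must match the thumbprint certmgr.msc shows for office365Cert.
$hexHash = ($cert.GetCertHash() | ForEach-Object { $_.ToString('X2') }) -join ''
if ($hexHash -ne $cert.Thumbprint) { throw 'Certificate hash does not match the thumbprint.' }

# The keyCredentials object in the shape the Azure application manifest expects.
$keyCredential = [ordered]@{
    customKeyIdentifier = $base64Thumbprint
    keyId               = $keyid
    type                = 'AsymmetricX509Cert'
    usage               = 'Verify'
    value               = $base64Value
}

# Insert (or replace) the keyCredentials section of the downloaded manifest and save it.
$manifest = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
$manifest | Add-Member -NotePropertyName keyCredentials -NotePropertyValue @($keyCredential) -Force
$manifest | ConvertTo-Json -Depth 10 | Set-Content -Path $manifestPath

Write-Host "keyId=$keyid"
Write-Host "base64Thumbprint=$base64Thumbprint"
Write-Host "Updated manifest written to $manifestPath; upload it with Upload Manifest."
```

Keep the .pfx with the private key off the manifest entirely; Azure only needs the public certificate to verify FortiSIEM's token requests.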

Permit Office365 Monitoring

  1. Continue with Step 5 above
  2. Choose Office 365 Activities
    1. Microsoft 365 Management APIs – Yes
    2. Microsoft Sharepoint Online – Yes
  3. Allow read permission to the chosen Office365 activities

Define Office365 Management Credential in FortiSIEM

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
    1. For Name, provide a name for reference
    2. For Device Type, select Microsoft Office365
    3. For Access Protocol, select Office365 Mgmt Activity API
    4. For Tenant ID, use the ID from Azure Login URL

    5. For Password Configuration, select Manual or CyberArk
    6. For Client ID, use the value from Step 3.g.i in Create Office365 API Credential
    7. For Client Secret, use the value from Step 3.g.v in Create Office365 API Credential
    8. For Manual credential method, enter the user name, password and Security Token.
    9. For CyberArk credential method, specify CyberArk properties.
  4. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter office.com
  5. For Credentials, enter the name of the credential created in the Define Office365 Management Credential step 3a
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Office365 Log Collection

Okta Configuration

AccelOps can integrate with Okta as a single-sign service for AccelOps users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta to use as a single-sign on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, AccelOps will begin to monitor Okta events.

What is Discovered and Monitored

Event Types

Rules

Reports

Sample Okta Event

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Okta API | | |

Event Types

In CMDB > Event Types, search for “okta” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Sample Okta Event

Mon Jul 21 15:50:26 2014 AccelOps-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 [actors/0/ipAddress]=211.144.207.10 [actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client [eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000 [eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z [requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=YaXin Hu [targets/0/id]=00uvdkhrxcPNGYWISAGK [targets/0/login]=YaXin.Hu@accelops.com [targets/0/objectType]=User

Salesforce CRM Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Salesforce Audit

What is Discovered and Monitored

Protocol | Logs Collected | Used For
Salesforce API | Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity, Report Export Activity, Report Activity, Document Download Activity | Security Monitoring

Event Types

In CMDB > Event Types, search for “Salesforce Audit” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Salesforce CRM Audit

Reports

There are many reports defined in Analytics > Reports > Device > Application > CRM, including:

Salesforce Failed Logon Activity

Salesforce Successful Logon Activity

Top Browsers By Failed Login Count

Top Browsers By Successful Login Count

Top Salesforce Users By Failed Login Count

Top Salesforce Users By Successful Login Count

Top Successful Salesforce REST API Queries By Count, Run Time

Top Failed Salesforce Failed REST API Queries By Count, Run Time

Top Salesforce API Queries By Count, Run Time

Top Salesforce Apex Executions By Count, Run Time

Top Salesforce Dashboards Views By Count

Top Salesforce Document Downloads By Count

Top Salesforce Opportunity Reports By Count

Top Salesforce Report Exports By Count

Top Salesforce Reports By Count, Run Time

Top Salesforce Events

Configuration

Create Salesforce Audit Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Salesforce Salesforce Audit
  5. For Access Protocol, select Salesforce API
  6. For Password Configuration, select Manual or CyberArk
  7. For Manual credential method, enter the user name, password and Security Token.
  8. For CyberArk credential method, specify CyberArk properties.
  9. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter salesforce.com
  5. For Credentials, enter the name of the credential created in the “Create Salesforce Audit Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Salesforce Audit Log Collection
Sample Events for Salesforce Audit
Configuring Console Access Devices

AccelOps supports these console access devices for discovery and monitoring.

Lantronix SLC Console Manager Configuration

Lantronix SLC Console Manager Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics/Logs collected | Used for
Syslog | | Admin access, Updates, Commands run | Log analysis and compliance

Event Types

Around 10 event types are generated by parsing Lantronix SLC logs. The complete list can be found in CMDB > Event Types by searching for Lantronix-SLC. Some important ones are:

Lantronix-SLC-RunCmd

Lantronix-SLC-Update

Lantronix-SLC-User-Logon-Success

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog


This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
