A.4 Setting Up Assets for Monitoring

The Micro Focus Quality Assurance team follows these procedures to set up the assets. Note the parameters as you go; you will use them later when installing the Change Guardian Event Collector Addon for Windows.

A.4.1 Setting Up AWS

For information about AWS concepts, see AWS Documentation.

NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Setting the AWS Account

If you are using Elastic Compute Cloud (EC2) role-based credentials, you must use an IAM role with the AmazonS3ReadOnlyAccess and AmazonSQSFullAccess policies. If you are using an access key and secret key as credentials, complete the following steps:

To set up:

  1. Create an Amazon Web Services account.

  2. Log in to the AWS Management Console and open IAM.

  3. From Dashboard, click Access Management > Groups > Create New Group.

  4. Specify a Group Name and attach the AmazonS3ReadOnlyAccess and AmazonSQSFullAccess policies to the group.

    The group requires these permissions to access the CloudTrail logs through the APIs.

  5. To add a new user to the group, select Users > Add Users.

  6. Specify the user details.

  7. Ensure that you download the credentials as a .csv file.

    NOTE: The file contains the Access Key ID and Secret Access Key that you must use when installing the connector.

  8. Click Groups > group_name > Group Action > Add Users to Group.

  9. Select the users to add to the group and click Add Users.

  10. To view or create an Access Key ID, open the user summary and click Security Credentials > Create Access key.

Configuring CloudTrail

The following steps create a new Amazon Simple Storage Service (S3) bucket and a new Amazon Simple Notification Service (SNS) topic for the trail.

To configure CloudTrail:

  1. From the AWS Management Console, open CloudTrail.

  2. Click Create trail.

  3. Specify Trail name.

  4. Select Create new S3 bucket and specify Trail log bucket and folder.

  5. Select SNS notification delivery.

  6. Select Send SNS notification for every log file delivery.

  7. Specify a new SNS Topic.

Make a note of the AWS S3 region name; it appears in the browser address bar on the SQS page.

Creating and Subscribing an Amazon Simple Queue Service (SQS) Queue

To create an SQS queue:

  1. In the AWS Management Console, open Simple Queue Service.

  2. Click Create New Queue and specify the details.

  3. Select the new queue.

  4. Under Queue Actions, select Subscribe Queue to SNS Topic.

  5. From Choose a Topic, select the new topic and click Subscribe.

Important Parameters

You should have the following parameters after setting up AWS. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

Parameter / Description

  Proxy Host, Proxy Port, Proxy User Name, Proxy Password
    (Optional) The proxy configuration settings

  AWS SQS URL
    The SQS URL from which you want to pull the CloudTrail notifications

  AWS Access Key, AWS Secret Key
    The credentials for the IAM user

  AWS SQS Region, AWS S3 Region
    The locations (regions) of the AWS data centers that host the queue and the bucket

  AWS SQS Visibility Timeout
    The time during which Amazon SQS prevents other consuming components from receiving and processing the same message

  AWS SQS Max Received Count
    The maximum number of attempts to receive an SQS message
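The following script is an added example, not code from the Change Guardian documentation. It shows the shape of the message the connector reads from the SQS queue set up above (a constructed sample in the format SNS uses for CloudTrail log-delivery notifications) and how the Visibility Timeout and Max Received Count parameters apply to a message that keeps reappearing; the Max Received Count value is assumed.

```powershell
# Added example (not from the Change Guardian documentation): what the connector pulls
# from the SQS queue created in A.4.1 and how the two SQS parameters apply.
# The queue message body below is a constructed sample.
$MaxReceivedCount = 3   # AWS SQS Max Received Count; value assumed for this example

$sampleBody = @'
{"Type": "Notification",
 "TopicArn": "arn:aws:sns:us-east-1:111122223333:cloudtrail-topic",
 "Message": "{\"s3Bucket\":\"cloudtrail-bucket\",\"s3ObjectKey\":[\"AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/111122223333_CloudTrail_us-east-1_20240101T0000Z_sample.json.gz\"]}"}
'@

function Get-CloudTrailObjectKeys {
    # Unwraps the SNS envelope, then the CloudTrail notification JSON carried in Message,
    # returning the S3 objects the connector must download from the trail log bucket.
    param([string]$Body)
    $envelope = $Body | ConvertFrom-Json
    if ($envelope.Type -ne 'Notification') { return @() }
    $notice = $envelope.Message | ConvertFrom-Json
    foreach ($key in $notice.s3ObjectKey) {
        [pscustomobject]@{ Bucket = $notice.s3Bucket; Key = $key }
    }
}

function Test-ShouldProcessMessage {
    # After each receive, SQS hides the message for the Visibility Timeout; if it is not
    # deleted it reappears with a higher ApproximateReceiveCount. Once that count passes
    # Max Received Count, no further receive attempts are made for the message, which
    # bounds retries of a notification that keeps failing (for example, a missing object).
    param([int]$ApproximateReceiveCount, [int]$MaxReceived)
    return $ApproximateReceiveCount -le $MaxReceived
}

Get-CloudTrailObjectKeys -Body $sampleBody | Format-Table -AutoSize
Test-ShouldProcessMessage -ApproximateReceiveCount 4 -MaxReceived $MaxReceivedCount   # False
```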

A.4.2 Setting Up Office 365

Register the connector in Azure AD and configure it with the appropriate permissions. Ensure that you have enabled and configured an Office 365 subscription account, and that the subscription is associated with an Azure AD tenant domain account.

NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Registering the Application in Azure AD

To register:

  1. Log in to the Azure Management portal using the credentials of the Microsoft tenant that has the Office 365 subscription you want to use.

  2. Click Azure Active Directory.

  3. Under Manage, click App registrations > New registration.

  4. Specify a logical name, supported account types, redirect URI (optional), and then click Register.

    Make a note of the Application (Client) ID, which is the Client ID.

  5. Under Manage > Certificates and secrets > New client secret, specify the client secret details and click Add.

    Make a note of the client secret value, which is the Client Secret.

  6. Click API permissions > Add a permission > Office 365 Management APIs, and select both Delegated permissions and Application permissions.

  7. Select ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read and click Add permissions.

  8. On the API permissions page, click Grant admin consent for <organization name>.

Important Parameters

You should have the following parameters after setting up Office 365. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

Parameter / Description

  Azure Tenant Domain
    The domain name of the Office 365 Azure tenant

  Client ID
    The Client ID of the registered application in Azure Active Directory

  Client Secret
    The Client Secret of the application registered in Azure Active Directory

  Proxy Host, Proxy Port, Proxy User Name, Proxy Password
    (Optional) The proxy configuration settings
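The following script is an added example, not code from the Change Guardian documentation. It checks the three Office 365 parameters before the connector is installed by requesting a client-credentials token for the Office 365 Management APIs and listing the activity feed subscriptions; the tenant domain and client ID below are placeholders, and the endpoints are the standard Microsoft identity platform and Management Activity API URLs.

```powershell
# Added example (not from the Change Guardian documentation): verifies that the app
# registered in A.4.2 can authenticate and reach the Office 365 Management Activity API.
$TenantDomain = 'contoso.onmicrosoft.com'            # Azure Tenant Domain (placeholder)
$ClientId     = '00000000-0000-0000-0000-000000000000' # Application (Client) ID (placeholder)
$ClientSecret = Read-Host -Prompt 'Client Secret'     # prompted so it is not stored in the script

function Get-ManagementApiToken {
    # Client-credentials grant; the .default scope uses the application permissions
    # granted admin consent in step 8 (ActivityFeed.Read, ActivityFeed.ReadDlp, ServiceHealth.Read).
    param([string]$Tenant, [string]$Id, [string]$Secret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $Id
        client_secret = $Secret
        scope         = 'https://manage.office.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
    return $resp.access_token
}

function Get-JwtTenantId {
    # The Management API path wants the tenant GUID; read the tid claim from the token payload.
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json).tid
}

$token   = Get-ManagementApiToken -Tenant $TenantDomain -Id $ClientId -Secret $ClientSecret
$tid     = Get-JwtTenantId -Jwt $token
$headers = @{ Authorization = "Bearer $token" }
# An empty list is a successful result; a 401 or 403 here means consent or permissions are missing.
Invoke-RestMethod -Headers $headers `
    -Uri "https://manage.office.com/api/v1.0/$tid/activity/feed/subscriptions/list"
```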

A.4.3 Setting Up Dell EMC

NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Installing Common Event Enabler

To install Common Event Enabler (CEE):

  1. Log in to the machine with an account that has administrator privileges.

  2. Ensure that .NET Framework 3 is enabled.

  3. Run the file EMC_CEE_Pack for either the 32-bit (WIN32) or the 64-bit (X64) version of the software.

  4. Follow the prompts and complete the installation.

    NOTE: Do not change the location of the temporary directory.

  5. When the installer prompts you to restart the server, click No.

  6. Open services.msc and search for EMC CAVA in the services list.

  7. Right-click the service, click Properties, and then click Log On > This Account > Browse > Advanced > Find Now.

  8. Select the administrator or an account with administrative privileges and set the password.

  9. Restart the machine.

  10. Access the CEPA server from a browser.

    Use the same format that you provided in the Dell EMC web console, for example, http://1.1.1.1:12228/cee.

    If the CEPA server is running, it displays the version of CEE.

To set up application access:

  1. Open the Windows Registry Editor and go to HKEY_LOCAL_MACHINE > SOFTWARE > EMC > CEE > CEPP > Audit > Configuration.

  2. Set Endpoint to ArcSightConnector.

  3. Set Enable to 1, and then restart the machine.
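The following script is an added example, not code from the Dell EMC or Change Guardian documentation. It applies the two registry values from the steps above and then checks the CEE installation the way the procedure describes: the audit configuration, the log-on account of the EMC CAVA service, and the CEPA server answering over HTTP. The CEPA URL is a placeholder for your own server.

```powershell
# Added example (not from the Dell EMC or Change Guardian documentation): sets the CEE
# audit endpoint registry values and verifies the CEE setup before installing the connector.
$CeeConfigKey = 'HKLM:\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration'
$CepaUrl      = 'http://1.1.1.1:12228/cee'   # placeholder; use the format from the Dell EMC web console

function Set-CeeAuditEndpoint {
    # Endpoint is a string value and Enable a DWORD, both under the CEE audit configuration key.
    Set-ItemProperty -Path $CeeConfigKey -Name 'Endpoint' -Value 'ArcSightConnector' -Type String
    Set-ItemProperty -Path $CeeConfigKey -Name 'Enable'   -Value 1 -Type DWord
}

function Test-CeeSetup {
    $ok  = $true
    $cfg = Get-ItemProperty -Path $CeeConfigKey -ErrorAction SilentlyContinue
    if (-not $cfg -or $cfg.Endpoint -ne 'ArcSightConnector' -or $cfg.Enable -ne 1) { $ok = $false }

    # Step 8 requires the EMC CAVA service to run under an administrative account,
    # so the default LocalSystem log-on means that step was skipped.
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='EMC CAVA'"
    if (-not $svc -or $svc.StartName -eq 'LocalSystem') { $ok = $false }

    # A running CEPA server responds with the CEE version (step 10).
    try   { $null = Invoke-WebRequest -Uri $CepaUrl -UseBasicParsing -TimeoutSec 10 }
    catch { $ok = $false }
    return $ok
}

Set-CeeAuditEndpoint
Test-CeeSetup   # expect True once the machine has been restarted and CEPA is running
```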

Important Parameters

You should have the following parameters after setting up Dell EMC. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

Parameter / Description

  Domain Name, Domain Host Name, Domain User Name, Domain Password
    The domain controller details used to perform SID translation of users

A.4.4 Setting Up Exchange

The Exchange Management Shell is built on Windows PowerShell technology. With the Shell, you can manage every aspect of Exchange, including enabling new e-mail accounts, configuring SMTP connectors, storing database properties, storing transport agents, and more. The Shell can perform every task that can be performed by the Exchange Management Console and the Exchange Web interface, in addition to tasks that cannot be performed in those interfaces.

NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Enabling Mailbox Audit Logging

To understand mailbox audit logging, see Messaging policy and compliance permissions in the Microsoft Exchange Documentation.

Use the Shell to specify the mailbox audit logging settings, including which administrator, delegate, and owner actions are logged.

  • Enable mailbox audit logging for Ben Smith's mailbox:

    Set-Mailbox -Identity "Ben Smith" -AuditEnabled $true

    For detailed syntax and parameter information, see Set-Mailbox in the Microsoft Exchange Documentation.

  • Specify that the SendAs or SendOnBehalf actions performed by delegate users are logged for Ben Smith's mailbox:

    Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true

  • Specify that the MessageBind and FolderBind actions performed by administrators are logged for Ben Smith's mailbox:

    Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true

  • Specify that the HardDelete action performed by the mailbox owner is logged for Ben Smith's mailbox:

    Set-Mailbox -Identity "Ben Smith" -AuditOwner HardDelete -AuditEnabled $true

Enabling Administrator Audit Logging

To understand administrator audit logging, see Administrator audit logging in Exchange Server and Exchange and Shell Infrastructure Permissions in the Microsoft Exchange Documentation.

Use the Shell to specify the administrator audit logging settings, including which cmdlets and parameters are logged.

  • Enable administrator audit logging:

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

  • Enable administrator audit logging for every cmdlet and every parameter in the organization, with the exception of Get cmdlets:

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters *

  • Enable administrator audit logging for specific cmdlets run in the organization:

    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox* -AdminAuditLogParameters *Address*

    Any parameter used on the specified cmdlets is logged. Every time a specified cmdlet is run, a log entry is added to the audit log.
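The following script is an added example, not code from the Change Guardian or Microsoft documentation, covering both the mailbox and the administrator audit logging settings above. It applies the same Set-Mailbox audit settings to every user mailbox rather than a single one, reports mailboxes whose audit configuration is still incomplete, and checks that administrator audit logging covers every cmdlet and parameter; it assumes it is run in the Exchange Management Shell.

```powershell
# Added example (not from the Change Guardian or Microsoft documentation): organization-wide
# application and verification of the audit settings shown in the single-mailbox commands.
$DelegateActions = 'SendAs', 'SendOnBehalf'
$AdminActions    = 'MessageBind', 'FolderBind'
$OwnerActions    = 'HardDelete'
$MailboxFilter   = "RecipientTypeDetails -eq 'UserMailbox'"

function Enable-OrgMailboxAuditing {
    # Same Set-Mailbox parameters as the per-mailbox commands, applied to every user mailbox.
    Get-Mailbox -ResultSize Unlimited -Filter $MailboxFilter | ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true `
            -AuditDelegate $DelegateActions -AuditAdmin $AdminActions -AuditOwner $OwnerActions
    }
}

function Test-MailboxAuditConfig {
    # True only if auditing is on and every expected action is present in the mailbox's audit sets.
    param($Mailbox)
    if (-not $Mailbox.AuditEnabled) { return $false }
    foreach ($a in $DelegateActions) { if ($Mailbox.AuditDelegate -notcontains $a) { return $false } }
    foreach ($a in $AdminActions)    { if ($Mailbox.AuditAdmin    -notcontains $a) { return $false } }
    foreach ($a in $OwnerActions)    { if ($Mailbox.AuditOwner    -notcontains $a) { return $false } }
    return $true
}

function Get-UnauditedMailboxes {
    # Mailboxes for which the collector would receive no, or incomplete, audit log entries.
    Get-Mailbox -ResultSize Unlimited -Filter $MailboxFilter |
        Where-Object { -not (Test-MailboxAuditConfig -Mailbox $_) } |
        Select-Object Identity, AuditEnabled, AuditDelegate, AuditAdmin, AuditOwner
}

function Test-AdminAuditConfig {
    # Matches the "every cmdlet and every parameter" Set-AdminAuditLogConfig setting above.
    $cfg = Get-AdminAuditLogConfig
    return [bool]$cfg.AdminAuditLogEnabled -and
           ($cfg.AdminAuditLogCmdlets -contains '*') -and
           ($cfg.AdminAuditLogParameters -contains '*')
}

Enable-OrgMailboxAuditing
Get-UnauditedMailboxes | Format-Table -AutoSize   # expect no rows after the step above
Test-AdminAuditConfig                              # expect True
```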

Enabling Execution of Microsoft Exchange PowerShell Scripts

Allow Microsoft Exchange PowerShell scripts to execute so that the Change Guardian Event Collector Addon can collect information about mailboxes and events from Microsoft Exchange.

To enable:

  1. Open Local Group Policy Editor.

  2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

  3. Set Turn on Script Execution to Enabled.

  4. Set Execution Policy to Allow local scripts and remote signed scripts.

Configuring Microsoft Exchange PowerShell

You must configure the Microsoft Exchange PowerShell service to run with sufficient privileges to receive the Exchange audit logs.

To allow the services to run as a domain administrator:

  1. Open Windows services, and select ArcSight Microsoft Exchange PowerShell.

  2. Open Properties and click Log On.

  3. Click This Account > Browse > Locations, and select the domain name.

  4. Specify the domain administrator credentials.

Locating the Fully Qualified Domain Name

To allow the Change Guardian Event Collector Addon for Windows Agent to retrieve events from the correct source, find the FQDN. In the Windows Control Panel, go to System. Under Computer name, domain, and workgroup settings, find the Full computer name.

Important Parameters

You should have the following parameters after setting up Exchange. Use these parameters to install Change Guardian Event Collector Addon for Change Guardian:

Parameter / Description

  Server FQDN
    The fully qualified domain name of the Exchange Server

  Frequency
    The frequency, in seconds, at which each mailbox audit log is retrieved

  PowerShell Path
    The location of the PowerShell application