Azure Logs
Even though the shift to the cloud has slowed recently as many businesses are moving certain workloads back on-premise, Microsoft Exchange remains one cloud-based service that most organizations continue to embrace – despite its frequent outages. This doesn’t come as a surprise, as Microsoft has successfully devolved on-prem Exchange Server – the only viable alternative – into an unfriendly dragon that even experienced sysadmins won’t touch with a 10 ft pole. I’d rather compile the kernel of a rare Linux distro on a mobile phone than administer Exchange 2019.
Importing Azure logs was already possible in EventSentry v5.2 with a manual setup, but EventSentry v6 makes this significantly easier now that the functionality is fully integrated. Setup is straightforward and builds on the existing delimited log file feature that you may already be familiar with (which has also been simplified!):
- Create Microsoft Cloud credentials
- Create or reuse a log file definition (e.g. Azure Sign-In Logs)
- Create a log file + assign the previously created credentials
It’s possible to assign multiple credentials to a single log file, for example if you’re an MSP that needs to monitor Azure Sign-In Logs from multiple clients.
Logs are downloaded by the new EventSentry Sync service, which also converts the JSON-based logs to CSV format so they can be imported by the agent. You can configure how often logs are downloaded and whether temporary files are kept or deleted. Accessing the logs works just like accessing other on-prem delimited logs (DHCP, IIS etc.) – via FEATURES -> LOGS -> Delimited Log Files in the web reports.
HEC: HTTP Event Collector
EventSentry already supports a variety of log sources like log files, Syslog, SNMP and more. The new HTTP Receiver – a new component in the network services – can receive remote logs via the HTTP protocol in either CSV or JSON format. The process is similar to the aforementioned Sync Service, except that the HTTP Receiver saves the received logs in a temporary directory where they are then picked up, converted (if necessary) and processed by the EventSentry agent.
Many network devices support exporting logs via HTTP, including Palo Alto, Fortinet, SonicWall and more. To enable the HTTP Receiver, simply navigate to “Network Services -> HTTP Receiver” in the management console.
Sigma
Sigma is a vendor-agnostic, YAML-based format for describing threat detection rules. This essentially allows security researchers to write threat detection rules once – instead of having to convert them into one or more proprietary formats. You can then use commercial services like SOC Prime or tools to convert the Sigma rules into the format your SIEM uses. This allows security researchers to focus on what they do best – identifying and documenting threats.
Here at EventSentry we think that converting Sigma rules into event log filters is boring, so we added native Sigma support to EventSentry. This means that you can take a Sigma rule “as is” and simply paste it into an event log filter. There are a number of benefits with this:
- Sigma rules are evaluated at the agent – in real time
- No need to convert Sigma rules
- Ability to create complex detection rules in Sigma format
We hate to admit it, but Sigma rules can actually express more complex logic than EventSentry’s content filters. For example, with Sigma you can match conditions like
(event id = 1 and text includes “myapp.exe”) or (event id = 2 and text includes “thisprogram.exe”)
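As an added example (not EventSentry code), the condition above written as the detection section of a Sigma rule and evaluated by a small Python interpreter for Sigma’s selection/condition semantics (ANDed fields per selection, `|contains` modifier, and/or/not with parentheses in the condition); the field names EventID and CommandLine and the sample events are assumptions.

```python
"""Minimal evaluator for a Sigma rule's detection section (added example)."""
import re

# Constructed rule mirroring the condition in the text (field names assumed)
RULE = {
    "sel_myapp": {"EventID": 1, "CommandLine|contains": "myapp.exe"},
    "sel_thisprogram": {"EventID": 2, "CommandLine|contains": "thisprogram.exe"},
    "condition": "sel_myapp or sel_thisprogram",
}

def _match_field(event, key, expected):
    # Sigma: "Field|modifier": value, a list value means any-of, case-insensitive
    field, _, mod = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        want = str(value).lower()
        if (mod == "" and actual == want) or (mod == "contains" and want in actual):
            return True
    return False

def evaluate(rule, event):
    """True if the event satisfies rule['condition']; recursive-descent parse."""
    tokens = re.findall(r"\(|\)|\w+", rule["condition"])
    pos = 0
    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = parse_and() or result      # parse first so tokens advance
        return result
    def parse_and():
        nonlocal pos
        result = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = parse_not() and result
        return result
    def parse_not():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            result = parse_or()
            pos += 1                            # consume ')'
            return result
        # a selection name: every field of the selection must match (AND)
        return all(_match_field(event, k, v) for k, v in rule[tok].items())
    return parse_or()
```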
Log Signing
Cryptographically signing logs is sometimes necessary for regulatory compliance and in high-security environments. Log signing essentially ensures that collected log data has not been removed or tampered with. Implementing log signing is a fairly complex endeavor, and we solved it in a straightforward, simple way in this first implementation.
Event log & Syslog data can now be cryptographically signed by storing log data in a text file (“File Action”) and signing the created files using OpenSSL, which is now included in the latest installer. Signing log data in files has a number of advantages:
- The existing mechanism for consolidating log data in the database remains unaffected
- Signed logs can be stored on any medium that exposes NTFS/SMB, including WORM
- Log destination can be in a completely different security context – denying EventSentry admins modify access
Even when the signed logs are stored on the same server where EventSentry is installed, timestamping ensures that the logs cannot be modified & re-signed without detection. By default, new log files are created & signed every minute, reducing overhead and making it easy to detect deleted logs.
It’s important to note that viewing & verifying logs is a manual process and requires the use of an (included) command-line script.
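As an added illustration of the per-minute signing scheme (not EventSentry’s own verification script, which uses OpenSSL), a Python model that signs each minute file and then verifies an archive, flagging both a file edited after signing and a missing minute; HMAC-SHA256 stands in for the OpenSSL signature so it runs with the standard library only, and the key, file-name layout and log lines are constructed.

```python
"""Model of per-minute signed log files (added example): each signature binds
a file's content to its minute-stamped name; the verifier reports tampered
files and gaps in the minute sequence (deleted files)."""
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed stand-in for the OpenSSL signing key; HMAC-SHA256 replaces the
# asymmetric signature here so the example runs with the standard library only
SIGNING_KEY = b"constructed-demo-key"
FMT = "%Y%m%d%H%M"             # assumed file-name layout: <minute>.log

def sign_file(name, content, key=SIGNING_KEY):
    """Sign name and content together so a file cannot be renamed or edited."""
    return hmac.new(key, name.encode() + b"\0" + content, hashlib.sha256).hexdigest()

def verify_archive(files, key=SIGNING_KEY):
    """files: {name: (content, signature)} -> list of findings (empty = clean)."""
    findings = []
    for name, (content, sig) in sorted(files.items()):
        if not hmac.compare_digest(sign_file(name, content, key), sig):
            findings.append(f"tampered: {name}")
    minutes = sorted(datetime.strptime(n.split(".")[0], FMT) for n in files)
    for prev, cur in zip(minutes, minutes[1:]):
        gap = int((cur - prev) / timedelta(minutes=1))
        if gap > 1:    # one file per minute expected, so a larger step = deletion
            findings.append(f"missing {gap - 1} file(s) between {prev:{FMT}} and {cur:{FMT}}")
    return findings

def build_demo_archive():
    """Constructed archive: four minute files, one deleted and one edited after signing."""
    start = datetime(2024, 1, 15, 10, 0)
    def name(i):
        return (start + timedelta(minutes=i)).strftime(FMT) + ".log"
    files = {}
    for i in range(4):
        content = f"10:0{i} logon success for user demo\n".encode()
        files[name(i)] = (content, sign_file(name(i), content))
    del files[name(2)]                                  # simulate deletion
    content, sig = files[name(1)]
    files[name(1)] = (content.replace(b"success", b"failure"), sig)  # edit, keep old sig
    return files

if __name__ == "__main__":
    for finding in verify_archive(build_demo_archive()):
        print(finding)
```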
Anomaly Baseline
Anomaly detection not only helps detect anomalies like new processes, but can also visualize the collected data and provide insight into activity on servers and endpoints. For example, anomaly baseline can show:
- all parent/child process relationships
- all user/process relationships
- all DLLs loaded by a process (requires Sysmon)
- all User/Pipe connections
Anomaly baseline data is automatically populated if an anomaly filter is configured to use the collector, so it’s recommended to enable “Filter on Collector” for all anomaly rules.
Web Reports
You can now activate HTTPS in the web reports without having to run scripts and edit configuration files – simply enable HTTPS while setting up the web reports and the rest is done automagically for you!
All hosts can now be assigned a physical location, which can then be used to filter search results on all search pages. Additional map-based pages will be added in future releases.
A new auto-complete menu makes writing search queries significantly easier and more convenient:
Switch port mapping now includes an Overview tab which visualizes all switch port connections with an intuitive map that takes the new location settings into consideration as well.
In an effort to modernize the UI in the web reports and take advantage of new web technologies, support for Internet Explorer had to be dropped – as such you won’t be able to use IE to access the web reports anymore.
Other improvements include support for secondary LDAP servers, an improved collector status which now shows the TLS version, the last time the BIOS was updated and more.
Other Improvements & Features
OAuth support was added to email and HTTP actions – emails can now be sent via Office 365 and Google’s GMail without using an SMTP server (the email dialog has been optimized as well). HTTP actions can authenticate with OAuth now as well.
EventSentry now also includes a secondary installer which can be used to install the collector, network services and heartbeat services on remote hosts. In the past, setting up any of these services required a lot of manual steps which are now automated with the new installer (ADMonitor is not included as it requires additional steps unique to ADMonitor).
Deploying EventSentry has also been simplified by supporting an unattended installation of the main EventSentry installer, including the web reports. Agent-based installations now also support an alias option (intended to be used with MSI-based agent installations), allowing the assignment of virtual host names at MSI installation-time to any agent.
Performance of the large file enumeration feature, which is part of disk space monitoring, has been vastly improved by scanning the MFT directly. This feature scans every monitored volume to find the 250 largest files, which can be time-consuming on large volumes and/or slower hosts. Scanning the MFT instead of the file system only takes a fraction of the time compared with earlier versions.
Sync Service
EventSentry v6 also sports a new service, the “EventSentry Sync” service. In addition to downloading Azure-based logs, the Sync service can also download validation script updates in the background and ensure that core EventSentry services are always running.
Users with an active maintenance agreement can download EventSentry v6 either from within the EventSentry Management Console, or by downloading the installer from the customer area. If you’re not an EventSentry customer yet then you can start an EventSentry evaluation.