Centrify for QRadar Integration Guide

Size: px

Start display at page:

Download "Centrify for QRadar Integration Guide"

Laura Greene
5 years ago
Views:

1 Centrify for QRadar Integration Guide November 2017 Centrify Corporation Abstract This integration guide is to help our Centrify Infrastructure Services customers easily integrate Centrify events into QRadar. Centrify Corporation TEL (669) Tannery Way URL Santa Clara, CA 95054

2 Legal Notice This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or nondisclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Centrify, DirectControl, DirectAuthorize, DirectAudit, DirectSecure, and DirectControl Express are registered trademarks and Centrify User Suite, Centrify Server Suite, Centrify for Mobile, Centrify for SaaS, Centrify for Mac, DirectManage, Centrify Suite, Centrify Express, DirectManage Express, Centrify Identity Platform, Centrify Identity Service, and Centrify Privilege Service are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,442,962 and 9,378,391. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred. CENTRIFY CORPORATION ALL RIGHTS RESERVED II

3 Contents Legal Notice... 1 Introduction... 1 WinCollect Agent... 2 Syslog Demon... 2 Centrify DSM for QRadar... 2 Centrify Extension for QRadar... 2 Installation... 2 Preparing to install QRadar on Windows... 3 Preparing to install QRadar on *Nix... 5 Installing WinCollect Agent on Windows... 5 Configuring Syslog on Linux Installing DSM Automatic Update Manual Installation Configuring Log Source Installing Centrify Extension for QRadar Searching Centrify Events CENTRIFY CORPORATION ALL RIGHTS RESERVED III

Introduction This guide is used to help our Customers to easily integrate audit trail events data from Centrify Infrastructure Services into QRadar.

8 and above Centrify Infrastructure Services Release 2016 Release 2016.1 Release 2016.2 Release 2017 Release 2017.1 Release 2017.

QRadar Centrify Extension for QRadar Note: Some sections in this document are for Windows installations only, some are for *Nix installations only, and some apply to all

4 Introduction This guide is used to help our Customers to easily integrate audit trail events data from Centrify Infrastructure Services into QRadar. You can leverage the Centrify Extension for QRadar to normalize these events into QRadar. The guide applies to following versions: QRadar and above Centrify Infrastructure Services Release 2016 Release Release Release 2017 Release Release The following diagram provides an overview of various components involved with Centrify Extension for QRadar: WinCollect Agent QRadar Console Syslog Demon Centrify DSM for QRadar Centrify Extension for QRadar Note: Some sections in this document are for Windows installations only, some are for *Nix installations only, and some apply to all operating systems. Where different steps are required for Windows vs. *Nix, two sections are provided, one for each OS. In sections for *Nix, Linux examples may be used. If you use a different *Nix OS, see the documentation for your system for more information. CENTRIFY CORPORATION ALL RIGHTS RESERVED 1

5 WinCollect Agent The WinCollect Agent is responsible for collecting Centrify audit trail events from the Windows machine and forwarding them to the QRadar Console. The WinCollect Agent can be downloaded from IBM Fix Central at: ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRa dar+siem&fixids=7.2.0-qradar-wincollect x64.exe&source=dbluesearch&function=fixid&parent=ibm%20security Syslog Demon The Syslog Demon is used for collecting Centrify audit trail events from Linux machine and forwarding them to the QRadar console. Centrify DSM for QRadar The Centrify DSM for QRadar is used for collecting Centrify Events on QRadar console. This DSM can be obtained from following link: verview.html Centrify Extension for QRadar This extension, CentrifyExtensionForQRadar.zip, consists of about 120 Custom Event Properties for parsing different fields from Centrify Audit Trail events. This extension can be obtained from Centrify download center. Installation First, ensure that your QRadar console is installed and running. To verify the installation, go to This guide is applicable for QRadar v7.2.8 and The Centrify Extension for QRadar supports the following versions of Centrify products: Release 2016 Release Release Release 2017 Release Release CENTRIFY CORPORATION ALL RIGHTS RESERVED 2

Preparing to install QRadar on Windows To prepare for QRadar installation on Windows: 1. Download WinCollect Agent from the IBM site. Choose the version for your system type (32bit or 64 bit). 2.

6 Preparing to install QRadar on Windows To prepare for QRadar installation on Windows: 1. Download WinCollect Agent from the IBM site. Choose the version for your system type (32bit or 64 bit). 2. Download Centrify Extension for QRadar. 3. Check availability of Centrify DSM for QRadar: rpm qa grep i Centrify 4. Configure Authorization Token. This token is used for authenticating communication between Windows machines and QRadar console. a. Log in to QRadar console using admin credentials. b. Click Admin tab. c. Click Authorized Service. d. Enter the name for the token. e. Choose Admin as Role and Security profile. f. Set the Expiry Date to an appropriate value. g. Click Create Service. CENTRIFY CORPORATION ALL RIGHTS RESERVED 3

8 Preparing to install QRadar on *Nix To prepare for QRadar installation on *Nix: 1. Ensure that syslog daemon (syslog/rsyslog/syslog-ng) is installed. Use the appropriate command to check: service status rsyslog #OR service status syslog-ng 2. If the daemon is not installed, use the appropriate command to install the required daemon: yum install rsyslog #OR yum install syslog-ng 3. Download Centrify Extension for QRadar. 4. Check availability of Centrify DSM for QRadar: rpm qa grep i Centrify Installing WinCollect Agent on Windows To install WinCollect: 1. Right click on the.exe file that you downloaded for WinCollect during pre-installation, and choose Run as administrator. CENTRIFY CORPORATION ALL RIGHTS RESERVED 5

2. Enter the User Name and Organization and click

10 3. If you have the latest version of WinCollect agent (7.2.5 and above) you will need to select Stand Alone mode and click Next. If you do not see a choice of Managed or Stand Alone modes here, it means that you have an older version of WinCollect agent and you should skip to step Check Create Log Source. 5. Enter a Log Source Name that will appear as the machine name on QRadar console. 6. Enter the IP address of the windows member machine as the Log Source Identifier. 7. Under Event Logs, select Application (all Centrify audit trail events are logged in the application log). 8. Click Next. CENTRIFY CORPORATION ALL RIGHTS RESERVED 7

12 9. Enter the Hostname / IP address of the QRadar Console. 10. Choose TCP as the Protocol for sending application logs from the windows member. 11. Ensure that ports (514, 8413) are open for communication between WinCollect agent and QRadar console. 12. Complete the installation by clicking Next. You do not need to perform steps because they are only for older versions of WinCollect. 13. For WinCollect agent versions prior to 7.2.5, only a single mode is supported. If you have an older version of WinCollect, after performing step 2 you will see the screen shown below. Enter Host Identifier, Authentication Token, and Configuration console (host and port). The name that you enter in the host identifier will come as Host Name in QRadar console. By default, WinCollect Agent communicates with QRadar console on port 8413 and 514. Please ensure that these two ports are open through the firewall. CENTRIFY CORPORATION ALL RIGHTS RESERVED 9

13 14. The Log Source Name and Log Source Identifier are optional. 15. Make sure that Application is selected under Event Logs. WinCollect Agent can forward all the event logs; however, for Centrify audit trail events, we must ensure that we are forwarding application logs. CENTRIFY CORPORATION ALL RIGHTS RESERVED 10

15 For more information, see the WinCollect Agent Installation Guide from IBM : ect_install_wincollect_agent.html Configuring Syslog on Linux The following steps configure syslog forwarder to forward events to the QRadar console. Update the rsyslog.conf and add the following line. This file is available under the /etc/ folder for Redhat Linux. For other types of *Nix, please refer to the OS-specific documents to locate the rsyslog.conf file. If you are using syslog-ng, please add the following entry: # My Switches source s_centrify { file( "/var/log/messages " ); }; destination d_tcp { network("qradarhost" port(1999)); }; log { source(s_centrify); destination(d_centrify); }; Restart the syslog demon: service rsyslog restart or service syslog-ng restart CENTRIFY CORPORATION ALL RIGHTS RESERVED 12

16 Installing DSM We use Centrify DSM for QRadar for parsing events. This DSM will be available with the latest version of QRadar. For existing QRadar installation, this DSM can be obtained either through Automatic update or Manual Installation. Automatic Update Updates to DSM, PROTOCOL, and VIS rpms are made available on a weekly basis to QRadar administrators using the Internet to allow appliances to connect to an automatic update server. To use automatic updates: 1. Login to QRadar console as the admin user. 2. Go to Admin Auto Update. It will show all the updates available. 3. Choose the appropriate option for installation. Manual Installation 1. To use manual updates: 2. Login to IBM Fix Central and search for Centrify DSM for QRadar. 3. Download the rpm file from the location mentioned for your OS in the Introduction section. 4. Copy this bundle into QRadar console. 5. SSH into QRadar console and run the following command. Please update the DSM name as per the version downloaded before running the command: rpm ivh DSM-CentrifyServerSuite noarch Configuring Log Source We use Centrify DSM for QRadar to parse data received at QRadar. Create a separate log source per client machine depending on the OS: 1. To create Log Source, log into QRadar console as admin user. 2. Go to Admin tab. 3. Click on Data Collect Log Source. CENTRIFY CORPORATION ALL RIGHTS RESERVED 13

17 4. Click Add. 5. Enter the appropriate name and relevant description for Log Source. 6. Choose Centrify Infrastructure Services (Centrify Server Suite) as Log source type. 7. Enter appropriate Log Source identifier. This is either an IP address or a host name. CENTRIFY CORPORATION ALL RIGHTS RESERVED 14

18 8. Choose either WinCollect (Windows) or Syslog (Unix) as Protocol Configuration depending on your OS. Log Source for Windows: a. Choose WinCollect as Protocol Configuration. b. Enter credentials for windows machine. c. Make sure Application logs are selected, as Centrify data is logged there. d. Unselect Colace events, as Centrify generates multiple events for particular action and all the events are important. e. Choose TCP as the Target Internal Destination. CENTRIFY CORPORATION ALL RIGHTS RESERVED 15

20 Installing Centrify Extension for QRadar Download Centrify Extension for QRadar and perform the following steps. Before installing this extension, user must ensure that Centrify DSM for QRadar is installed in QRadar. To check availability of the DSM, refer to the Pre-Installation check section of this document. 1. Log in to the QRadar console using admin credentials 2. Go to the Admin tab. 3. Click on Extension management. 4. Choose the downloaded zip file. 5. Select Immediately Install and click on add. CENTRIFY CORPORATION ALL RIGHTS RESERVED 17

21 6. QRadar console displays screen describing all the components in detail. Click on OK. It installs the application onto the QRadar. 7. Click on Deploy changes. Searching Centrify Events After completing installation of the Centrify Extension for QRadar, all the new Centrify audit trail events should be parsed and indexed by QRadar. You can use the following steps to validate your installation: 1. Generate some Centrify audit trail events into a Centrify managed member server, e.g. log-in to the server will generate an authentication event. The generated events should be accessible from the QRadar console system. 2. Log in to the QRadar console and click on the Log Activity tab. There you should see different Centrify Audit events parsed by QRadar. When you click on a specific event to open a detailed view, you should see various Centrify specific fields as shown below. CENTRIFY CORPORATION ALL RIGHTS RESERVED 18

Centrify for ArcSight Integration Guide

Centrify for ArcSight Integration Guide November 2017 Centrify Corporation Abstract This integration guide is to help our Centrify Infrastructure Services customers easily integrate Centrify events into