HPE Security ArcSight Connectors

Similar documents
HPE Security ArcSight Connectors

HPE Security ArcSight Connectors

HPE Security ArcSight Connectors

HPE Security ArcSight Connectors

HPE Security ArcSight Connectors

HPE Security ArcSight SmartConnectors. Format Preserving Encryption Environment Setup Guide

HPE Security ArcSight Connectors

HPE Security ArcSight User Behavior Analytics

HPE Security ArcSight Connectors

HPE Security ArcSight Connectors

HPE Security ArcSight Connectors

HP ALM Client MSI Generator

HP AutoPass License Server

Configuration Guide. SmartConnector for Apache Tomcat File. February 14, 2014

HPE ALM Client MSI Generator

HPE RDX Utility Version 2.36 Release Notes

HPE Security ArcSight Connectors

HP UFT Connection Agent

HPE Security ArcSight Connectors

HPE Security ArcSight. ArcSight Data Platform Support Matrix

HPE Automatic Number Plate Recognition Software Version: Automatic Number Plate Recognition Release Notes

HPE Security ArcSight ESM

Configuring LDAP Authentication for HPE OBR

HP 3PAR OS MU1 Patch 11

HP Fortify Scanning Plugin for Xcode

IDE Connector Customizer Readme

HP Operations Orchestration

HP Network Node Manager i Software Step-by-Step Guide to Scheduling Reports using Network Performance Server

Micro Focus Security ArcSight Connectors. SmartConnector for McAfee Gateway Syslog. Configuration Guide

Micro Focus Security ArcSight Connectors. SmartConnector for Microsoft IIS Multiple Site File. Configuration Guide

Marvell BIOS Utility User Guide

ALM. What's New. Software Version: Go to HELP CENTER ONLINE

HPE Remote Analysis Agent Software Version: 5.3 Microsoft Windows. Technical Note

HPE Remote Analysis Agent Software Version: 5.2 Microsoft Windows. Technical Note

HPE Security ArcSight Connectors

HPE 3PAR OS MU3 Patch 24 Release Notes

HPE 3PAR OS MU5 Patch 49 Release Notes

HP Software product hierarchy updates

HPE 3PAR OS MU2 Patch 36 Release Notes

HP Database and Middleware Automation

HPE Storage Optimizer Software Version: 5.4. Support Matrix

HP Operations Orchestration

Micro Focus Security ArcSight Connectors. SmartConnector for Snort Syslog. Configuration Guide

HPE ConnectorLib Java SDK

HPE StoreEver MSL6480 Tape Library Version 5.50 Firmware Release Notes

HPE ALM Excel Add-in. Microsoft Excel Add-in Guide. Software Version: Go to HELP CENTER ONLINE

HPE ControlPoint. Software Version: Support Matrix

HP ArcSight Express. Software Version: AE 4.0. Technical Note: ArcSight Express Backup and Recovery

HP 3PAR OS MU3 Patch 18 Release Notes

HPE Security ArcSight Connectors

HP Service Test Management

IDOL Site Admin. Software Version: User Guide

HP Operations Orchestration Software

HP Data Center Automation Appliance

Intelligent Provisioning 1.64(B) Release Notes

HP D6000 Disk Enclosure Direct Connect Cabling Guide

HPE 3PAR File Persona on HPE 3PAR StoreServ Storage with Veritas Enterprise Vault

HP 3PAR OS MU3 Patch 17

HPE ConvergedSystem 700 for Hyper-V Deployment Accelerator Service

HPE 3PAR OS GA Patch 12

HP Integration with Incorta: Connection Guide. HP Vertica Analytic Database

HP Business Availability Center

HPE Moonshot ilo Chassis Management Firmware 1.52 Release Notes

QuickSpecs. HP IMC Branch Intelligent Management Software. Models HP IMC Branch Intelligent Management System Software Module w/50-node E-LTU

HP Virtual Connect Enterprise Manager

HP Enterprise Collaboration

HPE OneView for Microsoft System Center Release Notes (v 8.2 and 8.2.1)

HP Operations Orchestration Software

HPE Security Fortify WebInspect Enterprise Software Version: Windows operating systems. Installation and Implementation Guide

HP Device Manager 4.7

Intelligent Provisioning 1.70 Release Notes

HPE 3PAR OS MU3 Patch 28 Release Notes

Installation Guide. OMi Management Pack for Microsoft Skype for Business Server. Software Version: 1.00

Release Notes ArcSight SmartConnector

HPE StoreEver MSL6480 Tape Library CLI Utility Version 1.0 User Guide

Universal CMDB. Software Version: Content Pack (CP20) Discovery and Integrations Content Guide - Discovery Activities

HPE 3PAR OS MU3 Patch 23 Release Notes

HP Operations Orchestration Software

External Devices. User Guide

HPE Enterprise Integration Module for SAP Solution Manager 7.1

Active Health System Viewer Release Notes

External Devices User Guide

Micro Focus Security ArcSight Connectors. SmartConnector for McAfee Network Security Manager Syslog. Configuration Guide

Achieve Patch Currency for Microsoft SQL Server Clustered Environments Using HP DMA

OMi Management Pack for Microsoft SQL Server. Software Version: For the Operations Manager i for Linux and Windows operating systems.

RSA NetWitness Logs. Microsoft Exchange Server. Event Source Log Configuration Guide. Last Modified: Thursday, November 2, 2017

HP Network Node Manager ispi Performance for Quality Assurance Software

HP BLc Intel 4X QDR InfiniBand Switch Release Notes. Firmware Version

HP Operations Orchestration

Standardize Microsoft SQL Server Cluster Provisioning Using HP DMA

HP Data Protector Integration with Autonomy IDOL Server

HPE 1/8 G2 Tape Autoloader and MSL Tape Libraries Encryption Kit User Guide

HP Accelerated iscsi for Multifunction Network Adapters User Guide

Release Notes. Operations Smart Plug-in for Virtualization Infrastructure

Generating Unique System IDs (SIDs) after Disk Duplication using Altiris Deployment Solution

HPE Operations Bridge Reporter

External Devices User Guide

HP Insight Control for Microsoft System Center Installation Guide

HP Operations Orchestration

HPE WBEM Providers for OpenVMS Integrity servers Release Notes Version 2.2-5

Transcription:

HPE Security ArcSight Connectors SmartConnector for Windows Event Log Unified: Microsoft Exchange Access Auditing Supplemental Configuration Guide July 15, 2017

Supplemental Configuration Guide SmartConnector for Microsoft Exchange Access Auditing Windows Event Log Unified July 15, 2017 Copyright 2010 2017 Hewlett Packard Enterprise Development LP Warranty The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Package Enterprise Development LP shall not be liable for technical or editorial omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. Hewlett Package Enterprise Development LP products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential. Restricted Rights Legend Confidential computer software. Valid license from Hewlett Packard Enterprise Development LP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Follow this link to see a complete statement of Hewlett Package Enterprise Development LP copyrights, trademarks and acknowledgements: https://community.saas.hpe.com/t5/discussions/third-party-copyright-notices-and-license-terms/td-p/1589228. Revision History Date Description 07/15/2017 Removed platform support for Windows 2003. 02/14/2014 Added recommendation to use the SmartConnector for Microsoft Exchange PowerShell for Exchange 2010 and later versions. 09/30/2013 Updated Collect Events from the Event Log procedure. 05/15/2012 Updated for new installation procedure. 03/30/2012 Added configuration information for application logs. 02/15/2012 Added IPv6 mapping support. 11/15/2011 Updated configuration information. 09/24/2010 First edition of this configuration guide, for initial support of Microsoft Exchange Mailbox Access Auditing events 10100, 10102, 10104, and 10106 with Microsoft Exchange 2007 SP2..

Configuration Guide Contents Product Overview... 4 Enable Mailbox Access Auditing... 4 Access the Audited Information... 7 Change Default Properties... 7 Exclude Service Accounts... 8 Connector Installation and Configuration... 8 Collect Events from the Event Log... 8 Device Event Mapping to ArcSight Fields... 9 Exchange Event 10100 Mappings... 9 Exchange Event 10102 Mappings... 9 Exchange Event 10104 Mappings...10 Exchange Event 10106 Mappings...10 HPE Security ArcSight Connectors 3

SmartConnector for Windows Event Log Unified: Microsoft Exchange SmartConnector for Microsoft Exchange Mailbox Access Auditing Windows Event Log Unified This guide provides information about the SmartConnector for Microsoft Exchange Access Auditing Windows Event Log Unified and its event mappings to ArcSight data fields. This connector supports Microsoft Exchange Server 2007 audit application events for Windows Server 2008 and Windows Server 2008 R2 versions only. With Exchange Server 2010, Microsoft has added new native audit capabilities, such that the audit logs are maintained in the mailboxes themselves. Being able to get those audit logs is very difficult due to the potential number of mailboxes and the vast amount of data they may contain, and Windows Event Log integration for this will not work. Therefore, for Microsoft Exchange 2010 and later versions, use the SmartConnector for Microsoft Exchange PowerShell, which retrieves Microsoft Exchange Server 2010 SP2 and 2013 Mailbox Audit logs remotely, and lets you specify the mailboxes to be audited. The ArcSight SmartConnector Mappings to Windows Security Events document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for the SmartConnector for Windows Event Log Unified: Microsoft Exchange Audit.. Product Overview Microsoft Exchange Server is the server side of a client-server, collaborative application product developed by Microsoft. It is part of Microsoft's line of server products, used by enterprises using Microsoft infrastructure solutions. Microsoft Exchange 2007 Service Pack 2 is supported by this SmartConnector. Enable Mailbox Access Auditing To access the configuration area for mailbox access auditing, use the Exchange Management Console. The following figure shows the new Manage Diagnostic Logging Properties menu option. 4 HPE Security ArcSight Connectors

Configuration Guide HPE Security ArcSight Connectors 5

SmartConnector for Windows Event Log Unified: Microsoft Exchange To configure mailbox access auditing on a particular mailbox server: 1 Select that server in the Exchange Management Console and then select the Manage Diagnostics Logging Properties menu option from the action pane; the Manage Diagnostics Logging Properties window is displayed. 2 In this window, expand the MSExchangeIS category and then expand the 9000 Private category. 3 Under the MSExchangeIS\9000 Private category, configure auditing for any or all of the four possible actions: Folder Access, to log events that correspond to opening folders, such as the Inbox, Outbox, or Sent Items folders Message Access, to log events that correspond to explicitly opening messages Extended Send As, to log events that correspond to sending a message as a mailboxenabled user Extended Send On Behalf Of, to log events that correspond to sending a message on behalf of a mailbox-enabled user. 4 When you have finished configuring the auditing levels, click Configure. 6 HPE Security ArcSight Connectors

Configuration Guide For more information about Exchange mailbox access auditing, see http://www.msexchange.org/articles_tutorials/exchange-server-2007/compliance-policiesarchiving/exchange-2007-mailbox-access-auditing-part1.html For examples of configuring Exchange mailbox access auditing, see http://www.howexchangeworks.com/2009/09/mailbox-access-auditing-in-exchange.html Access the Audited Information Now that mailbox access auditing is enabled, you can view the information logged by navigating to Event Viewer -> Applications & Services Log -> Exchange Auditing. Change Default Properties By default, the location for storing the logs is in the Exchange Server installation directory (Drive\Program Files\Microsoft\Exchange Server\Logging\AuditLogs). The default behavior is to archive the logs when it gets full; therefore, the location of the logs should be changed to a drive that has enough free space. You can do this by selecting the properties for the Exchange Auditing log and changing the options. HPE Security ArcSight Connectors 7

SmartConnector for Windows Event Log Unified: Microsoft Exchange Exclude Service Accounts To keep from filling up your mailbox access log with events for service accounts that have full access to the mailboxes, you can run the following command to exclude service accounts from being audited. Get-MailboxDatabase -identity "server\sg\dbname" Add-ADPermission -User "service account" -ExtendedRights ms-exch-store-bypass-access-auditing - InheritanceType All Connector Installation and Configuration Follow the installation and configuration procedures in the SmartConnector Configuration Guide for Microsoft Windows Event Log Unified, selecting Microsoft Windows Event Log Unified as the connector to be configured.. Collect Events from the Event Log To set up the connector to collect application events: 1 From $ARCSIGHT_HOME\current\bin, double-click runagentsetup.bat. 2 Select Modify Connector on the window displayed and click Next. 3 Select Modify connector parameters and click Next. 4 Select Navigate to the Modify table parameters window. 5 To collect events from an application log, modify the Application field by selecting true for event collection in the Application field and enter Exchange Auditing in the Custom Log Names field. 8 HPE Security ArcSight Connectors

Configuration Guide You can specify multiple Custom Log Names in a comma-separated format; for example: Oracle Audit, Exchange Auditing 6 Click Next to update the parameters; when you receive the successful update message, click Next. 7 Select Exit and click Next to exit the configuration wizard. 8 Restart the connector for your changes to take effect. For more information about application event support, see the SmartConnector Configuration Guide for Microsoft Windows Event Log Unified. Device Event Mapping to ArcSight Fields The following section lists the mappings of ArcSight data fields to the device's specific event definitions. See ArcSight 101 for more information about the ArcSight data fields. Exchange Event 10100 Mappings ArcSight ESM Field Device Custom IPv6 Address 3 Device Custom Number 1 Device Custom Number 3 Device Custom String 4 Device Custom String 5 Device Custom String 6 File Name File Path Name Source Host Name Source Process Name Source Service Name Source User ID Source User Name Target Address Exchange Event 10102 Mappings ArcSight ESM Field Device Custom IPv6 Address 3 Device Custom Number 1 Device Custom Number 3 Device Custom String 4 Device Custom String 5 Device Custom String 6 File Name File Path Name Source Host Name Device-Specific Field Destination IPv6 Address Source Process ID Mailbox Name Identifier Message ID or Folder name depending upon event Folder path (when relevant) A folder in mailbox was opened by user. Machine Name Process Name Application ID Accessing User (full Exchange ID) Account Name Address Device-Specific Field Destination IPv6 Address Source Process ID Mailbox Name Identifier Message ID or Folder name, depending upon event Folder path (when relevant) A message in mailbox was opened by user. Machine Name HPE Security ArcSight Connectors 9

SmartConnector for Windows Event Log Unified: Microsoft Exchange ArcSight ESM Field Source Process Name Source Service Name Source User ID Source User Name Target Address Exchange Event 10104 Mappings ArcSight ESM Field Device Custom IPv6 Address 3 Device Custom Number 1 Device Custom Number 3 Device Custom String 4 Device Custom String 5 Device Custom String 6 File Name Name Source Host Name Source Process Name Source Service Name Source User ID Source User Name Target Address Target User ID Exchange Event 10106 Mappings ArcSight ESM Field Device Custom IPv6 Address 3 Device Custom Number 1 Device Custom Number 3 Device Custom String 4 Device Custom String 5 Device Custom String 6 File Name Name Source Host Name Source Process Name Source Service Name Source User ID Source User Name Target Address Target User ID Device-Specific Field Process Name Application ID Accessing User (full Exchange ID) Account Name Address Device-Specific Field Destination IPv6 Address Source Process ID Mailbox Name Identifier Message ID or Folder name, depending upon event User sent a message on behalf of another user. Machine Name Process Name Application ID Accessing User (full Exchange ID) Account Name Address full ID of user being impersonated Device-Specific Field Destination IPv6 Address Source Process ID Mailbox Name Identifier Message ID or Folder name, depending upon event User sent a message as another user. Machine Name Process Name Application ID Accessing User (full Exchange ID) Account Name Address full ID of user being impersonated 10 HPE Security ArcSight Connectors

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback