Setting Up and Using CTERA Sentinel
CTERA Sentinel has the following requirements:
- CTERA Edge Filer 7.8.x or higher and CTERA Portal 8.2.x.
- A Syslog server with Azure Arc and Azure Monitoring Agent installed.
- A resource group in Microsoft Azure.
- A log analytics workspace in Microsoft Sentinel.
Setting Up Microsoft Sentinel for CTERA Sentinel
To set up Microsoft Sentinel for CTERA Sentinel, you need a resource group and a Log Analytics Workspace in Microsoft Sentinel.
To create a resource group in Microsoft Azure:
- In Microsoft Azure, access the Resource groups service.
- Click Create and complete the fields as follows:
Subscription – The Microsoft Azure subscription.
Resource group – A unique name for the resource group.
Region – Select a region to host the resource group.
- Click Review + create, and after the group is validated, click Create.
The Resource group is created.
To create and add a Log Analytics Workspace in Microsoft Sentinel:
- In Microsoft Azure, access the Microsoft Sentinel service.
The Microsoft Sentinel screen is displayed.
- Click Create.
The Add Microsoft Sentinel to a workspace screen is displayed.
- Click Create a new workspace.
The Create Log Analytics workspace screen is displayed.
- Complete the fields as follows:
Subscription – The Microsoft Azure subscription.
Resource group – Select the resource group.
Name – A unique name for the workspace.
Region – The region to host the workspace.
- Click Review + create, and after the workspace is validated, click Create.
- When the deployment is complete, re-access Microsoft Sentinel.
- Click Create.
- Select the newly created workspace and click Add.
You’ve now set up the Microsoft Sentinel environment for CTERA Sentinel.
Installing CTERA Sentinel
Before installing CTERA Sentinel, you must connect the Syslog server to Azure Arc and install and connect the Azure Monitor Agent (AMA).
To connect the Syslog server to Azure Arc:
- In Microsoft Azure, access the Azure Arc service.
- Under Azure Arc resources, click Machines, then Add/Create.
- Select Add a Machine.
Add Servers with Azure Arc is displayed.
- Select Add a single server and then click Generate Script.
- Complete the fields as follows:
Subscription – The Microsoft Azure subscription.
Resource group – Select the resource group.
Region – Select the region.
- Click Download and run script.
A script is generated.
- Copy this script to the Syslog server.
- Run the script on the Syslog server, which will automatically connect the server to Azure Arc.
- Download and install Azure Monitor Agent (AMA) on the Syslog server.
You can use the following URL to download AMA: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/ForwarderAMAinstaller.py
Once installed, AMA is automatically connected to the Azure Arc-enabled Syslog server.
Before CTERA Sentinel can be used, create a Data Collection Rule to collect platform metrics.
To create a Data collection rule:
- In Microsoft Azure, navigate to Data collection rules.
- Click Create.
A Create Data Collection Rule screen is displayed.
- Complete the fields as follows:
Rule name – Create a unique rule name.
Subscription – The Microsoft Azure subscription.
Resource group – Select the resource group.
Region – Select the region.
Platform Type – Select Linux.
Data Collection Endpoint – Use the default choice, None.
- Click Next: Resources.
The screen displayed enables you to pick a set of resources to collect data from.
- Click Add resources.
The Select a scope blade is displayed.
- Complete the fields as follows:
Resource group – Select the resource group from the Scope drop-down list and expand the arrow to the left of the resource group's name. The resource type is displayed.
Resource type – Select Machine - Azure Arc.
Location – Use the default region.
- Click Apply.
The Add data source blade is displayed.
- Click Add data source.
- Check the Facility box to select all facilities.
- Click Next: destination.
The Add destination blade is displayed.
- Click Add destination and complete the fields as follows:
Destination type – Select Azure Monitor Logs from the drop-down menu.
Subscription – The Microsoft Azure subscription.
Destination Details – Select the workspace.
- Click Add data source.
Note: Adding Tags is optional.
- Click Review + create.
Once validated, the Data Collection Rule is ready to be created.
- Click Create.
Once deployment is complete, the Data Collection Rule is created.
CTERA Sentinel is ready to be installed.
To install CTERA Sentinel:
- In Microsoft Azure, access the Microsoft Sentinel service.
- Select the required Log Analytics Workspace.
- Select Content Hub under Content management in the menu.
- Search for CTERA Sentinel and select it from the Content title list.
- Click Install/Update.
CTERA Sentinel is now installed in the Microsoft Sentinel Content hub.
It takes time for the logs from the CTERA Edge Filer and CTERA Portal to be fed into the system. Once connected, the data connector symbol turns green.
The Syslog data connectors are added automatically.
Using CTERA Sentinel
Accessing and Enabling CTERA Sentinel Tools
- In Microsoft Azure, access Microsoft Sentinel, and select the required Log Analytics Workspace.
The Overview (Preview) screen is displayed.
From here, you can access, view and manage:
- Workbooks
- Analytics
- Hunting
Enabling the CTERA Workbook
Workbooks enable you to visualize and monitor your data to know what’s happening across all your connected data sources.
To enable the CTERA Sentinel Workbook:
- In Microsoft Sentinel, select the required Log Analytics Workspace.
The Overview (Preview) screen is displayed.
- Select Workbooks.
The Workbook screen is displayed.
- Click Templates to view CTERA Workbook templates.
A list of templates is displayed.
- Select CTERA Audit Logs Ingestion.
This workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents.
- Click Save and then select the location where you want to save the workbook.
Enabling Analytics Rules
To enable Analytics rules:
- In Microsoft Sentinel, select the required Log Analytics Workspace.
The Overview (Preview) screen is displayed.
- Select Analytics listed under Configuration.
The Analytics screen is displayed, showing active rules, templates and anomalies.
- Click Rule templates.
A list of analytics rules is displayed.
Note: The following analytics rules are included in CTERA Sentinel:
- Ransom Protect Detected a Ransomware Attack
- Ransom Protect User Blocked
- Highlight the Ransom Protect Detected a Ransomware Attack rule, and click Create rule.
An Analytics rule wizard screen is displayed that enables you to create a new scheduled rule.
- Complete the fields as follows:
Severity – Select High, Medium, Low, or Informational.
MITRE ATT&CK – Leave the default.
Status – Leave the default, Enabled.
- Click Next: Set rule logic.
Options to define the logic for your new analytics rule are displayed.
- Click Next: Incident settings.
An Incident settings screen is displayed with the following options:
Incident settings – Enables creating incidents from alerts.
Alert groupings – Enables grouping related alerts.
- Click Next: Automated response.
The Automation rules screen is displayed, enabling viewing of all automation rules and creating new automation rules.
- Click Next: Review + Create and then Save.
The analytics rule is now enabled and active.
- Repeat the same steps to enable the Ransom Protect User Blocked rule.
Analytics rules can be edited.
To edit active Analytics rules:
- Click Active rules.
The active analytics rules are displayed.
- Select the relevant analytics rule and click Edit.
Screens are displayed with options to enable editing in each of the steps where analytics rule details were previously defined.
Enabling Hunting
Hunting enables the active search for unusual behaviors or threats across your environment by running specific queries.
To run a hunt:
- In Microsoft Sentinel, select the required Log Analytics Workspace.
The Overview (Preview) screen is displayed.
- Select Hunting listed under Threat management.
The Hunting screen is displayed.
- Click Queries.
A list of hunting queries is displayed.
These include the following hunts, which are currently in CTERA Sentinel:
CTERA Mass Access Denied Detection – Tracks when a lot of access attempts are being blocked.
CTERA Mass Permission Change Detection – Monitors for any unusual modifications to file and folder permissions.
CTERA Mass File Deletions Detection – Scans for large-scale file deletions that could signal a problem.
- Select the relevant hunt queries and click Run selected queries.
- To view query results, select one hunting query at a time and click View results.
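The three hunts above each look for a burst of one kind of event from a single user. As an added example that is not CTERA's or Microsoft Sentinel's code, the following Python script applies that same sliding-window threshold idea to constructed syslog-style lines; the line layout, the action names ACCESS_DENIED, PERMISSION_CHANGE and FILE_DELETE, and the 5-minute window with a threshold of 4 are assumptions for illustration, not CTERA's actual audit format or the hunts' real thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines for this example only (layout and action names are assumed).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z filer01 ctera: user=alice action=ACCESS_DENIED path=/fin/a.xlsx
2024-05-01T10:00:05Z filer01 ctera: user=alice action=ACCESS_DENIED path=/fin/b.xlsx
2024-05-01T10:00:09Z filer01 ctera: user=alice action=ACCESS_DENIED path=/fin/c.xlsx
2024-05-01T10:00:14Z filer01 ctera: user=alice action=ACCESS_DENIED path=/fin/d.xlsx
2024-05-01T10:01:00Z filer01 ctera: user=bob action=FILE_DELETE path=/tmp/old.log
2024-05-01T10:03:00Z filer01 ctera: user=mallory action=FILE_DELETE path=/docs/1.docx
2024-05-01T10:03:01Z filer01 ctera: user=mallory action=FILE_DELETE path=/docs/2.docx
2024-05-01T10:03:02Z filer01 ctera: user=mallory action=FILE_DELETE path=/docs/3.docx
2024-05-01T10:03:03Z filer01 ctera: user=mallory action=FILE_DELETE path=/docs/4.docx
"""
LINE_RE = re.compile(r"^(\S+) \S+ ctera: user=(\S+) action=(\S+) path=\S+$")
# The three hunts named on the page, mapped to the (assumed) action each one counts.
HUNTS = {
    "CTERA Mass Access Denied Detection": "ACCESS_DENIED",
    "CTERA Mass Permission Change Detection": "PERMISSION_CHANGE",
    "CTERA Mass File Deletions Detection": "FILE_DELETE",
}

def parse_events(text):
    """Yield (timestamp, user, action) per line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3]

def run_hunts(text, window_s=300, threshold=4):
    """Return {hunt: {user: peak_count}} for users with >= threshold events in any window_s-second span."""
    events = sorted(parse_events(text))  # the sliding window below needs chronological order
    hits = defaultdict(dict)
    for hunt, wanted in HUNTS.items():
        per_user = defaultdict(list)
        for ts, user, action in events:
            if action == wanted:
                per_user[user].append(ts)
        for user, stamps in per_user.items():
            start = 0
            for end, ts in enumerate(stamps):
                while ts - stamps[start] > timedelta(seconds=window_s):  # slide the window start forward
                    start += 1
                count = end - start + 1
                if count >= threshold:
                    hits[hunt][user] = max(count, hits[hunt].get(user, 0))
    return dict(hits)
```

Here alice and mallory each trip a hunt, while bob's single deletion stays below the threshold; shrinking the window to 10 seconds drops alice, whose four denials span 13 seconds.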
To enable a hunt to run automatically:
- In Microsoft Sentinel, select the required Log Analytics Workspace.
The Overview (Preview) screen is displayed.
- Select Hunting listed under Threat management.
The Hunting screen is displayed.
- Click Queries.
The list of hunting queries is displayed.
- Either click the blue star next to the hunt or right-click the hunt and select Favorite.
- Specify the time range that the query will run.
- Click Run.
Hunts are based on the latest data received while logged on.