Setting Up and Using CTERA Sentinel

The following requirements are needed for CTERA Sentinel:

  • CTERA Edge Filer 7.8.x or higher and CTERA Portal 8.2.x.
  • A Syslog server with Azure Arc and Azure Monitoring Agent installed.
  • A resource group in Microsoft Azure.
  • A log analytics workspace in Microsoft Sentinel.

Setting Up Microsoft Sentinel for CTERA Sentinel

To set up Microsoft Sentinel for CTERA Sentinel, you need a resource group and a Log Analytics Workspace in Microsoft Sentinel.

To create a resource group in Microsoft Azure:

  1. In Microsoft Azure, access the Resource groups service.
  2. Click Create and complete the fields as follows:
    Subscription – The Microsoft Azure subscription.
    Resource group – A unique name for the resource group.
    Region – Select a region to host the resource group.
  3. Click Review + create, and after the group is validated, click Create.
    The Resource group is created.

To create and add a Log Analytics Workspace in Microsoft Sentinel:

  1. In Microsoft Azure, access the Microsoft Sentinel service.
    The Microsoft Sentinel screen is displayed.
  2. Click Create.
    The Add Microsoft Sentinel to a workspace screen is displayed.
  3. Click Create a new workspace.
    The Create Log Analytics workspace screen is displayed.
  4. Complete the fields as follows:
    Subscription – The Microsoft Azure subscription.
    Resource group – Select the resource group.
    Name – A unique name for the workspace.
    Region – Select the region to host the workspace.
  5. Click Review + create, and after the workspace is validated, click Create.
  6. When the deployment is complete, re-access Microsoft Sentinel.
  7. Click Create.
  8. Select the newly created workspace and click Add.
    You’ve now set up the Microsoft Sentinel environment for CTERA Sentinel.

Installing CTERA Sentinel

Before installing CTERA Sentinel, you must connect the Syslog server to Azure Arc and install and connect the Azure Monitor Agent (AMA).

To connect the Syslog server to Azure Arc:

  1. In Microsoft Azure, access the Azure Arc service.
  2. Under Azure Arc resources, click Machines, then Add/Create.
  3. Select Add a Machine.
    Add Servers with Azure Arc is displayed.
  4. Select Add a single server and then click Generate Script.
  5. Complete the fields as follows:
    Subscription – The Microsoft Azure subscription.
    Resource group – Select the resource group.
    Region – Select the region.
  6. Click Download and run script.
    A script is generated.
  7. Copy this script to the Syslog server.
  8. Run the script on the Syslog server, which will automatically connect the server to Azure Arc.
  9. Download and install Azure Monitor Agent (AMA) on the Syslog server.
Note

You can use the following URL to download AMA: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/ForwarderAMAinstaller.py

Once installed, AMA is automatically connected to the Azure Arc-enabled Syslog server.

Before CTERA Sentinel can be used, create a Data Collection Rule to collect platform metrics.

To create a Data collection rule:

  1. In Microsoft Azure, navigate to Data collection rules.
  2. Click Create.
    A Create Data Collection Rule screen is displayed.
  3. Complete the fields as follows:
    Rule name – Create a unique rule name.
    Subscription – The Microsoft Azure subscription.
    Resource group – Select the resource group.
    Region – Select the region.
    Platform Type – Select Linux.
    Data Collection Endpoint – Use the default choice, none.
  4. Click Next: Resources.
    The screen displayed enables you to pick a set of resources to collect data from.
  5. Click Add resources.
    The Select a scope blade is displayed.
  6. Complete the fields as follows:
    Resource group – Select the resource group from the Scope drop-down list and expand the arrow to the left of the resource group's name. The resource type is displayed.
    Resource type – Select Machine - Azure Arc.
    Location – Use the default region.
  7. Click Apply.
    The Add data source blade is displayed.
  8. Click Add data source.
  9. Check the Facility box to select all facilities.
  10. Click Next: destination.
    The Add destination blade is displayed.
  11. Click Add destination and complete the fields as follows:
    Destination type – Select Azure Monitor Logs from the drop-down menu.
    Subscription – The Microsoft Azure subscription.
    Destination Details – Select the workspace.
  12. Click Add data source.
    Note

    Adding Tags is optional.

  13. Click Review + create.
    Once validated, the Data Collection Rule is ready to be created.
  14. Click Create.
    Once deployment is complete, the Data Collection Rule is created.
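The Data Collection Rule built in steps 1 to 14 (Linux platform, all Syslog facilities, Azure Monitor Logs destination, scoped to the Azure Arc-enabled Syslog server), expressed as an ARM template so the same configuration can be reviewed and deployed repeatably. This is an added example rather than part of the CTERA article: the names dcr-ctera-syslog, dcra-ctera-syslog, ctera-syslog and sentinel-workspace are placeholders, and the two parameters are assumptions supplied at deployment time.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": { "type": "string",
      "metadata": { "description": "Placeholder: resource ID of the Log Analytics workspace that Microsoft Sentinel was added to." } },
    "arcMachineName": { "type": "string",
      "metadata": { "description": "Placeholder: name of the Azure Arc-enabled Syslog server (the Machine - Azure Arc resource)." } }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "dcr-ctera-syslog",
      "location": "[resourceGroup().location]",
      "kind": "Linux",
      "properties": {
        "dataSources": {
          "syslog": [
            { "name": "ctera-syslog", "streams": [ "Microsoft-Syslog" ],
              "facilityNames": [ "*" ], "logLevels": [ "*" ] }
          ]
        },
        "destinations": {
          "logAnalytics": [
            { "name": "sentinel-workspace", "workspaceResourceId": "[parameters('workspaceResourceId')]" }
          ]
        },
        "dataFlows": [
          { "streams": [ "Microsoft-Syslog" ], "destinations": [ "sentinel-workspace" ] }
        ]
      }
    },
    {
      "type": "Microsoft.Insights/dataCollectionRuleAssociations",
      "apiVersion": "2022-06-01",
      "name": "dcra-ctera-syslog",
      "scope": "[concat('Microsoft.HybridCompute/machines/', parameters('arcMachineName'))]",
      "dependsOn": [ "[resourceId('Microsoft.Insights/dataCollectionRules', 'dcr-ctera-syslog')]" ],
      "properties": {
        "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', 'dcr-ctera-syslog')]"
      }
    }
  ]
}
```

Deploy it into the resource group with `az deployment group create --resource-group <resource-group> --template-file dcr-ctera-syslog.json --parameters workspaceResourceId=<id> arcMachineName=<name>`. The `"*"` wildcards correspond to checking the Facility box in step 9, and the association resource corresponds to the Machine - Azure Arc scope selected in step 6.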

CTERA Sentinel is ready to be installed.

To install CTERA Sentinel:

  1. In Microsoft Azure, access the Microsoft Sentinel service.
  2. Select the required Log Analytics Workspace.
  3. Select Content Hub under Content management in the menu.
  4. Search for CTERA Sentinel and select it from the Content title list.
  5. Click Install/Update.
    CTERA Sentinel is now installed in the Microsoft Sentinel Content hub.
Note

It takes time for the logs from the CTERA Edge Filer and CTERA Portal to be fed into the system. Once connected, the data connector symbol turns green.

The Syslog data connectors are added automatically.

Using CTERA Sentinel

Accessing and Enabling CTERA Sentinel Tools

  1. In Microsoft Azure, access Microsoft Sentinel, and select the required Log Analytics Workspace.
  2. The Overview (Preview) screen is displayed.
    From here, you can access, view and manage:
    • Workbooks
    • Analytics
    • Hunting

Enabling the CTERA Workbook

Workbooks enable you to visualize and monitor your data to know what’s happening across all your connected data sources.

To enable the CTERA Sentinel Workbook:

  1. In Microsoft Sentinel, select the required Log Analytics Workspace.
    The Overview (Preview) screen is displayed.
  2. Select Workbooks.
    The Workbook screen is displayed.
  3. Click Templates to view CTERA Workbook templates.
    A list of templates is displayed.
  4. Select CTERA Audit Logs Ingestion.
    This workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents.
  5. Click Save and then select the location where you want to save the workbook.

Enabling Analytics Rules

To enable Analytics rules:

  1. In Microsoft Sentinel, select the required Log Analytics Workspace.
    The Overview (Preview) screen is displayed.
  2. Select Analytics listed under Configuration.
    The Analytics screen is displayed, showing active rules, templates and anomalies.
  3. Click Rule templates.
    A list of analytics rules is displayed.
    Note

    The following analytics rules are included in CTERA Sentinel:

    • Ransom Protect Detected a Ransomware Attack
    • Ransom Protect User Blocked
  4. Highlight the Ransom Protect Detected a Ransomware Attack rule, and click Create rule.
    An Analytics rule wizard screen is displayed that enables you to create a new scheduled rule.
  5. Complete the fields as follows:
    Severity – Select High, Medium, Low, or Informational.
    MITRE ATT&CK – Leave the default.
    Status – Leave the default, Enabled.
  6. Click Next: Set rule logic.
    Options to define the logic for your new analytics rule are displayed.
  7. Click Next: Incident settings.
    An Incident settings screen is displayed with the following options:
    Incident settings – Enables creating incidents from alerts.
    Alert groupings – Enables grouping related alerts.
  8. Click Next: Automated response.
    The Automation rules screen is displayed, where you can view all automation rules and create new ones.
  9. Click Next: Review + Create and then Save.
    The analytics rule is now enabled and active.
  10. Repeat the same steps to enable the Ransom Protect User Blocked rule.
Note

Analytics rules can be edited.

To edit active Analytics rules:

  1. Click Active rules.
  2. The active analytics rules are displayed.
  3. Select the relevant analytics rule and click Edit.
    Screens are displayed with options to enable editing in each of the steps where analytics rule details were previously defined.

Enabling Hunting

Hunting enables the active search for unusual behaviors or threats across your environment by running specific queries.

To run a hunt:

  1. In Microsoft Sentinel, select the required Log Analytics Workspace.
    The Overview (Preview) screen is displayed.
  2. Select Hunting listed under Threat management.
    The Hunting screen is displayed.
  3. Click Queries.
    A list of hunting queries is displayed.
    These include the following hunts, which are currently in CTERA Sentinel:
    CTERA Mass Access Denied Detection – Tracks when a large number of access attempts are being blocked.
    CTERA Mass Permission Change Detection – Monitors for any unusual modifications to file and folder permissions.
    CTERA Mass File Deletions Detection – Scans for large-scale file deletions that could signal a problem.
  4. Select the relevant hunt queries and click Run selected queries.
  5. To view query results, select one hunting query at a time and click View results.

To enable a hunt to run automatically:

  1. In Microsoft Sentinel, select the required Log Analytics Workspace.
    The Overview (Preview) screen is displayed.
  2. Select Hunting listed under Threat management.
    The Hunting screen is displayed.
  3. Click Queries.
    The list of hunting queries is displayed.
  4. Either click the blue star next to the hunt, or right-click the hunt and select Favorite.
  5. Specify the time range that the query will run.
  6. Click Run.
Note

Hunts are based on the latest data received while logged on.
