Integrating Netwrix Auditor With EventTracker - Netsurion


Integration Guide
Integrating Netwrix Auditor with EventTracker
EventTracker v9.3 or above
Publication Date: July 22, 2021
Copyright Netsurion. All Rights Reserved.

Abstract

This guide helps you configure Netwrix Auditor with EventTracker to receive Netwrix Auditor events. In this guide, you will find the detailed procedures required for monitoring Netwrix Auditor.

Scope

The configuration details in this guide are consistent with EventTracker version v9.3 or above and Netwrix Auditor 9.8 and later.

Audience

Administrators who are assigned the task to monitor and manage Netwrix Auditor events using EventTracker.

Table of Contents

1. Overview
2. Prerequisites
3. Configuring Netwrix Auditor to forward logs to EventTracker
   3.1 Configuring Task Scheduler
   3.2 Configuring Event Filter
4. EventTracker Knowledge Pack
   4.1 Category
   4.2 Alert
   4.3 Report
   4.4 Dashboards
5. Importing Netwrix Auditor Knowledge Pack into EventTracker
   5.1 Category
   5.2 Alert
   5.3 Knowledge Object
   5.4 Report
   5.5 Dashboards
6. Verifying Netwrix Auditor Knowledge Pack in EventTracker
   6.1 Category
   6.2 Alert
   6.3 Knowledge Object
   6.4 Report
   6.5 Dashboards
About Netsurion
Contact Us

1. Overview

Netwrix Auditor delivers a single console for analysis, alerting and reporting on IT infrastructure changes. The product helps organizations track changes and access events across the IT environment, and provides information as a set of easy-to-read reports. Netwrix Auditor solves security, compliance and operational problems.

EventTracker helps to monitor events from Netwrix Auditor. Its dashboards, alerts, and reports help you track authentication activities and any other actions, to keep you informed. It triggers an alert whenever a user tries to authenticate and fails, or any configuration action is successful.

2. Prerequisites

- EventTracker agent should be installed on a host system/server.
- PowerShell 5.0 should be installed on the host system/server.
- The user should have administrative privilege on the host system/server to run PowerShell.
- Admin access to the Netwrix Auditor platform.
- Audit Database settings are configured in Netwrix Auditor Server.
- TCP port 9699 (default Netwrix Auditor Integration API port) is open for inbound connections.
- Event log export add-on (Netwrix Add-ons for SIEM Integration) script folder should be downloaded on the host system/server.

3. Configuring Netwrix Auditor to forward logs to EventTracker

The steps below configure EventTracker to receive Netwrix Auditor events using the Event log.

3.1 Configuring Task Scheduler

1. On the computer where you want to execute the add-on, navigate to Task Scheduler.
2. Select Create Task.
3. On the General tab, specify a task name, e.g., EventTracker (Netwrix Auditor Add-on).
   Note: Make sure the account that runs the task has all necessary rights and permissions.
4. On the Triggers tab, click New.
   On Settings, select Daily.
   On Advanced settings, select Repeat task every 10 minutes for a duration of Indefinitely.
5. On the Actions tab, click New.
   Action - Start a program.
   Program/script - Powershell.exe.

   Add arguments (optional) - Add a path to the add-on in double quotes and specify add-on parameters.
   For example: -file "C:\Add-ons\Netwrix Auditor Audit Records to Event Log Add-on.ps1"
   Note: Make sure the Netwrix Auditor add-on script is not blocked.
   Save the task.
6. To verify the configuration, open Event Viewer and navigate to Event Viewer (local) > Applications and Services Logs > Netwrix Auditor Integration log.

3.2 Configuring Event Filter

1. Launch EventTracker Control Panel.
2. Double-click EventTracker Agent Configuration.

3. Navigate to Event Filters > Filter Exception.
4. Click New.

5. Configure settings for relevant events as shown below.
   Event ID - 24966
   Event ID - 20618

   Event ID - 49901
   Event ID - 64197

   Event ID - 15993
6. Review the changes and click OK to confirm.
7. Click Save.
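The scheduled task from section 3.1 and the verification in its step 6 can also be scripted. The following PowerShell is an added example, not part of the Netsurion guide or the Netwrix add-on; it assumes the guide's sample script path, a spaced form of its example task name, the log name as displayed in Event Viewer, and an interactively supplied run-as account.

```powershell
# Added example. Assumed: the guide's sample script path, a spaced form of its task name,
# and the log name as it is shown in Event Viewer.
$scriptPath = 'C:\Add-ons\Netwrix Auditor Audit Records to Event Log Add-on.ps1'
$taskName   = 'EventTracker (Netwrix Auditor Add-on)'
$logName    = 'Netwrix Auditor Integration'
$eventIds   = 24966, 20618, 49901, 64197, 15993   # IDs from section 3.2

if (-not (Test-Path -LiteralPath $scriptPath)) {
    throw "Add-on script not found: $scriptPath"
}

# A script downloaded from the web carries a Zone.Identifier stream ("blocked").
# Review the script first; -Confirm makes the unblock an explicit decision.
if (Get-Item -LiteralPath $scriptPath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue) {
    Write-Warning "Add-on script is blocked: $scriptPath"
    Unblock-File -LiteralPath $scriptPath -Confirm
}

# Action from step 5: Powershell.exe -file "<path in double quotes>"
$action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument "-file `"$scriptPath`""

# Trigger from step 4: Daily, repeated every 10 minutes. New-ScheduledTaskTrigger -Daily has
# no repetition parameters, so the repetition pattern is copied from a -Once trigger.
# Leaving the duration unset repeats indefinitely (Windows Server 2016 / Windows 10 and later).
$start   = (Get-Date).Date
$trigger = New-ScheduledTaskTrigger -Daily -At $start
$repeat  = New-ScheduledTaskTrigger -Once -At $start -RepetitionInterval (New-TimeSpan -Minutes 10)
$trigger.Repetition = $repeat.Repetition

# Step 3 note: the run-as account needs the rights the add-on requires.
$cred = Get-Credential -Message 'Account that runs the add-on task'
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null

# Step 6, scripted: run the task once, then count recent events per filtered ID.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 60
$filter = @{ LogName = $logName; Id = $eventIds; StartTime = (Get-Date).AddMinutes(-15) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# A count of 0 only means no audit record of that type was exported in the window.
foreach ($id in $eventIds) {
    [pscustomobject]@{
        EventId = $id
        Count   = @($events | Where-Object { $_.Id -eq $id }).Count
    }
}
```

Run it from an elevated PowerShell session on the host where the EventTracker agent and the add-on script folder are installed.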

4. EventTracker Knowledge Pack

After logs are received by EventTracker manager, Knowledge Packs can be configured into EventTracker. The following Knowledge Packs are available in EventTracker to support Netwrix Auditor.

4.1 Category

- Netwrix Auditor - Failed configuration activities - This category provides information related to all failed configurations detected in Netwrix Auditor.
- Netwrix Auditor - Successful configuration activities - This category provides information related to all successful configurations in Netwrix Auditor.
- Netwrix Auditor - User login failed activities - This category provides information related to all login failures detected in Netwrix Auditor.
- Netwrix Auditor - User Login successful activities - This category provides information related to all successful logins detected in Netwrix Auditor.

4.2 Alert

- Netwrix Auditor: Successful configuration activity - This alert is triggered when a successful configuration is detected in Netwrix Auditor.
- Netwrix Auditor: User Login Failed - This alert is triggered when a user login failure is detected in Netwrix Auditor.

4.3 Report

- Netwrix Auditor - Failed User login activities - This report gives information about all the user login failures detected in Netwrix Auditor. The report contains username, domain name, IP address, application name, etc.
- Netwrix Auditor - Successful configuration activities - This report gives information about all the successful configurations detected in Netwrix Auditor. The report contains Username, Object Name, Domain Name, etc.
- Netwrix Auditor - Failed configuration Activities - This report gives information about all the failed configuration activities detected in Netwrix Auditor. The report contains Username, Object Name, Domain Name, etc.

- Netwrix Auditor - Successful user login activities - This report gives information about all the successful user login activities detected in Netwrix Auditor. The report contains Username, Domain Name, IP address, Application Name, etc.

4.4 Dashboards

- Netwrix Auditor - User successful login activities by Username
- Netwrix Auditor - User successful login activities by geo location

- Netwrix Auditor - User login failure activities by Username
- Netwrix Auditor - User login failure activities by geo location

- Netwrix Auditor - successful configuration activities
- Netwrix Auditor - Actions by object type

5. Importing Netwrix Auditor Knowledge Pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:
- Category
- Alert
- Knowledge Object
- Report
- Dashboard

1. Launch EventTracker Control Panel.
2. Double-click Export Import Utility.
3. Click the Import tab.

5.1 Category

1. Click the Category option, and then click the Browse button.

2. Locate the Category Netwrix Auditor.iscat file, and then click Open.
3. To import categories, click Import.
   EventTracker displays a success message.
4. Click OK, and then click Close.

5.2 Alert

1. Click the Alert option, and then click Browse.

2. Locate the Alerts Netwrix Auditor.isalt file, and then click Open.
3. To import alerts, click Import.
   EventTracker displays a success message.
4. Click OK, and then click Close.

5.3 Knowledge Object

1. Click Knowledge objects under the Admin option in the EventTracker manager page.

2. Click Import, as highlighted in the image below.
3. Click Browse.
4. Locate the file named KO Netwrix Auditor.etko.
5. Select the check box, and then click the Import option.

6. Knowledge objects are now imported successfully.

5.4 Report

1. Click the Reports option and select the New (*.etcrx) option.

2. Locate the file named Reports Netwrix Auditor.etcrx and select all the check boxes.
3. Click the Import button to import the report. EventTracker displays a success message.

5.5 Dashboards

NOTE: The steps below are specific to EventTracker 9 and later.

1. Open EventTracker in a browser and log on.

2. Navigate to the My Dashboard option as shown above.
3. Click the Import button as shown below.
4. Import the dashboard file Dashboard Netwrix Auditor.etwd and select the Select All checkbox.
5. Click Import as shown below.

6. Import is now completed successfully.
7. In the My Dashboard page, select the option to add a dashboard.
8. Choose an appropriate name for Title and Description. Click Save.
9. In the My Dashboard page, select the option to add dashlets.

10. Select the imported dashlets and click Add.

6. Verifying Netwrix Auditor Knowledge Pack in EventTracker

6.1 Category

1. Log on to EventTracker.
2. Click the Admin dropdown, and then click Category.
3. In the Category Tree, scroll down and expand the Netwrix Auditor group folder to view the imported category.

6.2 Alert

1. Log on to EventTracker.
2. Click the Admin menu, and then click Alerts.
3. In the Search box, type Netwrix Auditor, and then click Go.
   The Alert Management page will display the imported alert.
4. To activate the imported alert, toggle the Active switch.
   EventTracker displays a message box.
5. Click OK, and then click Activate Now.

NOTE: Specify the appropriate system in the alert configuration for better performance.

6.3 Knowledge Object

1. In the EventTracker web interface, click the Admin dropdown, and then select Knowledge Objects.

2. In the Knowledge Object tree, expand the Netwrix Auditor group folder to view the imported knowledge object.
3. Click Activate Now to apply the imported knowledge objects.

6.4 Report

1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.
2. In the Reports Configuration pane, select the Defined option.
3. Click the Netwrix Auditor group folder to view the imported reports.

6.5 Dashboards

1. In the EventTracker web interface, click Home and select My Dashboard.
2. In the Netwrix Auditor dashboard, you should now be able to see the following screen.

About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.

Contact Us

Corporate Headquarters
Netsurion
Trade Centre South
100 W. Cypress Creek Rd
Suite 530
Fort Lauderdale, FL 33309

Contact Numbers
EventTracker Enterprise SOC: 877-333-1433 (Option 2)
EventTracker Enterprise for MSP’s SOC: 877-333-1433 (Option 3)
EventTracker Essentials SOC: 877-333-1433 (Option 4)
EventTracker Software Support: 877-333-1433 (Option 5)
https://www.netsurion.com/eventtracker-support
