2021

EMC or VNX Device Configuration Guide StealthAUDIT® Stealthbits Activity Monitor®

TOC

EMC Celerra or VNX Device Configuration Overview 4

Supported File System Platforms 5

Supported Network Attached Storage Devices 5

StealthAUDIT Console Server Permissions 6

File System Applet Deployment Permissions 7

File System Proxy Service Permissions 8

StealthAUDIT File System Scan Options 9

StealthAUDIT File Activity Auditing 11

Local Mode Scans 12

Firewall Rules for Local Mode Scans 12

File System Data Collection Configuration for Local Mode Scans 13

Proxy Mode with Applet Scans 13

Firewall Rules for Proxy Mode with Applet Scans 15

File System Data Collection Configuration for Proxy Mode with Applet Scans 15

Proxy Mode as a Service Scans: with RPC or Secure RPC 17

Firewall Rules for Proxy Mode as a Service Scans 19

File System Data Collection Configuration for Proxy Mode as a Service Scans 20

Additional Parameters for File System Proxy Service 22

Activity Monitor Configuration 23

Activity Monitor Activity Agent Deployment 24

Prepare for Activity Monitoring 24

Monitored Host Configuration 25

Firewall Rules for Activity Monitoring 27

Additional Firewall Rules for EMC Unity, EMC Celerra, & EMC VNX Devices 28

StealthAUDIT Integration 28

Identify an Activity Log for StealthAUDIT 29

Doc_ID 694 2

Copyright 2021 STEALTHBITS, NOW PART OF NETWRIX, ALL RIGHTS RESERVED StealthAUDIT® Stealthbits Activity Monitor®

StealthAUDIT Data Collection Configuration for File Activity Scans 29

StealthINTERCEPT Integration 30

SI Agent Deployment 30

StealthDEFEND Integration 31

Sensitive Data to StealthDEFEND 32

SIEM Integration 33

EMC Celerra & VNX Device Configuration for Access Auditing 35

Group Membership for EMC Devices 35

Disable Secure Negotiate 36

EMC Celerra & VNX Device Configuration for Activity Monitoring 37

Install the EMC CEE 39

Connect Data Movers to EMC CEE Server 39

Validate EMC CEE Registry Key Settings 42

Validate EMC CEE Services are Running 43

StealthAUDIT Connection Profile & Host List 45

File System Custom Connection Profile 45

File System Custom Host List 46

Appendices 48

Appendix: EMC CEE Debug Logs 48

Appendix: EMC Event Mapping 49

Appendix: Configure EMC Registry Key Settings 50

More Information 53

EMC Celerra or VNX Device Configuration Overview

Stealthbits products audit and monitor Microsoft® Windows® file servers and/or Network Attached Storage (NAS) devices. StealthAUDIT employs the File System Solution to execute Access Auditing (FSAA), Activity Auditing (FSAC), and/or Sensitive Data Discovery Auditing scans. The Activity Auditing (FSAC) scans also require the Activity Monitor be deployed to monitor the target environment. Additionally, the Activity Monitor can be configured to provide activity data to StealthINTERCEPT, StealthDEFEND, and/or various SIEM products.

This document describes the necessary settings required to audit and monitor the target environment and to allow for successful use of:

• StealthAUDIT v11.0
• Stealthbits Activity Monitor v6.0
• StealthINTERCEPT v7.3 (Through integration with Activity Monitor)
• StealthDEFEND v2.7 (Through integration with Activity Monitor)

NOTE: The Sensitive Data Discovery Auditing requires the StealthAUDIT Sensitive Data Discovery Add-on.

The sections of this document align to the products as follows:

• StealthAUDIT
  • StealthAUDIT Scan Options
  • Activity Monitoring
  • EMC Celerra & VNX Device Configuration for Access Auditing
  • EMC Celerra & VNX Device Configuration for Activity Monitoring
  • StealthAUDIT Connection Profile & Host List
• Stealthbits Activity Monitor
  • Activity Monitoring
  • EMC Celerra & VNX Device Configuration for Activity Monitoring
• StealthINTERCEPT
  • Activity Monitoring
  • EMC Celerra & VNX Device Configuration for Activity Monitoring
• StealthDEFEND
  • Activity Monitoring
  • EMC Celerra & VNX Device Configuration for Activity Monitoring

Supported File System Platforms

The versions and devices listed below are supported for Access Auditing, Activity Monitoring, and Sensitive Data Discovery Auditing.

NOTE: Access Auditing and Sensitive Data Discovery Auditing support CIFS and NFSv3 (and below).

Supported Network Attached Storage Devices

StealthAUDIT for File Systems is compatible with scanning the following Network Attached Storage (NAS) devices as targets:

• EMC® Celerra® 6.0+
• EMC® VNX®:
  • VNX® 7.1
  • VNX® 8.1

StealthAUDIT Console Server Permissions

In most cases the StealthAUDIT user is a member of the local Administrators group on the StealthAUDIT Console server. However, if the Role Based Access model of StealthAUDIT usage is employed, then the user assigned the role of Job Initiator (for manual execution) or the credential used for the Schedule Service Account (for scheduled execution) must have the following permissions to execute File System scans in local mode, applet mode, or proxy mode with applet:

• Group membership in either of the following local groups:
  • Backup Operators
  • Administrators

These permissions grant the credential the ability to create a high integrity token capable of leveraging the “Back up files and directories” privilege on the host from which the StealthAUDIT executable is run.

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory. This is required by either the user account running the StealthAUDIT application, when manually executing jobs within the console, or the Schedule Service Account assigned within StealthAUDIT, when running jobs as scheduled tasks.

File System Applet Deployment Permissions

If executing the File System scans in either applet mode or proxy mode with applet, then the credential must have permissions to deploy and start the applet. Remember, the applet can only be deployed to a Windows server.

Configure the credential(s) with the following rights on the proxy server(s):

• Group membership in the local Administrators group
• Granted the “Backup files and directories” local policy privilege
• Granted the “Log on as a batch” privilege
• If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.

File System Proxy Service Permissions

If executing the File System scans in proxy mode as a service with RPC or secure RPC, then the File System Proxy Service should be installed on the Windows proxy server(s) prior to executing the scans. The version of the proxy service must match the major version of StealthAUDIT.

The service can be run either as LocalSystem or with a domain account supplied during the installation of the File System Proxy Service with the following permission on the proxy server:

• Membership in the local Administrators group
• Granted the “Log on as a service” privilege (Local Security Policies > Local Policies > User Rights Assignment > Log on as a service)
• If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory.

NOTE: The File System Proxy Service can be installed ad hoc through a data collector configuration option. In that case, the credential in the assigned Connection Profile must have permissions to install and run the service. Remember, it is not possible to enable secure RPC while using this option.

For secure RPC, a credential is supplied during installation to provide secured communications between the StealthAUDIT server and the proxy server. This credential must be a domain account, but no additional permissions are required. However, this account must be included as a StealthAUDIT Task (Domain) type credential in the Connection Profile to be used by the File System Solution. It is recommended to use the same domain account configured to run the proxy service for the secure RPC account.

If secure RPC will be enabled and the service configured to run as LocalSystem, then the installer automatically adds the necessary service principal names (SPNs) to the computer object in Active Directory.

If secure RPC will be enabled and the service configured to run as a supplied domain account, then it is necessary to manually configure the SPNs on the user object in Active Directory prior to installing the File System Proxy.

See the StealthAUDIT File System Proxy Service Installation Guide for additional information.

If installing the File System Proxy Service on multiple servers, then a custom host list of proxy servers should also be created. See the FSAA: Scan Server Selection section of the StealthAUDIT User Guides v11.0 for additional information.
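The three permission sections above (Console Server, Applet Deployment and Proxy Service) list the same kinds of prerequisites: local group membership, user rights assignments, the “Network access: Do not allow storage of passwords and credentials for network authentication” policy, and write access to the FSAA folder. The following PowerShell script is an added example, not part of this guide or the product, that checks those prerequisites for a given account before a scan job is run. The account name and install path are placeholders, and it assumes the credential-storage policy is read from its backing registry value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds, 1 = policy enabled), which the guide itself does not state.

```powershell
<#
Added example, not from the Stealthbits guide: pre-flight check of the account and host
prerequisites listed in the StealthAUDIT Console Server Permissions, File System Applet
Deployment Permissions and File System Proxy Service Permissions sections.
Run from an elevated PowerShell session on the Console server (default) or on a Windows
proxy server (-ProxyRole). $Account and $InstallRoot are placeholders.
Assumption: the policy "Network access: Do not allow storage of passwords and credentials
for network authentication" is read from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
DisableDomainCreds (1 = policy enabled, which keeps the applet from starting).
#>
param(
    [string]$Account     = 'CONTOSO\svc-stealthaudit',                          # placeholder
    [string]$InstallRoot = 'C:\Program Files (x86)\STEALTHbits\StealthAUDIT',   # placeholder
    [switch]$ProxyRole                                                          # proxy server checks
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}
function Get-Sid([string]$Name) {
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Local group membership: Administrators or Backup Operators on the Console server,
#    Administrators on a proxy server.
$groups = if ($ProxyRole) { @('Administrators') } else { @('Administrators', 'Backup Operators') }
$memberOf = @(foreach ($g in $groups) {
    $m = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    if ($m -and ($m.Name -contains $Account)) { $g }
})
$groupDetail = if ($memberOf) { 'Member of: ' + ($memberOf -join ', ') } else { 'Member of none of: ' + ($groups -join ', ') }
Add-Check 'Local group membership' ($memberOf.Count -gt 0) $groupDetail

# 2. User rights assignment, read from a secedit export of the local policy.
#    SeBackupPrivilege = "Back up files and directories", SeBatchLogonRight = "Log on as a batch job",
#    SeServiceLogonRight = "Log on as a service". secedit lists principals by SID, and a right
#    may be held through one of the groups found above, so those SIDs are accepted as well.
$inf = Join-Path $env:TEMP 'sa-userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf -ErrorAction SilentlyContinue
$principals = @(Get-Sid $Account) + @(foreach ($g in $memberOf) { Get-Sid $g })
$rights = if ($ProxyRole) { 'SeBackupPrivilege', 'SeBatchLogonRight', 'SeServiceLogonRight' } else { 'SeBackupPrivilege' }
foreach ($right in $rights) {
    $line = $policy | Where-Object { $_ -like "$right =*" }
    $granted = [bool]($line -and ($principals | Where-Object {
        $line -match ([regex]::Escape("*$_") + '(,|\s*$)') }))
    Add-Check "User right $right" $granted $(if ($line) { $line } else { 'not assigned to anyone' })
}

# 3. The credential-storage policy must be disabled for the applet to start.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableDomainCreds -ErrorAction SilentlyContinue
$value = if ($lsa) { $lsa.DisableDomainCreds } else { 'not set' }
Add-Check 'Credential storage policy disabled' (-not ($lsa -and $lsa.DisableDomainCreds -eq 1)) "DisableDomainCreds = $value"

# 4. WRITE access to ...\StealthAUDIT\FSAA, granted to the account directly or via a group from step 1.
$fsaa = Join-Path $InstallRoot 'FSAA'
$writable = $false
if (Test-Path $fsaa) {
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $writable = [bool]((Get-Acl -Path $fsaa).Access | Where-Object {
        $id = $_.IdentityReference.Value -replace '^BUILTIN\\', ''
        $_.AccessControlType -eq 'Allow' -and
        ($id -eq $Account -or $memberOf -contains $id) -and
        (($_.FileSystemRights -band $write) -eq $write)
    })
}
Add-Check "Write access to $fsaa" $writable $(if (Test-Path $fsaa) { 'ACL inspected' } else { 'folder not found' })

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it once on the Console server with the job account, and once with -ProxyRole on each Windows proxy server; a non-zero exit code means at least one prerequisite from the sections above is missing.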

StealthAUDIT File System Scan Options

Required permissions on the targeted file system are dependent upon not only the type of environment targeted but also the mode in which the data collection scan is executed. There are three primary types of scan modes: local, applet, or proxy. The proxy mode can be conducted via applet deployment, via running as a service with RPC (installed in advance), as well as through running as a service with a secure RPC option.

For the purpose of this document, “applet” refers to the runtime deployment of the StealthAUDITRPC.exe to either the target host (applet mode scans) or the proxy host (proxy mode with applet scans) via Microsoft Task Scheduler. A “proxy” host is any host which can be leveraged for running File System scans against target hosts.

Local Mode

When File System scans are run in local mode, it means all of the data collection processing is conducted by the StealthAUDIT Console server across the network. The data is collected in the SQLite database(s), or Tier 2 database(s), on the StealthAUDIT Console server, and then imported into the StealthAUDIT database, or Tier 1 database, on the SQL Server.

The diagram illustrates the StealthAUDIT server running the scan against a file server.

Proxy Mode with Applet

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.

When File System scans are run in proxy mode with applet, it means the File System applet is deployed to the Windows proxy server when the job is executed to conduct data collection. The data collection processing is initiated by the proxy server where the applet is deployed and leverages a local mode-type scan to each of the target host(s). The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server.


The diagram illustrates the StealthAUDIT server sending an FSAA applet to a proxy server, which runs the scan against a file server, and then returns data to the StealthAUDIT server.

Proxy Mode as a Service with RPC

When File System scans are run in proxy mode as a service with remote procedure call (RPC), there are two methods available for deploying the service:

• Pre-Installed File System Proxy Service – File System Proxy Service installation package must be installed on the Windows proxy server(s) prior to executing the scans. This is the recommended method and provides the option for enabling secure RPC.
• Ad Hoc File System Proxy Service Deployment – File System Proxy Service is installed on the Windows proxy server when the job is executed

The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target hosts. The final step in data collection is to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the StealthAUDIT Console server.


The diagram illustrates the StealthAUDIT server communicating with the proxy service on a proxy server, which runs the scan against a file server, collecting the data locally. Then the proxy service returns data to the StealthAUDIT server.

It is recommended to install the File System Proxy Service to the desired Windows proxy servers prior to job execution. However, it can be installed ad hoc through a data collector configuration option, but it is not possible to enable secure RPC while using this option.

Proxy Mode as a Service with Secure RPC

When File System scans are run in proxy mode as a service with secure RPC, the File System Proxy Service must be installed on the Windows proxy server(s) prior to executing the scans. The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target host(s). The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server.

The secure RPC is configured during the installation of the service on the proxy server. The credential provided for the secure communications in the installation wizard is also added to the StealthAUDIT Connection Profile assigned to the File System Solution.

The diagram illustrates the StealthAUDIT server communicating securely with the proxy service on a proxy server, which runs the scan against a file server, collecting the data locally and securely. Then the proxy service returns data securely to the StealthAUDIT server.

NOTE: Each of the StealthAUDIT scan jobs (Access Auditing/Sensitive Data Discovery Auditing jobs and the Activity Auditing jobs) require specific credentials assigned within the connection profile and a specific host list assigned. See the StealthAUDIT Connection Profile & Host List section for additional information.

StealthAUDIT File Activity Auditing


Specific permissions are necessary for Activity Auditing (FSAC) scans, which employ the Activity Monitor. See the Activity Monitor Configuration section for information.

Local Mode Scans

When File System scans are run in local mode, it means all of the data collection processing is conducted by the StealthAUDIT Console server across the network. The data is collected in the SQLite database(s), or Tier 2 database(s), on the StealthAUDIT Console server, and then imported into the StealthAUDIT database, or Tier 1 database, on the SQL Server.

The account used to run either a manual execution or a scheduled execution of the File System scans, must have the following permissions on the StealthAUDIT Console server:

• Group membership in either of the following local groups:
  • Backup Operators
  • Administrators

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory on the StealthAUDIT Console server. This is required by either the user account running the StealthAUDIT application, when manually executing jobs within the console, or the Schedule Service Account assigned within StealthAUDIT, when running jobs as scheduled tasks.

The Sensitive Data Discovery Add-on must be installed on the StealthAUDIT Console server. By default, SDD scans are configured to run two concurrent threads. Each thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time with 2 concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). See the StealthAUDIT Sensitive Data Discovery Add-On Installation Guide for additional information.

When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials within the Connection Profile assigned to the File System scans must be properly configured as explained above. Also the firewall rules must be configured to allow for communication between the applicable servers.

See the Activity Monitor Configuration section for information on additional requirements for Activity Auditing (FSAC) scans.

Firewall Rules for Local Mode Scans

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in local mode for communication between StealthAUDIT and the target host:

Communication Direction | Protocol | Ports | Description
StealthAUDIT Console to File Server/Device | TCP | 445 | SMB

File System Data Collection Configuration for Local Mode Scans

To employ the local mode scan for collecting file system data from the target host, navigate to the desired FileSystem > 0.Collection > …System Scans job(s) and open the File System Access Auditor Data Collector Wizard from the job’s query. The following configuration settings are required to employ local mode:

• Applet Settings wizard page – Require applet to be running as service on target option must remain unselected
• Scan Server Selection wizard page – Local StealthAUDIT Server option must be selected to run in local mode

NOTE: If the Automatic option is selected and the target is a NAS device, StealthAUDIT defaults to local mode scan.

See the FSAA Query Configuration section of the StealthAUDIT User Guides v11.0 for additional information.

RECOMMENDED: When choosing to use local mode for any of the File System Solution …System Scans job(s), set local mode for all of the …System Scans job(s) that will be scheduled to run together.

NOTE: Sensitive Data Discovery Auditing scans are configured on the Sensitive Data Settings and SDD Criteria Settings wizard pages of the File System Access Auditor Data Collector Wizard from the 1-SEEK System Scans Job.

Proxy Mode with Applet Scans

When File System scans are run in proxy mode with applet, it means the File System applet is deployed to the Windows proxy server when the job is executed to conduct data collection. The data collection processing is initiated by the proxy server where the applet is deployed and leverages a local mode-type scan to each of the target host(s). The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server.

Configure the credential(s) with the following rights on the proxy server(s):

• Group membership in the local Administrators group
• Granted the “Backup files and directories” local policy privilege
• Granted the “Log on as a batch” privilege
• If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory on the proxy server as well as on the StealthAUDIT Console server. This is required by either the user account running the StealthAUDIT application, when manually executing jobs within the console, or the Schedule Service Account assigned within StealthAUDIT, when running jobs as scheduled tasks.

Remember, Remote Registry Service must be enabled on the host where the applet is deployed (for Applet Mode or Proxy Mode with Applet scans) to determine the system platform and where to deploy the applet.

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.

Sensitive Data Discovery Auditing scans also require .NET Framework 4.0+ to be installed on the target Windows server in order for Sensitive Data Discovery collections to successfully occur. The Sensitive Data Discovery Add-on must be installed on the StealthAUDIT Console server. By default, SDD scans are configured to run two concurrent threads. Each thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time with 2 concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). See the StealthAUDIT Sensitive Data Discovery Add-On Installation Guide for additional information.

When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials within the Connection Profile assigned to the File System scans must be properly configured as explained above. Also the firewall rules must be configured to allow for communication between the applicable servers.

See the Activity Monitor Configuration section for information on additional requirements for Activity Auditing (FSAC) scans.

Firewall Rules for Proxy Mode with Applet Scans

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in proxy mode with applet for communication between StealthAUDIT and the proxy server:

Communication Direction | Protocol | Ports | Description
StealthAUDIT Console to Windows Proxy Server | TCP | 135 | RPC endpoint mapper for FSAA Applet Deployment
StealthAUDIT Console to Windows Proxy Server | TCP | Randomly allocated high TCP ports | RPC for FSAA Applet Deployment
StealthAUDIT Console to Windows Proxy Server | TCP | 445 | SMB
Between StealthAUDIT Console and Windows Proxy Server | TCP | 8766 | FSAA Applet Settings Configuration

NOTE: The FSAA applet settings configuration port 8766 can be customized on the Applet Settings page of the File System Access Auditor Data Collector Wizard.

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in proxy mode with applet for communication between the proxy server and the target host:

Communication Direction | Protocol | Ports | Description
Windows Proxy Server to File Server/Device | TCP | 445 | SMB

File System Data Collection Configuration for Proxy Mode with Applet Scans


To employ the proxy mode with applet scan for collecting file system data from the target host, navigate to the desired FileSystem > 0.Collection > …System Scans job(s) and open the File System Access Auditor Data Collector Wizard from the job’s query. The following configuration settings are required to employ proxy mode with applet:

• Applet Settings wizard page – Require applet to be running as service on target option must remain unselected
• Scan Server Selection wizard page – Choose between a single proxy or multiple proxy options
  • Specific Remote Server [textbox] – Assigns the data collection processing to the server specified in the textbox
  • Specific Remote Servers by Host List – Assigns the data collection processing to the proxy servers in the host list selected within the wizard via the Select Hosts Lists button.

Other configuration settings that directly relate to proxy mode with applet scans are:

• Applet Settings wizard page
  • Port Number – Default 8766, dedicated applet port must be open on the target host
  • Applet Log level – Type of log created on the target host
  • Keep log files for last [number] scan(s) – Data retention period. The default is set to 15.
  • Strong proxy affinity (only run scans on last proxy to scan host, unless no longer in proxy host list) – If selected, a host which was previously scanned with a given proxy will only be rescanned with that same proxy. If a host has not yet been scanned by a proxy server, the data collector should choose the least loaded proxy at that time. After that host has been scanned, it will follow the proxy affinity mapped out.
  • Maximum concurrent scans to run on any single applet host [number] – This option dictates a set limit to the number of simultaneous scans allowed to run on a proxy host regardless of max threads set on the job
  • Strong proxy affinity timeout: [number] minute(s) – This option determines the time a host waits, while the proxy server is busy, before it gets pushed into the job engine queue
  • Applet communication timeout: [number] minutes – This option determines the length of time (in minutes) the StealthAUDIT Console attempts to reach the proxy before giving up. The behavior is dependent upon proxy mode settings configured on the Scan Server Selection wizard page.
  • Stop scan on applet communication timeout – When checked, this option pauses the scan when connection to the applet is lost
  • Scan cancellation timeout: [number] minute(s) – This option will timeout the applet if there is an attempt to pause the scan and the applet does not respond within the specified time
• Scan Server Selection wizard page
  • Fallback to local mode if applet can’t start – If the applet cannot be deployed on the target host, it will be deployed locally on the same server as the StealthAUDIT Console if this option is enabled. The scan collects data across the network (local mode).
  • Run remote applet with normal priority (non-proxy applet server uses background priority by default) – If this option is enabled, the applet runs with normal priority. Running at low priority allows other normal priority applications to take precedence over the scan when consuming processing power and system resources. Running at low priority allows the scan to run with little or no impact on the applet host.
• Scan Settings
  • Restart incomplete scans after (0 always restarts) [number] days – Determines when the saved progress should be discarded and the scan restarted
  • Rescan unimported hosts after (0 always rescans) [number] days – Controls when the host is rescanned even if its data has not been imported yet

See the FSAA Query Configuration section of the StealthAUDIT User Guides v11.0 for additional information.

RECOMMENDED: When choosing to use proxy mode with applet for any of the File System Solution …System Scans job(s), set proxy mode with applet for all of the …System Scans job(s) that will be scheduled to run together.

NOTE: Sensitive Data Discovery Auditing scans are configured on the Sensitive Data Settings and SDD Criteria Settings wizard pages of the File System Access Auditor Data Collector Wizard from the 1-SEEK System Scans Job.

Proxy Mode as a Service Scans: with RPC or Secure RPC

When File System scans are run in proxy mode as a service with remote procedure call (RPC), there are two methods available for deploying the service:

• Pre-Installed File System Proxy Service – File System Proxy Service installation package must be installed on the Windows proxy server(s) prior to executing the scans. This is the recommended method and provides the option for enabling secure RPC.
• Ad Hoc File System Proxy Service Deployment – File System Proxy Service is installed on the Windows proxy server when the job is executed


The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target hosts. The final step in data collection is to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the StealthAUDIT Console server.

When File System scans are run in proxy mode as a service with secure RPC, the File System Proxy Service must be installed on the Windows proxy server(s) prior to executing the scans. The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target host(s). The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server.

The secure RPC is configured during the installation of the service on the proxy server. The credential provided for the secure communications in the installation wizard is also added to the StealthAUDIT Connection Profile assigned to the File System Solution.

File System Proxy Service Credentials

The service can be run either as LocalSystem or with a domain account supplied during the installation of the File System Proxy Service with the following permission on the proxy server:

• Membership in the local Administrators group
• Granted the “Log on as a service” privilege (Local Security Policies > Local Policies > User Rights Assignment > Log on as a service)
• If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory.

See the StealthAUDIT File System Proxy Service Installation Guide for additional information.

Sensitive Data Discovery Auditing Consideration

The Sensitive Data Discovery Add-on must be installed on the proxy server. This requirement is in addition to having the Sensitive Data Discovery Add-on installed on the StealthAUDIT Console server. By default, SDD scans are configured to run two concurrent threads. Each thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time with 2 concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). See the StealthAUDIT Sensitive Data Discovery Add-On Installation Guide for additional information.

Secure RPC Considerations


For secure RPC, a credential is supplied during installation to provide secured communications between the StealthAUDIT server and the proxy server. This credential must be a domain account, but no additional permissions are required. However, this account must be included as a StealthAUDIT Task (Domain) type credential in the Connection Profile to be used by the File System Solution. It is recommended to use the same domain account configured to run the proxy service for the secure RPC account.

Secure RPC & Service Principal Names

If secure RPC will be enabled and the service configured to run as LocalSystem, then the installer automatically adds the necessary service principal names (SPNs) to the computer object in Active Directory.

If secure RPC will be enabled and the service configured to run as a supplied domain account, then it is necessary to manually configure the SPNs on the user object in Active Directory prior to installing the File System Proxy.

See the StealthAUDIT File System Proxy Service Installation Guide for additional information.

Activity Monitoring

See the Activity Monitor Configuration section for information on additional requirements for Activity Auditing (FSAC) scans.

Firewall Rules for Proxy Mode as a Service Scans

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in proxy mode as a service, for communication between StealthAUDIT and the proxy server:

Communication Direction | Protocol | Ports | Description
StealthAUDIT Console to Windows Proxy Server | TCP | 135 | RPC endpoint mapper for FSAA Applet Deployment
Between StealthAUDIT Console and Windows Proxy Server | TCP | 8766 | FSAA Applet Settings Configuration

NOTE: The FSAA applet settings configuration port 8766 can be customized on the Applet Settings page of the File System Access Auditor Data Collector Wizard.

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in proxy mode with applet, for communication between the proxy server and the target host:

Communication Direction | Protocol | Ports | Description
Windows Proxy Server to File Server/Device | TCP | 445 | SMB

File System Data Collection Configuration for Proxy Mode as a Service Scans

To employ the proxy mode as a service scan for collecting file system data from the target host, navigate to the desired FileSystem > 0.Collection > …System Scans job(s) and open the File System Access Auditor Data Collector Wizard from the job’s query. The following configuration settings are required to employ proxy mode as a service:

- Applet Settings wizard page
  - Choose between deploying the service at the start of job execution or employing a proxy where the service is already installed:
    - Windows Service – Automatically installs the FSAA Applet as a proxy service
    - Require applet to be running as service on target – Employs the File System Proxy Service already installed on the proxy server
  - Use secure RPC connection (must have servicePrincipalName configured in Active Directory) – Must be checked to use secure RPC (if configured when the File System Proxy was installed)
- Scan Server Selection wizard page – Choose between a single proxy or multiple proxy options:
  - Specific Remote Server [textbox] – Assigns the data collection processing to the server specified in the textbox
  - Specific Remote Servers by Host List – Assigns the data collection processing to the proxy servers in the host list selected within the wizard via the Select Hosts Lists button

Other configuration settings that directly relate to proxy mode with applet scans are:

- Applet Settings wizard page
  - Port Number – Default 8766; the dedicated applet port must be open on the target host
  - Applet Log level – Type of log created on the target host
  - Keep log files for last [number] scan(s) – Data retention period. The default is set to 15.
  - Strong proxy affinity (only run scans on last proxy to scan host, unless no longer in proxy host list) – If selected, a host which was previously scanned with a given proxy will only be rescanned with that same proxy. If a host has not yet been scanned by a proxy server, the data collector chooses the least loaded proxy at that time. After that host has been scanned, it follows the proxy affinity mapped out.
  - Maximum concurrent scans to run on any single applet host [number] – This option sets a limit on the number of simultaneous scans allowed to run on a proxy host, regardless of the max threads set on the job
  - Strong proxy affinity timeout: [number] minute(s) – This option determines the time a host waits, while the proxy server is busy, before it gets pushed into the job engine queue
  - Applet communication timeout: [number] minutes – This option determines the length of time (in minutes) the StealthAUDIT Console attempts to reach the proxy before giving up. The behavior depends on the proxy mode settings configured on the Scan Server Selection wizard page.
  - Stop scan on applet communication timeout – When checked, this option pauses the scan when the connection to the applet is lost
  - Scan cancellation timeout: [number] minute(s) – This option times out the applet if there is an attempt to pause the scan and the applet does not respond within the specified time
- Scan Server Selection wizard page
  - Fallback to local mode if applet can’t start – If the applet cannot be deployed on the target host, it is deployed locally on the same server as the StealthAUDIT Console when this option is enabled. The scan then collects data across the network (local mode).
  - Run remote applet with normal priority (non-proxy applet server uses background priority by default) – If this option is enabled, the applet runs with normal priority. Running at low priority allows other normal-priority applications to take precedence over the scan when consuming processing power and system resources, so the scan runs with little or no impact on the applet host.
- Scan Settings
  - Restart incomplete scans after (0 always restarts) [number] days – Determines when the saved progress should be discarded and the scan restarted
  - Rescan unimported hosts after (0 always rescans) [number] days – Controls when the host is rescanned even if its data has not been imported yet

See the FSAA Query Configuration section of the StealthAUDIT User Guides v11.0 for additional information.

RECOMMENDED: When choosing to use proxy mode as a service for any of the File System Solution …System Scans job(s), set proxy mode as a service for all of the …System Scans job(s) which will be scheduled to run together.

NOTE: Sensitive Data Discovery Auditing scans are configured on the Sensitive Data Settings and SDD Criteria Settings wizard pages of the File System Access Auditor Data Collector Wizard from the 1-SEEK System Scans Job.

Additional Parameters for File System Proxy Service

The port and priority parameters can be modified for the File System Proxy service on the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\StealthAUDITFSAA\ImagePath

- Port parameter – Only needs to be added to the registry key value if a custom port is used. The default port of 8766 does not need to be set as a parameter.
  - Append -e [PORT NUMBER] to the ImagePath key value
- Priority parameter – Can be modified so that the service runs at background priority, which may be desired if the service has been installed directly on a file server.
  - Append -r 0 to the ImagePath key value

NOTE: If both parameters are added, there is no required order.

It is recommended to stop the StealthAUDIT FSAA Proxy Scanner service before modifying the registry key. See the Custom Parameters for File System Proxy Service section of the StealthAUDIT File System Proxy Service Installation Guide for additional information.
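The same change can be applied from a script instead of by hand in the Registry Editor. The PowerShell below is an added example, not a script shipped with the product; it assumes the service name is StealthAUDITFSAA (taken from the registry key path above) and an elevated session on the proxy server, and takes -Port for a custom port and -BackgroundPriority for the -r 0 parameter.

```powershell
# Added example (not the product's own script): apply the port (-e) and
# priority (-r 0) parameters to the File System Proxy service ImagePath value.
# Assumptions: the service name is StealthAUDITFSAA (the key name under
# HKLM\SYSTEM\CurrentControlSet\services in the guide) and this runs in an
# elevated PowerShell session on the proxy server.
param(
    [int]$Port = 8766,            # custom applet port; 8766 is the default and gets no -e parameter
    [switch]$BackgroundPriority   # append "-r 0" so the service runs at background priority
)

$ServiceName = 'StealthAUDITFSAA'
$KeyPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# 1. Stop the service before editing the registry, as the guide recommends.
if ((Get-Service -Name $ServiceName -ErrorAction Stop).Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
}

# 2. Read the current command line and keep a copy for rollback.
$current = (Get-ItemProperty -Path $KeyPath -Name ImagePath).ImagePath
$backup  = Join-Path $env:TEMP ('{0}-ImagePath-{1:yyyyMMddHHmmss}.txt' -f $ServiceName, (Get-Date))
Set-Content -Path $backup -Value $current
Write-Host "Current ImagePath: $current"
Write-Host "Backup saved to:   $backup"

# 3. Strip any earlier -e / -r parameters so the script can be rerun safely,
#    then append the requested ones (the guide says their order does not matter).
$new = (($current -replace '\s+-e\s+\d+', '') -replace '\s+-r\s+\d+', '').TrimEnd()
if ($Port -ne 8766)      { $new += " -e $Port" }
if ($BackgroundPriority) { $new += ' -r 0' }

if ($new -ne $current) {
    # ImagePath is normally REG_EXPAND_SZ; write it back with the same type.
    Set-ItemProperty -Path $KeyPath -Name ImagePath -Value $new -Type ExpandString
    Write-Host "New ImagePath:     $new"
}
else {
    Write-Host 'ImagePath already matches the requested parameters; nothing changed.'
}

# 4. Restart the service and confirm the Service Control Manager sees the new command line.
Start-Service -Name $ServiceName
$pathName = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").PathName
Write-Host "Service command line now: $pathName"
```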

Activity Monitor Configuration

The Activity Monitor collects activity events from file system environments. There must be a deployed activity agent on a Windows server to monitor the target environment.

While actively monitoring, the agent generates activity log files which are stored on the agent server. The Activity Monitor integrates with other Stealthbits products as well as SIEM products:

- StealthAUDIT
  - Activity Monitor activity agent writes activity log files on the agent server.
  - StealthAUDIT data collection can be configured to collect data for a specified number of days. RECOMMENDED: The Activity Monitor should be configured to keep more activity log files than StealthAUDIT is collecting.
  - StealthAUDIT Activity Auditing (FSAC) scans target the proxy server to collect data from the activity log files specified as being for StealthAUDIT.
  - StealthAUDIT Activity Auditing (FSAC) scans should be scheduled with these settings considered.
- Activity Monitor only
  - Activity Monitor agent writes activity log files on the agent server.
  - Activity Monitor Console search feature displays data from the activity log files.
- StealthINTERCEPT
  - Activity Monitor activity agent writes activity log files on the Windows proxy server for monitoring NAS devices.
  - StealthINTERCEPT Agent needs to be deployed on the Windows proxy server.
  - StealthINTERCEPT Agent monitors the activity log files as the activity agent writes activity data, and sends events to the StealthINTERCEPT event database according to the enabled policy configuration.
- StealthDEFEND
  - Activity Monitor activity agent writes activity log files on the activity agent server.
  - Activity Monitor sends the event stream to StealthDEFEND, which is configured on the Monitored Hosts’ properties > Syslog tab.
- SIEM Integration
  - Activity Monitor activity agent writes activity log files on the activity agent server.
  - Activity Monitor sends the event stream to the SIEM product, which is configured on the Monitored Hosts’ properties > Syslog tab.

Activity Monitor Activity Agent Deployment

Servers targeted for activity agent deployment must have .NET Framework 4.7.2 or higher installed or the deployment fails. Deploy an activity agent from the Activity Monitor Console. The credential supplied during deployment must have:

- Group membership in the local Administrators group

Follow the steps to deploy an activity agent.

Step 1 – On the Agents tab, click Add agent to open the Add New Agent(s) window.

Step 2 – On the Install new agent page, enter the Server name to deploy to a single server.

Step 3 – On the Credentials to connect to the server(s) page, provide the provisioned credential.

Remember, Remote Registry Service must be enabled on the host where the activity agent is deployed.

See the Stealthbits Activity Monitor Installation & Console User Guide for additional information on deploying and configuring the activity agent.

Prepare for Activity Monitoring

The target environment must be prepared for activity monitoring before the activity agent is configured. This preparation includes:

- For EMC devices, install the EMC Common Event Enabler (CEE) on the Windows proxy server where the Activity Monitor activity agent is deployed
  - EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server.
- For EMC Celerra devices, connect Data Movers
- Configure Firewall

Once this preparation is complete, the activity agent can be configured for monitoring through the Activity Monitor Console. See the EMC Celerra & VNX Device Configuration for Activity Monitoring section for details on completing this preparation.

Monitored Host Configuration

After activity agent deployment and the preparations for monitoring have been completed, add the Monitored Host to the activity agent server. In the Activity Monitor Console, open the Add New Host window and provide the following information:

- On the Choose Agent page, select the server for the Agent.
- On the Add Host page:
  - Select the appropriate Storage device type.
  - Then enter the name of the file system server in the textbox.
  - Optionally add a Comment to indicate the intended output.
- On the Protocols page, specify the protocol to monitor: All, CIFS, or NFS.
- On the Configure Operations page, the following configurations can be modified:
  - File Operations – Check operations on files to be monitored
  - Directory Operations – Check operations on directories to be monitored
  - Suppress subsequent Read operations in the same folder – Logs only one read operation when subsequent read operations occur in the same folder. This option is provided to improve overall performance and reduce output activity log volume.
  - Suppress Microsoft Office operations on temporary files – Filters out events for Microsoft Office temporary files. When Microsoft Office files are saved or edited, many temporary files are created. With this option enabled, events for these temporary files are ignored.
- On the Configure Basic Options page, the following configurations can be modified:
  - Report account names – Adds an Account Name column in the generated TSV files
  - Add C:\ to the beginning of the reported file paths – Adds “C:\” to file paths so they are displayed like a Windows file path:
    - Display example if checked – C:\Folder\file.txt
    - Display example if unchecked – /Folder/file.txt
  - Report UNC paths – Adds a UNC Path column and a Rename UNC Path column in the generated TSV files
    - This option corresponds to the REPORT_UNC_PATH parameter in the INI file. It is disabled by default. The UNC Path is in the following format:
      - For CIFS activity – \\[HOST]\[SHARE]\[PATH]
        - Example CIFS activity – \\ExampleHost\TestShare\DocTeam\Temp.txt
      - For NFS activity – [HOST]:/[VOLUME]/[PATH]
        - Example NFS activity – ExampleHost:/ExampleVolume/DocTeam/Temp.txt
    - When the option is enabled, the added columns are populated when a file is accessed remotely through the UNC Path. If a file is accessed locally, these columns are empty. These columns have also been added as Syslog macros.
  - Report operations with millisecond precision – Changes the timestamps of events recorded in the TSV log file to allow better ordering of events if multiple events occur within the same second
- On the Where to Log the Activity page, select whether to send the activity to a Log File or a Syslog Server.
- Configure the options on either the Log File page, the Syslog Server page, or both, depending on what was selected on the Where to Log the Activity page.
  - For Log File, the configurable options are:
    - Specify output file path – Specify the file path where log files are saved. Click the ellipsis button (...) to open Windows Explorer and navigate to a destination folder. Click Test to check that the path works.
    - Period to keep Log files – Log files are deleted after the period entered. The default is 10 days. Use the dropdown to specify whether the period is in Minutes, Hours, or Days.
    - This log file is for StealthAUDIT – Enable this option to have StealthAUDIT collect this monitored host configuration. RECOMMENDED: Identify the configuration to be read by StealthAUDIT when integration is available.
      - While the Activity Monitor can have multiple configurations per host, StealthAUDIT can only read one of them.
    - Add header to Log files – Adds headers to TSV files. This is used to feed data into Splunk.
  - For Syslog, the configurable options are:
    - Syslog server in SERVER[:PORT] format – Type the Syslog server name in SERVER:PORT format in the textbox.
      - The server name can be a short name, fully qualified name (FQDN), or IP address, as long as the organization’s environment can resolve the name format used. The Event stream is the activity being monitored according to this configuration for the monitored host.
    - Syslog Protocol – Identify the Syslog protocol to be used for the Event stream. The drop-down menu includes:
      - UDP
      - TCP
      - TLS
      - The TCP and TLS protocols add the Message framing drop-down menu. See the Syslog Tab section for additional information.
    - The Test button sends a test message to the Syslog server to check the connection. A green check mark or a red mark indicates whether the test message was sent or failed to send. Messages vary by Syslog protocol:
      - UDP – Sends a test message and does not verify the connection
      - TCP/TLS – Sends a test message and verifies the connection
      - TLS – Shows an error if the TLS handshake fails
    - See the Syslog Tab section for additional information.

After the monitored host configuration is complete, additional steps are required for StealthAUDIT, StealthINTERCEPT, StealthDEFEND, and SIEM integration. See the StealthAUDIT Integration, StealthINTERCEPT Integration, StealthDEFEND Integration, and SIEM Integration sections for additional information.

Firewall Rules for Activity Monitoring

Firewall settings depend on the type of environment being targeted. The following firewall settings are required for communication between the activity agent server and the Activity Monitor Console:

Communication Direction | Protocol | Ports | Description
Activity Monitor to Activity Agent Server | TCP | 4498 | Activity Agent Communication

Windows firewall rules need to be configured on the Windows server; certain inbound rules must be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft Connecting to WMI on a Remote Computer article.

Additional Firewall Rules for Dell EMC Unity, EMC Celerra, & EMC VNX Devices

The following firewall settings are required for communication between the CEE server/Activity Monitor activity agent server and the target Dell EMC Unity, EMC Celerra, or EMC VNX device:

Communication Direction | Protocol | Ports | Description
EMC Device to CEE Server | TCP | RPC Dynamic Range | CEE Communication
CEE Server to Activity Agent Server (when not the same server) | TCP | RPC Dynamic Range | CEE Event Data
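The inbound rules from these tables and from the proxy server tables in Firewall Rules for Proxy Mode as a Service Scans can be created with New-NetFirewallRule. The function below is an added example, not a script shipped with the product; the rule names, the -Role switch and the -PeerAddresses scoping are the example's own choices, and restricting each rule to the addresses of the consoles or CEE server that actually connect is the example's hardening, not a requirement stated in the guide.

```powershell
# Added example (not a script shipped with the product): create the inbound
# Windows Firewall rules listed in the guide for a Windows proxy server
# (proxy mode as a service) or an Activity Monitor activity agent server.
# The rule names, the -Role switch and the peer-address scoping are this
# example's own choices. Run in an elevated session on the receiving server.
function Add-StealthbitsInboundRules {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ProxyServer', 'ActivityAgent')]
        [string]$Role,

        # Addresses allowed to connect: the StealthAUDIT Console for a proxy
        # server; the Activity Monitor Console, StealthAUDIT Console and CEE
        # server for an agent server. 'Any' works but leaves the ports open wide.
        [string[]]$PeerAddresses = @('Any'),

        # FSAA applet settings port; 8766 is the default and can be changed in the wizard.
        [int]$AppletPort = 8766
    )

    # Ports taken from the guide's tables. LocalPort 'RPC' is the firewall's
    # keyword for the dynamic RPC range used by the EMC CEE.
    $ruleSets = @{
        ProxyServer = @(
            @{ Name = 'StealthAUDIT FSAA - RPC endpoint mapper (applet deployment)'; LocalPort = '135' }
            @{ Name = 'StealthAUDIT FSAA - Applet settings configuration';          LocalPort = "$AppletPort" }
        )
        ActivityAgent = @(
            @{ Name = 'Activity Monitor - Activity agent communication';  LocalPort = '4498' }
            @{ Name = 'StealthAUDIT FSAC - SMB access to activity logs';  LocalPort = '445' }
            @{ Name = 'EMC CEE - Event data (dynamic RPC range)';         LocalPort = 'RPC' }
        )
    }

    $created = @()
    foreach ($rule in $ruleSets[$Role]) {
        # Idempotent: a rule with the same display name is left untouched.
        if (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue) {
            Write-Host "Already present, skipping: $($rule.Name)"
            continue
        }
        # Profile Domain assumes domain-joined servers; widen it if yours are not.
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Allow `
            -Profile Domain -Protocol TCP -LocalPort $rule.LocalPort `
            -RemoteAddress $PeerAddresses | Out-Null
        $created += $rule.Name
    }

    if ($Role -eq 'ActivityAgent') {
        # StealthAUDIT also reaches the agent server over WMI, whose dynamic port
        # range cannot be expressed as a single inbound rule; enable Windows'
        # predefined WMI rule group instead.
        Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
    }
    return $created
}

# Usage (addresses are placeholders for your environment):
# Add-StealthbitsInboundRules -Role ProxyServer   -PeerAddresses 10.0.0.10
# Add-StealthbitsInboundRules -Role ActivityAgent -PeerAddresses 10.0.0.10, 10.0.0.20, 10.0.0.30
```

The proxy server's SMB connection to the file server (TCP 445) is outbound and is not created here, since the Windows Firewall allows outbound traffic by default.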

StealthAUDIT Integration

StealthAUDIT reads the activity log files created by the activity agent which are designated as being “…for StealthAUDIT” in the monitored host configuration. The credential in the Connection Profile must have:

- Group membership in the local Administrators group on the activity agent server

Remember, if the activity log files are being archived, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.

StealthAUDIT Activity Auditing scans collect the data stored in the activity log files by the activity agents. The following firewall settings are required for communication between the activity agent server and StealthAUDIT:

Communication Direction | Protocol | Ports | Description
StealthAUDIT to Activity Agent Server | TCP | 445 | SMB
StealthAUDIT to Activity Agent Server | TCP | Predefined | WMI

Identify an Activity Log for StealthAUDIT

While the Activity Monitor can have multiple configurations per host, StealthAUDIT can only read one of them. Therefore, after the Activity Monitor has been configured to monitor a host, it is necessary to indicate when that configuration is for StealthAUDIT. Follow the steps to identify the activity log file to be read by StealthAUDIT.

Step 1 – Within the Activity Monitor Console on the Monitored Hosts tab, select the desired configuration and click Edit.

Step 2 – On the Log File tab:

- Period to keep Log files – Activity logs are deleted after the number of days entered. The default is 10 days. RECOMMENDED: Keep a minimum of 10 days of activity logs. Raw activity logs should be retained to meet an organization’s audit requirements.
  - For StealthAUDIT integration, this value must be higher than the number of days between the StealthAUDIT Activity Auditing scans.
- Check the This log file is for StealthAUDIT box.

RECOMMENDED: Select the Comments tab and identify this output as being configured for StealthAUDIT.

Step 3 – Then click OK to save the setting.

StealthAUDIT now reads that activity log file when scanning the associated host.

StealthAUDIT Data Collection Configuration for File Activity Scans

To employ Activity Auditing (FSAC) scans, navigate to the FileSystem > 0.Collection > 1-FSAC System Scans Job and open the File System Access Auditor Data Collector Wizard from the job’s query.

On the Activity Settings wizard page, configure data retention period:

- Set Scan Filter for Detailed Activity – This option sets the number of days of activity details that are collected and retained within StealthAUDIT. The default is 60.
  - StealthAUDIT collects activity log files written since the last execution of the 1-FSAC System Scans Job, e.g. if the job runs daily, it only collects the past day’s activity.
  - Remember, the interval at which the 1-FSAC System Scans Job is scheduled must be shorter than the number of days configured for activity log retention by the Activity Monitor activity agent. RECOMMENDED: Retain a minimum of 10 days of activity log files and schedule the job to execute as often as possible within the organization, usually daily.
- Set Filter for Statistics of Activity – This option sets the number of days of activity statistics that are retained within StealthAUDIT. The default is 120.

See the FSAA Query Configuration section of the StealthAUDIT User Guides v11.0 for additional information.

StealthINTERCEPT Integration

To employ the Activity Monitor for file system activity monitoring with StealthINTERCEPT (SI), deploy an SI Agent on the server where the Activity Monitor activity agent resides. The activity agent writes activity log files on the proxy server. The SI Agent monitors the activity log files as the data is written and sends events to the StealthINTERCEPT event database according to the enabled StealthINTERCEPT policy configuration.

NOTE: The Activity Monitor must be configured to monitor at minimum the type of activity that the SI Agent is monitoring.

Since the Activity Monitor settings control the log retention for NAS device activity, the File System Monitor global setting within StealthINTERCEPT does not affect the log retention.

SI Agent Deployment

Servers targeted for SI Agent deployment must have .NET Framework 4.6.1 or higher installed or the deployment fails.

Step 1 – From within the SI Admin Console, select the Agents interface. Click the Add (+) button to open the Deploy Agents window.

Step 2 – On the Select Computers page, add hosts.

Step 3 – On the Set Options page, provide the credentials and ensure the Windows File System Module is installed.

Once the SI Agent has been deployed, policies can be created for monitoring purposes. See the StealthINTERCEPT Admin Console User Guide for additional information.

StealthDEFEND Integration

To employ the Activity Monitor for file system activity monitoring with StealthDEFEND, configure the Monitored Hosts’ properties to send activity data to StealthDEFEND on the Syslog tab.

NOTE: The Activity Monitor can be configured for multiple outputs for a host, e.g. for StealthAUDIT, StealthINTERCEPT, StealthDEFEND, or SIEM products. Add a new output for the same host to the Monitored Host tab in the Activity Monitor Console to customize the activity data to be sent to StealthDEFEND.

RECOMMENDED: Add a Comment to identify the product for which the output aligns. Comments can be added when the new output is configured on the Add Hosts page or when the Monitored Hosts’ properties are edited on the Comments tab.

After the Activity Monitor has been configured to monitor the host, follow these steps to send the event stream to StealthDEFEND.

Step 1 – On the Monitored Hosts tab, select the host and click Edit to open the host’s properties window. Select the Syslog tab.

Step 2 – Select the UDP option for the Syslog protocol from the drop-down menu.

Step 3 – Type the StealthDEFEND server name in a [SERVER]:[PORT] format in the textbox.

Step 4 – Click the ellipsis (…) to open the Syslog Message Template window.

Step 5 – Select StealthDEFEND for the Template.

Step 6 – Click OK to save the selection and close the Syslog Message Template window. Remember, it is recommended to select the Comments tab and identify this output as being configured for StealthDEFEND.

Step 7 – Click OK to save the changes and close the host’s properties window.

The template is assigned as the Syslog message template for the selected monitored host. StealthDEFEND begins receiving event stream data. See the StealthDEFEND Installation & Configuration User Guide for additional information.

Sensitive Data to StealthDEFEND

In StealthAUDIT, the FS_DEFEND_SDD Job exports sensitive data matches collected by the File System Solution Sensitive Data Discovery Auditing jobs to StealthDEFEND. It is available through the Instant Job Library.

For StealthDEFEND integration with StealthAUDIT, the following job groups must be successfully run before running the FS_DEFEND_SDD Job:

- FileSystem > 0.Collection Job Group
- FileSystem > 7.Sensitive Data Job Group

NOTE: The StealthAUDIT Sensitive Data Discovery Add-On is required for sensitive data collection.

Follow the steps to configure the FS_DEFEND_SDD Job to send sensitive data to StealthDEFEND.

Step 1 – In StealthAUDIT, install the FS_DEFEND_SDD Job to the desired location from the Instant Job Library under the File System library.

Step 2 – In the StealthDEFEND Console, generate the app token (endpoint token) to be copied and pasted into the Connection Profile.

- Navigate to the Configuration page.
- In the Integrations box, select App Tokens.
- In the Type drop-down list, select App Token.
- Enter a name and a unique description for the app token.
- Click Add to generate the app token.
- In the Integrations box, click the App Tokens arrow and select the token that you created.
- Ensure that the app token is enabled for sending data to StealthDEFEND. In the General box, verify that the status is set to ON.
- In the App Token box, click Copy Token to copy the app token to the clipboard.
- Paste the app token to the desired location.
- Click Save to save changes to the page.

Step 3 – In StealthAUDIT, create a Connection Profile for the FS_DEFEND_SDD Job and set the following information on the User Credentials window:

- Select Account Type – Web Services (JWT)
- Access Token – Paste the app token generated in StealthDEFEND into the text box

Assign the Connection Profile on the Connection Tab of the job’s Properties.

Step 4 – In StealthAUDIT, create a custom host list.

- The target host is the DNS name or IP address of the StealthDEFEND server running the StealthDEFEND Web Service:
  - Format – [HOST]:[PORT]
  - Example host list format – ExampleHost:8080
- Assign the host list at the FS_DEFEND_SDD > Configure > Hosts node

RECOMMENDED: Schedule the FS_DEFEND_SDD Job to run as part of the FileSystem Job, after the FileSystemOverview Job. The FS_DEFEND_SDD Job should be run after each subsequent sensitive data collection.

SIEM Integration

The Activity Monitor can be configured to stream events to various SIEM products.

NOTE: The Activity Monitor can be configured for multiple outputs for a host, e.g. for StealthAUDIT, StealthINTERCEPT, StealthDEFEND, or SIEM products. Add a new output for the same host to the Monitored Host tab in the Activity Monitor Console to customize the activity data to be sent to a SIEM product.

RECOMMENDED: Add a Comment to identify the product for which the output aligns. Comments can be added when the new output is configured on the Add Hosts page or when the host properties are edited on the Comments tab.

After the Activity Monitor has been configured to monitor a host, it is necessary to select a syslog template to be used for communicating with the SIEM product. The following Syslog templates have been provided:

- AlienVault
- HP ArcSight
- LogRhythm
- McAfee
- QRadar
- Splunk
- CEF (generic CEF message format)
- LEEF (generic LEEF message format)

NOTE: Stealthbits has created apps for IBM® QRadar® and Splunk® which are available through their app exchanges. See the Stealthbits File Activity Monitor App for QRadar User Guide or the Stealthbits File Activity Monitor App for Splunk User Guide for additional information.

Follow these steps to configure the Activity Monitor to stream event data to a SIEM product.

Step 1 – Within the Activity Monitor Console on the Monitored Hosts tab, select the desired configuration and click Edit. Select the Syslog tab.

Step 2 – Type the server name for the SIEM product in a [SERVER]:[PORT] format in the textbox.

Step 3 – Select the desired Syslog protocol from the drop-down menu.

Step 4 – Click the ellipsis (…) to open the Syslog Message Template window.

Step 5 – Select the desired template from the Template drop-down menu. If desired, the message can be modified, which creates a “Custom” template.

Step 6 – Click OK to save the selection and close the Syslog Message Template window. Remember, it is recommended to select the Comments tab and identify this output as being configured for the SIEM product, e.g. SIEM.

Step 7 – Then click OK to save the changes and close the host’s properties window.

The template is assigned as the Syslog message template for the selected monitored host. The SIEM product begins receiving event stream data.

EMC Celerra & VNX Device Configuration for Access Auditing

In order for StealthAUDIT to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credential must have the following permissions on the target host:

- Group membership in both of the following groups:
  - Power Users
  - Backup Operators

If there are folders to which the credential is denied access, it is likely that the Backup Operators group does not have the “Back up files and directories” right. In that case, it is necessary either to additionally assign the “Back up files and directories” right to those groups, or to create a new local group using Computer Management from a Windows server and then assign rights to it using the CelerraManagementTool.msc plugin, which is available to EMC customers. For further information, see the Celerra guide Using Windows Administrative Tools on VNX found on the Celerra website.

In order to successfully scan EMC devices from a StealthAUDIT Console on a Windows Server 2012 or Windows Server 2012 R2, the “Require Secure Negotiate” policy must be turned off on that server. This is due to a problem that is caused by the “Secure Negotiate” feature which was added to SMB 3.0 for Windows Server 2012 and Windows 8. This feature depends upon the correct signing of error responses by all SMBv2 servers, including servers that support only protocol versions 2.0 and 2.1. Some third-party file servers do not return a signed error response; therefore, the connection fails. See the Disable Secure Negotiate section for additional information.

Group Membership for EMC Devices Follow the steps assign group membership through Computer Management.

Step 1 – Open Computer Management (compmgmt.msc).

Step 2 – Right-click on the Computer Management (local) node and select Connect to another computer.

Step 3 – Enter the name of the EMC device in the textbox and click OK.

Step 4 – Navigate to the Local Users and Groups > Groups node for the device.

Step 5 – Select the Backup Operators group and add the account being provisioned.

Step 6 – Select the Power Users group and add the account being provisioned.


The account has been provisioned for Access Auditing and Sensitive Data Discovery Auditing.

Disable Secure Negotiate

Follow the steps on the StealthAUDIT Console server to disable the Require Secure Negotiate policy.

NOTE: This process is only needed for Windows Server 2012 or Windows Server 2012 R2.

Step 1 – Open the Registry Editor (run regedit). Navigate to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

Step 2 – Right-click on RequireSecureNegotiate and select Modify. The Edit DWORD Value window opens. In the Value data field, enter the value of 0. Click OK, and the Edit DWORD Value window closes.

NOTE: If the RequireSecureNegotiate DWORD Value does not exist, it needs to be added.

The Require Secure Negotiate policy has been disabled on the StealthAUDIT Console server.

EMC Celerra & VNX Device Configuration for Activity Monitoring

An EMC Celerra or VNX device can be configured to audit SMB protocol access events. All audit data can be forwarded to the EMC Common Event Enabler (CEE). The Activity Monitor listens for all events coming through the EMC CEE and translates all relevant information into entries in the TSV files or syslog messages.

If the service is turned off, a notification is sent to the EMC CEE framework to turn off the associated StealthAUDIT filter, but the policy is not removed.

The EMC CEE Framework uses a “push” mechanism so a notification will only be sent to the activity agent when a transaction occurs. Daily activity log files are created only if activity is performed. No activity log file is created if there is no activity for the day.

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on the Windows proxy server to monitor the EMC Celerra or VNX device. While actively monitoring, the activity agent generates activity log files stored on the target host from which StealthAUDIT reads the activity. Both the credential used to deploy the activity agent and the credential used by StealthAUDIT to read the activity log files must have:

• Group membership in the local Administrators group

It is also necessary to enable the Remote Registry Service on the target hosts where the activity agent is deployed. Additionally, the EMC Common Event Enabler (CEE) should be installed on the Windows proxy server where the activity agent is deployed. EMC CEE 8.4.2 through EMC CEE 8.6.1 are not supported for the asynchronous bulk delivery (VCAPS) feature.

RECOMMENDED: EMC CEE 8.2.0 is the recommended version to use with the VCAPS feature.

EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server in order for the EMC CEE service to start.

NOTE: If the activity log files are being archived, configurable within the Activity Monitor Console, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.

Complete the following checklist prior to configuring the Activity Monitor to monitor the host. Instructions for each item of the checklist are detailed within the following sections.

Checklist Item 1: Plan Deployment

• Prior to beginning the deployment, gather the following:

  • DNS name of Celerra or VNX CIFS share(s) to be monitored

  • Data Mover or Virtual Data Mover hosting the share(s) to be monitored

  • Account with access to the CLI

• Download the EMC CEE from:

  • http://support.emc.com

Checklist Item 2: Install the EMC CEE

• EMC CEE should be installed on the Windows proxy server(s) where the Activity Monitor activity agent is deployed

RECOMMENDED: EMC CEE 8.2.0 is the recommended version to use with the asynchronous bulk delivery (VCAPS) feature.

• Important:

  • Open MS-RPC ports between the EMC device and the Windows proxy server(s) where the EMC CEE is installed

  • EMC CEE 8.4.2 through EMC CEE 8.6.1 are not supported for use with the VCAPS feature

  • EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server

Checklist Item 3: EMC Device Configuration

• Configure the cepp.conf file on the Celerra VNX Cluster

• Connect Data Movers to EMC CEE Server

Checklist Item 4: Activity Monitor Configuration

• Deploy the Activity Monitor activity agent to a Windows proxy server where EMC CEE was installed

• After activity agent deployment, configure the EMC CEE Options tab of the agent’s Properties window within the Activity Monitor Console

  • This automatically sets the EMC registry key settings

Checklist Item 5: Configure EMC CEE to Forward Events to the Activity Agent

NOTE: When EMC CEE is installed on the Windows proxy server(s) where the Activity Monitor activity agent will be deployed, the following steps are not needed.

• Ensure the EMC CEE registry key has Enabled set to 1 and has an EndPoint set to StealthAUDIT. See the Validate EMC CEE Registry Key Settings section for additional information.

• Ensure the EMC CAVA service and the EMC CEE Monitor service are running. See the Validate EMC CEE Services are Running section for additional information.

Once these checklist items have been completed, it is time to add the EMC device to the Monitored Hosts tab of the Activity Monitor Console. See the Monitored Host Configuration section for additional information.

Install the EMC CEE

The EMC CEE package should be installed on the Windows proxy server(s) where the Activity Monitor agent will be deployed. The EMC CEE software is not a Stealthbits product. EMC customers have a support account with EMC to access the download. Remember, v8.2.0 is the recommended version of EMC CEE to install in order to use the asynchronous bulk delivery (VCAPS) feature.

CAUTION: EMC CEE 8.4.2 through EMC CEE 8.6.1 are not supported for use with the VCAPS feature.

Follow the steps to install the EMC CEE.

Step 1 – Obtain the latest CEE install package from EMC and any additional license required for this component. It is recommended to use the most current version.

Step 2 – Follow the instructions in the Dell EMC CEE Using the Common Event Enabler on Windows Platforms guide to install and configure the CEE. The installation will add two services to the machine:

• EMC Checker Service (Display Name: EMC CAVA)

• EMC CEE Monitor (Display Name: EMC CEE Monitor)

Remember, EMC CEE requires .NET Framework 3.5 to be installed in order to start the EMC CEE service. After installation, open MS-RPC ports between the EMC device and the EMC CEE server. See the Appendix: EMC CEE Debug Logs section for information on troubleshooting issues related to EMC CEE.

After EMC CEE installation is complete, it is necessary to Connect Data Movers to EMC CEE Server.

Connect Data Movers to EMC CEE Server


The cepp.conf file contains information that is necessary to connect the Data Movers to the EMC CEE server. An administrator must create a configuration file which contains at least one event, one pool, and one server. All other parameters are optional. The cepp.conf file resides on the Data Mover.

Step 1 – Log into the EMC Celerra or VNX server with an administrator account. The administrative account should show a $ character as its prompt in the terminal.

NOTE: Do not use an account whose prompt shows a # character.

Step 2 – Create or retrieve the cepp.conf file.

If there is not a cepp.conf file on the Data Mover(s), use a text editor to create a new blank file in the home directory named cepp.conf. The following is an example command if using the text editor ‘vi’ to create a new blank file:

$ vi cepp.conf

If a cepp.conf file already exists, it can be retrieved from the Data Movers for modification with the following command:

$ server_file [DATA_MOVER_NAME] -get cepp.conf cepp.conf

Step 3 – Configure the cepp.conf file. For information on the cepp.conf file, see the EMC Using the Common Event Enabler for Windows Platforms guide for instructions on how to add parameters or edit the values of existing parameters.

NOTE: The information can be added to the file on one line or on separate lines by using a space and a “\” at the end of each line, except for the last line and the lines that contain global options: cifsserver, surveytime, ft, and msrpcuser.

The Activity Monitor requires the following parameters to be set in the cepp.conf file:

• pool name=

  • This should equal the name assigned to the configuration container. This container is composed of the server(s) IP Address or FQDN where the EMC CEE is installed and where the list of events to be monitored is located. It can be named as desired but must be a pool name.

• servers=

  • This should equal the IP Address or FQDN of the Windows server where the EMC CEE is installed.

• postevents=

  • This should equal the events for which notifications are received. At least one event option line (pre, post, or posterr) must be defined from the following options: * (all events), blank (no events), OpenFileNoAccess, OpenFileRead, OpenFileWrite, OpenDir, FileRead, FileWrite, CreateFile, CreateDir, DeleteFile, DeleteDir, CloseModified, CloseUnmodified, CloseDir, RenameFile, RenameDir, SetAclFile, SetAclDir, SetSecFile, SetSecDir.

• msrpcuser=

  • This should equal the domain account used to run the EMC CEE Monitor and EMC CAVA services on the Windows server. This parameter is a security measure used to ensure events are only sent to the appropriate servers. See the Appendix: EMC Event Mapping section for information about how EMC events are mapped to the Activity Monitor.

All unspecified parameters use the default setting. For most configurations, the default setting is sufficient.

Example cepp.conf file format:

    msrpcuser=[DOMAIN\DOMAINUSER]
    pool name=[POOL_NAME] \
    servers=[IP_ADDRESS1]|[IP_ADDRESS2]|... \
    postevents=[EVENT1]|[EVENT2]|...

Example cepp.conf file format for the Activity Monitor:

    msrpcuser=[DOMAIN\DOMAINUSER running CEE services]
    pool name=[POOL_NAME for configuration container] \
    servers=[IP_ADDRESS where CEE is installed]|... \
    postevents=[EVENT1]|[EVENT2]|...

Example of a completed cepp.conf file for the Activity Monitor:

    msrpcuser=example\user1
    pool name=pool \
    servers=192.168.30.15 \
    postevents=CreateFile|CreateDir|DeleteFile|DeleteDir|CloseModified|CloseUnmodified|RenameFile|RenameDir|SetAclFile|SetAclDir|SetSecFile|SetSecDir|OpenDir

Step 4 – Move the cepp.conf file to the Data Mover(s) root file system. Run the following command:

$ server_file [DATA_MOVER_NAME] -put cepp.conf cepp.conf

NOTE: Each Data Mover which runs Celerra Event Publishing Agent (CEPA) must have a cepp.conf file, but each configuration file can specify different events.

Step 5 – (This step is required only if using the msrpcuser parameter) Register the MSRPC user (see Step 3 for additional information on this parameter). Before starting CEPA for the first time, the administrator must issue the following command from the Control Station and follow the prompts for entering information:

/nas/sbin/server_user server_2 -add -md5 -passwd [DOMAIN\DOMAINUSER for msrpcuser]

Step 6 – Start the CEPA facility on the Data Mover. Use the following command:

server_cepp [DATA_MOVER_NAME] -service -start

Then verify the CEPA status using the following command:

server_cepp [DATA_MOVER_NAME] -service -status

Once the cepp.conf file has been configured, it is time to configure and enable monitoring with the Activity Monitor. See the Activity Monitor Configuration section for additional information.
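The cepp.conf rules from Steps 3 and 4 (at least one pool, one server and one event option; event names only from the list above; a trailing backslash on every pool line except the last and never on a global option line such as msrpcuser) can be checked before the file is pushed with server_file. The following Python script is an added example, not EMC or Stealthbits code; it embeds this guide's completed cepp.conf as constructed input and never contacts a Data Mover.

```python
"""Generate and validate a cepp.conf for the EMC CEPA facility using the rules in
this guide. Added example; not EMC or Stealthbits code; never touches a Data Mover."""
import re

# Event names the guide lists as valid for the pre/post/posterr event options.
VALID_EVENTS = {
    "OpenFileNoAccess", "OpenFileRead", "OpenFileWrite", "OpenDir", "FileRead",
    "FileWrite", "CreateFile", "CreateDir", "DeleteFile", "DeleteDir",
    "CloseModified", "CloseUnmodified", "CloseDir", "RenameFile", "RenameDir",
    "SetAclFile", "SetAclDir", "SetSecFile", "SetSecDir",
}
# Global options sit on their own line and never carry a "\" continuation.
GLOBAL_OPTIONS = {"cifsserver", "surveytime", "ft", "msrpcuser"}
EVENT_OPTIONS = ("preevents", "postevents", "posterrevents")

# The completed example from this guide, embedded as constructed test input.
GUIDE_EXAMPLE = (
    "msrpcuser=example\\user1\n"
    "pool name=pool \\\n"
    "servers=192.168.30.15 \\\n"
    "postevents=CreateFile|CreateDir|DeleteFile|DeleteDir|CloseModified|CloseUnmodified|"
    "RenameFile|RenameDir|SetAclFile|SetAclDir|SetSecFile|SetSecDir|OpenDir\n"
)

def build_cepp_conf(msrpcuser, pool_name, servers, postevents):
    """Return cepp.conf text laid out as in the guide: the msrpcuser global option
    on its own line, then the pool block joined with ' \\' continuations."""
    if not servers:
        raise ValueError("a pool needs at least one CEE server")
    unknown = [e for e in postevents if e != "*" and e not in VALID_EVENTS]
    if unknown:
        raise ValueError("unknown event name(s): " + ", ".join(unknown))
    pool_lines = [
        f"pool name={pool_name}",
        "servers=" + "|".join(servers),
        "postevents=" + "|".join(postevents),
    ]
    return f"msrpcuser={msrpcuser}\n" + " \\\n".join(pool_lines) + "\n"

def validate_cepp_conf(text):
    """Check cepp.conf text against the guide's rules; return a list of problem
    strings (an empty list means the file passes)."""
    problems = []
    physical = text.rstrip("\n").split("\n")
    logical, current = [], []
    for n, line in enumerate(physical, start=1):
        line = line.strip()
        if not line:
            continue
        continued = line.endswith("\\")
        if continued:
            line = line[:-1].rstrip()
            key = line.split("=", 1)[0].strip().lower()
            if key in GLOBAL_OPTIONS:
                problems.append(f"line {n}: global option '{key}' must not end with '\\'")
            if n == len(physical):
                problems.append(f"line {n}: the last line must not end with '\\'")
        current.append(line)
        if not continued:
            logical.append(" ".join(current))
            current = []
    if current:  # a continuation ran off the end of the file
        logical.append(" ".join(current))

    # Collect option=value pairs; "pool name" is the one key containing a space.
    found = {}
    for entry in logical:
        for key, value in re.findall(r"(pool name|\w+)=(\S*)", entry):
            found.setdefault(key, []).append(value)

    for required in ("pool name", "servers"):
        if required not in found:
            problems.append(f"missing required option '{required}='")
    if "servers" in found and not any(found["servers"]):
        problems.append("servers= must list at least one IP address or FQDN")
    event_values = [v for opt in EVENT_OPTIONS for v in found.get(opt, [])]
    if not event_values:
        problems.append("at least one of preevents/postevents/posterrevents is required")
    for value in event_values:
        for event in filter(None, value.split("|")):
            if event != "*" and event not in VALID_EVENTS:
                problems.append(f"unknown event name '{event}'")
    return problems
```

Run validate_cepp_conf on the file before the server_file -put in Step 4; a non-empty list is the set of things to fix first.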

Validate EMC CEE Registry Key Settings

After the Activity Monitor activity agent has been configured to monitor the EMC device, it sets the EMC CEE registry key to have Enabled set to 1 and EndPoint set to StealthAUDIT to forward events. This needs to be set manually in the rare situations where it is necessary for the EMC CEE to be installed on a different server than the Windows proxy server(s) where the Activity Monitor activity agent is deployed. See the Appendix: Configure EMC Registry Key Settings section for information on manually setting this on another server.

If the monitoring agent is not registering events, validate that the EndPoint is accurately set. Open the Registry Editor (run regedit). Navigate to the following location and view the EndPoint value: HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration

Set the following values:

• Enabled – 1

• EndPoint – StealthAUDIT

If this is configured correctly, validate that the EMC CEE services are running. See the Validate EMC CEE Services are Running section for additional information.

Validate EMC CEE Services are Running

After the Activity Monitor activity agent has been configured to monitor the EMC device, the EMC CEE services should be running. If the activity agent is not registering events and the EndPoint is set accurately, validate that the EMC CEE services are running. Open Services (run services.msc).

The following services installed by the EMC CEE installer should have Running as their status:

• EMC CAVA

• EMC CEE Monitor
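Both checks above, the Enabled and EndPoint values under HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration and the state of the EMC CAVA and EMC CEE Monitor services, can be scripted so the Windows proxy server is verified the same way every time. The following Python script is an added example, not Stealthbits or EMC code; it parses the text printed by reg query and sc query, the embedded sample outputs are constructed (192.0.2.10 is a placeholder address), and run_live_check only executes those commands on Windows.

```python
"""Health check for the EMC CEE forwarding settings described in this guide:
the CEPP\\AUDIT registry values and the two CEE services. Added example, not
Stealthbits or EMC code; it parses the text that 'reg query' and 'sc query'
print, so it can be exercised offline on the constructed samples below."""
import ipaddress
import subprocess
import sys

CEE_AUDIT_KEY = r"HKLM\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration"
# Display names of the services the CEE installer adds (from this guide).
CEE_SERVICES = ("EMC CAVA", "EMC CEE Monitor")

# Constructed sample of 'reg query' output for a correctly configured host.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration
    Enabled    REG_DWORD    0x1
    EndPoint    REG_SZ    StealthAUDIT@192.0.2.10
"""
# Constructed sample of 'sc query state= all' output (relevant entries only).
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: EMC CAVA
DISPLAY_NAME: EMC CAVA
        STATE              : 4  RUNNING

SERVICE_NAME: EMC CEE Monitor
DISPLAY_NAME: EMC CEE Monitor
        STATE              : 1  STOPPED
"""

def parse_reg_query(output):
    """Map value name -> (type, data) from 'reg query <key>' text."""
    values = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = (parts[1], parts[2])
    return values

def check_cee_registry(values):
    """Return problems with Enabled/EndPoint relative to the guide's settings."""
    problems = []
    enabled = values.get("Enabled")
    if enabled is None or enabled[0] != "REG_DWORD" or int(enabled[1], 16) != 1:
        problems.append("Enabled must be a REG_DWORD set to 1")
    endpoint = values.get("EndPoint")
    if endpoint is None or endpoint[0] != "REG_SZ":
        problems.append("EndPoint (REG_SZ) is missing")
    else:
        name, _, host = endpoint[1].partition("@")
        if name != "StealthAUDIT":
            problems.append(f"EndPoint '{endpoint[1]}' does not start with StealthAUDIT")
        elif host:  # remote form StealthAUDIT@<proxy IP>: the address must parse
            try:
                ipaddress.ip_address(host)
            except ValueError:
                problems.append(f"EndPoint host '{host}' is not a valid IP address")
    return problems

def parse_sc_query(output):
    """Map DISPLAY_NAME -> STATE word (RUNNING, STOPPED, ...) from 'sc query'."""
    states, display = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("DISPLAY_NAME:"):
            display = line.split(":", 1)[1].strip()
        elif line.startswith("STATE") and display is not None:
            states[display] = line.split()[-1]
            display = None
    return states

def check_cee_services(states):
    """Return one problem per CEE service that is not RUNNING."""
    return [f"service '{svc}' is {states.get(svc, 'NOT INSTALLED')}, expected RUNNING"
            for svc in CEE_SERVICES if states.get(svc) != "RUNNING"]

def run_live_check():
    """On the Windows proxy server, query the real registry and service manager."""
    if sys.platform != "win32":
        raise RuntimeError("live check only runs on the Windows proxy server")
    reg = subprocess.run(["reg", "query", CEE_AUDIT_KEY], capture_output=True, text=True).stdout
    sc = subprocess.run(["sc", "query", "state=", "all"], capture_output=True, text=True).stdout
    return check_cee_registry(parse_reg_query(reg)) + check_cee_services(parse_sc_query(sc))
```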

StealthAUDIT Connection Profile & Host List

Once the target environment has been configured for auditing, it is necessary to create a custom Connection Profile and a custom Host List within StealthAUDIT.

File System Custom Connection Profile

In StealthAUDIT, create a Connection Profile for the target hosts with the credentials configured. See the File System Custom Host List section for additional information.

For Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the Connection Profile needs to contain the account provisioned for Access Auditing (FSAA). For Activity Auditing (FSAC) scans, the Connection Profile needs to contain the credential with access to read the activity log files that the Activity Monitor activity agent creates.

For a domain account, set the following information on the User Credentials window:

• Select Account Type – Active Directory Account

• Domain – Select from the drop-down menu or type in the textbox

• User name – Type the user name

• Password Storage – Application (unless the credential is stored within the CyberArk Enterprise Password Vault)

• Password – [For the provided user account]

• Confirm – Re-type the password

For a local account, set the following information on the User Credentials window:

• Select Account Type – Local Windows Account

• User name – Type the user name

• Password Storage – Application (unless the credential is stored within the CyberArk Enterprise Password Vault)

• Password – [For the provided user account]

• Confirm – Re-type the password

If running the scans in proxy mode with Applet using a least privilege model, it is possible that the supplied credential may not have the necessary permissions to deploy the applet. In that situation, it is necessary to add a StealthAUDIT Task type credential to the Connection Profile that has the rights to deploy the applet, and it should be listed as the first credential in the Connection Profile.


If the File System Proxy has been installed and configured for Secure RPC, it is necessary to add a StealthAUDIT Task type credential to the Connection Profile that was configured with rights to interact with the service. It should be listed as the first credential in the Connection Profile.

Set the following information on the User Credentials window:

• Select Account Type

  • StealthAUDIT Task (Local) – Select this type if the account is a local user account

  • StealthAUDIT Task (Domain) – Select this type if the account is a domain user account

• Domain

  • Local – {not a field for this type of credential, defaults to }

  • Domain – A drop-down menu with the available trusted domains displays. Either type the short domain name in the textbox or select a domain from the menu.

• User name – Type the user name

• Password Storage – Application (unless the credential is stored within the CyberArk Enterprise Password Vault)

• Password – [For the provided user account]

• Confirm – Re-type the password

See the Connection section of the StealthAUDIT User Guides v11.0 for instructions on creating a Connection Profile.

Apply the Connection Profile to the host inventory query and to the FileSystem > 0.Collection Job Group.

File System Custom Host List

Create a custom host list containing the target hosts for which the Connection Profile just created contains credentials. If the File System scans are run in proxy mode as a service with RPC and the service is installed on multiple servers, then a custom host list of proxy servers should also be created.

If the target hosts are located within a specific OU within the domain, then the StealthAUDIT Host Discovery Wizard can be used. Scope the discovery query task by selecting the Query an Active Directory server (General) option on the Source page, and then by navigating to the OU on the Active Directory page. See the Query an Active Directory Server (General) Source Option section of the StealthAUDIT User Guides v11.0 for additional information.


A custom host list can be manually created by entering the host names, or it can be imported from either a CSV file or a database table. See the Add Hosts section of the StealthAUDIT User Guides v11.0 for additional information.

Assign the custom host list to the FileSystem > 0.Collection Job Group.

Appendices

The following appendices contain additional information that may be of use.

Appendix: EMC CEE Debug Logs

If an issue arises with communication between the EMC CEE and the Activity Monitor, the debug logs need to be enabled for troubleshooting purposes. Follow the steps.

Step 1 – In the Activity Monitor Console, change the Collect logs with trace level value in the lower right corner to Trace.

Step 2 – In the Activity Monitor Console, select the EMC Celerra or VNX device from the Monitored Hosts list and Disable monitoring.

Step 3 – Download and install the Debug View tool from Microsoft on the CEE server:

http://docs.microsoft.com/en-us/sysinternals/downloads/debugview

Step 4 – Open the Registry Editor (run regedit). Navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\Configuration

Step 5 – Right-click on Debug and select Modify. The Edit DWORD Value window opens. In the Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes.

NOTE: If the Debug DWORD Value does not exist, it needs to be added.

Step 6 – Right-click on Verbose and select Modify. The Edit DWORD Value window opens. In the Value data field, enter the value of 3F. Click OK, and the Edit DWORD Value window closes.

NOTE: If the Verbose DWORD Value does not exist, it needs to be added.

Step 7 – Open Services (run services.msc). Start or Restart the EMC CAVA service and the EMC CEE Monitor service. This typically takes time for the device to reestablish the connection with CEE.

Step 8 – Run the Debug View tool (from Microsoft). In the Capture menu, select the following:

• Capture Win32

• Capture Global Win32

• Capture Events

Step 9 – In the Activity Monitor Console, select EMC Celerra or VNX device from the Monitored Hosts list and Enable monitoring.

Step 10 – Generate some file activity on the EMC device. Save the Debug View Log to a file.


Step 11 – Send the following logs to Stealthbits Support:

• Debug View Log (from the Microsoft Debug View tool)

• CelerraServerSvc.log file from the activity agent (…\STEALTHbits\StealthAUDIT\FSAC folder)

RECOMMENDED: After the logs have been gathered and sent to Stealthbits Support, reset these configurations.

Appendix: EMC Event Mapping

The following tables show the EMC event types captured and not captured by the Activity Monitor.

EMC Event Types Captured by the Activity Monitor

User Action               EMC Event      Stealth Format (AUDIT EVT)
Create File               Create         Add FILE Path Source IP
Create Folder             Create         Add FOLDER Path Source IP
Copy File                 Create         Add FILE Path Source IP
Copy Folder               Create         Add FOLDER Path Source IP
Delete File               Delete         Del FILE Path Source IP
Delete Folder             Delete         Del FOLDER Path Source IP
Rename File               Rename         Ren FILE Path New Path Source IP
Rename Folder             Rename         Ren FOLDER Path New Path Source IP
Read File                 Read           Rea FILE Path Source IP
Update File               Write          Upd FILE Path Source IP
File Permission Change    Set_Security   Per FILE Path Source IP
Folder Permission Change  Set_Security   Per FOLDER Path Source IP

EMC Event Types Not Captured by the Activity Monitor

User Action                               EMC Event
Mount a Share                             Create
View a file or folder's properties        Get_Security
Map Network Drive                         Logon
Disconnect Network Drive                  Logoff
View File or Folder security settings     Tree_Connect

Appendix: Configure EMC Registry Key Settings

There may be situations when EMC CEE needs to be installed on a different Windows server than the one where the Activity Monitor activity agent is deployed. In those cases it is necessary to manually set the EMC CEE registry key to forward events.

Step 1 – Open the Registry Editor (run regedit).

Step 2 – Navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\AUDIT\Configuration

Step 3 – Right-click on Enabled and select Modify. The Edit DWORD Value window opens.

Step 4 – In the Value data field, enter the value of 1. Click OK, and the Edit DWORD Value window closes.

Step 5 – Right-click on EndPoint and select Modify. The Edit String window opens.

Step 6 – In the Value data field, enter the StealthAUDIT value with the IP Address of the Windows proxy server hosting the Activity Monitor activity agent. Use the following format: StealthAUDIT@[IP ADDRESS]

Step 7 – Click OK. The Edit String window closes. Registry Editor can be closed.


Step 8 – Open Services (run services.msc). Start or Restart the EMC CAVA service and the EMC CEE Monitor service.

The EMC CEE registry key is now properly configured to forward events to the Activity Monitor activity agent.

More Information

Identify threats. Secure data. Reduce risk.

Stealthbits, now part of Netwrix is a data security software company focused on protecting an organization’s credentials and data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements, and decrease operations expense.

For information on our products and solution lines, check out our website at www.stealthbits.com or send an email to our information center at [email protected].

If you would like to speak with a Stealthbits Sales Representative, please contact us at +1.201.447.9300 or via email at [email protected].

Have questions? Check out our online Documentation or our Training Videos (requires login): https://www.stealthbits.com/documentation. To speak to a Stealthbits Representative: please contact Stealthbits Support at +1.201.447.9359 or via email at [email protected].

Need formal training on how to use a product more effectively in your organization? Stealthbits is proud to offer FREE online training to all customers and prospects! For schedule information, visit: https://www.stealthbits.com/on-demand-training.
