Eventtracker Macos Integration Guide

Integration Guide

Integrating macOS with EventTracker

EventTracker v9.3 and above

Publication Date:

July 16, 2021

Abstract

This guide provides instructions to configure macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) to generate and forward logs for critical events. Once EventTracker is configured to collect and parse these logs, dashboard and reports can be configured to monitor macOS. Scope

The configuration details in this guide are consistent with EventTracker version v9.3 or above and Apple macOS.

Audience

Administrators who are assigned the task to monitor macOS events using EventTracker.

Table of Contents Table of Contents 3 1. Overview 4 2. Prerequisites 4 3. EventTracker Manager configuration 4 4. EventTracker macOS Log Forwarder Installation and Configuration 7 5. EventTracker Knowledge Pack 7 4.1 Flex Reports 8 4.2 Alerts 10 4.3 Categories and Saved searches 10 4.4 Dashboard 11 5. Importing macOS Knowledge Pack into EventTracker 12 5.1 Category 13 5.2 Alerts 14 5.3 Token Templates 15 5.4 Knowledge Objects 15 5.5 Flex Reports 16 5.6 Dashboards 17 6. Verifying macOS Knowledge Pack in EventTracker 20 6.1 Categories 20 6.2 Alerts 20 6.3 Token Templates 20 6.4 Knowledge Objects 21 6.5 Flex Reports 21 6.6 Dashboards 22 About Netsurion 23

1. Overview Apple Macintosh Operating System (Mac) is a Unix-like Operating system. Mac contains numerous log files sent by various system processes and applications. These logs can be forwarded to syslog server.

With EventTracker, you can monitor macOS events from a single view. EventTracker checks the status and availability of macOS for critical processes and consolidates all the syslog.

EventTracker can generate flex reports and can also trigger alerts whenever it detects any suspicious activities. These alerts and flex reports will help you to analyze login and logout activities, authentication failure and any kind of administrator activities.

2. Prerequisites • macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) should be configured for forwarding logs. • Make sure the syslog port to be provided during integration is open in macOS and perimeter firewalls. • It is strongly recommended to use TLS+TCP (syslog over TLS) based connection with EventTracker. EventTracker syslog port should be configured for TLS. Please follow this guide. You can also use TCP or UDP based connection based on your need. • Add exception for syslog port to be provided during integration in firewall, if exists in between macOS and EventTracker Manager.

3. EventTracker Manager configuration 1. Click on Manager under Admin.

• Go to syslog/Virtual Collection Point tab. Make sure TLS+TCP is enabled on EventTracker manager against this syslog port. It is recommended to use TLS+TCP based communication between manager and macOS. You can also use TCP or UDP based connection based on your need.

2. Click on the symbol and then select Extract device Id.

3. Provide below Regex in Regular Expression space. Hostname:(?P[^,]+)\,\sTenant:(?P[^,]+)

4. Provide below value in Token name.

Computer~Tenant. 5. Check Active box.

6. Click on Add and then close.

7. Click on the symbol and then select Assign Device Type.

8. Provide below regex in Regular Expression Space.

ETSmacOSLogForwarder 9. Select Device Type as Mac.

10. Check Active box. 11. Click on Add and then close.

12. Click Save.

4. EventTracker macOS Log Forwarder Installation and Configuration Please refer this guide to understand how to install macOS Log Forwarder and forward logs to EventTracker.

5. EventTracker Knowledge Pack After logs are received by EventTracker manager, Knowledge Packs can be configured into EventTracker. The following Knowledge Packs are available in EventTracker to support macOS.

5.1 Flex Reports • Mac OS - Administrative activities - This report gives the information about any kind of administrative activities in macOS.

Sample logs:

• Mac OS - Authentication and Authorization - This report gives the information about user authentication and authorization activities in macOS.

Sample logs:

• Mac OS - Command executed - This report gives information about command executed by users.

Sample logs:

• Mac OS - Login and Logout activities - This report gives information about user login and logout activities based on local or remote.

Sample logs:

• Mac OS - User and Group management - This report gives information about user and group management activities like modification, creation, and addition.

Sample logs:

5.2 Alerts • Mac OS: Login failure - This alert will be generated when the user login failure is attempted. • Mac OS: User authentication failure - This alert will be generated when the user authentication fails. 5.3 Categories and Saved searches

• Mac OS - Administrative activities - This category-based report provides information related to administrative activities. • Mac OS - Authentication and Authorization - This category-based report provides information related to user authentication and authorization activities. • Mac OS - Command executed - This category-based report provides information related to command executed by users. • Mac OS - Login and Logout activities - This category-based report provides information related to user login and logout activities based on local or remote. • Mac OS - User and Group management- This category-based report provides information related to user and group management activities like modification, creation, and addition.

5.4 Dashboard • Mac OS- Authentication and Authorization: This dashboard provides information related to user authentication and authorization activities.

• Mac OS- User Authentication failure: This dashboard provides information related to user authentication failure activities.

• Mac OS- User and Group management: This dashboard provides information related to user and group management activities like addition, creation, and modification.

• Mac OS- Login and Logout activities: This dashboard provides information related to user login and logout activities.

6. Importing macOS Knowledge Pack into EventTracker Note: Import knowledge pack items in the following sequence:

• Categories • Alerts • Token Templates • Knowledge Objects

• Flex Reports • Dashboards

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility.

3. Click the Import tab. 6.1 Category

1. Click Category option, and then click the browse button.

2. Locate Category_MAC OS.iscat file, and then click the Open button.

3. To import categories, click the Import button. EventTracker displays success message.

4. Click OK, and then click the Close button. 6.2 Alerts

1. Click Alert option, and then click the browse button.

2. Locate Alert_MAC OS.isalt file, and then click the Open button. 3. To import alerts, click the Import button.

4. Click OK, and then click the Close button. 6.3 Token Templates 1. Click Parsing rules under Admin option in the EventTracker manager page.

2. Move to Template and click on import configuration icon on the top right corner.

3. In the popup window browse the file named Token Template_ MAC OS.ettd.

4. Select all the check box and then click on Import option. EventTracker displays success message.

5. Click OK, and then click the Close button. 6.4 Knowledge Objects 1. Click Knowledge objects under Admin option in the EventTracker manager page. 2. Locate the KO_MAC OS.etko file.

3. Click the Upload option. 4. Select all the check box and then click on Import option.

5. Knowledge objects are now imported successfully.

6. Click OK, and then click the Close button. 6.5 Flex Reports On EventTracker Control Panel,

1. Click Reports option and select new (*.etcrx) from the option.

2. Locate the Reports_MAC OS.etcrx file and select all the check box.

3. Click the Import button to import the reports. EventTracker displays success message.

4. Click OK, and then click the Close button. 6.6 Dashboards Note: If you have EventTracker version v9.3, you can import dashboards.

1. Open EventTracker.

2. Navigate to Dashboard>My Dashboard. My Dashboard pane is shown.

3. Click the Import button to import the dashlets.

4. Locate the Dashboard_MAC OS.etwd file. 5. Click the Upload option.

6. Select all the check box and then click on Import option. Dashlets are now imported successfully. 7. Click the Add button to create a new dashlets.

8. Fill suitable Title and Description and click Save. 9. Click Customize to locate macOS dashlets and choose all created dashlets for macOS. 10. Click Add dashlet to create dashboard.

7. Verifying macOS Knowledge Pack in EventTracker 7.1 Categories 1. Logon to EventTracker.

2. Click Admin dropdown, and then click Categories.

3. In Category Tree to view imported categories, scroll down and expand macOS group folder to view the imported categories.

7.2 Alerts 1. In the EventTracker web interface, click the Admin dropdown, and then click Alerts. 2. In search box, enter macOS and then click the Search button. EventTracker displays alert of macOS.

7.3 Token Templates 1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing rules. 2. On Template tab, click on the macOS group folder to view the imported Token Values.

7.4 Knowledge Objects 1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.

2. In the Knowledge Object tree, expand macOS group folder to view the imported Knowledge objects.

7.5 Flex Reports 1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.

2. In Reports Configuration pane, select Defined option. 3. Click on the macOS group folder to view the imported macOS reports.

7.6 Dashboards 1. Open EventTracker in browser and logon. 2. Navigate to Dashboard>My Dashboard.

3. In the macOS dashboard you should be now able to view the following.

About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi- location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.

Corporate Headquarters

Netsurion Trade Centre South 100 W. Cypress Creek Rd Suite 530 Fort Lauderdale, FL 33309 Contact Numbers EventTracker Enterprise SOC: 877-333-1433 (Option 2) EventTracker Enterprise for MSP’s SOC: 877-333-1433 (Option 3) EventTracker Essentials SOC: 877-333-1433 (Option 4) EventTracker Software Support: 877-333-1433 (Option 5) https://www.netsurion.com/eventtracker-support