Deploying The Windows Agent for Pulse Breach Detection System

Overview

The Windows agent collects security-relevant data from the Windows event logs of the host it runs on. Forwarding Windows event logs provides the log data required by many compliance regulations and increases overall visibility within the organization.

The agent collects the following event logs for forwarding to the main data processor and data lake:
  1. Application events
  2. Hardware events
  3. Security events
  4. System events
  5. Windows Firewall events
  6. Windows Defender events
  7. PowerShell events

Currently supported Windows versions:
  1. Windows 7 and above
  2. Windows Server 2008 and above


Deployment Steps

Before downloading the MSI and installing the agent, add an exclusion in your Anti-Virus solution so that the MSI can execute and so that real-time scanning does not interfere with the agent once it is installed.

Add an Anti-Virus exclusion for the following paths:
  1. C:\Program Files\Aella\* to avoid performance impacts from Anti-Virus real-time analysis; this is the folder the MSI creates when it installs.
  2. C:\Windows\Stellar_synwatcher.exe to avoid performance impacts from Anti-Virus real-time analysis.

Keep the exclusions limited to exactly these two paths. A broader exclusion (for example all of C:\Program Files or C:\Windows) creates a location where unrelated software can run unscanned.
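The following script is an added example, not part of the vendor documentation, showing how to create the two exclusions above on hosts protected by Microsoft Defender Antivirus and verify that they took effect. It assumes the Defender PowerShell module is available (Windows 8.1 / Server 2012 R2 and later); hosts running another Anti-Virus product need the equivalent setting in that product's console. Run it from an elevated PowerShell session, since Add-MpPreference requires administrator rights.

```powershell
# Added example (not vendor code): create and verify the two Defender
# exclusions required by the agent. Run elevated.

$Exclusions = @(
    'C:\Program Files\Aella',            # install folder created by the MSI
    'C:\Windows\Stellar_synwatcher.exe'  # agent watchdog executable
)

function Add-AgentExclusions {
    param([string[]]$Paths)
    # Read the current list once so re-running the script is idempotent.
    $current = (Get-MpPreference).ExclusionPath
    foreach ($p in $Paths) {
        if ($current -contains $p) {
            Write-Host "Already excluded: $p"
            continue
        }
        Add-MpPreference -ExclusionPath $p
        Write-Host "Added exclusion: $p"
    }
}

function Test-AgentExclusions {
    param([string[]]$Paths)
    # Re-read from Defender rather than trusting what we just wrote.
    $current = (Get-MpPreference).ExclusionPath
    $missing = $Paths | Where-Object { $current -notcontains $_ }
    if ($missing) {
        Write-Warning ("Missing exclusions: {0}" -f ($missing -join ', '))
        return $false
    }
    return $true
}

Add-AgentExclusions -Paths $Exclusions
if (Test-AgentExclusions -Paths $Exclusions) {
    Write-Host 'Defender exclusions for the agent are in place.'
}
```

Excluding the exact folder and file rather than a wildcard over C:\Windows keeps the scanning gap as small as possible; Get-MpPreference after the fact confirms the setting was not silently overridden by Group Policy or a tamper-protection setting.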


Server agents require the following outbound connectivity (allow these on any egress firewall or proxy before installing):

  1. TCP port 8888 to 52.7.164.23
  2. TCP port 8888 to 3.92.7.89
  3. TCP ports 6640-6648 to 52.7.164.23
  4. TCP port 8443 to 52.7.164.23
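The script below is an added example, not part of the vendor documentation, that checks each of the outbound endpoints listed above from the server you are about to deploy on. It uses System.Net.Sockets.TcpClient instead of Test-NetConnection so that it also runs on Windows 7 and Server 2008, where that cmdlet is not available; the 3-second timeout is an assumption that suits a typical WAN path.

```powershell
# Added example (not vendor code): pre-flight check of the outbound TCP
# connectivity the agent needs. Requires PowerShell 2.0 or later.

$Endpoints = @(
    @{ Host = '52.7.164.23'; Ports = @(8888, 8443) + (6640..6648) },
    @{ Host = '3.92.7.89';   Ports = @(8888) }
)

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000   # assumption: 3 s covers a WAN round trip
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN-ACK within the timeout: port filtered or host down.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($async)   # throws on RST (connection refused)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($ep in $Endpoints) {
    foreach ($p in $ep.Ports) {
        $open = Test-TcpPort -ComputerName $ep.Host -Port $p
        New-Object PSObject -Property @{ Host = $ep.Host; Port = $p; Open = $open }
    }
}

$results | Format-Table Host, Port, Open -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) unreachable; open them on the egress firewall/proxy before installing:" -f $blocked.Count)
    $blocked | ForEach-Object { Write-Warning ("  {0}:{1}" -f $_.Host, $_.Port) }
} else {
    Write-Host 'All required outbound ports are reachable.'
}
```

A timeout and a refused connection are reported the same way here (both are failures for the agent), but they usually mean different things: a timeout points at an egress firewall or proxy dropping the traffic, while an immediate refusal points at the wrong destination or port.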


Step 1: Download the Windows agent provided by your SOC onboarding team. Be sure to select the correct build for the operating system you are deploying to (32-bit or 64-bit).
Step 2: Run the MSI (with the MST transform, if one was supplied) once downloaded. Be sure you are running as administrator to install.
Step 3: In the Sensor Setup page, enter the CM IP as 52.7.164.23 and the Tenant ID. The tenant ID is provided by your CSM, is sent with the welcome email, or can be requested from socir@cyflare.com. Please wait for the team to respond with the tenant ID before continuing.
Step 4: Enter the command "show cm". If the setup completed successfully, you should see the 52.7.164.23 IP address listed with the SSL protocol.
Step 5: Open services.msc and confirm that the following services are present: Winlogbeat service, Windows Agent Sensor ctrl, Windows Agent Sensor conf and Sysmon. Note that until the agent is authorized, the services may be visible in services.msc but not yet running.
Step 6: Let your Customer Success Manager know, or email socir@cyflare.com, that you have deployed the agent. The SOC must authorize each Windows server before its log events are ingested.

If you are deploying to a large number of servers, an MST file can be provided to automate the agent installation through GPO or other systems-management tools. Your Customer Success Manager can provide this on request.
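For bulk deployment, the following added example (not vendor code) performs an unattended install of the MSI with the supplied MST transform and then runs the service check from Step 5. The file names in $Msi, $Mst and $Log are assumptions; substitute the files your onboarding team provided. The service display names are taken from Step 5; because this page does not give the underlying service names, the check matches on display name and service name with wildcards.

```powershell
# Added example (not vendor code): silent install with the MST transform,
# then verify the agent services exist. Run elevated (PowerShell 2.0+).

$Msi = 'C:\Deploy\WindowsAgent-x64.msi'   # assumption: path to the MSI from the SOC team
$Mst = 'C:\Deploy\WindowsAgent.mst'       # assumption: path to the MST transform
$Log = 'C:\Deploy\agent-install.log'      # verbose msiexec log for troubleshooting

function Install-Agent {
    param([string]$MsiPath, [string]$MstPath, [string]$LogPath)
    if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', "/l*v `"$LogPath`"")
    if ($MstPath -and (Test-Path $MstPath)) {
        $msiArgs += "TRANSFORMS=`"$MstPath`""
    }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but reboot required; anything else failed.
    if (@(0, 3010) -notcontains $proc.ExitCode) {
        throw "msiexec exited with code $($proc.ExitCode); see $LogPath"
    }
    return $proc.ExitCode
}

# Display names as listed in Step 5 of this page.
$ExpectedServices = @(
    'Winlog*beat*',
    'Windows Agent Sensor ctrl*',
    'Windows Agent Sensor conf*',
    'Sysmon*'
)

function Get-AgentServiceStatus {
    param([string[]]$Patterns)
    foreach ($pat in $Patterns) {
        $svc = Get-Service |
            Where-Object { $_.DisplayName -like $pat -or $_.Name -like $pat } |
            Select-Object -First 1
        $found  = [bool]$svc
        $name   = 'n/a'
        $status = 'missing'
        if ($found) { $name = $svc.Name; $status = [string]$svc.Status }
        New-Object PSObject -Property @{
            Expected = $pat; Found = $found; Name = $name; Status = $status
        }
    }
}

$exit = Install-Agent -MsiPath $Msi -MstPath $Mst -LogPath $Log
Write-Host "Install finished with exit code $exit"

$state = Get-AgentServiceStatus -Patterns $ExpectedServices
$state | Format-Table Expected, Found, Name, Status -AutoSize

# A missing service means the install did not complete; a service that exists
# but is Stopped is expected until the SOC authorizes this host (Step 6).
if (@($state | Where-Object { -not $_.Found }).Count -gt 0) {
    Write-Warning "One or more agent services are missing; check $Log"
}
```

When this runs from a GPO startup script or a management tool, keep the verbose log path on a local disk so it survives if the network agent is not yet forwarding; the log is what the SOC team will ask for if a host never appears for authorization.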