XDR: Deploying The Windows Agent
The Windows agent collects relevant security data from Windows event logs running. Forwarding Windows event logs provides necessary log data required for many compliance regulations and increases overall visibility within the organization.
The agent will collect the following for forwarding to the main data processor and data lake:
- Application events
- Hardware events
- Security events
- System events
- Windows Firewall events
- Windows Defender events
- PowerShell events
Currently Support Windows Versions:
- Windows 7 and above
- .Windows 10
- .Windows Server 2008 and later
Before downloading the MSI and installing the agent it is recommended to an exclusion within your Anti-Virus solution so that the MSI file will execute.
Add an Anti-Virus exclusion for the following folders:
- C:\Program Files\Aella\* to avoid performance impacts caused by Anti-Virus real-time analysis as this where the the msi once installed will create a folder.
- C:\Windows\Stellar_synwatcher.exe to avoid performance impacts caused by Anti-Virus real-time analysis
Server Agents require outbound connectivity:
- TCP on port 8888 to 184.108.40.206
- TCP on port 8888 to 220.127.116.11
- TCP on ports 6640-6648 to 18.104.22.168
- TCP on port 8443 to 22.214.171.124
Step 1: Download the windows agent. Be sure to select the correct version based on the Operating System you are deploying to (32 Bit or 64 Bit)
- 32 Bit Download
- 64 Bit Download
Step 2: Execute the MSI file once downloaded
In the Sensor Setup Page enter the CM IP to be 126.96.36.199 and the Tenant ID. The tenant ID will be given by CSM or sent over with the welcome email or you can always request the tenant ID to
. Please wait for the team to respond with the tenant ID.
Step 4: Enter the following command: "
show cm" You should see the
188.8.131.52 IP address with SSL protocol listed if the process completed successfully
Open Services.msc within the OS and check for the services are visible. The services to check are Winlog beat service, Windows Agent Sensor ctrl, Windows Agent Sensor conf and Sysmon. Please note until the agents are authorized the services might not be running even visible in the services.msc.
Step 6: Let your Customer Success Manager or email email@example.com know that you have deployed the agent. The SOC will need to authorize each windows server before log events are ingested.
If you are deploying to a large number of servers, a MST file can be provided to automate the agent installation from GPO or other systems management tools. Your Customer Success Manager can provide this for you upon request.
XDR: Deploying the Linux Agent Sensor - Ubuntu/CentOS/RedHat/Debian Deployment
Table of contents Overview The Linux Agent on the servers has the capability to detect various events. Due to the nature of the agent and complexity of what needs to be seen from the server is crucial. The Linux Agent gives us the scope in the ...
XDR: Vendor Advisory for SolarWinds Orion Products - Countermeasure guidelines
December 2020 Detect SolarWinds SUNBURST Backdoor with Stellar Cyber Open-XDR Platform On December 13 2020, multiple vendors such as FireEye and Microsoft reported emerging threats from a nation-state threat actor who compromised SolarWinds, and ...
XDR-Syslog Forwarding- Ports To Send To
Firewall Ports to Open for Log Ingestion Network and security sensors require open inbound UDP ports on your firewall in order to receive and parse logs from devices on your network. The ports are already open by default on the sensor, so you must ...
XDR G SUITE INTEGRATION
Pre-Requisites: You will need Domain Administrator Privileges to configure the G-Suite Integration within BDS. Preparation Before configuring G-Suite in data processor, user would need to enable this feature in the google admin dashboard. 1. ...
XDR: EVENT ID Search in BDS Platform
An Alarm raised by SOC? Curious to know what the alarm is and why SOC raised it? We provide complete transparency to check what event/alarm was raised by the SOC to the Partner/Client Pre – Requisites: 1. Login Credentials 2. Portal URL to login 3. ...