XDR: Deploying The Windows Agent

Overview

The Windows agent collects security-relevant data from the Windows event logs on the host where it runs. Forwarding Windows event logs supplies the log data required by many compliance regulations and increases overall visibility within the organization.

The agent will collect the following for forwarding to the main data processor and data lake:
  1. Application events
  2. Hardware events
  3. Security events
  4. System events
  5. Windows Firewall events
  6. Windows Defender events
  7. PowerShell events




Currently Supported Windows Versions:
  1. Windows 7 and above
  2. Windows 10
  3. Windows Server 2008 and later


Deployment Steps


Before downloading the MSI and installing the agent, it is recommended to add an exclusion within your Anti-Virus solution so that the MSI file will execute.

Add an Anti-Virus exclusion for the following paths:
  1. C:\Program Files\Aella\* to avoid performance impacts caused by Anti-Virus real-time analysis, as this is the folder the MSI creates once installed.
  2. C:\Windows\Stellar_synwatcher.exe to avoid performance impacts caused by Anti-Virus real-time analysis.


Server agents require the following outbound connectivity:

  1. TCP on port 8888 to 52.7.164.23
  2. TCP on port 8888 to 3.92.7.89
  3. TCP on ports 6640-6648 to 52.7.164.23
  4. TCP on port 8443 to 52.7.164.23


Step 1: Download the Windows agent. Be sure to select the correct version based on the Operating System you are deploying to (32 Bit or 64 Bit).
  1. 32 Bit Download
  2. 64 Bit Download
Step 2: Execute the MSI file once downloaded.
Step 3: In the Sensor Setup Page, enter the CM IP as 52.7.164.23 and the Tenant ID. The Tenant ID will be given by your CSM or sent with the welcome email; you can also request it from socir@cyflare.com. Please wait for the team to respond with the Tenant ID.
Step 4: Enter the following command: "show cm". You should see the 52.7.164.23 IP address with the SSL protocol listed if the process completed successfully.
Step 5: Open Services.msc within the OS and check that the services are visible. The services to check are Winlogbeat service, Windows Agent Sensor ctrl, Windows Agent Sensor conf and Sysmon. Please note that until the agents are authorized the services might not be running, even though they are visible in Services.msc.
Step 6: Let your Customer Success Manager or socir@cyflare.com know that you have deployed the agent. The SOC will need to authorize each Windows server before log events are ingested.

If you are deploying to a large number of servers, an MST file can be provided to automate the agent installation from GPO or other systems management tools. Your Customer Success Manager can provide this for you upon request.
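The following PowerShell script is an added example, not part of this article or the vendor's tooling. It runs the pre-flight checks described above (outbound connectivity to the listed addresses and ports, the Anti-Virus exclusions, shown for Microsoft Defender) and the Step 5 post-install check that the agent services exist; the service display-name wildcard patterns are an assumption and may need adjusting to match your installed names.

```powershell
# Added example (not from the original article): pre-flight and post-install
# checks for the Windows agent, using the addresses, ports, paths and service
# names the article lists. Run in an elevated PowerShell session.

# Outbound TCP connectivity the article requires.
$targets = @(
    @{ Host = '52.7.164.23'; Port = 8888 },
    @{ Host = '3.92.7.89';   Port = 8888 },
    @{ Host = '52.7.164.23'; Port = 8443 }
) + (6640..6648 | ForEach-Object { @{ Host = '52.7.164.23'; Port = $_ } })

Write-Host '== Outbound connectivity =='
foreach ($t in $targets) {
    $ok = (Test-NetConnection -ComputerName $t.Host -Port $t.Port `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    $state = if ($ok) { 'open' } else { 'BLOCKED' }
    '{0}:{1} {2}' -f $t.Host, $t.Port, $state
}

# Anti-Virus exclusions from the article (Microsoft Defender shown; other
# products need their own console). A folder exclusion covers its contents,
# so 'C:\Program Files\Aella' stands in for 'C:\Program Files\Aella\*'.
$exclusions = @('C:\Program Files\Aella', 'C:\Windows\Stellar_synwatcher.exe')
Write-Host '== Defender exclusions =='
foreach ($path in $exclusions) {
    Add-MpPreference -ExclusionPath $path -ErrorAction Stop
    "added exclusion: $path"
}
# Confirm the exclusions were recorded.
(Get-MpPreference).ExclusionPath | Where-Object { $exclusions -contains $_ }

# Post-install check (Step 5): the services should exist; they may remain
# Stopped until the SOC authorizes the agent. Display-name patterns are an
# assumption; compare against what Services.msc shows on your host.
$servicePatterns = @('*winlogbeat*', '*Sensor ctrl*', '*Sensor conf*', '*Sysmon*')
Write-Host '== Agent services =='
foreach ($pattern in $servicePatterns) {
    $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue
    if ($svc) {
        $svc | ForEach-Object { '{0,-40} {1}' -f $_.DisplayName, $_.Status }
    } else {
        "MISSING: no service matching '$pattern'"
    }
}
```

Any port reported as BLOCKED must be opened on the egress firewall before the agent can register with the CM; a MISSING service after the MSI has run indicates the install did not complete.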
