Archive for the ‘Uncategorized’ Category

Adallom/Microsoft Cloud Security – Log Export

April 5th, 2016

Forward logs to your SIEM (Preview Feature)

 Taken from: https://technet.microsoft.com/en-us/library/mt657569.aspx

Integrating with a SIEM service allows you to better protect your cloud applications while maintaining your usual security workflow, automating security procedures and correlating cloud-based and on-premises events. The Cloud App Security SIEM agent pulls the logs using the Cloud App Security API and streams them in CEF format into the SIEM logger, so that your Cloud App Security logs can be included in your SIEM. To integrate Cloud App Security with your SIEM, perform the following steps to pull the Cloud App Security logs and send them to your SIEM service using Syslog over TCP.

Note: Cloud App Security uses TCP to assure reliability of the SIEM integration.
  1. Prerequisites:
    • A standard Linux or Windows server (can be a virtual machine).
    • The server should run Java 8.
  2. In the Cloud App Security console, click your name in the console menu bar, and select User settings and then click on the API Token tab. Name your SIEM integration token and click Generate new token. In the Created API token window, copy the token value.
  3. Create the following folders on your server: /etc/mcas/siemagent and /etc/mcas/siemagent/cfg (Linux), or C:\MCAS\siemagent and C:\MCAS\siemagent\cfg (Windows).
  4. Download SIEMAgent.jar and save it to your server in /etc/mcas/siemagent/ (Linux) or C:\MCAS\siemagent (Windows).
    Note: It is recommended to keep the version number as part of the filename, for easier identification of the installed version.
    Note:
    • Cloud App Security supports multiple concurrent SIEM agents for different variations of logs and filters. You can create several configuration files and repeat these steps.
    • The Cloud App Security SIEM agent uses the system clock for the initial event synchronization. Make sure it is accurate before running the agent. Events are downloaded from the initial run onward. If you want to download all events, contact support.
  5. Configure your SIEM agent as follows:
    1. Choose a name for your configuration, create a new file in the cfg folder and name it [CFGNAME].xml, where CFGNAME is the name of your configuration (do not include the brackets [ ] in your code). Start with a letter, and do not use spaces or special symbols (numbers, dashes and underscores are allowed). Paste the following into the file you created, and edit the parameters within (instructions in the next step). For Linux:
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      
         /var/log/mcas/siemagent/[CFGNAME]
         /etc/mcas/siemagent/state/[CFGNAME].dat
         [RUN INTERVAL]
         https://[PORTAL SUB-DOMAIN].portal.cloudappsecurity.com/api/
         [TOKEN]
         [LOG TYPE]
         
             [FILTER]
             [FILTER]
         
         [SIEM HOST]
         [SIEM PORT]
         [OPTIONAL - PROXY HOST]
         [OPTIONAL - PROXY PORT]
         [OPTIONAL - LOGGING ENABLE]
         [OPTIONAL - SIEM LOGGING ENABLE]
         [OPTIONAL – FORMAT SET]
         [OPTIONAL – CUSTOM FORMAT]
      

      For Windows:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      
         C:\MCAS\siemagent\log\[CFGNAME]
         c:\MCAS\siemagent\state\[CFGNAME].dat
         [RUN INTERVAL]
         https://[PORTAL SUB-DOMAIN].portal.cloudappsecurity.com/api/
         [TOKEN]
         [LOG TYPE]
         
             [FILTER]
             [FILTER]
         
         [SIEM HOST]
         [SIEM PORT]
         [OPTIONAL - PROXY HOST]
         [OPTIONAL - PROXY PORT]
         [OPTIONAL - LOGGING ENABLE]
         [OPTIONAL - SIEM LOGGING ENABLE]
         [OPTIONAL – FORMAT SET]
         [OPTIONAL – CUSTOM FORMAT]
      
      
      
      

      Parameters table (value, description, example):

      Note: Omit any lines of the optional parameters that you are not using.

      CFGNAME: A unique name that describes this instance of the SIEM agent. Use the same name you chose for the file name. Example: audits
      RUN INTERVAL: The interval for synchronization in milliseconds. Recommended value is 20 seconds. Example: 20000
      PORTAL SUB-DOMAIN: The sub-domain you have when you log in to the portal. Example: cloudappsecurity
      LOG TYPE: Type of logs to retrieve. Supported values: audits (activity log entries) and alerts (alert entries). Example: audits
      FILTER (optional): List of filters. Only entries that match all the filters are returned (AND). See usage, below. Example: service=google-apps
      SIEM HOST: The IP address of the SIEM server. Example: 10.0.0.120
      SIEM PORT: The port number of the TCP Syslog listener. Example: 1111
      PROXY HOST (optional): The IP address of your HTTP proxy. Example: 10.0.0.250
      PROXY PORT (optional): The TCP port of your HTTP proxy. Example: 8080
      LOGGING ENABLE (optional): Set to true in order to activate the logs. Example: true
      SIEM LOGGING ENABLE (optional): Set to true in order to send internal logs of the SIEM agent to the Syslog server. Example: true
      FORMAT SET (optional): ADALLOM_CEF_V1 (default) is the default SIEM agent output format; ARCSIGHT_CEF_V1 is the output format compatible with ArcSight. Example: ADALLOM_CEF_V1

      Activity Filters (parameter name, type, description):

      action (multi-value strings, supports negation, comma-separated list): List of actions.
      service (multi-value strings, supports negation, comma-separated list): List of apps in the following format:
        • Take the application name as listed in the portal.
        • Convert all characters to lower case.
        • Replace spaces with a hyphen (-).
        • Remove all non-numeric and non-alphabetical characters.
        • Replace multiple hyphens with a single hyphen.
        • Remove any hyphens from the start and end.
        • For example: Google Apps: google-apps; Office 365: office-365; Microsoft SharePoint Online: microsoft-sharepoint-online; Salesforce: salesforce
      user (multi-value strings, supports negation, comma-separated list): List of users.

      Alert Filters (parameter name, type, description):

      users (multi-value strings, supports negation, comma-separated list): List of users.
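      The naming rule for [CFGNAME] and the six-step app-name conversion above are easy to get subtly wrong by hand (a stray space or a double hyphen silently makes a filter match nothing, and the agent then ships no events). The following Python script is an added example, not part of the Microsoft page or the SIEM agent itself: it validates a configuration name, normalizes a portal application name exactly as the six steps describe (reading step 4 as keeping the hyphens that step 3 produced, since steps 5 and 6 still operate on them), and applies a list of filters with the AND semantics described in the parameters table. The negation syntax is not spelled out on the page; the leading "!" used here is an assumption of this example, as is the shape of the sample events.

```python
import re

# Configuration-name rule from the page: start with a letter, then only
# letters, digits, dashes and underscores (no spaces or other symbols).
_CFGNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def is_valid_cfgname(name: str) -> bool:
    """Return True if `name` may be used as [CFGNAME] (and as [CFGNAME].xml)."""
    return bool(_CFGNAME_RE.fullmatch(name))


def normalize_service_name(app_name: str) -> str:
    """Turn a portal application name into the `service=` filter value.

    Follows the six steps in the Activity Filters table. Step 4 ("remove all
    non-numeric and non-alphabetical characters") is applied to everything
    except hyphens, because steps 5 and 6 still need them.
    """
    s = app_name.lower()                      # step 2: lower case
    s = s.replace(" ", "-")                   # step 3: spaces -> hyphen
    s = re.sub(r"[^a-z0-9-]", "", s)          # step 4: drop other symbols
    s = re.sub(r"-{2,}", "-", s)              # step 5: collapse hyphen runs
    return s.strip("-")                       # step 6: trim leading/trailing


def parse_filter(line: str) -> tuple[str, bool, list[str]]:
    """Parse one [FILTER] line such as `service=google-apps,salesforce`.

    Returns (parameter, negated, values). ASSUMPTION: negation is written as
    a leading '!' on the value list, e.g. `user=!admin@example.com`; the page
    only says negation is supported, not how it is spelled.
    """
    key, _, raw = line.partition("=")
    key, raw = key.strip(), raw.strip()
    if not key or not raw:
        raise ValueError(f"malformed filter: {line!r}")
    negated = raw.startswith("!")
    if negated:
        raw = raw[1:]
    values = [v.strip() for v in raw.split(",") if v.strip()]
    return key, negated, values


def event_matches(event: dict, filters: list[str]) -> bool:
    """AND-combine filters as the page describes: every filter must match.

    A multi-value filter matches when the event field equals any listed value;
    a negated filter matches when it equals none of them. The `event` dict
    shape (keys named like the filter parameters) is constructed for this example.
    """
    for f in filters:
        key, negated, values = parse_filter(f)
        hit = event.get(key) in values
        if hit == negated:      # plain filter needs a hit; negated needs a miss
            return False
    return True


if __name__ == "__main__":
    # Constructed sample events, not real Cloud App Security output.
    sample = [
        {"service": "google-apps", "user": "alice@example.com", "action": "login"},
        {"service": "office-365", "user": "bob@example.com", "action": "download"},
    ]
    flt = ["service=" + normalize_service_name("Google Apps") + ","
           + normalize_service_name("Office 365"), "action=!login"]
    print("cfg name ok:", is_valid_cfgname("audits_v1-prod"))
    print("matching users:", [e["user"] for e in sample if event_matches(e, flt)])
```

      Run it before deploying a new [CFGNAME].xml: a name the validator rejects should be renamed rather than forced in, and a `service=` value that differs from the normalized form of the portal name will not select any events.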
  6. Run the SIEM agent in one of the following modes:
    • Manual run:
      • Linux: java -jar /etc/mcas/siemagent/siemagent.jar /etc/mcas/siemagent/cfg/[CFGNAME].xml
      • Windows: java -jar C:\MCAS\siemagent\siemagent.jar C:\MCAS\siemagent\cfg\[CFGNAME].xml
    • Automated run: Create a startup script to run the agent on system startup.
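Once the agent is running, the first thing to verify on the SIEM side is that the TCP Syslog listener on [SIEM HOST]:[SIEM PORT] actually receives well-formed CEF records. The following Python script is an added example, not part of the page or of the agent: it implements a minimal newline-delimited syslog-over-TCP receiver on localhost and a CEF parser that honours the format's backslash escapes in the header ("\|") and extension ("\="). The sample record, the vendor/product names in it and the newline framing are constructed for this example; the agent's real field values are whatever your portal emits, so treat the parser output as a structural check, not a schema.

```python
import socket
import threading

# Header fields of a CEF record, in the order the format defines them.
CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")

# Constructed sample line (syslog PRI + timestamp + a CEF record). Not real agent output.
SAMPLE_LINE = (
    "<14>Apr 05 2016 10:00:00 siemagent "
    "CEF:0|SampleVendor|SampleAgent|1.0|LOGIN|Log on \\| success|3|"
    "suser=alice@example.com src=10.0.0.7 msg=reason\\=mfa ok"
)

_EXT_KEY = __import__("re").compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _parse_extension(ext: str) -> dict:
    """Split the extension part into key=value pairs; values may contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for j, m in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(ext)
        val = ext[m.end():end].strip()
        out[m.group(1)] = val.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record into a dict.

    Everything before 'CEF:' (PRI and syslog header) is kept as 'syslog_prefix'.
    The seven header fields are separated by unescaped pipes; '\\|' is a literal pipe.
    """
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF record")
    prefix, body = line[:idx].rstrip(), line[idx + 4:]
    fields, cur, i, n = [], [], 0, len(body)
    while i < n and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < n:          # escaped character: keep it verbatim
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    record = dict(zip(CEF_HEADER, fields))
    record["syslog_prefix"] = prefix
    record["extension"] = _parse_extension(body[i:])
    return record


def collect_events(server: socket.socket, count: int, timeout: float = 5.0) -> list[dict]:
    """Accept one connection on a listening socket and parse `count` records.

    ASSUMPTION: records are newline-delimited, the usual framing for syslog over TCP.
    """
    server.settimeout(timeout)
    conn, _ = server.accept()
    conn.settimeout(timeout)
    records = []
    with conn, conn.makefile("r", encoding="utf-8", newline="\n") as stream:
        for line in stream:
            line = line.rstrip("\r\n")
            if line:
                records.append(parse_cef(line))
            if len(records) >= count:
                break
    return records


def roundtrip(lines: list[str]) -> list[dict]:
    """Start a localhost listener, send `lines` to it, return the parsed records."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = []
    t = threading.Thread(target=lambda: result.extend(collect_events(srv, len(lines))))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall("".join(l + "\n" for l in lines).encode("utf-8"))
    t.join()
    srv.close()
    return result


if __name__ == "__main__":
    for rec in roundtrip([SAMPLE_LINE]):
        print(rec["name"], rec["severity"], rec["extension"])
```

To use this against a live agent, bind `collect_events` to the address and port you put in [SIEM HOST] and [SIEM PORT] instead of the localhost round trip; if the agent connects but no record parses, the agent's [FORMAT SET] or the SIEM's expected framing is the first thing to compare.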


Cisco ACS / TACACS Active Directory Join/Bind Issues

December 29th, 2014

After battling with a number of issues successfully joining the ACS appliance to the domain, I wanted to post a list of troubleshooting steps to help anyone else that might run into issues:

– Password for the AD Account – If you are getting errors like account disabled, “invalid credentials to join this machine to active directory domain”, account locked, etc. after doing a Test Connection which returns successful, try changing the password. Remove any special characters, and potentially shorten the password. I had an extremely long password with complexity that caused my issues. I am unsure of the max length, but this was the root cause of most of my issues.

You might see something like this in your logs which is an indication of above:

Dec 29 14:06:40 yyyyyyyy adleave[9970]: INFO cli.adleave Leaving domain yyy.com successful
Dec 29 14:06:40 yyyyyyyy adleave[9970]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: INFO cli.adjoin Version: CentrifyDC 4.3.0-192
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: WARN base.kerberos.keytab getUserSalt failed: get creds: Preauthentication failed
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: INFO cli.adjoin Join to domain ‘yyy.com’, zone ‘null’ failed.
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO cli.adjoin Version: CentrifyDC 4.3.0-192
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO samba.interop Attempting interoperability with untested Samba version .
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO cli.adjoin Wrote /etc/centrifydc//openldap/slapd.conf
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO util.configfiles Wrote /etc/centrifydc//openldap/ldap.conf
Dec 29 14:06:41 yyyyyyyy adinfo[10034]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Dec 29 14:06:41 yyyyyyyy adinfo[10034]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory

– You then might get the following error: “The item you trying to delete is referenced by other items. You must remove all references to this item before it can be deleted.” This is apparently a known bug. Some posts say that you basically have to remove everything that refers to Active Directory in ACS. DO NOT do that. Just go to the CLI and issue the following two commands:

acs stop

acs start

Then go back in and set the password. There was a note on one of the posts that you should skip the Test Connection as it could cause the above.

– I read another post that said to right-click on the computer object in Active Directory and choose Reset before doing the join. I do not believe that fixed it in my case, but it is good for the “bag of tricks” for troubleshooting this. In effect it should clean the object to prepare it for a domain join.


Export Contact information from Office 365 (or Exchange 2010 +)

September 13th, 2013

The following exports all contacts and selected information. This is an Exchange/Office 365 cmdlet, so you will need to be connected to your Exchange or Office 365 session appropriately:

get-contact -resultsize unlimited | Select-Object name,FirstName,LastName,displayname,Company,WindowsEmailAddress | Export-Csv c:\script\user_audit.csv -Delimiter "|"


Office 2013 “Call us Overprotective” and Lync 2013 “Cannot sign in because the server is temporarily unavailable” using Office 365

September 10th, 2013

As we have been testing Office 2013 with our Office 365 implementation, we ran into two issues.

#1 – Lync 2013 could not sign in and we would receive an error message stating “Cannot sign in because the server is temporarily unavailable”. After digging through a lot of different forums and support threads, the one workaround that worked reliably was to launch Lync as a different user that was local to the computer and not on the domain. While this works for IT folks, it is not a permanent solution for the entire company.

#2 – When trying to access SharePoint documents or otherwise interact with Office 365 through Office 2013, we would get authentication prompts that would state “Call us overprotective, but we need to verify your account again before opening this document.” For these we could not find a reliable workaround. Many times a document from SharePoint simply could not be opened/edited due to the prompt displaying over and over again.

We ended up opening a ticket with Microsoft for each of these issues. While troubleshooting, we were doing packet captures and analyzing them when we noticed a number of TCP retransmissions which looked similar to an issue we were having with downloading larger files from SharePoint Online. (Side note: if you are battling SharePoint download issues as well, this will help identify the issue.) The fix/workaround that we had found for that problem was to disable AutoTuning in Windows 7.

We tested disabling AutoTuning and, like magic, both of these issues went away: we could sign into Lync 2013 and we could successfully authenticate when the Overprotective prompt came up.

To disable AutoTuning, from an elevated command prompt (right click on cmd.exe or command prompt and choose run as administrator) execute the following command:

netsh int tcp set global autotuninglevel=disabled

For best results reboot your computer.

We are still working with Microsoft to determine what in our network layer would be causing this. For reference, we are a Cisco shop; if this fixes your problem, we would love to hear what your core network vendor is.

Note: Our configuration provides WS-Fed through a Cloud Identity Management Solution. We utilize our Active Directory Domain for authentication to Office 365 through this service.


Export AD Password and Account Information using Get-QADUser

August 20th, 2013

You will need the free Quest ActiveRoles Management Shell for Active Directory to run this cmdlet:

Get-QADUser -Name * -SizeLimit 0 | select givenName,sn,name,samaccountname,company,description,PasswordExpires,PasswordNeverExpires,PasswordLastSet,lastLogonTimestamp,AccountIsDisabled,AccountExpires | Export-Csv c:\script\user_audit.csv -Delimiter "|"

To see a good list of fields to query:

http://powershellreflections.wordpress.com/2011/02/07/finding-stale-user-accounts-with-quest-cmdlets/
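The export above is only the raw material; the audit questions it answers are which enabled accounts have passwords set to never expire, which have not changed their password in a long time, and which have not logged on recently. The following Python script is an added example, not part of this post or of the Quest tooling: it reads a pipe-delimited Export-Csv file in the column layout of the command above (including the `#TYPE` header line that Export-Csv writes by default) and flags those conditions. The sample rows, the date format assumed for the exported DateTime values and the 90/180-day thresholds are constructed for the example. Note that lastLogonTimestamp is only replicated with a delay of up to 14 days, so it suits stale-account detection, not precise last-logon reporting.

```python
import csv
from datetime import datetime, timedelta

# Constructed sample in the shape of the Get-QADUser | Export-Csv -Delimiter "|"
# output above. Not real directory data. Export-Csv prefixes a "#TYPE ..." line.
SAMPLE_CSV = """\
#TYPE Selected.System.Management.Automation.PSCustomObject
"givenName"|"sn"|"name"|"samaccountname"|"company"|"description"|"PasswordExpires"|"PasswordNeverExpires"|"PasswordLastSet"|"lastLogonTimestamp"|"AccountIsDisabled"|"AccountExpires"
"Alice"|"Adams"|"Alice Adams"|"aadams"|"Example"|"Analyst"|"3/31/2016 9:00:00 AM"|"False"|"2/1/2016 9:00:00 AM"|"4/1/2016 8:12:00 AM"|"False"|""
"Bob"|"Brown"|"Bob Brown"|"bbrown"|"Example"|"Svc account"|""|"True"|"1/15/2013 10:00:00 AM"|"3/30/2016 7:00:00 AM"|"False"|""
"Carol"|"Clark"|"Carol Clark"|"cclark"|"Example"|"Contractor"|"6/1/2015 9:00:00 AM"|"False"|"5/1/2015 9:00:00 AM"|"9/1/2015 12:00:00 PM"|"False"|""
"Dave"|"Dean"|"Dave Dean"|"ddean"|"Example"|"Former staff"|""|"True"|"1/1/2014 9:00:00 AM"|"1/1/2014 9:00:00 AM"|"True"|""
"""

# ASSUMPTION: Export-Csv wrote DateTime values in one of these culture formats.
_DATE_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y %H:%M:%S")


def parse_export(text: str) -> list[dict]:
    """Read the pipe-delimited export, skipping the Export-Csv '#TYPE' line."""
    lines = [ln for ln in text.splitlines() if not ln.startswith("#TYPE")]
    return list(csv.DictReader(lines, delimiter="|"))


def parse_date(value: str):
    """Return a datetime for an exported value, or None if empty/unparseable."""
    value = (value or "").strip()
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def _is_true(value: str) -> bool:
    return (value or "").strip().lower() == "true"


def audit(rows: list[dict], now: datetime,
          stale_days: int = 90, max_pw_age_days: int = 180) -> list[tuple[str, str]]:
    """Return (samaccountname, finding) pairs for enabled accounts only.

    Disabled accounts are skipped: they cannot be used, so they are noise here.
    """
    findings = []
    for r in rows:
        if _is_true(r.get("AccountIsDisabled")):
            continue
        acct = r["samaccountname"]
        if _is_true(r.get("PasswordNeverExpires")):
            findings.append((acct, "password never expires"))
        pls = parse_date(r.get("PasswordLastSet"))
        if pls is None:
            findings.append((acct, "password never set"))
        elif now - pls > timedelta(days=max_pw_age_days):
            findings.append((acct, f"password older than {max_pw_age_days} days"))
        llt = parse_date(r.get("lastLogonTimestamp"))
        if llt is None or now - llt > timedelta(days=stale_days):
            findings.append((acct, f"no logon in {stale_days} days"))
    return findings


if __name__ == "__main__":
    # Pin "now" to the sample data's era so the demo output is stable.
    for acct, finding in audit(parse_export(SAMPLE_CSV), datetime(2016, 4, 5)):
        print(f"{acct}: {finding}")
```

To run it on a real export, replace `SAMPLE_CSV` with the contents of c:\script\user_audit.csv and pass `datetime.now()` as `now`; if your Export-Csv was run with `-NoTypeInformation` the `#TYPE` skip simply does nothing.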
