Prerequisites

• UEBA Technician Machine.

• The ports will by default be used for communication between the admin server and browser.
• The port can be customized by the user. The acceptable range for the value is between 1024-65535.

• UEBA Server

• The Elasticsearch server in UEBA uses this port.
• The port can be customized by the user. The acceptable range for the value is between 9230-9290.

• Utilization of PostgressSQL/MSSQL database port in order to connect to the PostgreSQL database in UEBA.
• Firewall port need not be opened since the internal port is bound to localhost.

• Utilization of the port in order to connect to the Redis database in UEBA.
• The acceptable range for the value is between 8179-8189.

• Utilization of SSL to enhance the security between server and the client through HTTPS.
• The port can be customized by the user. The acceptable range for the value is between 1024-65535.

• Fetches the real time events from integrated products.
• The acceptable range for the value is between 61616-61626.

• EventLog Analyzer Technician Machine.
• EventLog Analyzer Agent Machine.

Ports Usage:

• The ports will by default be used for communication between the admin server and managed server, as well as between the agent and server.
• The port can be customized by the user. The acceptable range for the value is between 1024–65535.

Ports Usage:

• The Elasticsearch server in EventLog Analyzer uses this port. EventLog Analyzer Server and SEM can coexist on the same server.
• The port can be customized by the user. The acceptable range for the value is between 1024–65535.

• Utilization of Redis port in order to connect to the Redis in EventLog Analyzer.
• Firewall port need not be opened since the internal port is bound to localhost.

Ports Usage:

• These UDP ports are used internally by EventLog Analyzer for agent-to-server communication.
• The port can be customized by the user. The acceptable range for the value is between 1024–65535.
• Internal port bound to localhost, firewall port need not be opened.

Ports Usage:

• Utilization of PostgreSQL/MySQL database port in order to connect to the PostgreSQL/MySQL database in EventLog Analyzer.
• Firewall port need not be opened since the internal port is bound to localhost.

UserGroups:

• Event Log Readers
• Distributed COM Users

User Permissions:

For root\cimv2 in WMI Properties:

• Enable Account
• Remote Enable
• Read Security.

Firewall Permissions:

• Predefined Rule:
  Windows Management Instrumentation (WMI)

User Permissions:

• The port is customizable by the user.

Ensure that the algorithm mentioned below is present in the sshd_config file.

File Location: /etc/ssh/sshd_config

Key exchange (KEX): diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256 , diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, diffie-hellman-group18-sha512 , ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp52

Ciphers: aes128cbc, aes128ctr, aes192cbc, aes192ctr, aes256cbc, aes256ctr, arcfour128, arcfour256, blowfishcbc, tripledescbc

MAC: hmacmd5, hmacmd596, hmacsha1, hmacsha196, hmacsha256, hmacsha512

*This will be Required for all Linux Communications.

• Linux Agent Installation
• Linux Agent Management & Communication
• Configuring Automatic SysLog Forwarding
• Linux MYSQL Server Discovery

User Rights:

Service restart rights for 'rsyslog' or 'syslog' service.

User Permissions:

• "rw" permission should be enabled to files (/etc/ rsyslog.conf or /etc/syslog.conf).
• Permissions for SSH Communication

User Permissions:

• User can customize the port.

User Permissions:

• Read access to the IIS log folder should be enabled.
• Permissions for the system 32/inetsrv should be enabled
• Administrator share privileges are required eg : Admin$,c$

Environment Permission:

• 8094, 8095 port should be open in both Agent machine and in Server machine.

User Permissions:

• Read, write and modify permissions to files in \\<ipaddress>\Admin$\TEMP\EventLogAgent should be enabled.
• Access "Remote Registry" service
• At least read control should be granted for winreg registry key. (Computer \HKEY_LOCAL _MACHINE\ SYSTEM\ CurrentContro lSet\Control\ SecurePipe Servers\winreg).
• Read/Write registry keys - SOFTWARE\\ Wow6432Node \\ZOHO Corp\\EventLog Analyzer\\ (or) SOFTWARE \\ZOHO Corp \\EventLog Analyzer\\.
• There should be access to remote services.msc

Sudo User Permissions:

• "rwx" permission is required for /opt/ManageEngine/ for transferring files.
• Permissions for SSH Communication

User Permissions:

• SFTP permissions to transfer files to /opt/Manage Engine/EventL ogAnalyzer_ Agent and /etc /audisp/plugins.d
• Service start/stop/restart permission for auditd.
• Permissions for SSH Communication

User Permissions:

• Network access: Do not allow anonymous not allow anonymous enumeration of SAM accounts and shares.
• Sometimes, connecting to different workgroup needs credentials even to view the shared resources.

User Permissions:

• SAuthentication for the FTP server should be enabled.

User Permissions:

• User should have read permission to Active Directory Domain Objects.
• Permission to run LDAP query in ADS_ SECURE_AUTHENTICATION mode should be present.

User Permissions:

• User should have read permission to Active Directory Domain Objects.
• Permission to run WinNT query in ADS_ SECURE_ AUTHENTI CATION mode should be given.

User Permissions:

• The winreg registry key should at the very least be given read control.

User Permissions:

• Can be configured to use dynamic TCP ports for communication.

Ports Usage::

• Fetches a list of live SNMP-enabled IP devices that responds to the SNMP ping.

Ports Usage:

• The Server Message Block (SMB) protocol uses this port to read the log files.

User Permissions:

• WMI permission is needed to find the MySQL server configuration file using SFTP.

User Permissions:

• Read permission to the MySQL server configuration file using SFTP.
• Permissions for SSH Communication

UserGroups:

• Distributed COM Users

User Permissions:

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

Environment Permission:

• The computer should not include EventLog Analyzer Installed server.

UserGroups:

• Distributed COM Users

User Permissions:

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

Environment Permission:

• The computer should not include EventLog Analyzer Installed server

UserGroups:

• Distributed COM Users

User Permissions:

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

Environment Permission:

• The user should have read,write and modify access to the shared path in the script.

UserGroups:

• Distributed COM Users

User Permissions:

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

Environment Permission:

• Remote Registry Service should be running.
• Full Control permission to HKEY_LOCAL_ MACHINE\SYSTEM\ CurrentControlSet\ Services\USBSTOR

UserGroups:

• Distributed COM Users
• Administrators

User Permissions:

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

UserGroups:

• Distributed COM Users

User Permissions:

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

UserGroups:

• Distributed COM Users

User Permissions:

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

UserGroups:

• Distributed COM Users

User Permissions:

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

UserGroups:

• Distributed COM Users

User Permissions

For root\cim v2 In WMI Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

Environment Permission:

• "AllowRemoteRPC" should be 1 for HKEY_ LOCAL_MACHINE\ SYSTEM\Current ControlSet\Control\Terminal Server.

User Permissions:

• The user should have "Delete" Right in the AD to delete other Accounts.
• The user to delete should not have "Protect Object from accidental deletion" checked.

User Permissions:

• The User account provided should have "Read","Write ","modify owners" and "modify permissions" permissions enabled.

• The User account provided should have "Read", "Write" , "modify owners" and "modify permissions" permissions enabled.

UserGroups:

• Distributed COM Users

User Rights:

• Act as part of the operating system
• Log on as a batch job
• Log on as a service
• Replace a process level token.

User Permissions:

For root\cim v2 In Properties:

• Execute Methods
• Enable Account
• Remote Enable
• Read Security

Environment Permission:

• The user should have read,write and modify access to the shared path.

• Sudo permission for user

• A "connect" Socket Permission to the host/port combination of the destination URL or a "URL Permission" that permits this request.

• Read permission to the specified CSV file.

Ports User Customizable

Additional Rights: https://www.manageengine.com/products/eventlog/help/threat-intelligence-and-analytics/threat-response/incident-management/playbook-management.html#ciscoCredentials

Ports User Customizable

Additional Rights: https://www.manageengine.com/products/eventlog/help/threat-intelligence-and-analytics/threat-response/incident-management/playbook-management.html#fortigateCredentials

Ports User Customizable

Additional Rights: https://www.manageengine.com/products/eventlog/help/threat-intelligence-and-analytics/threat-response/incident-management/playbook-management.html#paloAltoCredentials

Ports User Customizable

Additional Rights: https://www.manageengine.com/products/eventlog/help/threat-intelligence-and-analytics/threat-response/incident-management/playbook-management.html#sophosXGCredentials

Ports User Customizable

Additional Rights: https://www.manageengine.com/products/eventlog/help/threat-intelligence-and-analytics/threat-response/incident-management/playbook-management.html#fortigateCredentials

User Permissions:

• Managed server to Admin server communication via default webserver port.
• The default port number is 8095.
• The port can be customized by the user.

User Permissions:

• Admin server to Managed server communication via default webserver port
• User can customize the port. The value should be between 1024 and 65535.

User Permissions:

• Managed server transfers the archive files to Admin Server via SSH 8080.
• User can customize the port. The value should be between 1024 and 65535.

To fetch the "Log360 Cloud Threat Analytics" feeds, the below URLs will be used

• https://log360cloud.manageengine.com/
• https://log360feeds.manageengine.com/