Integrating PAM360 with ManageEngine Log360 UEBA

This document discusses the process of integrating PAM360 with ManageEngine Log360 UEBA (User and Entity Behavior Analytics).

At the end of this document, you will have learned the following:

  1. Key Benefits of Integration
  2. How does the Integration Work?
  3. Prerequisites for Performing the Integration
  4. Steps to Configure the Integration in PAM360
  5. How to View Log360 UEBA Reports in PAM360?
  6. Important Points to Consider

1. Key Benefits of Integration

ManageEngine PAM360 integrates with ManageEngine Log360 UEBA, a machine learning-based add-on that analyzes audit logs and detects abnormal behavior using risk scores, anomaly trends, and audit reports. The PAM360-Log360 UEBA integration allows you to consolidate and visualize the resource and user audit trails within the Advanced Analytics tab in PAM360.

2. How does the Integration Work?

Log360 UEBA sources data from PAM360 via its API using your server details and login credentials. The audit trails from PAM360 are sent to Log360 UEBA at regular intervals and visualized as graphs for better understanding. Once the integration is complete, you will be able to view the resource and user audit data segregated as audit and anomaly reports interpreted using patterns and user behavior, right from the PAM360 user interface.

    Note: PAM360 - Log360 UEBA integration works with Log360 UEBA build 4023 and above only.

3. Prerequisites for Performing the Integration

Before commencing the integration, follow the steps detailed below to satisfy the prerequisites.

3.1 Enable HTTPS Connection in Log360 UEBA

Change the connection type to HTTPS in the Log360 UEBA server. The integration works only with HTTPS connections as PAM360 uses HTTPS to secure remote connections. Click here to learn how to change the connection type in the Log360 UEBA server. Once you change the connection type, follow the steps given in this document to generate and apply an SSL certificate in the Log360 server.

3.2 Import SSL Certificate in the PAM360 Server

Once HTTPS is enabled, import a valid SSL certificate into PAM360. Follow the steps below:

  1. Stop the PAM360 service.
  2. Open the command prompt and go to the "<PAM360_Installation_Folder>/bin" directory.
  3. Execute the following command:
    importCert.bat <Path of the certificate used by Log360 UEBA server>
  4. Restart the PAM360 service.

3.3 Enable Log360 UEBA Analytics under User Roles

Only the users with Log360 UEBA Analytics role will see the Log360 UEBA option under ManageEngine Integrations. By default, this role is enabled for all admin users. If you have a custom user role that requires access to the Log360 UEBA dashboard, follow the below steps to provide access:

  1. Navigate to Admin >> Customization >> Roles.
  2. Click Add Role to create a custom role.
  3. In the Add Role dialog box, click the Analytics tab and select the check box ManageEngine Log360 UEBA. Once this option is enabled, ManageEngine Integration option will also be enabled automatically. Now, once you assign this custom role to a user, they can access Log360 UEBA under Admin >> Integrations >> ManageEngine.

4. Steps to Configure the Integration in PAM360

In the PAM360 console, follow the below steps to enable the integration:

  1. Navigate to Admin >> Integration >> ManageEngine. You will see a consolidated view of all ManageEngine products integrated with PAM360.

    2. Only the users with the "ManageEngine Integration" role will see the ManageEngine option under Integration.

    Buttons and Definitions:

    Sl. No: Button Definition

    1

    Enable

    You will see this option if the integration is disabled. Click this button to enter required details of the Log360 UEBA server and enable integration.

    2

    Edit

    You will see this option if the integration is enabled. Click this button to update the Log360 UEBA host name and port details.

    3

    Disable

    You will see this option if the integration is enabled. Click this button to disable the integration.
  2. Under ManageEngine Log360 UEBA, click Enable. In the Log360 UEBA Integration dialog box that opens up, the following details are required:
    1. Host Name - The host machine in which Log360 UEBA is running.
    2. Port - The port number in which Log360 UEBA is listening.

Before providing the authentication password, consider the below two cases:

Case 1: Both PAM360 and Log360 UEBA servers reside in the same machine

Case 2: PAM360 and Log360 UEBA servers reside in different machines

Case 1: Both PAM360 and Log360 UEBA Servers Reside in the Same Machine

If both PAM360 and Log360 UEBA servers reside in the same machine, then the authentication password is not necessary. In this case, do as follows:

  1. Enter the Host Name and Port.
  2. Leave the Requires Authentication option unchecked and click Enable.

Case 2: PAM360 and Log360 UEBA Servers Reside in Different Machines

If PAM360 server and Log360 UEBA servers reside in different machines, then the authentication password is mandatory. In this case, do as follows:

  1. Enter the Host Name and Port.
  2. Select the Requires Authentication checkbox and enter the Password. This password must be the login password of the server in which Log360 UEBA is running.
  3. Click Enable.

    Note: This integration will work only with the username "admin" which is the default username of the Log360 UEBA Super Admin account. As of now, Log360 UEBA does not support PAM360 integration with Active Directory users and custom users in Log360 UEBA.

The integration is complete. Now, all existing the audit trail from PAM360 will be sent to Log360 UEBA right away. This is a one time operation, after which the audit data will be sent from PAM360 once every one hour. As of now, this integration supports only two types of audit data from PAM360: Resource audit and User audit.

If Case 2 applies to you, Log360 UEBA reports Dashboard may not work as expected in Google Chrome and Microsoft Edge browsers. If you are using either of those browsers, follow any one of the workaround steps given below:

Workaround 1:

Enter the Fully Qualified Domain Name (FQDN) as the Host Name in this step.

Example of an FQDN: [hostname].[domain].[top level domain]

Workaround 2:

Follow the below steps in Google Chrome or the Microsoft Edge browser:

  1. Open a new tab and go to chrome://settings/. Here, click Cookies and other site data and choose the Allow all cookies option.
  2. Open a new tab and go to chrome://flags/. In the search bar, enter the keyword "samesite". Disable the SameSite by default cookies option by choosing Disabled from the drop-down beside it.
  3. Relaunch the browser.

5. How to View Log360 UEBA Reports in PAM360?

Once the integration is complete, follow the below steps to view Log360 UEBA reports in PAM360:

  1. Navigate to the Advanced Analytics tab.
  2. Click ManageEngine Log360 UEBA from the left pane. Under this, choose Resource Anomaly or User Anomaly. As per your choice, the analysis of resource and user audit reports will be displayed in the dashboard area on the right. Click here to learn about the dashboards in detail.
  3. Log360 UEBA dashboard works well in the following browsers: IE 11 and above, Mozilla Firefox 4 and above, Microsoft Edge, and Google Chrome.

If you have applied steps for Case 2, then Log360 UEBA reports dashboard may not work as expected in Google Chrome and Microsoft Edge browsers. Click here to learn the workaround steps.

6. Important Points to Consider

  1. You can integrate only one PAM360 server with a Log360 UEBA server because, as of now, Log360 UEBA does not have the provision to segregate data from different PAM360 servers as separate reports. Therefore, attempting to integrate multiple PAM360 servers with a single Log360 UEBA server might lead to data loss.
  2. All audit trails sent to Log360 UEBA are stored in the Log360 UEBA server and will remain there forever. Purging audit records in PAM360 will not delete the data stored in Log360 UEBA.
  3. Once the integration is enabled, all existing audit data from PAM360 are imported to Log360 UEBA immediately. After the initial import, the audit data is sent from PAM360 once every one hour.
  4. If your Log360 UEBA server license expires and you move to the free edition, Log360 UEBA will stop fetching audit trails from PAM360. As a result of this, the Log360 UEBA dashboard in PAM360 will not display new reports. However, the anomaly reports generated before the license expiry will remain in PAM360 unless the integration is manually disabled.
  5. To configure how audit trails are recorded in PAM360, go to the Audit tab and click Audit Actions >> Configure Resource Audit or Configure User Audit. Any configuration setting applied to the Resource and User audit types will apply to the audit data sent to Log360 UEBA. However, it is not possible to control the type of audit logs sent to Log360 UEBA without affecting the way PAM360 records the audit trails.

Click here to learn more about audits in PAM360.

See Also:
Top