ManageEngine Endpoint Central

ManageEngine EventLog Analyzer integrates with Endpoint Central, enabling IT teams to gain deeper insight into endpoint activity and to store critical Endpoint Central logs for extended security auditing. With this integration, EventLog Analyzer can audit endpoint details, monitor remote administrative actions, detect connected devices such as USB drives, track policy and license modifications, and generate alerts based on Endpoint Central logs. EventLog Analyzer also ingests security telemetry from Endpoint Central to enhance threat detection. Before you begin, ensure you have configured Endpoint Central as an application source in EventLog Analyzer for monitoring.

Monitoring Endpoint Central

Compliance regulations, especially those associated with federal agencies such as FedRAMP, FISMA, PCI DSS, and more, often mandate that the audit logs of applications such as Endpoint Central be monitored to maintain the organization's security posture.

EventLog Analyzer centralizes audit and access logs from Endpoint Central, enabling comprehensive monitoring through the following use cases:

Use case / Description / Why implement it? / Available reports, alerts, and capabilities

Audit log aggregation
  Description: Centralizes the audit and access logs of ManageEngine Endpoint Central.
  Why implement it: To ensure the security posture of your network, detect threats at an early stage, and comply with regulatory mandates.
  Available reports, alerts, and capabilities:
  • Secured log archival for custom time retention
  • Ability to generate reports and alerts through log analysis

Logon monitoring
  Description: Audits user logons and logoffs with details such as logon location and device.
  Why implement it: To analyze logon trends and detect any suspicious or unauthorized access to the application.
  Available reports, alerts, and capabilities:
  • Successful Logons

User activity monitoring
  Description: Audits user access and activities on Endpoint Central, such as password policy modifications, role changes, and more.
  Why implement it: To ensure secured Endpoint Central access and detect unauthorized access and changes to the application.
  Available reports, alerts, and capabilities:
  • Password Policy Modifications
  • User Account Modifications
  • Role Changes

Remote activity monitoring
  Description: Audits and monitors access to Endpoint Central from remote locations.
  Why implement it: To detect unauthorized access to the application from remote locations.
  Available reports, alerts, and capabilities:
  • Remote Control Activities
  • Remote Shutdown Activities

Securing Endpoint Central

EventLog Analyzer analyzes the audit and access logs of Endpoint Central and detects suspicious patterns, unauthorized access, and threats to the application. The use cases are outlined below:

Use case / Description / Relevant MITRE ATT&CK techniques / Available threat detection rules and capabilities

Detecting insider threats
  Description: Detects unusual or unauthorized access to the Endpoint Central application by users.
  Relevant MITRE ATT&CK techniques:
  • Lateral Movement
  • Privilege Escalation
  Available threat detection rules and capabilities: Insider threat detection

Identifying privilege escalation attempts
  Description: This rule detects multiple requests to assign administrative roles to a single user, signaling a possible attack aimed at gaining elevated permissions within the system.
  Relevant MITRE ATT&CK techniques:
  • Privilege Escalation
  • Account Manipulation
  • Credential Access
  Available threat detection rules and capabilities: Role Flooding Attack

Defending critical inventory data against unauthorized access
  Description: This rule identifies disruptions in inventory management processes, highlighting potential security incidents that may compromise the integrity of inventory records.
  Relevant MITRE ATT&CK techniques:
  • Denial of Service
  • Credential Access
  • Impact
  Available threat detection rules and capabilities: Security Interruption-Inventory Management

Detecting attempts to bypass security controls in inventory systems
  Description: This rule monitors for unusual access patterns or configurations that suggest an attempt to evade the security measures protecting inventory management.
  Relevant MITRE ATT&CK techniques:
  • Defense Evasion
  • Exploitation
  • Credential Access
  Available threat detection rules and capabilities: Security Evasion-Inventory Management

Monitoring data transmission through insecure servers
  Description: This rule flags instances where data is forwarded through servers lacking proper security measures, helping to prevent data leaks or unauthorized access.
  Relevant MITRE ATT&CK techniques:
  • Exfiltration
  • Command and Control
  • Initial Access
  Available threat detection rules and capabilities: Insecure forwarding server

Enhancing mobile device security by identifying evasion tactics
  Description: This rule monitors for attempts to disable or bypass mobile device management (MDM) policies, ensuring that mobile endpoints remain compliant with security protocols.
  Relevant MITRE ATT&CK techniques:
  • Defense Evasion
  • Credential Access
  • Lateral Movement
  Available threat detection rules and capabilities: Security Evasion-MDM
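To make the "Role Flooding Attack" use case above concrete, the following added example (written for this page, not EventLog Analyzer's or Endpoint Central's own rule logic) implements a sliding-window detector that flags a user who receives repeated administrative-role assignment requests in a short period. The log line format, field names, role names, threshold and window are all assumptions for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events in an ASSUMED "timestamp key=value ..." format;
# this is not Endpoint Central's real log format.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 actor=alice action=ROLE_ASSIGN target=bob role=Administrator
2024-05-01T09:00:03 actor=alice action=ROLE_ASSIGN target=bob role=Administrator
2024-05-01T09:00:04 actor=carol action=ROLE_ASSIGN target=bob role=Administrator
2024-05-01T09:00:09 actor=alice action=ROLE_ASSIGN target=dave role=Technician
2024-05-01T09:00:10 actor=alice action=ROLE_ASSIGN target=bob role=Administrator
2024-05-01T09:45:00 actor=alice action=ROLE_ASSIGN target=erin role=Administrator
"""

ADMIN_ROLES = {"Administrator"}  # assumed names of privileged roles


def parse_line(line):
    """Split one sample line into (timestamp, {field: value})."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def detect_role_flooding(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {target_user: peak_count} for users who received at least
    `threshold` admin-role assignment requests within any sliding `window`.
    Requests for non-admin roles are ignored (threshold and window are
    illustrative values, not the product's)."""
    recent = defaultdict(deque)  # target user -> timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("action") != "ROLE_ASSIGN" or f.get("role") not in ADMIN_ROLES:
            continue
        q = recent[f["target"]]
        q.append(ts)
        while q and ts - q[0] > window:  # expire requests outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[f["target"]] = max(alerts.get(f["target"], 0), len(q))
    return alerts


if __name__ == "__main__":
    print(detect_role_flooding(SAMPLE_LOGS))  # {'bob': 4}
```

In the sample, "bob" receives four Administrator assignment requests from two different actors within ten seconds, while the Technician request for "dave" and the single request for "erin" do not trigger the rule.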

Enriching TDIR with Endpoint Central telemetry

Threat detection use cases

EventLog Analyzer ingests security telemetry from Endpoint Central, such as vulnerable machine data and misconfigurations associated with specific devices, to enrich its threat detection, investigation, and response (TDIR).

Use case / Description / Telemetry from Endpoint Central / Available rules and capabilities

Exploit detection (for example, detecting WinRAR zero-day vulnerability exploitation)
  Description: The pre-configured rule helps identify and mitigate potential security threats targeting this vulnerability.
  Telemetry from Endpoint Central: Devices and machines with the WinRAR vulnerability
  Available rules and capabilities:
  • WinRAR Zero-day Vulnerability Exploitation

Threat response use cases

EventLog Analyzer comes with two predefined workflows for Endpoint Central:

  • Install Patch
  • Approve Patch

Compliance

The compliance regulations below mandate that you centralize audit and access logs from applications deployed in the secure network for monitoring and analysis. They also recommend detecting suspicious trends from these analyses to ensure overall security posture. EventLog Analyzer helps you meet these requirements by centralizing and analyzing Endpoint Central logs.

Industry / Regulatory mandate / Requirements

Healthcare
  HIPAA
    • Security Management Process - Requirement 164.308(a)(1)
    • Information System Activity Review - Requirement 164.308(a)(1)(ii)(D)
    • Audit Controls - Requirement 164.312(b)
    • Access Control - Requirement 164.312(a)(1)
    • Integrity - Requirement 164.312(c)(1)
  FERPA
    -

Financial services
  PCI DSS
    • Requirement 10.1 - Link all access to system components to each user.
    • Requirement 10.2 - Implement automated audit trails to log key events.
    • Requirement 10.3 - Record user ID, event type, date/time, success/failure, event origin, and affected data.
    • Requirement 10.5 - Secure audit trails from unauthorized access and modifications.
    • Requirement 10.7 - Retain audit trail history for at least one year, with three months readily available.
  GLBA
    • Safeguards Rule (16 CFR Part 314) - Information Security Program (314.4)
  SOX
    • Section 302 - Establish and maintain internal controls for financial reporting; disclose control deficiencies.
    • Section 404 - Annual internal control report on the effectiveness of the internal control structure for financial reporting.
    • Section 409 - Real-time disclosure of material changes in the financial condition or operations of the company.

Government
  FISMA
    • NIST SP 800-53, AU-2 - Audit Events
    • NIST SP 800-53, AU-3 - Content of Audit Records
    • NIST SP 800-53, AU-4 - Audit Storage Capacity
    • NIST SP 800-53, AU-5 - Response to Audit Processing Failures
    • NIST SP 800-53, AU-6 - Audit Review, Analysis, and Reporting
  NERC
    • CIP-007-6 R4 - Logging
    • CIP-007-6 R5 - Security Event Monitoring
    • CIP-008-6 R1 - Incident Reporting and Response Planning
  NRC
    • 10 CFR 73.54 - Protection of Digital Computer and Communication Systems and Networks
    • Requirement Guide 5.71 - Section C.5.5.4 - Audit & Accountability
  CMMC
    • AU.2.041 - Trace actions to individual users.
    • AU.3.045 - Review and update logged events.
    • AU.3.046 - Alert on audit log failures.
    • AU.3.048 - Centralize audit logs.
    • AU.3.049 - Correlate and analyze audit logs for suspicious activity.

Data privacy
  GDPR
    • Article 30 - Records of Processing Activities
    • Article 32 - Security of Processing
  CCPA and CPRA
    • 1798.100(e) - Implement and maintain reasonable security procedures.
    • 1798.145(i) - Secure personal information.
  PDPA
    • Section 21 - Security Measures for Personal Data Protection
    • Section 22 - Rights of Data Subjects
  POPIA
    • Section 19 - Security Safeguards
    • Section 21 - Security Measures on Information Systems
  LGPD
    • Article 6 - Principles for Processing Personal Data
    • Article 46 - Security and Confidentiality of Data

Information security
  ISO 27001:2013
    • A.12.4.1 - Event Logging
    • A.12.4.3 - Administrator and Operator Logs
  NIST CSF
    • PR.PT-1 - Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
    • DE.AE-3 - Event data are collected and correlated from multiple sources and sensors.
  Cyber Essentials
    • User Access Control - Ensure that user activities are tracked and logged.
    • Security Monitoring - Implement measures to detect and alert on unauthorized access.
  COCO
    • Section 99.31(a) - Conditions for access to student records
    • Section 99.32 - Recordkeeping of access and disclosures
  GPG
    • Audit Trail - Maintain records of system activities.
    • Monitoring and Review - Regularly review logs for anomalies.
  ISLP
    • Logging and Monitoring - Implement and maintain logging mechanisms.
    • Incident Response - Use logs for incident investigation.
  TISAX
    • Logging and Monitoring - Ensure all relevant actions are logged.
    • Incident Management - Use logs to detect and respond to incidents.
  SAMA
    • 4.1.4 - Monitor and log access to critical systems.
    • 4.1.5 - Regular review of audit logs for unauthorized activities.

Others
  UAE-NESA
    • Section 3.8 - Logging and Monitoring
    • Section 4.6 - Security Incident Management
  QCF
    • CS-12 - Log and Monitor Activities
    • CS-13 - Incident Management and Response
  CJDN
    • Policy Area 7.1 - Auditing and Accountability
    • Policy Area 7.2 - Incident Response
  ECC
    • Control 10 - Log Management
    • Control 11 - Security Event Monitoring