Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.
The following guide is based on a supported third party agent from Prophecy International.
Product | Samurai [Local] Collector | Samurai [Cloud] Collector
Microsoft DNS | |
This guide describes how to configure the integration for Microsoft DNS, using the Snare Epilog agent.
The sections below cover configuring the Domain Name System (DNS) server, Windows PowerShell, the Snare Enterprise Epilog for Windows agent, and log filtering.
Prerequisites
Windows DNS Server Configuration
Perform these steps to configure the DNS server:
- Open the Run dialog box Window.
- Type the following command:
dnsmgmt.msc
- Right-click the relevant DNS server and click Properties.
The DNS Manager page appears.
- Click the Debug Logging tab.
- Select the Log packets for debugging checkbox.
Select the following checkboxes:
- Under Packet direction, select Incoming.
- Under Transport protocol, select UDP and TCP.
- Under Packet contents, select Queries/Transfers.
- Under Packet type, select Request and Response.
Specify a file path along with the following filename:
microsoft_dns_debug-.txt
If a path is not specified, it will default to:
C:\Windows\system32\dns\
- Click Apply/OK.
This configuration should take effect immediately without restarting the DNS service. If the file is not created, restart the DNS service.
Windows PowerShell Configuration
Use this configuration to implement file rotation by appending a date/time to the file name daily. It allows you to delete the previous day's logs without impacting the ability of Snare Enterprise Epilog for Windows to monitor the current day's file.
Perform the following steps to configure Windows PowerShell:
- Open Windows Powershell.
- Run the following command:
Set-DnsServerDiagnostics -EnableLogFileRollover $true
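The two preceding sections (the Debug Logging tab in dnsmgmt.msc and the rollover cmdlet) can be applied and verified from one elevated PowerShell session on the DNS server. The script below is an added example, not part of the Samurai guide or of Snare; it uses the DnsServer module's Set-DnsServerDiagnostics and Get-DnsServerDiagnostics cmdlets. The mapping of the GUI checkboxes to parameters (Incoming to ReceivePackets, UDP/TCP to UdpPackets/TcpPackets, Queries/Transfers to Queries, Request/Response to QuestionTransactions/Answers) is the editor's reading of the cmdlet parameters, which is why the script reads the settings back and throws if any differ. The log directory D:\DnsDebug and the test name are hypothetical; the guide's default location is C:\Windows\system32\dns\.

```powershell
# Added example (not from the Samurai guide or Snare): applies the Debug Logging tab
# settings and daily rollover with the DnsServer module, then verifies them.
# Run elevated on the DNS server. $LogDir is a hypothetical path; the guide's default
# is C:\Windows\system32\dns\. The trailing hyphen in the filename is kept so that
# rollover appends the date and the Snare pattern microsoft_dns_debug-*.txt still matches.
$LogDir  = 'D:\DnsDebug'
$LogFile = Join-Path $LogDir 'microsoft_dns_debug-.txt'

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# GUI checkbox -> parameter (editor's mapping, verified below via Get-DnsServerDiagnostics):
#   Packet direction  : Incoming             -> ReceivePackets (SendPackets off)
#   Transport protocol: UDP and TCP          -> UdpPackets, TcpPackets
#   Packet contents   : Queries/Transfers    -> Queries
#   Packet type       : Request and Response -> QuestionTransactions, Answers
#   PowerShell section: daily file rotation  -> EnableLogFileRollover
Set-DnsServerDiagnostics `
    -EnableLoggingToFile $true `
    -LogFilePath $LogFile `
    -ReceivePackets $true -SendPackets $false `
    -UdpPackets $true -TcpPackets $true `
    -Queries $true `
    -QuestionTransactions $true -Answers $true `
    -EnableLogFileRollover $true

# Read the settings back and fail loudly if anything did not stick.
$diag = Get-DnsServerDiagnostics
$expected = @{
    EnableLoggingToFile   = $true
    ReceivePackets        = $true
    UdpPackets            = $true
    TcpPackets            = $true
    Queries               = $true
    QuestionTransactions  = $true
    Answers               = $true
    EnableLogFileRollover = $true
}
foreach ($k in $expected.Keys) {
    if ($diag.$k -ne $expected[$k]) {
        throw "DNS diagnostic setting $k is $($diag.$k), expected $($expected[$k])"
    }
}

# Send one query to the server itself so an incoming packet is logged, then confirm
# a file matching the Snare Log Name Format exists. If it does not, the guide's
# advice applies: restart the DNS service and check again.
Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 2
$files = Get-ChildItem -Path $LogDir -Filter 'microsoft_dns_debug-*.txt' -ErrorAction SilentlyContinue
if (-not $files) {
    Write-Warning 'No debug log file yet; run Restart-Service DNS and re-check.'
} else {
    $files | Select-Object Name, Length, LastWriteTime
}
```

Two operational points worth keeping in mind: packet-level debug logging costs CPU and disk on a busy resolver, and the resulting files record every client IP and queried name, so the log directory should be readable only by administrators and the Snare service account.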
Snare Enterprise Epilog for Windows Agent
Installation
Perform these steps to install Snare Enterprise Epilog for Windows Agent:
- Obtain Snare Enterprise Epilog for Windows Agent.
- Run the installation package.
- Click Next until the Service Account window appears.
- Select Use System Account.
NTT recommends using the local system account; however, a local or Active Directory account may be used to run the Snare service. When using an Active Directory account, use the following syntax:
user@domain.local
The account requires the following permissions:
- Run Snare as a service
- Read the Event Log
- Read the DNS debug log directory specified in the DNS Server Configuration section (Epilog reads the debug files directly, so a non-System account needs at least read access there)
- Initiate outgoing network connections
- Bind to a port for utilizing the web-based graphical user interface (GUI)
Alternatively, grant the account Admin privileges, at the cost of running the agent with more rights than it needs.
- Click Next.
- Click Next.
- Click Next to bypass the Network Destination window. (This configuration will be described later in the guide).
- In the Web User Interface window, perform the following steps:
- Select the Enable Web Access checkbox.
- Select Yes – Please enter a password.
- In the Password field, specify a secure password. This password will be used to log in to the Snare Enterprise Epilog for Windows Agent configuration GUI after the installation is complete.
- Select the Local access only? checkbox.
- Click Next.
- Click Next to accept the default installation path.
- Click Next to accept the default Start menu folder.
- Click Install.
Configuration
Perform the following steps to configure Snare Enterprise Epilog for Windows Agent:
- Navigate to Start > Intersect Alliance > Epilog for Windows to access Snare Enterprise Epilog for Windows.
- Specify snare as the username.
- Specify the password that was entered in the Installation section
- Click Destination Configuration from the left navigation pane.
- Under the Network Destinations section, perform the following steps:
- Specify the IP address of the Samurai XDR Collector deployed on your network in the Domain / IP field.
- Specify 514 as the Port.
- Select TCP from the Protocol list.
- Leave the TLS Authentication Key field blank.
- Select SYSLOG (RFC3164) from the Format list.
- Select Comma from the Delimiter Character list.
- Under the Hostname Options section, perform the following steps:
- Select the Use Host IP Address as source address checkbox.
- Select the IP Address from where logs will originate from the Select the specific Network Adapter list.
- Scroll down to the bottom of the page and click Update Destinations.
- Click Log Configuration from the left navigation pane.
- Click Add.
- Perform the following steps:
- Select Microsoft DNS server logs from the Select the Log Type list.
- For Multi-Line Format, select Single line only.
- Make sure the Send Comments checkbox is not selected.
- Specify the path used in the DNS Server Configuration section in the Log File or Directory field.
- Specify microsoft_dns_debug-*.txt in the Log Name Format field.
- In the options that appear below this field, select All matching files.
- Click Change Configuration.
Log Filter Configuration
Perform the following steps to configure log filtering:
- Click Log Filter Configuration from the left navigation pane.
- For new installations, a default rule is present that states "Include *."
- Delete this rule, if present.
- Click Add.
- Perform the following steps to add a log filter:
- For Select the Match Type, select Include.
- Specify *PACKET* in the General Search Term field.
- In the Select the Alert Level section, specify the following:
- In the Snare field, select Clear.
- In the Syslog field, leave the default value.
- In the CEF field, leave the default value.
- In the LEEF field, leave the default value.
- Click Change Configuration.
- Click Apply Configuration & Restart Service.
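The Include *PACKET* rule above, together with Send Comments left unchecked, exists because a Microsoft DNS debug log starts with a multi-line "Message logging key" header and only the lines carrying the PACKET keyword describe actual DNS traffic. The script below is an added example (not from the Samurai guide or Snare) that models that wildcard rule against constructed sample lines laid out like the documented debug-log format, then splits each surviving packet line into the fields a detection rule would key on. Timestamps, addresses and query names in the sample are invented; the parser is the editor's, not Snare's or Samurai's.

```powershell
# Added example (not from the Samurai guide or Snare). Sample log lines are constructed
# to follow the Microsoft DNS debug-log packet layout; all values in them are invented.
$sampleLog = @'
DNS Server log file creation at 3/28/2024 9:46:50 AM
Log file wrap at 3/28/2024 9:46:50 AM

Message logging key (for packets - other items use a subset of these fields):

    Field #  Information         Values
    -------  -----------         ------
       1     Date
       2     Time
3/28/2024 9:46:51 AM 0E58 PACKET  000000DC2F45E7A0 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/28/2024 9:46:51 AM 0E58 PACKET  000000DC2F45E7A0 UDP Rcv 198.51.100.53   0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/28/2024 9:46:52 AM 0E58 PACKET  000000DC2F4602B0 TCP Rcv 10.0.0.7        0003   Q [0001   D   NOERROR] TXT    (4)acme(7)example(3)com(0)
'@ -split "`r?`n"

# Model of the Snare rule "Include *PACKET*". -clike is case-sensitive; the guide does
# not say whether Snare's General Search Term is, so if header lines such as the
# "(for packets - ...)" key ever show up at the collector, tighten the term or check
# the Snare documentation.
$packetLines = @($sampleLog | Where-Object { $_ -clike '*PACKET*' })

# Fields of a packet line, in the order the debug log's own "Message logging key" lists them.
$packetRegex = '^(?<stamp>\S+ \S+(?: [AP]M)?) (?<thread>[0-9A-Fa-f]{4}) PACKET\s+(?<ctx>[0-9A-Fa-f]+) ' +
               '(?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<peer>\S+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<resp>R)?\s*' +
               '(?<opcode>[A-Z])\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'

function ConvertFrom-DnsLabelName {
    # "(3)www(7)example(3)com(0)" -> "www.example.com"; a bare "(0)" is the root, "."
    param([string]$Raw)
    $name = ($Raw -replace '\(\d+\)', '.').Trim('.')
    if ($name -eq '') { '.' } else { $name }
}

function ConvertFrom-DnsPacketLine {
    param([string]$Line)
    $m = [regex]::Match($Line, $packetRegex)
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Timestamp  = $m.Groups['stamp'].Value
        Protocol   = $m.Groups['proto'].Value
        Direction  = $m.Groups['dir'].Value          # only Rcv, given "Incoming" in the DNS config
        Peer       = $m.Groups['peer'].Value         # client for queries, upstream server for responses
        IsResponse = $m.Groups['resp'].Success       # "R" present -> response packet
        Flags      = $m.Groups['flags'].Value.Trim()
        QType      = $m.Groups['qtype'].Value
        QName      = ConvertFrom-DnsLabelName $m.Groups['qname'].Value
    }
}

$parsed = @($packetLines | ForEach-Object { ConvertFrom-DnsPacketLine $_ } | Where-Object { $_ })

'{0} of {1} sample lines pass *PACKET*; {2} parse as packets' -f $packetLines.Count, $sampleLog.Count, $parsed.Count
$parsed | Format-Table Timestamp, Protocol, Peer, IsResponse, QType, QName -AutoSize

# What a detection would typically key on: which clients asked for which names.
$parsed | Where-Object { -not $_.IsResponse } |
    Group-Object QName | Select-Object Name, Count, @{ n = 'Clients'; e = { ($_.Group.Peer | Sort-Object -Unique) -join ',' } }
```

Note that with Packet direction set to Incoming only, the response lines you will see are those the server receives from forwarders or authoritative servers (the second sample line), not the answers it sends back to clients; if a detection needs the server's own responses, Outgoing must be enabled as well, at the cost of roughly doubling the log volume.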
For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai XDR Application, as we auto-detect the vendor and product. The only reason you need to use the Samurai XDR Application is if you need to determine the Local Collector IP address. Of course, you will still need to ensure the integration is functioning! See Integrations for more information on checking status.
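Before looking at the Integrations status page, it is worth checking from the DNS server itself that each link in the chain is alive: debug logging still enabled, today's debug file being written, the Snare service running, and the collector reachable on TCP 514 with a session actually established. The script below is an added example, not part of the Samurai guide or of Snare. It assumes a hypothetical collector address 10.20.30.40, the guide's default log directory, and that the Snare Epilog service's display name contains "Snare" (adjust the wildcard if your installation names it differently).

```powershell
# Added example (not from the Samurai guide or Snare): end-to-end liveness check for the
# Microsoft DNS -> Snare Epilog -> Samurai collector path. Run on the DNS server.
# $Collector is hypothetical; $LogDir is the guide's default location.
$Collector = '10.20.30.40'
$LogDir    = 'C:\Windows\system32\dns'

$checks = [ordered]@{}

# 1. Debug logging still enabled (a later change in dnsmgmt.msc silently undoes it).
$diag = Get-DnsServerDiagnostics
$checks['DebugLoggingEnabled'] = [bool]($diag.EnableLoggingToFile -and $diag.ReceivePackets -and $diag.Queries)

# 2. The newest rolled-over debug file was written to within the last 10 minutes.
$latest = Get-ChildItem -Path $LogDir -Filter 'microsoft_dns_debug-*.txt' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
$checks['DebugFileFresh'] = ($null -ne $latest) -and ($latest.LastWriteTime -gt (Get-Date).AddMinutes(-10))

# 3. Snare Epilog service running (display-name wildcard is an assumption; adjust as needed).
$running = @(Get-Service | Where-Object { $_.DisplayName -like '*Snare*' -and $_.Status -eq 'Running' })
$checks['SnareServiceRunning'] = $running.Count -gt 0

# 4. Collector reachable on TCP 514 from this host (syslog over TCP, per Destination Configuration).
$tnc = Test-NetConnection -ComputerName $Collector -Port 514 -WarningAction SilentlyContinue
$checks['CollectorTcp514Open'] = [bool]$tnc.TcpTestSucceeded

# 5. Snare actually holds an established session to the collector right now.
$sessions = @(Get-NetTCPConnection -RemoteAddress $Collector -RemotePort 514 -State Established -ErrorAction SilentlyContinue)
$checks['SnareSessionEstablished'] = $sessions.Count -gt 0

$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

If check 4 passes but check 5 fails, the usual causes are the Destination Configuration pointing at the wrong address or port, or the Snare service not having been restarted after Apply Configuration & Restart Service; if check 2 fails while check 1 passes, no incoming query has been logged recently, which on a quiet server can be confirmed harmless by sending one with Resolve-DnsName against 127.0.0.1.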