Requirements

To execeute correctly the Agent, the following software is required:

• .NET Framework 4.0
• Internet Explorer dll framework
• Outgoing open port 443

Antivirus Consideration

We reported that some antivirus can interfere with the normal operation of the Agent (We have especially reported many cases with Sophos). Please be sure to insert an exception

• Sophos

Preliminary Information

• Agent Buffer: in case of the sgbox is offline, the agent will act as Buffer to store the logs until connection with the appliance is restored. The buffer store depend on the free disk space remaining.
• Port used: the port used to communicate is the 443.
• Communication type: SGBox Agent will communicate trough the Internet Explorer DCOM API.

Download

To install the agent you must to download the agent from the dedicated download section on SGBox Portal

Note, to download SGAgent, it is required to login or sign up on our portal and go to the Download SGBox Software section.

Installation Configuration

Extract the downloaded archive and run the setup

Click on “Next/Avanti” to continue with the installation

Browse the folder where you want install the agent

Edit the field “Server ip” with the IP or FQDN of your SGBox

You will be asked to confirm the data entered, click “Next/Avanti” to proceed with the installation.

Click on “Yes” to start with the installation

Click on “Close/Chiudi” to finish the installation

If the installation is correctly terminated a new service named “SGBoxTask Service” will be created

Log Retreive Configurations

Capture Logs from Standard Windows Event View

This section explain how to create a new configuration and command. A new command could be added in a same way to an existing configuration.

Log in to SGBox web interface. Go to LM > Configuration > Agents

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want create a new configuration or click on existing configuration if you want to edit it.

Enter o modify a name for the configuration and select GetEventLog to retrieve new information from Event Viewer.

Enter details of your command:

• Name: a descriptive name of your command.
• Description: brief description of your command ( not mandatory).
• Frequency: how frequent these information will be sent to SGBox.
• Log Name: the registry name. If it not present look the this section
• Select o specify the Event ID. You can Select All events or -1 to tell the agent to send all events from the specified register.

You can add more commands to your configuration.

Drag & Drop your configuration to the target host and Save Changes.

Capture Logs from Operational (Application) Windows Event View

This section explain how to create a new configuration and command from a custom registry log. We’ll take the Terminal Service Registry as example. Here the details of the logs we want retrieve:

Se the previous section to specify a new command from a basic registry:
https://www.sgbox.it/sgbox/EN/knowledge-base/create-a-new-command/

Fist of all we need to find the exact name of the registry: Right click > Properties

A new command could be added in a same way to an existing configuration.

Log in to SGBox web interface. Go to LM > Configuration > Agents

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want create a new configuration or click on existing  configuration if you want to edit it.

Enter o modify a name for the configuration and select GetEventLog to retrieve new information from Event Viewer.

Enter details of your command:

• Name: a descriptive name of your command.
• Description: brief description of your command ( not mandatory).
• Frequency: how frequent these information will be sent toSGBox.
• Log Name: select ADD NEW
• New Log Name: the registry name taken before.
• Select o specify the Event ID. You can Select All events or -1 to tell the agent to send all events from the specified register.

You can add more commands to your configuration.

Drag & Drop your configuration to the target host and Save Changes.

Capture Logs from File/Folders (TailFolder method)

This section explain how to create a new configuration and the related command in order to retrieve logs from a specific folder.

Requirements

• SGBox 5.0.2 or SGBox 4.2.7 is required.
• At least SGAgent 3.2.7433.19116 is required .

Log in to SGBox web interface. Go to LM > Configuration > Agents

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want create a new configuration or click on existing  configuration if you want to edit it.
Enter a name and select TailFolder as command.

A new windows appears. Enter details of your command:

• Name: a descriptive name of your command.
• Description: brief description of your command ( not mandatory).
• Frequency: how frequent these information will be sent to SGBox.
• Directory Path: where how logs are located
• File Name: Logs file name, also star expression could be used.
• List Subdirectories: Use this flag if you want to look also logs located in the subdirectories.
• Timestamp Pattern: a regex to find the correct timestamp of the logs.
• Timestamp Format: Specify logs timestamp format.
• Timezone: You can specify if the Timestamp is in Localtime or UTC.

ATTENTION: if the folder you are trying to monitor is inside C:/Windows/System32/ you need to use C:/Windows/sysnative/

Your command has been created. If you want you can add more commands to your configuration.

Click on Save Changes to save your configuration.

Drag & Drop your configuration to the target host and Save Changes.

When everything is configured you can see your logs in historical search

Configure File Integrity Monitoring

File Integrity Monitoring is new feature introduced with the last SGAgent version and it’s used to monitor files and shared folders. Using this feature you can monitor when a specific file is read, modified or deleted.

!Attention: File Integrity Monitoring is not File Auditing, you are not able to see the user that execute the action.

Requirements

• SGBox 5.1.3 or higher.
• SGAgent 3.4 or higher.

The FIM package can be installed from SCM>Applications>Packages: Click to install to download and install the package, then click on Run and select the hosts you want to monitor.

Go on LM>Configurations>Agents

In our example we create a specific configuration for this feature, but you can also create a new command on a existing configuration and modify it.
Click on “New Configuration” to create a new configuration and select CheckFolder.

A new window will appear to enter the command’s details:

• • Name: a descriptive name of your command.
  • Description: a short description of your command (not mandatory).
  • Frequency: how often this information will be sent to SGBox (60 sec suggested).
  • Directory Path: where the files or folders are located.
  • File Name: Name of the file (you can also use the star expression).
  • Check Subdirectories: Use this flag if you want to look at files located in sub directories as well.
  • File Integrity: Select the monitor mode* you want to use
  • Exclude files: you can specify some files to exclude for the monitor (not mandatory, regex supported)

Monitor Mode

• Monitor Only: check the integrity when the PC and agent are running.
• Monitor and store integrity: Store the integrity in a internal DB. Even if some operations on files are performed when the S.O or Agent are not running, the agent can identify them. Store large directories can seriously impact performance.

Click OK to save the command.
Click “Save Changes” to save your configuration.

Drag and drop your configuration to target host and click again on “Save Changes“.

When everything is set up you can see your logs in the historical search or from the “File Integrity Monitoring” dashboards.

FIM is very useful if you want to store critical configurations or backups.  It’s no suggested monitor all the C: storage. Here some interested folder to monitor:

C:\inetpub\wwwroot C:\Windows\Boot C:\Windows\System32\drivers\etc

Strict TLS connection with a Personal Certificate

Starting from version 3.7. it is possible configure the SGAgent to check the SGBox/Collector certificate before sending information.

Requirements:

• SGAgent version 3.7
• SGBox must have a valid certificate. Look this section.

After installed go in the installation directory. Default path is C:Files(x86)Agent** Open the file SGBoxTask.exe.config** as Administrator with a text editor like Notepad.

add the following entry after the connection strings: key=”IgnoreCertificate” value=”False”

Save the configuration and restart the SGBoxTask Service service.

Check the file SGBoxTaskLog.txt to verify that everything is ok.
Here an example of error:

220330 14.51.05 0000008 *** Error The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. System at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at SGBoxTask.Utils.Internet.GenerateCommandRequest(String uri, String ApplicationId, String login, String password)

Here an example when it works:

220330 14.54.20 0000004 Starting ServiceSGBoxTask 220330 14.54.20 0000006 Starting Main 220330 14.54.20 0000006 Params 0A002700000D https://sgbox192.sgbox.it/sgbox/LM/dataxchange/cmd.php https://sgbox192.sgbox.it/sgbox/LM/dataxchange/send.php 220330 14.54.20 0000006 SleepTime 10 msec 220330 14.54.20 0000006 RandomStartTimer 2 sec RandomMinStartTimer 1 220330 14.54.20 0000006 Enable TLS 1, 1.1, 1.2 220330 14.54.20 0000006 Starting StartSendPacket 220330 14.54.20 0000006 Starting StartGetCommand

Uninstall

Prerequisites

Before Uninstall the Agent be sure that (for all users connected to the server):

• All mmc.exe instance are closed
• All services panel (services.msc) are closed
• The Task Manager (and Process Explorer) is temporary closed
• All Event Viewer instance are closed

Automatic procedure (Recommended)

To uninstall the Agent, you must go to “Add/Remove Programs”, then select the “SGBox Agent” and select “Uninstall”.

Reinstall Note: It is recommended, in case of agent reinstall, to full restart the machine before proceeding with the new install.

Manual Full Remove

To Full remove the Agent if anything goes wrong, you must check and remove these items:

• Service: Stop and remove the service, you can use this Powershell command:
  get-service SGBoxTask | stop-service then on a cmd window sc delete SGBoxTask
• Registry: Find and delete this Regsitry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SGBoxTask
• Folders: Full Remove this Folder: C:\Program Files (x86)\SGBox Agent

Update Agent

To update the Agent you must completely uninstall the old version (we recommend also to reboot the machine if possible), then install the new version with the specific installer.

Silent/Unattended Mode

Install

In order to distribuite SGAgent in silent mode you have to type the follwing command:

SetupSGBox.msi /q ServerIP="192.168.xxx.xxx"

Uninstall

In order to uninstall SGAgent in silent mode you have to type following command:

msiexec /q /x {C09891C0-0E34-4873-A869-F9DC136E67C2}

Troubleshooting

The Agent is composed by:

• A service: named SGBoxTask, must be set on automatic start and running
• Default Installation folder: C:\Program Files (x86)\SGBox Agent – Main files and folders
• SGBoxTask.exe: is the main executable file and service
• SGBoxTaskLog.txt: the main log file of agent itself
• SGBoxAgent.exe.config: configuration file for the agent
• C:\programdata\SGBoxTask\Packet: the folder where packet ready to be send, or cached are stored

How to analyze Agent log

The main log file is: SGBoxTaskLog.txt If you have any sort of problem related to the agent, you can send this file to assistance to check the stream.

Some useful rows to check the correct comunication are:

• Row with the command: GetCommand, the agent is checking the command to execute coming from LM -> Configuration -> Agents
• Detected OLD Reqest xxx: SGAgent has identified a cached command that is not used and has been marked as inactive. It’s informational
• Read Json … : the Json command received from SGBox – Sending File … : a final packet has been sended to SGBox

Check Service

To check the service is running you can from a CMD execute this command:

sc query SGBoxTask

If status equal to Running the service si correctly running, otherwise must be started or check the whole configuration.

Reconfigure IP on change appliance IP

Attention: this procedure is valid only on change IP and not when you are migrating to new appliance istance or a new major version

To change the query IP point for the agent go to the configuration file SGBoxTask.exe.config in the default folder and change these rows:

• <add key="SGCommandUrl" value="https://<ip_to_change>/sgbox/LM/dataxchange/cmd.php" />
• <add key="SGResponseUrl" value="https://<ip_to_change>/sgbox/LM/dataxchange/send.php" />

SGBoxTask.exe.config Definition

• <CommandDelay>: Time interval in seconds between the request of new command configuration coming from SGBox
• <MaxLogFileSize>: Max size of the log file SGBoxTaskLog.txt
• <LogLevel>: SGagent log verbosity level for SGBoxTaskLog.txt
• <SGCommandUrl>: Complete Url interrogation for command list coming from SGBox
• <SGResponseUrl>: Complete Url where log is sended to SGBox
• <PageSize>: Max size in bytes of the file sended to SGBox each time
• <SleepTime>: Milliseconds of delay before send the file to SGBox
• <MaxPacketFolderSize>: Max size of the whole log waiting to be sended (or cached)

Network Connectivity Checklist

If the agent is unable to communicate with the Appliance/Collector, please check these actions to be sure that the communication over network is correct:

• Check that machine firewall does not block the requests
• Check that Antivirus installed does not block the requests
• Check that network device between machine and main gateway does not block or drop requests
• Check that no GPO configuration can collide with the agent requests
• Check that the machine is enabled with communication with at least SSL 1.3

Introduction

How to: First time configuration

How to: Configuration

Restore previous configuration

How to: Dashboard

Risk graph area

This area contains the Relative Risk graph for the defined domains.  Assuming that if all the KPIs do not exceed the defined thresholds the overall risk is 0 (zero), the system calculates the relative risk level, KPI by KPI, by multiplying the risk associated with each KPI by the delta between the observed value and the defined threshold.

For example, if the risk associated to a KPI is 7, the observed value is 25 and the defined thresholds are 20 for the low threshold and 30 for the high one, the delta will be 25 – 20, so the daily risk for this KPI will be (25-20) * 7 = 35.
Then single KPI risk are summed together to give the daily risk level for that specific AD domain.

This is useful when, once you have identified your own domain baseline by opportunely trigger KPIs thresholds, to graphically spot issues. You’ll receive a daily alert e-mail about the exceeded thresholds also.

Domain Tabs area

This area contains one tab for each defined domain, clicking on a domain tab will switch to the domain specific dashboard from which you can configure domain KPIs.

KPI area

Here are shown all the KPIs with their most recent value

KPI Status area

In the KPI status area you can see the result of the analisys for each KPI:

• Severity column graphically shows which KPI threshold has been exceeded.
• Last check column contains the date time of the last analysis run.
• Risk column contains the KPI related Risk.
• Current threshold column graphically shows the KPI defined threshold value.
• Alert recipients column shows the recipient list where KPI alerts will eventually be sent.
• Active column shows if the KPI will or will not be analyzed.
• Send Alert column shows if KPI alerts will or will not be sent.

Action area

Action area contains the buttons to interact with the KPI configuration settings.

By clicking the pencil icon, the edit panel will be shown allowing the KPI settings customization, you can then set your specific KPI threshold as well as set the KPI risk level or add one or more specific recipients for the KPI. Finally you can choose to activate or deactivate the KPI check and to enable or disable KPI email notification.

To get some help in the threshold definition, you can click on the graph icon to open a KPI statistic panel.

And finally, by clicking on the eye icon you can have the details about the Users, Groups and Computers that are related to the KPI.

Please note that all these last three panels can be opened together to have a complete KPI picture.

Add-on Packages

ADEngine Self Audit dashboard

ADEngine Alerts dashboard

Before you begin

If you started with SGBox from version 5.3.0 or above and/or if you have never installed the old SGBox Windows packages Windows package Base and Windows package Advanced, you don’t need to cleanup anything; just follow the standard installation steps.

However, if you’re an old SGBox customer, or if you’ve installed one or both of the old packages, a little cleanup procedure needs to be followed to avoid duplicate events. Please follow the instruction at the end of the “Windows Audit package installation” section.

Windows Audit package installation

To install the new Windows Audit package From SCM->Application->Packages find the package in the package list, click the Install button and then the Download and install button on the App Installation pop-up.

On the Windows Audit – Recommended installation panel, configure installation option as for your needs:

1. Select the hosts from which you want to collect Windows Audit information from. These hosts will be automatically added to the Windows Audit Classes, so events collection can immediately start after the installation.
2. Download the Group Policy configuration guide and follow the instruction to properly enable needed events collection.
3. Insert the email address to which you want to forward LCE alert messages to.
4. Check the flag if you want to have newly added/installed windows machines automatically added to SGBox Windows Audit classes.
5. Click Install button to install the package.

To check the installation, please verify the existence of the following:

Post installation considerations

We need also to make sure that the new Windows Agent Configuration are correctly bound to the relative windows hosts. Go to LM->Configuration->Agents and check that everything is fine.

Open the Microsoft Windows (SGBox agent) Asset (1) and verify that all the needed “configurations” (2) are properly assigned to to your Windows devices. Don’t forget to click the Save Changes button, in the bottom-left corner, if you did any change.

To eventually force the system to push configurations to the Agents, simply remove and newly add a Configuration from a device of your choice, and finally click the Save Changes button.

Please note that for events collection to be effective, it is necessary to appropriately configure both the Group Policies and the Object-level Access auditing. Here below the link to the configuration guide:

• Windows-Auditing-Configuration-Guide-v1.2_EN.pdf (2007 downloads )
• Windows-Auditing-Configuration-Guide-v1.2_IT.pdf (2039 downloads )

Old Windows package cleanup instruction

If you have installed one or both of the old SGBox Windows packages Windows package Base and Windows package Advanced, you need to configure the following to avoid duplicate events generation:

Deactivate old packages’s classes

From LM->Configuration->Class uncheck the Active flag for the following classes:

• Windows logon events
• Windows user events
• Windows File Access
• Windows Audit Policy
• Windows GPO

After verifying that everything works as expected with the new Windows Audit package, you may want to remove old objects to keep the environment clean.

Clean old Classes

From LM->Configuration->Class delete the previously deactivated classes:

• Windows logon events
• Windows user events
• Windows File Access
• Windows Audit Policy
• Windows GPO

Clean old Dashboards

From the Dashboard list delete the following dashboards:

• Top 10 windows user logon events
• Windows User Operations
• Windows user related issue

Clean old Correlation Rules

From LCE->Rules delete the following rules:

• Windows User Added to Group
• Windows User Password Changed
• Windows User Password Reset
• Windows User Removed from group
• Windows Audit Policy Changed

Clean old Agent Configuration

From LM->Configuration->Agents remove the following configurations:

• Windows logon events
• Windows user events
• Windows Audit Policy
• Windows GPO

Clean old Windows packages

Identify and remove old Windows packages by clicking on the trash in the upper-right corner of each package box

Please note that deleting the package will not remove package objects, so the previous point by point cleanup is necessary.

This article will explain how to create a Microsoft CA in order to use LDAPS protocol and access to SGBox with your AD Users. It’s not mandatory have a Microsoft CA to use LDAPS protocols, you can use also an External CA. The only requirements is that SGBox is able to solve the common name wrote in the certificate.

1. Install the Certificate Services (a “roles” of Server Manager) and configure it creating a root CA by following the wizard. I’ll be required restart the domain controller/server at the end of the task;

2. Test your LDAPs (with a tool link Microsoft LDP). Set DC IP, choose port 636, and flag “SSL” option.

3. If it works, you’ll receive a response like the following:

ld = ldap_sslinit("LAB1-WIN.uno.local", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to LAB1-WIN.uno.local.
Retrieving base DSA information... (...)


4. Export the domain controller certificate using the following steps:

• From MMC console, add the snap-in  Certificate (Local Computer);
• Choose the Personal/Certificates directory;
• choose your certificate (in the Issued To column find the Domain Controller FQDN);
• Right click on the cerficate, and choose the All Tasks/Export option;
• export the certificate in DER o Base-64 formant, and call it “certificate.cer”.

The certificate will be used to a secure communication with the domain controller.
SGBox need the *.crt extention so you need to convert it in the following way from a Linux/Unix machine:


openssl x509 -inform DER -in certificate.cer -out certificate.crt


This section explain how to configure SNMP service on Windows systems in order to monitoring and collect detailed information about the server.

Requirements:

• The SNMP service must be installed.

If you want to check or install the SNMP service you can follow this steps:
Clink on Windows > Administrative Tools > Server Manager.
Select Manage > Add Roles and Functions and install the SNMP.

Clink on Windows > Administrative Tools > Services.
Right-click SNMP Service and select Properties.
Swtich on Security tab.
Choose the community name and specify the SGBox IP address in the accepted hosts.

Click on Apply.