Accenture MDR Quick Start Guide for Sophos Enterprise Console

This quick start guide will help Accenture MDR customers configure Sophos Enterprise Console to allow log collection from the Log Collection Platform (LCP).

 

The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in

Accenture MDR Portal - https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source

Destination

Port

Description

LCP

Sophos Enterprise Console

1433 (TCP)

Default port

Configuring Sophos Enterprise Console

You must configure Sophos Enterprise Console to work with the event collector by following the steps below.

  1. Create a read-only database user account for Microsoft SQL Server.

  2. Set the Microsoft SQL server security mode to mixed authentication.

  3. Create a read-only database user with Windows Account for Microsoft SQL Server.

  4. Configure the SQL Server instance to listen on a non-dynamic port.

  5. Configure an SSL connection for the Microsoft SQL Server JDBC driver.

  6. Configure the sensor properties for Windows user accounts.

 

​ICreate a read-only database user account for Microsoft SQL Server.

To create a read-only database user account for Microsoft SQL Server, follow the steps below.

  1. From the Windows Start menu, choose Run, and then type the following command: cmd

  2. Navigate to the directory that contains the OSQL.EXE file.

For Microsoft SQL Server 2014, the default directory location for this file is: C:\Program Files\Microsoft SQL Server\100\Tools\Binn

For Microsoft SQL Server 2012, the default directory location for this file is: C:\Program Files\Microsoft SQL Server\110\Tools\Binn

For Microsoft SQL Server 2008, the default directory location for this file is: C:\Program Files\Microsoft SQL Server\100\Tools\Binn

For Microsoft SQL Server 2005, the default directory location for this file is: C:\Program Files\Microsoft SQL Server\90\Tools\Binn

3. Login as the system administrator user. Type the following command: sqlcmd -S ip_address_or_host_name -U sa -P sa_user_password

4. At the command prompt, type the following commands:

  • For Microsoft SQL Server 2000 or Microsoft SQL Server 2000 Desktop Engine (MSDE):

EXEC sp_addlogin 'account_name','password', database_name' USE database_name EXEC sp_grantdbaccess 'account_name'

GRANT SELECT ON vEventsFirewallData to 'account_name';

GRANT SELECT ON Computers to 'account_name';

GRANT SELECT ON vThreatInstances to 'account_name';

GRANT SELECT ON vThreatEventData to 'account_name';

go

quit

  • For Microsoft SQL Server 2005, 2008, and 2012, and 2014:

EXEC sp_addlogin 'account_name', 'password', 'database_name' USE database_name

CREATE USER account_name FOR LOGIN account_name

GRANT SELECT ON vEventsFirewallData to 'account_name';

GRANT SELECT ON Computers to 'account_name';

GRANT SELECT ON vThreatInstances to 'account_name';

GRANT SELECT ON vThreatEventData to 'account_name';

go

quit

 

IISet the Microsoft SQL server security mode to mixed authentication.

To set the Microsoft SQL server security mode to mixed authentication, follow the steps below.

Based on the Microsoft SQL server version, do one of the following:

  • For Microsoft SQL server 2005, from the Start menu, click Programs Microsoft SQL Server Microsoft SQL Server Management Studio.

  • For Microsoft SQL server 2008, 2012, 2014, and 2016, from the Start menu, click Programs Microsoft SQL Server > SQL Server Management Studio.

  1. On the left pane, right-click the appropriate server, and then click Properties.

  2. In the Server Properties window, select Security.

  3. In the Server Authentication section, select SQL Server and Windows Authentication mode.

  4. Click OK and then click Close.

 

IIICreate a read-only database user with Windows Account for Microsoft SQL Server.

To create a read-only database user with Windows Account for Microsoft SQL Server, follow the steps below.

From Windows Domain Controller, create a standard user and note down the username and password.

Note: While Creating a Domain User ensure that you deselect the User must change password at next logon option and select the Password never expires option.

  1. Open SQL Server Management Studio.

  2. Login to the SQL Database with Admin privileges.

  3. In Object Explorer, expand the Databases folder. Expand the database in which you want to create the new database user.

  4. Right-click the Security folder, point to New, and select Logins….

  5. In the Database User – New dialog box, on the General page, select Windows Authentication.

  6. In the User name box, from the User type list, select Windows user. You can also click Search (…) to open the Select User or Group dialog box.

  7. In the Default Database box, specify the database that will own objects created by this user.

  8. On the User Mapping page, select the databases that this login can access. When you select a database, check the Map check box.

  9. Specify a database user to map to the login. Provide the username you created in the above steps.

  10. Specify the default schema of the user. When a user is first created, its default schema is dbo.

  11. From the Database role membership for Database drop-down list, select db_datareader.

  12. Click Ok.

 

IVConfigure the SQL Server instance to listen on a non-dynamic port.

To configure the SQL Server instance to listen to network requests on a non-dynamic port, follow the steps below.

  1. Start the SQL Server Configuration Manager.

  2. Do one of the following:

  • For Microsoft SQL Server 2005, in the left pane, expand SQL Server 2005 Network Configuration.

  • For Microsoft SQL Server 2008, in the left pane, expand SQL Server 2008 Network Configuration.

  • For Microsoft SQL Server 2012, in the left pane, expand SQL Server 2012 Network Configuration.

  • For Microsoft SQL Server 2014, in the left pane, expand SQL Server 2014 Network Configuration.

3. Select Protocols for <instance_name>.

4. On the right pane, make sure that the following fields are set as follows:

  • In TCP/IP Properties, on the IP Address tab, make sure that Active and Enabled are both set to Yes.

  • Make sure that TCP Dynamic Ports is blank for the IP address that the collector connects to.

  • Make sure that TCP Port contains the value 1433 for the IP address that the collector connects to.

 

V. Configure an SSL connection for the Microsoft SQL Server JDBC driver.

 Note: This step is needed only if Secure Sockets Layer (SSL) connection is a requirement.

 You can configure an SSL connection for Microsoft SQL Server 2005, 2008, 2012, or 2014 database with Microsoft SQL Server JDBC driver 4.0.

To configure SSL for the Microsoft SQL Server, follow the steps below.

  1. Start the SQL Server Configuration Manager.

  2. Expand SQL Server Network Configuration, right-click the protocols for the server that you want and then click Properties.

  3. On the Certificate tab, select the certificate that you want to use to protect your connection. 

Note: Self-signed certificates are supported but not recommended because they do not provide adequate security.

4. On the Flags tab, view or specify the protocol encryption option. The logon packet is always encrypted.

5. Set the ForceEncryption option to Yes.  

Note: ForceEncryption encrypts all the client and server communication. Clients that cannot support encryption are denied access.

  6. Restart the SQL Server. Click SQL Server Services and then right-click SQL-SERVER and Restart.

 

VI. Configure the sensor properties for Windows user accounts.

Note: To set up Windows Authentication with Accenture security database event collectors, you must use off-box collection. You cannot use this setup with on-box collection.

 You must use Microsoft SQL Server 2005 JDBC driver version 1.2 (which is the oldest version supported by Accenture event collectors) or newer.

To configure the sensor properties for Windows user accounts, follow the steps below.

  1. Run the MS SQL Server 2005 JDBC driver installer.

  2. Copy the sqljdbc_auth.dll file from the <installation directory>\sqljdbc_<version>\<language>\auth\  location to the <drive>\WINDOWS directory on the computer where the JDBC driver is installed.

  • For the 4.7.x Event Agent, only use the sqljdbc_auth.dll file in the x86 folder regardless of whether the operating system is 32 bit or 64 bit.

  • For the 4.8 Event Agent, on a 32 bit operating system, use the sqljdbc_auth.dll file in the x86 folder and on a 64-bit processor, use the sqljdbc_auth.dll file in the x64 folder.

3. Set up the Event Agent service with the login credentials of the account whose Windows credentials are used to access the MS SQL Server.

  • On the Start menu click Run.

  • In the Open text box, type services.msc, and click OK.

  • Right-click Event Agent and click Properties.

  • On the Log On tab, select This account and enter the users credentials.

  • Click OK and restart the service.

4. In the Collector configuration, for the database sensor setting, add the string ;integratedSecurity=true to the end of the Database URL.

For example: jdbc:jtds:sqlserver://hostname:1433/database_name;integratedSecurity=true

5. In the collector's database sensor setting, remove any values entered in the username and password fields.

6. In some situations, you might need to copy the sqljdbc_auth.dll file in the .\ jre\lib folder where the LCP event agent is installed.

LCP Configuration Parameters

Table 1-2: The Sophos Enterprise Console event collector(DB-3674) properties to be configured by MDR are shown in the table.

Property

Default value

Description

Database URL

jdbc:jtds:sqlserver://<hostname>:1433/

<databasename>

 

Note: To configure the Sophos event collector

properties for an encrypted protocol, 

add the following property string at the end of the

database URL: ;encrypt=true 

Example: jdbc:jtds:sqlserver://<hostname>:1433/

<dbname>;encrypt=true

 

Note :If you are using a self-signed certificate, add the following property string at the end of the URL: ;trustServerCertificate=true

Example:

jdbc:jtds:sqlserver://<hostname>:1433/

<dbname>;encrypt=true;

trustServerCertificate=true

 

Note: If you are using the Windows login

credentials to access the MS-SQL server, 

add the following property string at the

end of the URL: ;integratedSecurity=true

Example: jdbc:jtds:sqlserver://<hostname>:1433/

<dbname>;integratedSecurity=true

 

Note: If you are using using kerberos/encryption

then a manual intervention is required to update

the database connection URL.

Example: Kerberos + Encryption

jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;

ssl=request;useNTLMv2=true;encrypt=true;

trustServerCertificate=true;

Kerberos

jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;

domain=<DOMAINNAME>;

ssl=request;useNTLMv2=true;

The database URL string that needs to be configured on the collector by MDR.

hostname - Hostname or IP address of the database. 

databasename - The name of the database in which the SEP events are stored.

instance_name - The name of the instance within the specified database.

1433 (TCP port) - The default port number for DB connectivity.

Note: If the database is configured to use a different port number, please advise the MDR

onboarding team.

User Name

Custom Value

The name of the user having read-only access to the Sophos Enterprise Console database.

Password

********

The password for the database user account name for the Sophos Enterprise Console database.

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.