CyberHub Deployment Guide for Azure Environment (Global)

This deployment guide helps Accenture Adaptive MxDR customers build a CyberHub in an Azure environment.

The document includes the following topics:

Introduction to the Accenture CyberHub

The Accenture CyberHub is designed to collect, compress, and securely transmit your devices' log data to the Google Log Forwarder for analysis and storage.


Getting Started

The CyberHub focuses on supporting a wide range of secure services for customer devices. Device logs are processed and analyzed on the CyberHub, and the gathered data is transported securely.

Data collection

  1. Security event sources detect and log network and endpoint activity.

  2. Log data is gathered by Event Collectors and sent to an Event Translator Service. Event Collectors gather, filter, and aggregate the log data and send both raw and processed log data to the Event Translator Service for transmission to the CyberHub.

  3. A data forwarding service (the Google Log Forwarder) sends the raw and processed security data directly to Chronicle SIEM. The security data is encrypted in transit to Chronicle.

CyberHub Onboarding Process

Onboarding is the act of configuring, establishing, and validating the flow of data from your devices into the Adaptive MxDR. All devices must be onboarded before the Adaptive MxDR can use data from the device. The CyberHub onboarding process is as follows:

  1. The Azure CyberHub image is supplied as a Virtual Hard Disk (VHD), which is transferred to the customer's Azure storage account.

  2. Connectivity needs to be established so that the CyberHub can reach all required services.

  3. The CyberHub virtual hardware requirements need to be in place, as specified in the Prerequisites section.

  4. The CyberHub needs to be deployed by following the deployment instructions.

  5. Your Accenture SDL needs to be informed about every newly deployed CyberHub.

  6. CyberHub connectivity details, such as the internal IP, hostname and DNS details, need to be shared via the CyberHub Techstack created on the Adaptive MxDR Portal.

  7. Accenture MxDR will perform CyberHub connectivity tests and review the deployment's success.

  8. After the CyberHub is fully deployed, Accenture MxDR will baseline the CyberHub and apply hardening scripts. From this point on, only certified Accenture MxDR technical resources will be able to access and manage the CyberHub.

Access to the CyberHub can’t be granted to anyone else.

Assumptions: Accenture Adaptive MxDR customers provide the virtual hardware resources to deploy the CyberHub in on-prem, private or public clouds. The customer is responsible for managing the underlying virtual platform. The virtual hardware requirements listed in Prerequisites must be met. CyberHub deployment also requires the customer to make sure all network configuration is in place before beginning the installation.

The following information is required for each CyberHub:

Table - 1.1: Installation Requirements

Host Name            The host name of the computer where the CyberHub will reside, e.g. CyberHub001.

Domain name server   A comma-separated list of local domain name server IP addresses. This allows the collector to resolve logged host names to IP addresses, which is critical for Accenture MDR analysis.

Subnet mask          The subnet mask for the network where the CyberHub will reside, in IPv4 format, e.g. 255.255.255.0.

Gateway              The IP address of the default gateway the CyberHub will use, in IPv4 format, e.g. 128.0.0.1.

IP address           A static/reserved IP address for the CyberHub, in IPv4 format, e.g. 128.0.0.8.

Domain               The CyberHub's domain name; this can be any name you prefer and does not have to be the actual local domain name, e.g. example.customer.com.

Prerequisites

Before installing the CyberHub, please make sure the following prerequisites are met.

  • The SOC accesses the CyberHub through AWS Session Manager (SSM); the CyberHub initiates outbound connections to the SSM endpoints listed in Table 1.2. Discuss this with your Technical Project Manager if you have further questions.

  • Virtual hardware is provisioned as per the specification listed below and can support the CyberHub OS base. The CyberHub image is currently based on Ubuntu 20.04.

  • The CyberHub requires access to the DNS server holding the DNS A records of all event sources planned for integration with the MDR service. Up to 3 DNS servers and 6 DNS search domains can be integrated per CyberHub. DNS information is currently not shared between CyberHubs.

  • When standing up a CyberHub server to connect to the MDR, apply the following port settings:

Table - 1.2: Port Requirements

Source          Destination                           Protocol/Port     Description
<CyberHub IP>   ssm.us-east-1.amazonaws.com           TCP/443           SSM Agent service for Adaptive MxDR management access
                ec2messages.us-east-1.amazonaws.com
                ssmmessages.us-east-1.amazonaws.com
                kms.us-east-1.amazonaws.com
<CyberHub IP>   <Customer NTP>                        UDP/123           Network Time Protocol
<CyberHub IP>                                         TCP/443           CyberHub updates
<CyberHub IP>                                         TCP/443           CyberHub configurations
<CyberHub IP>   <Customer DNS Server>                 TCP/53; UDP/53    DNS resolution (TCP is used when the message is longer than 512 bytes)
<CyberHub IP>   <Chronicle Cloud Instance>            TCP/443           Sends logs to the Chronicle instance. The list of Chronicle URLs is in the linked Chronicle forwarder documentation.

Other ports may be required depending on which sources are logging to the CyberHub; the collectors for a given source may have their own specific port requirements.

Installation Requirements

Table - 1.3: Minimum System Requirements

RAM       CPU   Managed Disk
32 GiB    8     256 GiB (Default Performance Tier)

The CyberHub minimum is an 8x8 combination, but every available Azure VM size (General Purpose and Memory Optimized) with 8 cores starts at 32 GiB of memory.

The above CyberHub specifications are for estimation and guidance only. Post deployment, a detailed understanding of the amount of log data generated in the environment, in combination with the log processing capacity, will be required to.

CyberHub Azure VM Size

Size                                        Family             Temp Storage   IOPS       Recommended Usage
D[8-416]s_v4 (VM with 0 GiB temp storage)   General Purpose    0 GiB          >= 12800   Recommended when the CyberHub will serve low-EPS / infrequently logging devices.
E[8-416]s_v4 (VM with 0 GiB temp storage)   Memory Optimised   0 GiB          >= 12800   Recommended when the CyberHub will serve high-EPS logging devices.

Configuration for Azure Environment

To enable log collection for an Azure environment, follow the steps below:

Obtain the Azure CyberHub image (VHD) file from Accenture Adaptive MxDR.

  1. The installation disk image of an Azure CyberHub is supplied as a Virtual Hard Disk (VHD). To transfer the CyberHub VHD file to the customer's Azure storage, MDR requires one of the following sets of information:

    1. Azure Storage Account Name and Storage Access Key

    2. Blob Name and SAS URL

  2. In a web browser, open the Microsoft Azure portal and log in with your Azure account credentials.

  3. Create a new resource group. If you would like to deploy the CyberHub under an existing resource group, you can skip the steps below.

a. Create a resource > search Resource group > select Create


b. In Resource groups, click Add.

c. In Resource group name, type a suitable name.

d. From the Subscription, select your subscription.

e. From the Resource group location / Region, select the location where you want the CyberHub deployed and then click Create.

Azure Storage Setup for VHD

Create a Storage account. If you would like to deploy the CyberHub under an existing storage account, you can skip the steps below.

  1. Navigate to Resource > Search Storage account > select Create.

  2. Select the correct subscription and resource group.

  3. Provide an appropriate storage account name and region.

  4. Add Instance details:

  • Select Performance as Standard or Premium.

  • Select Redundancy as Geo-redundant storage (GRS).

  • Enable the checkbox for read access to data available.

  5. Navigate to next page > Advanced:

  • Configure security settings.

  • Configure Blob storage.

  6. Navigate to next page > Networking:

  • Configure the network connectivity method and routing.

  7. Navigate to next page > Tags:

  • Define appropriate tags.

  8. Review all configuration and select Create.

  9. Search for the storage account created above in the search bar and navigate to it.

  10. Navigate to Data Storage > Containers and select New container.

  11. Provide an appropriate container name and set Public access level as Container.

  12. Review and select Create.
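The storage account and container steps above, expressed as Azure CLI commands. This is an added example and not part of the guide or of the CyberHub product; the resource group, storage account and container names, the region, the blob name cyberhub.vhd, the local VHD path and the SAS expiry are assumed placeholders. It follows the guide's option 2 (Blob Name and SAS URL): the container stays private and a time-limited SAS scoped to the single blob is issued, so the VHD does not need the anonymous read access that the Container public access level grants, and the storage account key never has to leave the customer. By default the script only prints the az commands (DRY_RUN=1); run it with DRY_RUN=0 and the argument apply after az login to execute them.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI version of the storage account and container steps,
# plus a blob-scoped SAS URL for the VHD (the guide's option 2). Names, region,
# blob name, local VHD path and SAS expiry are assumed placeholders.
set -eu

RG="${RG:-rg-cyberhub}"
LOCATION="${LOCATION:-westeurope}"
STORAGE="${STORAGE:-stcyberhubvhd01}"    # 3-24 lowercase letters/digits, globally unique
CONTAINER="${CONTAINER:-cyberhub-vhd}"
BLOB="${BLOB:-cyberhub.vhd}"
VHD_PATH="${VHD_PATH:-./cyberhub.vhd}"   # local copy of the VHD, if you upload it yourself
EXPIRY="${EXPIRY:-2030-01-01T00:00Z}"    # placeholder; in practice a few days ahead (UTC)
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the az commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Storage account (RA-GRS = geo-redundant storage with read access, as in the
# guide) and a private container. With a SAS the "Container" public access level
# is not needed, so anonymous blob access stays disabled at account level too.
create_storage() {
  run az storage account create --name "$STORAGE" --resource-group "$RG" \
    --location "$LOCATION" --kind StorageV2 --sku Standard_RAGRS \
    --min-tls-version TLS1_2 --https-only true --allow-blob-public-access false
  run az storage container create --name "$CONTAINER" --account-name "$STORAGE" \
    --auth-mode login --public-access off
}

# Upload a fixed-size VHD as a page blob (managed disks are created from page blobs).
upload_vhd() {
  run az storage blob upload --account-name "$STORAGE" --container-name "$CONTAINER" \
    --name "$BLOB" --file "$VHD_PATH" --type page --auth-mode login
}

# SAS URL limited to this one blob: add/create/write only, HTTPS only, valid
# until EXPIRY. Share this URL and the blob name with MDR instead of the account key.
vhd_upload_sas() {
  run az storage blob generate-sas --account-name "$STORAGE" \
    --container-name "$CONTAINER" --name "$BLOB" \
    --permissions acw --expiry "$EXPIRY" --https-only --full-uri -o tsv
}

if [ "${1:-}" = "apply" ]; then
  create_storage
  vhd_upload_sas
fi
```

The SAS permissions are write-only; if MDR also needs to verify the uploaded blob, add r to the --permissions string. Revoking access early is a matter of rotating the account key that signed the SAS.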

Create a virtual network for the CyberHub

Create a virtual network. If you would like to deploy the CyberHub in an existing virtual network, you can skip the steps below.

  1. Create a resource > Search Virtual network > Select Create

  2. On the Create virtual network page, fill in the following information.

  • In Name, type a name for your virtual network.

  • In Resource group, select Use existing and then select the resource group name which you created in Step 3 of Configuration for Azure Environment.

  • In Location / Region, select the same location that was used while creating the resource group, and click Create.

  • In Address space, assign the address space you would like to use for the CyberHub.

  • In Subnet name, type a subnet name.

  • In Subnet address range, assign the subnet address range you would like to use for the CyberHub.

  • In Subscription, select your subscription.

Create a Public IP address for the CyberHub (Optional)

  1. Create a Resource > search Public IP address > select Create

  2. In Create public IP address, fill in the following information.

a. In Name, type a public IP address name.

b. In IP Version, select IPv4.

c. In IP address assignment, select Static.

d. Idle timeout has an automatic value by default, hence no changes are required.

e. In DNS name label, enter a name.

f. In Subscription, select your subscription.

g. In Resource group, select Use existing and then select the resource group name which you created earlier.

h. In Location, select the same location that was used while creating the resource group, and click Create.

Create a network security group

  1. Create a Resource > search Network security group > select Create

  2. In Create network security group, fill in the following information.

  • In Subscription, select your subscription.

  • In Resource group, select Use existing and then select the resource group name which you created in Step 3 of Configuration for Azure Environment.

  • In Instance details, in the Name field, type a network security group name.

  • In Location / Region, select the same location that was used while creating the resource group.

  3. Search for Resource group and select the resource group name which you created in Step 3 of Configuration for Azure Environment. After you select the resource group name you will see the network security group which was created in Step 1.

  4. In the Network security group, click Outbound security rules and then click Add. On the Add outbound security rule page, fill in the required information.

a. Select Source as Any and type * in Source port ranges.

b. Select Destination as IP Addresses.

c. Enter the Destination IP addresses/CIDR ranges as 0.0.0.0/0.

d. From the Service drop-down list, select HTTPS.

e. Under Action, select Allow.

f. The Priority field has an auto-generated value by default, hence no changes are required.

g. In Name, type a name for the rule and click Add.

  5. Repeat the above steps to allow outbound access for the rest of the SOC IP addresses below.

SOC Outbound access IP addresses

IP addresses     Port   Protocol       Description
0.0.0.0/0        443    TCP            For SSM, Chronicle Cloud updates and configurations
Local NTP        123    UDP            For NTP (Network Time Protocol) server
Preferred DNS    53     UDP and TCP    For DNS resolution

  6. After adding all of the above SOC IP addresses, you will see a result similar to the example below.

Example: Allow outbound access to the database IP address and port/protocol from the CyberHub.
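The virtual network and network security group steps above (the Create a virtual network section and the three rows of the SOC Outbound access IP addresses table), expressed as Azure CLI commands. This is an added example, not part of the guide or of the CyberHub product; the resource group, vnet, subnet and NSG names, the address ranges and the NTP and DNS server addresses are assumed placeholders that you replace with the customer's values. One caveat worth knowing when reviewing the result: an Azure NSG already carries default outbound rules (AllowVnetOutBound at priority 65000, AllowInternetOutBound at 65001, DenyAllOutBound at 65500), so these Allow rules only become restrictive once a Deny rule for all other outbound traffic is added at a priority number between them and the defaults. By default the script prints the az commands (DRY_RUN=1); run it with DRY_RUN=0 and the argument apply after az login to execute them.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI version of the "Create a virtual network" and
# "Create a network security group" steps. All names and addresses below are
# assumed placeholders, not values from the guide.
set -eu

RG="${RG:-rg-cyberhub}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-cyberhub}"
VNET_PREFIX="${VNET_PREFIX:-10.10.0.0/24}"
SUBNET="${SUBNET:-snet-cyberhub}"
SUBNET_PREFIX="${SUBNET_PREFIX:-10.10.0.0/26}"
NSG="${NSG:-nsg-cyberhub}"
NTP_IP="${NTP_IP:-10.0.0.10}"   # placeholder: customer NTP server ("Local NTP" row)
DNS_IP="${DNS_IP:-10.0.0.11}"   # placeholder: customer DNS server ("Preferred DNS" row)
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the az commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Virtual network with one subnet, and an empty NSG in the same region.
create_network() {
  run az network vnet create --resource-group "$RG" --name "$VNET" \
    --location "$LOCATION" --address-prefix "$VNET_PREFIX" \
    --subnet-name "$SUBNET" --subnet-prefixes "$SUBNET_PREFIX"
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
}

# One outbound Allow rule. Arguments: name priority protocol destination-prefix destination-port.
# The source is the CyberHub itself, so source address and source port are both '*'.
nsg_outbound_rule() {
  local name="$1" priority="$2" proto="$3" dest="$4" port="$5"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$name" --priority "$priority" --direction Outbound --access Allow \
    --protocol "$proto" --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes "$dest" --destination-port-ranges "$port"
}

# The three rows of the "SOC Outbound access IP addresses" table.
create_outbound_rules() {
  nsg_outbound_rule allow-https-out 100 Tcp 0.0.0.0/0 443   # SSM, Chronicle Cloud, updates, configuration
  nsg_outbound_rule allow-ntp-out   110 Udp "$NTP_IP" 123   # NTP
  nsg_outbound_rule allow-dns-out   120 '*' "$DNS_IP" 53    # DNS over both UDP and TCP ('*' = any protocol)
}

# Quick review of what ended up in the NSG (only meaningful with DRY_RUN=0).
list_rules() {
  run az network nsg rule list --resource-group "$RG" --nsg-name "$NSG" --output table
}

if [ "${1:-}" = "apply" ]; then
  create_network
  create_outbound_rules
  list_rules
fi
```

The NSG is attached to the CyberHub NIC later, at VM creation, which matches the guide's "NIC network security group" step; attaching it to the subnet instead would apply the same rules to every NIC in that subnet.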

Create a Managed disk for the CyberHub VHD

  1. Navigate to a resource > search Managed Disk > select Create.

  2. Select the correct subscription and resource group.

  3. Provide an appropriate disk name. This disk will be used later to create the CyberHub VM.

  4. Select the region and availability zone if needed.

  5. Select source type Storage blob and browse the Source blob field to select the storage container where you stored the CyberHub 4.0 VHD.

  6. Select OS Type as Linux and VM generation as Gen1. Select Premium SSD 256 GiB (Default Performance Tier) as the minimum recommended disk size. Refer to the Prerequisites section.

  7. Navigate to the next page > Encryption and select Encryption type > (Default).

  8. Navigate to the next page > Networking and choose the appropriate connectivity method.

  9. Navigate to the next page > Advanced and set Enable shared disk to No.

  10. Navigate to the next page > Tags.

  11. Define appropriate tags for the VM.

  12. Review all configuration and select Create.

 

Create CyberHub VM from above created managed disk

  1. Search for Disks in the search bar and navigate to the managed disk created in the previous section.

  2. Select the disk and navigate to the Overview page. The disk will be in the Unattached state.

  3. Select the Create VM option from the Overview page.

  4. Select the correct subscription and resource group.

  5. Provide an appropriate virtual machine name for the CyberHub VM.

  6. Region will be pre-populated.

  7. Select Availability options as No redundancy required.

  8. Image will be pre-populated with the CyberHub managed disk created in the previous section.

  9. Uncheck Azure spot instance.

  10. Select the correct VM size. Recommended is the E-series Memory Optimised family with a minimum of 32 GiB memory and 8 CPUs. Refer to the Prerequisites section.

  11. Select Public inbound ports > None and License type > Other.

  12. Navigate to next page > Disks.

  13. Navigate to next page > Networking. This sets up the network interface for the VM.

  • Select the appropriate Virtual network, Subnet, Public IP, NIC network security group and Public inbound ports.

  • Choose the Advanced option under NIC network security group and configure the security group created in the steps above.

  14. Navigate to next page > Management.

  15. This configures the monitoring options for the VM.

  • Set Boot Diagnostics as managed storage account.

  • Uncheck OS guest diagnostics.

  • Uncheck System managed identity.

  • Uncheck Login with Azure AD.

  • Uncheck Auto-shutdown.

  • Set Patch orchestration options to Image default.

  16. Navigate to next page > Advanced and skip it; no custom or user data is provided to the VM.

  17. Review all details and select Create.

If you want to change the private IP assignment to static, or to a specific private IP, use the following steps:

  1. Select Networking under Settings of the CyberHub VM.

  2. In Networking, select the name of the primary network interface next to Network interface.

  3. In the network interface properties, select IP configurations under Settings.

  4. Select ipconfig1 (the configuration to which the private IP is assigned) on the IP configurations page.

  5. Under Private IP address settings, change Assignment to Static, provide a private IP or retain the same IP, and click Save.

To move forward with the onboarding process, notify the Accenture Adaptive MxDR team once you have completed the steps outlined above.
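The managed disk, VM creation and static private IP procedures above, expressed as Azure CLI commands. This is an added example, not part of the guide or of the CyberHub product; the resource group, disk, VM, vnet, subnet and NSG names, the VHD blob URI, the VM size Standard_E8s_v4 (one member of the E[8-416]s_v4 family from the sizing table) and the private IP are assumed placeholders. The settings mirror the portal steps: Linux, Gen1, Premium SSD 256 GiB for the disk; no public IP, no inbound ports, the NSG on the NIC, a static private IP, no spot instance and no managed identity (az defaults), boot diagnostics in managed storage and patch orchestration left to the image. By default the script prints the az commands (DRY_RUN=1); run it with DRY_RUN=0 and the argument apply after az login to execute them.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI version of "Create a Managed disk for the CyberHub VHD",
# "Create CyberHub VM from above created managed disk" and the static private IP
# steps. Names, the VHD URI, network names and the private IP are assumed placeholders.
set -eu

RG="${RG:-rg-cyberhub}"
LOCATION="${LOCATION:-westeurope}"
DISK="${DISK:-disk-cyberhub}"
VHD_URI="${VHD_URI:-https://stcyberhubvhd01.blob.core.windows.net/cyberhub-vhd/cyberhub.vhd}"
VM="${VM:-vm-cyberhub}"
SIZE="${SIZE:-Standard_E8s_v4}"          # E-series, 8 vCPU / 64 GiB: meets the 8 CPU / 32 GiB minimum
VNET="${VNET:-vnet-cyberhub}"
SUBNET="${SUBNET:-snet-cyberhub}"
NSG="${NSG:-nsg-cyberhub}"
PRIVATE_IP="${PRIVATE_IP:-10.10.0.10}"   # must lie inside the subnet's address range
NIC="${NIC:-${VM}VMNic}"                 # az vm create names the NIC <vm>VMNic by default
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the az commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Managed disk from the VHD blob: Linux, Gen1, Premium SSD, 256 GiB (Table 1.3).
create_disk() {
  run az disk create --resource-group "$RG" --name "$DISK" --location "$LOCATION" \
    --source "$VHD_URI" --os-type Linux --hyper-v-generation V1 \
    --sku Premium_LRS --size-gb 256
}

# VM booted from that disk. An empty --public-ip-address means no public IP is
# created, which together with the NSG leaves no inbound exposure; the private
# IP given here is allocated as Static. Spot and managed identity are off by default.
create_vm() {
  run az vm create --resource-group "$RG" --name "$VM" --location "$LOCATION" \
    --attach-os-disk "$DISK" --os-type linux --size "$SIZE" \
    --vnet-name "$VNET" --subnet "$SUBNET" --nsg "$NSG" \
    --public-ip-address "" --private-ip-address "$PRIVATE_IP" \
    --patch-mode ImageDefault
  # Boot diagnostics into the managed storage account (no --storage argument).
  run az vm boot-diagnostics enable --resource-group "$RG" --name "$VM"
}

# Equivalent of the portal steps that switch ipconfig1 to Static on an existing
# VM: giving an explicit address makes the allocation static; pass the current
# address to keep it.
set_static_private_ip() {
  run az network nic ip-config update --resource-group "$RG" --nic-name "$NIC" \
    --name ipconfig1 --private-ip-address "$PRIVATE_IP"
}

if [ "${1:-}" = "apply" ]; then
  create_disk
  create_vm
  set_static_private_ip
fi
```

After the VM is running, the values MDR asks for in the onboarding process (internal IP, hostname, DNS details) are exactly PRIVATE_IP, VM and the DNS servers configured for the subnet, so they can be read back from the same variables when filling in the CyberHub Techstack on the portal.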

 

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.