Accenture MDR Quick Start Guide for AppOmni

Owned by Sekar Venkataramani
Last updated: Aug 26, 2024 by Aparna Rr
8 min read

This quick start guide will help Accenture MDR customers configure AppOmni to collect logs to the Log collection Platform (LCP).

 This document includes the following topics:

 

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source

     Destination

      Port

    Description

LCP

AWS SQS

443 (TCP)

Default Port

Configuring AppOmni

Section 1 - AWS S3 Configuration & IAM User Creation

Creation of S3 bucket

  1. Navigate to https://s3.console.aws.amazon.com/

  2. Click Create Bucket

  3. Provide a name for the S3 bucket

  4. Click Create Bucket

image2024-8-22_17-47-52.png

Create an IAM User

Create an IAM user with upload access to the bucket. Please reference the AWS documentation, Controlling access to a bucket with user policies, for instructions on performing this step.

Follow below document for IAM user permission: 

Retrieve access key and access key ID

  1. Login to AWS console with the user created in above step.

  2. In the AWS console, select your account name and, in the drop-down menu, select Security credentials.

image2024-8-22_18-1-0.png

  1. In Access keys, select Create access key. After creation, copy the keys from the Access key and Secret access key fields.

Section 2: Configure Destination in AppOmni Console

  1. Log into your AppOmni console

  2. Navigate to Threat detection > Destinations

  3. Click Add Destination

  1. Search for Amazon Web Services and click on that.

  1. Click Continue

  1. Fill below details and rest everything should be default.

a. Name - Mention the name

b. Description (Optional)- Mention the description

c. AWS region name - Provide the AWS S3 bucket region

d. AWS access key - Provide the Secret Access key which we have created in previous steps

e. AWS access key ID - Provide the Access Key which we have created in previous steps

f. AWS bucket name - Provide the S3 bucket name where you want to store the logs 

g. Delivery Format - Select JSON line

7. Click on Save

  1. Once the destination has created, check if it is enabled or not. If it is not enabled than enable it.

  2. Review the JSON files in the S3 bucket.

Section 3: Create SQS and attach with S3

Refer this document: 

Prerequisite: Following is the IAM user policies required for SQS:

SQS:

IAM User Permission: SQS

{ “Action”: [ “sqs:GetQueueAttributes”, “sqs:GetQueueUrl”, “sqs:ReceiveMessage”, “sqs:DeleteMessage”, “sqs:ListQueues" ], “Effect”: “Allow”, “Resource”: “arn:aws:sqs:region:accountID:SQSName” }

S3:

IAM User Permission: S3

{ "Effect": "Allow", "Action": ["s3:ListBucket","s3:GetObject"], "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"], "Condition": {} }

When KMS encryption is enabled in Appomni for s3 or SQS or for both, IAM users also need KMS permission to decrypt:

KMS:

IAM User Permission: KMS

{   "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:AWS_Region:AWS_account_ID:key/key_ID" }

If in case SQS and s3 both are encrypted with different KMS keys, add two resources in the above KMS policy with comma-separated values.

The above policies are IAM user policies. 

If SQS is encrypted, please add below policy in KMS. This policy is required to make s3 events notify SQS:

KMS Policy

LCP Configuration Parameters:

Table 1-2: AppOmni Event collector (API - 3939) properties to be configured by MDR are given in the table.

Property

Default Value

Description

Region

 

Enter region (Eg: us-east-1)

Secret Access ID

 

Based on the Account ID

Secret Access Key

 

Based on the Account ID

Logging Source

SQS

Though S3 and cloud watch are available in the drop-down, in this case, please select SQS only.

S3 Bucket/Log Group(s)/SQS Queue URL

 

Provide SQS Queue URL

Bucket Prefix Path(s)

 

No need to provide in case of SQS URL

 

 

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.