Accenture MDR Quick Start Guide for Tenable AD

This quick start guide will help Accenture MDR customers configure Tenable AD to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

    Supported Versions
    Port Requirements
    Configuring Tenable AD
    LCP Configuration Parameters
    Legal Notice

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source        Destination   Port        Description
Tenable AD    LCP           601 (TCP)   Default port

Configuring Tenable AD

Prerequisite: You need administrator privileges to configure Syslog.

1. In Tenable.ad, click System > Configuration > Syslog.

2. Click the Add a Syslog alert button on the right. The Add a Syslog alert pane appears.

3. Under the Main Information section, provide the following:
→ In the LCP IP address or hostname box, type the IP address or hostname of the LCP server that receives the notifications.
→ In the Port box, type the port number of the collector.
→ In the Protocol box, click the arrow to select either UDP or TCP. If you choose TCP, select the TLS option checkbox if you want to enable the TLS protocol to encrypt the logs in transit.
→ In the Description box, type a brief description of the collector.

4. In the Profiles box, click to select the profile(s) to use for this Syslog alert.

5. In the Trigger the alert drop-down list, select one of the following:
→ On changes: Tenable.ad sends out a notification whenever an event that you specified occurs.
→ On each deviance: Tenable.ad sends out a notification on each deviant IoE (Indicator of Exposure) detection.
→ On each attack: Tenable.ad sends out a notification on each deviant IoA (Indicator of Attack) detection.
Note: All three triggers are supported by the LCP.

6. Send alerts when deviances are detected during the initial analysis phase: do the following:
→ Unselect the checkbox. Tenable.ad then does not send out email notifications when a system reboot triggers alerts.

7. Severity threshold: click the arrow of the drop-down box to select the threshold at which Tenable.ad sends alerts.
→ Select "Low" so that alerts of every severity are forwarded.

8. Depending on the alert trigger you selected in Step 5:
→ Event changes: If you set alerts to trigger "on changes", type an expression to trigger the event notification. You can either click the icon to use the search wizard or type a query expression in the search box and click Validate.
→ Indicators of Exposure: If you set alerts to trigger "on each deviance", click the arrow next to each severity level to expand the list of Indicators of Exposure and select the ones for which to send alerts.
→ Indicators of Attack: If you set alerts to trigger "on each attack", click the arrow next to each severity level to expand the list of Indicators of Attack and select the ones for which to send alerts.

9. Click the Domains box to select the domains for which Tenable.ad sends out alerts.

10. Click Test the configuration.
→ A message confirms that Tenable.ad sent a Syslog alert to the server.

11. Click Add.
→ A message confirms that Tenable.ad created the Syslog alert.
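As an added example, not part of this guide and not Tenable's or Accenture's own code, the following Python script exercises the two things a practitioner checks around Step 10: that the LCP is reachable on the TCP port from Table 1-1 (601 by default), and that a syslog message framed the way a TCP syslog receiver expects (an RFC 5424 message with RFC 6587 octet-counted framing) arrives at the collector intact. This guide does not describe Tenable AD's actual alert payload, so the message body, the hostname "tenable-ad" and the app name "TenableAD" are constructed values, and the loopback listener stands in for the LCP so the script runs offline.

```python
import socket
import threading
from datetime import datetime, timezone


def build_syslog_message(hostname, app_name, msg, facility=1, severity=6):
    """Build an RFC 5424 syslog line. PRI = facility * 8 + severity, so the
    defaults (facility 1 = user, severity 6 = informational) give <14>."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # VERSION=1, then TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {msg}"


def frame_octet_count(message):
    """RFC 6587 octet-counting: '<byte length><space><message>'. TCP syslog
    receivers use this (or a trailing newline) to find message boundaries."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def parse_octet_counted(data):
    """Split a byte stream of octet-counted frames back into messages."""
    messages = []
    i = 0
    while i < len(data):
        space = data.index(b" ", i)
        length = int(data[i:space])
        start = space + 1
        if start + length > len(data):
            raise ValueError("truncated frame")
        messages.append(data[start:start + length].decode("utf-8"))
        i = start + length
    return messages


def check_tcp_reachable(host, port, timeout=3.0):
    """Port-requirement check: can this host open TCP <port> on the LCP?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_test_alert(host, port, message, timeout=5.0):
    """Send one framed syslog message over TCP, the way Step 10's test does."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame_octet_count(message))
    return True


def start_listener(bind_host="127.0.0.1", port=0):
    """Stand-in for the LCP: accept one TCP connection, read until EOF,
    and collect the parsed messages. port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))
    srv.listen(1)
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            received.extend(parse_octet_counted(b"".join(chunks)))
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, received


def loopback_check(msg_text="tenable-ad-test"):
    """End-to-end check against the local stand-in listener; returns the
    messages the listener decoded (expected: exactly one, ending in msg_text)."""
    port, thread, received = start_listener()
    message = build_syslog_message("tenable-ad", "TenableAD", msg_text)  # constructed values
    send_test_alert("127.0.0.1", port, message)
    thread.join(timeout=5.0)
    return received


if __name__ == "__main__":
    for line in loopback_check():
        print("listener decoded:", line)
```

Against a real LCP, run check_tcp_reachable(<LCP host>, 601) and send_test_alert(<LCP host>, 601, ...) from the Tenable AD host's network position, since a firewall between the two is the usual reason Step 10 fails while the same check passes from elsewhere. If the TLS option from Step 3 is selected, the plain TCP socket used here would have to be wrapped with the ssl module to match.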

LCP Configuration Parameters

Table 1-2: Tenable AD event collector (Syslog -3997) properties to be configured by Accenture.

Property                   Default Value
Protocol                   TCP
Host Names/IP Addresses    *
Signatures
Port Number                601

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.