Integrating PAM360 with Microsoft Sentinel
PAM360, a unified Privileged Access Management product from ManageEngine, integrates with Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution by Microsoft. This is in addition to the already available integrations with third-party SIEM solutions such as Splunk, ManageEngine EventLog Analyzer, and Sumo Logic.
By the end of this document, you will have learned about the following:
- Key Benefits of Integration
- Configuring a PAM360 workspace in Microsoft Sentinel
- Enabling Microsoft Sentinel integration in PAM360
- Viewing PAM360 logs in Microsoft Sentinel
- Troubleshooting Tips
1. Key Benefits of Integration
PAM360's extensive auditing capabilities include gathering and processing audit logs for resources, passwords, and users in real time. The product allows you to tailor notifications for specific events from the Audit tab.
Through the PAM360-Microsoft Sentinel integration, PAM360 sends detailed logs to the SIEM tool as syslogs, enabling you to view PAM360 audit trails from the Microsoft Sentinel interface. Apart from the above-mentioned SIEM tools, you can set up any other log management tool to collect audit logs. It is possible to configure multiple log management tools concurrently.
2. Configuring a PAM360 Workspace in Microsoft Sentinel
Prerequisites
- Ensure that the PAM360 server has internet access to send syslogs to Microsoft Sentinel.
- This integration requires a workspace in Microsoft Sentinel. If you don't have one already, create a new workspace for PAM360. Refer to this document for instructions on how to create a new workspace.
- Log in to the Microsoft Azure Portal. Under Azure Services, click Microsoft Sentinel.
- Open the newly created workspace. In the left pane, under Configuration, click Data Connectors.
- A list of data connectors will be displayed on the right. Enter "syslog" in the search bar on the right. Click the Syslog connector, then click Open connector page to open it.
- The Syslog configuration page will open. Here, under Configuration, you will find two steps. Under step 2, Configure the logs to be collected, click the link Open your workspace agents configuration.
- In the Legacy agents management page, a list of permission levels is shown under Facility. Add the facility for Syslog, select all the checkboxes to grant permissions, and click Apply.
- Go back to the Syslog configuration page. Under step 1, click the link Download & install agent for non-Azure Linux machines. You will be redirected to the Agents management page where you can find the Workspace ID and the Primary & Secondary keys under the Log Analytics agent instructions menu.
- Copy and save the Workspace ID and the keys in a safe location as they are necessary to complete the integration in PAM360.
Notes:
- The PAM360 - Microsoft Sentinel integration does not require any Azure agents, so you do not need to download one from the Agents management page.
- You can also obtain the Workspace ID and the Primary/Secondary key by navigating to Settings >> Agents management. Here, expand the Log Analytics agent instructions menu to view the required information.
You have successfully configured a workspace for PAM360 in the Microsoft Sentinel portal.
3. Enabling Microsoft Sentinel Integration in PAM360
Follow the steps below to complete the Microsoft Sentinel configuration in PAM360.
- In the PAM360 interface, navigate to Admin >> Integrations >> SIEM Integrations.
- Under Microsoft Sentinel, click Enable. In the dialog box that appears, enter the Workspace ID copied from the Microsoft Sentinel portal.
- In the Shared Key field, enter either the Primary or the Secondary key taken from the Microsoft Sentinel portal and click Enable.
- Click Enable again in the confirmation dialog box.
The integration process is now complete. All audit trails that are captured in PAM360 will be transferred to the Microsoft Sentinel portal.
4. Viewing PAM360 Logs in Microsoft Sentinel
To view the PAM360 logs in Microsoft Sentinel, go to the Microsoft Sentinel portal.
- In the left pane, navigate to General >> Logs.
- Expand the Custom Logs menu and verify that a custom log named PAM360_CL has been created for PAM360.
- Double-click the custom log; its name appears as the query in the query editor on the right. Add a semicolon to complete the custom log query: PAM360_CL;
- You can choose the required time range and click the Run option from the top.
- Now, all logs captured from PAM360 in the selected time range will appear below.
- If required, use the Export option to export the logs in the CSV format.
5. Troubleshooting Tips
After configuring the integration, if you are still unable to view the PAM360 logs in the Microsoft Sentinel portal, try the following steps:
- Ensure there is internet connectivity in the machine where the PAM360 server resides.
- If you used the Primary key while configuring the integration, edit the configuration details, enter the Secondary key in the Shared Key field, and save the changes. If both keys fail to work, use the Regenerate option to generate fresh keys and configure the integration again. Refer to section 2 for the location of the keys.
- Check that syslog permissions are enabled under Legacy agents management >> Facility. Refer to section 2 for reference.
- Check if the Generate Syslog option is enabled in the PAM360 interface under Configure Audit.
- Ensure that you do not delete the custom fields that are auto-generated in the Sentinel portal under Settings >> Custom Logs after the integration is enabled in PAM360. If you have deleted the custom fields, reconfigure the integration with a new workspace to view the logs.
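The Workspace ID and Primary/Secondary key pair that section 3 asks you to enter, and that the second troubleshooting step asks you to swap or regenerate, is the credential pair used by the Azure Log Analytics HTTP Data Collector API, which is how a workspace receives custom-log tables ending in _CL. The script below is an added example written for this page; it is not PAM360's own code, and it assumes (rather than knows) that PAM360 sends its records through that API. It builds the SharedKey (HMAC-SHA256) Authorization header the API documents and can post one constructed test record to a Log-Type of PAM360, so you can confirm that a given ID/key pair is accepted (HTTP 200) or rejected (typically 403 for a bad key) before looking elsewhere in the troubleshooting list. The workspace ID and key in the block are placeholders, and the `sender` hook exists so the request can be inspected without any network access.

```python
"""Check a Log Analytics Workspace ID / shared key pair by signing and
(optionally) sending one test record via the HTTP Data Collector API.
Added example for this page; not part of PAM360 or Microsoft's SDKs."""
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.error
import urllib.request

API_VERSION = "2016-04-01"
CONTENT_TYPE = "application/json"

# Placeholders, not real credentials: replace via environment variables below.
EXAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
EXAMPLE_SHARED_KEY = base64.b64encode(b"x" * 32).decode()   # constructed key


def build_authorization(workspace_id: str, shared_key: str, rfc1123_date: str,
                        content_length: int, method: str = "POST",
                        resource: str = "/api/logs") -> str:
    """Return the value of the Authorization header: 'SharedKey <id>:<sig>'.

    The string to sign is the one the Data Collector API specifies:
    METHOD, Content-Length, Content-Type, x-ms-date:<date>, resource path,
    each on its own line. The portal's key is base64 and must be decoded
    before it is used as the HMAC key.
    """
    string_to_sign = (f"{method}\n{content_length}\n{CONTENT_TYPE}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    decoded_key = base64.b64decode(shared_key)
    digest = hmac.new(decoded_key, string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, records, rfc1123_date=None):
    """Return (url, headers, body) for a signed POST of `records` (a list of dicts)."""
    if rfc1123_date is None:
        rfc1123_date = datetime.datetime.now(datetime.timezone.utc).strftime(
            "%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_authorization(workspace_id, shared_key,
                                             rfc1123_date, len(body)),
        "Log-Type": log_type,   # records land in the table <Log-Type>_CL
        "x-ms-date": rfc1123_date,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"/api/logs?api-version={API_VERSION}")
    return url, headers, body


def _http_post(url, headers, body):
    """Default sender: real HTTPS POST, returning the HTTP status code."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def send_test_record(workspace_id, shared_key, log_type="PAM360", sender=None):
    """Send one constructed record; return the status (200 means accepted,
    403 usually means the workspace ID / key pair was rejected)."""
    record = [{"Source": "key-check", "Message": "constructed test record"}]
    url, headers, body = build_request(workspace_id, shared_key, log_type, record)
    return (sender or _http_post)(url, headers, body)


if __name__ == "__main__":
    wid = os.environ.get("LA_WORKSPACE_ID", EXAMPLE_WORKSPACE_ID)
    key = os.environ.get("LA_SHARED_KEY", EXAMPLE_SHARED_KEY)
    if wid == EXAMPLE_WORKSPACE_ID:
        # Dry run with placeholders: show the signed request, send nothing.
        url, headers, body = build_request(wid, key, "PAM360", [{"Message": "dry run"}])
        print(url)
        print(json.dumps(headers, indent=2))
    else:
        print("HTTP status:", send_test_record(wid, key))
```

Run it with `LA_WORKSPACE_ID` and `LA_SHARED_KEY` set to the values copied from the Agents management page; a 200 confirms the pair is valid, after which a `PAM360_CL` query in Logs should show the test record within a few minutes. Note that `x-ms-date` must match the date used in the signature, and that a key regenerated in the portal invalidates signatures made with the old one, which is why regenerating keys requires reconfiguring the integration in PAM360.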