Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
253
Views
0
Helpful
2
Replies

CSA Registration Alert

RichardSW
Level 1
Level 1

‎07-20-2006 08:37 AM - edited ‎03-09-2019 03:39 PM

What I would like to do:

- Whenever an Agent Kit is installed, I get an email.

How I tried accomplishing this:

I built an Agent Kit that puts the Host into a default Group all by itself. This is just a temporary group - I then move the Host into its proper group. I created a module<->policy and added one network access control rule. This rule will trigger an event every time any file in the CSAagent\bin directory connects back to the IP address of my CSA server. Then, I created an EventSet that references this module, and an Alert that uses the EventSet.

Didn't work.

I changed the rule so it would trigger on All Applications, thinking maybe the CSA Agent used a file located elsewhere. Still didn't work as expected, but I was able to trigger it by using Internet Explorer and telnet to that IP.

Only thing I can think of is that the CSA Agent may have builtin exemptions so no matter what the rule, it will never trigger an event based on its own activity. Is this correct?

Does anyone else have any ideas how I can work out a rule so new agent installs will send me an email? My next test was to create a rule that triggers on the NT Event Log ID for a bootup.

Labels:
0 Helpful
2 Replies 2

netjim_66
Level 1
Level 1

‎07-21-2006 03:46 AM

Hmm... I'd have to play around with that one but right off the top of my head I thought of this:

The agent kit you created has a specific name, like AGENT KIT.exe or something.

Create an App Class and identify the AGENT KIT.exe.

Then create a rule that specifically allows that file to run on a client and have it logged.

Then in your alert identify Application Control, ALLOW action and identify the group, etc.

Then make sure the agent kit you are sending to these clients is the most updated with all of the above built in, otherwise the agent kit will fire off and not ever by logged because the rule is not yet on the client.

Make sense?

0 Helpful

RichardSW
Level 1
Level 1
In response to netjim_66

‎07-21-2006 04:13 AM

Would never work for new installs. There is no CSA service running to see that the CSA Kit is being installed. ;)

0 Helpful
Customers Also Viewed These Support Documents