Session 1: Logging Into Elastic & Managing Agents and Policies Walk Through
  • 03 Feb 2025



  1. Log in to Elastic using OneLogin

    1. Navigate to https://COMPANYNAME.onelogin.com/

      1. How to log in to Elastic Endpoint Security with OneLogin

    2. Select Elastic/Operations CTRL from the list of available shortcuts

      1. If Elastic isn’t available, select the COMPANYNAME:Everything tab to show all shortcuts

    3. Select “Expedient Client Login”

  2. Selecting a “Space”

    1. Spaces are shortcuts that take you to different pages in Elastic, and each space shows the rules and customizations that have been created for that space.

    2. Expedient’s default rules and alerts are all configured under the default space. Other spaces are shortcuts to a specific product.

    3. Select the default space to continue

  3. View reporting agents

    1. Select the three-line “hamburger” menu on the left-hand side and scroll to the bottom of the menu. Select Fleet under the Management heading.

      1. This shows all agents reporting to Elastic along with their policy. Agents are the Elastic application installed on each endpoint that supports Elastic. There should be one agent for each server monitored by Elastic. There will be two additional agents: one named COMPANYNAME-Mon01, which is the heartbeat server, and one named with a randomly generated 12-character hex string, which is the Elastic deployment itself.

      2. Policies determine what data each agent collects. Expedient CTRL indicates the agent is collecting data for the Expedient CTRL monitoring product, Expedient SIEM indicates the agent is collecting SIEM data, and Endpoint indicates the endpoint anti-virus is activated. Endpoint Protect indicates the AV is actively blocking threats; Endpoint Detect indicates the AV is only detecting, which is useful when first implementing AV so that it does not block needed applications.

      3. Data Streams shows all data being collected and the storage it requires.

      4. Palo Alto data ingested via the heartbeat server is shown here.

      5. The heartbeat VM is a Unix VM managed by Expedient that runs pings against servers in the environment. It is also used to ingest data from any sources that do not support a native Elastic agent, such as Palo Alto firewalls, which forward syslog data to the heartbeat VM.

    2. Adding agents

      1. It is possible to add agents from this page; however, it is strongly recommended to add any new servers using the workflows in the Morpheus platform, because that automation includes additional steps that would otherwise have to be performed manually. This is normally done by Expedient’s delivery team as part of the delivery process.

    3. Agent Status

      1. Shows whether agents are healthy or not

      2. If agents are not reporting properly, please create a ticket with the Expedient OSC for additional troubleshooting

    4. Agent version

      1. An agent being on an older version does not have any impact

      2. Agent updates can be pushed at any time, as there is no downtime and no restart required
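The agent inventory check described above (one agent per monitored server, plus the COMPANYNAME-Mon01 heartbeat agent and the 12-character hex deployment agent, with unhealthy agents needing a ticket) can be scripted against the JSON that Kibana’s Fleet agents API returns. The following is an added example, not code from the article or from Elastic; the response field names (`status`, `policy_id`, `agent.version`, `local_metadata.host.hostname`) and the readable policy IDs in the sample are assumptions, and the sample data is constructed.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of a GET /api/fleet/agents response.
# Field names and policy IDs are assumptions, not taken from the article.
SAMPLE_FLEET_RESPONSE = json.dumps({"items": [
    {"id": "a1", "status": "online", "policy_id": "expedient-ctrl",
     "agent": {"version": "8.12.0"},
     "local_metadata": {"host": {"hostname": "app01"}}},
    {"id": "a2", "status": "offline", "policy_id": "endpoint-protect",
     "agent": {"version": "8.10.4"},
     "local_metadata": {"host": {"hostname": "db01"}}},
    {"id": "a3", "status": "online", "policy_id": "expedient-ctrl",
     "agent": {"version": "8.12.0"},
     "local_metadata": {"host": {"hostname": "db01"}}},   # duplicate
    {"id": "a4", "status": "online", "policy_id": "expedient-siem",
     "agent": {"version": "8.12.0"},
     "local_metadata": {"host": {"hostname": "COMPANYNAME-Mon01"}}},
    {"id": "a5", "status": "online", "policy_id": "fleet-server",
     "agent": {"version": "8.12.0"},
     "local_metadata": {"host": {"hostname": "3f9a2c7e1b04"}}},
], "total": 5})

HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")

def classify(hostname):
    """Separate the two infrastructure agents from ordinary server agents."""
    if hostname.endswith("-Mon01"):
        return "heartbeat"          # Expedient-managed heartbeat VM
    if HEX12.match(hostname):
        return "deployment"         # the Elastic deployment's own agent
    return "server"

def summarize_agents(fleet_json):
    """Group agents by policy, flag non-online agents and duplicate hosts."""
    items = json.loads(fleet_json)["items"]
    seen = Counter()
    summary = {"by_policy": Counter(), "unhealthy": [], "infra": {},
               "servers": 0, "duplicates": []}
    for a in items:
        host = a["local_metadata"]["host"]["hostname"]
        role = classify(host)
        summary["by_policy"][a["policy_id"]] += 1
        if a["status"] != "online":     # anything else warrants an OSC ticket
            summary["unhealthy"].append((host, a["status"], a["agent"]["version"]))
        if role == "server":
            summary["servers"] += 1
            seen[host] += 1
        else:
            summary["infra"][role] = host
    summary["duplicates"] = sorted(h for h, n in seen.items() if n > 1)
    return summary
```

Run `summarize_agents(SAMPLE_FLEET_RESPONSE)` to see the offline agent and the duplicated db01 host flagged; against a live deployment the same function takes the API response body.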

