SIEM Agent Deployment Guide
valb00 edited this page Mar 26, 2021 · 5 revisions
We currently assume Windows Admins prefer the Group Policy deployment option. Future supported deployment options include ServiceNow and JAMF.
- Admin sets up a SIEM (Azure Sentinel, ELK, QRadar or Splunk).
- They set up a ChainKit account through their Portal.
- From their secure portal, they get a private endpoint for downloading hardened configurations; this is used to glue SIEM and Agent policies together. They also get a clientKey, which is secret and only shown to the administrator.
- First, a Smoke Test / Tryout.
Smoke Test/Tryout
- Download the agent from https://download.chainkit.com/ or only from within the portal: https://customer-url-hardening.chainkit.com/download?key=clientId (we provide an MSI file or an EXE file; MSIs are preferred for group deployment).
- Install it with: msiexec /i "Setup-Chainkit-SIEM-20211201-598327853289057.msi" /quiet WRAPPED_ARGUMENTS="/SETUP_URL=http://customer-url-hardening.chainkit.com/download?key=clientId"
- A .NET service is created: Chainkit-SIEM-20211201-598327853289057
- Start/Stop: use EDR best practices.
Admin Deployment
- Set up a Group Policy that runs MSIExec. A sample guide for MSIExec is here: Deploy Lansweeper Agent
Mass deployment/update/patch process:
- Admin downloads the new Chainkit-SIEM-20220401-fabcde3522523532.msi
- Set up a Group Policy to stop the service.
- Run: msiexec /i "Setup-Chainkit-SIEM-20220401-fabcde3522523532.msi" /quiet WRAPPED_ARGUMENTS="/SETUP_URL=http://customer-url-hardening.chainkit.com/download?key=clientId"
- The MSI installs the new binaries, creates a new (versioned) service item and starts it.
- Admin uninstalls the old service agent.
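As an added example that is not part of this guide or of Chainkit's tooling, the PowerShell below runs the update steps above on a single host in order: it verifies the installer's Authenticode signature before running msiexec, checks that the new versioned service is running before removing the old one, and aborts without touching the old agent if the install fails. The service-name derivation (MSI name minus "Setup-"), the $OldMsi parameter and the uninstall via msiexec /x are assumptions.

```powershell
# Added example (not Chainkit's own tooling): one-host version of the
# mass-update procedure above, runnable from an admin shell or a Group
# Policy startup script. Assumes the service name equals the MSI file name
# without the "Setup-" prefix and ".msi" suffix, as the guide's names suggest.
param(
    [Parameter(Mandatory)] [string] $NewMsi,   # e.g. Setup-Chainkit-SIEM-20220401-fabcde3522523532.msi
    [string] $OldMsi,                           # previous installer, reused for the uninstall step (assumption)
    [string] $SetupUrl = 'http://customer-url-hardening.chainkit.com/download?key=clientId'
)
$ErrorActionPreference = 'Stop'

function Get-AgentServiceName([string] $MsiPath) {
    [IO.Path]::GetFileNameWithoutExtension($MsiPath) -replace '^Setup-', ''
}

# 1. Refuse to run an installer whose Authenticode signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $NewMsi
if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${NewMsi}: $($sig.Status)" }

# 2. Stop the running agent (the guide's "Setup Group Policy to Stop Service" step).
$oldName = if ($OldMsi) { Get-AgentServiceName $OldMsi }
if ($oldName -and (Get-Service -Name $oldName -ErrorAction SilentlyContinue)) {
    Stop-Service -Name $oldName -Force
}

# 3. Same msiexec line as the guide. Exit 0 = success, 3010 = success but reboot pending.
$msiArgs = @('/i', "`"$NewMsi`"", '/quiet', "WRAPPED_ARGUMENTS=`"/SETUP_URL=$SetupUrl`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec exited with $($proc.ExitCode); old agent left in place"
}

# 4. Confirm the new, versioned service item is running before touching the old one.
$newName = Get-AgentServiceName $NewMsi
$svc = Get-Service -Name $newName
if ($svc.Status -ne 'Running') {
    Start-Service -Name $newName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# 5. Only now remove the previous agent (assumption: its MSI is still on disk for msiexec /x).
if ($OldMsi -and (Test-Path $OldMsi)) {
    $un = Start-Process -FilePath msiexec.exe -ArgumentList @('/x', "`"$OldMsi`"", '/quiet') -Wait -PassThru
    if ($un.ExitCode -notin @(0, 3010)) { Write-Warning "Uninstall of $OldMsi returned $($un.ExitCode)" }
}
"$newName is $((Get-Service -Name $newName).Status)"
```

Run it elevated; the msiexec exit code 3010 means the install succeeded but a reboot is pending, which a Group Policy rollout should schedule rather than ignore.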
Copyright Chainkit 2021 | www.chainkit.com | info@chainkit.com | Twitter | LinkedIn | Facebook