
Phase 8. Configure HaloENGINE Features

For any type of licensed system, the first step is to enable the monitor.

Prerequisite: Verify that the HaloENGINE license is active. Refer to the section "Phase 3. Activate License (First time)".

  1. On the left navigation bar, click Customer Configuration, and then from the Customers list, select one of them.

  2. On the HaloENGINE Features tab, click Configure. The HaloENGINE Features page will appear as shown in the figure below:

    Enable Monitor

  3. Enabling the Monitor is the first step.

  4. Click on the slider button to enable Monitor and then click Apply Configuration.

    Results:

    1. You will receive a confirmation message after changing the default configuration.

    2. Click Reload Configuration to make the changes take effect.

Enable Classification/Action Engine

Follow the below steps to enable the classification engine:

  1. Click on the slider button to enable/disable Classification/Action Engine.  

  2. The Choose locales button will be enabled automatically.

  3. Click Choose locales. The Choose Locale page will appear as shown in the figure below:

    Locales

  4. Search and select one or more texts for translation. For example, en_US.

  5. Click Apply.

    Results:

    1. The chosen texts for translation are added to the list.

    2. You can either press Apply Configuration now and then reload configuration to let the changes take effect, or you can configure further settings and then press Apply Configuration.

Enable Excel Conversion

Note: If you only have a license for the Block and Monitor feature, the following options will be disabled.

Follow the below steps to configure an Excel file download:

  1. Transform .tsv with xls/xlsx extension − To transform tab-separated text files (.tsv) that are named with an .xls/.xlsx extension into proper .xls/.xlsx files, click on the slider button.

  2. Automatically transform tab-separated content to xlsx − To transform tab-separated text files (.tsv) to XLSX automatically, independent of their extension, click on the slider button.

  3. Use .txt on xls/xlsx transformation failure − If the conversion of the .tsv/.txt file to a native XLS/XLSX file fails, the exported file will be labeled as .txt.

  4. When you complete the HaloENGINE configuration, click Apply Configuration.

  5. What to do next: Click Reload Configuration for the changes to take effect. The page will be redirected to the login page once the reload completes.

Dependencies among features

  1. It is possible to enable other HaloENGINE features only if Monitor is enabled.

  2. Similarly, the “Automatically transform tab-separated content to xlsx”, “Transform .tsv with xls/xlsx extension” and “Use .txt on xls/xlsx transformation failure” options can be enabled only if Classification/Action Engine is enabled.

  3. Activating the “Automatically transform tab-separated content to xlsx” option or the “Use .txt on xls/xlsx transformation failure” option automatically activates the “Transform .tsv with xls/xlsx extension” option.

  4. Deactivating the “Transform .tsv with xls/xlsx extension” option automatically deactivates the “Automatically transform tab-separated content to xlsx” and “Use .txt on xls/xlsx transformation failure” options.

  5. The “Transform .tsv with xls/xlsx extension” option can also be activated on its own.

Monitor Configuration

Prerequisite: As mentioned in the section above, ensure that Monitor is enabled.

Note: SAP Monitoring and Sentinel Log options are only applicable to SAP system types. This means that if you are licensed for other system types, these two options will be disabled.

Follow the below steps to configure the Monitor:

  1. On the HaloENGINE Features page, click Monitor Properties.

  2. The Monitor Configuration page will appear as shown in the figure below:

    Monitor Configuration

  3. You need to configure Monitor, Syslog, DSI Monitoring, SAP Monitoring, and Sentinel Log one by one, by referring to the following sections.

Monitor Properties

Follow the below steps to configure the monitor properties:

  1. On the Monitor tab, click Configure and then enter the following details on the Monitor Properties page as shown in the figure below:

    Monitor Log Configuration

  2. Enable Monitor Local Log − Choose Yes/No to enable/disable the local monitor log. If enabled, the default path for Single Customer is C:\Program Files\Secude\HaloENGINE\logs\customer_tenants\halo_customer. For Multi-Customer, the path varies based on the customer IDs. For example: C:\Program Files\Secude\HaloENGINE\logs\customer_tenants\DELBONT INDUSTRIES.

  3. Monitor Log Format − Choose one of the following monitor log formats (CEF/LEEF/JSON). Please note that the log format cannot be changed once Halochain is configured; the field is disabled once you enable Halochain.

  4. Enable Halochain − Choose Yes/No to enable/disable the Halochain feature. If enabled, the default Halochain certificate path for Single Customer is C:\Program Files\Secude\HaloENGINE\config\customer_tenants\halo_customer. For Multi-Customer, the path varies based on the customer IDs. For example: C:\Program Files\Secude\HaloENGINE\config\customer_tenants\DELBONT INDUSTRIES.

  5. Halochain Certificate Password − Enter a password for Halochain and click Generate Halochain Certificate. You will receive a confirmation message on creating a certificate.

  6. Click Apply.

    Results: You will receive a confirmation message after successfully updating the properties.

Syslog Properties

Syslog Requirements

Please make sure that the following requirements are met:

  1. UDP/TCP enabled.

  2. The firewall accepts UDP/TCP packets on the configured port.

  3. To forward audit logs to SPLUNK/RSA, you need to configure the audit Syslog accordingly.

Follow the below steps to configure the Syslog properties:

  1. On the Syslog tab, click Configure and then enter the following details on the Syslog Properties page as shown in the figure below:

    Syslog Properties

  2. Enable Syslog Monitoring − Choose Yes/No to enable/disable Syslog.

  3. IP Address/FQDN − If enabled, enter the IP address/FQDN.

  4. System Log Port − Enter the system log port number. The default port is 514.

  5. System Log Protocol − Enter the system log protocol (UDP/TCP). The default protocol is UDP.

  6. Syslog Facility − Enter the Syslog facility (KERN/USER/SYSLOG/AUDIT). The default facility is SYSLOG.

  7. Click Apply.

    Results: You will receive a confirmation message after successfully updating the properties.
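
An added check for the collector side of the Syslog settings above (example code, not part of the HaloENGINE product or its documentation): it decodes the syslog PRI field to confirm the configured facility and identifies whether the payload is CEF, LEEF or JSON. It assumes the forwarded message carries the configured Monitor Log Format; the sample messages, the vendor/product strings and the unprivileged test port 5514 are constructed for illustration.

```python
import json
import re
import socket

# RFC 5424 facility codes for the four options on the Syslog Properties page.
FACILITIES = {0: "KERN", 1: "USER", 5: "SYSLOG", 13: "AUDIT"}
# Minimum number of "|"-separated parts in a CEF / LEEF header line.
HEADER_PARTS = {"CEF": 8, "LEEF": 6}

def decode_pri(message):
    """Return (facility name, severity) from the leading <PRI> field."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid syslog PRI")
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES.get(facility, "OTHER(%d)" % facility), severity

def detect_format(message):
    """Classify the payload as CEF, LEEF, JSON or UNKNOWN."""
    for name, parts in HEADER_PARTS.items():
        start = message.find(name + ":")
        if start != -1 and len(message[start:].split("|")) >= parts:
            return name
    try:
        json.loads(message[message.index("{"):])
        return "JSON"
    except ValueError:  # no "{" found, or the remainder is not valid JSON
        return "UNKNOWN"

def check_message(message, facility="SYSLOG", log_format="CEF"):
    """List mismatches between a received message and the configured values."""
    got = {"facility": decode_pri(message)[0], "format": detect_format(message)}
    want = {"facility": facility, "format": log_format}
    return ["%s %s, expected %s" % (k, got[k], want[k]) for k in got if got[k] != want[k]]

def receive_one(port=5514, timeout=30.0, **expected):
    """Wait for one UDP datagram on the collector host and check it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        data, _ = sock.recvfrom(65535)
    return check_message(data.decode("utf-8", "replace"), **expected)

# Constructed sample datagrams (not real HaloENGINE output).
SAMPLE_CEF = "<46>Jan 12 10:15:02 host1 CEF:0|ExampleVendor|ExampleProduct|1.0|100|download|3|act=block"
SAMPLE_JSON = '<14>Jan 12 10:15:03 host1 {"action": "download"}'
```

Run `receive_one()` on the collector host with the System Log Port temporarily set to the test port; a timeout points to the protocol or firewall requirements listed above, while a non-empty result lists the facility or format mismatch.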

DSI Monitoring

Follow the below steps to configure the DSI monitoring properties:

  1. On the DSI Monitoring tab, click Configure and then enter the following details on the Monitor DSI Log Configurations as shown in the figure below:

    DSI Monitoring

  2. Enable DSI Monitor Log − Choose Yes/No to enable/disable the DSI Monitor log.

  3. Retention Period (Days) − Specify how long the logs should be available.

  4. Forwarded DSI logs from SAP are stored in the HaloENGINE_DSI.log file.

  5. Click Apply.

    Results: You will receive a confirmation message after successfully updating the properties.

SAP Monitoring

SAP Monitoring applies to SAP system types and allows you to configure monitor features.

SAPJCo Configuration

SAPJCo is the component that connects HaloENGINE with your SAP instance.

  1. Select the SAP Monitoring tab to install or update SAPJCo.

    SAPJCo configuration page

  2. To Install: Click on the slider button and enter the file path of SAP JCo files.

  3. To update: Disable the slider button and then enable it. Now, specify the new file path.

  4. Click Install & Apply.

    Results: You will receive a confirmation message after successfully updating the properties.

SAP HaloENGINE Monitor Log

Follow the below steps to configure the SAP monitoring properties:

  1. Click the SAP Monitoring tab and enter the following details on the SAP HaloENGINE Monitor Log page, as shown in the figure below:

    SAP Monitoring

  2. Enable Monitoring to SAP HaloENGINE Display Download Log − Choose Yes/No to enable/disable SAP HaloENGINE Monitor Log.

  3. SAP Application Server (IP Address / FQDN) − Enter the SAP application server name. For example, 10.91.0.115 or SLUV0001.secude-sap.com

  4. SAP Instance Number − Enter the SAP instance number. The default number is 00.

  5. SAP Client − Enter the SAP client. The default client is 800.

  6. SAP Language − Enter the SAP language. The default language is EN.

  7. SAP Connection Pool Capacity − Enter the SAP pool capacity. The default capacity is 10.

  8. SAP User Peak Limit − Enter the SAP user peak limit. The default limit is 50. 

  9. Enable SNC mode − If SNC is disabled, you need to specify the SAP User password and confirm it. If SNC is enabled, you need to specify the following details:

  10. Enter SNC Initiator Name (SNC_MYNAME). Based on the certificate details, your default name will be populated automatically. For example, p:CN=HCCS, O=SECUDE, C=CH

  11. Enter Communication Partner (SNC_PARTNERNAME). For example, p:CN=SAP, O=SECUDE, C=CH 

  12. Enter External Security Library Path (SNC_LIB). Please note that the environment variable must be set manually. For more details, please refer to the section "Appendix 1 - SNC Configuration (Step 4)".

  13. Choose any one of the Quality of Protection Level (SNC_QOP) settings. (1 - Authentication only, 2 - Integrity protection, 3 - Privacy protection, 8 - Protection (default), 9 - Maximum protection) 

  14. Click Apply.

    Results: You will receive a confirmation message after successfully updating the properties.

Sentinel Log

Prerequisite: Microsoft Sentinel must be configured. Please refer to the section “Forwarding Logs to Microsoft Sentinel”.

Follow the below steps to configure the Sentinel log properties:

  1. Click the Sentinel Log tab and enter the following details in the Sentinel Log dialog as shown in the figure below: 

    Sentinel Log

  2. Enable Sentinel Log − Choose Yes/No to enable/disable Sentinel Log.

  3. Sentinel Workspace ID − Enter the Workspace ID of your Microsoft Entra ID. For example, 395ar44h-h8u3-1kl2-c7n1-21xc6pdlmn86.

  4. Shared Key − Enter the Primary Key of your Workspace ID. For example, /mjnjgjbKIUTv5M/FJDBFDmdfnidfidi8ujsasusd09uu=ndhdihdkij.

  5. Click Apply.

    Results: You will receive a confirmation message after successfully updating the properties.  

What to do next
Test the log after configuration.
Prerequisites:

  1. Make sure that the HaloENGINE admin portal is restarted after configuring Sentinel properties.

  2. Make sure that actions like uploading and downloading take place after the admin portal has been configured so that a sufficient number of logs can be obtained and forwarded.

Follow the steps to obtain logs in Microsoft Sentinel.

  1. Log in to the Microsoft Azure portal.

  2. On the search bar, type Microsoft Sentinel. As you start typing, the list filters according to your input.

  3. Select Microsoft Sentinel from the search results.

  4. The Microsoft Sentinel page will appear. Here, you need to click Create from the top of the page.

  5. The page displays available workspaces.

  6. Select your workspace.

  7. Navigate to General > Logs. Forwarded logs will be stored in the HALOCORE_CL table.

  8. Type HALOCORE_CL in the right-side query panel. As you start typing, the list filters based on your input.

  9. Select the table HALOCORE_CL and choose the appropriate query to fetch the logs. For example: where action_s contains ""

  10. Run it to get the results.

  11. Based on the query applied, logs will be retrieved.
