Discovery Command Audit Logs - "mid.log.command.audit.enable"
- Until now, the only resource on the instance for tracking the commands that Discovery runs on target/remote servers was ecc_queue, and it does not provide detailed information about the commands being executed.
- From the Quebec release, the MID Server can log the PowerShell (WinRM and WMI) and SSH commands that Discovery executes on the target.
- Only command execution information for PowerShell and SSH during Discovery is captured at the MID; other features such as Orchestration are not covered as of now.
- Customers need the role "agent_security_admin" assigned to them to access this feature.
- To activate it, set the property "mid.log.command.audit.enable" to "true" in the "ecc_agent_property" table.
- Once enabled, the command information is captured in the table "ecc_agent_command_audit_log".
- This feature allows you:
  - To identify the list of all PowerShell and SSH commands executed during Discovery.
  - To track changes in commands between one Discovery run and the next, using the hash key that is calculated for each command.
- The "Execution Status" only indicates whether the MID Server was able to run the command; it does not reflect whether the command returned any result. For example, if the MID Server runs a command on the target and the result is null, the execution status is still successful because the MID was able to run the command.
- Activating this feature has performance implications, since it generates a lot of communication between the MID and the instance. It is therefore disabled by default and can be enabled as required.
- Enabling it may make Discovery runs slightly longer.
- This is not supported with domain separation in Quebec; support will be considered for upcoming releases.
- Data is not populated on the instance as soon as Discovery runs; expect a slight delay between the probe/pattern run and the audit capture.
- Duplicate data may appear in the table in the event of network issues: if the audit log does not receive an acknowledgement for the data it sent, it resends the data even if it is already present.