How-To: Export your RADIUS Logs to Huntress

EZRADIUS enables your security team to monitor critical user actions by pushing the information to your SIEM. On this page, we show you how to connect your RADIUS logs to Huntress.

Prerequisites

How To Export Your Cloud RADIUS Audit Logs To Huntress

How To Enable Log Export in EZRADIUS Portal

  1. Go to your EZRADIUS Portal.

  2. Click on Settings.

    EZRADIUS Cloud RADIUS portal Radius Authentication Overview dashboard with Settings option highlighted in navigation

  3. Scroll down to SIEM Settings and enable the Send Audit Logs to SIEM option.

    EZRADIUS Cloud RADIUS SIEM Settings panel with Send Audit Logs to SIEM checkbox highlighted in red

How To Configure the Huntress Exporter in the Huntress Portal

  1. In another tab, go to your Huntress instance.

  2. Click on the SIEM menu. Then, click Source Management.

    Huntress Source Management

  3. Click Add Source. Then, click Generic HEC (HTTP Event Collector).

    Huntress Source Management HTTP Event Collector

  4. Click + Add to add a new HEC.

    Huntress Configure Generic HEC Add HEC

  5. Add an Organization, Name, and optional Description. Then, click Save.

    Huntress Configure Generic HEC

  6. After the HEC is created, copy the HTTP Event Collector URL and the HTTP Event Collector Token.

    Huntress Generic HEC Details

How To Configure the Huntress SIEM in EZRADIUS Portal

  1. Now go back to the EZRADIUS Portal.

  2. Select Huntress as the SIEM Provider.

    EZRADIUS Cloud RADIUS SIEM Settings with Huntress selected and Event Collector URL and Token fields displayed

  3. Input the values that you copied from the Huntress portal. Then, click Test Connection. This will create a test log in your Huntress SIEM (please allow a few minutes for the log to show up in the Huntress portal).

    EZRADIUS Cloud RADIUS SIEM Settings showing Huntress Event Collector URL and Token filled in with Test Connection button

  4. If the connection test is successful, click Save changes.

    EZRADIUS Cloud RADIUS Settings page with Save Changes button highlighted to confirm Huntress SIEM configuration

  5. Done! EZRADIUS will now send your security alerts to your SIEM. If an error occurs, it will email your subscription administrators.

How To Create Alerts in Huntress to Monitor Your Cloud RADIUS Activity

Using a SIEM enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for any high criticality event and closely monitoring medium and low events. Below are sample queries for the Administrator events.

from logs | where generic_hec.EventType == "EZRadiusAdministrator" and generic_hec.Action == "SubscriptionUpdated"
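
The same alert-versus-review split can be applied to exported events outside the SIEM. The following Python is an added example, not EZRADIUS or Huntress code. It assumes a JSON-lines export carrying the generic_hec.EventType and generic_hec.Action fields used in the query above; the criticality ratings and the "Example..." action names are placeholders chosen for illustration.

```python
import json
from collections import Counter

# Assumption: criticality per (EventType, Action). Only the first pair appears
# on this page; the ratings and the "Example..." action names are placeholders.
CRITICALITY = {
    ("EZRadiusAdministrator", "SubscriptionUpdated"): "high",
    ("EZRadiusAdministrator", "ExampleLowAction"): "low",
}

# Constructed sample export, one JSON object per line (assumed layout).
SAMPLE_LINES = [
    '{"generic_hec": {"EventType": "EZRadiusAdministrator", "Action": "SubscriptionUpdated"}}',
    '{"generic_hec": {"EventType": "EZRadiusAdministrator", "Action": "ExampleLowAction"}}',
    '{"generic_hec": {"EventType": "EZRadiusAdministrator", "Action": "ExampleLowAction"}}',
    '{"generic_hec": {"EventType": "EZRadiusAdministrator", "Action": "ExampleUnmappedAction"}}',
    '{"generic_hec": {"EventType": "EZRadiusAdministrator"}}',
    'not json',
]


def triage(lines, criticality=CRITICALITY):
    """Split events into immediate alerts and a review digest.

    Returns (alerts, review, malformed): alerts is a list of (EventType, Action)
    rated high; review counts every other event by (level, EventType, Action);
    malformed counts lines that could not be parsed.
    """
    alerts, review, malformed = [], Counter(), 0
    for line in lines:
        try:
            hec = json.loads(line)["generic_hec"]
            key = (hec["EventType"], hec.get("Action", "<missing>"))
        except (ValueError, KeyError, TypeError, AttributeError):
            malformed += 1
            continue
        # Unmapped events are kept as "unclassified" rather than dropped, so a
        # new action type shows up in review instead of disappearing.
        level = criticality.get(key, "unclassified")
        if level == "high":
            alerts.append(key)
        else:
            review[(level, *key)] += 1
    return alerts, review, malformed


if __name__ == "__main__":
    alerts, review, malformed = triage(SAMPLE_LINES)
    print("ALERT:", alerts)
    print("REVIEW:", dict(review))
    print("MALFORMED LINES:", malformed)
```

A non-zero malformed count or a growing "unclassified" bucket is itself worth reviewing, since it means events are arriving that no rule covers.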