Activate Windows Event Collector on Windows Core - Learn more about activating the Windrows Event Collector on Windows Core OS to connect with the Broker VM. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Select Settings → Configurations → Data Broker → Broker VMs.

Do one of the following:

In the Activate Windows Event Collector window, define the Collected Events to configure the events collected by the applet. This lists event sources from which you want to collect events.

Click Activate. After a successful activation, the APPS field displays WEC with a green dot indicating a successful connection.

In the APPS column, left-click the WEC connection to display the Windows Event Collector settings, and select Configure.

In the Windows Event Forwarder Configuration window, perform the following tasks.:

1. In the Subscription Manager URL field, click (copy) . This will be used when you configure the subscription manager in the GPO (Global Policy Object) on your domain controller.

2. Enter a password in the Define Client Certificate Export Password field to be used to secure the downloaded WEF certificate that establishes the connection between your DC/WEF and the WEC. You will need this password when the certificate is imported to the events forwarder.

3. Download the WEF certificate in a PFX format to your local machine.

   To view your Windows Event Forwarding configuration details at any time, select your Broker VM, right-click and navigate to Windows Event Collector → Configure.

Cortex XDR monitors the certificate and triggers a Certificate Expiration notification 30 days prior to the expiration date. The notification is sent daily specifying the number of days left on the certificate, or if the certificate has already expired.

Start PowerShell with elevated privileges.

1. Run PowerShell with the following command:

   PowerShell

2. From inside a PowerShell command run the following command:

   Start-Process -Verb RunAs PowerShell

Copy the PFX file that you downloaded to the local Core machine in one of the following ways:

Import the PFX file from PowerShell.

Use the following command to import the PFX file:

certutil -f -importpfx '<path to PFX file from Destination>'

certutil -f -importpfx '.\forwarder.wec.paloaltonetworks.com.pfx'

You will need to enter the Client Certificate Export Password you defined in the Cortex XDR console.

When the import is complete, the following message is displayed:

CertUtil: -importPFX command completed successfully. 

Verify that the certificates are in the correct locations.

Manage the private key of the forwarder.wec.paloaltonetworks.com.pfx certificate.

This entails applying permissions for the NETWORK SERVICE user.

1. Retrieve the Thumbprint of the forwarder.wec.paloaltonetworks.com.pfx certificate by running the following script:

   $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
   $store.Open("ReadWrite")
   echo $store.Certificates

   After the script runs, copy the relevant thumbprint.

2. Grant NT AUTHORITY\NETWORK SERVICE with read permissions by running the following script with the $thumbprint set to the value you copied in the previous step by replacing <Thumbprint retrieved value>.

   $thumbprint = '<Thumbprint retrieved value>'
   $account = 'NT AUTHORITY\NETWORK SERVICE'
   #Open Certificate store and locate certificate based on provided thumbprint
   $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
   $store.Open("ReadWrite")
   $cert = $store.Certificates | where {$_.Thumbprint -eq $thumbprint}
    
   #Create new CSP object based on existing certificate provider and key name
   #Note: Ensure this command is pasted to the same row and doesn’t break to multiple rows. 
   #Otherwise, the command will fail with errors.
   $csp = New-Object System.Security.Cryptography.CspParameters($cert.PrivateKey.CspKeyContainerInfo.ProviderType, $cert.PrivateKey.CspKeyContainerInfo.ProviderName,
   $cert.PrivateKey.CspKeyContainerInfo.KeyContainerName)
    
   # Set flags and key security based on existing cert
   $csp.Flags = "UseExistingKey","UseMachineKeyStore"
   $csp.CryptoKeySecurity = $cert.PrivateKey.CspKeyContainerInfo.CryptoKeySecurity
   $csp.KeyNumber = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber
    
   # Create new access rule - could use parameters for permissions, but I only needed GenericRead
   $access = New-Object System.Security.AccessControl.CryptoKeyAccessRule($account,"GenericRead","Allow")
   # Add access rule to CSP object
   
   $csp.CryptoKeySecurity.AddAccessRule($access)
    
   #Create new CryptoServiceProvider object which updates Key with CSP information created/modified above
   $rsa2 = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
    
   #Close certificate store
   $store.Close()
   echo $csp.CryptoKeySecurity

3. After the script runs, validate the permissions are now set correctly.

   

To enable events forwarders to forward events, the Network Service account must be a member of the Active Directory Event Log Readers group. In PowerShell, execute the following command on the domain controller that is acting as the event forwarder:

PS C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add

Make sure you see The command completed successfully message.

Grant access to view the security event logs.

1. Run wevtutil gl security and take note of your channelAccess value.

   Example 52. 

   `PS C:\Users\Administrator> wevtutil gl security
   name: security
   enabled: true
   type: Admin
   owningPublisher:
   isolation: Custom
   channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
   logging:
     logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
     retention: false
     autoBackup: false
     maxSize: 134217728
   publishing:
     fileMax: 1
   

   Take note of value: channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

   
   

2. Run wevtutil sl security "/ca:<channelAccess value>(A;;0x1;;;S-1-5-20)"

   Example 53. 

   PS C:\Users\Administrator> wevtutil sl security "/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"

   
   

Make sure you grant access on each of your domain controller hosts.

Use any DC that has the Group Policy Management Console available in the same domain as the Core server, and verify the connection between the servers with a simple ping.

Run cmd as an administrator.

Run the following command:

gpmc.msc /gpcomputer: <computer name.Domain>

gpmc.msc /gpcomputer: WIN-SI2SVDOKIMV.ENV21.LOCAL

In the Group Policy Management window, navigate to Domains → your domain name → Group Policy Object, right-click and select New.

In the New GPO window, enter your group policy Name: as Windows Event Forwarding, and click OK.

Navigate to Domains → your domain name → Group Policy Objects → Windows Event Forwarding, right-click and select Edit.

In the Group Policy Management Editor:

Configure the subscription manager.

Navigate to Computer Configuration → Policies → Administrative Templates: Policy definitions → Windows Components → Event Forwarding, right-click Configure target Subscription Manager and select Edit.

In the Configure target Subscription Manager window:

1. Mark Configure target Subscription Manager as Enabled.

2. In the Options section, select Show and in the Show Contents window, paste the Subscription Manage URL you copied from the Cortex XDR console, and then click OK.

3. Click Apply and OK to save your changes.

Add Network Service to Event Log Readers group.

Select Computer Configuration → Preferences → Control Panel Settings → Local Users and Groups, right-click and select New → Local Group.

In the New Local Group Properties window:

1. In the Group name field, select Event Log Readers (built-in).

2. In the Members section, click Add and enter in the Name filed Network Service followed by OK.

   Note

   You must type out the name, do not select the name from the browse button.

3. Click Apply and OK to save your changes, and close the Group Policy Management Editor window.

Configure the Windows Firewall.

In the Group Policy Management window, select Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Outbound Rules, right-click and select New Rule.

In the New Outbound Rule Wizard define the following Steps:

1. Rule Type: Select Port followed by Next.

2. Protocols and Ports: Select TCP and in the Specific Remote Ports field enter 5986 followed by Next.

3. Action: Select Allow the connection followed by Next.

4. Profile: Select Domain and disable Private and Public followed by Next.

5. Name: Specify Windows Event Forwarding.

6. To save your changes, click Finish.

Select Group Policy Management → <your domain name> → Domain Controllers, right-click and select Link an existing GPO....

In the Select GPO window, click Windows Event Forwarding followed by OK.

In an administrative PowerShell console, execute the following commands:

1. PS C:\Users\Administrator> gpupdate /force

   Verify that the Computer Policy update has completed successfully. User Policy update has completed successfully. confirmation message is displayed.

2. PS C:\Users\Administrator> Restart-Service WinRM

In an administrative PowerShell console, run the following command:

PS C:\Users\Administrator> Get-WinEvent Microsoft-windows-WinRM/operational -MaxEvents 10

Look for WSMan operation EventDelivery completed successfully confirmation messages. These indicate events forwarded successfully.