Renewing your WEC certificates in Cortex XDR includes renewing your Windows Event Forwarding (WEF) client certificate and your WEC server certificate. You must install the WEF certificate on every Windows server, whether a Domain Controller (DC) or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the broker VM.
Cortex XDR displays a notification for any tenant with an active WEC applet containing a Certificate Authority (CA) certificate that expires in less than 90 days. You will see these notifications in the following places until the WEC certificates are replaced.
After you receive a notification for renewing your WEC CA certificate, we recommend that you do not add any new WEF clients until the WEC certification renewal process is complete. Events from these WEF clients that are added afterwards will not be collected by the server until the WEC certificates are renewed.
In the Broker VMs page, the health status of the Windows Event Collector applet is yellow. When your mouse hovers over the health status, a warning message is displayed indicating that Your Windows Event Collector server certificate expires in X days.
Until you renew your broker VM WEC server certificate, a warning message is displayed in the Windows Event Forwarder Configurations window.
A new notification entitled WEC Certificate Authority Expiration is displayed in the notification area until the certificates are renewed.
In addition, Cortex XDR manages the renewal of your WEC certificates by implementing the following time limits.
The WEC CA certificate is issued for an extended period, up to a maximum of 20 years.
The broker VM applet includes an automatic renewal mechanism for a WEC server certificate, which has a lifespan of 12 months.
The WEC client certificate after the renewal is issued with a lifespan of 5 years.
To renew your WEC certificates:
Renew your WEF client certificate in Cortex XDR.
In Cortex XDR, select → → →, and locate your broker VM.
Hover over the WEC connection in the APPS column to display the Windows Event Collector settings, and select Configure.
In the Windows Event Forwarder Configuration window:
Copy the Subscription Manager URL. You will use it when you renew the WEC certificates in the Group Policy Object (GPO) on your domain controller.
Define the Client Certificate Export Password that protects the downloaded WEF certificate used to establish the connection between your DC/WEF and the WEC. You will need this password when the certificate is imported on the event forwarder.
Download the WEF certificate in a PFX format to your local machine.
Install your WEF certificate on the WEF to establish the connection.
You must install the WEF certificate on every Windows Server, whether DC or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the broker VM.
Locate the PFX file you downloaded from the Cortex XDR console and double-click to open the Certificate Import Wizard.
In the Certificate Import Wizard:
Select Local Machine followed by Next.
Verify the File name field displays the PFX certificate file you downloaded and select Next.
In the Password field, enter the Client Certificate Export Password you defined in the Cortex XDR console, followed by Next.
Select Automatically select the certificate store based on the type of certificate followed by Next and Finish.
From a command prompt, run
In the file explorer, navigate to Certificates and verify the following for each of the folders:
In the → folder, ensure the certificate
In the → folder, ensure the CA
You may see more than one forwarder.wec.paloaltonetworks.com file from a previous installation in the directory, so select the file with the latest Expiration Date. You can verify that you are using the correct certificate as follows:
To verify that the client certificate in the → folder is related to the CA, select your forwarder.wec.paloaltonetworks.com file and, on the Certification Path tab, double-click ca.wec.paloaltonetworks.com. On the Details tab, set Show to Properties Only and verify that the Thumbprint matches the thumbprint of the ca.wec.paloaltonetworks.com certificate in the Trusted Root Certification Authorities folder.
For the Trusted Root certificate (the CA certificate), verify that the Thumbprint of your ca.wec.paloaltonetworks.com file matches the thumbprint shown in the client certificate's certification path by double-clicking the file and checking the Thumbprint on the Details tab.
Navigate to → →.
Right-click the certificate and navigate to →.
In the Permissions window, select Add, and in the Enter the object name section, enter NETWORK SERVICE followed by Check Names to verify the object name. The object name is displayed with an underline when it is valid. Then select OK.
Select OK, verify that the group or user name appears, and then select Apply to set the permissions for the private key.
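The certificate checks and the private-key permission from the steps above can be scripted on the forwarder instead of clicking through the Certificates snap-in. The following PowerShell is an added example, not code from the Cortex XDR documentation: it picks the forwarder.wec.paloaltonetworks.com certificate with the latest expiry from the Local Machine Personal store, builds its chain, confirms that the chain ends in the ca.wec.paloaltonetworks.com certificate present in Trusted Root Certification Authorities, and grants NETWORK SERVICE read access to the private key file. The machine key-file locations and the Get-PrivateKeyFile logic are assumptions based on standard Windows key storage, not something the page states.

```powershell
# Added example (not from the Cortex XDR documentation): verify the renewed WEF
# client certificate and grant NETWORK SERVICE read access to its private key.
# Subject names come from the page; key-file locations are an assumption
# (standard Windows machine-key folders under %ProgramData%\Microsoft\Crypto).
#Requires -RunAsAdministrator

$ClientCn = 'forwarder.wec.paloaltonetworks.com'
$CaCn     = 'ca.wec.paloaltonetworks.com'

function Get-NewestWefClientCert {
    # Earlier installs may have left older forwarder certificates behind;
    # take the one with the longest remaining validity, as the page advises.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($ClientCn))" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-WefClientChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The WEC CA is private; an online revocation lookup cannot succeed, so skip it.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # The chain's root must be the WEC CA that sits in Trusted Root Certification Authorities.
    $trustedRoot = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint -and $_.Subject -match "CN=$([regex]::Escape($CaCn))" }
    [pscustomobject]@{
        ClientThumbprint   = $Cert.Thumbprint
        ClientExpires      = $Cert.NotAfter
        RootSubject        = $root.Subject
        RootThumbprint     = $root.Thumbprint
        RootIsTrustedWecCa = [bool]$trustedRoot
    }
}

function Get-PrivateKeyFile {
    # Assumption: CNG (KSP) machine keys live under Crypto\Keys, legacy CSP
    # machine keys under Crypto\RSA\MachineKeys; the file name is the key's unique name.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    }
    Join-Path $dir $name
}

function Grant-PrivateKeyRead {
    # Same effect as Manage Private Keys -> Add NETWORK SERVICE with Read permission.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
    )
    $file = Get-PrivateKeyFile -Cert $Cert
    $acl  = Get-Acl -Path $file
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
    (Get-Acl -Path $file).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

$cert = Get-NewestWefClientCert
if (-not $cert) { throw "No $ClientCn certificate with a private key was found in LocalMachine\My." }

$result = Test-WefClientChain -Cert $cert
$result | Format-List
if (-not $result.RootIsTrustedWecCa) {
    throw "Chain for $($cert.Thumbprint) does not end in the trusted $CaCn certificate."
}

Grant-PrivateKeyRead -Cert $cert |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it in an elevated PowerShell session on each forwarder after importing the PFX; a thrown error means the store contents do not match what the renewal expects, and the machine should be fixed before moving on to the GPO change.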
Configure the subscription manager.
Navigate to → → → →, right-click Configure target Subscription Manager, and select Edit.
In the Configure target Subscription Manager window:
Mark Configure target Subscription Manager as Enabled.
In the Options section, select Show, and in the Show Contents window, paste the Subscription Manager URL that you copied from the Cortex XDR console, followed by OK.
Select Apply and OK to save your changes.
Complete the WEF Client certificate renewal.
On every WEF DC, run the following from a command prompt.
Run gpupdate /force to update the group policy.
Run Restart-Service WinRM to apply the configuration.
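The following PowerShell is an added example, not part of the Cortex XDR documentation, that wraps the GPO and completion steps above into one check you can run on each forwarder: it optionally runs gpupdate /force and restarts WinRM, then confirms that the Configure target Subscription Manager policy actually arrived on the machine, that it carries the Subscription Manager URL copied from the console, that WinRM is running, and shows the latest entries from the forwarding plug-in's operational log. The registry key is the one the Windows policy writes to; the expected URL is a placeholder you replace with your own value, and the Server= parsing assumes the standard Windows subscription-manager string format.

```powershell
# Added example (not from the Cortex XDR documentation): confirm a forwarder
# picked up the Subscription Manager policy after the WEC certificate renewal.
# Replace the placeholder URL with the one copied from the Cortex XDR console.
#Requires -RunAsAdministrator
param(
    [string]$ExpectedSubscriptionManagerUrl = '<PASTE-SUBSCRIPTION-MANAGER-URL-FROM-CONSOLE>',  # placeholder
    [switch]$Apply   # also run gpupdate /force and Restart-Service WinRM, as the page instructs
)

# Registry location populated by the "Configure target Subscription Manager" group policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function Get-WefSubscriptionManagerPolicy {
    # Each line of the GPO "Show Contents" list is stored as a numbered value (1, 2, ...).
    if (-not (Test-Path $PolicyKey)) { return @() }
    (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            # Assumption: standard "Server=<url>,Refresh=<sec>,IssuerCA=<thumb>" format;
            # if the value has no Server= part, treat the whole value as the URL.
            $server = if ($_.Value -match 'Server=([^,]+)') { $Matches[1] } else { $_.Value }
            [pscustomobject]@{ Entry = $_.Name; Raw = $_.Value; Server = $server }
        }
}

function Test-WefForwardingState {
    param([string]$ExpectedUrl)
    $entries = @(Get-WefSubscriptionManagerPolicy)
    $match   = $entries | Where-Object { $_.Raw -eq $ExpectedUrl -or $_.Server -eq $ExpectedUrl }
    $winrm   = Get-Service -Name WinRM
    [pscustomobject]@{
        PolicyPresent      = $entries.Count -gt 0
        ConfiguredServers  = ($entries.Server -join '; ')
        ExpectedUrlApplied = [bool]$match
        WinRmStatus        = $winrm.Status
        WinRmStartType     = $winrm.StartType
    }
}

if ($Apply) {
    # The two completion steps from the page, run in order.
    gpupdate /force | Out-Null
    Restart-Service -Name WinRM
}

$state = Test-WefForwardingState -ExpectedUrl $ExpectedSubscriptionManagerUrl
$state | Format-List

if (-not $state.PolicyPresent)      { Write-Warning "Subscription Manager policy not found under $PolicyKey; check GPO linking and rerun gpupdate /force." }
if (-not $state.ExpectedUrlApplied) { Write-Warning 'The URL copied from the console is not among the configured subscription managers.' }
if ($state.WinRmStatus -ne 'Running') { Write-Warning 'WinRM is not running; the forwarder cannot reach the WEC.' }

# Recent forwarding-plugin events show whether the subscription was refreshed against the WEC.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Run it without -Apply first to see the current state, then with -Apply on the forwarders that still lack the policy; warnings rather than a silent exit make it suitable for fanning out over many DCs with Invoke-Command.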
Renew your WEC server certificate in Cortex XDR.
You should only perform this step under the following conditions.
You have completed the WEF certificate renewal process for ALL clients in your environment. Otherwise, events from the WEFs on which you did not install the new client certificate will not be collected by the WEC.
You are approaching the WEC server CA certificate expiration date, which is 2 years after the Windows Event Collector applet activation, and receive a notification in the Cortex XDR console.
In Cortex XDR, select → → →, and locate your broker VM.
Hover over the WEC connection in the APPS column to display the Windows Event Collector settings, and select Renew WEC Server Certificate.
Once Cortex XDR renews the WEC server certificate, the status of the WEC in the APPS field on the Broker VMs page is Connected, indicating that the applet is running. In addition, the health status of the Windows Event Collector applet is now green instead of yellow, and the warning message that appeared when you hovered over the health status no longer appears. Your WEC server certificate is issued with a lifespan of 12 months.
We also suggest that you run the following query in XQL Search to verify that your event logs are being captured.
dataset = xdr_data | filter _product = "Windows" | fields _vendor, _product, action_evtlog_level, action_evtlog_event_id | sort desc _time | limit 20
If this query does not display results with a timestamp from after the renewal process, it could indicate that the renewal process is not complete, so wait a few minutes before running another query. If you are still having a problem, contact Technical Support.