Activate the Windows Event Collector - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-06-20
Category
Administrator Guide
Abstract

Set up your Windrows Event Collector to connect with the Cortex XSIAM Broker VM and collect events.

After you have configured and registered your Broker VM, activate your Windows Event Collector application.

The Windows Event Collector (WEC) runs on the Broker VM collecting event logs from Windows Servers, including Domain Controllers (DCs). The Windows Event Collector can be deployed in multiple setups, and can be connected directly to multiple event generators (DCs or Windows Servers) or routed using one or more Windows Event Collectors. Behind each Windows event collector there may be multiple generating sources.

To enable the collection of the event logs, you need to configure and establish trust between the Windows Event Forwarding (WEF) collectors and the WEC. Establishing trust between the WEFs and the WEC is achieved by mutual authentication over TLS using server and client certificates. The WEF, a WinRM plugin, runs under the Network Service account. Therefore, you need to provide the WEFs with the relevant certificates and grant the account access permissions to the private key used for client authentication, for example, authenticate with WEC.

Note

You can also activate the Windows Event Collector on Windows Core. For more information, see Activate the Windows Event Collector on Windows Core.

Danger

Ensure you meet the following prerequisites before activating the Windows Event Collector applet:

  • Cortex XDR Pro per GB license

  • Broker VM version 8.0 and later

  • You have knowledge of Windows Active Directory and Domain Controllers.

  • You must configure different settings related to the FQDN where the instructions differ depending on whether you are configuring a standalone Broker VM or High Availability (HA) cluster.

    • Standalone broker: A FQDN must be configured for the standalone broker as configured in your local DNS server. Therefore, the Broker VM is registered in the DNS, its FQDN is resolvable from the events forwarder (Windows server), and the Broker VM FQDN is configured. For more information, see Edit Your Broker VM Configuration.

    • HA cluster: A FQDN must be configured in the cluster settings as configured in your local DNS server, which points to a Load Balancer. For more information, see Configure a High Availability Cluster.

  • Windows Server 2012 r2 or later.

After ingestion, Cortex XSIAM normalizes and saves the Windows event logs in the dataset xdr_data. The normalized logs are also saved in a unified format in microsoft_windows_raw. This enables you to search the data using Cortex Query Language (XQL) queries, build correlation rules, and generate dashboards based on the data.

How to activate the Windows Event Collector applet
  1. Select SettingsConfigurationsData BrokerBroker VM.

  2. In either the Brokers tab or the Clusters tab, locate your Broker VM.

  3. You can either right-click the Broker VM and select Add AppWindows Event Collector, or in the APPS column, left-click AddWindows Event Collector.

  4. In the Activate Windows Event Collector window, define the Collected Events.

    Configure the events collected by the applet. This lists event sources from which you want to collect events.

    • Source: Select from the pre-populated list with the most common event sources on Windows Servers. The event source is the name of the software that logs the events.

      A source provider can only appear once in your list. When selecting event sources, depending on the type event you want to forward, ensure the event source is enabled, for example auditing security events. If the source is not enabled, the source configuration in the given row will fail.

    • Min. Event Level: Minimum severity level of events that are collected.

    • Event IDs Group: Whether to Include, Exclude, or collect All event ID groups.

    • Event IDs (Optional): Define specific event IDs or event ID ranges you want to collect.

      Make sure to select network-mapper-enter.png after each entry.

    • Minimal TLS Version: Select either 1.0 or 1.2 (default) as the minimum TLS version allowed. Ensure that you verify that all Windows event forwarders are supporting the minimal defined TLS version.

    For example, to forward all the Windows Event Collector events to the Broker VM, define as follows:

    • Source: ForwardedEvents

    • Min. Event Level: Verbose

    • Event IDs Group: All

    Note

    By default, Cortex XSIAM collects Palo Alto Networks predefined Security events that are used by the Cortex XSIAM detectors. Removing the Security collector interferes with the Cortex XSIAM detection functionality. Restore to Default to reinstate the Security event collection.

  5. Activate your configurations.

    After a successful activation, the APPS field displays WEC with a green dot indicating a successful connection.

  6. Left-click the WEC connection in the APPS column to display the Windows Event Collector settings, and select Configure.

    In the Windows Event Forwarder Configuration window, perform the following tasks.

    1. copy-icon.png (copy) the Subscription Manager URL. This will be used when you configure the subscription manager in the GPO (Global Policy Object) on your domain controller.

    2. Define Client Certificate Export Password used to secure the downloaded WEF certificate used to establish the connection between your DC/WEF and the WEC. You will need this password when the certificate is imported to the events forwarder.

    3. Download the WEF certificate in a PFX format to your local machine.

      To view your Windows Event Forwarding configuration details at any time, select your Broker VM, right-click and navigate to Windows Event CollectorConfigure.

    Cortex XSIAM monitors the certificate and triggers a Certificate Expiration notification 30 days prior to the expiration date. The notification is sent daily specifying the number of days left on the certificate, or if the certificate has already expired.

  7. Install your WEF Certificate on the WEF to establish connection.

    Note

    You must install the WEF certificate on every Windows Server, whether DC or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the Broker VM.

    1. Locate the PFX file you downloaded from the Cortex XSIAM console and double-click to open the Certificate Import Wizard.

    2. In the Certificate Import Wizard:

      1. Select Local Machine followed by Next.

      2. Verify the File name field displays the PFX certificate file you downloaded and select Next.

      3. In the Passwords field, specify the Client Certificate Export Password you defined in the Cortex XSIAM console followed by Next.

      4. Select Automatically select the certificate store based on the type of certificate followed by Next and Finish.

    3. From a command prompt, run certlm.msc.

    4. In the file explorer, navigate to Certificates and verify the following for each of the folders.

      • In the PersonalCertificates folder, ensure the certificate forwarder.wec.paloaltonetworks.com appears.

      • In the Trusted Root Certification AuthoritiesCertificates folder, ensure the CA ca.wec.paloaltonetworks.com appears.

    5. Navigate to CertificatesPersonalCertificates.

    6. Right-click the certificate and navigate to All tasksManage Private Keys.

    7. In the Permissions window, select Add and in the Enter the object name section, specify NETWORK SERVICE followed by Check Names to verify the object name. The object name is displayed with an underline when valid. and then OK.

      certificate-permission.png
    8. Select OK, verify the Group or user names appear, and then Apply Permissions for private keys.

      verify-permissions.png
  8. Add the Network Service account to the domain controller Event Log Readers group.

    Note

    You must install the WEF certificate on every Windows Server, whether DC or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the Broker VM.

    1. To enable events forwarders to forward events, the Network Service account must be a member of the Active Directory Event Log Readers group. In PowerShell, execute the following command on the domain controller that is acting as the event forwarder:

      PS C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add

      Make sure you see The command completed successfully message.

    2. Grant access to view the security event logs.

      1. Run wevtutil gl security and take note of your channelAccess value.

        For example:

        `PS C:\Users\Administrator> wevtutil gl security
        name: security
        enabled: true
        type: Admin
        owningPublisher:
        isolation: Custom
        channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
        logging:
          logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
          retention: false
          autoBackup: false
          maxSize: 134217728
        publishing:
          fileMax: 1
        

        Take note of value: channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

      2. Run wevtutil sl security "/ca:<channelAccess value>(A;;0x1;;;S-1-5-20)"

        For example:

        PS C:\Users\Administrator> wevtutil sl security "/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"

      Make sure you grant access on each of your domain controller hosts.

  9. Create a WEF Group Policy that applies to every Windows server you want to configure as a WEF.

    1. In a command prompt, open gpmc.msc.

    2. In the Group Policy Management window, navigate to Domainsyour domain nameGroup Policy Object, right-click and select New.

    3. In the New GPO window, enter your group policy Name: Windows Event Forwarding followed by OK.

    4. Navigate to Domainsyour domain nameGroup Policy ObjectsWindows Event Forwarding, right-click and select Edit.