Renew WEC Certificates - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-02
Category
Administrator Guide
Abstract

Learn more about renewing your WEC certificates in Cortex XSIAM.

Renewing your WEC certificates in Cortex XSIAM includes renewing your Windows Event Forwarding (WEF) client certificate and your WEC server certificate. You must install the WEF certificate on every Windows server, whether a Domain Controller (DC) or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the Broker VM.

Important

After you receive a notification for renewing your WEC CA certificate, we recommend that you do not add any new WEF clients until the WEC certification renewal process is complete. Events from these WEF clients that are added afterwards will not be collected by the server until the WEC certificates are renewed.

In addition, Cortex XSIAM manages the renewal of your WEC certificates by applying the following certificate lifetimes.

  • The WEC CA certificate lifetime is extended to a maximum of 20 years.

  • The Broker VM applet includes an automatic renewal mechanism for a WEC server certificate, which has a lifespan of 12 months.

  • The WEC client certificate after the renewal is issued with a lifespan of 5 years.

To renew your WEC certificates:

  1. Renew your WEF client certificate in Cortex XSIAM.

    1. Select Settings → Configurations → Data Broker → Broker VMs.

    2. In either the Brokers tab or the Clusters tab, locate your Broker VM.

    3. Left-click the WEC connection in the APPS column to display the Windows Event Collector settings, and select Configure.

    4. In the Windows Event Forwarder Configuration window:

      1. Copy the Subscription Manager URL. You will use it when you renew the WEC certificates in the GPO (Group Policy Object) on your domain controller.

      2. Define the Client Certificate Export Password, which protects the downloaded WEF certificate used to establish the connection between your DC/WEF and the WEC. You will need this password when you import the certificate on the event forwarder.

      3. Download the WEF certificate in a PFX format to your local machine.

    5. Install your WEF certificate on the WEF to establish the connection.

      Note

      You must install the WEF certificate on every Windows Server, whether DC or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the Broker VM.

      1. Locate the PFX file you downloaded from the Cortex XSIAM console and double-click to open the Certificate Import Wizard.

      2. In the Certificate Import Wizard:

        1. Select Local Machine followed by Next.

        2. Verify the File name field displays the PFX certificate file you downloaded and select Next.

        3. In the Password field, enter the Client Certificate Export Password you defined in the Cortex XSIAM console, followed by Next.

        4. Select Automatically select the certificate store based on the type of certificate followed by Next and Finish.

      3. From a command prompt, run certlm.msc.

      4. In the console tree, navigate to Certificates and verify the following in each of these folders:

        • In the Personal → Certificates folder, ensure the certificate forwarder.wec.paloaltonetworks.com appears.

        • In the Trusted Root Certification Authorities → Certificates folder, ensure the CA ca.wec.paloaltonetworks.com appears.

        Note

        More than one ca.wec.paloaltonetworks.com and forwarder.wec.paloaltonetworks.com certificate may be present from a previous installation, so select the one with the latest Expiration Date. You can verify that you are using the correct certificate as follows:

        • To verify that the client certificate in the Personal → Certificates folder was issued by the CA, open your forwarder.wec.paloaltonetworks.com certificate, go to the Certification Path tab, and double-click ca.wec.paloaltonetworks.com. In the Details tab, set Show to Properties Only and verify that the Thumbprint matches the Thumbprint of the ca.wec.paloaltonetworks.com certificate in the Trusted Root Certification Authorities folder.

        • For the Trusted Root certificate (i.e. the CA certificate), verify that the Thumbprint of your ca.wec.paloaltonetworks.com certificate matches the CA thumbprint contained in the Subscription Manager URL: double-click the certificate and check the Thumbprint in the Details tab.

      5. Navigate to Certificates → Personal → Certificates.

      6. Right-click the certificate and navigate to All Tasks → Manage Private Keys.

      7. In the Permissions window, select Add. In the Enter the object name section, enter NETWORK SERVICE and select Check Names to verify the object name; a valid object name is displayed with an underline. Then select OK.

      8. Select OK, verify that NETWORK SERVICE appears under Group or user names, and then select Apply in the Permissions for private keys window.

    6. Configure the subscription manager.

      In the GPO on your domain controller, navigate to Computer Configuration → Policies → Administrative Templates: Policy definitions → Windows Components → Event Forwarding, right-click Configure target Subscription Manager, and select Edit.

      In the Configure target Subscription Manager window:

      1. Mark Configure target Subscription Manager as Enabled.

      2. In the Options section, select Show, and in the Show Contents window, paste the Subscription Manager URL that you copied from the Cortex XSIAM console followed by OK.

      3. Select Apply and OK to save your changes.

    7. Complete the WEF Client certificate renewal.

      On every WEF DC, perform the following from a command prompt.

      1. Run gpupdate /force to refresh the group policy.

      2. Run Restart-Service WinRM to restart the WinRM service so that the new configuration takes effect.
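The following PowerShell script is an added example, not part of the Cortex XSIAM guide or its product, that performs the checks and the permission change from steps 5 through 7 on a WEF host after the PFX has been imported with the Certificate Import Wizard: it picks the client and CA certificates with the latest expiration date, confirms that the client certificate chains to the installed CA (the Certification Path check), grants NETWORK SERVICE read access to the private key, and, after gpupdate, confirms that the Subscription Manager policy delivered by the GPO references that same CA before restarting WinRM. It assumes the certificate subjects contain the names given in the guide, that the policy lands in the standard Windows EventForwarding policy registry key and uses the standard IssuerCA=<thumbprint> field, and that the WEC CA publishes no CRL (so revocation checking is disabled); the registry path, key-file locations and the NoCheck setting are the author's assumptions, not values from the guide. Run it from an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the Cortex XSIAM guide). Post-import checks and private-key
# permissions for the WEF client certificate, plus a check of the Subscription Manager policy.
# Assumptions: PFX already imported via the wizard; subjects contain the names below;
# policy stored in the standard EventForwarding policy key; WEC CA publishes no CRL.

$LeafName  = 'forwarder.wec.paloaltonetworks.com'   # from the guide
$CaName    = 'ca.wec.paloaltonetworks.com'          # from the guide
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'  # assumption: standard policy key

function Get-NewestCert([string]$StorePath, [string]$NamePart) {
    # Several copies may remain from earlier renewals; use the one with the latest expiration date.
    Get-ChildItem $StorePath | Where-Object { $_.Subject -like "*$NamePart*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-WefCertChain {
    $leaf = Get-NewestCert 'Cert:\LocalMachine\My'   $LeafName
    $ca   = Get-NewestCert 'Cert:\LocalMachine\Root' $CaName
    if (-not $leaf -or -not $ca)  { throw 'Client or CA certificate not found in the expected store' }
    if (-not $leaf.HasPrivateKey) { throw 'Client certificate has no private key; re-import the PFX' }

    # Build the chain and compare its root to the CA in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: private CA without a CRL
    $null = $chain.Build($leaf)
    $root = @($chain.ChainElements)[-1].Certificate
    if ($root.Thumbprint -ne $ca.Thumbprint) {
        throw "Client certificate chains to $($root.Thumbprint), not to the installed CA $($ca.Thumbprint)"
    }
    [pscustomobject]@{ Leaf = $leaf; Ca = $ca }
}

function Grant-NetworkServiceKeyRead([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Equivalent of All Tasks > Manage Private Keys > Add NETWORK SERVICE (Read).
    # The key file lives under ProgramData; the folder depends on the key storage provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        throw "Unsupported private key type: $($rsa.GetType().Name)"
    }
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    # Read the ACL back so the caller can confirm the entry, as step 8 does in the UI.
    (Get-Acl $keyFile).Access | Where-Object IdentityReference -like '*NETWORK SERVICE*'
}

function Test-SubscriptionManagerPolicy([string]$CaThumbprint) {
    # Each policy entry is a string such as Server=https://...,Refresh=60,IssuerCA=<thumbprint>.
    # Only the IssuerCA field is compared, against the CA actually installed on this host.
    if (-not (Test-Path $PolicyKey)) { throw 'Policy not applied yet; run gpupdate /force and retry' }
    $entries = (Get-ItemProperty $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    foreach ($entry in $entries) {
        if ($entry -match 'IssuerCA=([0-9A-Fa-f]+)' -and $Matches[1] -eq $CaThumbprint) { return $entry }
    }
    throw "No Subscription Manager entry references CA thumbprint $CaThumbprint"
}

# Same order as the guide: verify the certificates, fix the key permissions, refresh policy,
# confirm the policy points at the new CA, then restart WinRM.
$certs = Test-WefCertChain
Grant-NetworkServiceKeyRead $certs.Leaf | Format-Table IdentityReference, FileSystemRights
gpupdate /force
Test-SubscriptionManagerPolicy $certs.Ca.Thumbprint
Restart-Service WinRM
```

The chain check and the IssuerCA comparison are what catch the common failure mode in this procedure: an older ca.wec.paloaltonetworks.com certificate left in the store, or a GPO still carrying the previous Subscription Manager URL, both of which leave the forwarder silently unable to connect after the server certificate is renewed.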

  2. Renew your WEC server certificate in Cortex XSIAM.

    Note

    Only perform this step under the following conditions.

    • You have completed the WEF certificate renewal process for ALL clients in your environment. Otherwise, events from any WEF on which you did not install the new client certificate will not be collected by the WEC.

    • You are approaching the WEC server CA certificate expiration date, which is 2 years after the Windows Event Collector applet activation, and receive a notification in the Cortex XSIAM console.

    1. Select Settings → Configurations → Data Broker → Broker VMs.

    2. In either the Brokers tab or the Clusters tab, locate your Broker VM.

    3. Left-click the WEC connection in the APPS column to display the Windows Event Collector settings, and select Renew WEC Server Certificate.

    4. Click Renew.

      Once Cortex XSIAM renews the WEC server certificate, the status of the WEC in the APPS field on the Broker VMs page is Connected, indicating that the applet is running. In addition, the health status of the Windows Event Collector applet is now green instead of yellow, and the warning message that appeared when you hovered over the health status no longer appears. Your WEC server certificate is issued with a lifespan of 12 months.

      We also suggest that you run the following query in XQL Search to verify that your event logs are being captured.

      dataset = xdr_data 
      | filter _product = "Windows" 
      | fields _vendor,_product,action_evtlog_level,action_evtlog_event_id 
      | sort desc _time | limit 20

      Note

      If this query does not display results with a timestamp from after the renewal process, it could indicate that the renewal process is not complete, so wait a few minutes before running another query. If you are still having a problem, contact Technical Support.
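Because the XQL query only shows what has reached Cortex XSIAM, it helps to also look from the forwarder's side when results are missing. The following PowerShell function is an added example, not part of the guide, that reports the WinRM service state and any errors or warnings the Windows Event Forwarding plug-in logged since the renewal; it assumes the plug-in writes to the standard Microsoft-Windows-Forwarding/Operational log (the author's assumption, not a name taken from the guide) and that the caller supplies the renewal time.

```powershell
# Added example (not from the Cortex XSIAM guide): forwarder-side health check to run on a
# WEF after the WEC server certificate is renewed. Assumption: the forwarding plug-in logs
# to the standard Microsoft-Windows-Forwarding/Operational channel.

function Get-WefForwardingStatus([datetime]$Since = (Get-Date).AddMinutes(-30)) {
    $filter = @{ LogName = 'Microsoft-Windows-Forwarding/Operational'; StartTime = $Since }
    # Get-WinEvent errors when nothing matches; treat that as an empty result, not a failure.
    $events   = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $errors   = @($events | Where-Object Level -eq 2)   # Level 2 = Error
    $warnings = @($events | Where-Object Level -eq 3)   # Level 3 = Warning
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        WinRmStatus = (Get-Service WinRM).Status
        Since       = $Since
        Errors      = $errors.Count
        Warnings    = $warnings.Count
        LastError   = ($errors | Select-Object -First 1 | ForEach-Object { $_.Message })  # newest first
    }
}

# Pass the time at which you clicked Renew so that older, already-fixed errors are ignored.
$status = Get-WefForwardingStatus -Since (Get-Date).AddMinutes(-15)
$status
if ($status.WinRmStatus -ne 'Running' -or $status.Errors -gt 0) {
    Write-Warning "Forwarding on $($status.Computer) is not healthy; check the client certificate and Subscription Manager policy before contacting Technical Support."
}
```

A healthy forwarder shows WinRM running and zero errors in the window after the renewal; errors that persist on a host usually mean that host was skipped in the client certificate renewal, which is exactly the condition the note at the start of this step warns about.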