Learn more about renewing your WEC certificates in Cortex XSIAM.
Renewing your WEC certificates in Cortex XSIAM includes renewing your Windows Event Forwarding (WEF) client certificate and your WEC server certificate. You must install the WEF certificate on every Windows server, whether a Domain Controller (DC) or not, that is supposed to forward logs to the Windows Event Collector applet on the Broker VM.
Important
After you receive a notification to renew your WEC CA certificate, we recommend that you do not add any new WEF clients until the WEC certificate renewal process is complete. Events from WEF clients that are added in the meantime will not be collected by the server until the WEC certificates are renewed.
In addition, Cortex XSIAM manages the renewal of your WEC certificates with the following lifetimes.
The WEC CA certificate is issued for an extended period, up to a maximum of 20 years.
The Broker VM applet includes an automatic renewal mechanism for the WEC server certificate, which has a lifespan of 12 months.
The renewed WEC client certificate is issued with a lifespan of 5 years.
To renew your WEC certificates:
Renew your WEF client certificate in Cortex XSIAM.
Select → → → . In either the Brokers tab or the Clusters tab, locate your Broker VM.
Left-click the WEC connection in the APPS column to display the Windows Event Collector settings, and select Configure.
In the Windows Event Forwarder Configuration window:
Copy the Subscription Manager URL. You will use it when you renew the WEC certificates in the GPO (Group Policy Object) on your domain controller.
Define the Client Certificate Export Password, which secures the downloaded WEF certificate used to establish the connection between your DC/WEF and the WEC. You will need this password when you import the certificate on the event forwarder.
Download the WEF certificate in a PFX format to your local machine.
Install your WEF certificate on the WEF to establish the connection.
Note
You must install the WEF certificate on every Windows Server, whether DC or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the Broker VM.
Locate the PFX file you downloaded from the Cortex XSIAM console and double-click to open the Certificate Import Wizard.
In the Certificate Import Wizard:
Select Local Machine followed by Next.
Verify the File name field displays the PFX certificate file you downloaded and select Next.
In the Password field, enter the Client Certificate Export Password you defined in the Cortex XSIAM console, followed by Next.
Select Automatically select the certificate store based on the type of certificate followed by Next and Finish.
From a command prompt, run certlm.msc. In the console tree, navigate to Certificates and verify the following for each of the folders:
In the → folder, ensure the certificate forwarder.wec.paloaltonetworks.com appears.
In the → folder, ensure the CA ca.wec.paloaltonetworks.com appears.
Note
You may see more than one ca.wec.paloaltonetworks.com and forwarder.wec.paloaltonetworks.com file from a previous installation in the directory, so select the file with the latest Expiration Date. You can verify that you are using the correct certificate as follows:
To verify that the client certificate in the → folder is related to the CA, select your forwarder.wec.paloaltonetworks.com file and, from the Certification Path tab, double-click ca.wec.paloaltonetworks.com. In the Details tab, set Show to Properties only, and verify that the Thumbprint matches the Thumbprint of the ca.wec.paloaltonetworks.com file.
For the Trusted Root Certificate (i.e., the CA certificate), verify that the Thumbprint of your ca.wec.paloaltonetworks.com file matches the thumbprint in the Subscription Manager URL by double-clicking the file and checking the Thumbprint in the Details tab.
Navigate to → → . Right-click the certificate and navigate to → . In the Permissions window, select Add, and in the Enter the object name section enter NETWORK SERVICE, followed by Check Names to verify the object name (the object name is displayed with an underline when valid), and then OK. Select OK, verify that the entry appears under Group or user names, and then select Apply in the Permissions for private keys window.
Configure the subscription manager.
Navigate to → → → → , right-click Configure target Subscription Manager, and select Edit. In the Configure target Subscription Manager window:
Mark Configure target Subscription Manager as Enabled.
In the Options section, select Show, and in the Show Contents window, paste the Subscription Manager URL that you copied from the Cortex XSIAM console followed by OK.
Select Apply and OK to save your changes.
Complete the WEF Client certificate renewal.
On every WEF DC, perform the following from a command prompt.
Run gpupdate /force to update the group policy.
Run Restart-Service WinRM (from a PowerShell prompt, since Restart-Service is a PowerShell cmdlet) to apply the configuration.
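The following script is an added example, not Palo Alto Networks code, that automates the checks described in the steps above after the GPO has been applied: it reads the Subscription Manager URL from the applied policy, confirms that the IssuerCA thumbprint in that URL is a CA in Trusted Root Certification Authorities, selects the newest forwarder certificate that chains to that CA, and verifies that NETWORK SERVICE can read its private key. It assumes the client certificate Subject contains forwarder.wec.paloaltonetworks.com and that the policy setting lands under the registry key shown; run it in an elevated PowerShell session on the WEF.

```powershell
# Added example (not Palo Alto Networks code). Run elevated on a WEF after the PFX import and
# gpupdate. Assumes the client certificate Subject contains forwarder.wec.paloaltonetworks.com
# and that the GPO setting lands under the policy key below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$url = $policy.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } |
    ForEach-Object { $_.Value } | Select-Object -First 1
if (-not $url) { throw "No Subscription Manager URL under $policyKey; run gpupdate /force first" }

# 1. The URL carries the CA thumbprint (IssuerCA=...); that CA must be in Trusted Root.
if ($url -notmatch 'IssuerCA=([0-9A-Fa-f]{40})') { throw "No IssuerCA=<thumbprint> in: $url" }
$issuerCa = $Matches[1].ToUpper()
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $issuerCa }
if (-not $ca) { throw "CA $issuerCa (ca.wec.paloaltonetworks.com) is not in Cert:\LocalMachine\Root" }

# Root thumbprint of a certificate's validated chain (the Certification Path tab in certlm.msc).
function Get-ChainRootThumbprint([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the private WEC CA publishes no CRL
    if (-not $chain.Build($Cert)) { return $null }
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

# 2. Pick the newest client certificate that actually chains to that CA; older certificates from a
#    previous installation may share the same name.
$forwarder = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*forwarder.wec.paloaltonetworks.com*' -and $_.HasPrivateKey -and
                   (Get-ChainRootThumbprint $_) -eq $issuerCa } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $forwarder) { throw "No forwarder.wec.paloaltonetworks.com certificate chains to CA $issuerCa" }

# 3. NETWORK SERVICE must be able to read the private key (what Manage Private Keys grants). The key
#    file is named after the key's unique container name, under MachineKeys (CSP) or Keys (CNG).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($forwarder)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys", "$env:ProgramData\Microsoft\Crypto\Keys") |
    ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file $keyName not found; check Manage Private Keys in certlm.msc" }
$nsRead = (Get-Acl $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Read|FullControl' }
if (-not $nsRead) { throw "NETWORK SERVICE cannot read $keyFile; grant Read via Manage Private Keys" }

"OK: client $($forwarder.Thumbprint) (expires $($forwarder.NotAfter)) chains to CA $issuerCa; key readable by NETWORK SERVICE"
```

Any thrown message points at the manual step in the procedure above that still needs attention on that WEF.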
Renew your WEC server certificate in Cortex XSIAM.
Note
Only perform this step under the following conditions.
You have completed the WEF certificate renewal process for ALL clients in your environment. Otherwise, events from WEFs on which you did not install the new client certificate will not be collected by the WEC.
You are approaching the WEC server CA certificate expiration date, which is 2 years after the Windows Event Collector applet activation, and you receive a notification in the Cortex XSIAM console.
Select → → → . In either the Brokers tab or the Clusters tab, locate your Broker VM.
Left-click the WEC connection in the APPS column to display the Windows Event Collector settings, and select Renew WEC Server Certificate.
Click Renew.
Once Cortex XSIAM renews the WEC server certificate, the status of the WEC in the APPS field of the Broker VMs page is Connected, indicating that the applet is running. In addition, the health status of the Windows Event Collector applet is now green instead of yellow, and the warning message that appeared when you hovered over the health status no longer appears. Your WEC server certificate is issued with a lifespan of 12 months.
We also suggest that you run the following query in XQL Search to verify that your event logs are being captured.
dataset = xdr_data | filter _product = "Windows" | fields _vendor,_product,action_evtlog_level,action_evtlog_event_id | sort desc _time | limit 20
Note
If this query does not display results with a timestamp from after the renewal process, the renewal process may not be complete yet, so wait a few minutes before running the query again. If you are still having a problem, contact Technical Support.