Activate the Windows Event Collector
Set up your Windows Event Collector to connect with the Cortex XDR Broker VM and collect events.
After you have configured and registered your broker VM, activate your Windows Event Collector application.
The Windows Event Collector (WEC) runs on the broker VM collecting event logs from Windows Servers, including Domain Controllers (DCs). The Windows Event Collector can be deployed in multiple setups, and can be connected directly to multiple event generators (DCs or Windows Servers) or routed using one or more Windows Event Collectors. Behind each Windows event collector there may be multiple generating sources.
To enable the collection of the event logs, you need to configure and establish trust between the Windows Event Forwarding (WEF) hosts (the event forwarders) and the WEC. Trust between the WEFs and the WEC is established by mutual authentication over TLS using server and client certificates. The WEF, a WinRM plugin, runs under the Network Service account. Therefore, you need to provide the WEFs with the relevant certificates and grant that account access to the private key used for client authentication, so that it can authenticate to the WEC.
Ensure you meet the following prerequisites before activating the collector.
- Cortex XDR Pro per TB license
- Broker VM version 8.0 and later
- You have knowledge of Windows Active Directory and Domain Controllers.
- Broker VM is registered in the DNS, its FQDN is resolvable from the events forwarder (Windows server), and the Broker VM FQDN is configured. For more information on configuring the Broker VM FQDN, see Edit Your Broker VM Configuration.
- Windows Server 2012 R2 or later.
- In Cortex XDR, select Settings > Configurations > Data Broker > Broker VM and locate your broker VM.
- Right-click and select Windows Event Collector > Activate.
- In the Windows Event Collection Configuration window, define the events collected by the applet. This lists the event sources from which you want to collect events.
- Source—Select from the pre-populated list of the most common event sources on Windows Servers. The event source is the name of the software that logs the events. A source provider can only appear once in your list. When selecting event sources, depending on the type of event you want to forward, ensure the event source is enabled, for example auditing of security events. If the source is not enabled, the source configuration in the given row will fail.
- Min. Event Level—Minimum severity level of events that are collected.
- Event IDs Group—Whether to Include, Exclude, or collect All event ID groups.
- Event IDs—(Optional) Define specific event IDs or event ID ranges you want to collect. Make sure to select after each entry.
- Minimal TLS Version—Select either 1.0 or 1.2 (default) as the minimum TLS version allowed. Verify that all Windows event forwarders support the defined minimum TLS version.
By default, Cortex XDR collects the Palo Alto Networks predefined Security events that are used by the Cortex XDR detectors. Removing the Security collector interferes with Cortex XDR detection functionality. Select Restore to Default to reinstate the Security event collection.
For example, to forward all the Windows Event Collector events to the broker VM, define the source as follows:
- Min. Event Level—Verbose
- Event IDs Group—All
- Activate your configurations. After a successful activation, the Apps field displays Windows Event Collector - Active, Connected.
- In the Windows Event Forwarder Configuration window, perform the following tasks.
Cortex XDR monitors the certificate and triggers a Certificate Expiration notification 30 days prior to the expiration date. The notification is sent daily, specifying the number of days left on the certificate, or that the certificate has already expired.
- Copy the Subscription Manager URL. You will use it when you configure the subscription manager in the Group Policy Object (GPO) on your domain controller.
- Define the Client Certificate Export Password used to secure the downloaded WEF certificate that establishes the connection between your DC/WEF and the WEC. You will need this password when the certificate is imported on the event forwarder.
- Download the WEF certificate in PFX format to your local machine. To view your Windows Event Forwarding configuration details at any time, select your Broker VM, right-click and navigate to Windows Event Collector > Configure Forwarder.
- Install your WEF certificate on the WEF to establish the connection. You must install the WEF certificate on every Windows Server, whether DC or not, that is supposed to forward logs to the Windows Event Collector applet on the broker VM.
- Locate the PFX file you downloaded from the Cortex XDR console and double-click it to open the Certificate Import Wizard.
- In the Certificate Import Wizard:
- Select Local Machine followed by Next.
- Verify the File name field displays the PFX certificate file you downloaded and select Next.
- Select Automatically select the certificate store based on the type of certificate followed by Next and Finish.
- From a command prompt, run certlm.msc.
- In the file explorer, navigate to Certificates and verify the following for each of the folders.
- In the Personal > Certificates folder, ensure the certificate forwarder.wec.paloaltonetworks.com appears.
- In the Trusted Root Certification Authorities > Certificates folder, ensure the CA ca.wec.paloaltonetworks.com appears.
- Navigate to Certificates > Personal > Certificates.
- Right-click the certificate and navigate to All Tasks > Manage Private Keys.
- In the Permissions window, select Add and in the Enter the object name section, specify NETWORK SERVICE followed by Check Names to verify the object name. The object name is displayed with an underline when valid. Then select OK.
- Select OK, verify the Group or user names appear, and then Apply the Permissions for private keys.
- Add the Network Service account to the domain controller Event Log Readers group. To enable event forwarders to forward events, the Network Service account must be a member of the Active Directory Event Log Readers group. In PowerShell, execute the following command on the domain controller that is acting as the event forwarder:

```
PS C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add
```

Make sure you see the message The command completed successfully.
- Grant access to view the security event logs. Run wevtutil gl security and take note of your channelAccess value. For example:

```
PS C:\Users\Administrator> wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 134217728
publishing:
  fileMax: 1
```

Take note of the value: channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

Run wevtutil sl security "/ca:<channelAccess value>(A;;0x1;;;S-1-5-20)", which appends an ACE granting read access (0x1) to NETWORK SERVICE (well-known SID S-1-5-20). For example:

```
PS C:\Users\Administrator> wevtutil sl security "/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"
```

Make sure you grant access on each of your domain controller hosts.
- Create a WEF Group Policy that applies to every Windows server you want to configure as a WEF. Link the policy to the OU or the group of Windows servers you would like to configure as event forwarders. In the following flow, the domain controllers are configured as event forwarders.
- In a command prompt, open gpmc.msc.
- In the Group Policy Management window, navigate to Domains > your domain name > Group Policy Objects, right-click and select New.
- In the New GPO window, enter your group policy Name: Windows Event Forwarding followed by OK.
- Navigate to Domains > your domain name > Group Policy Objects > Windows Event Forwarding, right-click and select Edit.
- In the Group Policy Management Editor:
- Set the Windows Remote Management service for automatic startup.
- Select Computer Configuration > Policies > Windows Settings > Security Settings > System Services, and in the view panel locate and double-click Windows Remote Management (WS-Management).
- Mark Define this policy setting and select Automatic followed by Apply and OK.
- At a minimum, you must enable logging on your domain controller of the same events that you have configured to be collected in your WEC configuration. Otherwise, you will not be able to view these events, because the WEC only controls querying, not logging. For example, if you have configured authentication events to be collected by your WEC using an authentication protocol such as Kerberos, ensure all relevant audit events for authentication are configured on your domain controller. In addition, ensure that all relevant audit events that you want collected, such as the success and failure of account logins for Windows Event ID 4625, are properly configured, particularly those on which you want Cortex XDR to apply grouping and analytics inspection. This step overrides any local policy settings. Here is an example of how to configure the WEC to collect authentication events using Kerberos as the authentication protocol, enabling the collection of the Broker VM supported Kerberos events: pre-authentication, authentication, request, and renewal tickets.
- Select Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon.
- In the view pane, right-click Audit Kerberos Authentication Service and select Properties. In the Audit Kerberos Authentication Service window, mark Configure the following audit events:, select Success and Failure, followed by Apply and OK. Repeat for Audit Kerberos Service Ticket Operations.
- Configure the subscription manager. Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Event Forwarding, right-click Configure target Subscription Manager and select Edit. In the Configure target Subscription Manager window:
- Mark Configure target Subscription Manager as Enabled and enter the Subscription Manager URL you copied from the Windows Event Forwarder Configuration window.
- Select Apply and OK to save your changes.
- Add Network Service to the Event Log Readers group. Select Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right-click and select New > Local Group. In the New Local Group Properties window:
- In the Group name field, select Event Log Readers (built-in).
- In the Members section, select Add and enter Network Service in the Name field followed by OK. You must type out the name; do not select the name from the browse button.
- Select Apply and OK to save your changes, and close the Group Policy Management Editor window.
- Configure the Windows Firewall. If Windows Firewall is enabled on your event forwarders, you will have to define an outbound rule to enable the WEF to reach port 5986 on the WEC. In the Group Policy Management window, select Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules, right-click and select New Rule. In the New Outbound Rule Wizard, define the following steps.
- Rule Type—Select Port followed by Next.
- Protocols and Ports—Select TCP and in the Specific Remote Ports field enter 5986 followed by Next.
- Action—Select Allow the connection followed by Next.
- Profile—Select Domain and disable Private and Public followed by Next.
- Name—Specify Windows Event Forwarding.
- Select Finish to save your configurations.
- Apply the WEF Group Policy.
- Select Group Policy Management > <your domain name> > Domain Controllers, right-click and select Link an existing GPO....
- In the Select GPO window, select Windows Event Forwarding followed by OK.
- In an administrative PowerShell console, execute the following commands.

```
PS C:\Users\Administrator> gpupdate /force
```

Verify that the confirmation message Computer Policy update has completed successfully. User Policy update has completed successfully. appears.

```
PS C:\Users\Administrator> Restart-Service WinRM
```
- Verify Windows Event Forwarding.
- In an administrative PowerShell console, run the following command.

```
PS C:\Users\Administrator> Get-WinEvent Microsoft-windows-WinRM/operational -MaxEvents 10
```

Look for WSMan operation EventDelivery completed successfully confirmation messages. These indicate that events were forwarded successfully.
- (Optional) Manage the Windows Event Collector. After the Windows Event Collector has been activated in the Cortex XDR Management Console, right-click your broker VM and select:
- Windows Event Collector > Configure Forwarder to define the event configuration information.
- Windows Event Collector > Deactivate to disable the Windows Event Collector.
- Windows Event Collector > Collection Configuration to view or edit existing events, or add new events to collect.
- (Optional) In the Apps field, select Windows Event Collector to view the following applet metrics.
- Connectivity Status—Whether the applet is connected to Cortex XDR.
- Logs Received and Logs Sent—Number of logs received and sent by the applet per second over the last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could indicate a connectivity issue.
- Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.
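As a final check of the forwarder-side configuration described above (certificates, private key permissions, Security log ACL, group membership, WinRM, subscription manager policy, firewall path and delivery events), here is an added PowerShell verification script; it is not part of the Cortex XDR documentation. The broker FQDN is a placeholder, and the private key file locations are the standard CAPI and CNG machine key paths.

```powershell
# Added verification script; it is not part of the Cortex XDR documentation.
# Run it in an administrative PowerShell console on each event forwarder.
# $BrokerFqdn is an assumed placeholder: replace it with your Broker VM FQDN.
$BrokerFqdn = 'broker-vm.example.com'
$checks = [ordered]@{}

# Certificates installed by the Certificate Import Wizard (subjects as named in this page)
$wef = Get-ChildItem Cert:\LocalMachine\My  | Where-Object { $_.Subject -like '*forwarder.wec.paloaltonetworks.com*' }
$ca  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*ca.wec.paloaltonetworks.com*' }
$checks['WEF client certificate in Personal'] = [bool]$wef
$checks['WEC CA in Trusted Root']             = [bool]$ca
$checks['WEF certificate valid for 30+ days'] = [bool]($wef | Where-Object { $_.NotAfter -gt (Get-Date).AddDays(30) })

# NETWORK SERVICE needs read access to the private key container (CAPI or CNG key store path)
$keyOk = $false
if ($wef) {
    $c = $wef | Select-Object -First 1
    $name = $null
    try { $name = $c.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch {}
    if ($name) { $path = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name" }
    else {
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
        $path = "$env:ProgramData\Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    if (Test-Path $path) {
        $keyOk = [bool]((Get-Acl $path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
            $_.FileSystemRights -match 'Read|FullControl' })
    }
}
$checks['NETWORK SERVICE can read private key'] = $keyOk

# The Security channel SDDL must carry the (A;;0x1;;;S-1-5-20) ACE added with wevtutil sl
$sddl = (wevtutil gl security | Select-String '^channelAccess:').Line
$checks['Security log ACL grants S-1-5-20'] = $sddl -match 'S-1-5-20'
# Group membership, WinRM service state, subscription manager policy and the path to port 5986
$checks['NETWORK SERVICE in Event Log Readers'] = [bool](net localgroup 'Event Log Readers' | Select-String 'NETWORK SERVICE' -Quiet)
$checks['WinRM running']          = (Get-Service WinRM).Status -eq 'Running'
$checks['WinRM set to Automatic'] = (Get-CimInstance Win32_Service -Filter "Name='WinRM'").StartMode -eq 'Auto'
$sm   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' -ErrorAction SilentlyContinue
$urls = if ($sm) { $sm.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value } } else { @() }
$checks['Subscription Manager URL names the broker'] = [bool]($urls | Where-Object { $_ -like "*$BrokerFqdn*" })
$checks['TCP 5986 reachable on broker'] = (Test-NetConnection $BrokerFqdn -Port 5986 -WarningAction SilentlyContinue).TcpTestSucceeded

# Proof of delivery: the WinRM operational log records successful EventDelivery operations
$ev = Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue
$checks['Recent EventDelivery completed successfully'] = [bool]($ev | Where-Object { $_.Message -like '*EventDelivery completed successfully*' })

$checks.GetEnumerator() | ForEach-Object { '{0} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
```

A FAIL on the Security log ACL or private key line points at the wevtutil or Manage Private Keys step above; a FAIL only on the delivery line with everything else passing usually means the GPO has not refreshed yet (rerun gpupdate /force and restart WinRM).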