Activate the Windows Event Collector

Set up your Windows Event Collector to connect with the Cortex XDR Broker VM and collect events.
After you have configured and registered your broker VM, activate your Windows Event Collector application.
The Windows Event Collector (WEC) runs on the broker VM and collects event logs from Windows Servers, including Domain Controllers (DCs). The WEC can be deployed in several topologies: it can be connected directly to multiple event generators (DCs or Windows Servers), or events can be routed through one or more intermediate Windows Event Collectors, each of which may itself have multiple generating sources behind it.
To enable the collection of the event logs, you need to configure the generating servers as Windows Event Forwarders (WEFs) and establish trust between them and the WEC. Trust between the WEFs and the WEC is established by mutual authentication over TLS using server and client certificates. The WEF is a WinRM plugin and therefore runs under the Network Service account. You must provide each WEF with the relevant certificates and grant the Network Service account read access to the private key of the client certificate it uses to authenticate to the WEC.
Ensure you meet the following prerequisites before activating the collector:
  • Cortex XDR Pro per TB license
  • Broker VM version 8.0 and later
  • You have knowledge of Windows Active Directory and Domain Controllers.
  • Broker VM is registered in the DNS and its FQDN is resolvable from the events forwarder (Windows server).
  • Windows Server 2012 or later.
  1. In Cortex XDR, navigate to Cortex XDR > Settings > Broker VMs and locate your broker VM in the table.
  2. Right-click and select Windows Event Collector > Activate.
    (Optional) If you already have a signed Windows Event Collector certificate, migrate your existing CA to the Cortex XDR console.
  3. In the Activate Windows Event Collector window, define the following:
    1. Set your Broker VM FQDN exactly as it is defined in your Domain Name System (DNS). The WEFs use this name to reach the WEC, which acts as their subscription manager.
    2. Define the events collected by the applet. This lists the event sources from which you want to collect events:
      • Source
        —Select from the pre-populated list of the most common event sources on Windows Servers. The event source is the name of the software that logs the events.
        A source provider can appear only once in your list. Depending on the type of event you want to forward, make sure the event source is actually enabled on the forwarder (for example, auditing of security events). If the source is not enabled, the configuration in that row fails.
      • Min. Event Level
        —Minimum severity level of events that are collected.
      • Event IDs Group
        —Whether to Include, Exclude, or collect All event ID groups.
      • (Optional) Event IDs
        —Define specific event IDs or event ID ranges you want to collect. Press Enter after each entry.
      For example, to forward all Windows Event Collector events to the broker VM, define the row as follows:
      • Source: ForwardedEvents
      • Min. Event Level: Verbose
      • Event IDs Group: All
      By default, Cortex XDR collects the Palo Alto Networks predefined Security events that are used by the Cortex XDR detectors. Removing the Security collector interferes with Cortex XDR detection functionality. Select Restore to Default to reinstate the Security event collection.
  4. Activate your configurations.
    After a successful activation, the Apps field displays Windows Event Collector - Active, Connected.
  5. In the Windows Event Forwarder Configuration window:
    1. Copy the Subscription Manager URL. You will use it when you configure the subscription manager in the Group Policy Object (GPO) on your DC.
    2. Define a Client Certificate Export Password. It protects the downloaded Windows Event Forwarder (WEF) certificate, which is used to establish the connection between the DC/WEF and the WEC. You will need this password when you import the certificate on the event forwarder.
    3. Download the WEF certificate in PFX format.
      To view your Windows Event Forwarder Configuration details at any time, right-click your Broker VM and navigate to Windows Event Collector > Configure Forwarder.
    Cortex XDR monitors the certificate and triggers a Certificate Expiration notification 30 days before the expiration date. The notification is sent daily and specifies the number of days left on the certificate, or that the certificate has already expired.
  6. Install the WEF certificate on the event forwarder to establish the connection.
    1. Copy the PFX file you downloaded from the Cortex XDR console to your event forwarder, double-click the file, and import it into the Local Machine store.
    2. Run certlm.msc.
    3. Navigate to Certificates > Personal and verify the following:
      • In the Personal > Certificates folder, the certificate has been imported.
      • In the Trusted Root Certification Authorities folder, the CA has been added.
    4. Navigate to Certificates > Personal > Certificates.
    5. Right-click the certificate and navigate to All Tasks > Manage Private Keys.
    6. In the Permissions window, select Add, enter NETWORK SERVICE in the Enter the object name section, and select OK.
      Verify that NETWORK SERVICE now appears under Group or user names. Read access is sufficient: the WinRM service only needs to use the key for client authentication, not to export it.
  7. Add the Network Service account to the Event Log Readers group on the event forwarder.
    1. For an event forwarder to read and forward event logs, the Network Service account must be a member of the Event Log Readers built-in group (the local group on a member server; on a domain controller, the domain's Builtin group). In an elevated PowerShell or command prompt on the event forwarder, execute:
      C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add
    2. Grant read access to the Security event log channel. The Security log has its own channel ACL (an SDDL string), so add an explicit ACE for NETWORK SERVICE (SID S-1-5-20) with read access (0x1) to it.
      1. Run wevtutil gl security and take note of your channelAccess value.
      2. Run wevtutil sl security "/ca:<channelAccess value>(A;;0x1;;;S-1-5-20)", replacing <channelAccess value> with the string from the previous step so that the existing ACEs are preserved.
      Make sure you grant access on each of your event forwarder hosts.
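Steps 6 and 7 can be scripted and verified in one pass. The following PowerShell is an added example written for this page, not code from the Cortex XDR documentation or from Palo Alto Networks. It assumes the client certificate uses an RSA key; the PFX path is a placeholder. Run it elevated on each event forwarder.

```powershell
# Added example (not Cortex XDR documentation code). Run elevated on each forwarder.
# Assumptions: the PFX path is a placeholder; the WEF client certificate has an RSA key.
$PfxPath     = 'C:\Temp\wef-client.pfx'                   # assumption: path of the downloaded PFX
$PfxPassword = Read-Host -AsSecureString 'Client Certificate Export Password'
$NetSvcName  = 'NT AUTHORITY\NETWORK SERVICE'
$NetSvcSid   = 'S-1-5-20'                                 # well-known SID of NETWORK SERVICE

# 1. Import the PFX into the Local Machine personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
if (-not $cert.HasPrivateKey) { throw "No private key imported for $($cert.Subject)" }

# The issuing CA must be trusted by the machine for the TLS chain to validate.
$issuer = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA | Where-Object Subject -eq $cert.Issuer
if (-not $issuer) { Write-Warning "Issuer '$($cert.Issuer)' is not in the Root or CA store; import the CA from the PFX chain" }

# 2. Equivalent of certlm.msc > Manage Private Keys: grant NETWORK SERVICE read access
#    to the key container file. CNG keys live under Crypto\Keys, legacy CAPI keys
#    under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa.GetType().Name -eq 'RSACng') { $rsa.Key.UniqueName }
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto\Keys",
                               "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
               -Filter $keyName -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Private key container $keyName not found on disk" }
icacls $keyFile.FullName /grant "${NetSvcName}:R" | Out-Null

# 3. Event Log Readers membership, skipped when already present.
$members = net localgroup 'Event Log Readers'
if (-not ($members -match 'NETWORK SERVICE')) {
    net localgroup 'Event Log Readers' $NetSvcName /add | Out-Null
}

# 4. Security channel ACL: append (A;;0x1;;;S-1-5-20) (allow read) to the existing
#    SDDL so the default ACEs are kept. Safe to re-run.
$channelAccess = (wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
$ace = "(A;;0x1;;;$NetSvcSid)"
if ($channelAccess -notlike "*$ace*") {
    wevtutil sl Security "/ca:$channelAccess$ace"
}

# 5. Report what is now in place.
[pscustomobject]@{
    Certificate     = $cert.Subject
    Expires         = $cert.NotAfter
    KeyFileAcl      = (icacls $keyFile.FullName | Select-String 'NETWORK SERVICE') -join '; '
    EventLogReaders = [bool](net localgroup 'Event Log Readers' | Select-String 'NETWORK SERVICE')
    SecurityChannel = (wevtutil gl Security | Select-String '^channelAccess').Line
}
```

The script appends the ACE to the existing channelAccess string rather than replacing it, which is the mistake the manual wevtutil sl command invites; if the Security channel later needs its default ACL back, wevtutil gl Security shows the current value to edit.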
  8. Create a WEF Group Policy that applies to every Windows server you want to configure as a WEF.
    1. Open gpmc.msc.
    2. Create a new Group Policy and name it Windows Event Forwarding.
    3. In the Group Policy Management window, navigate to Domains > <your domain name> > Windows Event Forwarding, right-click, and select Edit.
    4. In the Group Policy Management Editor:
      • Set the WinRM service to start automatically.
        • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services, and double-click Windows Remote Management (WS-Management).
        • Mark Define this policy setting and select Automatic.
      • Enable collection of the Kerberos events the Broker VM supports: Kerberos pre-authentication, authentication, and ticket request and renewal events.
        • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy > Account Logon.
        • Configure Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations to Success and Failure.
    5. Configure the subscription manager.
      Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding, and double-click Configure target Subscription Manager.
      In the Configure target Subscription Manager window, select Enabled, select Show, and paste the Subscription Manager URL you copied from the Windows Event Forwarder Configuration window.
    6. Add Network Service to the Event Log Readers group.
      Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right-click, and select New > Local Group.
      In the Event Log Readers (built-in) Properties window:
      • In the Group name field, select Event Log Readers (built-in).
      • In the Members section, select Add and type Network Service in the Name field.
        You must type the name; it cannot be selected with the browse button.
      • Select OK.
    7. Configure the Windows Firewall.
      If Windows Firewall is enabled on your event forwarders, define an outbound rule that lets the WEF reach port 5986 on the WEC.
      Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules, right-click, and select New Rule.
      Configure the following:
      • Rule type: Port
      • Protocol and port: TCP, port 5986
      • Action: Allow the connection
      • Profile: mark Domain, clear Private and Public
      • Name: Windows Event Forwarding
      • Finish
  9. Apply the WEF Group Policy.
    Link the policy to the OU or the group of Windows servers you want to configure as event forwarders. In the following flow, the domain controllers are configured as event forwarders.
    1. Navigate to Group Policy Management > <your domain name> > Domain Controllers, right-click, and select Link an existing GPO....
    2. Select the WEF Group Policy you created, Windows Event Forwarding.
    3. In an administrative PowerShell console on the event forwarder, execute the following commands:
      PS C:\Users\Administrator> gpupdate /force
      PS C:\Users\Administrator> Restart-Service WinRM
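For a lab host, or to validate the settings before linking the GPO, the same configuration the Windows Event Forwarding GPO carries can be applied directly on one forwarder. The PowerShell below is an added example written for this page, not code from the Cortex XDR documentation or from Palo Alto Networks. It prompts for the Subscription Manager URL copied from the Windows Event Forwarder Configuration window rather than assuming its format, and it does not repeat the Event Log Readers membership already handled in step 7. Values written under HKLM:\SOFTWARE\Policies are overwritten at the next Group Policy refresh, so production hosts should receive these settings from the GPO.

```powershell
# Added example (not Cortex XDR documentation code): local equivalent of the
# "Windows Event Forwarding" GPO for a single forwarder. Run elevated.
# Assumption: the subscription manager string is supplied interactively from the
# Cortex XDR console; nothing about its format is assumed here.
$SubscriptionManager = Read-Host 'Subscription Manager URL (from the Windows Event Forwarder Configuration window)'
$WecPort  = 5986
$RuleName = 'Windows Event Forwarding'

# System Services policy: WinRM starts automatically and is running.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Advanced Audit Policy > Account Logon: the two Kerberos subcategories, Success and Failure.
foreach ($sub in 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations') {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Administrative Templates > Windows Components > Event Forwarding >
# Configure target Subscription Manager writes numbered string values under this key.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
Set-ItemProperty -Path $smKey -Name '1' -Value $SubscriptionManager -Type String

# Outbound firewall rule to the WEC on 5986/TCP, domain profile only, created once.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP -RemotePort $WecPort `
        -Action Allow -Profile Domain | Out-Null
}

# WinRM reads the subscription manager policy at start, so restart it (as after gpupdate /force).
Restart-Service -Name WinRM

# Confirm what was applied.
[pscustomobject]@{
    WinRM               = (Get-CimInstance Win32_Service -Filter "Name='WinRM'" | ForEach-Object { "$($_.State)/$($_.StartMode)" })
    SubscriptionManager = (Get-ItemProperty -Path $smKey -Name '1').'1'
    FirewallRule        = (Get-NetFirewallRule -DisplayName $RuleName).Enabled
    KerberosAudit       = (auditpol /get /subcategory:"Kerberos Authentication Service" | Select-String 'Kerberos').Line.Trim()
}
```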
  10. Verify Windows Event Forwarding.
    1. In an administrative PowerShell console on the event forwarder, run the following command:
      PS C:\Users\Administrator> Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational -MaxEvents 10
    2. Look for WSMan operation EventDelivery completed successfully messages. These indicate that events were forwarded successfully.
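When the EventDelivery messages do not appear, the failure is usually in one of the prerequisites: DNS resolution of the Broker VM FQDN, the subscription manager policy not reaching the host, WinRM not running, the client certificate or its private key missing, or port 5986 being blocked. The PowerShell below checks each of these from the forwarder and is an added troubleshooting example written for this page, not code from the Cortex XDR documentation or from Palo Alto Networks. The WEC FQDN is a placeholder, and the WEF client certificate is assumed to carry the Client Authentication EKU.

```powershell
# Added troubleshooting example (not Cortex XDR documentation code). Run elevated on
# a forwarder after the GPO has applied. Assumptions: the WEC FQDN is a placeholder;
# the WEF client certificate is identified by its Client Authentication EKU.
$WecFqdn = 'broker-vm.example.local'    # assumption: your Broker VM FQDN
$WecPort = 5986
$r = [ordered]@{}

# 1. Prerequisite: the Broker VM FQDN resolves from this host.
try { $r['DNS'] = ([System.Net.Dns]::GetHostAddresses($WecFqdn) | ForEach-Object IPAddressToString) -join ', ' }
catch { $r['DNS'] = "FAILED: $($_.Exception.Message)" }

# 2. Subscription manager URL(s) delivered by the GPO.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$r['SubscriptionManager'] = if (Test-Path $smKey) {
    ((Get-ItemProperty $smKey).PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value) -join '; '
} else { 'NOT SET (GPO not applied?)' }

# 3. WinRM service state and start mode.
$svc = Get-CimInstance Win32_Service -Filter "Name='WinRM'"
$r['WinRM'] = "$($svc.State), StartMode=$($svc.StartMode)"

# 4. Client certificate with a private key in the Local Machine store.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$r['ClientCert'] = if ($clientCert) { "$($clientCert.Subject), expires $($clientCert.NotAfter)" } else { 'NOT FOUND' }

# 5. Firewall/route and TLS: connect to the WEC and complete a handshake, offering the
#    client certificate. This validates the WEC server certificate chain from this
#    host. The real WinRM session runs as NETWORK SERVICE, so success here still
#    depends on the private key permission granted in step 6.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($WecFqdn, $WecPort)
    $script:sslErrors = 'None'
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $e) $script:sslErrors = $e; $true })
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    if ($clientCert) { [void]$certs.Add($clientCert) }
    $ssl.AuthenticateAsClient($WecFqdn, $certs, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $r['TLS'] = "server=$($ssl.RemoteCertificate.Subject); policyErrors=$script:sslErrors; mutual=$($ssl.IsMutuallyAuthenticated)"
    $ssl.Dispose(); $tcp.Close()
} catch { $r['TLS'] = "FAILED: $($_.Exception.Message)" }

# 6. Kerberos audit subcategories set by the GPO.
$r['AuditPolicy'] = $(foreach ($sub in 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations') {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
    "$sub=$($row.'Inclusion Setting')"
}) -join '; '

# 7. Delivery evidence in the WinRM operational log (the check in step 10).
$delivered = Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EventDelivery' } | Select-Object -First 1
$r['EventDelivery'] = if ($delivered) { "$($delivered.TimeCreated): $(($delivered.Message -split "`r?`n")[0])" }
                      else { 'no EventDelivery entries yet' }

[pscustomobject]$r | Format-List
```

Read the TLS line first: policyErrors other than None means the WEC server certificate chain is not trusted by this host, and mutual=False with a client certificate present means the WEC did not accept it, which points at the certificate downloaded from the console rather than at the forwarder's audit or firewall settings.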
  11. (Optional) Manage the Windows Event Collector.
    After the Windows Event Collector has been activated in the Cortex XDR Management Console, right-click your broker VM and select:
    • Windows Event Collector > Configure Forwarder to view or change the event forwarder configuration information.
    • Windows Event Collector > Deactivate to disable the Windows Event Collector.
    • Windows Event Collector > Collection Configuration to view or edit existing events, or add new events, to collect.
  12. (Optional) In the Apps field, select Windows Event Collector to view the following applet metrics:
    • Connectivity Status
      —Whether the applet is connected to Cortex XDR.
    • Logs Received and Logs Sent
      —Number of logs received and sent by the applet per second over the last 24 hours. If the number of logs received is consistently larger than the number of logs sent, it could indicate a connectivity issue between the broker VM and Cortex XDR.
    • Resources
      —Displays the amount of CPU, Memory, and Disk space the applet is using.
