Activate the Windows Event Collector

Use this workflow for Broker VM version 8.0 and later. For earlier Broker VM versions, follow the process detailed in Set up a Windows Event Collector.
After you have configured and registered your broker VM, activate your Windows Event Collector application.
The Windows Event Collector (WEC) runs on the broker VM and collects event logs from Domain Controllers (DCs). To enable collection of the event logs, you need to configure the DCs as Windows Event Forwarders (WEFs) and establish trust between them and the WEC. Trust between the WEFs and the WEC is established by mutual authentication over TLS using server and client certificates.
The WEF, a WinRM plugin, runs under the Network Service account. Therefore, you need to provide the WEFs with the relevant certificates and grant that account access permissions to the private key used for client authentication, that is, to authenticate with the WEC.
Ensure you meet the following prerequisites before activating the collector:
  • Cortex XDR Pro per TB license
  • You have knowledge of Windows Active Directory and Domain Controllers.
  • Broker VM is registered in the DNS and its FQDN is resolvable from the DCs.
  • DCs running on Windows Server 2012 or later.
  1. In Cortex XDR, navigate to Cortex XDR > Settings > Broker VMs, and locate your broker VM in the table.
  2. Right-click, and select Windows Event Collector > Activate.
     (Optional) If you already have a signed Windows Event Collector certificate, migrate your existing CA to the Cortex XDR console.
  3. In the Activate Windows Event Collector window, enter your Broker VM FQDN as it will be defined in your Domain Name System (DNS). This enables the connection between Cortex XDR and your Windows Event Collector.
     (Screenshot: broker-vm-wec-activation.png)
  4. Activate your configurations.
     After a successful activation, the Apps field displays Windows Event Collector - Active, Connected.
  5. In the Windows Event Forwarder Configuration window:
     • Copy the Subscription Manager URL. This will be used when you configure the subscription manager in the GPO (Group Policy Object) on your DC.
     • Define the Client Certificate Export Password, used to secure the downloaded Windows Event Forwarder (WEF) certificate that establishes the connection between Cortex XDR and the Windows Event Collector. You will need this password when the certificate is imported to the DC.
       (Screenshot: broker-vm-WEF.png)
     • Download the WEF certificate in PFX format.
     To view your Windows Event Forwarder Configuration details at any time, right-click and select Applet Management > Configure Windows Event Forwarder.
  6. (Optional) In the Apps field, select Windows Event Collector to view the following applet metrics:
     • Connectivity Status—Whether the applet is connected to Cortex XDR.
     • Logs Received and Logs Sent—Number of logs received and sent by the applet per second over the last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could indicate a connectivity issue.
     • Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.
     (Screenshot: wec-metrics.png)
  7. Manage the Windows Event Collector.
     After the Windows Event Collector has been activated, right-click your broker VM and select:
     • Windows Event Collector > Configure to redefine the Windows Event Collector configurations.
     • Windows Event Collector > Deactivate to disable the Windows Event Collector.
  8. Install your WEF certificate on the DC to establish the connection.
     1. Copy the PFX file you downloaded from the Cortex XDR console to your DC, double-click the file, and import it to Local Machine.
     2. Run certlm.msc.
     3. Navigate to Certificates > Personal and verify the following:
        • In the Personal > Certificates folder, ensure the certificate has been imported.
        • In the Trusted Root Certification Authorities folder, ensure the CA was added.
        (Screenshot: wef-dc-ca-certificate.png)
     4. Navigate to Certificates > Personal > Certificates.
     5. Right-click the certificate and navigate to All Tasks > Manage Private Keys.
     6. In the Permissions window, select Add, and in the Enter the object name section, enter NETWORK SERVICE followed by OK.
        (Screenshot: certificate-permission.png)
        Verify that the Group or user names appear.
        (Screenshot: verify-permissions.png)
  9. Add the Network Service account to the DC Event Log Readers group.
    1. To enable DCs to forward events, the Network Service account must be a member of the Active Directory Event Log Readers group. In PowerShell, execute the following command on the DC:
      C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add
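The following script is an added example, not part of the Cortex XDR documentation, that performs steps 8 and 9 from an administrative PowerShell console on the DC and checks each result. It assumes the PFX was copied to C:\Temp\wef.pfx (a placeholder path) and that the Client Certificate Export Password is entered when prompted.

```powershell
# Added example (not from the Cortex XDR documentation): steps 8 and 9 on a DC, with checks.
# Assumptions: PFX copied to C:\Temp\wef.pfx (placeholder) and the export password entered at the prompt.
$PfxPath     = 'C:\Temp\wef.pfx'
$PfxPassword = Read-Host -Prompt 'Client Certificate Export Password' -AsSecureString

# Step 8.1: import the client certificate into Local Machine > Personal.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
Write-Host "Imported $($cert.Subject) with thumbprint $($cert.Thumbprint)"

# Step 8.3: the issuing CA must be present in Trusted Root Certification Authorities.
$ca = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Subject -eq $cert.Issuer }
if (-not $ca) { throw "Issuer '$($cert.Issuer)' is not in LocalMachine\Root; import the CA into Trusted Root Certification Authorities." }
if (-not $cert.HasPrivateKey) { throw 'The imported certificate has no private key; re-download the PFX from the console.' }

# Step 8.6: WinRM runs the forwarder as Network Service, so that account needs read access to the
# private key file. Locate the key container (CNG or legacy CSP) on disk and grant access with icacls.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' was not found under ProgramData\Microsoft\Crypto." }
icacls $keyFile.FullName /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
if (-not (icacls $keyFile.FullName | Select-String -SimpleMatch 'NETWORK SERVICE')) { throw 'Granting Network Service read access to the key failed.' }

# Step 9: Network Service must be a member of Event Log Readers to read the logs it forwards.
if (-not ((net localgroup 'Event Log Readers') -match 'NETWORK SERVICE')) {
    net localgroup 'Event Log Readers' 'NT AUTHORITY\NETWORK SERVICE' /add | Out-Null
}
Write-Host 'WEF certificate installed, private key ACL set, and Event Log Readers membership confirmed.'
```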
  10. Create a WEF Group Policy which applies to every DC you want to configure as a WEF.
     1. Open gpmc.msc.
     2. Create a new Group Policy and name it Windows Event Forwarding.
     3. In the Group Policy Management window, navigate to Domains > <your domain name> > Windows Event Forwarding, right-click, and select Edit.
        (Screenshot: group-policy-management.png)
     4. In the Group Policy Management Editor:
        • Set the WinRM service for automatic startup.
          • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services, and double-click Windows Remote Management.
          • Mark Define this policy setting and select Automatic.
        • Enable collection of the Kerberos events supported by the Broker VM: Kerberos pre-authentication, authentication, request, and renewal tickets.
          • Navigate to Computer Configuration > Policies > Advanced Audit Policy Configuration > Audit Policy > Account Logon.
          • Configure Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations to Success and Failure.
     5. Configure the subscription manager.
        Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding, and double-click Configure target Subscription Manager.
        (Screenshot: target-subscription-manager.png)
        In the Configure target Subscription Manager window, select Show.
     6. Add Network Service to the Event Log Readers group.
        Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right-click, and select New Local Group.
        (Screenshot: event-log-readers.png)
        In the Event Log Readers (built-in) Properties window:
        • In the Group name field, select Event Log Readers (built-in).
        • In the Members section, select Add and enter Network Service in the Name field.
          You must type the name; it cannot be selected with the browse button.
        • Select OK.
     7. Configure the Windows Firewall.
        If Windows Firewall is enabled on your DCs, you will have to define an outbound rule to enable the WEF to reach port 5986 on the WEC.
        Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules, right-click, and select New Rule.
        Configure the following:
        • Type - Port
        • TCP - Port 5986
        • Allow the connection
        • Mark Domain, disable Private and Public
        • Name the rule Windows Event Forwarding
        • Finish
  11. Apply the WEF Group Policy.
     Link the policy to the DC OU or the group of DCs you would like to configure as WEFs.
     1. Navigate to Group Policy Management > <your domain name> > Domain Controllers, right-click, and select Link an existing GPO...
     2. Select the WEF Group Policy you created, Windows Event Forwarding.
        (Screenshot: windows-event-forwarding.png)
     3. In an administrative PowerShell console, execute the following commands:
        PS C:\Users\Administrator> gpupdate /force
        PS C:\Users\Administrator> Restart-Service WinRM
  12. Verify Windows Event Forwarding.
     1. In an administrative PowerShell console, run the following command:
        PS C:\Users\Administrator> Get-WinEvent Microsoft-Windows-WinRM/Operational -MaxEvents 10
     2. Look for WSMan operation EventDelivery completed successfully messages. These indicate that events were forwarded successfully.
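Beyond looking for the delivery message, a defender usually wants one check that covers every step of this procedure. The following script is an added example, not from the Cortex XDR documentation; it runs on a DC after the GPO is applied and assumes $WecFqdn holds the broker VM FQDN entered at activation (a placeholder below) and Windows Server 2012 R2 or later for Test-NetConnection.

```powershell
# Added verification script (not from the Cortex XDR documentation): one pass over the settings
# this procedure changed on a DC. Assumption: $WecFqdn is the broker VM FQDN (placeholder value).
$WecFqdn = 'broker-vm.example.com'   # placeholder: replace with your broker VM FQDN
$results = [ordered]@{}

# GPO step 4: WinRM must be running and set to Automatic.
$svc = Get-Service WinRM
$results['WinRM running']   = ($svc.Status -eq 'Running')
$results['WinRM automatic'] = ($svc.StartType -eq 'Automatic')

# GPO step 5: the Configure target Subscription Manager policy is stored under this registry key
# and should reference the WEC FQDN.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$sm = Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue
$results['SubscriptionManager references WEC'] = [bool]($sm.PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -match [regex]::Escape($WecFqdn) })

# GPO step 7: outbound TCP 5986 to the WEC must pass the firewall (requires Server 2012 R2+).
$tnc = Test-NetConnection -ComputerName $WecFqdn -Port 5986 -WarningAction SilentlyContinue
$results['TCP 5986 reachable'] = $tnc.TcpTestSucceeded

# Steps 9 / GPO step 6: Network Service in Event Log Readers.
$results['Network Service in Event Log Readers'] = [bool]((net localgroup 'Event Log Readers') -match 'NETWORK SERVICE')

# GPO step 4: both Kerberos audit subcategories at Success and Failure.
foreach ($sub in 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations') {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    $results["Audit: $sub"] = ($row.'Inclusion Setting' -eq 'Success and Failure')
}

# Step 12: count successful deliveries and WinRM errors in the operational log.
$evts = Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue
$delivered = @($evts | Where-Object { $_.Message -match 'EventDelivery' -and $_.Message -match 'completed successfully' })
$errors    = @($evts | Where-Object { $_.LevelDisplayName -eq 'Error' })
$results['EventDelivery successes (last 200)'] = $delivered.Count
$results['WinRM errors (last 200)']            = $errors.Count

$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
# A False above maps to the step that configures it; WinRM error events usually state the TLS or
# certificate cause, for example a private key that Network Service cannot read.
$errors | Select-Object -First 3 TimeCreated, Id, Message | Format-List
```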
