Activate the Windows Event Collector

Set up your Windows Event Collector to connect with the Cortex XDR Broker VM and collect events.
After you have configured and registered your broker VM, activate your Windows Event Collector application.
The Windows Event Collector (WEC) runs on the broker VM collecting event logs from Windows Servers, including Domain Controllers (DCs). The Windows Event Collector may be deployed in multiple setups, and can be connected directly to multiple event generators (DCs or Windows Servers) or routed using one or more Windows Event Collectors. Behind each Windows event collector there may be multiple generating sources.
To enable the collection of the event logs, you need to configure and establish trust between the Windows Event Forwarding (WEF) forwarders and the WEC. Trust between the WEFs and the WEC is established by mutual authentication over TLS using server and client certificates. The WEF, a WinRM plugin, runs under the Network Service account. Therefore, you need to provide the WEFs with the relevant certificates and grant that account access permissions to the private key used for client authentication, so that the forwarder can authenticate to the WEC.
Ensure you meet the following prerequisites before activating the collector:
  • Cortex XDR Pro per TB license
  • Broker VM version 8.0 and later
  • You have knowledge of Windows Active Directory and Domain Controllers.
  • Broker VM is registered in the DNS, its FQDN is resolvable from the events forwarder (Windows server), and the Broker VM FQDN is configured. For more information on configuring the Broker VM FQDN, see Edit Your Broker VM Configuration.
  • Windows Server 2012 or later.
  1. In Cortex XDR, select Settings > Configurations > Broker VM and locate your broker VM.
  2. Right-click and select Windows Event Collector > Activate.
    (Optional) If you already have a Windows Event Collector signed certificate, migrate your existing CA to the Cortex XDR console.
  3. In the Windows Event Collection Configuration window, define the following:
    Define the events collected by the applet. This lists the event sources from which you want to collect events:
    • Source—Select from the pre-populated list of the most common event sources on Windows Servers. The event source is the name of the software that logs the events.
      A source provider can only appear once in your list. When selecting event sources, depending on the type of event you want to forward, ensure the event source is enabled, for example auditing of security events. If the source is not enabled, the source configuration in the given row will fail.
    • Min. Event Level—Minimum severity level of events that are collected.
    • Event IDs Group—Whether to Include, Exclude, or collect All event ID groups.
    • Event IDs—(Optional) Define specific event IDs or event ID ranges you want to collect. Make sure to select after each entry.
    • Minimal TLS Version—Select either 1.0 or 1.2 (default) as the minimum TLS version allowed. Verify that all Windows event forwarders support the defined minimum TLS version.
    For example, to forward all the Windows Event Collector events to the broker VM, define the following:
    • Source: ForwardedEvents
    • Min. Event Level: Verbose
    • Event IDs Group: All
    By default, Cortex XDR collects the Palo Alto Networks predefined Security events that are used by the Cortex XDR detectors. Removing the Security collector interferes with the Cortex XDR detection functionality. Select Restore to Default to reinstate the Security event collection.
  4. Activate your configurations.
    After a successful activation, the Apps field displays Windows Event Collector - Active, Connected.
  5. In the Windows Event Forwarder Configuration window:
    1. Copy the Subscription Manager URL. This will be used when you configure the subscription manager in the GPO (Group Policy Object) on your domain controller.
    2. Define the Client Certificate Export Password used to secure the downloaded WEF certificate that establishes the connection between your DC/WEF and the WEC. You will need this password when the certificate is imported on the events forwarder.
    3. Download the WEF certificate in PFX format to your local machine.
      To view your Windows Event Forwarding configuration details at any time, select your Broker VM, right-click and navigate to Windows Event Collector > Configure Forwarder.
    Cortex XDR monitors the certificate and triggers a Certificate Expiration notification 30 days prior to the expiration date. The notification is sent daily specifying the number of days left on the certificate, or that the certificate has already expired.
  6. Install your WEF certificate on the events forwarder to establish the connection.
    1. Locate the PFX file you downloaded from the Cortex XDR console and double-click it to open the Certificate Import Wizard.
    2. In the Certificate Import Wizard:
      1. Select Local Machine followed by Next.
      2. Verify the File name field displays the PFX certificate file you downloaded and select Next.
      3. In the Password field, enter the Client Certificate Export Password you defined in the Cortex XDR console followed by Next.
      4. Select Automatically select the certificate store based on the type of certificate followed by Next and Finish.
    3. From a command prompt, run certlm.msc.
    4. In the console tree, navigate to Certificates and verify the following for each of the folders:
      • In the Personal > Certificates folder, ensure the certificate forwarder.wec.paloaltonetworks.com appears.
      • In the Trusted Root Certification Authorities > Certificates folder, ensure the CA ca.wec.paloaltonetworks.com appears.
    5. Navigate to Certificates > Personal > Certificates.
    6. Right-click the certificate and navigate to All Tasks > Manage Private Keys.
    7. In the Permissions window, select Add and, in the Enter the object name section, enter NETWORK SERVICE followed by Check Names to verify the object name. The object name is displayed with an underline when valid. Then select OK.
    8. Select OK, verify the Group or user names appear, and then Apply the permissions for the private key.
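    The same verification and private-key permission grant can be scripted on the forwarder, which is useful when you roll the certificate out to many servers. The following is an added example and is not part of the Cortex XDR documentation or Palo Alto Networks' tooling; it assumes the certificate subject names shown in the procedure (forwarder.wec.paloaltonetworks.com and ca.wec.paloaltonetworks.com) and that the PFX was already imported into the Local Machine stores. Run it in an administrative PowerShell console.

```powershell
# Added example (not from the Cortex XDR documentation): confirm the WEF client
# certificate and its CA landed in the right Local Machine stores, then grant
# NT AUTHORITY\NETWORK SERVICE read access to the client private key, which is
# what "Manage Private Keys" does in certlm.msc. Names below are assumptions.
$ForwarderCn = 'forwarder.wec.paloaltonetworks.com'
$CaCn        = 'ca.wec.paloaltonetworks.com'
$KeyReader   = 'NT AUTHORITY\NETWORK SERVICE'

# 1. The client certificate must be in Personal and carry a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$ForwarderCn*" -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "Certificate '$ForwarderCn' with a private key was not found in Personal" }

# 2. The issuing CA must be in Trusted Root Certification Authorities.
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$CaCn*" }
if (-not $ca) { throw "CA certificate '$CaCn' was not found in Trusted Root Certification Authorities" }

# 3. Mirror the console's 30-day expiry warning locally.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le 30) { Write-Warning "WEF certificate expires in $daysLeft day(s) ($($cert.NotAfter))" }

# 4. Locate the key container file on disk. CNG keys expose Key.UniqueName;
#    legacy CAPI (CryptoAPI) keys expose CspKeyContainerInfo.UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Private key is not an RSA key or could not be opened' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFileName = $rsa.Key.UniqueName
} else {
    $keyFileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File `
           -Filter $keyFileName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyFileName' was not found under ProgramData\Microsoft\Crypto" }

# 5. Grant read-only access to the key file. Read is all the WinRM plugin needs
#    to use the key for client authentication; do not grant Modify or FullControl.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($KeyReader, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 6. Re-read the ACL and show the resulting entry, as the Permissions dialog would.
(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference -eq $KeyReader } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The script stops with an error at the first missing piece (certificate, CA, or key file), so a failed run tells you which of the certlm.msc checks in step 6 would have failed, instead of silently leaving the forwarder unable to authenticate to the WEC.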
  7. Add the Network Service account to the domain controller Event Log Readers group.
    1. To enable event forwarders to forward events, the Network Service account must be a member of the Active Directory Event Log Readers group. In PowerShell, execute the following command on the domain controller that is acting as the event forwarder:
      PS C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add
      Make sure you see the message The command completed successfully.
    2. Grant access to view the security event logs.
      1. Run wevtutil gl security and take note of your channelAccess value.
        For example:
        PS C:\Users\Administrator> wevtutil gl security
        name: security
        enabled: true
        type: Admin
        owningPublisher:
        isolation: Custom
        channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
        logging:
          logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
          retention: false
          autoBackup: false
          maxSize: 134217728
        publishing:
          fileMax: 1
        Take note of the value:
        channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
      2. Run wevtutil sl security "/ca:<channelAccess value>(A;;0x1;;;S-1-5-20)"
        For example:
        PS C:\Users\Administrator> wevtutil sl security "/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"
      Make sure you grant access on each of your domain controller hosts.
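    Because the channelAccess SDDL differs from host to host (hardened domain controllers often carry extra ACEs), copying the string from one DC to another can silently drop existing entries. The following added example, which is not part of the Cortex XDR documentation, reads the current channelAccess value from wevtutil on the host it runs on, appends the Network Service read ACE only if it is not already present, and confirms both the ACE and the group membership from step 7.1. The only constant it assumes is the ACE from the procedure itself.

```powershell
# Added example (not from the Cortex XDR documentation): idempotent version of
# step 7 for one domain controller. Run in an administrative PowerShell console.
# S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE and 0x1 is
# read access on the channel, matching the ACE given in the procedure.
$NetworkServiceAce = '(A;;0x1;;;S-1-5-20)'

function Get-SecurityChannelAccess {
    # Parse the channelAccess line out of "wevtutil gl security" instead of hard-coding it.
    $m = wevtutil gl security | Select-String -Pattern '^channelAccess:\s*(\S+)' | Select-Object -First 1
    if (-not $m) { throw 'channelAccess not found in wevtutil output; run this as an administrator' }
    return $m.Matches[0].Groups[1].Value
}

$current = Get-SecurityChannelAccess
Write-Host "Current channelAccess: $current"

if ($current -like "*$NetworkServiceAce*") {
    Write-Host 'NETWORK SERVICE already has read access to the Security channel; nothing to do.'
} else {
    # Append the ACE to the existing SDDL so site-specific entries are preserved.
    $new = "$current$NetworkServiceAce"
    wevtutil sl security "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl security failed with exit code $LASTEXITCODE" }
}

# Verify the change actually took effect on the channel.
$after = Get-SecurityChannelAccess
if ($after -notlike "*$NetworkServiceAce*") { throw 'channelAccess was not updated' }
Write-Host "Verified channelAccess: $after"

# Verify the group membership added in step 7.1 (net localgroup lists the member
# as NT AUTHORITY\NETWORK SERVICE).
$members = net localgroup "Event Log Readers"
if (-not ($members -match 'NETWORK SERVICE')) {
    Write-Warning 'NT AUTHORITY\NETWORK SERVICE is not a member of Event Log Readers on this host'
} else {
    Write-Host 'NETWORK SERVICE is a member of Event Log Readers.'
}
```

Run it on each domain controller, as the procedure requires; running it twice on the same host is harmless because the ACE is only appended when absent.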
  8. Create a WEF Group Policy that applies to every Windows server you want to configure as a WEF.
    1. In a command prompt, open gpmc.msc.
    2. In the Group Policy Management window, navigate to Domains > <your domain name> > Group Policy Objects, right-click and select New.
    3. In the New GPO window, enter the group policy Name: Windows Event Forwarding followed by OK.
    4. Navigate to Domains > <your domain name> > Group Policy Objects > Windows Event Forwarding, right-click and select Edit.
    5. In the Group Policy Management Editor:
      • Set the Windows Remote Management service to start automatically.
        • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services, and in the view pane locate and double-click Windows Remote Management (WS-Management).
        • Mark Define this policy setting and select Automatic followed by Apply and OK.
      • Enable collection of the Broker VM supported Kerberos events: Kerberos pre-authentication, authentication, request, and renewal tickets.
        • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon.
        • In the view pane, right-click Audit Kerberos Authentication Service and select Properties. In the Audit Kerberos Authentication Service window, mark Configure the following audit events:, select Success and Failure followed by Apply and OK.
          Repeat for Audit Kerberos Service Ticket Operations.
    6. Configure the subscription manager.
      Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Event Forwarding, right-click Configure target Subscription Manager and select Edit.
      In the Configure target Subscription Manager window:
      1. Mark Configure target Subscription Manager as Enabled.
      2. In the Options section, select Show and, in the Show Contents window, paste the Subscription Manager URL you copied from the Cortex XDR console followed by OK.
      3. Select Apply and OK to save your changes.
    7. Add Network Service to the Event Log Readers group.
      Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right-click and select New > Local Group.
      In the New Local Group Properties window:
      • In the Group name field, select Event Log Readers (built-in).
      • In the Members section, select Add and enter Network Service in the Name field followed by OK.
        You must type out the name; do not select the name using the browse button.
      • Select Apply and OK to save your changes, and close the Group Policy Management Editor window.
    8. Configure the Windows Firewall.
      If Windows Firewall is enabled on your event forwarders, you will have to define an outbound rule to enable the WEF to reach port 5986 on the WEC.
      In the Group Policy Management window, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules, right-click and select New Rule.
      In the New Outbound Rule Wizard, define the following Steps:
      1. Rule Type—Select Port followed by Next.
      2. Protocols and Ports—Select TCP and in the Specific Remote Ports field enter 5986 followed by Next.
      3. Action—Select Allow the connection followed by Next.
      4. Profile—Select Domain and disable Private and Public followed by Next.
      5. Name—Enter Windows Event Forwarding.
      6. Select Finish to save your configurations.
  9. Apply the WEF Group Policy.
    Link the policy to the OU or the group of Windows servers you would like to configure as event forwarders. In the following flow, the domain controllers are configured as event forwarders.
    1. Navigate to Group Policy Management > <your domain name> > Domain Controllers, right-click and select Link an existing GPO....
    2. In the Select GPO window, select Windows Event Forwarding followed by OK.
    3. In an administrative PowerShell console, execute the following commands:
      1. PS C:\Users\Administrator> gpupdate /force
        Verify that the Computer Policy update has completed successfully. User Policy update has completed successfully. confirmation message appears.
      2. PS C:\Users\Administrator> Restart-Service WinRM
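    The GPO settings from steps 8.6 (subscription manager), 8.8 (outbound firewall rule) and 9 (linking the GPO) can also be created with the GroupPolicy and NetSecurity modules, which makes the configuration reviewable and repeatable across domains. The following is an added example and is not Palo Alto Networks' code; it assumes the RSAT GroupPolicy module is installed on the host you run it from, uses a placeholder domain name, and expects the Subscription Manager value copied from the Cortex XDR console to be pasted into $SubscriptionManagerValue. The WinRM service startup and Kerberos audit settings from step 8.5 are security-template settings without a cmdlet equivalent and are left to the editor steps above.

```powershell
# Added example (not from the Cortex XDR documentation): create the "Windows Event
# Forwarding" GPO, set the subscription manager and outbound firewall rule inside it,
# and link it to the Domain Controllers OU. Domain and URL values are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Windows Event Forwarding'
$Domain   = 'corp.example'                                   # placeholder: your domain name
$DomainDn = 'DC=' + (($Domain -split '\.') -join ',DC=')      # corp.example -> DC=corp,DC=example
$TargetOu = "OU=Domain Controllers,$DomainDn"                # the OU linked in step 9

# Paste the Subscription Manager value copied from the Cortex XDR console here (placeholder).
$SubscriptionManagerValue = '<value copied from the Cortex XDR console>'

# Create the GPO once; reuse it on later runs.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment 'WEF forwarders for Cortex XDR Broker VM' }

# Step 8.6: "Configure target Subscription Manager" is stored by the Event Forwarding
# ADMX template under this key; entries are REG_SZ values named "1", "2", ...
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' `
    -ValueName '1' -Type String -Value $SubscriptionManagerValue | Out-Null

# Step 8.8: outbound rule, TCP remote port 5986, Domain profile only, written into the GPO's
# own firewall policy store rather than the local host.
$store = "$Domain\$GpoName"
if (-not (Get-NetFirewallRule -PolicyStore $store -DisplayName $GpoName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -PolicyStore $store -DisplayName $GpoName -Direction Outbound `
        -Protocol TCP -RemotePort 5986 -Action Allow -Profile Domain | Out-Null
}

# Step 9: link the GPO to the Domain Controllers OU (skip if already linked).
$linked = (Get-GPInheritance -Target $TargetOu -Domain $Domain).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Domain $Domain -Target $TargetOu -LinkEnabled Yes | Out-Null }

# Show what was configured so it can be compared with the GPMC view.
Get-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
Get-NetFirewallRule -PolicyStore $store -DisplayName $GpoName | Get-NetFirewallPortFilter
```

After the script runs, forwarders still need gpupdate /force and a WinRM restart, exactly as in step 9.3. Keeping the rule scoped to the Domain profile and to remote port 5986 only, as the wizard steps do, avoids opening a general outbound allowance on servers that should otherwise have restrictive egress.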
  10. Verify Windows Event Forwarding.
    1. In an administrative PowerShell console, run the following command:
      PS C:\Users\Administrator> Get-WinEvent Microsoft-Windows-WinRM/Operational -MaxEvents 10
    2. Look for WSMan operation EventDelivery completed successfully confirmation messages. These indicate that events were forwarded successfully.
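    When the confirmation messages do not appear, the cause is usually one of the earlier steps not having reached the host. The following added health check, which is not part of the Cortex XDR documentation, tests each prerequisite on a forwarder in the order the procedure configures them: WinRM startup, the subscription manager policy, outbound reachability of port 5986 on the WEC, the client certificate, and finally the EventDelivery messages in the WinRM operational log. It assumes the broker VM FQDN in $WecFqdn (placeholder) and the certificate name from step 6.

```powershell
# Added example (not from the Cortex XDR documentation): forwarder-side health check
# for Windows Event Forwarding to the Cortex XDR Broker VM. Values are placeholders.
$WecFqdn     = 'broker-vm.corp.example'                 # placeholder: Broker VM FQDN
$ForwarderCn = 'forwarder.wec.paloaltonetworks.com'     # certificate name from step 6
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. WinRM service state (step 8.5 sets Automatic; step 9.3 restarts it).
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running')       { $Findings.Add("WinRM service is $($svc.Status)") }
if ($svc.StartType -ne 'Automatic')  { $Findings.Add("WinRM start type is $($svc.StartType), expected Automatic") }

# 2. Subscription manager policy applied (step 8.6) - the GPO writes this key.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$sm = Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue
if (-not $sm) {
    $Findings.Add('Subscription manager policy not applied (registry key missing); run gpupdate /force')
} else {
    $sm.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Host "Subscription manager entry $($_.Name): $($_.Value)" }
}

# 3. Outbound TCP 5986 to the WEC (step 8.8 firewall rule, plus DNS resolution of the FQDN).
$tnc = Test-NetConnection -ComputerName $WecFqdn -Port 5986 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { $Findings.Add("TCP 5986 to $WecFqdn is not reachable (check DNS, firewall, WEC state)") }

# 4. Client certificate present with a private key and not close to expiry (step 6).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$ForwarderCn*" -and $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) {
    $Findings.Add("Client certificate '$ForwarderCn' with private key not found in Personal store")
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $Findings.Add("Client certificate expires on $($cert.NotAfter)")
}

# 5. WinRM operational log over the last hour: successful deliveries versus errors.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
$delivered = @($events | Where-Object { $_.Message -like '*EventDelivery completed successfully*' }).Count
$errors    = @($events | Where-Object { $_.Level -eq 2 })   # Level 2 = Error
Write-Host "EventDelivery successes in the last hour: $delivered"
if ($delivered -eq 0) { $Findings.Add('No "EventDelivery completed successfully" messages in the last hour') }
$errors | Select-Object -First 5 TimeCreated, Id, Message | Format-List

# Summary: an empty list means every prerequisite in the procedure checked out.
if ($Findings.Count -eq 0) { Write-Host 'All WEF prerequisites look good on this host.' }
else { $Findings | ForEach-Object { Write-Warning $_ } }
```

The checks are ordered so that the first warning points at the earliest step to revisit; for example, a missing registry key with a reachable WEC means the GPO link or gpupdate is the problem, not the network.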
  11. (Optional) Manage the Windows Event Collector.
    After the Windows Event Collector has been activated in the Cortex XDR Management Console, right-click your broker VM and select:
    • Windows Event Collector > Configure Forwarder to define the event configuration information.
    • Windows Event Collector > Deactivate to disable the Windows Event Collector.
    • Windows Event Collector > Collection Configuration to view or edit existing events, or add new events, to collect.
  12. (Optional) In the Apps field, select Windows Event Collector to view the following applet metrics:
    • Connectivity Status—Whether the applet is connected to Cortex XDR.
    • Logs Received and Logs Sent—Number of logs received and sent by the applet per second over the last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could indicate a connectivity issue.
    • Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.
