Activate the Windows Event Collector
Set up your Windows Event Collector to connect with the Cortex XDR Broker VM and collect events.
After you have configured and registered your broker VM, activate your Windows Event Collector application.
The Windows Event Collector (WEC) runs on the broker VM and collects event logs from Windows Servers, including Domain Controllers (DCs). The Windows Event Collector can be deployed in several topologies: it can be connected directly to multiple event generators (DCs or Windows Servers), or the events can be routed through one or more intermediate Windows Event Collectors. Behind each Windows Event Collector there can be multiple generating sources.
To enable the collection of the event logs, you need to configure the generating hosts as Windows Event Forwarders (WEFs) and establish trust between them and the WEC. Trust between the WEFs and the WEC is established by mutual authentication over TLS using server and client certificates. The WEF is a WinRM plugin that runs under the Network Service account. Therefore, you need to provide the WEFs with the relevant certificates and grant that account access permissions to the private key used for client authentication, that is, to authenticate to the WEC.
Ensure you meet the following prerequisites before activating the collector:
- Cortex XDR Pro per TB license
- Broker VM version 8.0 or later
- You have knowledge of Windows Active Directory and Domain Controllers.
- Broker VM is registered in the DNS and its FQDN is resolvable from the events forwarder (Windows server).
- Windows Server 2012 or later.
- In Cortex XDR, navigate to the Settings > Broker VMs table and locate your broker VM.
- Right-click and select Windows Event Collector > Activate.
- In the Activate Windows Event Collector window, define the following:
- Set your Broker VM FQDN as it will be defined in your Domain Name System (DNS). The WEC acts as the subscription manager, and the WEFs use this FQDN to connect to it.
- Define the events collected by the applet. This lists the event sources from which you want to collect events:
- Source—Select from the pre-populated list of the most common event sources on Windows Servers. The event source is the name of the software that logs the events. A source provider can only appear once in your list. When selecting event sources, depending on the type of event you want to forward, ensure the event source is enabled, for example auditing of security events. If the source is not enabled, the source configuration in the given row will fail.
- Min. Event Level—Minimum severity level of events that are collected.
- Event IDs Group—Whether to Include, Exclude, or collect All event ID groups.
- (Optional) Event IDs—Define specific event IDs or event ID ranges you want to collect. Make sure to select after each entry.
By default, Cortex XDR collects the Palo Alto Networks predefined Security events that are used by the Cortex XDR detectors. Removing the Security collector interferes with the Cortex XDR detection functionality. Select Restore to Default to reinstate the Security event collection.
For example, to forward all Windows Event Collector events to the broker VM, define the following:
- Min. Event Level—Verbose
- Event IDs Group—All
- Activate your configurations. After a successful activation, the Apps field displays Windows Event Collector - Active, Connected.
- In the Windows Event Forwarder Configuration window:
- Copy the Subscription Manager URL. You will use it when you configure the subscription manager in the GPO (Group Policy Object) on your DC.
- Define the Client Certificate Export Password used to secure the downloaded Windows Event Forwarder (WEF) certificate, which establishes the connection between the DC/WEF and the WEC. You will need this password when the certificate is imported on the event forwarder.
- Download the WEF certificate in PFX format. To view your Windows Event Forwarder Configuration details at any time, select your broker VM, right-click and navigate to Windows Event Collector > Configure Forwarder.
Cortex XDR monitors the certificate and triggers a Certificate Expiration notification 30 days prior to the expiration date. The notification is sent daily, specifying the number of days left on the certificate, or that the certificate has already expired.
- Install your WEF certificate on the event forwarder to establish the connection.
- Copy the PFX file you downloaded from the Cortex XDR console to your event forwarder, double-click the file and import it to Local Machine.
- Navigate to Certificates > Personal and verify the following:
- In the Personal > Certificates folder, ensure the certificate has been imported.
- In the Trusted Root Certification Authorities folder, ensure the CA was added.
- Navigate to Certificates > Personal > Certificates.
- Right-click the certificate and navigate to All Tasks > Manage Private Keys.
- In the Permissions window, select Add, enter NETWORK SERVICE in the Enter the object names section, and select OK. Verify that NETWORK SERVICE appears under Group or user names.
- Add the Network Service account to the event forwarder's Event Log Readers group.
- To enable event forwarders to forward events, the Network Service account must be a member of the Active Directory Event Log Readers group. In PowerShell, execute the following command on the event forwarder:
C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add
- Grant access to view the security event logs.
Make sure you grant access on each of your event forwarder hosts.
- Run wevtutil gl security and take note of your channelAccess value.
- Run wevtutil sl security "/ca:<channelAccess value>(A;;0x1;;;S-1-5-20)".
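The forwarder-side steps above (certificate import, private key permission for NETWORK SERVICE, Event Log Readers membership and the Security channel ACE) as one idempotent script. This is an added example, not code from the Cortex XDR documentation; the PFX path and password are assumed placeholders, and the key-file lookup under ProgramData\Microsoft\Crypto is the scripted equivalent of the Manage Private Keys dialog.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Cortex XDR documentation: prepares one event forwarder host.
# Assumed inputs: the PFX downloaded from the console and the export password you set there.
param(
    [string]$PfxPath     = 'C:\Temp\wef-client.pfx',   # assumed location of the downloaded PFX
    [string]$PfxPassword = 'CHANGE_ME'                 # Client Certificate Export Password (placeholder)
)

# 1. Import every certificate in the PFX into the LocalMachine store it belongs to:
#    the client certificate (has a private key) into Personal, the self-signed CA into
#    Trusted Root, any intermediate into Intermediate Certification Authorities.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$coll  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$coll.Import($PfxPath, $PfxPassword, $flags)
foreach ($c in $coll) {
    $storeName = if ($c.HasPrivateKey) { 'My' } elseif ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($c); $store.Close()
}

# 2. Grant NETWORK SERVICE (the account the WinRM forwarder plugin runs under) read access
#    to the private key file; this is what the Manage Private Keys dialog does.
$leaf = $coll | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($leaf)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName | Select-Object -First 1
if (-not $keyFile) { throw "Private key file $keyName not found under ProgramData\Microsoft\Crypto" }
$acl = Get-Acl $keyFile.FullName
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')))
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 3. Let NETWORK SERVICE read event logs (same command as the documentation; harmless if already a member).
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add 2>$null

# 4. Append the read ACE for S-1-5-20 (NETWORK SERVICE) to the Security channel SDDL only if
#    it is not already present, so re-running the script does not duplicate it.
$ace     = '(A;;0x1;;;S-1-5-20)'
$current = ((wevtutil gl Security | Select-String '^channelAccess:').Line -replace '^channelAccess:\s*', '').Trim()
if ($current -notlike "*$ace*") { wevtutil sl Security "/ca:$current$ace" }
```

Run it once per forwarder host from an elevated PowerShell console; the script changes only the key ACL, the local group and the Security channel SDDL, and leaves the rest of the host untouched.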
- Create a WEF Group Policy that applies to every Windows server you want to configure as a WEF.
- Create a new Group Policy and name it Windows Event Forwarding.
- In the Group Policy Management window, navigate to Domains > <your domain name> > Windows Event Forwarding, right-click and select Edit.
- In the Group Policy Management Editor:
- Set the WinRM service to start automatically.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services, and double-click Windows Remote Management.
- Mark Define this policy setting and select Automatic.
- Enable collection of the Kerberos events supported by the Broker VM: Kerberos pre-authentication, authentication, ticket request, and ticket renewal.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy > Account Logon.
- Configure Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations to Success and Failure.
- Configure the subscription manager. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding, and double-click Configure target Subscription Manager. In the Configure target Subscription Manager window, select Show and enter the Subscription Manager URL you copied from the Windows Event Forwarder Configuration window.
- Add Network Service to the Event Log Readers group. Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right-click and select New > Local Group. In the Event Log Readers (built-in) Properties window:
- In the Group name field, select Event Log Readers (built-in).
- In the Members section, select Add and enter Network Service in the Name field. You must type the name; it cannot be selected using the browse button.
- Configure the Windows Firewall. If Windows Firewall is enabled on your event forwarders, you must define an outbound rule that allows the WEF to reach port 5986 on the WEC. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules, right-click and select New Rule. Configure the following:
- TCP—Port 5986
- Allow the connection
- Mark Domain, disable Private and Public
- Name the rule Windows Event Forwarding
- Apply the WEF Group Policy. Link the policy to the OU or the group of Windows servers you want to configure as event forwarders. In the following flow, the domain controllers are configured as event forwarders.
- Navigate to Group Policy Management > <your domain name> > Domain Controllers, right-click and select Link an existing GPO....
- Select the WEF Group Policy you created, Windows Event Forwarding.
- In an administrative PowerShell console, execute the following commands:
PS C:\Users\Administrator> gpupdate /force
PS C:\Users\Administrator> Restart-Service WinRM
- Verify Windows Event Forwarding.
- In an administrative PowerShell console, run the following command:
PS C:\Users\Administrator> Get-WinEvent Microsoft-windows-WinRM/operational -MaxEvents 10
- Look for WSMan operation EventDelivery completed successfully messages. These indicate that events were forwarded successfully.
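A read-only health check that covers the verification step above together with the earlier prerequisites it depends on (WinRM startup, the subscription manager policy, the outbound 5986 path, the Event Log Readers membership and the Security channel ACE). It is an added example, not from the Cortex XDR documentation; the broker VM FQDN is an assumed placeholder, and the SubscriptionManager policy key is where the Configure target Subscription Manager GPO setting is written.

```powershell
# Added example, not from the Cortex XDR documentation: run on an event forwarder after gpupdate.
param([string]$WecFqdn = 'broker.example.internal')   # assumed placeholder for the Broker VM FQDN

$results = [ordered]@{}

# 1. WinRM must be running and set to start automatically (GPO System Services step).
$results['WinRM running']   = ((Get-Service WinRM).Status -eq 'Running')
$results['WinRM automatic'] = ((Get-CimInstance Win32_Service -Filter "Name='WinRM'").StartMode -eq 'Auto')

# 2. The Configure target Subscription Manager GPO setting lands under this policy key,
#    one numbered string value per subscription manager entry.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$sm = @()
if (Test-Path $smKey) {
    $sm = (Get-ItemProperty $smKey).PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}
$results['Subscription manager points at WEC'] = (($sm -join ' ') -like "*$WecFqdn*")

# 3. The WEC must be reachable on TCP 5986 (outbound firewall rule step).
$results["TCP 5986 to $WecFqdn"] = (Test-NetConnection -ComputerName $WecFqdn -Port 5986 -WarningAction SilentlyContinue).TcpTestSucceeded

# 4. NETWORK SERVICE must be a member of Event Log Readers.
$results['NETWORK SERVICE in Event Log Readers'] = (((net localgroup "Event Log Readers") -join "`n") -match 'NETWORK SERVICE')

# 5. The Security channel SDDL must carry the read ACE for S-1-5-20.
$channelAccess = (wevtutil gl Security | Select-String '^channelAccess:').Line
$results['Security channel readable by S-1-5-20'] = ($channelAccess -like '*(A;;0x1;;;S-1-5-20)*')

# 6. Successful deliveries in the last hour, the same message the documentation tells you to look for.
$delivered = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*EventDelivery completed successfully*' }
$results['EventDelivery successes, last hour'] = @($delivered).Count

# Print one line per check; any False above, or a zero delivery count, points at the step to revisit.
$results.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
```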
- (Optional) Manage the Windows Event Collector. After the Windows Event Collector has been activated in the Cortex XDR Management Console, right-click your broker VM and select:
- Windows Event Collector > Configure Forwarder to define the event configuration information.
- Windows Event Collector > Deactivate to disable the Windows Event Collector.
- Windows Event Collector > Collection Configuration to view or edit existing events to collect, or to add new ones.
- (Optional) In the Apps field, select Windows Event Collector to view the following applet metrics:
- Connectivity Status—Whether the applet is connected to Cortex XDR.
- Logs Received and Logs Sent—Number of logs received and sent by the applet per second over the last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could indicate a connectivity issue.
- Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.