Activate the Windows Event Collector
After you have configured and registered your broker VM, activate your Windows Event Collector application.
The Windows Event Collector (WEC) runs on the broker VM and collects event logs from Domain Controllers (DCs). To enable collection of the event logs, you need to configure the DCs as Windows Event Forwarders (WEFs) and establish trust between them and the WEC. Trust between the WEFs and the WEC is established by mutual authentication over TLS using server and client certificates.
The WEF, a WinRM plugin, runs under the Network Service account. Therefore, you need to provide the WEFs with the relevant certificates and grant that account access permissions to the private key used for client authentication, that is, the key the WEF uses to authenticate to the WEC.
Ensure you meet the following prerequisites before activating the collector:
- Cortex XDR Pro per TB license
- You have knowledge of Windows Active Directory and Domain Controllers.
- Broker VM is registered in the DNS and its FQDN is resolvable from the DCs.
- DCs running on Windows Server 2012 or later.
- In Cortex XDR, navigate to Settings > Broker VMs and locate your broker VM in the table.
- Right-click the broker VM and select Windows Event Collector > Activate.
- In the Activate Windows Event Collector window, enter your Broker VM FQDN as it will be defined in your Domain Name System (DNS). This enables the connection between Cortex XDR and your Windows Event Collector.
- Activate your configuration. After a successful activation, the Apps field displays Windows Event Collector - Active, Connected.
- In the Windows Event Forwarder Configuration window:
  To view your Windows Event Forwarder Configuration details at any time, right-click the broker VM and select Applet Management > Configure Windows Event Forwarder.
  - Define the Client Certificate Export Password used to secure the downloaded Windows Event Forwarder (WEF) certificate, which establishes the connection between Cortex XDR and the Windows Event Collector. You will need this password when the certificate is imported on the DC.
  - Download the WEF certificate in PFX format.
- (Optional) In the Apps field, select Windows Event Collector to view the following applet metrics:
  - Connectivity Status: whether the applet is connected to Cortex XDR.
  - Logs Received and Logs Sent: number of logs received and sent by the applet per second over the last 24 hours. If the number of logs received is larger than the number of logs sent, it could indicate a connectivity issue.
  - Resources: the amount of CPU, Memory, and Disk space the applet is using.
- Manage the Windows Event Collector. After the Windows Event Collector has been activated, right-click your broker VM and select:
  - Windows Event Collector > Configure to redefine the Windows Event Collector configuration.
  - Windows Event Collector > Deactivate to disable the Windows Event Collector.
- Install your WEF certificate on the DC to establish the connection.
  - Copy the PFX file you downloaded from the Cortex XDR console to your DC, double-click the file and import it to Local Machine.
  - Navigate to Certificates > Personal and verify the following:
    - In the Personal > Certificates folder, ensure the certificate has been imported.
    - In the Trusted Root Certification Authorities folder, ensure the CA was added.
  - Navigate to Certificates > Personal > Certificates.
  - Right-click the certificate and navigate to All Tasks > Manage Private Keys.
  - In the Permissions window, select Add, and in the Enter the object names section enter NETWORK SERVICE, followed by OK. Verify that the account appears under Group or user names.
- Add the Network Service account to the DC Event Log Readers group.
  To enable DCs to forward events, the Network Service account must be a member of the Active Directory Event Log Readers group. In PowerShell, execute the following command on the DC:
  C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add
- Create a WEF Group Policy that applies to every DC you want to configure as a WEF.
  - Create a new Group Policy and name it Windows Event Forwarding.
  - In the Group Policy Management window, navigate to Domains > <your domain name> > Windows Event Forwarding, right-click and select Edit.
  - In the Group Policy Management Editor:
    - Set the WinRM service for automatic startup.
      - Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services, and double-click Windows Remote Management.
      - Mark Define this policy setting and select Automatic.
    - Enable collection of the Kerberos events supported by the broker VM: Kerberos pre-authentication, authentication, ticket request, and ticket renewal.
      - Navigate to Computer Configuration > Policies > Advanced Audit Policy Configuration > Audit Policy > Account Logon.
      - Configure Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations to Success and Failure.
    - Configure the subscription manager. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding, and double-click Configure target Subscription Manager. In the Configure target Subscription Manager window, select Show.
    - Add Network Service to the Event Log Readers group. Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right-click and select New > Local Group. In the Event Log Readers (built-in) Properties window:
      - In the Group name field, select Event Log Readers (built-in).
      - In the Members section, select Add and enter Network Service in the Name field. You must type the name; it cannot be selected with the browse button.
    - Configure the Windows Firewall. If Windows Firewall is enabled on your DCs, you will have to define an outbound rule to enable the WEF to reach port 5986 on the WEC. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules, right-click and select New Rule. Configure the following:
      - TCP, port 5986
      - Allow the connection
      - Mark Domain; disable Private and Public
      - Name the rule Windows Event Forwarding
- Apply the WEF Group Policy. Link the policy to the DC OU or to the group of DCs you would like to configure as WEFs.
  - Navigate to Group Policy Management > <your domain name> > Domain Controllers, right-click and select Link an existing GPO....
  - Select the WEF Group Policy you created, Windows Event Forwarding.
  - In an administrative PowerShell console, execute the following commands:
    PS C:\Users\Administrator> gpupdate /force
    PS C:\Users\Administrator> Restart-Service WinRM
- Verify Windows Event Forwarding.
  - In an administrative PowerShell console, run the following command:
    PS C:\Users\Administrator> Get-WinEvent Microsoft-Windows-WinRM/Operational -MaxEvents 10
  - Look for WSMan operation EventDelivery completed successfully messages. These indicate that events were forwarded successfully.
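The following PowerShell script is an added example and is not part of this documentation or of Cortex XDR; run it in an administrative console on a DC after the GPO has applied to confirm, in one pass, that each item configured above actually took effect (certificate and CA present, NETWORK SERVICE able to read the private key, group membership, WinRM startup, Kerberos auditing, subscription manager, firewall rule, and successful EventDelivery entries). It assumes the WEF certificate's Subject contains "broker" (adjust $CertSubjectMatch), that the private key was stored by a CSP under MachineKeys (the ACL check is skipped for CNG keys), and that the firewall rule kept the name Windows Event Forwarding.

```powershell
# Added verification script (assumed names: $CertSubjectMatch, rule "Windows Event Forwarding").
# Every check is read-only; a $false value points at the step above that needs revisiting.
param([string]$CertSubjectMatch = 'broker')

function Test-WefReadiness {
    $r = [ordered]@{}
    # Client certificate in Personal with a private key, and its issuing CA in Trusted Root
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $CertSubjectMatch -and $_.HasPrivateKey } |
        Select-Object -First 1
    $r.ClientCertPresent = [bool]$cert
    $r.IssuerInTrustedRoot = [bool]($cert -and (Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $cert.Issuer }))
    # NETWORK SERVICE needs Read on the key file; without it WinRM cannot present the client cert
    $r.KeyReadableByNetworkService = $false
    if ($cert -and $cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
            $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $r.KeyReadableByNetworkService = [bool]((Get-Acl $keyFile).Access | Where-Object {
            $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
            $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read|FullControl' })
    }
    # Same group the net localgroup command above adds the account to
    $r.NetworkServiceInEventLogReaders = [bool]((net localgroup 'Event Log Readers') -match 'NETWORK SERVICE')
    # GPO results: WinRM startup type, Kerberos auditing, subscription manager, outbound rule
    $r.WinRmAutomatic = (Get-CimInstance Win32_Service -Filter "Name='WinRM'").StartMode -eq 'Auto'
    $r.KerberosAuditSuccessAndFailure = -not (
        @('Kerberos Authentication Service', 'Kerberos Service Ticket Operations') |
        Where-Object { -not ((auditpol /get /subcategory:"$_") -match 'Success and Failure') })
    $smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $r.SubscriptionManagerUsesPort5986 = (Test-Path $smKey) -and [bool](
        (Get-ItemProperty $smKey).PSObject.Properties | Where-Object { "$($_.Value)" -match '5986' })
    $rule = Get-NetFirewallRule -DisplayName 'Windows Event Forwarding' -Direction Outbound `
        -ErrorAction SilentlyContinue
    $r.OutboundRuleAllows5986 = [bool]($rule -and
        (($rule | Get-NetFirewallPortFilter).RemotePort -contains '5986'))
    # The same success message the verification step above looks for
    $r.EventDeliverySucceeded = [bool](Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*EventDelivery completed successfully*' } |
        Select-Object -First 1)
    [pscustomobject]$r
}

Test-WefReadiness | Format-List
```

A DC where every value is $true except EventDeliverySucceeded has usually not yet run gpupdate /force and Restart-Service WinRM, or cannot resolve the broker VM FQDN from step 8.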