Set Up a Windows Event Collector
The Windows Event Collector (WEC) runs on the broker VM and collects event logs from Domain Controllers (DCs). To enable collection of the event logs, you need to configure the DCs as Windows Event Forwarders (WEFs) and establish trust between them and the WEC. Trust between the WEFs and the WEC is established by mutual authentication over TLS using server and client certificates.
The WEF, a WinRM plugin, runs under the Network Service account. Therefore, you need to provide the WEFs with the relevant certificates and grant that account access permissions to the private key used for client authentication, that is, for authenticating to the WEC.
Ensure you meet the following prerequisites:
- Cortex XDR Pro per TB license
- You have knowledge of Windows Active Directory and Domain Controllers.
- You have openssl installed on a secure Linux or macOS host.
- Broker VM supports a working DNS name resolution and valid DNS domain zone records.
- DCs are running on Windows Server 2012 or later.
- Generate CA and WEC certificates.
- On your secure Linux/macOS host, download the scripts and save each of the following files to the same directory:
The CA, WEC, and WEF private keys are generated on this host. Ensure you are working on a secure host and store the CA private key securely with password protection, so you are able to generate WEF certificates for any DC you would want to turn into a WEF in the future.
- Set execution permission on the generate_certs.sh file by running:
    $ chmod +x generate_certs.sh
- Run the script, providing the CN of the broker VM on which the WEC will be activated, as registered in DNS. You will be prompted for a password to protect the PFX file. If you are running the script for the first time, use the --create-ca flag to also generate the CA certificate.
    $ ./generate_certs.sh --create-ca --cn broker.etac-tlv.local
    Creating the CA
    It is recommended to protect the CA certificate/key pair from overriding/deleting it unintentionally. Set readOnly permissions? [y/n] y
    Creating the cert
    Packing all to a PFX
    Enter Export Password:
    Verifying - Enter Export Password:
    Done exporting to /Users/test/Projects/WEC/out:
    PFX: broker.etac-tlv.local.pfx (SHA1 Fingerprint=6A1DF3BE9C9875C1DC3167DE1805F6FBCC1D3861)
    CA: ca.cert (SHA1 Fingerprint=D9DFCC987F21839A65682DF527193F78296FBBA2)
    $
  After completing, the script prints the location of the output files along with their SHA1 hashes:
- PFX file containing the WEC key pair and the signing CA certificate.
- The CA certificate file in PEM format.
- Activate WEC on the Cortex XDR Broker VM.
- In the Cortex XDR app, navigate to Settings > Broker VMs.
- Locate the broker VM on which you want to activate WEC, right-click it and select Activate Windows Event Collector.
- In the Activate Windows Event Collector window, Browse to the WEC certificate PFX file you generated. The PFX file contains the certificate and key pair of the WEC along with its certificate chain. Normally the same CA signs both the WEC and the DCs' certificates. If this is not the case, upload the CA certificate that will be used to validate the DCs' client certificates in the CA BUNDLE field.
- On successful activation, copy the displayed subscription URL.
- Generate the WEF certificate.
- On your secure Linux/macOS host, run the script using the copied subscription URL:
    $ ./generate_certs.sh --cn ETAC-DC-2016.etac-tlv.local
    Not creating a new CA cert/key pair. Existing ones will be used
    Creating the cert
    Packing all to a PFX
    Enter Export Password:
    Verifying - Enter Export Password:
    Done exporting to /Users/test/Projects/WEC/out:
    PFX: ETAC-DC-2016.etac-tlv.local.pfx (SHA1 Fingerprint=BFD922E214DB6A0F5C3A176118FA76C82895A8DF)
    CA: ca.cert (SHA1 Fingerprint=D9DFCC987F21839A65682DF527193F78296FBBA2)
    $
- Repeat this step for each DC you want to configure as a WEF.
- Install WEF Certificate on the DC.
- Copy the PFX file you created to your DC, double-click the file and import it to Local Machine.
- Navigate to Certificates > Personal and verify the following:
- In the Personal > Certificates folder, ensure the certificate has been imported.
- In the Trusted Root Certification Authorities folder, ensure the CA was added.
- Navigate to Certificates > Personal > Certificates.
- Right-click the certificate and navigate to All Tasks > Manage Private Keys.
- In the Permissions window, select Add, and in the Enter the object names section, enter NETWORK SERVICE followed by OK. Verify that it appears under Group or user names.
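As an added example that is not part of the Cortex XDR documentation or its scripts, the following PowerShell performs the same import and private key permission grant from an elevated session on the DC. It assumes the PFX and ca.cert files produced by generate_certs.sh have been copied to the DC (their paths are parameters) and a .NET 4.6 or later runtime for the CNG key lookup.

```powershell
# Added example, not part of the Cortex XDR documentation or its scripts.
# Imports the WEF PFX produced by generate_certs.sh on a DC and grants
# NETWORK SERVICE read access to the private key, which the WinRM-based WEF
# needs for client authentication to the WEC. Paths are assumptions passed
# as parameters; run from an elevated Windows PowerShell session on the DC.
param(
    [Parameter(Mandatory)] [string] $PfxPath,          # e.g. C:\Temp\ETAC-DC-2016.etac-tlv.local.pfx (assumed path)
    [Parameter(Mandatory)] [string] $CaCertPath,       # ca.cert (PEM) from the same script output
    [Parameter(Mandatory)] [SecureString] $PfxPassword # export password chosen when running the script
)

# Locate the on-disk key container behind a machine-store certificate.
# CSP keys live under RSA\MachineKeys; CNG keys live under Keys.
function Get-PrivateKeyPath([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}

# 1. Import the WEF key pair into Local Machine > Personal (Cert:\LocalMachine\My).
#    The PFX may also carry the CA, so keep the certificate that owns the private key.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword -CertStoreLocation 'Cert:\LocalMachine\My' |
    Where-Object HasPrivateKey | Select-Object -First 1

# 2. Trust the signing CA in Local Machine > Trusted Root Certification Authorities.
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Grant NETWORK SERVICE (the WinRM plugin's account) read access to the key file,
#    the same change the Manage Private Keys dialog makes in the UI.
$keyPath = Get-PrivateKeyPath $cert
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Report what was installed; the thumbprint is the SHA1 fingerprint printed by generate_certs.sh.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    KeyFile    = $keyPath
    KeyAccess  = (Get-Acl -Path $keyPath).Access |
        Where-Object IdentityReference -like '*NETWORK SERVICE*' |
        ForEach-Object FileSystemRights
}
```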
- Add the Network Service account to the DC Event Log Readers group.
- To enable DCs to forward events, the Network Service account must be a member of the Active Directory Event Log Readers group. In PowerShell, execute the following command on the DC:
    C:\> net localgroup "Event Log Readers" "NT Authority\Network Service" /add
- Create a WEF Group Policy which applies to every DC you want to configure as a WEF.
- Create a new Group Policy and name it Windows Event Forwarding.
- In the Group Policy Management window, navigate to Domains > <your domain name> > Windows Event Forwarding, right-click it and select Edit.
- In theGroup Policy Management Editor:
- Set the WinRM service for automatic startup.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services, and double-click Windows Remote Management.
- Mark Define this policy setting and select Automatic.
- Enable collection of the Kerberos events supported by the Broker VM: Kerberos pre-authentication, authentication, ticket request, and ticket renewal.
- Navigate to Computer Configuration > Policies > Advanced Audit Policy Configuration > Audit Policy > Account Logon.
- Configure Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations to Success and Failure.
- Configure the subscription manager. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding, and double-click Configure target Subscription Manager. In the Configure target Subscription Manager window, select Show.
- Add Network Service to the Event Log Readers group. Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, right-click and select New > Local Group. In the Event Log Readers (built-in) Properties window:
- In the Group name field, select Event Log Readers (built-in).
- In the Members section, select Add and enter Network Service in the Name field. You must type the name; it cannot be selected using the browse button.
- Configure the Windows Firewall. If Windows Firewall is enabled on your DCs, you must define an outbound rule that allows the WEF to reach port 5986 on the WEC. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules, right-click and select New Rule. Configure the following:
- TCP, port 5986
- Allow the connection
- Mark Domain; clear Private and Public
- Name the rule Windows Event Forwarding
- Apply the WEF Group Policy. Link the policy to the DC OU or the group of DCs you would like to configure as WEFs.
- Navigate to Group Policy Management > <your domain name> > Domain Controllers, right-click and select Link an existing GPO....
- Select the WEF Group Policy you created, Windows Event Forwarding.
- In an administrative PowerShell console, execute the following commands:
    PS C:\Users\Administrator> gpupdate /force
    PS C:\Users\Administrator> Restart-Service WinRM
- Verify Windows Event Forwarding.
- In an administrative PowerShell console, run the following command:
    PS C:\Users\Administrator> Get-WinEvent Microsoft-Windows-WinRM/Operational -MaxEvents 10
- Look for WSMan operation EventDelivery completed successfully messages. These indicate that events were forwarded successfully.
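The following PowerShell function, added here and not part of the Cortex XDR documentation, checks from the DC each setting the procedure above configures and summarizes recent WinRM delivery results in one object. The default broker hostname is the one used in this page's sample output and is an assumption; run it from an elevated Windows PowerShell session.

```powershell
# Added example, not part of the Cortex XDR documentation. Checks the WEF
# prerequisites this procedure sets up on a DC and summarizes recent WinRM
# delivery results. The broker hostname default is an assumption.
function Test-WefConfiguration {
    param(
        [string] $WecHost   = 'broker.etac-tlv.local', # WEC broker VM, as registered in DNS
        [int]    $WecPort   = 5986,                    # port opened by the outbound firewall rule
        [int]    $MaxEvents = 50                       # how many recent WinRM events to inspect
    )
    $r = [ordered]@{}

    # WinRM must be running; the GPO sets its startup type to Automatic.
    $r.WinRMRunning = ((Get-Service -Name WinRM).Status -eq 'Running')

    # NETWORK SERVICE must be in Event Log Readers to read the Security log.
    $members = net localgroup "Event Log Readers" 2>$null
    $r.NetworkServiceInEventLogReaders = [bool]($members -match 'NETWORK SERVICE')

    # Both Kerberos subcategories must audit Success and Failure.
    $audit = auditpol /get /subcategory:"Kerberos Authentication Service","Kerberos Service Ticket Operations" 2>$null
    $r.KerberosAuditSuccessAndFailure = (@($audit | Select-String 'Success and Failure').Count -eq 2)

    # The Configure target Subscription Manager policy stores its values under this key.
    $r.SubscriptionManagerConfigured = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

    # A client-authentication certificate with a private key, issued by a trusted CA, must be in the machine store.
    $roots = Get-ChildItem Cert:\LocalMachine\Root
    $clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    }
    $r.ClientCertPresent = (@($clientCerts).Count -gt 0)
    $r.IssuingCaTrusted  = [bool]($clientCerts | Where-Object { $issuer = $_.Issuer; $roots | Where-Object Subject -eq $issuer })

    # The outbound firewall rule must let the DC reach the WEC on the WinRM HTTPS port.
    $r.WecReachable = (Test-NetConnection -ComputerName $WecHost -Port $WecPort -WarningAction SilentlyContinue).TcpTestSucceeded

    # Delivery results from the WinRM operational log (the messages the last step looks for).
    $events = @(Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    $r.RecentDeliverySuccesses = @($events | Where-Object Message -like '*EventDelivery*completed successfully*').Count
    $r.RecentWinRMErrors       = @($events | Where-Object LevelDisplayName -eq 'Error').Count
    [pscustomobject]$r
}

Test-WefConfiguration | Format-List
```

Any field reported as False, or a success count of 0 after gpupdate and a WinRM restart, points at the corresponding step above to revisit.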