Tutorial / Cram Notes
Windows Event Forwarding (WEF) allows for the collection of Windows security events from remote systems to a central server. It relies on WinRM (Windows Remote Management) to transmit event data and does not require agents on the originating systems. WEF can use either a push (source-initiated) or pull (collector-initiated) subscription model.
Push Subscription:
- Source computers are configured to forward events.
- Ideal for decentralized environments.
Pull Subscription:
- A central server collects events from source computers.
- Best suited for centralized control over the collection.
Configuring Event Collection
To configure event collection, follow these steps:
- Enable WinRM: Ensure that Windows Remote Management is enabled on both the collector and the source computers.
- Create a Subscription: This can be a Collector Initiated Subscription or a Source Computer Initiated Subscription:
  - Collector Initiated Subscription:
    - The collector server pulls events from the source computers.
    - Ideal when configurations need to be centralized.
  - Source Computer Initiated Subscription:
    - The source computers push events to the collector.
    - Preferred when sources are in different domains or when the configuration should be decentralized.
- Configure Group Policy: If using a domain-based approach, configure Group Policy Objects to define which events are collected and where they are sent.
- Define Event Collection Policy: Determine which events are relevant for collection, typically focusing on high-value logs like security, system, and application logs.
- Set Up Filtering: It’s essential to filter events to avoid noise. This can be done through the Event Viewer’s Subscription Properties dialog, where you can select specific event IDs or categories.
- Security and Access Control: Control who has access to the event logs. Ensure that only authorized accounts can create subscriptions and access the collected events.
Examples of Events to Collect
Category | Event IDs | Description |
---|---|---|
Account Logon | 4624, 4625 | Successful and failed logon attempts. |
Account Management | 4720, 4726 | User account creation and deletion. |
Object Access | 4663 | Access to an object was requested. |
Policy Change | 4704, 4902 | System audit policy was changed. |
Privilege Use | 4672 | Special privileges assigned to new logon. |
Detailed Tracking | 4688 | A new process has been created. |
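The configuration steps above (collector service, a source-initiated subscription, XPath filtering on the event IDs from the table, and access control for the source computers) as a single added PowerShell example; this is not taken from the original notes. The collector hostname COLLECTOR01.contoso.local and the subscription name SC200-SecurityBaseline are placeholders, and the sources are assumed to be domain members reached over WinRM HTTP (TCP 5985).

```powershell
# Added example, not from the original notes. Placeholders: COLLECTOR01.contoso.local,
# SC200-SecurityBaseline. Run the collector section on the collector as an administrator.

# --- Collector: enable the Windows Event Collector service (Wecsvc) and the WinRM listener.
wecutil qc /q            # /q = quiet, no confirmation prompt
winrm quickconfig -q

# --- Collector: subscription definition. The XPath <Select> is the "Set Up Filtering" step:
# only the event IDs from the table leave the source, which keeps noise off the wire.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SC200-SecurityBaseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon, account management, object access, policy change, privilege use, process creation</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4720 or EventID=4726 or EventID=4663 or EventID=4704 or EventID=4902 or EventID=4672 or EventID=4688)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- "Security and Access Control" step: only Domain Computers (DC) and Network Service (NS) may push -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path .\SC200-SecurityBaseline.xml -Value $subscription -Encoding UTF8
wecutil cs .\SC200-SecurityBaseline.xml      # create the subscription from the XML file

# --- Source computers ("Configure Group Policy" step), set once in a GPO:
#   Computer Configuration > Policies > Administrative Templates > Windows Components
#   > Event Forwarding > Configure target Subscription Manager =
#   Server=http://COLLECTOR01.contoso.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
# The forwarder runs as NETWORK SERVICE, which has no read access to the Security log
# by default; membership in the local Event Log Readers group grants it.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'

# --- Verify on the collector: subscription definition and per-source runtime status.
wecutil gs SC200-SecurityBaseline
wecutil gr SC200-SecurityBaseline
```

Forwarded events land in the collector's ForwardedEvents log, which is the log a SIEM agent on the collector would read.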
Best Practices
When designing a security event collection strategy, consider the following best practices:
- Least Privilege Principle: Only assign permissions necessary to accomplish the task.
- Regular Updates and Configuration Checks: Periodically review and update event forwarding configurations to ensure they meet current security needs.
- Performance Considerations: Be aware of the impact on network and system performance and adjust event collection volume and filters accordingly.
- Event Storage and Retention: Ensure that storage solutions are sufficient for the volume of events collected and that they adhere to data retention policies.
- Integration with SIEM: Integrate collected events with a Security Information and Event Management (SIEM) system like Microsoft Sentinel for enhanced analysis and correlation.
Conclusion
Effectively collecting and managing security event logs is a key part of a security operations analyst’s role. SC-200 candidates must be familiar with the design and configuration of Windows Security event collections, focusing on the appropriate event IDs, employing best practices, and ensuring that their configurations are secure and efficient. By following the outlined process, analysts can enhance threat detection and response capabilities within their organizations.
Practice Test with Explanation
True or False: Windows Event Collector Service must be running in order to collect security events on a Windows Server.
- Answer: True
The Windows Event Collector Service is responsible for managing the subscriptions to events and the collection of those events from remote computers.
Which log level records the most detailed information in Event Viewer?
- A. Error
- B. Warning
- C. Information
- D. Verbose
- Answer: D. Verbose
The Verbose logging level records detailed information that can be helpful for in-depth troubleshooting.
True or False: Event Channels must be configured on both the forwarder (source) and the collector (destination) computers for successful event collection.
- Answer: True
Both the source and destination systems need to have appropriate Event Channels configured to facilitate the event collection process.
Which Windows feature can be used to forward security events from multiple computers to a central console?
- A. Task Scheduler
- B. Performance Monitor
- C. Event Viewer
- D. Windows Event Forwarding
- Answer: D. Windows Event Forwarding
Windows Event Forwarding allows the forwarding of security and other event log information to a central server.
How are Windows Event Forwarding subscriptions classified?
- A. Collector initiated
- B. Source-initiated
- C. Both A and B
- D. Neither A nor B
- Answer: C. Both A and B
Windows Event Forwarding subscriptions can be either collector initiated or source initiated.
True or False: The Simple Network Management Protocol (SNMP) is required to configure security event collections on Windows.
- Answer: False
SNMP is not required for configuring security event collections on Windows, as they use the Windows Remote Management (WinRM) service.
Which format is used by Windows Event Forwarding to transmit collected events?
- A. XML
- B. JSON
- C. CSV
- D. TXT
- Answer: A. XML
Windows Event Forwarding uses the XML format to encode and transmit collected events from the source to the collector.
True or False: Encrypted transmission of event logs can only be configured using HTTPS.
- Answer: False
Although using HTTPS is one method to encrypt the transmission of event logs, other methods such as Windows Remote Management with Kerberos or NTLM authentication can also provide encrypted communication.
In a source-initiated subscription model, which component determines which events to forward?
- A. Collector server
- B. Source computers
- C. Event Viewer
- D. Subscription manager
- Answer: B. Source computers
In a source-initiated model, the source computers are configured to determine which events to forward, based on the subscription manager’s policy.
Which protocol is used by Windows Event Forwarding?
- A. TCP
- B. UDP
- C. WinRM
- D. FTP
- Answer: C. WinRM
Windows Event Forwarding uses the Windows Remote Management (WinRM) protocol to forward events from the source to the collector.
True or False: Kernel events can be collected via Windows Event Log service collection methods.
- Answer: True
Windows Event Log service can be configured to collect various types of log data, including kernel events.
Which tool is used to create and manage subscriptions for Windows Event Forwarding?
- A. Event Viewer
- B. Event Subscription Tool
- C. Performance Monitor
- D. Security and Compliance Toolkit
- Answer: A. Event Viewer
Event Viewer has an integrated feature to create and manage subscriptions for Windows Event Forwarding.
Interview Questions
What are Windows Security events?
Windows Security events are system-generated event logs that provide information about user activity, security-related events, and errors or warnings.
What is the Event ID of a successful user logon event in Windows Security event logs?
The Event ID of a successful user logon event in Windows Security event logs is 4624.
How can you collect Windows Security events?
You can collect Windows Security events using the Microsoft Monitoring Agent (MMA) or a Syslog server.
What is the benefit of collecting Windows Security events in Microsoft Sentinel?
Collecting Windows Security events in Microsoft Sentinel can help you detect and respond to security incidents by providing real-time alerts and visibility into user activity and security events.
What are the steps to configure a Windows Security event collection in Microsoft Sentinel?
The steps to configure a Windows Security event collection in Microsoft Sentinel include preparing the environment, configuring the Microsoft Monitoring Agent, and configuring the collection in Microsoft Sentinel.
How can you validate a Windows Security event collection in Microsoft Sentinel?
You can validate a Windows Security event collection in Microsoft Sentinel by checking the event count, ensuring that events are being processed and stored in the Log Analytics workspace, and reviewing the event details in the Log Analytics workspace.
What are some common issues that can occur when collecting Windows Security events?
Some common issues that can occur when collecting Windows Security events include agent connectivity issues, configuration errors, and incorrect data formatting.
How can you troubleshoot Windows Security event collection issues?
You can troubleshoot Windows Security event collection issues by reviewing the agent logs, checking the connectivity of the agent and the destination workspace, and reviewing the Azure Diagnostics logs.
How often are Windows Security events collected by default in Microsoft Sentinel?
Windows Security events are collected by default every 15 minutes in Microsoft Sentinel.
What are some use cases for Windows Security event collection in Microsoft Sentinel?
Some use cases for Windows Security event collection in Microsoft Sentinel include detecting and responding to insider threats, detecting lateral movement in the network, and detecting malware infections.
Great post! This really helped me understand how to set up event collections for Windows Security.
I’m having trouble configuring the Data Collector Set. Any tips?
What specific events should I be looking for in Windows Security logs for SC-200?
Can you collect Windows Security events using Azure Sentinel as well?
The blog post was very insightful, thanks!
Didn’t find it useful. Could use more detailed steps.
Is there any way to automate alert generation for specific security events?
What logs are essential to monitor for compliance with SC-200?