WEF – Windows Event Logging and Forwarding (Configuration and Design)

I never really thought about writing this, because I have been using Windows since IBM DOS and MS-DOS, but I realised recently that a lot of security folk don't have a clue about configuring Windows for threat detection and jump at an expensive EDR solution purely for monitoring Windows fleets, which isn't necessary. (please send me the cheque instead!)

Here is an overview of how to build rock-solid threat detection and hunting for Windows using native Windows event logging.

  • Windows 2019
  • Windows 7 – 2016
  • Active Directory / Group Policy
  • SYSMON
  • PowerShell
  • WEC and WEF
  • Why collect event logs from Windows workstations? If I have auditing enabled in Active Directory and on the servers in it, shouldn't that be enough? No! There are events generated on a Windows workstation that are stored only in that system's local event log and are not stored centrally without the use of Windows Event Forwarding. Below are some examples of use cases for Windows workstation events. While the focus of this document is on workstations, it can also be applied to servers, both in an Active Directory domain and in a workgroup…
  • Event Tracking for Windows
  • WinRM forwarders
    • WinRM inherent EPS limitations: given the circumstances with WinRM, the event rate has a limit of around 140 EPS (sustained). Therefore, we do not recommend using the WiSC SmartConnector to collect logs from Windows endpoints, as they generate higher EPS rates.
  • ATP
  • Defender
  • AppLocker
  • FIM
  • Files/Registry/Memory/Process/Applications/Users/Audit/AppLocker/USB/DNS
  • UberAgent

Micro Focus ArcSight SmartConnector for Windows Events

  • WiNC (Windows Native Connector) – Recommended for Production Environments
    • WiNC is a next-generation SmartConnector that supports native event log collection, using the .NET framework.
    • It is scalable
    • It provides high performance event log collection.
    • It can only be deployed on Windows Server operating systems.
    • See the SmartConnector for Microsoft Windows Event Log – Native ‘Configuration Guide’
    • WiNC SmartConnector is a high-performance SmartConnector that can handle large EPS volumes from Hosts.
    • Windows Event Collection (WEC) and Windows Event Forwarding (WEF) are native Microsoft technologies that support Windows event log collection in a Windows environment.
    • WiNC SmartConnector is capable of collecting “Forwarded Events or Other WEC Logs from Local Or Remote Hosts”. As such, you may consider deploying a suitable Windows Event Forwarding architecture for your organization.
    • WiNC can be deployed in the following ways:
      • Directly on the WEF aggregation point (WEC server).
      • Remotely on another Windows Server, to connect to and collect forwarded events from one or many WEC server(s).
