Windows Event Forwarding (WEF) allows for the collection of Windows security events from remote systems to a central server. It relies on WinRM (Windows Remote Management) to transmit event data and does not require agents on the originating systems. WEF can use either a push (source-initiated) or pull (collector-initiated) subscription model.
Push Subscription:
Pull Subscription:
To configure event collection, follow these steps:
| Category | Event IDs | Description |
|---|---|---|
| Account Logon | 4624, 4625 | Successful and failed logon attempts. |
| Account Management | 4720, 4726 | User account creation and deletion. |
| Object Access | 4663 | Access to an object was requested. |
| Policy Change | 4704, 4902 | System audit policy was changed. |
| Privilege Use | 4672 | Special privileges assigned to new logon. |
| Detailed Tracking | 4688 | A new process has been created. |
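The following is an added example, not configuration from the original page: a PowerShell script that creates a source-initiated (push) WEF subscription on the collector, selecting exactly the Security event IDs in the table above. The subscription name `SecurityBaseline`, the `ForwardedEvents` destination log and the SDDL that allows the well-known Domain Computers group to forward are assumptions you would replace with your own values.

```powershell
# Added example (not from the original page): create a source-initiated WEF
# subscription on the collector for the Security event IDs in the table above.
# Assumptions: run elevated on the collector; "SecurityBaseline" and the SDDL
# granting "Domain Computers" are placeholders for your environment.

$subscriptionName = 'SecurityBaseline'
$eventIds = 4624, 4625, 4720, 4726, 4663, 4704, 4902, 4672, 4688

# Build the XPath selector: "EventID=4624 or EventID=4625 or ..."
$selector = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Baseline Security events for SC-200 collection design</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[($selector)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL placeholder: allow the well-known "Domain Computers" group (DC) to forward -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP "$subscriptionName.xml"
$subscriptionXml | Set-Content -Path $path -Encoding Unicode

# Ensure the Windows Event Collector service is configured and running,
# then load the subscription from the file just written.
wecutil qc /q
wecutil cs $path

# Show the stored subscription and its per-source runtime status
# (the status list stays empty until source computers check in over WinRM).
wecutil gs $subscriptionName
wecutil gr $subscriptionName
```

The `TransportName` is HTTP because, as the page notes, Kerberos-authenticated WinRM encrypts the message payload even without HTTPS; switch it to HTTPS where certificate-based authentication of non-domain sources is needed. Keeping the selector to a fixed list of IDs, rather than the whole Security log, is what keeps the collector and the downstream workspace from being flooded.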
When designing a security event collection strategy, consider the following best practices:
Effectively collecting and managing security event logs is a key part of a security operations analyst’s role. SC-200 candidates must be familiar with the design and configuration of Windows Security event collections, focusing on the appropriate event IDs, employing best practices, and ensuring that their configurations are secure and efficient. By following the outlined process, analysts can enhance threat detection and response capabilities within their organizations.
The Windows Event Collector Service is responsible for managing the subscriptions to events and the collection of those events from remote computers.
Answer: D) Verbose
The Verbose logging level records detailed information that can be helpful for in-depth troubleshooting.
Both the source and destination systems need to have appropriate Event Channels configured to facilitate the event collection process.
Answer: D) Windows Event Forwarding
Windows Event Forwarding allows the forwarding of security and other event log information to a central server.
Answer: C) Both A and B
Windows Event Forwarding subscriptions can be either collector initiated or source initiated.
SNMP is not required for configuring security event collections on Windows, as they use the Windows Remote Management (WinRM) service.
Answer: A) XML
Windows Event Forwarding uses the XML format to encode and transmit collected events from the source to the collector.
Although using HTTPS is one method to encrypt the transmission of event logs, other methods such as Windows Remote Management with Kerberos or NTLM authentication can also provide encrypted communication.
Answer: B) Source computers
In a source-initiated model, the source computers are configured to determine which events to forward, based on the subscription manager’s policy.
Answer: C) WinRM
Windows Event Forwarding uses the Windows Remote Management (WinRM) protocol to forward events from the source to the collector.
Windows Event Log service can be configured to collect various types of log data, including kernel events.
Answer: A) Event Viewer
Event Viewer has an integrated feature to create and manage subscriptions for Windows Event Forwarding.
Windows Security events are system-generated event logs that provide information about user activity, security-related events, and errors or warnings.
The Event ID of a successful user logon event in Windows Security event logs is 4624.
You can collect Windows Security events using the Microsoft Monitoring Agent (MMA) or a Syslog server.
Collecting Windows Security events in Microsoft Sentinel can help you detect and respond to security incidents by providing real-time alerts and visibility into user activity and security events.
The steps to configure a Windows Security event collection in Microsoft Sentinel include preparing the environment, configuring the Microsoft Monitoring Agent, and configuring the collection in Microsoft Sentinel.
You can validate a Windows Security event collection in Microsoft Sentinel by checking the event count, ensuring that events are being processed and stored in the Log Analytics workspace, and reviewing the event details in the Log Analytics workspace.
Some common issues that can occur when collecting Windows Security events include agent connectivity issues, configuration errors, and incorrect data formatting.
You can troubleshoot Windows Security event collection issues by reviewing the agent logs, checking the connectivity of the agent and the destination workspace, and reviewing the Azure Diagnostics logs.
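As an added example that is not part of the original page, the script below performs the collector-side half of the validation described above (counting events and confirming they are flowing) before the events ever reach the Log Analytics workspace. It assumes a subscription named `SecurityBaseline` that writes to the `ForwardedEvents` log and the same list of expected event IDs used earlier on this page.

```powershell
# Added example (not from the original page): validate a WEF subscription on
# the collector. Assumes the subscription name "SecurityBaseline" and that it
# delivers into the ForwardedEvents log; adjust both for your environment.

$subscriptionName = 'SecurityBaseline'
$lookback = (Get-Date).AddHours(-1)
$expectedIds = 4624, 4625, 4720, 4726, 4663, 4704, 4902, 4672, 4688

# 1. Per-source runtime status. Sources that are not "Active" usually point at
#    a WinRM listener or subscription-manager policy problem on that host.
wecutil gr $subscriptionName

# 2. Count what actually arrived in the last hour, per source and event ID.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    ID        = $expectedIds
    StartTime = $lookback
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No matching events in ForwardedEvents since $lookback; review the 'wecutil gr' output above and the WinRM configuration on the sources."
    return
}

$events |
    Group-Object MachineName, Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source';  e = { $_.Values[0] } },
                  @{ n = 'EventID'; e = { $_.Values[1] } },
                  Count |
    Format-Table -AutoSize

# 3. Expected IDs that never arrived are typically not generated at all because
#    the source's audit policy does not enable that subcategory, so the
#    subscription query has nothing to select.
$seenIds = $events.Id | Sort-Object -Unique
$missing = $expectedIds | Where-Object { $_ -notin $seenIds }
if ($missing) {
    Write-Warning "No events received for IDs: $($missing -join ', ')"
}
```

Run this on the collector after the subscription has been active for at least one heartbeat interval; if the collector shows the events but the workspace does not, the remaining gap is between the agent on the collector and Microsoft Sentinel, which narrows the troubleshooting described above to agent connectivity and configuration.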
Windows Security events are collected by default every 15 minutes in Microsoft Sentinel.
Some use cases for Windows Security event collection in Microsoft Sentinel include detecting and responding to insider threats, detecting lateral movement in the network, and detecting malware infections.