Enabling Windows Event Log Analysis
Note: the steps on this page require access to SUPERORG. Request it from your administrator; users of an organization are not allowed to access other organizations.
Windows Event Log Analysis can be performed with or without agents. Enabling it involves the following steps.
1. First, configure the Elastic server connection in the SUPERORG settings (on-premise deployments). Switch to SUPERORG from the organization selector at the top left and select Security Management -> Settings. In this section, configure the Elastic username and password. By default, Elastic uses port 9200.
2. From Rules & Policies -> Artifact Collection Parameters -> Windows Event Log Rules menu, rules for collecting logs are configured. The rules specify the filter to be executed for log collection. The filter is executed, and the matched records are sent to Elastic for initial storage.
3. A Windows Event Log rule consists of the following configuration sections:
a. Name: The name given to the rule.
b. Description: An optional description of the rule.
c. Channel: The log type (event log channel) to be collected from the endpoint.
d. Filter: XPath is used to define the filter. The predicate `TimeCreated[@SystemTime >= #{last_collection_time}]` must be included in the filter. `#{last_collection_time}` is a variable the platform uses to track the last execution time, so that each run only queries events newer than the previous collection. More information on XPath filters is available at https://powershell.org/2019/08/a-better-way-to-search-events/.
e. Tags: A tag can be added to matched events.
f. Mitre Technique: A MITRE technique value can be added to matched events.
g. Risk Score: A risk score can be set for matched events.
h. Labels: A label can be added to matched events.
i. Is Malicious: The malicious flag can be set for matched events.
4. Once the rules are configured, a policy should be created to select which Windows Event Log rules will be executed for collection. Create a policy from Rules & Policies -> Policy Management -> Policy Rules with the type Windows Event Log Analysis. From the policy settings, set the time interval for log collection and the rules for collection.
5. The final step is to assign the policy to the groups. From Rules & Policies -> Policy Management -> Group Management settings, choose the created policy. The group members will retrieve the policy and start the log collection.
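To check a rule filter (step 3d) against a local endpoint before saving it in the platform, here is an added PowerShell example that is not part of the product documentation. The Security channel, event ID 4625 and the 24-hour window are constructed sample values, and the string substitution only imitates what the platform does with `#{last_collection_time}` at run time.

```powershell
# Added example: dry-run a Windows Event Log rule filter locally with Get-WinEvent.
# Run in an elevated PowerShell session (reading the Security log requires admin rights).
$Channel = 'Security'   # constructed sample value for the rule's Channel section

# Rule filter as it would be entered in the Filter section. The TimeCreated predicate on
# #{last_collection_time} is mandatory so each run only collects events newer than the last one.
$FilterTemplate = "*[System[(EventID=4625) and TimeCreated[@SystemTime >= '#{last_collection_time}']]]"

# Reject a filter that omits the mandatory predicate before running it.
if ($FilterTemplate -notmatch 'TimeCreated\[@SystemTime\s*>=\s*') {
    throw 'Filter must contain TimeCreated[@SystemTime >= #{last_collection_time}]'
}

# Imitate the platform's substitution (assumption: ISO 8601 UTC, the format Windows uses
# for SystemTime). For this dry run "last collection" is taken as 24 hours ago.
$LastCollection = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$Filter = $FilterTemplate.Replace('#{last_collection_time}', $LastCollection)

try {
    $Events = @(Get-WinEvent -LogName $Channel -FilterXPath $Filter -ErrorAction Stop)
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result set.
    if ($_.Exception.Message -like '*No events were found*') { $Events = @() } else { throw }
}

"Channel : $Channel"
"XPath   : $Filter"
"Matched : $($Events.Count) event(s)"
$Events | Select-Object -First 5 TimeCreated, Id, ProviderName | Format-Table -AutoSize
```

If the dry run matches the events you expect, the same template can be pasted into the rule's Filter section unchanged.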