Windows Security Events
  • 01 May 2025

Windows Security Events are events logged by the Windows operating system's built-in auditing system, known as the Security Event Log. These events record security-related activity such as logon attempts, account management changes, and security policy changes, which is crucial for detecting and investigating security incidents. For more information about the events, refer to the Microsoft documentation.

Integration Method: Data Collector

Tables: File System Activity (1001), Device Config State (5002), Authentication (3002), Datastore Activity (6005), Device Config State Change (5019), Account Change (3001), Entity Management (3004)

Prerequisites

  • The user should have a compatible version of Windows (see the Compatibility Matrix below) and must configure the Data Collector.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Configure the Data Collector.

  2. Install the Data Collector on your machine and configure filters for the data feed.

    1. Install the Data Collector

    2. Configure Filters

  3. Create Windows Security Events Data Feed in the DataBee console.

Data Collector Configuration

In order to receive logs from Windows Security Events, a Data Collector must be installed and configured. The Data Collector reads the Windows Security Events and sends them, encrypted, to DataBee. For more information, refer to the DataBee website.

  1. Log in to the DataBee UI and click the Settings icon in the top-right corner of the UI.

    • From the dropdown menu, select System.

  2. From the left sidebar, select Data Collectors. The page lists all the data collectors configured so far, if any.

  3. To create a new data collector, scroll to the bottom of the page and click Add Data Collector.

  4. Fill in the required fields to add data collector:

    • Collector Name: enter the name of your Data Collector.

    • OS: select Windows option.

    Click Next to proceed to the next step. The Installation Steps window will appear.

  5. Copy the following parameters by clicking Copy to Clipboard. Click on Close.

    • Install Script

    • Tenant ID

    • Receiver URL

    • Collector ID

    • API Key

Windows Configuration

Compatibility Matrix

Supported platforms for Windows systems acting as collector(s):

  OS              Version(s) Support               Architecture Support
  Windows Server  WS2022 LTSC (Standard Edition)   X86_64 (64 bit)

Install Data Collector

  1. Open a PowerShell terminal as Administrator.

    Note

    Use PowerShell version 7 or above, as lower versions are not compatible.

  2. Run the Install Script command copied in the earlier step.

  3. Enter the collector configuration details (Tenant ID, Receiver URL, Collector ID, API Key) that you copied in the earlier step.

    Note:

    Please avoid using Ctrl + V to paste the API key. Instead, double-click to insert it.

  4. On successful installation, you will see the following message on the terminal: Installation completed successfully.

Configure Filters

  1. Open the Event Viewer app.

  2. In the Event Viewer app, select the Windows Logs > Security channel. On the right-hand side, under the Actions panel, click Filter Current Log.

  3. Choose the relevant filters (for example, the event IDs listed below).

  4. Click the XML tab, copy the query for later use, and then click OK. This filter query will be pasted into the DataBee feed configuration.

    DataBee supports the following event types:

    Event   Description
    1102    The audit log was cleared
    4618    A monitored security event pattern has occurred
    4692    Backup of data protection master key was attempted
    4693    Recovery of data protection master key was attempted
    4713    Kerberos policy was changed
    4714    Encrypted data recovery policy was changed
    4715    The audit policy (SACL) on an object was changed
    4716    Trusted domain information was modified
    4719    System audit policy was changed
    4724    An attempt was made to reset an account's password
    4727    A security-enabled global group was created
    4754    A security-enabled universal group was created
    4755    A security-enabled universal group was changed
    4794    An attempt was made to set the Directory Services Restore Mode
    4897    Role separation enabled
    4964    Special groups have been assigned to a new logon
    4624    An account was successfully logged on
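As an added example (not DataBee's own code or documentation), the PowerShell below builds the same XML query that Event Viewer's XML tab produces for the Security channel, restricted to the event IDs in the table above, and checks it with Get-WinEvent before it is pasted into the feed's Query field. The function names and the optional time window are this example's own assumptions; the event IDs are the ones listed on this page.

```powershell
# Added example, not DataBee's own code. Function names are this example's own.

# Event IDs DataBee supports, taken from the table above.
$SupportedEventIds = @(1102, 4618, 4692, 4693, 4713, 4714, 4715, 4716, 4719,
                       4724, 4727, 4754, 4755, 4794, 4897, 4964, 4624)

function New-SecurityEventFilterXml {
    param(
        [int[]]$EventId = $SupportedEventIds,
        # Optional window in milliseconds (86400000 = last 24 hours), in the
        # same timediff() form Event Viewer emits for "Logged: Last 24 hours".
        [long]$WithinMilliseconds = 0
    )
    # Event Viewer's XML tab emits this shape: a QueryList with one Query per
    # channel and an XPath Select over System/EventID. "<" has to be written
    # as &lt; inside the XML element, exactly as Event Viewer does.
    $idClause = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $timeClause = ''
    if ($WithinMilliseconds -gt 0) {
        $timeClause = " and TimeCreated[timediff(@SystemTime) &lt;= $WithinMilliseconds]"
    }
    return @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[($idClause)$timeClause]]</Select>
  </Query>
</QueryList>
"@
}

function Test-SecurityEventFilterXml {
    param(
        [Parameter(Mandatory)][string]$FilterXml,
        [int]$MaxEvents = 20
    )
    # Get-WinEvent accepts the same XML Event Viewer produces. A malformed
    # query throws here, rather than silently matching nothing once it is in
    # the feed. Reading the Security log requires an elevated session.
    try {
        $events = Get-WinEvent -FilterXml ([xml]$FilterXml) -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # "No events were found" is a valid outcome for a well-formed query.
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }
    return $events | Select-Object TimeCreated, Id, ProviderName
}

$query = New-SecurityEventFilterXml -WithinMilliseconds 86400000
$query                                           # paste this into the Query field
Test-SecurityEventFilterXml -FilterXml $query | Format-Table -AutoSize
```

Run it in the same elevated PowerShell 7 session used for the install. If the Filter Current Log dialog was filled in with the same comma-separated event IDs, its XML tab shows the same QueryList, so the two can be compared before the query goes into the feed; an empty result from Test-SecurityEventFilterXml only means no matching events were logged in the window, whereas a thrown error means the query itself needs fixing.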

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds, and click the Add New Data Feed button.

  2. Search for Windows Security Events and click it.

  3. Select Data Collector as the collection method.

  4. Select the Windows Events option to poll Windows events from the Windows machine.

  5. Enter the feed contact information, select the collector that you created, and click the Next button.

  6. Fill in the required details to configure the data feed:

    • Refresh Interval (seconds): select 1 second to achieve optimum performance. The available options are 1, 5, 10, and 20.

    • Channels: enter Security, the channel from which the Data Collector will retrieve events.

    • Read Historical Events (optional): enable Read Historical Events to collect all existing events (disabled by default). This may cause duplicate data.

    • Query (optional): to filter data, paste the query for the relevant filter from the earlier step.

    Click on the Next button.


  7. Click the Submit button.

Troubleshooting Tips

  • Ensure that the server is reachable by opening a terminal on the collector machine and running the ping <server_ip> command.

  • If you encounter any issues regarding log forwarding, refer to the DataBee troubleshooting document for detailed guidance.
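As an added example (not DataBee's own code), the PowerShell below extends the ping check above: it takes the Receiver URL copied from the Data Collector screen, pings its host, and also tests a TCP connection on the URL's port, which is what the collector actually needs and which ICMP alone does not prove. The function name and the placeholder URL are this example's own.

```powershell
# Added example, not DataBee's own code. The Receiver URL below is a placeholder.

function Test-ReceiverReachability {
    param([Parameter(Mandatory)][string]$ReceiverUrl)
    $uri = [System.Uri]$ReceiverUrl
    # Uri.Port falls back to the scheme default (443 for https) when the URL
    # does not state one, so the TCP check always has a port to use.
    $icmp = Test-Connection -TargetName $uri.Host -Count 2 -Quiet -ErrorAction SilentlyContinue
    $tcp  = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host       = $uri.Host
        Port       = $uri.Port
        IcmpReply  = [bool]$icmp   # ping, as in the tip above; may be blocked by policy
        TcpConnect = [bool]$tcp    # the result that matters for log forwarding
    }
}

$ReceiverUrl = 'https://receiver.example.invalid'   # replace with the copied Receiver URL
Test-ReceiverReachability -ReceiverUrl $ReceiverUrl
```

A host that answers ping but refuses the TCP port points at a firewall or proxy between the collector and DataBee rather than at name resolution; the reverse (no ping, TCP connects) is normal where ICMP is filtered and is not a forwarding problem.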

