Windows Security Events
- Updated on 01 May 2025
Windows Security Events are events written by the Windows operating system's built-in auditing subsystem to the Security event log. They record security-relevant activity such as logon attempts, account and group management changes, and audit or security policy changes, which makes them a primary source for detecting and investigating security incidents. Note that an event is only written if the corresponding audit subcategory is enabled in the local or domain audit policy. For more information about the individual events, refer to the documentation.
Integration Method: Data Collector
Tables: File System Activity (1001), Device Config State (5002), Authentication (3002), Datastore Activity (6005), Device Config State Change (5019), Account Change (3001), Entity Management (3004)
Prerequisites
The Windows system must be a supported version (see the Compatibility Matrix below) and the Data Collector must be installed and configured on it.
The user should have access to the DataBee console.
Configuration Overview
Install the Data Collector on your Windows machine and prepare an event filter for the data feed.
Create Windows Security Events Data Feed in the DataBee console.
Data Collector Configuration
In order to receive Windows Security Events, a Data Collector must be installed and configured on the Windows machine. The Data Collector reads events from the Windows Security log and forwards them to DataBee over an encrypted connection. For more information, refer to the DataBee website.
Log in to the DataBee UI and click the Settings icon in the top right corner of the UI.
From the dropdown menu, select System.
From the left sidebar, select Data Collectors. The page will display all the data collectors configured, if any.
To create a new data collector, scroll to the bottom of the page and click Add Data Collector.
Fill in the required fields to add data collector:
Collector Name: enter the name of your Data Collector.
OS: select Windows option.
Click Next to proceed to the next step. The Installation steps window will appear.
Copy the following parameters by clicking Copy to Clipboard, then click Close. You will need them during installation. Treat the API Key as a credential: it authenticates the collector to DataBee, so store it only where the installation requires it.
Install Script
Tenant ID
Receiver URL
Collector ID
API Key
Windows Configuration
Compatibility Matrix
Supported Platforms for Windows systems acting as collector(s):
| OS | Supported version(s) | Supported architecture |
|---|---|---|
| Windows Server | WS2022 LTSC (Standard Edition) | x86_64 (64-bit) |
Install Data Collector
Open the PowerShell terminal as the Administrator.
Note
Use PowerShell version 7 or above, as lower versions are not compatible.
Run the install script you copied from the DataBee console.
When prompted, enter the collector configuration details (Tenant ID, Receiver URL, Collector ID, API Key) that you copied in the earlier step.
Note
Avoid using Ctrl + V to paste the API key. Instead, double-click to insert it.
On successful installation, you will see the following message on the terminal: Installation completed successfully.
Configuration Filters
Open the Event Viewer app.
In Event Viewer, select Windows Logs > Security. In the Actions pane on the right-hand side, click Filter Current Log.
Choose the relevant filters, for example restricting by Event ID to the event types listed below.
Click the XML tab, copy the query for later use, and then click OK. You will paste this filter query into the DataBee feed configuration.
DataBee supports the following event types:
| Event | Description |
|---|---|
| 1102 | The audit log was cleared |
| 4618 | A monitored security event pattern has occurred |
| 4624 | An account was successfully logged on |
| 4692 | Backup of data protection master key was attempted |
| 4693 | Recovery of data protection master key was attempted |
| 4713 | Kerberos policy was changed |
| 4714 | Encrypted data recovery policy was changed |
| 4715 | The audit policy (SACL) on an object was changed |
| 4716 | Trusted domain information was modified |
| 4719 | System audit policy was changed |
| 4724 | An attempt was made to reset an account's password |
| 4727 | A security-enabled global group was created |
| 4754 | A security-enabled universal group was created |
| 4755 | A security-enabled universal group was changed |
| 4794 | An attempt was made to set the Directory Services Restore Mode |
| 4897 | Role separation enabled |
| 4964 | Special groups have been assigned to a new logon |
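The XML query copied from Event Viewer can be checked locally before it is pasted into the feed. The following PowerShell is an added example, not part of the DataBee documentation or tooling: it builds a Security-channel query restricted to the event IDs in the table above (so the feed does not forward events DataBee will not parse), runs it with Get-WinEvent to confirm the query is well formed and matches events on this host, and prints the query text for the feed's Query field. It assumes an elevated PowerShell session, since reading the Security log requires administrative rights.

```powershell
# Added example (not DataBee code): build and validate an Event Viewer style
# XML query for the Security channel, limited to the event IDs DataBee accepts.
# Run from an elevated PowerShell session; reading the Security log needs admin.

# Event IDs taken from the supported-events table above.
$supportedIds = 1102, 4618, 4624, 4692, 4693, 4713, 4714, 4715, 4716,
                4719, 4724, 4727, 4754, 4755, 4794, 4897, 4964

# Event Viewer's "Filter Current Log" XML tab produces the same
# QueryList/Query/Select structure; the XPath selects only the listed IDs.
$selectExpr = ($supportedIds | ForEach-Object { "EventID=$_" }) -join ' or '
$filterXml  = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[($selectExpr)]]</Select>
  </Query>
</QueryList>
"@

# Validate the query against the local Security log. A malformed query throws
# immediately; "No events were found" only means nothing matched yet.
try {
    $events = @(Get-WinEvent -FilterXml ([xml]$filterXml) -MaxEvents 200 -ErrorAction Stop)
}
catch {
    if ($_.Exception.Message -like '*No events were found*') {
        $events = @()
    }
    else {
        throw
    }
}

# Summarise which supported IDs occur in the most recent 200 matches, to spot
# IDs that never fire because their audit subcategory is disabled on this host.
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count | Format-Table -AutoSize

$seenIds = @($events | ForEach-Object { $_.Id } | Select-Object -Unique)
$missing = $supportedIds | Where-Object { $_ -notin $seenIds }
if ($missing) {
    Write-Host "Supported IDs with no recent matching events: $($missing -join ', ')"
    Write-Host "Run 'auditpol /get /category:*' to confirm the relevant subcategories are enabled."
}

# Paste this text into the feed's Query field in the DataBee console.
Write-Output $filterXml
```

If the query throws on a host where the Security log is known to contain events, the XPath is the problem, not the collector; fix it here before touching the feed configuration. An empty summary for an ID you expect (for example 4624 on a domain controller) points at audit policy, which the collector cannot change.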
DataBee Configuration
Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for Windows Security Events and select it.
Select Data Collector as the collection method.
Select the Windows Events option to poll Windows events from the Windows machine.
Enter the feed contact information, select the collector that you have created, and click on the Next button.
Fill the required details to configure the data feed:
Refresh Interval (seconds): how often the Data Collector polls the channel for new events. The available options are 1, 5, 10, and 20; select 1 second for optimum performance.
Channels: enter Security, the Windows event channel from which the Data Collector will retrieve events.
Read Historical Events (optional): enable this to collect all events already present in the log (disabled by default). This may produce duplicate data.
Query (optional): to filter the events collected, paste the XML filter query copied from Event Viewer in the earlier step.
Click on the Next button.
Click on the Submit button.
Troubleshooting Tips
Ensure that the DataBee receiver is reachable from the machine running the Data Collector, for example by opening a terminal and running the ping <server_ip> command. Keep in mind that ping tests ICMP only; a firewall may drop ICMP while the receiver's HTTPS port is still reachable, so a TCP connection test to the Receiver URL's host and port is the more conclusive check.
If you encounter any issues regarding log forwarding, refer to the DataBee troubleshooting document for detailed guidance.
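The install and troubleshooting steps above can be folded into a single pre-flight script run on the Windows machine before the install script. The following PowerShell is an added example, not DataBee's own tooling: it checks the PowerShell 7 requirement and the elevated session required by Install Data Collector, tests TCP reachability of the Receiver URL rather than relying on ICMP, and confirms the Security channel is readable. The Receiver URL is a placeholder; substitute the value copied from the DataBee console. Test-NetConnection is the Windows NetTCPIP cmdlet, so this runs on Windows only.

```powershell
# Added example (not DataBee code): pre-flight checks for the Install Data
# Collector step and the reachability check in Troubleshooting Tips.
# Replace the placeholder with the Receiver URL copied from the DataBee console.
$receiverUrl = 'https://receiver.example.invalid'   # placeholder, assumed value

$problems = @()

# 1. The install script requires PowerShell 7 or later.
if ($PSVersionTable.PSVersion.Major -lt 7) {
    $problems += "PowerShell $($PSVersionTable.PSVersion) found; version 7 or later is required."
}

# 2. The install must run from an elevated (Administrator) session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'Session is not elevated; open PowerShell as Administrator.'
}

# 3. Reachability of the receiver. ping only tests ICMP, which firewalls often
#    drop while HTTPS is allowed, so test the actual TCP port instead.
#    [uri].Port returns the scheme default (443 for https) when none is given.
$uri = [uri]$receiverUrl
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $problems += "Cannot open TCP $($uri.Host):$($uri.Port); check DNS, proxy and outbound firewall rules."
}

# 4. The collector polls the Security channel, so it must be readable here.
try {
    $null = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop
}
catch {
    # An empty log also throws; only a real access problem is reported.
    if ($_.Exception.Message -notlike '*No events were found*') {
        $problems += "Cannot read the Security log: $($_.Exception.Message)"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    Write-Host 'Pre-flight checks passed; run the install script.'
}
```

Run the script from the same session in which you intend to run the install script, so the version and elevation checks reflect the environment the installer will actually see.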