Windows Security Events

Windows Security Events are events logged by the Windows operating system's built-in auditing system, known as the Security Event Log. These events include information about security-related activities such as login attempts, account management changes, and security policy changes, which are crucial for detecting and investigating security incidents. For more information about the events refer the documentation.

Integration Method: Data Collector

Tables: File System Activity (1001), Device Config State (5002), Authentication (3002), Datastore Activity (6005), Device Config State Change (5019), Account Change (3001), Entity Management (3004)

Prerequisites

• The user should have a compatible version of the Windows system and configure the data collector.

• The user should have access to the DataBee console.

Configuration Overview

1. Configure the Data Collector.

2. Install the Data Collector on your machine and configure filters for the data feed.

   1. Install the Data Collector

   2. Configure Filters

3. Create Windows Security Events Data Feed in the DataBee console.
   

Data Collector Configuration

In order to receive logs from Windows Security Events, a Data Collector must be installed and configured. The data collector receives logs from Windows Security Events and sends them to DataBee, encrypted. For more information refer to the DataBee website.

1. Login to the DataBee UI, click on the Settings icon at the top right corner of the UI.

   • From the dropdown menu, select System.
      

2. From the left sidebar, select Data Collectors. The page will display all the data collectors configured, if any.
    

3. To create a new data collector, scroll to the bottom of the page and click on the Add Data Collector.
    

4. Fill in the required fields to add data collector:

   • Collector Name: enter the name of your Data Collector.

   • OS: select Windows option.

   Click Next to proceed to the next step. Installation steps windows will appear.

   

5. Copy the following parameters by clicking Copy to Clipboard. Click on Close.

   • Install Script

   • Tenant ID

   • Receiver URL

   • Collector ID

   • API Key  

    

Windows Configuration

Compatibility Matrix
Supported Platforms for Windows systems acting as collector(s):

Install Data Collector

1. Open the PowerShell terminal as the Administrator.
   

   Note

   Use PowerShell version 7 or above, as lower versions are not compatible.

2. Run the install script command.
    

3. Enter the collector configuration details that you have copied in the earlier step.

   Note:

   Please avoid using Ctrl + V to paste the API key. Instead, double-click to insert it. 

    

4. On successful installation, you will see the following message on the terminal: Installation completed successfully.
    

Configuration Filters

1. Open Event Viewer App.
    

2. In the Event Viewer app, select a Windows Logs > Security channel. On the right-hand side, under the Actions panel, click Filter Current Log.
    

3. You can choose the relevant filters.
    

4. Click the XML tab, copy the query for later use, and then click OK. This filter query will be pasted on the DataBee feed configuration.
    

   DataBee supports the following event types:

   Event	Description
   1102	The audit log was cleared
   4618	A monitored security event pattern has occurred
   4692	Backup of data protection master key was attempted
   4693	Recovery of data protection master key was attempted
   4713	Kerberos policy was changed
   4714	Encrypted data recovery policy was changed
   4715	The audit policy (SACL) on an object was changed
   4716	Trusted domain information was modified
   4719	System audit policy was changed
   4724	An attempt was made to reset an account's password
   4727	A security-enabled global group was created
   4754	A security-enabled universal group was created
   4755	A security-enabled universal group was changed
   4794	An attempt was made to set the Directory Services Restore Mode
   4897	Role separation enabled
   4964	Special groups have been assigned to a new logon
   4624	An account was successfully logged on

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for Windows Security Events and click it as shown below.
    

3. Click on the Data Collector option for collection method.
    

4. Click on the Windows Events option to poll windows events from windows machine.
    

5. Enter the feed contact information, select the collector that you have created, and click on the Next button.
    

6. Fill the required details to configure the data feed:

   • Refresh Interval (seconds): select 1 second to achieve optimum performance. The available options are 1, 5, 10, and 20.

   • Channels: enter the Security, from which the Data Collector will retrieve events.

   • Read Historical Event (optional): enable Read Historical Events to collect all existing events (disabled by default). This may cause duplicate data.

   • Query (optional): to filter data, paste the query for the relevant filter from the earlier step.

   Click on the Next button.

   
   

7. Click on the Submit button.
    

Troubleshooting Tips

• Ensure that the server is reachable by opening the terminal on the receiver machine and running ping <server_ip> command. 

   

• If you encounter any issues regarding log forwarding, refer to the DataBee troubleshooting document for detailed guidance.