Introduction
Using DataSet, an organization can monitor all of its Microsoft Windows security events from within a single view. This can be accomplished by gathering Windows Event logs, application logs, and metrics, and using the Scalyr Agent to send them through an encrypted connection to DataSet's Event Data Cloud.
Once the data is in DataSet, it is simple to perform forensic analysis on all logs from one to thousands of machines at once. By configuring DataSet Alerts, you can be alerted almost instantly when errors occur.
Since DataSet can ingest events from a wide range of sources, this data can be correlated to other systems such as firewalls, routers, Azure, and Office 365 logs. Through consolidated logging and metrics tracking, an organization can monitor the performance, availability, and security of all its systems and build dashboards to visualize the health of all systems at a glance. Through alerts, the near real-time detection of Windows security events can provide clues to upcoming problems well before they strike.
Before you begin
This guide will walk you through the setup of Windows security event monitoring within DataSet. There are a few things to know before getting started and several prerequisites. Note that DataSet is not a SIEM; however, as demonstrated here, it can be applied to specific security use cases.
This guide applies to Windows 8 (until its end of support in January 2023), Windows 10, Windows 11, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022.
Objectives
- Download the Scalyr Agent for Windows and install it on each Windows Server you wish to monitor (or consolidate events on a single Windows Server via Windows Event Forwarding).
- Configure the Windows Events Monitor to gather security events.
- View the logs in DataSet search
- Set up a customized alerts template that triggers on suspicious behavior
DataSet Alerts are highly customizable, so you can use the example provided below as a starting point, but we recommend tailoring it to your environment.
Tutorial
Install the Scalyr Agent on a Windows Server
- Download the Scalyr Agent for Windows and run it. It will ask for Administrator privileges to install itself.
- Enter an API key with write permissions in the agent configuration file, which opens automatically in Notepad at the end of the installation (it can also be found under C:\Program Files (x86)\Scalyr\config). Be sure to edit it as Administrator.
Configure the Windows Events Monitor to gather security events
1. Add your API Key (as explained above). It can be found in your DataSet Account.
2. [Optional] Update the Scalyr Agent's configuration file to upload custom logs, such as IIS, firewall, or other application logs.
Modify the following stanza to point to the logs you want to collect:
logs: [
{
path: "C:\\WebServer\\logs\\access.log",
attributes: {parser: "accessLog"}
}
]
3. Add the Windows Event Log Monitor. The query below forwards every severity level (0 through 4) from the Application, Security and System channels. Keep Level=0 in it: audit events in the Security channel are written at level 0 (LogAlways), so a query restricted to levels 1 to 4 would silently drop them.
monitors: [
{
module: "scalyr_agent.builtin_monitors.windows_event_log_monitor",
channels: [
{
"channel": [ "Application", "Security", "System" ],
"query": "*[System/Level=0 or System/Level=1 or System/Level=2 or System/Level=3 or System/Level=4]"
}
]
}
]
4. [Optional] Deploy the MSI and the configuration file to every server or desktop you want to monitor; a GPO is a good way to manage the MSI deployment. Windows Event Forwarding (WEF) is an alternative: install the agent only on the collector and, in that case, add "ForwardedEvents" to the channel list in the monitor configuration above.
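The monitor can only forward what the local audit policy actually writes to the Security log, and several of the event IDs used later in this guide (scheduled tasks, registry changes, firewall and filtering-platform events, credential validation) are silent on a default install. The following script is an added example and is not part of this article or of the Scalyr Agent: it enables the auditpol subcategories that produce those IDs and then reports, per subcategory, the effective setting and how many matching events the Security log holds. The subcategory names are the English auditpol names and the ID-to-subcategory mapping follows Microsoft's security auditing reference; the Success/Failure choices are assumptions to tune for your environment. Run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the DataSet article): enable and verify the audit
# subcategories that generate the event IDs this guide alerts on.

# Subcategory -> event IDs (from the table in this guide). Packet-drop and
# connection auditing are failure-only on purpose: success auditing of every
# allowed packet floods the log and your ingest volume.
$AuditMap = @(
    @{ Sub = 'Logon';                            Ids = 4624, 4625, 4648;                         Success = $true;  Failure = $true  }
    @{ Sub = 'Logoff';                           Ids = @(4634);                                  Success = $true;  Failure = $false }
    @{ Sub = 'Special Logon';                    Ids = @(4964);                                  Success = $true;  Failure = $false }  # 4964 also needs the SpecialGroups registry value
    @{ Sub = 'User Account Management';          Ids = 4720, 4722, 4723, 4725, 4738, 4740, 4767; Success = $true;  Failure = $true  }
    @{ Sub = 'Security Group Management';        Ids = 4728, 4732, 4756, 4735, 4737, 4755;       Success = $true;  Failure = $true  }
    @{ Sub = 'Other Account Management Events';  Ids = @(4782);                                  Success = $true;  Failure = $true  }
    @{ Sub = 'Kerberos Authentication Service';  Ids = @(4772);                                  Success = $false; Failure = $true  }
    @{ Sub = 'Credential Validation';            Ids = @(4777);                                  Success = $false; Failure = $true  }
    @{ Sub = 'Audit Policy Change';              Ids = @(4719);                                  Success = $true;  Failure = $true  }
    @{ Sub = 'Security State Change';            Ids = @(4616);                                  Success = $true;  Failure = $true  }
    @{ Sub = 'Security System Extension';        Ids = @(4697);                                  Success = $true;  Failure = $true  }
    @{ Sub = 'Registry';                         Ids = @(4657);                                  Success = $true;  Failure = $true  }  # 4657 also needs a SACL on the keys you care about
    @{ Sub = 'Other Object Access Events';       Ids = 4698, 4699, 4700, 4701, 4702;             Success = $true;  Failure = $true  }
    @{ Sub = 'MPSSVC Rule-Level Policy Change';  Ids = 4946, 4947, 4950, 4954;                   Success = $true;  Failure = $true  }
    @{ Sub = 'Other System Events';              Ids = @(5025);                                  Success = $true;  Failure = $true  }
    @{ Sub = 'Filtering Platform Policy Change'; Ids = @(5447);                                  Success = $true;  Failure = $true  }
    @{ Sub = 'Filtering Platform Packet Drop';   Ids = 5152, 5153;                               Success = $false; Failure = $true  }
    @{ Sub = 'Filtering Platform Connection';    Ids = 5031, 5155, 5157;                         Success = $false; Failure = $true  }
)
# 1102 (audit log cleared) is always written and needs no subcategory.

function Set-RequiredAuditPolicy {
    foreach ($entry in $AuditMap) {
        $s = if ($entry.Success) { 'enable' } else { 'disable' }
        $f = if ($entry.Failure) { 'enable' } else { 'disable' }
        # One argument per element; PowerShell quotes the subcategory name for us.
        $apArgs = @('/set', "/subcategory:$($entry.Sub)", "/success:$s", "/failure:$f")
        & auditpol.exe @apArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$($entry.Sub)'" }
    }
}

function Test-RequiredAuditPolicy {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)
    foreach ($entry in $AuditMap) {
        # /r prints CSV; the 'Inclusion Setting' column is the effective policy.
        $row = & auditpol.exe /get "/subcategory:$($entry.Sub)" /r |
               Where-Object { $_ -ne '' } | ConvertFrom-Csv | Select-Object -First 1
        # Get-WinEvent raises a terminating error when nothing matches; treat it as zero.
        $count = 0
        try {
            $filter = @{ LogName = 'Security'; Id = $entry.Ids; StartTime = $since }
            $count = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop).Count
        } catch { $count = 0 }
        [pscustomobject]@{
            Subcategory = $entry.Sub
            Setting     = $row.'Inclusion Setting'
            ExpectedIds = ($entry.Ids -join ',')
            EventsSeen  = $count
        }
    }
}

Set-RequiredAuditPolicy
Test-RequiredAuditPolicy | Format-Table -AutoSize
```

A subcategory that reports "Success and Failure" but zero events seen is usually a missing SACL (4657) or simply no activity yet; "No Auditing" after running the script means a Group Policy is overriding the local setting. On domain members, put the same subcategories in the Advanced Audit Policy Configuration of the GPO that applies to the monitored hosts, otherwise the next policy refresh reverts them.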
View the logs in DataSet and learn to search
In DataSet you should now see a new serverHost and its log files. Click windows_event_log_monitor.log to explore the events from that single server.
You will be taken to the search page. To aggregate all servers, remove the server filter from the top "Logs to search" field. You can reference our query syntax to refine the search more.
In the facets column on the left-hand side there are two important keys: EventID and channel.
You can write a query to find one or more event IDs. In this case we want to find successful logons (4624):
($EventID == 4624) $logfile = "C:\\Program Files (x86)\\Scalyr\\log\\windows_event_log_monitor.log"
On a busy server this brings back a noisy result set, because 4624 is also generated for every network, service and batch logon. Interactive logons (at the console or over Remote Desktop) record User32 as the logon process, so adding the free-text term "user32" narrows the results to those and drops the rest:
"user32" ($EventID == 4624) $logfile = "C:\\Program Files (x86)\\Scalyr\\log\\windows_event_log_monitor.log"
Useful Windows Event Ids
Event ID | What it means |
4624 | Successful account log on |
4625 | Failed account log on |
4634 | An account logged off |
4648 | A logon attempt was made with explicit credentials |
4719 | System audit policy was changed. |
4964 | A special group has been assigned to a new log on |
1102 | Audit log was cleared. This can relate to a potential attack |
4720 | A user account was created |
4722 | A user account was enabled |
4723 | An attempt was made to change the password of an account |
4725 | A user account was disabled |
4728 | A user was added to a privileged global group |
4732 | A user was added to a privileged local group |
4756 | A user was added to a privileged universal group |
4738 | A user account was changed |
4740 | A user account was locked out |
4767 | A user account was unlocked |
4735 | A privileged local group was modified |
4737 | A privileged global group was modified |
4755 | A privileged universal group was modified |
4772 | A Kerberos authentication ticket request failed |
4777 | The domain controller failed to validate the credentials of an account. |
4782 | Password hash an account was accessed |
4616 | System time was changed |
4657 | A registry value was changed |
4697 | An attempt was made to install a service |
4698, 4699, 4700, 4701, 4702 | Events related to Windows scheduled tasks being created, modified, deleted, enabled, or disabled |
4946 | A rule was added to the Windows Firewall exception list |
4947 | A rule was modified in the Windows Firewall exception list |
4950 | A setting was changed in Windows Firewall |
4954 | Group Policy settings for Windows Firewall has changed |
5025 | The Windows Firewall service has been stopped |
5031 | Windows Firewall blocked an application from accepting incoming traffic |
5152, 5153 | A network packet was blocked by Windows Filtering Platform |
5155 | Windows Filtering Platform blocked an application or service from listening on a port |
5157 | Windows Filtering Platform blocked a connection |
5447 | A Windows Filtering Platform filter was changed |
Set up an alerts template
Now that you have seen how to query the data, refine the searches to your needs before turning them into alerts. Microsoft's security auditing documentation describes each of these events in detail, including what to look for.
To do this:
- Navigate to the Alerts page
- Click "Settings" to open the alerts JSON (Video Explanation: https://youtu.be/s5XhogirGig?t=136)
The following is a templated version of the events table above; refine it to meet your specific needs. Two things to tune before deploying it: a threshold of 0 means a single event fires the alert, which is right for rare events such as 1102 or 4719 but will page continuously on 4624, 4634 and 4625, so give those a rate threshold or remove them; and the group-membership events (4728, 4732, 4756 and the 4735/4737/4755 changes) fire for every security-enabled group, so filter their triggers on the group names you care about. You can also refer to https://youtu.be/s5XhogirGig?t=168 for an explanation of how DataSet Alerts templates work.
{
alerts: [
// security events
{
templateParameters: [
{event: 4624, description: "Successful account log on", threshold: 0},
{event: 4625, description: "Failed account log on", threshold: 0},
{event: 4634, description: "An account logged off", threshold: 0},
{event: 4648, description: "A logon attempt was made with explicit credentials", threshold: 0},
{event: 4719, description: "System audit policy was changed.", threshold: 0},
{event: 4964, description: "A special group has been assigned to a new log on", threshold: 0},
{event: 1102, description: "Audit log was cleared. This can relate to a potential attack", threshold: 0},
{event: 4720, description: "A user account was created", threshold: 0},
{event: 4722, description: "A user account was enabled", threshold: 0},
{event: 4723, description: "An attempt was made to change the password of an account", threshold: 0},
{event: 4725, description: "A user account was disabled", threshold: 0},
{event: 4728, description: "A user was added to a privileged global group", threshold: 0},
{event: 4732, description: "A user was added to a privileged local group", threshold: 0},
{event: 4756, description: "A user was added to a privileged universal group", threshold: 0},
{event: 4738, description: "A user account was changed", threshold: 0},
{event: 4740, description: "A user account was locked out", threshold: 0},
{event: 4767, description: "A user account was unlocked", threshold: 0},
{event: 4735, description: "A privileged local group was modified", threshold: 0},
{event: 4737, description: "A privileged global group was modified", threshold: 0},
{event: 4755, description: "A privileged universal group was modified", threshold: 0},
{event: 4772, description: "A Kerberos authentication ticket request failed", threshold: 0},
{event: 4777, description: "The domain controller failed to validate the credentials of an account.", threshold: 0},
{event: 4782, description: "Password hash an account was accessed", threshold: 0},
{event: 4616, description: "System time was changed", threshold: 0},
{event: 4657, description: "A registry value was changed", threshold: 0},
{event: 4697, description: "An attempt was made to install a service", threshold: 0},
{event: 4946, description: "A rule was added to the Windows Firewall exception list", threshold: 0},
{event: 4947, description: "A rule was modified in the Windows Firewall exception list", threshold: 0},
{event: 4950, description: "A setting was changed in Windows Firewall", threshold: 0},
{event: 4954, description: "Group Policy settings for Windows Firewall has changed", threshold: 0},
{event: 5025, description: "The Windows Firewall service has been stopped", threshold: 0},
{event: 5031, description: "Windows Firewall blocked an application from accepting incoming traffic", threshold: 0},
{event: 5155, description: "Windows Filtering Platform blocked an application or service from listening on a port", threshold: 0},
{event: 5157, description: "Windows Filtering Platform blocked a connection", threshold: 0},
{event: 5447, description: "A Windows Filtering Platform filter was changed", threshold: 0},
],
alerts: [
{
alertAddress: "joel@demo.com",
description: "#description#",
gracePeriodMinutes: 0,
renotifyPeriodMinutes: 0,
resolutionDelayMinutes: 0,
trigger: "countPerSecond:1 minutes(($EventID == #event#) ($logfile = \"C:\\\\Program Files (x86)\\\\Scalyr\\\\log\\\\windows_event_log_monitor.log\")) > #threshold#"
},
]
},
// server uptime monitor if a server goes down
{
byHosts: {
filter: "", // Blank means "all hosts"
fields: ["serverHost"], // Retrieve the "serverHost" (hostname) field for use in alert templates.
// (You can specify "serverHost", "serverIP", and/or any server-level fields
// defined in the Scalyr Agent configuration.)
maxAgeHours: 4 // Ignore hosts which have not sent any data in the last 4 hours
},
alerts: [
{
alertAddress: "alerts@demo.com",
description: "#serverHost# Showing no Logs",
gracePeriodMinutes: 0,
renotifyPeriodMinutes: 0,
resolutionDelayMinutes: 0,
trigger: "count:5 minutes($serverHost == '#serverHost#') == 0"
}
]
}
]
}
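Hand-editing a templateParameters list this long is how duplicate entries and flat zero thresholds creep in. The script below is an added example, not part of this article or of DataSet: it builds the templateParameters block from an event table, drops duplicate event IDs (each duplicate would otherwise create a second, identical alert), assigns a per-event threshold instead of a flat 0, and expands the trigger for each event the way DataSet's #placeholder# substitution does, so every query can be pasted into DataSet search and checked for noise before the alert is armed. The event list, thresholds, alert address and renotify interval are assumptions to tune; the trigger syntax and log path are the ones used in the template above.

```powershell
# Added example (not from the DataSet article): generate and dry-run the
# templateParameters block for the alerts JSON.

$LogFile = 'C:\Program Files (x86)\Scalyr\log\windows_event_log_monitor.log'

# Event table (assumed selection): threshold is events per second over the
# 1-minute window the trigger uses; 0 = alert on any occurrence. Rate thresholds
# for 4624/4625 turn "someone logged on" into "logon volume spiked".
$Events = @(
    @{ Id = 1102; Desc = 'Audit log was cleared';                        Threshold = 0 }
    @{ Id = 4719; Desc = 'System audit policy was changed';              Threshold = 0 }
    @{ Id = 4720; Desc = 'A user account was created';                   Threshold = 0 }
    @{ Id = 4732; Desc = 'A user was added to a privileged local group'; Threshold = 0 }
    @{ Id = 4697; Desc = 'An attempt was made to install a service';     Threshold = 0 }
    @{ Id = 4625; Desc = 'Failed account log on (burst)';                Threshold = 0.5 }  # ~30 failures in a minute
    @{ Id = 4624; Desc = 'Successful account log on (volume spike)';     Threshold = 5 }    # ~300 logons in a minute
    @{ Id = 4732; Desc = 'duplicate entry, will be dropped';             Threshold = 0 }
)

# The page's trigger, with the log path escaped once for the query language.
$TriggerTemplate = 'countPerSecond:1 minutes(($EventID == #event#) ($logfile = "' +
                   ($LogFile -replace '\\', '\\') + '")) > #threshold#'

function New-TemplateParameters {
    param([array]$Table)
    $seen = @{}
    foreach ($e in $Table) {
        if ($seen.ContainsKey($e.Id)) {
            Write-Warning "Duplicate event ID $($e.Id) skipped ('$($e.Desc)')"
            continue
        }
        $seen[$e.Id] = $true
        [ordered]@{ event = $e.Id; description = $e.Desc; threshold = $e.Threshold }
    }
}

function Expand-Trigger {
    # Same substitution DataSet applies to #event# and #threshold#.
    param($Param, [string]$Template)
    $Template.Replace('#event#', [string]$Param.event).Replace('#threshold#', [string]$Param.threshold)
}

$params = @(New-TemplateParameters -Table $Events)

$alertsConfig = [ordered]@{
    alerts = @(
        [ordered]@{
            templateParameters = $params
            alerts = @(
                [ordered]@{
                    alertAddress           = 'security-alerts@example.com'  # assumption: your address
                    description            = '#description#'
                    gracePeriodMinutes     = 0
                    renotifyPeriodMinutes  = 60   # do not re-page every minute while the condition persists
                    resolutionDelayMinutes = 5
                    trigger                = $TriggerTemplate
                }
            )
        }
    )
}

# 1) The JSON to paste into the alerts Settings page.
$alertsConfig | ConvertTo-Json -Depth 6

# 2) Dry run: one concrete query per event, ready to paste into DataSet search.
foreach ($p in $params) {
    '{0,-5} {1}' -f $p.event, (Expand-Trigger -Param $p -Template $TriggerTemplate)
}
```

Run each expanded query in search over a day of data before saving the JSON; if the 1-minute rate for an event routinely exceeds its threshold on healthy hosts, raise the threshold or add a filter (logon type, group name, source host) to that event's trigger rather than living with a permanently red alert.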