Centralizing Windows Logs (Forwarded Events)
Source: SGBox Next Generation SIEM & SOAR knowledge base, https://www.sgbox.eu/en/knowledge-base/centralizing-windows-logs/ (Wed, 05 Jun 2024)

You can use the tools in this article to centralize your Windows event logs from multiple servers and desktops. By properly administering your logs, you can track the health of your systems, keep your log files secure, and filter contents to find specific information. It is possible for a Windows server to forward its events to a collector server. In this scenario, the collector server becomes a central repository for Windows logs from other servers (called event sources) in the network. The stream of events from a source to a collector is called a subscription. This procedure demonstrates how to set it up. These steps work on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2019. We are using two Active Directory Domain–joined Windows Server 2012 systems. The domain name is mytestdomain.com and both machines are registered with the domain.


Enable the Windows Remote Management Service

Windows Remote Management (WinRM) is a protocol for exchanging information across systems in your infrastructure. You must enable it on each of your source computers to exchange log files.

  • Remotely log into the source computer (MYTESTSQL) as a local or domain administrator.
  • Enable Windows Remote Management Service from a Command Prompt:
winrm quickconfig

If it is already running, a message similar to this example is displayed.

Configure the Windows Event Collector Service

You must enable the Windows Event Collector Service on your collector server to allow it to receive logs from your sources.

  • Remotely log into the collector computer (MYTESTSERVER) as a local or domain administrator.
  • Configure the Windows Event Collector Service from a Command Prompt:
wecutil qc

If prompted as in the example, press y.

Configure the Event Log Readers Group

By default, certain logs are restricted to administrators. This may cause problems when receiving logs from other systems. To avoid this, you can grant access to the collector computer by adding it to the Event Log Readers group.

  • Go back to the source computer (MYTESTSQL).
  • Open Server Manager.
  • Open Computer Management.
  • Expand Local Users and Groups node from the Navigation pane and select Groups.
  • Double-click Event Log Readers.
  • Click Add to open the Select Users, Computers, Service Accounts, or Groups dialog.
  • Click Object Types.
  • Check Computers and click OK.
 
  • Enter MYTESTSERVER as the object name and click Check Names. If the computer account is found, it is confirmed with an underline.
  • Click OK twice to close the dialog boxes.
 


Configure Windows Firewall

If the source computer is running Windows Firewall, ensure it allows Remote Event Log Management and Remote Event Monitor traffic.


Create a Subscription

Subscriptions define the relationship between a collector and a source. You can configure a collector to receive events from any number of sources (a source-initiated subscription), or specify a limited set of sources (a collector-initiated subscription). In this example, we create a collector-initiated subscription since we know which computer logs we want to receive.

  • Start the Event Viewer application on the collector server MYTESTSERVER.
  • Select Subscriptions from the Navigation pane.
  • Click Create Subscription in the Actions pane.

 

  • On the Subscription Properties, enter the following as shown in the example:
    Subscription name: MYTESTSQL_EVENTS
    Description: Events from remote source server MYTESTSQL
    Destination log: Forwarded Events
    Select Collector initiated and click Select Computers to open the Computers dialog.
 
  • Click Add Domain Computers.
  • Enter MYTESTSQL as the object name and click Check Names. If the computer is found, it is confirmed with an underline.
  • Click OK.
 
  • Click OK to return to the Subscription Properties.
  • Click Select Events to open the Query Filter and enter the following to set the remote server to forward all application events from the last 24 hours:
    Logged: Last 24 hours
    Check all Event levels
    Select By log
    Event logs: Select Application from the drop-down list
 
  • Click OK to return to the Subscription Properties.
  • Click Advanced to open the Advanced Subscription Settings and enter the following:
    Select Machine Account
    Select Minimize Latency
    Protocol: HTTP
    Port: 5985
 
  • Click OK to return to the Subscription Properties.
  • Click OK to close.
 

The Subscription node in the collector computer event viewer now shows the new subscription.

Verify Events on Collector Computer

Select Forwarded Events from the Navigation pane on the collector computer.

The Computer column in the Details pane indicates the events are from the remote computer MYTESTSQL.MYTESTDOMAIN.COM. You can enable or disable the collector subscription by right-clicking on the subscription and choosing Disable. The status of the subscription is then shown as disabled in the main window. An active collector subscription does not mean it is succeeding. To see if the collector can connect to the source, right-click on the subscription and select Runtime Status. In this example, the collector can’t connect to the source. By default, it retries every five minutes.

If all is OK, Subscription Runtime Status shows a green tick with an active status.


Create a Custom View (Optional)

Once the events are forwarded, you can create custom views to see the consolidated events. For example, you might create a custom view for error events. This example creates a custom view for SQL Server–related messages. A collector computer may host thousands of records from dozens of servers. Using a custom view enables you to create order from an overload of information. 


AWA – Advanced Windows Audit
Source: SGBox knowledge base, https://www.sgbox.eu/en/knowledge-base/awa-advanced-windows-audit/ (Fri, 02 Jul 2021)

How to configure and run AWA – Advanced Windows Audit

AWA is an SGBox feature that builds on Microsoft's free Sysmon tool to increase the visibility of your Windows environment. AWA helps detect malicious activity and gives a deeper understanding of what happens inside Windows machines by tracking many events in detail, such as DNS queries, inbound/outbound connections, registry changes, file tampering, process creation, process memory usage, and many more.

AWA PACKAGE

The AWA package comes with a rich set of dashboards to explore and drill into the information gathered. SGBox's easy approach to customization lets customers extend the base packages to their needs by creating new LCE detections, reports and dashboards.

REAL TIME MONITORING

It is very easy and useful to create specific alerts from the detailed AWA-generated events to monitor under-the-hood processes and potentially malicious activity.

MITRE ATT&CK MAPPING

Based on Olaf Hartong's work on the Sysmon configuration file, AWA can also map specific events to the MITRE ATT&CK framework. The AWA package extends this mapping with specific features such as the online Tactics & Techniques matrix viewer and the contextual Technique browser embedded in the dashboard.

CUSTOMIZABLE

The AWA Sysmon configuration file is completely customizable, so the starting set can be extended to generate the events a customer needs by updating the configuration. For example, it is possible to monitor the termination of a specific process, changes made to a specific registry key and many other otherwise hidden events.

EASY SETUP

The AWA package is extremely easy to install and deploy, so switching from normal to in-depth visibility is a matter of minutes. Sysmon and its SGBox-customized configuration can be deployed through a GPO login script or any other software distribution tool, and no machine reboot is required. Once the Sysmon executable has been deployed, you just need to install the SGBox Advanced Windows Auditing package to have everything up and running.

First of all, download Sysmon and its configuration file, and install it on the computers you want to monitor.

TIP: The package currently supports Sysmon v13.02, so be sure to install and configure that Sysmon version. Follow the previous links to download the right Sysmon version and the corresponding configuration file.
Then download the AWA package from SGBox: SCM > Application > Packages > AWA – Advanced Windows Audit. Once installed, run the package, select the hosts with Sysmon installed, then click Install.
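An added example, not SGBox's package code nor Olaf Hartong's configuration, of the two customizations mentioned under CUSTOMIZABLE (termination of a specific process, changes to a specific registry key) together with the install-or-update logic a GPO login script would carry. It assumes Sysmon64.exe and the AWA configuration have been copied to C:\Tools; the process name, the rule group names and the paths are hypothetical.

```powershell
# Added example, not SGBox's own package code. Extends the AWA Sysmon
# configuration with Event ID 5 (ProcessTerminate) for one process and
# Event ID 12/13 (RegistryEvent) for one key, then installs or updates Sysmon.
# Paths, the process name and the rule group names are assumptions.
$sysmonExe  = 'C:\Tools\Sysmon64.exe'          # Sysmon v13.02 binary
$awaConfig  = 'C:\Tools\awa-sysmonconfig.xml'  # SGBox-customized config
$mergedPath = 'C:\Tools\awa-sysmonconfig-merged.xml'

$extraRules = @'
<Sysmon>
  <EventFiltering>
    <RuleGroup name="AWA-custom-terminate" groupRelation="or">
      <ProcessTerminate onmatch="include">
        <Image condition="end with">\sqlservr.exe</Image>
      </ProcessTerminate>
    </RuleGroup>
    <RuleGroup name="AWA-custom-registry" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Sysmon -c replaces the whole configuration rather than merging, so fold the
# new rules into the AWA file. If it already has an include block for the same
# event type, add the conditions there; otherwise append the new rule group.
[xml]$awa   = Get-Content -Path $awaConfig -Raw
[xml]$extra = $extraRules
foreach ($rule in $extra.SelectNodes('/Sysmon/EventFiltering/RuleGroup/*')) {
    $xpath  = "/Sysmon/EventFiltering/RuleGroup/$($rule.LocalName)[@onmatch='$($rule.onmatch)']"
    $target = $awa.SelectSingleNode($xpath)
    if ($target) {
        foreach ($cond in $rule.ChildNodes) { [void]$target.AppendChild($awa.ImportNode($cond, $true)) }
    } else {
        [void]$awa.SelectSingleNode('/Sysmon/EventFiltering').AppendChild($awa.ImportNode($rule.ParentNode, $true))
    }
}
$awa.Save($mergedPath)

# Sysmon64.exe registers a service named Sysmon64: update its configuration
# if present, otherwise install. Neither path needs a reboot.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmonExe -c $mergedPath
} else {
    & $sysmonExe -accepteula -i $mergedPath
}
& $sysmonExe -c   # dump the active configuration to confirm the rules loaded
```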

The AWA package, as explained above, creates many classes, reports and dashboards. You can see the Sysmon events in the Windows Sysmon Events class.
Select one of the events of interest and analyze it.

Look in the event for the MITRE technique ID; in this case it is the TID parameter.

From SCM > Dashboard > Dashboard, create a new dashboard and select Mitre Att&ck. Select the parameters you want to see, in particular the Mitre parameter.

The discovered techniques light up on the dashboard.


Configure SNMP service on Windows
Source: SGBox knowledge base, https://www.sgbox.eu/en/knowledge-base/configure-snmp-service-on-windows/ (Tue, 17 Dec 2019)

The Simple Network Management Protocol (SNMP)

This section explains how to configure the SNMP service on Windows systems in order to monitor the server and collect detailed information about it.

Requirements:

  • The SNMP service must be installed.

If you want to check or install the SNMP service, follow these steps:
Click Windows > Administrative Tools > Server Manager.
Select Manage > Add Roles and Functions and install SNMP.

Click Windows > Administrative Tools > Services.
Right-click SNMP Service and select Properties.
Switch to the Security tab.
Choose the community name and add the SGBox IP address to the accepted hosts.

Click on Apply.
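The same setup done from PowerShell on Windows Server, as an added example that is not from the SGBox article: it installs the service, registers a read-only community, and restricts accepted hosts to the SGBox address. The community string and the SGBox IP are placeholders to replace; the registry layout is the one the Security tab writes to.

```powershell
# Added example (not from the SGBox article). Run from an elevated prompt on
# Windows Server. The community string and SGBox address are placeholders.
$community = 'CHANGE-ME-community'   # treat it like a password, not 'public'
$sgboxIp   = '192.0.2.10'            # SGBox collector (documentation address)

# Equivalent of Server Manager > Add Roles: install SNMP only if missing.
if ((Get-WindowsFeature -Name SNMP-Service).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name SNMP-Service | Out-Null
}

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Security tab > accepted community names. The DWORD is the permission:
# 1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE, 16 READ CREATE.
# Monitoring only needs READ ONLY (4); a collector should never get write.
$communities = Join-Path $params 'ValidCommunities'
New-Item -Path $communities -Force | Out-Null
New-ItemProperty -Path $communities -Name $community -Value 4 `
    -PropertyType DWord -Force | Out-Null

# Security tab > "Accept SNMP packets from these hosts". Entries are numbered
# string values; rebuilding the list drops the default "1 = localhost" entry
# so only the SGBox address can query this host.
$managers = Join-Path $params 'PermittedManagers'
Remove-Item -Path $managers -Recurse -ErrorAction SilentlyContinue
New-Item -Path $managers -Force | Out-Null
New-ItemProperty -Path $managers -Name '1' -Value $sgboxIp `
    -PropertyType String | Out-Null

# The service reads its parameters at start, so restart it, then show them.
Restart-Service -Name SNMP
Get-ItemProperty -Path $communities, $managers
```

SNMP v1/v2c carries the community string in clear text, so the accepted-hosts list is the control that actually limits who can query the server; keep the community non-guessable all the same.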
