Microsoft Windows Event Log Integration Guide

integrations endpoints microsoft

The Microsoft Windows Event Log can be accessed by various products, facilitating the forwarding of Windows Event Logs to a Secureworks® Taegis™ XDR Data Collector for security event monitoring. A XDR Data Collector accepts Windows Event Logs in the Snare over Syslog format.

Examples of vendors that support the forwarding of Microsoft Windows Event logs in the Snare over Syslog format are:

Commercial Products:

Intersect Alliance Snare Enterprise
NXLog Enterprise
TIBCO Universal Collector
Syslog-ng Agent for Windows

Open Source Products:

NXLog Community Edition (CE)

Please refer to the vendor’s site for purchasing and configuration guidance.

Connectivity Requirements ⫘

Source	Destination	Port/Protocol
Windows server	Taegis™ XDR Collector (mgmt IP)	UDP/514

Data Provided from Integration ⫘

	Auth	DHCP	DNS	File	HTTP	Management	Netflow	NIDS	Process	Thirdparty
Microsoft Windows Event Log (Microsoft-Windows-Security-Auditing)	D			Y		Y	D		Y	Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Important

The data source must be configured to report timestamps as UTC to ensure that XDR reports the correct time zone.

Note

NXLog CE does not support changing the timestamp into UTC. If that is required, a different product like NXlog Enterprise Edition is required.

Intersect Alliance Documentation ⫘

Snare Enterprise — Windows Event Log (WEL) collection.
Epilog Enterprise — Microsoft DNS Debug Log collection.

NXLog Template Downloads ⫘