Microsoft Windows Event Log Integration Guide
The Microsoft Windows Event Log can be accessed by various products, facilitating the forwarding of Windows Event Logs to a Secureworks® Taegis™ XDR Data Collector for security event monitoring. A Secureworks® Taegis™ XDR Data Collector accepts Windows Event Logs in the Snare over Syslog format.
Examples of vendors that support the forwarding of Microsoft Windows Event logs in the Snare over Syslog format are:
- Intersect Alliance Snare Enterprise
- NXLog Enterprise
- TIBCO Universal Collector
- Syslog-ng Agent for Windows
Open Source Products:
- NXLog Community Edition (CE)
Please refer to the vendor’s site for purchasing and configuration guidance.
Connectivity Requirements
Taegis™ XDR Collector (mgmt IP)
Data Provided from Integration
Microsoft Windows Event Log (Microsoft-Windows-Security-Auditing)
Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
The data source must be configured to report timestamps as UTC to ensure that Secureworks® Taegis™ XDR reports the correct time zone.
NXLog CE does not support converting the timestamp to UTC. If UTC timestamps are required, a different product such as NXLog Enterprise Edition must be used.
Intersect Alliance Documentation
- Snare Enterprise — Windows Event Log (WEL) collection.
- Epilog Enterprise — Microsoft DNS Debug Log collection.
NXLog Template Downloads
This configuration template is provided as a convenience to Secureworks® Taegis™ XDR customers. We provide best-effort troubleshooting for our customers, but questions about advanced configuration or issues should be resolved with the vendor.
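As an added illustration (not the Secureworks template referenced above and not vendor-supplied configuration), the following NXLog configuration reads the Windows Security log and forwards it in Snare over Syslog format using the xm_syslog module's to_syslog_snare() function; the collector address and port are placeholders, because this page does not specify them.

```nxlog
# Added example configuration (not the Secureworks template).
# Replace the Host and Port values in the output block with the Taegis XDR
# Collector management IP and the port it listens on (not given on this page).

# Provides to_syslog_snare(), which formats $raw_event as a Snare syslog line.
<Extension syslog>
    Module  xm_syslog
</Extension>

# Read the Security channel (Microsoft-Windows-Security-Auditing) from the
# Windows Event Log API.
<Input security_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Serialise each event into the Snare over Syslog format and send it over
# UDP syslog to the collector.
<Output xdr_collector>
    Module  om_udp
    # placeholder: collector management IP
    Host    198.51.100.10
    # placeholder: collector listening port
    Port    514
    Exec    to_syslog_snare();
</Output>

# Connect the input to the output.
<Route security_to_xdr>
    Path    security_eventlog => xdr_collector
</Route>
```

This covers transport and message format only; the UTC timestamp requirement stated above is not addressed here and, as noted on this page, cannot be met with NXLog CE.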