Microsoft Windows Event Log Integration Guide
The Microsoft Windows Event Log can be read by a number of third-party products that forward its events to a Secureworks® Taegis™ XDR Data Collector for security event monitoring. An XDR Data Collector accepts Windows Event Logs in the Snare over Syslog format.
Examples of vendors that support the forwarding of Microsoft Windows Event logs in the Snare over Syslog format are:
Commercial Products:
- Intersect Alliance Snare Enterprise
- NXLog Enterprise
- TIBCO Universal Collector
- Syslog-ng Agent for Windows
Open Source Products:
- NXLog Community Edition (CE)
Please refer to the vendor’s site for purchasing and configuration guidance.
Connectivity Requirements
Source | Destination | Port/Protocol
---|---|---
Windows server | Taegis™ XDR Collector (mgmt IP) | UDP/514
Data Provided from Integration
Auth | DHCP | DNS | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty
---|---|---|---|---|---|---|---|---|---
Microsoft Windows Event Log (Microsoft-Windows-Security-Auditing) | D | Y | Y | D | Y | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Important
The data source must be configured to report timestamps as UTC to ensure that XDR reports the correct time zone.
Note
NXLog CE does not support converting the timestamp to UTC. If that is required, a different product such as NXLog Enterprise Edition must be used.
Snare Agent Logging Documentation
Important
Configure the Snare agent using the Snare-over-Syslog format, which is required for XDR.
See the Intersect Alliance documentation for the Snare Enterprise Windows Agent linked below.
- Snare Enterprise — Windows Event Log (WEL), Microsoft DNS Debug Log, Microsoft IIS log, and Microsoft DHCP log collection.
Legacy Secureworks Snare Agent Documentation
Note
Intersect Alliance has discontinued support for the Secureworks version of the Snare Enterprise agent, now considered legacy. We recommend using the retail version of the Snare Windows Agent. Please contact snaresupport@prophecyinternational.com for assistance in obtaining licensing for the retail version.
Access the legacy documentation for the Secureworks version of the Snare Enterprise and Epilog agents below:
- Snare SCWX Windows Agent Documentation — Windows Event Log (WEL) collection.
- Snare SCWX Epilog Agent Documentation — Microsoft DNS Debug Log, Microsoft IIS log, and Microsoft DHCP log collection.
NXLog Template Downloads
Important
This configuration template is provided as a convenience to XDR customers. We provide best-effort troubleshooting for our customers, but questions around advanced configuration or issues should be resolved with the vendor.
- nxlog_WEL.txt — This template is for NXLog CE configuration in Snare over Syslog format.
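As an added illustration of what such a template does (this is a constructed example, not the nxlog_WEL.txt file above and not Secureworks' or NXLog's own configuration), the following minimal NXLog CE configuration reads the Security channel with im_msvistalog, converts each record to Snare over Syslog with xm_syslog's to_syslog_snare(), and sends it to the collector on UDP/514. The collector address 192.0.2.10 is a placeholder.

```apacheconf
# Constructed example, not the nxlog_WEL.txt template. Replace 192.0.2.10
# (a TEST-NET placeholder) with the XDR Data Collector's management IP.
<Extension _syslog>
    Module       xm_syslog
</Extension>

# Read the Security channel (Microsoft-Windows-Security-Auditing) from the
# Windows Event Log. SavePos avoids re-sending old events after a restart;
# ReadFromLast starts at the newest event on first run.
<Input wel_security>
    Module       im_msvistalog
    SavePos      True
    ReadFromLast True
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Emit each event in the Snare over Syslog format the collector expects,
# delivered over UDP/514 as listed in the connectivity requirements.
<Output xdr_collector>
    Module       om_udp
    Host         192.0.2.10
    Port         514
    Exec         to_syslog_snare();
</Output>

<Route wel_to_xdr>
    Path         wel_security => xdr_collector
</Route>
```

This example does not address the UTC requirement noted above: NXLog CE cannot rewrite the timestamp, so the host must already report time in UTC or a different product must be used.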