Skip to content

Enterprise Mobility + Security


Network traffic collection is the main data source Advanced Threat Analytics (ATA) uses to detect threats and abnormal behavior. It also analyzes event log ID 4776, and will likely collect additional events in the future. This is why we’re devoting a topic to understanding methods and configuration for event collection.

You can configure the ATA gateway, both lightweight and standalone, to collect the event via a syslog listener and/or using Windows Event Forwarding (WEF). We recommend using the syslog listener if a SIEM is available and supported. If a supported SIEM is unavailable, you would use WEF.

SIEM
Today, ATA supports four SIEM products: RSA Security Analytics, HP ArcSight, Splunk, and IBM QRadar. The SIEM needs to collect the 4776 event from all Domain Controllers (DC) ATA is monitoring. You need to configure the SIEM to then forward the collected 4776 event from the DCs to an ATA gateway.

You can forward all 4776 events from all DCs to a single gateway in the ATA deployment. The gateway will receive the events, process them and send them to the ATA center. If you have 100% standalone gateways or a mixed gateway deployment, forward the events to a standalone gateway close to the SIEM. The following diagram depicts this configuration, which ensures the load is put on a dedicated server vs. a domain controller.

siem-graphic

If you have a 100% lightweight deployment, forward the events to a gateway that is not only close to the ATA center and SIEM, but also has a lower load than other DCs in the site. The following diagram depicts this configuration.

siem-graphic-2

Windows Event Forwarding
Windows Event Forwarding is a built-in technology that allows you to collect events from Windows operating systems. You can read some basic primers on WEF here and here.

Leverage WEF when you don’t have a supported SIEM in the environment to collect the 4776 event and forward it. WEF can use collector-initiated (pull) or source-initiated (push) subscriptions to get the events from the DCs.

 

Lightweight Gateway—Collector-Initiated
For lightweight gateways, we recommend a collector-initiated subscription configured on the domain controller. Collector-initiated means the subscription will pull the events from the endpoint. The subscription and the endpoint are the same host, so neither the collector nor the endpoint will utilize any network resources. You will need to configure the subscription on each lightweight gateway, which you can script with wecutil.exe.

To script this configuration for LWGWs, you will need a template XML file. Here is a sample you can use:

<?xml version=”1.0″ encoding=”UTF-8″?>

<Subscription xmlns=”http://schemas.microsoft.com/2006/03/windows/events/subscription“>

<SubscriptionId>ATA-4776</SubscriptionId>

<SubscriptionType>CollectorInitiated</SubscriptionType>

<Description></Description>

<Enabled>true</Enabled>

<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

<ConfigurationMode>Normal</ConfigurationMode>

<Delivery Mode=”Pull”>

<Batching>

<MaxLatencyTime>900000</MaxLatencyTime>

</Batching>

<PushSettings>

<Heartbeat Interval=”900000″/>

</PushSettings>

</Delivery>

<Query>

<![CDATA[

<QueryList><Query Id=”0″><Select Path=”Security”>*[System[(EventID=4776)]]</Select></Query></QueryList>

]]>

</Query>

<ReadExistingEvents>false</ReadExistingEvents>

<TransportName>HTTP</TransportName>

<TransportPort>5985</TransportPort>

<ContentFormat>RenderedText</ContentFormat>

<Locale Language=”en-US”/>

<LogFile>ForwardedEvents</LogFile>

<PublisherName>Microsoft-Windows-EventCollector</PublisherName>

<CredentialsType>Default</CredentialsType>

<EventSources>

<EventSource Enabled=”true”>

<Address>lwgw.contoso.com</Address>

</EventSource>

</EventSources>

</Subscription>

 

Here is the sample PowerShell to create the subscription based on the template.

Import-Module ActiveDirectory

#Copy the template locally

$FileLocation = “\\server\share”

Copy-Item $FileLocation\ATA-4776.xml $ENV:TEMP

#Configure WinRM

winrm qc -quiet

#configure WinEvent Collection service

wecutil.exe qc /q:true

#Get Computer SID

$strDNSName = (Get-ADComputer $ENV:Computername).DNSHostName

#Replace the SID in the temp XML

(Get-Content “$ENV:TEMP\ATA-4776.xml”) -replace ‘lwgw.contoso.com’, “$strDNSName”| Set-Content “$ENV:TEMP\ATA-4776.xml”

#Configure the Subscription

wecutil.exe cs “$ENV:TEMP\ATA-4776.xml”

 

Gateway—Source-Initiated

For domain controllers monitored by gateways, we recommend configuring a source-initiated subscription on the gateway to receive the events from the DCs. You will need to configure the DCs with a subscription manager group policy setting. You can target the subscription manager at the respective DCs using security filtering.

Here are some screen shots of subscription manager configuration found under Computer Policy \ Administrative Templates \ Windows Components \ Event Forwarding – Configure Target Subscription Manager

 

wef-confi-mixed-envir

wef-confi-mixed-envir-2

wef-confi-mixed-envir-3

To recap, we recommend:

  • DCs with LWGW use a local collector-initiated subscription.
  • DCs monitored by a GW use a source-initiated subscription.

The following diagram depicts the WEF configuration for a mixed environment.

wef-confi-mixed-envir-4

 

For questions or feedback contact me directly:

Nicholas DiCola

ndicola@microsoft.com

Principal Program Manager

C+E Security CxP Team