Send Event log to Sentinel

Send Event log to Sentinel

Send Event log to Sentinel

Why send Event log

Security is an important issue these days. Sending security event logs to Sentinel provides an additional level of security for onPrem servers. For this, we rely on Azure Sentinel, the SIEM from Microsoft. However, this operation has an Azure cost, so it is preferable to limit the events sent to the necessary logs (security, defender, etc.) In this post we will first set up the transfer of events on a collector via WinRMS and then configure the sending in Sentinel

Configure Certificate for WinRMS

Before to setup WinRMS, you need to configure Active Directory Certificate Services (ADCS) to issue certificate.

SentinelEventLog

From the ADCS server (subordinate server), open to IIS console and select CertEnroll Folder. Click on Directory Browsing..

Enable Directory Browing

Click on Enable.

Configure Directory Browsing

Select Default Web Site then click on Request Filtering.

Configure Request filtering

Click on Allow File Name Extension in Action pane.

Allow file name extention

Enter crl in the dialog that appears.

Add CRL extension

CRL extension has been added in IIS console.

CRL extension is present in the console

Run the command IIS Reset to restart IIS services.

IISReset for restart service

IIS is now been configured.

Configure Certificate template

From the Active Directory Certificate Services, right click on Certificate Templates and click on Manage.

create certificate template

Certificate Templates Console appear, right click on Computer template and click on Duplicate Template.

Create template

Configure Compatibility then click on General tab.

Compatibility tab on the template

Enter the desired name and check Publish certificate in Active Directory.

Publish certificate template in AD and configure name

Select Security tab and allow Enroll permission for Authentificated Users groups.

Configure Authentificated Users permission

Select Request Handling tab and check Allow private key to be exported.

Configure private key exported

Select Subject Name and check Supply in the request.

Configure Supply in the request option

Click on OK, the template is now in Certificate Templates Console.

Template is now been configured

Right click on Certificate Template to Issue to add the previously created certificate.

Select previously created certificate

Select WinRM template and click on OK.

Select WinRM template.

Extension in Authority Certification must be modify. Right click on Certification Authority and select Properties.

Access to the properties for modify extension

Select Extensions tab then select http extension. Check the following option.

  • Include in CRLs. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issued certificates.
Enable extension for the http

Select Authority Information Access (AIA) and select http extension. Select Include in the AIA extension of issued certificates.

Enable extension for AIA

Click on OK then on Yes for restart Active Directory Certificate Services.

Issue certificate

The certificate must be issue on the server. My domain controller is the source server (he contain the events to send to sentinel). I use one of my infrastructure servers for collect all events that it is necessary to send to sentinel.

From the domain controller, open mmc console and add Certificate (computer) snap-in.

mmc console with certificate snap in

Extend Personal and right click on Certificates. Select All Tasks then on Request New certificate.

access to the personal certificate

Select WinRM and click on More information is required to enroll for this certificate.

Select certificate

In the Subject name, select Common name then enter the FQDN of the domain controller. Click on Add.

Enter FQDN of the server

Select DNS in Alternative name then enter the FQDN of the domain controller. Click on Add to add the name. Repeat the same action for the Netbios name of the server.

Enter the name of the server in a certificate

Click on OK then on Enroll. The certificate is now issue.

Certificate is now issue

Certificate must be issue for the collected servers and the collector.

Create WinRM Listener

Before to create WinRM listener, you need to recover the thumbprint of the certificat. From the Collected server, open powershell console with administrative right and run the following command :

  • cd cert:
  • cd localmachine
  • cd my
  • ls

Copy the thumbprint of the desired certificate.

Copy Thumbprint

Open Dos prompt and run the following command (Enter the command manually as copy/paste may generate errors).

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="serverfqdn";CertificateThumbprint="1fd53031caf98df226428069ccfdf3152b6ddc2b"}
Create WinRM connector

Create firewall rules with the following command

netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" protocol=TCP dir=in localport=5986 action=allow
Add firewall rules

The WinRM listener for HTTP protcol can now be deleted. Run the following command to delete the listener.

winrm create winrm/config/Listener?Address=*+Transport=HTTP
Delete WinRM listenet

The WinRM listener is deleted.

The WinRM listener is deleted

Repeat the same step for all servers collected and the collector.

Test WinRM listener

Before to create subscription, it’s very important to test WinRMs connection. From the Powershell windows run the following command

Enter-PSSession -ComputerName myHost -UseSSL -Credential (Get-Credential)
Test Powershell connection

If connection is ok, you can create subscription.

Create Subscription

From the collectorn open a regedit console and modify the following registry key (this modification permit to two or more computers/servers connected to the same subscription.

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ Schannel
DWORD ClientAuthTrustMode must be set to 2
Regedit is modify

The listener must be configured to support certificate-based authentication. On the Collector server, open Command prompt and run the following command.

Enable certificat authentification

Repeat the same step in other collected and collector server.

The subscription can be created. From the collector server, open Event viewer console and select Subscription. A message appear, click on Yes.

Click on Yes on the message

Click on Create Subscription in the Actions panel.

Create subscription in event viewer

Enter the desired name and check Source computer initiated option.

Configure subsciption name and select source computer initiated

Click on Add Domain Computers for select the collected servers. Click on OK to validate selection.

Select the desired computer join to the domain

Click on Select Events for configure filter. This filter is used for send only the desired events.

Configure filter for send event

Configure filteras you want and click on OK.

Configure filter as you want

Click on Advanced then select HTTPS protocol.

Select HTTPS protocol

Click twice on OK. The subscriptions is now been created.

Subscription is now been created

Configure collected server

From the domain controller, open mmc console with Computer certificate snap-in.

Open MMC console

Right click on the previously issued certificate then click on All Tasks \ Manage Private Keys.

Manage certificate

Add Network Service and assign read permissioon.

Add Network Service and configure read permission

Create new domain group policy and configure the following parameter

Computer Configuration\Administrative Templates\Windows Components\Event Forwarding
Configure group policy

Enable Configure target Subscription Manager and enter the following value.

Server=HTTPS://<FQDN of the Event Collector server>:5986/wsman/SubscriptionManager/WEC,Refresh= <Refresh interval in seconds>
Enter FQDN for WinRM

Link the group policy with domain controller organizational unit and restart the computer. The server is now been configured.

Server is been configured

On the domain controller, open event viewer and access to the Eventlog-ForwardingPlugin log. You can see if there is an error or if all works fine.

Event viewer permit to view if subscription works

When i have implemented the subscription, i have the error : The subscription Security collector can not be created. The error code is 5004.

I have added on Event Log Readers group the Network Service account. After that I have restarted my domain controller.

Added Network service for fix error code 5004

After the reboot, the event has send to the collector.

subscription works perfectly

In the collector, the event has been fowarded.

Event has been fowarded

Enroll collector server in Azure ARC

Capturing events in Microsoft Sentinel requires a connection to the Log Analytics workspace. The WEC (Windows Event Collector) server must be registered with Microsoft Azure ARC.

From the Azure Portal, enter Azure Arc in the Search bar and click on Azure Arc.

Select Azure ARC Service

Click on Servers then on Add.

Add new server on Azure ARC

Click on Generate script in Add a single server.

Generate script for single server

Click on Next in prerequisites windows.

Click on Next in Prerequisites windows

Select Resource Group and click on Next.

Select resource group

Configure Tags as you want and click on Next. Click on Download or copy Powershell script.

Download Script or copy azure arc script

On the WEC Server, run the powershell script previously generated. Sign in in Azure with the browser

Add Server on Azure Arc Server

The server has been added on Azure ARC.

Server has been added

Add the Windows Forwarded Events Connector

From the Azure portal, enter Sentinel in the search bar.

Select Sentinel in Azure

Select the Azure Sentinel Workspace.

Select Azure Sentinel Workspace

Select the Data connectors blade.

Data connector blade

Enter Windows Forwarded Event and click on it.

Select Windows Forwarded Event

Click on Open connector page to configure it.

configure connector. Click on Open connector page

Click on Create data collection rule for enable data collection rule.

Enale Data collection rule

Enter Rule name and select Subscription and Resource group.

Configure Data collection rule

Click on Add resource and select the server previously added.

Server is previously added

We can select all events or custom.

select event that you want

Click on Create. Data collection rule has been configured.

Configure data collection rule

From the sentinel workspace, select Logs then close the windows that appear.

Select log and close windows

Enter the following query and click on Run.

WindowsEvent
| summarize count() by Computer
Event log has been send in sentinel

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.