Kaspersky Next XDR Expert
1.1.9

Contents

[Topic 264776]

Configuring audit of events from Windows devices

You can configure event audit on Windows devices for an individual device or for all devices in a domain.

This section describes how to configure an audit on an individual device and how to use a domain group policy to configure an audit.

In this section

Configuring an audit policy on a Windows device

Configuring an audit using a group policy
Page top
[Topic 264777]

Configuring an audit policy on a Windows device

To configure audit policies on a device:

  1. Open the Run window by pressing the key combination Win+R.
  2. In the opened window, type secpol.msc and click OK.

    The Local security policy window opens.

  3. Select Security SettingsLocal policiesAudit policy.
  4. In the pane on the right, double-click to open the properties of the policy for which you want to enable an audit of successful and unsuccessful attempts.
  5. In the <Policy name> properties window, on the Local security setting tab, select the Success and Failure check boxes to track successful and interrupted attempts.

    It is recommended to enable an audit of successful and unsuccessful attempts for the following policies:

    • Audit Logon
    • Audit Policy Change
    • Audit System Events
    • Audit Logon Events
    • Audit Account Management

Configuration of an audit policy on the device is complete.

Page top
[Topic 264779]

Configuring an audit using a group policy

In addition to configuring an audit policy on an individual device, you can also configure an audit by using a domain group policy.

To configure an audit using a group policy:

  1. Open the Run window by pressing the key combination Win+R.
  2. In the opened window, type gpedit.msc and click OK.

    The Local Group Policy Editor window opens.

  3. Select Computer configurationWindows configurationSecurity settingsLocal policiesAudit policy.
  4. In the pane on the right, double-click to open the properties of the policy for which you want to enable an audit of successful and unsuccessful attempts.
  5. In the <Policy name> properties window, on the Local security setting tab, select the Success and Failure check boxes to track successful and interrupted attempts.

    It is recommended to enable an audit of successful and unsuccessful attempts for the following policies:

    • Audit Logon
    • Audit Policy Change
    • Audit System Events
    • Audit Logon Events
    • Audit Account Management

If you want to receive Windows logs from a large number of servers or if installation of KUMA agents on domain controllers is not allowed, it is recommended to configure Windows log redirection to individual servers that have the Windows Event Collector service configured.

The audit policy is now configured on the server or workstation.

Page top
[Topic 264780]

Configuring centralized receipt of events from Windows devices using the Windows Event Collector service

The Windows Event Collector service allows you to centrally receive data about events on servers and workstations running Windows. You can use the Windows Event Collector service to subscribe to events that are registered on remote devices.

You can configure the following types of event subscriptions:

  • Source-initiated subscriptions. Remote devices send event data to the Windows Event Collector server whose address is specified in the group policy. For details on the subscription configuration procedure, please refer to the Configuring data transfer from the event source server section.
  • Collector-initiated subscriptions. The Windows Event Collector server connects to remote devices and independently gathers events from local logs. For details on the subscription configuration procedure, please refer to the Configuring the Windows Event Collector service section.

In this section

Configuring data transfer from the event source server

Configuring the Windows Event Collector service
Page top
[Topic 264781]

Configuring data transfer from the event source server

You can receive information about events on servers and workstations by configuring data transfer from remote devices to the Windows Event Collector server.

Preliminary steps

  1. Verify that the Windows Remote Management service is configured on the event source server by running the following command in the PowerShell console:

    winrm get winrm/config

    If the Windows Remote Management service is not configured, initialize it by running the following command:

    winrm quickconfig

  2. If the event source server is a domain controller, make the Windows logs available over the network by running the following command in PowerShell as an administrator:

    wevtutil set-log security /ca:’O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

    Verify access by running the following command:

    wevtutil get-log security

Configuring the firewall on the event source server

To enable the Windows Event Collector server to receive Windows log entries, inbound connection ports must be opened on the event source server.

To open ports for inbound connections:

  1. On the event source server, open the Run window by pressing the key combination Win+R.
  2. In the opened window, type wf.msc and click OK.

    The Windows Defender Firewall with Advanced Security window opens.

  3. Go to the Inbound Rules section and click New Rule in the Actions pane.

    The New Inbound Rule Wizard opens.

  4. At the Rule type step, select Port.
  5. At the Protocols and ports step, select TCP as the protocol. In the Specific local ports field, indicate the relevant port numbers:
    • 5985 (for HTTP access)
    • 5986 (for HTTPS access)

    You can indicate one of the ports, or both.

  6. At the Action step, select Allow connection (selected by default).
  7. At the Profile step, clear the Private and Public check boxes.
  8. At the Name step, specify a name for the new inbound connection rule and click Done.

Configuration of data transfer from the event source server is complete.

The Windows Event Collector server must have the permissions to read Windows logs on the event source server. These permissions can be assigned to both the Windows Event Collector server account and to a special user account. For details on granting permissions, please refer to the Granting user permissions to view the Windows Event Log.

Page top
[Topic 264783]

Configuring the Windows Event Collector service

The Windows Event Collector server can independently connect to devices and gather data on events of any severity.

To configure the receipt of event data by the Windows Event Collector server:

  1. On the event source server, open the Run window by pressing Win+R.
  2. In the opened window, type services.msc and click OK.

    The Services window opens.

  3. In the list of services, find and start the Windows Event Collector service.
  4. Open the Event Viewer snap-in by doing the following:
    1. Open the Run window by pressing the key combination Win+R.
    2. In the opened window, type eventvwr and click OK.
  5. Go to the Subscriptions section and click Create Subscription in the Actions pane.
  6. In the opened Subscription Properties window, specify the name and description of the subscription, and define the following settings:
    1. In the Destination log field, select Forwarded events from the list.
    2. In the Subscription type and source computers section, click the Select computers button.
    3. In the opened Computers window, click the Add domain computer button.

      The Select computer window opens.

    4. In the Enter the object names to select (examples) field, list the names of the devices from which you want to receive event information. Click OK.
    5. In the Computers window, check the list of devices from which the Windows Event Collector server will gather event data and click OK.
    6. In the Subscription properties window, in the Collected events field, click the Select events button.
    7. In the opened Request filter window, specify how often and which data about events on devices you want to receive.
    8. If necessary, in the <All event codes> field, list the codes of the events whose information you want to receive or do not want to receive. Click OK.
  7. If you want to use a special account to view event data, do the following:
    1. In the Subscription properties window, click the Advanced button.
    2. In the opened Advanced subscription settings window, in the user account settings, select Specific user.
    3. Click the User and password button and enter the account credentials of the selected user.

Configuration of the Event Collector Service is complete.

To verify that the configuration is correct and event data is being received by the Windows Event Collector server:

In the Event Viewer snap-in, go to Event Viewer (Local)Windows logsForwarded events.

Page top
[Topic 264784]

Granting permissions to view Windows events

You can grant permissions to view Windows events for a specific device or for all devices in a domain.

To grant permissions to view events on a specific device:

  1. Open the Run window by pressing the key combination Win+R.
  2. In the opened window, type compmgmt.msc and click OK.

    The Computer Management window opens.

  3. Go to Computer Management (local)Local users and groupsGroups.
  4. In the pane on the right, select the Event Log Readers group and double-click to open the policy properties.
  5. Click the Add button at the bottom of the Properties: Event Log Readers window.

    The Select Users, Computers or Groups window opens.

  6. In the Enter the object names to select (examples) field, list the names of the users or devices to which you want to grant permissions to view event data. Click OK.

To grant permissions to view events for all devices in a domain:

  1. Log in to the domain controller with administrator privileges.
  2. Open the Run window by pressing the key combination Win+R.
  3. In the opened window, type dsa.msc and click OK.

    The Active Directory Users and Computers window opens.

  4. Go to Active Directory Users and Computers<Domain name>Builtin.
  5. In the pane on the right, select the Event Log Readers group and double-click to open the policy properties.

    In the Properties: Event Log Readers window, open the Members tab and click the Add button.

    The Select Users, Computers or Groups window opens.

  6. In the Enter the object names to select (examples) field, list the names of the users or devices to which you want to grant permissions to view event data. Click OK.
Page top
[Topic 264786]

Granting permissions to log on as a service

You can grant permission to log on as a service to a specific device or to all devices in a domain. The "Log on as a service" permission allows you to start a process using an account that has been granted this permission.

To grant the "Log on as a service" permission to a device:

  1. Open the Run window by pressing the key combination Win+R.
  2. In the opened window, type secpol.msc and click OK.

    The Local security policy window opens.

  3. Go to Security settingsLocal policiesUser rights assignment.
  4. In the pane on the right, double-click to open the properties of the Log on as a service policy.
  5. In the opened Properties: Log on as a Service window, click the Add User or Group button.

    The Select Users or Groups window opens.

  6. In the Enter the object names to select (examples) field, list the names of the accounts or devices to which you want to grant the permission to log on as a service. Click OK.

Before granting the permission, make sure that the accounts or devices to which you want to grant the Log on as a service permission are not listed in the properties of the Deny log on as a service policy.

To grant the "Log on as a service" permission to devices in a domain:

  1. Open the Run window by pressing the key combination Win+R.
  2. In the opened window, type gpedit.msc and click OK.

    The Local Group Policy Editor window opens.

  3. Select Computer configurationWindows configurationSecurity settingsLocal policiesUser rights assignment.
  4. In the pane on the right, double-click to open the properties of the Log on as a service policy.
  5. In the opened Properties: Log on as a Service window, click the Add User or Group button.

    The Select Users or Groups window opens.

  6. In the Enter the object names to select (examples) field, list the names of the users or devices to which you want to grant the permission to log on as a service. Click OK.

Before granting the permission, make sure that the accounts or devices to which you want to grant the Log on as a service permission are not listed in the properties of the Deny log on as a service policy.

Page top
[Topic 264787]

Configuring the KUMA Collector for receiving events from Windows devices

After you finish configuring the audit policy on devices, creating subscriptions to events and granting all the necessary permissions, you need to create a collector in the KUMA Console for events from Windows devices.

For details on creating a KUMA collector, refer to Creating a collector.

To receive events from Windows devices, define the following collector settings in the KUMA Collector Installation Wizard:

  1. At the Transport step, define the following settings:
    1. In the Connector window, select Create.
    2. In the Type field, select http.
    3. In the Delimiter field, select \0.
  2. On the Advanced settings tab, in the TLS mode field, select With verification.
  3. At the Event parsing step, click the Add event parsing button.
  4. In the opened Basic event parsing window, in the Normalizer field, select [OOTB] Windows Extended v.1.0 and click OK.
  5. At the Routing step, add the following destinations:
    • Storage. To send processed events to the storage.
    • Correlator. To send processed events to the correlator.

    If the Storage and Correlator destinations were not added, create them.

  6. At the Setup validation tab, click Create and save service.
  7. Copy the command for installing the KUMA collector that appears.
Page top
[Topic 264788]

Installing the KUMA Collector for receiving events from Windows devices

After configuring the collector for receiving Windows events, install the KUMA Collector on the server of the network infrastructure intended for receiving events.

For details on installing the KUMA collector, refer to the Installing collector in the network infrastructure section.

Page top
[Topic 264789]

Configuring forwarding of events from Windows devices to KUMA using KUMA Agent (WEC)

To complete the data forwarding configuration, you must create a WEC KUMA agent and then install it on the device from which you want to receive event information.

For more details on creating and installing a WEC KUMA Agent on Windows devices, please refer to the Forwarding events from Windows devices to KUMA section.

Page top
[Topic 264790]