Blumira’s modern cloud SIEM platform integrates with Microsoft’s Active Directory to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.
Once the integration is configured, Active Directory will stream security event logs and alerts to Blumira’s platform for threat detection and actionable response leveraging event information about users and computers.
A few examples of Active Directory detections include user behavioral analytics, credential spraying, rogue domain administration and much more. The integration with Active Directory is also commonly used for audit purposes defined in common compliance frameworks such as PCI DSS and NIST 800-171.
Blumira uses NXLog to collect logs from Active Directory. NXLog is a multi-platform log management tool that helps you identify security risks and policy breaches, and analyze operational problems, in server logs, operating system logs and application logs.
In concept NXLog is similar to syslog-ng or Rsyslog, but it is not limited to UNIX or to syslog.
define SENSOR 10.11.12.13
Enabling Additional Logging
If you are using Windows 2003:
With the configuration file change on 2019/10/16, updates to the configuration file are no longer required to support IIS. If you currently use IIS, you should run the following commands in an Administrative command prompt to enable logging:
wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true
wevtutil sl Microsoft-IIS-Configuration/Operational /e:true
wevtutil sl Microsoft-IIS-Logging/Logs /e:true
If IIS is not installed, these commands return an error. That is expected and harmless, so they can safely be run across a broad deployment.
Lastly, each IIS server will need its logging configuration changed under Log Event Destination so that access logs are also written to the Event Log.
net stop nxlog && net start nxlog
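The following PowerShell script is an added example, not Blumira's own script, that performs the same IIS steps in a way that can be pushed to a whole fleet: it enables each IIS event-log channel only when the channel exists on the host, verifies the result with wevtutil, and optionally sets each site's Log Event Destination. It assumes the three channel names listed above, and the optional site step assumes the WebAdministration module (IIS 8.5 or later) and the logTargetW3C attribute, which are not mentioned on this page.

```powershell
# Added example (not Blumira's script): enable the IIS event-log channels
# from the wevtutil commands above, skipping hosts where IIS is absent.
$channels = @(
    'Microsoft-IIS-Configuration/Administrative',
    'Microsoft-IIS-Configuration/Operational',
    'Microsoft-IIS-Logging/Logs'
)

foreach ($channel in $channels) {
    # Get-WinEvent -ListLog returns the channel configuration, or nothing
    # (with -ErrorAction SilentlyContinue) when IIS is not installed.
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Output "$channel not present (IIS not installed?) - skipping"
        continue
    }
    if (-not $log.IsEnabled) {
        # Same effect as: wevtutil sl <channel> /e:true
        $log.IsEnabled = $true
        $log.SaveChanges()
        Write-Output "$channel enabled"
    } else {
        Write-Output "$channel already enabled"
    }
}

# Verify: every channel that exists should now report "enabled: true"
foreach ($channel in $channels) {
    wevtutil gl $channel 2>$null | Select-String '^enabled:'
}

# Optional (assumption: IIS 8.5+ with the WebAdministration module): set every
# site's Log Event Destination to both the log file and the Event Log, which is
# the "Log Event Destination" change described above.
Import-Module WebAdministration -ErrorAction SilentlyContinue
if (Get-Module WebAdministration) {
    foreach ($site in Get-Website) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter "system.applicationHost/sites/site[@name='$($site.Name)']/logFile" `
            -Name logTargetW3C -Value 'File,ETW'
    }
}
```

Run it from an elevated PowerShell session, then restart NXLog as shown above so the new channels are picked up.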
NOTE: This is an alternative to the recommended collection option above, for use only if you have an older nxlog.conf that you would like to keep using.
If you are running IIS on a server and would like to collect its access logs, a few small modifications are required to the nxlog.conf file that you downloaded above. In most cases, enabling logging for your IIS Site and uncommenting the corresponding section in nxlog.conf is all that is required from the steps below.
NOTE: If you have more than one Site on your host, you will need to ensure that each Site is configured appropriately for Logging. Then, you will need to copy and paste the entire Windows IIS Event Logs START to END block and change the File parameters appropriately for those log files.
*Tested from Server 2012 to Current
Windows Firewall Logging has some significant benefits, but it does increase the amount of logs and data being extracted from your host. Blumira recommends implementing this configuration in areas where you do not have good visibility within the network.
NOTE: Successful logging requires the on-host firewall to be enabled and functioning with the appropriate policies. If your Windows Firewall has been disabled, the command below only sets the logging options on the firewall profile; it does not enable the firewall. Please review Microsoft's documentation for your on-host firewall for more details. Blumira always recommends least access (only expected protocols should be allowed where possible); however, even leaving the firewall enabled with its default policies will allow log collection to function.
To reduce noise, Blumira recommends configuring this to log only traffic Dropped by the Firewall. Allowed traffic can also be sent, but it drastically increases noise within your logging infrastructure and effectively logs all traffic from that host. Blumira recommends doing this only for a highly sensitive host whose traffic does not pass through any other logging that Blumira captures.
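To make the noise argument concrete, here is an added PowerShell example (not part of Blumira's documentation or configuration) that parses a Windows Firewall log and counts records by action and by dropped destination port. The #Fields header is the standard W3C header that pfirewall.log carries; the data lines are constructed for this example and the IP addresses and ports in them are made up.

```powershell
# Added example (not Blumira's script): summarise pfirewall.log content to see
# how much of it is dropped versus allowed traffic. Data lines are constructed.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:22:01 ALLOW TCP 10.0.0.23 10.0.0.5 51234 443 0 - 0 0 0 - - - SEND
2024-01-15 10:22:02 ALLOW UDP 10.0.0.23 10.0.0.1 60001 53 0 - - - - - - - SEND
2024-01-15 10:22:02 ALLOW TCP 10.0.0.23 10.0.0.5 51235 443 0 - 0 0 0 - - - SEND
2024-01-15 10:22:03 ALLOW UDP 10.0.0.23 10.0.0.1 60002 53 0 - - - - - - - SEND
2024-01-15 10:22:05 DROP TCP 10.0.0.77 10.0.0.23 41000 445 52 S 987654 0 8192 - - - RECEIVE
2024-01-15 10:22:05 DROP TCP 10.0.0.77 10.0.0.23 41001 3389 52 S 987655 0 8192 - - - RECEIVE
2024-01-15 10:22:06 DROP TCP 10.0.0.77 10.0.0.23 41002 445 52 S 987656 0 8192 - - - RECEIVE
2024-01-15 10:22:07 ALLOW TCP 10.0.0.23 10.0.0.5 51236 443 0 - 0 0 0 - - - SEND
'@

function ConvertFrom-FirewallLog {
    # Turn the W3C-style log into objects whose property names come from #Fields
    param([string[]]$Lines)
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

$records = ConvertFrom-FirewallLog -Lines ($sample -split "`r?`n")

# Volume by action: with LogAllowed True, the ALLOW lines dominate even this
# tiny sample, which is the noise the text warns about.
$records | Group-Object action | Select-Object Name, Count

# Dropped inbound connections by destination port: the signal worth keeping
$records |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'dst-port' | Sort-Object Count -Descending |
    Select-Object @{ n = 'dst-port'; e = { $_.Name } }, Count
```

Pointing the function at the real file (Get-Content of the expanded %SystemRoot% path) instead of the constructed sample gives the same two summaries for a live host.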
Recommended PowerShell Command
Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True
If significant verbosity is required, use this command, which logs Allowed connections as well:
Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
You will need to ensure that logging is enabled for the Windows Firewall via GPO for Dropped packets only. Adding successful packets will most likely be unnecessarily verbose unless you require that visibility due to a lack of segmentation.
For each network location type (Domain, Private, Public), perform the following steps.
net stop nxlog && net start nxlog
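The PowerShell below is an added example, not Blumira's own script, that applies the recommended dropped-only setting to all three profiles and then reports, per profile, whether log lines will actually be produced. It encodes the caveat from the NOTE above: a profile whose firewall is disabled, or whose LogBlocked is off, produces nothing for NXLog to collect even though the log path is set. The log file path is the one from the recommended command.

```powershell
# Added example (not Blumira's script): apply dropped-only logging to every
# profile, then check each profile can actually write log lines.
$logPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogFileName $logPath -LogBlocked True -LogAllowed False -LogIgnored True

# Enabled, LogBlocked and LogAllowed are GpoBoolean values (True/False/NotConfigured),
# so compare against the string 'True' rather than treating them as plain booleans.
foreach ($p in Get-NetFirewallProfile) {
    $status = if ($p.Enabled -ne 'True') { 'NO LOGGING: profile disabled' }
              elseif ($p.LogBlocked -ne 'True') { 'NO LOGGING: LogBlocked is off' }
              elseif ($p.LogAllowed -eq 'True') { 'VERBOSE: allowed traffic is also logged' }
              else { 'OK: dropped-only logging' }
    [pscustomobject]@{
        Profile     = $p.Name
        Enabled     = $p.Enabled
        LogBlocked  = $p.LogBlocked
        LogAllowed  = $p.LogAllowed
        LogFileName = $p.LogFileName
        Status      = $status
    }
}

# Confirm the file is being written: expand %SystemRoot% and show the newest lines
$expanded = [Environment]::ExpandEnvironmentVariables($logPath)
if (Test-Path $expanded) {
    Get-Content -Path $expanded -Tail 3
} else {
    Write-Output "No log written yet at $expanded (no dropped traffic, or firewall disabled)"
}
```

A profile reported as "NO LOGGING: profile disabled" needs Set-NetFirewallProfile -Enabled True (or the equivalent GPO) before any firewall events reach NXLog; the logging options alone do not turn the firewall on.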
After testing 2012-2019 Windows kernels, we have determined that uncommenting is no longer necessary. The new configuration supports IIS and Windows Firewall out of the box, using new methods to collect the data. It is no longer required to define each IIS site; IIS logs are ingested directly from the Event Viewer. Additionally, the Windows Firewall section now has an accompanying PowerShell command to enable logging.
As of 2019/10/08 the Blumira NXLog configuration has adopted a new format and style. In some cases you may need to uncomment sections to ensure that certain types of data, such as IIS and Windows Firewall logs, are consumed correctly. Please refer to the sections later in this document that discuss enabling specific log types and their configuration for more details. To collect only OS-level logs, you only need to change the sensor IP as discussed in the following content. In many cases application logs, such as those from SQL Server, flow through Event Viewer, so no changes are required on your part.