Cloud SIEM & Threat Detection for Microsoft Windows Firewall

Windows Server/Workstation – Firewall

Click here for the most updated version of this documentation.

Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response for Windows Firewall. Blumira supports the following Microsoft Windows server operating systems:

Windows Server 2019

Windows Server 2016

Windows Server 2012R2

Windows Server 2012

Blumira provides broad coverage for Windows Server including collecting logs using NXLog, Command Line Logging, DNS Debugging, and Winlogbeat.

Recommended: Automated Windows Setup

We recommend using Blumira’s automated Windows log setup agent, Poshim (PowerShell Shim), designed to help ensure you’re collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration for NXLog and Sysmon to ship logs over Sysmon to a targeted IP.

Note: This recommended setup using Poshim requires Windows Server 2012 R2 and above.

If using Poshim, nothing further is needed on this page. For manual configuration, continue reading below.

Recommended: Automated Windows Setup

Recommended: Use Blumira’s automated Windows log setup agent, Poshim (PowerShell Shim), designed to help ensure you’re collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration for NXLog and Sysmon to ship logs over Sysmon to a targeted IP.

If using Poshim, nothing further is needed on this page. For manual config, continue reading below.

Setting up NXLog for Windows

You will need to first install and configure NXLog on the windows host using these instructions: Integrating with Microsoft Windows Server.

Setting up Windows Firewall Logging

*Tested from Server 2012 to Current

Windows Firewall Logging has some significant benefits, but does increase the amount of logs and data being extracted from your host. Blumira recommends implementing this configuration in areas where you do not have good visibility within the network.

NOTE: Successful logging requires the on-host firewall to be enabled and functioning in the appropriate policies. In situations where your Windows Firewall has been disabled this will only set the FirewallProfile and not necessarily enable it. Please review Microsoft documentation pertaining to your on-host firewall for more details. Blumira always recommends least-access, only expected protocols should be allowed when possible, however even just having it to default policies and enabled will allow log collection to function.

Enabling Logging using GPO

You will need to ensure that logging is enabled for the Windows FW via GPO for Dropped packets only. Adding successful packets will most likely be unnecessarily verbose unless you require visibility due to lack of segmentation.

Open the appropriate group policy object
Navigate to Computer Configuration>Windows Settings>Security Settings>Windows Defender Firewall with Advanced Security>Windows Defender Firewall Properties* Example of the local Group Policy editor, refer to this link for Domain-specific guidance to deploy GPOs for Windows Firewall. For each network location type (Domain, Private, Public), perform the following steps.
Click the tab that corresponds to the network location type.
Under Logging, click Customize.
No need to change the location, the configuration assumes that you will have it in the default place.
Ensure that you only selected Log dropped packets as Yes, unless you require significant visibility Log successful connections should be No.
Click OK

Edit the NXLog Configuration File

If you did not change the default path for the Logging file, you only need to uncomment the Windows Firewall Logs section.
Uncomment by removing the #, starting at #<Extension csv_windows_fw> until #</Route> above the Windows Firewall Logs END block.

Restart nxlog from the services console or with the following command

net stop nxlog && net start nxlog

Data from the firewall will start flowing

Microsoft Windows Firewall

Windows Server/Workstation – Firewall

Recommended: Automated Windows Setup

Sign Up For Your Free Account Today

Recommended: Automated Windows Setup

Set Up Instructions

Setting up NXLog for Windows

Setting up Windows Firewall Logging

Enabling Logging using GPO

Edit the NXLog Configuration File

Contact Sales

Reach Out