Bearbeiten

Freigeben über


Listen for SIEM events on your Defender for Identity standalone sensor

This article describes the required message syntax when configuring a Defender for Identity standalone sensor to listen for supported SIEM event types. Listening for SIEM events is one method for enhancing your detection abilities with extra Windows events that aren't available from the domain controller network.

For more information, see Windows event collection overview.

Important

Defender for Identity standalone sensors do not support the collection of Event Tracing for Windows (ETW) log entries that provide the data for multiple detections. For full coverage of your environment, we recommend deploying the Defender for Identity sensor.

RSA Security Analytics

Use the following message syntax to configure your standalone sensor to listen for RSA Security Analytics events:

<Syslog Header>RsaSA\n2015-May-19 09:07:09\n4776\nMicrosoft-Windows-Security-Auditing\nSecurity\XXXXX.subDomain.domain.org.il\nYYYYY$\nMMMMM \n0x0

In this syntax:

  • The syslog header is optional.

  • The \n character separator is required between all fields.

  • The fields, in order, are:

    1. (Required) RsaSA constant
    2. The timestamp of the actual event. Make sure that it's not the timestamp of the arrival to the SIEM, or when it's sent to Defender for Identity. We highly recommend using an accuracy of milliseconds.
    3. The Windows event ID
    4. The Windows event provider name
    5. The Windows event log name
    6. The name of the computer receiving the event, such as the domain controller
    7. The name of the user authenticating
    8. The name of the source host name
    9. The result code of the NTLM

Important

The order of the fields is important and nothing else should be included in the message.

MicroFocus ArcSight

Use the following message syntax to configure your standalone sensor to listen for MicroFocus ArcSight events:

CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4776|The domain controller attempted to validate the credentials for an account.|Low| externalId=4776 cat=Security rt=1426218619000 shost=KKKKKK dhost=YYYYYY.subDomain.domain.com duser=XXXXXX cs2=Security cs3=Microsoft-Windows-Security-Auditing cs4=0x0 cs3Label=EventSource cs4Label=Reason or Error Code

In this syntax:

  • Your message must comply with the protocol definition.

  • No syslog header is included.

  • The header part, separated by a pipe (|) must be included, as stated in the protocol

  • The following keys in the Extension part must be present in the event:

    Key Description
    externalId The Windows event ID
    rt The timestamp of the actual event. Make sure that the value isn't the timestamp of the arrival to the SIEM, or when it's sent to Defender for Identity. Also make sure to use an accuracy of milliseconds.
    cat The Windows event log name
    shost The source host name
    dhost The computer receiving the event, such as the domain controller
    duser The user authenticating

    The order isn't important for the Extension part.

  • You must have a custom key and keyLable for the following fields:

    • EventSource
    • Reason or Error Code = The result code of the NTLM

Splunk

Use the following message syntax to configure your standalone sensor to listen for Splunk events:

<Syslog Header>\r\nEventCode=4776\r\nLogfile=Security\r\nSourceName=Microsoft-Windows-Security-Auditing\r\nTimeGenerated=20150310132717.784882-000\r\ComputerName=YYYYY\r\nMessage=

In this syntax:

  • The syslog header is optional.

  • There's a \r\n character separator between all required fields. These are CRLF control characters, (0D0A in hex), and not literal characters.

  • The fields are in key=value format.

  • The following keys must exist and have a value:

    Name Description
    EventCode The Windows event ID
    Logfile The Windows event log name
    SourceName The Windows event provider name
    TimeGenerated The timestamp of the actual event. Make sure that the value isn't the timestamp of the arrival to the SIEM, or when it's sent to Defender for Identity. The timestamp format must be The format should match yyyyMMddHHmmss.FFFFFF, and you must use an accuracy of milliseconds.
    ComputerName The source host name
    Message The original event text from the Windows event
  • The Message Key and value must be last.

  • The order isn't important for the key=value pairs.

A message similar to the following appears:

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Account: Administrator

Source Workstation: SIEM

Error Code: 0x0

QRadar

QRadar enables event collection via an agent. If the data is gathered using an agent, the time format is gathered without millisecond data.

Because Defender for Identity needs millisecond data, you must first configure QRadar to use agentless Windows event collection. For more information, see QRadar: Agentless Windows Events Collection using the MSRPC Protocol.

Use the following message syntax to configure your standalone sensor to listen for QRadar events:

<13>Feb 11 00:00:00 %IPADDRESS% AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=%FQDN% User= Domain= EventID=4776 EventIDCode=4776 EventType=8 EventCategory=14336 RecordNumber=1961417 TimeGenerated=1456144380009 TimeWritten=1456144380009 Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: HOSTNAME Error Code: 0x0

In this syntax, you must include the following fields:

  • The agent type for the collection
  • The Windows event log provider name
  • The Windows event log source
  • The DC fully qualified domain name
  • The Windows event ID
  • TimeGenerated, which is the timestamp of the actual event. Make sure that the value isn't the timestamp of the arrival to the SIEM, or when it's sent to Defender for Identity. The timestamp format must be The format should match yyyyMMddHHmmss.FFFFFF, and must have an accuracy of milliseconds.

Make sure that the message includes the original event text from the Windows event, and that you have \t between the key=value pairs.

Note

Using WinCollect for Windows event collection is not supported.

For more information, see: