Applies to: Advanced Threat Analytics version 1.9

Install ATA - Step 6

Step 6. Configure event collection

Configure Event Collection

To enhance detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757 and 7045. These can either be read automatically by the ATA Lightweight Gateway or in case the ATA Lightweight Gateway is not deployed, it can be forwarded to the ATA Gateway in one of two ways, by configuring the ATA Gateway to listen for SIEM events or by Configuring Windows Event Forwarding.

Note

For ATA versions 1.8 and higher, event collection configuration is no longer necessary for ATA Lightweight Gateways. The ATA Lightweight Gateway can now read events locally, without the need to configure event forwarding.

In addition to collecting and analyzing network traffic to and from the domain controllers, ATA can use Windows events to further enhance detections. It uses event 4776 for NTLM, which enhances various detections and events 4732, 4733, 4728, 4729, 4756, and 4757 for enhancing detection of sensitive group modifications. This can be received from your SIEM or by setting Windows Event Forwarding from your domain controller. Events collected provide ATA with additional information that is not available via the domain controller network traffic.

SIEM/Syslog

For ATA to be able to consume data from a Syslog server, you need to perform the following steps:

  • Configure your ATA Gateway servers to listen to and accept events forwarded from the SIEM/Syslog server.

Note

ATA only listens on IPv4 and not IPv6.

  • Configure your SIEM/Syslog server to forward specific events to the ATA Gateway.

Important

  • Do not forward all the Syslog data to the ATA Gateway.
  • ATA supports UDP traffic from the SIEM/Syslog server.

Refer to your SIEM/Syslog server's product documentation for information on how to configure forwarding of specific events to another server.

Note

If you do not use a SIEM/Syslog server, you can configure your Windows domain controllers to forward Windows Event ID 4776 to be collected and analyzed by ATA. Windows Event ID 4776 provides data regarding NTLM authentications.

Configuring the ATA Gateway to listen for SIEM events

  1. In ATA Configuration, under Data sources click SIEM and turn on Syslog and click Save.

    Enable syslog listener UDP image

  2. Configure your SIEM or Syslog server to forward Windows Event ID 4776 to the IP address of one of the ATA Gateways. For additional information on configuring your SIEM, see your SIEM online help or technical support options for specific formatting requirements for each SIEM server.

ATA supports SIEM events in the following formats:

RSA Security Analytics

<Syslog Header>RsaSA\n2015-May-19 09:07:09\n4776\nMicrosoft-Windows-Security-Auditing\nSecurity\XXXXX.subDomain.domain.org.il\nYYYYY$\nMMMMM \n0x0

  • Syslog header is optional.

  • “\n” character separator is required between all fields.

  • The fields, in order, are:

    1. RsaSA constant (must appear).

    2. The timestamp of the actual event (make sure it’s not the timestamp of the arrival to the SIEM or when it’s sent to ATA). Preferably in milliseconds accuracy, this is important.

    3. The Windows event ID

    4. The Windows event provider name

    5. The Windows event log name

    6. The name of the computer receiving the event (the DC in this case)

    7. The name of the user authenticating

    8. The name of the source host name

    9. The result code of the NTLM

  • The order is important and nothing else should be included in the message.

HP Arcsight

CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4776|The domain controller attempted to validate the credentials for an account.|Low| externalId=4776 cat=Security rt=1426218619000 shost=KKKKKK dhost=YYYYYY.subDomain.domain.com duser=XXXXXX cs2=Security cs3=Microsoft-Windows-Security-Auditing cs4=0x0 cs3Label=EventSource cs4Label=Reason or Error Code

  • Must comply with the protocol definition.

  • No syslog header.

  • The header part (the part that’s separated by a pipe) must exist (as stated in the protocol).

  • The following keys in the Extension part must be present in the event:

    • externalId = the Windows event ID

    • rt = the timestamp of the actual event (make sure it’s not the timestamp of the arrival to the SIEM or when it’s sent to ATA). Preferably in milliseconds accuracy, this is important.

    • cat = the Windows event log name

    • shost = the source host name

    • dhost = the computer receiving the event (the DC in this case)

    • duser = the user authenticating

  • The order is not important for the Extension part

  • There must be a custom key and keyLable for these two fields:

    • “EventSource”

    • “Reason or Error Code” = The result code of the NTLM

Splunk

<Syslog Header>\r\nEventCode=4776\r\nLogfile=Security\r\nSourceName=Microsoft-Windows-Security-Auditing\r\nTimeGenerated=20150310132717.784882-000\r\ComputerName=YYYYY\r\nMessage=

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Account: Administrator

Source Workstation: SIEM

Error Code: 0x0

  • Syslog header is optional.

  • There’s a “\r\n” character separator between all required fields.

  • The fields are in key=value format.

  • The following keys must exist and have a value:

    • EventCode = the Windows event ID

    • Logfile = the Windows event log name

    • SourceName = The Windows event provider name

    • TimeGenerated = the timestamp of the actual event (make sure it’s not the timestamp of the arrival to the SIEM or when it’s sent to ATA). The format should match yyyyMMddHHmmss.FFFFFF, preferably in milliseconds accuracy, this is important.

    • ComputerName = the source host name

    • Message = the original event text from the Windows event

  • The Message Key and value MUST be last.

  • The order is not important for the key=value pairs.

QRadar

QRadar enables event collection via an agent. If the data is gathered using an agent, the time format is gathered without millisecond data. Because ATA necessitates millisecond data, it is necessary to set QRadar to use agentless Windows event collection. For more information, see http://www-01.ibm.com/support/docview.wss?uid=swg21700170.

<13>Feb 11 00:00:00 %IPADDRESS% AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=%FQDN% User= Domain= EventID=4776 EventIDCode=4776 EventType=8 EventCategory=14336 RecordNumber=1961417 TimeGenerated=1456144380009 TimeWritten=1456144380009 Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: HOSTNAME Error Code: 0x0

The fields needed are:

  • The agent type for the collection
  • The Windows event log provider name
  • The Windows event log source
  • The DC fully qualified domain name
  • The Windows event ID

TimeGenerated is the timestamp of the actual event (make sure it’s not the timestamp of the arrival to the SIEM or when it’s sent to ATA). The format should match yyyyMMddHHmmss.FFFFFF, preferably in milliseconds accuracy, this is important.

Message is the original event text from the Windows event

Make sure to have \t between the key=value pairs.

Note

Using WinCollect for Windows event collection is not supported.

See Also