WELI via NXLog
This article is meant as a companion to the main Windows Event Log Ingestion (WELI) article and gives configuration advice for using WELI with an NXLog forwarding agent on Windows domain controller(s).
Windows event log ingestion allows Vectra to ingest Microsoft Windows security event logs to drive Privileged Access Analytics (PAA) detections. This feature complements the coverage obtained from network traffic and also provides Host-ID information for the IP-to-host mappings observed in the event logs. Vectra ingests two Windows security event IDs: 4768 (Ticket Granting Ticket) and 4769 (Ticket Granting Service). Further, only successful events are ingested. Any other Windows security event IDs sent to the Vectra Brain will be discarded.
Make sure that Security Audit Logging is enabled on every Domain Controller. Follow Microsoft documentation.
Both events are under Account Logon:
Event 4768 - Audit Kerberos Authentication Service
Event 4769 - Audit Kerberos Service Ticket Operations
With the option for receiving XML over TCP, Vectra supports different sources to send windows event logs in XML format to the Brain. One such system is the NXLog agent. This article describes the steps required to set up Windows event log ingestion using NXLog.
Enabling Windows logs ingestion in the Vectra UI
Login to the Vectra UI.
Navigate to ‘Settings -> External Connectors’
Click edit on ‘Windows Event log Ingestion’ and toggle it On
Select ‘Raw TCP’ from the ‘Type’ dropdown
Enter the IP address or domain name of the domain controller sending the logs. Add more entries if there is more than one domain controller.
Click the save button

Enabling forwarding on NXLog:
Install NXLog on the domain controllers. NXLog Community Edition can be found here: https://nxlog.co/products/nxlog-community-edition/download
Download the attached ‘nxlog.conf’ file. Modify the ‘Host’ under the ‘<Output>’ section with the IP address of the Brain.
Open Services and start NXLog (or restart if NXLog has already been started).
As security events are logged, they will be forwarded over into the Vectra Brain and processed for detections and host ID.
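As an added example (not the article's attached nxlog.conf), the following minimal NXLog Community Edition configuration implements the steps above: it reads only event IDs 4768 and 4769 from the Security log, drops audit failures so that only the events Vectra actually ingests leave the domain controller, and sends each event as one XML record over raw TCP. The Brain IP address and TCP port are placeholders you must replace.

```conf
# Added example, not the attached nxlog.conf from the article.
# Host and Port below are placeholders.
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension xml>
    Module  xm_xml
</Extension>

<Input security_kerberos>
    Module  im_msvistalog
    # Select only the two event IDs Vectra ingests; anything else would be
    # discarded by the Brain anyway, so filtering here saves bandwidth.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[(EventID=4768 or EventID=4769)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Vectra ingests successful events only, so drop audit failures locally.
    Exec    if $EventType != 'AUDIT_SUCCESS' drop();
</Input>

<Output vectra_brain>
    Module  om_tcp
    Host    192.0.2.10      # placeholder: replace with the Brain IP address
    Port    514             # placeholder: the WELI raw-TCP port (see the main WELI article)
    # Serialise every parsed field (TargetUserName, ServiceName, IpAddress, ...)
    # into a single-line XML record, which is the format the Brain expects.
    Exec    to_xml();
</Output>

<Route kerberos_to_vectra>
    Path    security_kerberos => vectra_brain
</Route>
```

After restarting the NXLog service, %ROOT%\data\nxlog.log shows connection errors to the Brain if the Host or Port placeholders were left unchanged.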
!! Note that service names are not reported in Windows event logs; instead, unique security identifiers (SIDs) are reported, each of which maps to a unique service. SID values will be reported as the service in Vectra metadata sent to Recall and Stream and in Privilege Access Anomaly Detections reported in Detect. Analysts can leverage tools like PowerShell's PsGetSid to perform look-ups where necessary.