Network traffic collection is the main data source Advanced Threat Analytics (ATA) uses to detect threats and abnormal behavior. It also analyzes event log ID 4776, and will likely collect additional events in the future. This is why we’re devoting a topic to understanding methods and configuration for event collection.
You can configure the ATA gateway, both lightweight and standalone, to collect the event via a syslog listener and/or using Windows Event Forwarding (WEF). We recommend using the syslog listener if a SIEM is available and supported. If a supported SIEM is unavailable, you would use WEF.
Today, ATA supports four SIEM products: RSA Security Analytics, HP ArcSight, Splunk, and IBM QRadar. The SIEM needs to collect the 4776 event from all Domain Controllers (DC) ATA is monitoring. You need to configure the SIEM to then forward the collected 4776 event from the DCs to an ATA gateway.
You can forward all 4776 events from all DCs to a single gateway in the ATA deployment. The gateway will receive the events, process them and send them to the ATA center. If you have 100% standalone gateways or a mixed gateway deployment, forward the events to a standalone gateway close to the SIEM. The following diagram depicts this configuration, which ensures the load is put on a dedicated server vs. a domain controller.
If you have a 100% lightweight deployment, forward the events to a gateway that is not only close to the ATA center and SIEM, but also has a lower load than other DCs in the site. The following diagram depicts this configuration.
Leverage WEF when you don’t have a supported SIEM in the environment to collect the 4776 event and forward it. WEF can use collector-initiated (pull) or source-initiated (push) subscriptions to get the events from the DCs.
For lightweight gateways, we recommend a collector-initiated subscription configured on the domain controller. Collector-initiated means the subscription will pull the events from the endpoint. The subscription and the endpoint are the same host, so neither the collector nor the endpoint will utilize any network resources. You will need to configure the subscription on each lightweight gateway, which you can script with wecutil.exe.
To script this configuration for LWGWs, you will need a template XML file. Here is a sample you can use:
<?xml version=”1.0″ encoding=”UTF-8″?>
<QueryList><Query Id=”0″><Select Path=”Security”>*[System[(EventID=4776)]]</Select></Query></QueryList>
Here is the sample PowerShell to create the subscription based on the template.
#Copy the template locally
$FileLocation = “\\server\share”
Copy-Item $FileLocation\ATA-4776.xml $ENV:TEMP
winrm qc -quiet
#configure WinEvent Collection service
wecutil.exe qc /q:true
#Get Computer SID
$strDNSName = (Get-ADComputer $ENV:Computername).DNSHostName
#Replace the SID in the temp XML
(Get-Content “$ENV:TEMP\ATA-4776.xml”) -replace ‘lwgw.contoso.com’, “$strDNSName”| Set-Content “$ENV:TEMP\ATA-4776.xml”
#Configure the Subscription
wecutil.exe cs “$ENV:TEMP\ATA-4776.xml”
For domain controllers monitored by gateways, we recommend configuring a source-initiated subscription on the gateway to receive the events from the DCs. You will need to configure the DCs with a subscription manager group policy setting. You can target the subscription manager at the respective DCs using security filtering.
Here are some screen shots of subscription manager configuration found under Computer Policy \ Administrative Templates \ Windows Components \ Event Forwarding – Configure Target Subscription Manager
To recap, we recommend:
- DCs with LWGW use a local collector-initiated subscription.
- DCs monitored by a GW use a source-initiated subscription.
The following diagram depicts the WEF configuration for a mixed environment.
For questions or feedback contact me directly:
Principal Program Manager
C+E Security CxP Team