The Alert Logic agent for Windows provides in-depth visibility into network traffic, facilitates OS-level vulnerability scanning, performs file integrity monitoring, and ingests security-relevant system logs all in a lightweight, easy-to-install package.
The Alert Logic agent ingests every event log stream out of the box. However, several third-party and built-in Microsoft services don't send logs to the event log by default. By focusing on the logs that produce incident content, you can ensure Alert Logic has sufficient visibility into your Windows environment.
Note: System log settings are configured in the Alert Logic console per deployment. To manage Windows Event Logs, navigate to Configure > select a deployment > System Logs > Windows Event Logs.
Malware/LOLBins/Ransomware Configurations
There are four main categories of logs that help Alert Logic get a better view into potential malicious activity. See below for these logs and our public guidance on how to configure them.
Windows Command Line Parameter Logs
By default, the arguments passed on a command line are not recorded in Windows event logs; only the process name is. Refer to Enable Windows Command Line Parameter Logging for details on how to capture these logs.
Windows PowerShell Script Block Logs
By default, PowerShell scripts are not logged in Windows event logs, except where the entire script is passed as a one-liner. Refer to Enable Windows PowerShell Logging for details on how to capture these logs.
Windows Object Access Logs
Due to the potential noisiness of logging all file reads, modifies, deletes, and creations, Windows does not log this activity by default. Refer to Enable Windows Object Access Logging for details on how to capture these logs.
Windows User Account Events
These logs allow Alert Logic to identify password attacks by showing the number of authentication attempts, as well as other events like the creation or deletion of users, attempts to change passwords, etc. Refer to Enable Windows User Account Events Logging for details on how to capture these logs.
Sysmon
Sysmon is a Sysinternals tool that adds more granular events to your event logs, such as new network connections, use of WMI, and registry changes. Alert Logic supports this tool with custom incident content for many of its events. If you use this tool, all of these events are written to the event log and ingested by our agent by default.
OSSEC HIDS
OSSEC is a host-based intrusion detection system (HIDS) that performs log analysis and registry monitoring, among other functions. It forwards Windows event logs to a centralized OSSEC server, from which Alert Logic can then collect them.
To collect these logs, you can set up log forwarding to an Alert Logic Remote Collector, allowing Alert Logic to run incident analytics against them.
- Log in to the OSSEC server and open /var/ossec/etc/ossec.conf.
- Edit the file so that it contains the following block:
<syslog_output>
<server>$IPADDRESS</server>
<port>1515</port>
<level>6</level>
</syslog_output>
where $IPADDRESS is the address of your Remote Collector.
- Run the following commands to enable syslog output and restart OSSEC:
/var/ossec/bin/ossec-control enable client-syslog
/var/ossec/bin/ossec-control restart
Extra Configurations
DHCP
It can be useful to analyze information about DHCP scopes and IP address requests. However, not all DHCP Client/Server operational logs are enabled by default in Windows. To enable them, perform the following steps on your DHCP server:
- Open Event Viewer.
- Navigate to Applications and Services Logs > Microsoft > Windows > DHCP-Server.
- Right-click on each item in the list and select Enable Log.
PowerShell Module Logging
Module logging records pipeline execution events, which can capture malicious PowerShell scripts that fail to run and gives Alert Logic visibility into what scripts do and what they output.
This can be enabled via GPO:
- On your domain controller, select Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell, and set Turn on Module Logging to enabled.
- In the Options pane, click the Show button for Module Names.
- In the Module Names window, enter * to record all modules.
- Click OK in the Module Names window.
- Click OK in the Module Logging window.
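Once the GPO has applied, it is worth confirming on a host that the policy landed and that events are actually being produced. The following read-only check is an added example (not Alert Logic's own code): it reads the registry keys that the Turn on Module Logging policy writes, looks for a recent 4103 pipeline execution event, and lists the enabled state of the DHCP-Server channels from the DHCP section above. The DHCP channel name pattern is assumed; run in an elevated PowerShell session.

```powershell
# Added verification script (not Alert Logic's code). Read-only: it changes nothing.
$results = [ordered]@{}

# 1. PowerShell Module Logging: the "Turn on Module Logging" GPO writes these policy
#    keys; a value named '*' under ModuleNames means every module is recorded.
$mlKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
$enabled = (Get-ItemProperty -Path $mlKey -Name EnableModuleLogging -ErrorAction SilentlyContinue).EnableModuleLogging
$names   = Get-ItemProperty -Path "$mlKey\ModuleNames" -ErrorAction SilentlyContinue
$results['ModuleLogging.Enabled']    = ($enabled -eq 1)
$results['ModuleLogging.AllModules'] = ($null -ne $names -and ($names.PSObject.Properties.Name -contains '*'))

# 2. Evidence the setting is producing events: event 4103 (pipeline execution detail)
#    in the PowerShell operational channel within the last 24 hours (86400000 ms).
$ev = Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' `
        -FilterXPath "*[System[EventID=4103 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" `
        -MaxEvents 1 -ErrorAction SilentlyContinue
$results['ModuleLogging.Recent4103'] = ($null -ne $ev)

# 3. DHCP-Server channels (the Event Viewer folder from the DHCP section): report each
#    channel's IsEnabled flag. Channel name pattern assumed; empty on non-DHCP hosts.
$dhcpLogs = Get-WinEvent -ListLog 'Microsoft-Windows-Dhcp-Server/*' -ErrorAction SilentlyContinue
foreach ($log in $dhcpLogs) {
    $results["DHCP.$($log.LogName)"] = $log.IsEnabled
}

# Anything reported as False is a log source the agent will not receive from this host.
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Enabled = $_.Value }
} | Format-Table -AutoSize
```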