Windows event log ingestion allows Cognito to ingest Windows security event logs to drive Privileged Access Analytics (PAA) detections and to enhance host ID. This feature complements the coverage obtained from network traffic. Cognito ingests two Windows security event IDs: 4768 (Ticket Granting Ticket) and 4769 (Ticket Granting Service). Further, only successful events are ingested; any other Windows security event IDs sent to the Cognito Brain will be discarded.
Make sure that Security Audit Logging is enabled on every Domain Controller; follow the Microsoft documentation. Both events are under Account Logon:
- Event 4768 - Audit Kerberos Authentication Service
- Event 4769 - Audit Kerberos Service Ticket Operations
With the option to receive XML over TCP, Cognito supports various sources that send Windows event logs in XML format to the Brain. One such source is the NXLog agent. This article describes the steps required to set up Windows event log ingestion using NXLog.
Enabling Windows log ingestion in the Cognito UI
- Log in to the Cognito UI.
- Navigate to ‘Settings -> External Connectors’
- Click Edit on ‘Windows Event Log Ingestion’ and toggle it On
- Select ‘Raw TCP’ from the ‘Type’ dropdown
- Enter the IP address or domain name of the domain controller sending the logs. Add more entries if there is more than one domain controller
- Click the save button
Enabling forwarding on NXLog:
- Install NXLog on the domain controllers. NXLog Community Edition can be found here: https://nxlog.co/products/nxlog-community-edition/download
- Download the attached ‘nxlog.conf’ file. Modify the ‘Host’ under the ‘<Output>’ section with the IP address of the Brain.
- Replace the nxlog.conf file under ‘C:\Program Files (x86)\nxlog\conf’ with the one from Step 2
- Open Services and start NXLog (or restart it if NXLog is already running)
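The following PowerShell script is an added example; it is not Vectra's or NXLog's code and it is not the attached nxlog.conf, which is not reproduced in this article. It automates Steps 2 to 4 on a domain controller: it first checks with auditpol that both Account Logon subcategories audit Success, then writes a representative nxlog.conf that forwards only successful 4768/4769 Security events as XML over TCP, and finally starts or restarts the NXLog service. The parameter names, the default install path and the TCP port are assumptions; the article does not state the port, so it must be set to whatever the Raw TCP connector in the Cognito UI expects.

```powershell
# Added example (not Vectra's, NXLog's or the attached nxlog.conf): deploy a
# representative NXLog configuration on a domain controller that forwards only
# successful Kerberos events 4768/4769 to the Cognito Brain as XML over TCP.
# Run from an elevated PowerShell on each DC.
param(
    [Parameter(Mandatory = $true)][string]$BrainHost,    # IP address of the Cognito Brain
    [int]$BrainPort = 514,                               # assumption: the article gives no port; match the Raw TCP connector
    [string]$NxlogRoot = 'C:\Program Files (x86)\nxlog'  # default NXLog CE install path from the article
)

# 1. Pre-flight: both Account Logon subcategories must audit Success, otherwise
#    4768/4769 are never written and there is nothing to forward.
#    auditpol /r prints CSV whose "Inclusion Setting" column reads e.g. "Success and Failure".
$subcategories = 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations'
foreach ($sub in $subcategories) {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        throw "Audit subcategory '$sub' does not audit Success (currently: '$($row.'Inclusion Setting')')"
    }
}

# 2. Build nxlog.conf. im_msvistalog reads the Security log through an XPath filter
#    that keeps EventID 4768/4769 carrying the Audit Success keyword
#    (0x0020000000000000 = 9007199254740992); xm_xml's to_xml() serialises each
#    record and om_tcp ships it to the Brain.
$conf = @"
define ROOT $NxlogRoot

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension xml>
    Module xm_xml
</Extension>

<Input kerberos_events>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4768 or EventID=4769) and band(Keywords,9007199254740992)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec to_xml();
</Input>

<Output cognito_brain>
    Module om_tcp
    Host $BrainHost
    Port $BrainPort
</Output>

<Route kerberos_to_brain>
    Path kerberos_events => cognito_brain
</Route>
"@

# 3. Replace the shipped config (keeping a backup) and (re)start the service.
$confPath = Join-Path $NxlogRoot 'conf\nxlog.conf'
if (Test-Path $confPath) { Copy-Item $confPath "$confPath.bak" -Force }
Set-Content -Path $confPath -Value $conf -Encoding ASCII

$svc = Get-Service -Name nxlog
if ($svc.Status -eq 'Running') { Restart-Service -Name nxlog } else { Start-Service -Name nxlog }

# 4. Sanity check: count successful 4768/4769 events from the last hour so you
#    know the audit policy is actually producing something for NXLog to forward.
$filter = @{ LogName = 'Security'; Id = 4768, 4769; Keywords = 9007199254740992; StartTime = (Get-Date).AddHours(-1) }
$recent = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
"{0} successful 4768/4769 event(s) in the last hour on {1}" -f @($recent).Count, $env:COMPUTERNAME
```

Filtering on the agent side does the "successful events only" selection before anything leaves the domain controller, so failed-authentication noise never crosses the network; the Brain would discard those records anyway. On an idle lab DC the final count may legitimately be 0.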
As security events are logged, they are forwarded to the Cognito Brain and processed for detections and host ID.
Note that service names are not reported in Windows event logs; instead, unique security identifiers (SIDs) are reported, which subsequently map to a unique service. SID values will be reported as the service in Vectra metadata reported to Recall and Stream and in Privilege Access Anomaly detections reported in Detect. Analysts can leverage tools like PowerShell's PsGetSid to perform lookups where necessary.
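As an added illustration of the lookup described above (example code, not Vectra's), the function below resolves the SID strings that appear as the service in Recall, Stream or Detect output back to account names. It uses .NET's SecurityIdentifier.Translate rather than the PsGetSid tool the article mentions, and must run on a domain-joined host that can reach a domain controller; the function name and the sample SIDs are constructed for the example.

```powershell
# Added example (not Vectra's code): map SID values reported as the "service"
# back to account names. Assumes a domain-joined host with line of sight to a DC.
function Resolve-ServiceSid {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Sid
    )
    process {
        try {
            # Translate asks the local LSA (and through it the domain) for the name.
            # Service/computer accounts come back as DOMAIN\NAME$.
            $account = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
                [System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{ Sid = $Sid; Account = $account }
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Deleted principals or SIDs from an untrusted domain cannot be mapped;
            # keep the raw SID visible rather than dropping the row.
            [pscustomobject]@{ Sid = $Sid; Account = '<unmapped>' }
        } catch {
            # Malformed SID string (e.g. a truncated value copied from a report).
            [pscustomobject]@{ Sid = $Sid; Account = "<invalid: $($_.Exception.Message)>" }
        }
    }
}

# Constructed sample input: a well-known SID that resolves on any Windows host
# (BUILTIN\Administrators), a domain SID with a placeholder RID that will not map,
# and a malformed value.
'S-1-5-32-544', 'S-1-5-21-1-2-3-999999', 'not-a-sid' | Resolve-ServiceSid | Format-Table -AutoSize
```

When a SID from a Recall or Stream export resolves to a computer account (DOMAIN\HOST$), that is the host whose service principal issued or received the ticket; resolving it in bulk by piping a column of the export into the function avoids per-SID manual lookups.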