IBM QRadar

 View Only

  • 1.  Windows Event Logs Forwarded via Nxlog in LEEF Format

    Posted Thu November 21, 2019 08:05 AM
    Hello team,

    This is my first experience in using Qradar platform.

    I have been doing a POC for a while now and seem to be stuck with the scenario where logs received in Qradar do not seem to parsed. Here are some details below which you might find helpful:

    I would really appreciate it if someone can help me resolve this challenge as its been quite a while now since I have been struggling with this issue. 

    Objective: Forward Windows Event Logs in LEEF via Nxlog EE to Qradar CE 7.3.1

     Screenshot of "Log Activity" Console Attached
    Payload Information: 

    <12>Nov 21 13:44:35 LAPTOP-45Q5L6E5 Microsoft-Windows-Security-Mitigations[4340]: LEEF:2.0|Microsoft|Microsoft-Windows-Security-Mitigations|4.6.4640-trial|10|0x09|devTime=2019-11-21 13:44:35	identHostName=LAPTOP-45Q5L6E5	Keywords=9223372036854775808	EventType=WARNING	sev=6	Severity=WARNING	EventID=10	vSrcName=Microsoft-Windows-Security-Mitigations	ProviderGuid={FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF}	Version=0	TaskValue=5	OpcodeValue=0	RecordNumber=7353	ExecutionProcessID=4340	ExecutionThreadID=5716	Channel=Microsoft-Windows-Security-Mitigations/KernelMode	domain=LAPTOP-45Q5L6E5	accountName=Mervin Marks	UserID=S-1-5-21-2084162637-361975237-1712814021-1001	role=User	Message=Process '\\Device\\HarddiskVolume3\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe' (PID 4340) was blocked from making system calls to Win32k.sys.	Opcode=Info	ProcessPathLength=80	ProcessPath=\\Device\\HarddiskVolume3\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe	ProcessCommandLineLength=449	ProcessCommandLine="C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --type=renderer --field-trial-handle=1584,907962174893835817,17905728574330560274,131072 --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17231479865238225715 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1	CallingProcessId=4340	CallingProcessCreateTime=2019-11-21T08:14:34.890557700Z	CallingProcessStartKey=2533274790396556	CallingProcessSignatureLevel=0	CallingProcessSectionSignatureLevel=0	CallingProcessProtection=0	CallingThreadId=5716	CallingThreadCreateTime=2019-11-21T08:14:34.890560800Z	EventReceivedTime=2019-11-21 13:44:36	SourceModuleName=MSEvtIN	SourceModuleType=im_msvistalog	Vendor=Microsoft	devTimeFormat=yyyy-MM-dd HH:mm:ss

    Log Source Configuration Details:



    Kindly let me know if any other details are required, it would be really helpful!

    Thanks,


    ------------------------------
    Siddhant Mishra
    ------------------------------


  • 2.  RE: Windows Event Logs Forwarded via Nxlog in LEEF Format

    Posted Fri November 22, 2019 10:02 AM
    Hello,

    While my answer cannot be considered definitive I believe that issue that you're experiencing has to do with the fact that QRadar doesn't recognize that particular log ( Microsoft-Windows-Security-Mitigations) and that particular event. I am not sending any log messages via Universal LEEF but I do have some other events that behave like this / are not getting parsed.

    Here is an example of a log message that is getting sent to QRadar via WinCollect and it still does not get parsed. QRadar just does not understand the messages. Apparently the developers have not gone down the list of the Applications and Services Logs and devoted any time in parsing them (it does parse most of the Sysmon messages - not V10 yet though). This log message is seen as an unknown Event Name, Unknown Low Level Category, and Unknown Event Description.

    If other log messages are getting sent via Universal LEFF and getting parsed then I believe that you're probably experiencing what I am describing. If all of your Universal LEEF log messages are not getting parsed then there is a larger problem.

    <13>Nov 22 07:48:53 <Computer Name redacted> AgentDevice=WindowsLog	AgentLogFile=Microsoft-Windows-NTLM/Operational	PluginVersion=7.2.8.91	Source=Microsoft-Windows-Security-Netlogon	Computer=<fqdn.local.redacted>	OriginatingComputer=<IP Address redacted>	User=SYSTEM	Domain=NT AUTHORITY	EventID=8004	EventIDCode=8004	EventType=4	EventCategory=2	RecordNumber=211941132	TimeGenerated=1574434130	TimeWritten=1574434130	Level=Informational	Keywords=0x8000000000000000	Task=CATEGORY_AUDITNTLM	Opcode=Info	Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. Secure Channel name: <Computer Name redacted> User name: <User Name redacted> Domain name: <Domain Name redacted> Workstation name: <Workstation Name redacted> Secure Channel type: 2  Audit NTLM authentication requests within the domain <Domain Name redacted> that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.  If you want to allow NTLM authentication requests in the domain <Domain Name redacted>, set the security policy Network Securi



    HTH,

    Robert Strom

    ------------------------------
    Robert Strom
    ------------------------------

    Original Message


  • 3.  RE: Windows Event Logs Forwarded via Nxlog in LEEF Format

    Posted Sat November 23, 2019 03:02 AM
    Hello Robert,

    Thanks for your revert. Really appreciate it. 

    Actually, the same problem is encountered for all the Windows 10 log events that are forwarded and not a specific log event that was shared. Could you please let me know your suggestions on how to overcome this challenge?

    Thanks,

    ------------------------------
    Siddhant Mishra
    ------------------------------

    Original Message


  • 4.  RE: Windows Event Logs Forwarded via Nxlog in LEEF Format

    Posted Mon November 25, 2019 04:04 PM
    The only LEEF formatted log file that we are collecting are our Zscaler logs and these are parsing correctly.

    For Windows logs we are using a combination of the WInCollect agent on Domain Controllers (high volume log generation) and Windows Event Collection (WEC).

    I highly recommend the WEC method of event collection. Google "jessica payne windows event forwarding". There used to be a series of videos on this but they don't appear to existing anymore but you will still get a good start with that Google and then I would branch out from there.

    I currently have two Windows Event Collectors configured for our Client computers (desktops and laptops) to send their logs to and one Event Collector for our servers (except for the Domain controllers) to send their logs to.

    NOTE: The computers are not sending all their logs, they are sending specific Event ID's from specific logs (Security, Application, System, Sysmn, PowerShell, etc., etc., etc.) to the Event Collectors and then onto QRadar via a WinCollect agent installed on the Event Collectors that then forward the logs.

    This is pretty easy to configure using some Group Policies and some subscription definitions (subscription definitions guidelines are available on Microsoft and from the NSA via GitHub). I would also suggest looking at the SwiftonSecurity Sysmon template as a starting point for filtering Sysmon logging.

    You might also want to look at the https://www.ultimatewindowssecurity.com/ website for past webinars on WEC. They also product a software for managing Windows Event Collection infrastructures.

    I don't know how large your environment is but IMHO having an agent on every system is probably not the best way to do log collection. When deployed properly the WEC solution works very well.

    HTH,

    Robert

    ------------------------------
    Robert Strom
    ------------------------------

    Original Message


  • 5.  RE: Windows Event Logs Forwarded via Nxlog in LEEF Format

    Posted Tue November 26, 2019 04:40 AM

    Windows log collection is always a pia.. what we do now, is using wincollect agent to send directly to Qradar because it is formatted correctly, however I plan to change it a bit to forward it to a central log collect server and from there forward to Qradar using the same format because Wincollect basically only formats according to LEEF and sending through syslog, so any good standard syslog server (either nxlog or syslog-ng) can handle. Please be sure you are using nxlog CE only for private because regardless of its opensource fashion, the licensing prohibit to use it for business. In that case, I suggest to use syslog-ng OSE instead combined with wincollect

     

    Pál László

    Security Architect




    Original Message


  • 6.  RE: Windows Event Logs Forwarded via Nxlog in LEEF Format

    Posted Tue November 26, 2019 10:48 AM
    One thing to keep in mind if you send Windows log messages via Syslog

    Syslog has a maximum packet size when sending via UDP and you will lose parts of some of the larger log messages.

    If you send via Syslog I would send using TCP.

    IMHO everything should move to a JSON log format. Having a standard would be nice!

    ------------------------------
    Robert Strom
    ------------------------------

    Original Message


  • 7.  RE: Windows Event Logs Forwarded via Nxlog in LEEF Format

    Posted Mon December 02, 2019 04:04 AM
    Hello Team,

    Thanks for your revert. I really appreciate it. 

    The idea here is to not use WinCollect all together. I am using Nxlog EE to forward Windows Event Logs directly to Qradar in LEEF format. I tried with both LEEFv1.0 and LEEFv2.0 but all the events are not being parsed.

    Is there any workaround that might result in LEEF events to be parsed? 

    Thanks,



    ------------------------------
    Siddhant Mishra
    ------------------------------

    Original Message


  • 8.  RE: Windows Event Logs Forwarded via Nxlog in LEEF Format

    Posted Mon December 02, 2019 06:41 AM

    Hi,

     

    What I would do is to check the format Wincollect sends, then work with nxlog to make it the same. This is how I did with syslog-ng

     

    template t_leefwin {

        template("<${PRI}>${BSDDATE} ${HOST} LEEF:1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET} devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE} sev=${EVENT_LEVEL} resource=${HOST} usrName=${EVENT_USERNAME} application=${EVENT_SOURCE} message=${EVENT_MSG}\n");

    };

     

    Also make sure you keep the original hostname/IP in the syslog header of the forwarded log ( $HOST macro above), otherwise Qradar will think the log is coming from the relay. I'm not sure how it can be done in nxlog, but in syslog-ng it is keep-hostname genric option

     

    Good luck and please share your solution because someday someone else also can use it

     

    Laszlo

     




    Original Message