SIEM Foundations: Configuring a Windows Data Source

Version 2


    Creating a Windows Data Source Profile

    The McAfee SIEM provides a facility to store commonly used profiles for such attributes as Windows Account Credentials and data storage mount parameters (CIFS, NFS, etc.). This allows the SIEM administrator to enter the required profile information in a central location which is later referenced by the SIEM when necessary.

     

    One of the most useful profiles to configure is a Windows Data Source profile. The Windows profile stores the credentials and log collection details that are later used when defining a Windows (WMI) data source on an Event Receiver. When a profile is used during the creation of a Windows data source, the SIEM operator does not have to enter the credentials; the data source simply inherits the attributes of the profile. The credentials are also maintained in one central location: a username or password change is made once in the profile, and every data source that references the profile automatically uses the new values. Because the same credential is pushed to every Receiver that references the profile, use a dedicated service account for it rather than a personal or general-purpose administrator account, and give that account only the rights needed to read event logs over WMI.

     

    To create a Windows Data Source Profile:

    1. Click the System Properties icon from the Quick Launch menu in the upper right of the interface.
    2. Click Profile Management.
    3. Click the Add button. The Add System Profile window will open.
    4. From the Profile Type dropdown menu, select Data Source.
    5. From the Profile Agent dropdown menu select Windows.
    6. Enter a Profile Name.
    7. Enter a Username. This can be a local account or a domain account (entered as DOMAIN\username). The account must be able to read the event logs over WMI on every host that will reference the profile; a non-administrator account needs local membership in Event Log Readers (required to read the Security log) and Distributed COM Users, plus Remote Enable permission on the root\cimv2 WMI namespace.
    8. Enter a Password.
    9. In the Event Logs field, enter SYSTEM,SECURITY,APPLICATION.
    10. Click OK. Close the System Properties window.
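    The profile only stores the credential; the rights that make it work are granted on each Windows host that will be polled. The following is an added example, not part of this McAfee documentation, showing how to prepare a non-administrator collector account on a target host with PowerShell 5.1 or later (run as a local administrator on that host). The account name is a placeholder.

```powershell
# Added example (not from the McAfee SIEM documentation): run as a local administrator ON
# THE WINDOWS HOST that the Receiver will poll, to let a non-administrator account read
# the event logs over WMI. The account name is an assumed placeholder.
$collector = 'CORP\svc-siem-wmi'   # assumed domain account stored in the SIEM profile

# Event Log Readers grants read access to System, Application and the Security log (which
# ordinary users cannot read); Distributed COM Users grants the remote DCOM launch and
# activation rights that a remote WMI connection requires.
foreach ($group in 'Event Log Readers', 'Distributed COM Users') {
    $already = Get-LocalGroupMember -Group $group -Member $collector -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group $group -Member $collector
    }
    $members = (Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name) -join ', '
    "$group : $members"
}

# Remote WMI rides on DCOM (135/TCP) plus dynamic RPC ports; make sure the built-in
# firewall rule group that allows it inbound is enabled.
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Select-Object DisplayName, Direction, Enabled

# Remote Enable on the root\cimv2 namespace is not granted to non-administrators by
# default. Grant it to the collector account in wmimgmt.msc (Properties > Security >
# Root\CIMV2) or by editing the namespace security descriptor; it is not a group setting.

# Least privilege check: the collector account should NOT be a local administrator.
$admin = Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $collector
if ($admin) { Write-Warning "$collector is a local administrator; remove it and rely on the groups above." }
```

    Re-run the SIEM Connect test (described in the next section) after making these changes. If the Security log alone fails while System and Application succeed, the Event Log Readers membership is the usual culprit; if nothing connects, check the firewall rules and the DCOM group first.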

     

    Configuring a Windows Data Source

    There are several methods that can be used to add a Data Source to an Event Receiver for collection: one at a time from the Action Toolbar, multiple sources from the Data Source section of the Event Receiver Properties window, bulk creation via CSV file import, and Auto Learn.

     

    The following steps describe the simplest way to add a single Data Source to a Receiver and begin event and log collection: one at a time from the Action Toolbar.

    1. From the System Tree, select the Event Receiver on which you will be configuring the Windows Data Source.
    2. Click the Add Data Source button from the Action Toolbar located in the upper left of the interface. The Add Data Source window will open.
    3. To use the Windows Data Source Profile created in the previous section, place a check mark in the Use System Profiles option box. The Add Data Source window will populate the Data Source Vendor (Microsoft), Data Source Model (WMI Event Log), Username, Password and Event Log details defined in the Profile.

      To define a Windows Data Source without using a profile:
      1. From the Data Source Vendor dropdown menu, select Microsoft.
      2. From the Data Source Model dropdown menu, select WMI Event Log.
      3. Enter a Username with sufficient privileges to connect to the Windows host and retrieve the WMI logs.
      4. Enter the Password.
      5. In the Event Logs field, enter SYSTEM,SECURITY,APPLICATION.
    4. Enter a Name to be used for this Data Source.
    5. Enter the IP Address for the Windows host.
      NOTE: For Windows hosts that acquire an IP address from DHCP, this field can be left blank. The SIEM will perform a DNS lookup using the hostname to obtain the current IP address at each polling interval.
    6. Enter the NETBIOS Name assigned to the Windows host.
      Example: If the DNS name is hostname.domain.com, the NETBIOS name will likely be just hostname.
    7. Click the Connect button to test the connection to the Windows Data Source.
    8. If the connection attempt is successful, a dialog box will open indicating that the Windows Data Source configuration is correctly configured to support event collection from the Windows host AND that the credentials provided are sufficient to retrieve the defined WMI logs.
      If the connection attempt fails, a dialog box will open with details that can be used to troubleshoot the connection. Common causes are an incorrect IP Address or NETBIOS name, a host firewall blocking DCOM/RPC (135/TCP and the dynamic RPC ports) between the Receiver and the host, incorrect user credentials, or an account that can connect to WMI but lacks the privilege to read one of the defined event logs (most often the Security log). Correct the error and re-test the WMI connection until the response is successful.
    9. Once the WMI Connection Test is successful, click OK. The Apply Data Source Settings dialog box will open.
    10. Click Yes to apply the Windows Data Source configuration to the Event Receiver.
    11. Once the Windows Data Source has been written to the Event Receiver, a dialog box will open to confirm. Click Close.
    12. Since a new event collection source has been configured on the Event Receiver, the policy must be rolled out so that the Receiver can parse the event formats associated with the Windows Data Source. The Rollout Policy window will open, listing the Data Sources defined on the Event Receiver whose policy must be applied before event collection can begin.
      NOTE: Some Data Sources in the list may read ‘Skip – This policy is up to date’ while others, like the Windows Data Source just added, will read ‘Roll this policy out now.’ The SIEM tracks which Data Source policies are new or have been modified since the last rollout and skips those that are already current.
    13. Click OK to roll the policy out to the Event Receiver Data Sources.
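    The Connect button in step 7 checks two separate things: that the Receiver can reach WMI on the host, and that the supplied account can actually read each of the logs listed in the Event Logs field. When the dialog in step 8 is unhelpful, the same two checks can be reproduced from a Windows administration workstation, which separates network and DCOM problems from permission problems. The script below is an added example, not part of this McAfee documentation; the host name, account and log list are placeholders chosen to match the profile created earlier.

```powershell
# Added example (not from the McAfee SIEM documentation): reproduce the Receiver's
# "Connect" test for a WMI Event Log data source from an administrator workstation.
# Host name and account are assumed placeholders; the log list matches the profile.
param(
    [string]$ComputerName = 'win-host01',               # assumed NETBIOS/DNS name of the target
    [string]$UserName     = 'CORP\svc-siem-wmi',         # assumed collector account from the profile
    [string[]]$EventLogs  = @('System', 'Security', 'Application')
)

$cred = Get-Credential -UserName $UserName -Message "Password for $UserName"

# Check 1: DCOM/WMI reachability and authentication. Any class in root\cimv2 will do;
# a failure here is a name/IP, firewall, DCOM or credential problem, not a log problem.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
                        -Credential $cred -ErrorAction Stop
    "WMI connection OK: $($os.CSName) ($($os.Caption))"
} catch {
    "WMI connection FAILED: $($_.Exception.Message)"
    return
}

# Check 2: per-log read access. Win32_NTLogEvent is the WMI class that exposes classic
# event log records, so being able to read one record per log with this account is the
# same requirement a WMI-based collector has. A failure on one log only (typically
# Security) points at missing Event Log Readers membership rather than connectivity.
foreach ($log in $EventLogs) {
    $query = "SELECT RecordNumber, TimeGenerated FROM Win32_NTLogEvent WHERE Logfile='$log'"
    try {
        $evt = Get-WmiObject -Query $query -ComputerName $ComputerName `
                             -Credential $cred -ErrorAction Stop |
               Select-Object -First 1
        if ($evt) {
            "$log : readable (latest record $($evt.RecordNumber) at $($evt.TimeGenerated))"
        } else {
            "$log : readable but currently empty"
        }
    } catch {
        "$log : read FAILED - $($_.Exception.Message)"
    }
}
```

    Run it with the same NETBIOS name you entered in step 6 so that name resolution is exercised the same way the Receiver will exercise it; if the first check passes only when you substitute the IP address, the failure is in DNS, not in WMI.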

     

     
