Microsoft Windows Server via Agent

Support Added: FortiSIEM 1.1

Last Modification: FortiSIEM 7.0.0

Vendor: Microsoft

Product Information: https://www.microsoft.com/en-us/windows-server

Supported OS Versions

• Windows 2008 and 2008 R2
• Windows 2012 and 2012 R2
• Windows 2016
• Windows 2019
• Windows 2022
• Windows 10
• Windows 11
  
  

Overview

FortiSIEM Windows Agent can collect a wide variety of logs and other telemetry from Windows hosts. This document covers how to configure Windows Services to send the required metrics to FortiSIEM.

Compared to OMI based log collection, Windows Agent has many advantages shown in the following table.

Feature	Agent based collection	OMI based collection
Discovery and Performance Monitoring	Yes	Yes (however, installed software can’t be discovered)
Collect Security, System, Application logs	Yes	Yes
Collect Sysmon	Yes	No
Collect DNS logs (Debug Logs, Analytical logs)	Yes	No
Collect DHCP logs	Yes	No
Collect IIS logs	Yes	No
Collect Generic Application logs	Yes	No
File Integrity Monitoring	Yes	Limited(1)
Certificate Monitoring	Yes	Limited(1)
Registry Change Monitoring	Yes	Limited(1)
Installed Software Change Monitoring	Yes	No
WMI and Powershell output Monitoring	Yes	No
Windows Event Forwarding Support	Yes	No
User Entity Behavior Anomaly (UEBA) Telemetry	Yes	Limited(1)
Use osquery to get current host information for threat hunting and other use cases	Yes	No
High volume log collection	Yes	Limited(2)

Notes:

• Limited(1) means limited capabilities using Security Event logs

• Limited(2) means that noticeable collection delay observed after 100 events per second.

This document covers the following topics.

• Configuring Discovery and Performance Monitoring

• Collecting Windows Security Logs

• Collecting Windows System and Application Logs

• Collecting Windows Sysmon Logs

• Collecting Windows DNS Logs

• Collecting Windows DHCP Logs

• Collecting Windows IIS Logs

• Collecting Generic Application Logs

• Configuring File Integrity Monitoring

• Configuring Certificate Monitoring

• Configuring Registry Change Monitoring

• Configuring Installed Software Change Monitoring

• Configuring WMI and PowerShell Output Monitoring

• Configuring Windows User Entity Behavior Anomaly (UEBA)

• Configuring OpenSSH Operational and Admin Logs

• Configuring Osquery

• Recommended Log Sources by Use Case

• Configuring Windows Event Forwarding

Configuring Discovery and Performance Monitoring

Windows Agent can be configured to discover a host that enables FortiSIEM to populate CMDB, just like Windows OMI based discovery. Discovered information includes:

• General information – Host name, OS, version

• Hardware information – CPU, memory, network interfaces, disk

• Software information – Running services, processes, installed software, patches

Windows Agent can also be configured to monitor system and certain application-level performance metrics:

• System level – Uptime, CPU utilization, memory utilization, disk utilization, network interface utilization

• Process level – CPU utilization and memory utilization per process

• Application level – DNS, DHCP, Active Directory, ASPNET and IIS metrics

No configuration is needed on the Windows side.

On FortiSIEM, follow these steps to configure discovery and performance monitoring:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Monitor tab.

   3. Use the checkboxes to select the various items to be discovered or monitored and configure the polling frequency.

   4. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important Performance Monitoring Events

Type	Event Type	Description
System Performance Monitoring	PH_DEV_MON_SYS_UPTIME	System uptime for a device
	PH_DEV_MON_SYS_CPU_UTIL	System CPU Utilization for a device
	PH_DEV_MON_SYS_MEM_UTIL	System memory Utilization stats for a device
	PH_DEV_MON_SYS_DISK_UTIL	Disk Utilization stats for a device
	PH_DEV_MON_NET_INTF_UTIL	Network Interface utilization stats for a device
	PH_DEV_MON_PROC_RESOURCE_UTIL	Process CPU and Memory Utilization stats
Application-level Performance Monitoring	PH_DEV_MON_APP_DNS_MET	Windows DNS performance metrics
	PH_DEV_MON_APP_DHCP_MET	Windows DHCP performance metrics
	PH_DEV_MON_APP_IIS_MET	Microsoft IIS performance metrics
	PH_DEV_MON_APP_ASPNET_MET	ASP.NET performance metric
	PH_DEV_MON_APP_NTDS_MET	Microsoft directory service performance metrics

Collecting Windows Security Logs

Configuration

On the Windows Server, the following should be done first:

• Configure Security Audit Logging Policy

• Configure File Auditing Policy

• Configure Audit File System Policy

• Disable Audit Token Right Adjusted Success Events

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Event tab.

   3. At Event Log, click New.

   4. From the Type drop-down list, select Security.

   5. In the Include Event field, leave it as "ALL", or enter the list of security event ids.

   6. In the Exclude Event field, leave it as "NONE" or enter in the list of security event ids.

   7. Note that setting Include Event to "ALL" and Exclude Event to "NONE" enables all security events.

   8. Click Save.

4. Click Save.

5. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

6. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

7. From the Host drop-down list, select the host(s).

8. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

9. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Configure Security Audit Logging Policy

Configure this policy to specify the categories of events that you want to be logged and available for monitoring by FortiSIEM.

1. Log in to the machine where you want to configure the policy as an administrator.
2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand Local Policies and select Audit Policy.
   You will see the current security audit settings.
4. Select a policy and edit the Local Security Settings for the events you want to be audited. The recommended settings are:

Policy	Description	Settings
Audit account logon events and Audit logon events	For auditing log in activity.	Select Success and Failure.
Audit object access events	For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configuring File Auditing Policy.	Select Success and Failure.
Audit system events	Includes system up/down messages.

5. For an Enterprise Server's Domain Group Policy, make sure you set the following under Group Policy > Local Policies > Audit Policy:

   Policy = Audit object access

   Security Setting = Success or Failure

Configure File Auditing Policy

Configure this configuration to capture user meta data in file auditing Security logs such as Win-Security-4656, Win-Security-4658, etc...

1. Log in to the machine where you want to set the policy with administrator privileges.
   On a domain computer, a Domain administrator account is needed.
2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties. By default, the General tab will be shown. Select the Security tab to continue.
3. In the Security tab, click Advanced.
   
   
4. Select the Auditing tab, and click Add, then click Select a principal.
   This button is labeled Edit in Windows 2008.
   
   
5. In the Select User or Group dialog, click Advanced, and find and select the users, or groups, whose access to this file you want to monitor. If you want to audit all users access to the audited folder, select Everyone as shown below.
   
   
6. Click OK after adding the users.
7. In the Permissions tab, set the permissions for each user added.
   

   The configuration is now complete. Windows will generate audit events when the users or groups you specified take the actions specified on the files or folders for which you set the audit policies.

Configure Audit File System Policy

Configure this policy to enable change events for permission and/or ownership changes to files and/or directories. Examples include Win-Security-4662, Win-Security-4663. Without this policy, these events would not be generated.

Complete these steps to enable Audit File System policy:

1. Log in, with administrator privileges, to the machine where you want to set the policy.

   On a domain computer, you must have a Domain administrator account.

2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand the Advanced Audit Policy Configuration node.
4. Expand System Audit Policies-Local Group Policy Object node.

   You will see the current security audit settings.

5. Select Object Access.
6. Select Audit File System on the left side of the window.
7. Double-click Audit File System. In the pop-up window, select both Success and Failure under Configure the following audit events.
8. Click Apply, then OK.
   

   

The Audit File System Policy is now enabled. Reboot your system to apply the changes.

Disable Audit Token Right Adjusted Success Events

Configure this to disable some high frequency and low value events such as Win-Security-4703.

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703#security-monitoring-recommendations.

1. Log in, with administrator privileges, to the machine where you want to set the policy.

   On a domain computer, you must have a Domain administrator account.

2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Detailed Tracking.
4. Go to the Detailed Tracking subcategory, and select Audit Token Right Adjusted.
5. Double click Audit Token Right Adjusted, select the Configure the following audit events: checkbox.
6. Uncheck the Success checkbox if needed to disable.
7. Click Apply.

Important Security Events

The full list of Windows Security event types in FortiSIEM can be found by searching for "Win-Security-" in Resources > Event Types from FortiSIEM GUI.

External resource:

• Microsoft's website provides detailed event log descriptions: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/view-the-security-event-log.

A few selected Windows Security events by use cases are shown below. Event Types follow the pattern: Win-Security-<id>

Use case	Event Type	Description
Logon	Win-Security-4624	Windows logon success
	Win-Security-4625	Windows logon failure
	Win-Security-4740	A user account was locked out
	Win-Security-4767	Windows user account unlocked
	Win-Security-4634	Account logoff
	Win-Security-4647	User initiated logoff
Account Management	Win-Security-4720	Windows user account created
	Win-Security-4722	Windows user account enabled
	Win-Security-4725	Windows user account disabled
	Win-Security-4726	Windows user account deleted
	Win-Security-4738	Windows user account changed
	Win-Security-4739	Domain Policy changed
	Win-Security-4741	A computer account was created
	Win-Security-4742	A computer account was changed
	Win-Security-4743	A computer account was deleted
	Win-Security-4727	A security-enabled global group was created
	Win-Security-4728	A member was added to a security-enabled global group
	Win-Security-4729	A member was removed from a security-enabled global group
	Win-Security-4730	A security-enabled global group was deleted
	Win-Security-4731	A security-enabled local group was created
	Win-Security-4732	A member was added to a security-enabled local group
	Win-Security-4733	A member was removed from a security-enabled local group
	Win-Security-4734	A security-enabled local group was deleted
	Win-Security-4735	A security-enabled local group was changed
	Win-Security-4737	A security-enabled global group was changed
	Win-Security-4744	A security-disabled local group was created
	Win-Security-4745	A security-disabled local group was changed
	Win-Security-4746	A member was added to a security-disabled local group
	Win-Security-4747	A member was removed from a security-disabled local group
	Win-Security-4748	A security-disabled local group was deleted
	Win-Security-4749	A security-disabled global group was created
	Win-Security-4750	A security-disabled global group was changed
	Win-Security-4751	A member was added to a security-disabled global group
	Win-Security-4752	A member was removed from a security-disabled global group
	Win-Security-4753	A security-disabled global group was deleted
	Win-Security-4754	A security-enabled universal group was created
	Win-Security-4755	A security-enabled universal group was changed
	Win-Security-4756	A member was added to a security-enabled universal group
	Win-Security-4757	A member was removed from a security-enabled universal group
	Win-Security-4758	A security-enabled universal group was deleted
	Win-Security-4759	A security-disabled universal group was created
	Win-Security-4760	A security-disabled universal group was changed
	Win-Security-4761	A member was added to a security-disabled universal group
	Win-Security-4762	A member was removed from a security-disabled universal group
	Win-Security-4763	A security-disabled universal group was deleted
Configuration Changes	Win-Security-1100	Event logging service shut down
	Win-Security-1102	Windows audit log cleared
	Win-Security-5025	Windows Firewall Service stopped
	Win-Security-4946	A rule added to Windows Firewall exception list
	Win-Security-4947	A Windows Firewall exception rule modified
	Win-Security-4950	A Windows Firewall setting has changed
	Win-Security-4616	The system time was changed
	Win-Security-5030	The Windows Firewall Service failed to start
Network Traffic	Win-Security-5031	Windows Firewall Service blocked an application from accepting incoming connections
	Win-Security-5155	Windows Filtering blocked an application or service from listening on incoming connections
	Win-Security-5157	Windows Filtering blocked a connection
	Win-Security-5152	Windows Filtering blocked a packet
	Win-Security-5153	A more restrictive Windows Filtering Platform filter has blocked a packet
	Win-Security-5156	Windows Filtering allowed a connection
File Audit	Win-Security-4656	A handle to an object was requested
	Win-Security-4658	The handle to an object was closed
	Win-Security-4659	A handle to an object was requested with intent to delete
	Win-Security-4660	An object was deleted
	Win-Security-4661	A handle to an object was requested
	Win-Security-4662	An operation was performed on an object
	Win-Security-4663	An attempt was made to access an object
Startup / Shutdown	Win-Security-4608	Windows is starting up
	Win-Security-4609	Windows is shutting down
Process Activity	Win-Security-4688	A new process has been created
	Win-Security-4689	A process has exited
Scheduled Task	Win-Security-4698	scheduled task was created
	Win-Security-4699	A scheduled task was deleted
	Win-Security-4700	A scheduled task was enabled
	Win-Security-4701	A scheduled task was disabled
	Win-Security-4702	A scheduled task was updated

Sample security events are available here, in the FortiSIEM Online Help Appendix.

Collecting Windows System and Application Logs

Configuration

No configuration is needed on Windows hosts.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Event tab.

   3. At Event Log, create a System Event Log type by clicking New.

   4. From the Type drop-down list, select System.

   5. In the Include Event field, leave it as "ALL", or enter the list of event ids.

   6. In the Exclude Event field, leave it as "NONE" or enter in the list of event ids.

   7. Note that setting Include Event to "ALL" and Exclude Event to "NONE" enables all System events.

   8. Click Save.

   9. At Event Log, create a System Event Log type by clicking New.

   10. From the Type drop-down list, select Application.

   11. From the Source drop-down list, select the source.

   12. In the Include Event field, leave it as "ALL", or enter the list of event ids.

   13. In the Exclude Event field, leave it as "NONE" or enter in the list of event ids.

   14. Note that setting Include Event to "ALL" and Exclude Event to "NONE" enables all Application events.

   15. Click Save.

4. Click Save.

5. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

   1. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

   2. From the Host drop-down list, select the host(s).

   3. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

   4. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important System and Application Events

The full list of event types can be found by searching for "Win-System-" or "Win-App" in Resources > Event Types from FortiSIEM GUI. A few selected events are shown below. Event Types follow the pattern

• Win-System-<Reporting Module>-<id>

• Win-Application-<Reporting Module>-<id>

Type	Event Type	Description
System	Win-System-Microsoft-Windows-Eventlog-104	Application log file was cleared
System	Win-System-EventLog-6005	Windows EventLog service restarted
System	Win-System-EventLog-6006	Windows clean shutdown
System	Win-System-EventLog-6008	Windows dirty shutdown
System	Win-System-Service-Control-Manager-7023	Corrupted or missing system files
System	Win-System-Service-Control-Manager-7036,	Windows Application Status
System	Win-System-Service-Control-Manager-7036-Start	Windows Application Startup
System	Win-System-Service-Control-Manager-7036-Stop	Windows Application Shutdown
System	Win-System-Service-Control-Manager-7040	Windows service status changed
System	Win-System-Service-Control-Manager-7045	Windows Service installed
Application	Win-App-Application-Hang-1002	Application hang
Application	Win-App-Application-Error-1000	Application error
Application	Win-App-Windows-Error-Reporting-1001	Windows Error Reporting
Application	Win-App-MsiInstaller-1033	Windows Installer installed product
Application	Win-App-MsiInstaller-1034	Windows Installer removed the product
Application	Win-App-Microsoft-Windows-SoftwareRestrictionPolicies-868	A user starts a program that is disallowed by a zone rule or hash rule
Application	Win-App-Microsoft-Windows-SoftwareRestrictionPolicies-866	A user starts a program that is disallowed by a path rule
Application	Win-App-Microsoft-Windows-SoftwareRestrictionPolicies-882	Access has been restricted by your Administrator by policy rule
Application	Win-System-USER32-1074	Windows shutdown initiated

Sample Windows system logs are available here. Sample application events are available here.

Collecting Windows Sysmon Logs

System Monitor (Sysmon) is a Windows system service that provides a more detailed view of system activity than the Windows security logs:

• Process creation, termination, and tampering

• Network connections initiated by processes and related activity

• Changes to file creation time stamps

• Loading of drivers or DLLs

• PowerShell launching and command logging

Configuration

Sysmon events collected by FortiSIEM Agent will automatically be parsed and analyzed by FortiSIEM.

On Windows Server side, follow these steps:

Note: The supported Sysmon versions are 5.02 and above. The latest Sysmon download instructions are available here.

1. Log in to the Windows machine.
2. Download the popular Sysmon configuration file and save it as https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
3. Save the configuration file as sysmonconfig.xml
4. Check whether the Sysmon executable is installed or not by running: Sysmon64.exe -c
   1. If Sysmon is running, update the Sysmon configuration by using the command with administrator rights: sysmon.exe -c sysmonconfig.xml
   2. If Sysmon is not available on the system, download and install using the command with administrator rights: sysmon.exe -accepteula -i sysmonconfig.xml
5. Check the new configuration using the command: Sysmon64.exe -c
6. Check for Sysmon events:
   1. Go to Event Viewer > Applications and Service Logs > Microsoft > Windows > Sysmon > Operational.
   2. Check for Sysmon logs on the right panel.
   3. Right-click on Operational and choose Properties.
   4. Note the Full Name (typically "Microsoft-Windows-Sysmon/Operational") for FortiSIEM configuration.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Event tab.

   3. At Event Log, click New.

   4. From the Type drop-down list, select Other.

   5. In the Event Name field, paste the full name that you acquired from the Windows side configuration. Typically this is typically "Microsoft-Windows-Sysmon/Operational".

   6. In the Include Event field, leave it as "ALL", or enter the list of event ids.

   7. In the Exclude Event field, leave it as "NONE" or enter in the list of event ids.

   8. Note that setting Include Event to "ALL" and Exclude Event to "NONE" enables all Sysmon events.

   9. Click Save.

4. Click Save.

5. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

   1. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

   2. From the Host drop-down list, select the host(s).

   3. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

   4. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important Sysmon Events

The full list of event types can be found by searching for "Win-Sysmon-" in Resources > Event Types from FortiSIEM GUI. A few selected events are shown below. Event Types follow the pattern: Win-Sysmon-<id>-<short description>

Event Type	Description
Win-Sysmon-1-Create-Process	A Windows process is created
Win-Sysmon-3-Network-Connect-IPv4	TCP/UDP IPv4 connections created by a process
Win-Sysmon-6-Driver-Loaded	A windows driver is being loaded into the system
Win-Sysmon-7-Image-Loaded	A module is loaded within a specific process
Win-Sysmon-10-ProcessAccess	A process opens another process
Win-Sysmon-11-FileCreate	A file is created or overwritten
Win-Sysmon-12-Registry-CreateKey	Window registry key created
Win-Sysmon-12-Registry-DeleteKey	Window registry key deleted
Win-Sysmon-27-FileBlockExecutable	Sysmon detects and blocks the creation of executable files (PE format)

Sample Sysmon logs are available here.

Collecting Windows DNS Logs

There are 2 types of DNS logs

• DNS Debug Logs

• DNS Analytical Logs

Here are some external references explaining the capabilities of DNS Debug Logs and DNS Analytical Logs:

• https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/secrets-from-the-deep-the-dns-analytical-log-part-1/ba-p/1875094

• https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/secrets-from-the-deep-the-dns-analytical-log-part-3/ba-p/1985830

• https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/secrets-from-the-deep-the-dns-analytical-log-part-4/ba-p/2076293

• https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/secrets-from-the-deep-the-dns-analytical-log-part-5/ba-p/3191119

Configuring DNS Debug Log Collection

DNS Debug Logs contain information about hosts performing DNS Queries, DNS Server configuration changes and DNS Server errors. To collect DNS Debug Logs, take the following steps on the Windows DNS Server:

1. Log in to the Windows machine.
2. Configure DNS logging:
   1. Launch DNS Manager.
   2. Select the specific DNS Server and click Properties.
   3. On Debug Logging tab, enable Log packets for debugging.
   4. Specify the log file name and path, for example C:\DNSLogs.log.
      
3. Check for DNS logs. If logs are present, FortiSIEM Agent will automatically collect these logs.
   1. Go to Event Viewer > Applications and Service Logs > DNS Server.
   2. Check for DNS logs on the right panel.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Event tab.

   3. At Event Log, click New.

   4. From the Type drop-down list, select DNS.

   5. In the Include Event field, leave it as "ALL", or enter the list of event ids.

   6. In the Exclude Event field, leave it as "NONE" or enter in the list of event ids.

   7. Note that setting Include Event to "ALL" and Exclude Event to "NONE" enables all events.

   8. Click Save.

4. Click Save.

5. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

6. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

7. From the Host drop-down list, select the host(s).

8. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

9. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important DNS Debug Log Event Types

The full list of event types can be found by searching for "Win-DNS-" or "AO-WUA-DNS" in Resources > Event Types from FortiSIEM GUI. Events "Win-DNS-<id>" with id more than 500 are considered DNS Debug logs. A few selected events are shown below.

Event Type	Description
AO-WUA-DNS-A-Query-Success	Successful DNS Domain name to IPV4 query
AO-WUA-DNS-A-Query-Failed	Failed DNS Domain name to IPV4 query
AO-WUA-DNS-AAAA-Query-Success	Successful DNS Domain name to IPV6 query
AO-WUA-DNS-AAAA-Query-Failed	Failed DNS Domain name to IPV6 query
AO-WUA-DNS-PTR-Query-Success	Successful DNS IPV4 to domain name query
AO-WUA-DNS-PTR-Query-Failed	Failed DNS IPV4 to domain name query
Win-DNS-548-Restart-server	A request to restart the DNS server service has been received
Win-DNS-549-Clear-debug-logs	The debug logs have been cleared from on DNS server
Win-DNS-515-Record-create	A resource record of type, name, TTL and RDATA was created in scope of zone
Win-DNS-516-Record-delete	A resource record of type, name and RDATA was deleted from scope of zone
Win-DNS-534-Export-DNSSEC	DNSSEC setting metadata was exported key signing key metadata from zone
Win-DNS-535-Import-DNSSEC	DNSSEC setting metadata was imported on zone

Sample DNS logs are available here.

Configuring DNS Analytical Log Collection

DNS Analytical Logs provide high-performance recording of all DNS transactions using Event Tracing for Windows (ETW). Analytic logs are more performant than legacy DNS Debug log.

To collect DNS Debug Logs, take the following steps on the Windows DNS Server:

Notes:

• Microsoft recommends that customers enable DNS Analytical logs only to debug DNS traffic or to troubleshoot DNS server issues. Enabling DNS Analytical logs can cause system performance issues (see Microsoft Logging and Diagnostics).

• If the DNS server is running Windows Server 2012 R2, download the hotfix from http://support.microsoft.com/kb/2956577

• You can find more information on this topic in Enable Analytic and Debug Logs in the Microsoft User Guide.

1. Enter eventvwr.msc at an elevated command prompt and press Enter to open the Event Viewer.
2. In the Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > DNS-Server.
3. Right-click DNS-Server, point to View, and click Show Analytic and Debug Logs. The Analytical log is displayed.
4. Right-click Analytical and then click Properties.
5. Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually).
6. Select the Enable logging checkbox.
7. Click OK when you are asked if you want to enable this log. See the following example.
   

   

8. Click OK again to enable the DNS Server Analytic event log.
9. Note the Full Name value in the screenshot in Step7: Microsoft-Windows-DNSServer/Analytical. This name must be entered in FortiSIEM.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Event tab.

   3. At Event Log, click New.

   4. From the Type drop-down list, select Other.

   5. In the Event Name field, paste the full name you acquired during the Windows DNS Server configuration.

   6. In the Include Event field, leave it as "ALL", or enter the list of event ids.

   7. In the Exclude Event field, leave it as "NONE" or enter in the list of event ids.

   8. Note that setting Include Event to "ALL" and Exclude Event to "NONE" enables all events.

   9. Click Save.

4. Click Save.

5. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

6. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

7. From the Host drop-down list, select the host(s).

8. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

9. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important DNS Analytical Log Event Types

The full list of event types can be found by searching for "Win-DNS-" in Resources > Event Types from FortiSIEM GUI. Events "Win-DNS-<id>" with id less than 500 are considered DNS Analytical logs. A few selected events are shown below.

Event Type	Description
Win-DNS-265-IXFR-request-out	Incremental DNS Zone Transfer request sent
Win-DNS-266-IXFR-request-in	Incremental DNS Zone Transfer request received
Win-DNS-267-IXFR-response-out	Incremental DNS Zone Transfer response sent
Win-DNS-268-IXFR-response-in	Incremental DNS Zone Transfer response received
Win-DNS-269-AXFR-request-out	Full DNS Zone Transfer request sent
Win-DNS-270-AXFR-request-in	Full DNS Zone Transfer request received
Win-DNS-271-AXFR-response-out	Full DNS Zone Transfer response sent
Win-DNS-272-AXFR-response-in	Full DNS Zone Transfer response received
Win-DNS-273-XFR-notification-in	Full DNS Zone Transfer notification received
Win-DNS-274-XFR-notification-out	Full DNS Zone Transfer notification sent
Win-DNS-275-XFR-notify-ACK-in	Full DNS Zone Transfer notification acknowledgement received
Win-DNS-276-XFR-notify-ACK-out	Full DNS Zone Transfer notification acknowledgement sent

Sample DNS logs are available here.

Collecting Windows DHCP Logs

DHCP Logs capture DHCP address assignment activity.

Configuration

On Windows DHCP Server, follow these steps.

1. Login to the Windows machine.
2. Configure DHCP logging:
   1. Launch DHCP Manager.
   2. Select the specific DHCP Server and click IPv4 > Properties.
   3. Enable DHCP Audit Logging.
3. Check for DHCP events. If logs are present, FortiSIEM Agent will automatically collect these logs:
   1. Go to EventViewer > Applications and Service Logs > Microsoft > Windows > DHCP Server.
   2. Check for DHCP logs on the right panel.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Event tab.

   3. At File Log, check the DHCP checkbox.

   4. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important DHCP Event Types

The full list of event types can be found by searching for "AO-WUA-DHCP-" in Resources > Event Types from FortiSIEM GUI. A few selected events are shown below.

Event Type	Description
AO-WUA-DHCP-IP-ASSIGN	DHCP IP assigned
AO-WUA-DHCP-IP-LEASE-RENEW	DHCP lease renewed
AO-WUA-DHCP-DNS-LEASE-DENY	DHCP lease denied
AO-WUA-DHCP-DNS-UPDATE-SUCCESS	DHCP DNS Update Request Success
AO-WUA-DHCP-DNS-UPDATE-FAILED	DHCP DNS Update Request Fail
AO-WUA-DHCP-STOPPED	DHCP service stopped
AO-WUA-DHCP-DATABASE-CLEANUP-BEGIN	DHCP Database cleanup begin

Sample DHCP logs are available here.

Collecting Windows IIS Logs

IIS Logs capture IIS Web Server activity on Windows host.

Configuration

On Windows IIS Server, follow these steps.

1. Log in to the Windows machine.
2. Configure IIS logging:
   1. Launch IIS Manager.
      • From the Start menu, click Programs or All Programs, and point to Administrative Tools.
      • On Administrative Tools, Click Internet Information Services (IIS) Manager.
   2. Select the specific IIS Server and click the Logging icon on the panel on the right side.

      

   3. Specify the log path if default path (%SystemDrive%\inetpub\logs\LogFiles) does not exist.

      

3. Check for IIS events. If logs are present, FortiSIEM Agent will automatically collect these logs:
   1. Go to IIS logs default path, example: C:\inetpub\logs\LogFiles\.
   2. Check for IIS traffic logs.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Event tab.

   3. At File Log, check the IIS checkbox.

   4. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important IIS Event Types

The full list of event types can be found by searching for "AO-WUA-IIS-" in Resources > Event Types from FortiSIEM GUI. A few selected events are shown below.

Event Type	Description
AO-WUA-IIS-Web-Request-Success	Web request successful
AO-WUA-IIS-Web-Request-Redirect	Web request redirected
AO-WUA-IIS-Web-Client-Error	Web request failed - client error
AO-WUA-IIS-Web-Server-Error	Web request failed - server error
AO-WUA-IIS-Web-Forbidden-Access-Denied	Web request denied - forbidden access
AO-WUA-IIS-Web-Bad-Request	Web request denied - bad request
AO-WUA-IIS-Web-Length-Reqd-Access-Denied	Web request denied - length required

Sample IIS logs are available here.

Collecting Generic Application Logs

Windows Agent can monitor when lines get appended to a log file on the host. When this happens, an event is generated.

Configuration

No configuration is needed on the Windows host.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the User Log tab.

   3. At User Log, click New.

   4. In the Full File Name field, enter the full file name (including the path) to be monitored.

   5. In the Log Prefix field, enter a log prefix that needs to be added to the log.

   6. If the log file contains 1 line split into multiple lines, then add the following to define the multi-line format.

      1. In the Start field, enter a pattern that indicates the start of a multi-line log.

      2. In the End field, enter pattern that indicates the end of a multi-line log.

      3. In the Max Lines field, enter the maximum number of lines that a multi-line log can contain.

   7. Click Save.

4. Click Save.

5. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

6. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

7. From the Host drop-down list, select the host(s).

8. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

9. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Application Log File Monitoring Event Type

The following event is generated when a new line is appended to the log file:

AO-WUA-UserFile-<Log Prefix>. The new line is present in the msg attribute.

Configuring File Integrity Monitoring

Windows Agent can detect the following file or directory changes on a host:

• Addition, deletion, modification, renaming

• Permission change

• Ownership change

Importantly, the Agent can identify the associated user by correlating with the Security logs and add this information to the generated AO-WUA-FileMon log.

Also, the Agent provides two more features generally applicable to system configuration files:

• The file can be pushed from the Windows host to FortiSIEM. The file is saved on CMDB under Devices > Configuration Files. Subsequent changes can be tracked.

• The file can be compared against a baseline and an alert can be generated when the file changes.

Configuration

On Windows host, configure the following:

• Configure File Auditing Policy

• Configure Audit File System Policy

Configure File Auditing Policy

Configure this configuration to capture user meta data in file auditing Security logs such as Win-Security-4656, Win-Security-4658 etc.

1. Log in to the machine where you want to set the policy with administrator privileges.
   On a domain computer, a Domain administrator account is needed.
2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties. By default, the General tab will be shown. Select the Security tab to continue.
3. In the Security tab, click Advanced.
   
   
4. Select the Auditing tab, and click Add, then click Select a principal.
   This button is labeled Edit in Windows 2008.
   
   
5. In the Select User or Group dialog, click Advanced, and find and select the users, or groups, whose access to this file you want to monitor. If you want to audit all users access to the audited folder, select Everyone as shown below.
   
   
6. Click OK after adding the users.
7. In the Permissions tab, set the permissions for each user added.
   

   The configuration is now complete. Windows will generate audit events when the users or groups you specified take the actions specified on the files or folders for which you set the audit policies.

Configure Audit File System Policy

Configure this policy to enable change events for permission and/or ownership changes to files and/or directories. Examples include Win-Security-4662, Win-Security-4663. Without this policy, these events would not be generated.

Complete these steps to enable Audit File System policy:

1. Log in, with administrator privileges, to the machine where you want to set the policy.

   On a domain computer, you must have a Domain administrator account.

2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand the Advanced Audit Policy Configuration node.
4. Expand System Audit Policies-Local Group Policy Object node.

   You will see the current security audit settings.

5. Select Object Access.
6. Select Audit File System on the left side of the window.
7. Double-click Audit File System. In the pop-up window, select both Success and Failure under Configure the following audit events.
8. Click Apply, then OK.
   

   

The Audit File System Policy is now enabled. Reboot your system to apply the changes.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the FIM tab.

   3. Click New.

   4. In the File/Directory field, enter the File or Directory (including path) to be monitored.

   5. Check the Include Subfolder(s) checkbox if subfolder(s) should be included.

   6. Use the Exclude Subfolder(s) field to enter any subfolders that should not be included.

   7. In the Include File Type and Exclude File Type fields, enter any file types you wish to include or exclude respectively.

   8. File Content Monitoring (typically applies for configuration files)

      1. At On Modify, check the Push Filescheckbox if you want the Agent to push the file to FortiSIEM. It will show up in CMDB > Devices > Configuration Files.

      2. At On Modify, check the Compare Baseline checkbox if you want FortiSIEM to compare the file to a baseline and create an event when a difference is detected.

   9. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important FIM Event Types

These event types can be found by searching for "AO-WUA-FileMon-" in Resources > Event Types from FortiSIEM GUI.

Event Type	Description
AO-WUA-FileMon-Added	A windows file or directory created
AO-WUA-FileMon-Modified	A windows file or directory modified
AO-WUA-FileMon-Removed	A windows file or directory deleted
AO-WUA-FileMon-ArchivedBitChange	A windows file archive bit changed
AO-WUA-FileMon-OwnershipChange	A windows file or directory ownership changed
AO-WUA-FileMon-PermissionChange	A windows file or directory permission changed
AO-WUA-FileMon-Renamed-New-Name	A windows file or directory renamed: shows new name
AO-WUA-FileMon-Renamed-Old-Name	A windows file or directory renamed: shows old name
AO-WUA-FileMon-BaselineChange	A Windows file baseline changed

Sample File Integrity Monitoring logs are available here.

Configuring Windows Certificate Monitoring

Windows Agent can detect when a certificate is added / deleted / expiring / expired.

Configuration

No configuration is needed on the Windows host.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Certificate Monitoring tab.

   3. For each Certificate Store, indicate the operations that need to be monitored by adding a check to its checkbox: Add/ Delete / Expiring / Expired.

   4. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important Certificate Monitoring Event Types

These event types can be found by searching for "AO-WUA-Certificate-" in Resources > Event Types from FortiSIEM GUI.

Event Type	Description
AO-WUA-Certificate-Added	A Windows certificate was added
AO-WUA-Certificate-Removed	A Windows certificate was removed
AO-WUA-Certificate-Expired	A Windows certificate was expired
AO-WUA-Certificate-Expiring	A Windows certificate is expiring

Sample Certificate Monitoring logs are available here.

Configuring Windows Registry Change Monitoring

Windows Agent can detect when a windows registry changes.

Configuration

No configuration is needed on the Windows host.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Change tab.

   3. For Registry Change, indicate the root key that need to be monitored and the subkeys that need to be excluded.

   4. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important Registry Change Event Types

These event types can be found by searching for "AO-WUA-Registry-" in Resources > Event Types from FortiSIEM GUI.

Event Type	Description
AO-WUA-Registry-Added	A registry entry was created
AO-WUA-Registry-Modified	A registry entry was modified
AO-WUA-Registry-Removed	A registry entry was deleted

Sample Registry Change logs are available here.

Configuring Installed Software Change Monitoring

Windows Agent can detect when installed software changes.

Configuration

No configuration is needed on the Windows host.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Change tab.

   3. Check the Installed Software Change checkbox.

   4. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important Event Types

These event types can be found by searching for "AO-WUA-Certificate-" in Resources > Event Types from FortiSIEM GUI.

Event Type	Description
AO-WUA-InstSw-Added	A software was installed
AO-WUA-InstSw-Removed	A software was removed

Sample Installed Software logs are available here.

Configuring WMI and PowerShell Output Monitoring

Windows Agent can collect the output of any WMI and PowerShell script. The event containing the script output can be parsed and utilized for creating alerts and reports.

Configuration

No configuration is needed on the Windows host.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Script tab.

   3. Under WMI Classes, click New.

      1. From the Name drop-down list, select a name representing the WMI Class category.

      2. From the WMI Class drop-down list, select the specific WMI Class.

      3. Click Save.

   4. Complete the list of WMI Classes you want to monitor by repeating step c.

   5. Under Power Shell Script, click New.

      1. In the Name field, enter a name.

      2. In the Script Content field, enter/paste the PowerShell script.

      3. Click Save.

   6. Complete the list of PowerShell scripts you want to monitor by repeating step e.

   7. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important Event Types

Event Type	Description
AccelOps-WUA-WMI	WMI script monitoring output
AccelOps-WUA-Powershell	PowerShell script monitoring output

Sample PowerShell logs are available here. Sample WMI log is available here.

Configuring Windows User Entity Behavior Anomaly (UEBA)

Agent provides a clean telemetry of file accesses by generating 1 event per file action and including the following fields.

• Host

• User

• Domain

• Resource

• Activity

Such a clean data set enables Anomaly detection via Machine Learning.

Note:

1. Agent UEBA is generated by a kernel module and hence is very efficient

2. Windows Security logs can provide this information but, more than 1 (typically 6-8) Security logs are generated for 1 file action and requires further expensive correlation.

3. Agent FIM can also generate such events. However, the files have to be configured. Agent FIM file change detection is deep (e.g. permission changes) and not as efficient. Also, this needs correlation with Security logs to get user meta data.

Configuration

No configuration is needed on the Windows host.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the UEBA tab.

   3. Check the UEBA checkbox.

   4. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important Event Types

Event Type	Description
FINS-Windows-file-created	Windows user created file
FINS-Windows-file-deleted	Windows user deleted file
FINS-Windows-file-read	Windows user read file
FINS-Windows-file-written	Windows user wrote file
FINS-Windows-file-moved	Windows user moved file
FINS-Windows-file-downloaded	Windows user downloaded file
FINS-Windows-file-uploaded	Windows user uploaded file
FINS-Windows-new-process-created	Windows new process created
FINS-Windows-process-stopped	Windows process stopped

Sample UEBA logs are available here.

Configuring OpenSSH Operational and Admin Logs

Configuration

On Windows host, take the following steps

1. Make sure that you have installed or have a preinstalled OpenSSH service.

2. Go to C:\ProgramData\ssh\ and edit the sshd_config file.

   1. Find the two lines below and set them to LOCAL6, and INFO respectively and uncomment them.
      

         # Logging
         SyslogFacility LOCAL6 
         LogLevel INFO
      

   2. Save the file.

   3. Restart the sshd service by running the following commands.

      net stop sshd

      net start sshd

3. Go to Event Viewer and navigate to Applications and Services Logs > OpenSSH > Operational log section to confirm logs are now being generated.

On FortiSIEM side, follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Event tab.

   3. Under Event Log, click New.

      1. From the Type drop-down list, select Other.

      2. In the Event Name field, enter "OpenSSH/Operational".

      3. Click Save.

   4. Click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Important Event Types

Events will have the following event type: FSM-WUA-WinLog-OpenSSH/Operational

As an example:

2024-10-04T23:05:48Z test-lab01.example.com 192.0.2.0 FSM-WUA-WinLog-OpenSSH/Operational [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="9265b0da-aa12-48d3-b5d0-d14e711e4713" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [domain]="NT AUTHORITY" [user]="SYSTEM" [userSIDAcctType]="User" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='OpenSSH' Guid='{c4b57d35-0636-3bc3-bb32-370f205f9802}'/><EventID>4</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime='2024-10-04T23:05:47.559828200Z'/><EventRecordID>3</EventRecordID><Correlation/><Execution ProcessID='11360' ThreadID='13740'/><Channel>OpenSSH/Operational</Channel><Computer>test-lab01.example.com</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='process'>sshd</Data><Data Name='payload'>Server listening on :: port 2222.</Data></EventData><RenderingInfo Culture='en-US'><Message>sshd: Server listening on :: port 2222.</Message><Level>Information</Level><Task></Task><Opcode>Info</Opcode><Channel></Channel><Provider></Provider><Keywords></Keywords></RenderingInfo></Event>

Configuring Osquery

Osquery features enables you to query the host for a wide variety of information using SQL query language. For details about osquery, see https://osquery.readthedocs.io/en/latest/.

The osquery framework is integrated into FortiSIEM GUI.

• You can run built-in osquery queries on demand by navigating to Resources > Reports > Osquery, selecting a report, and clicking Run.

• You can create your own osquery by navigating to Resources > Osquery and clicking New.

• You can schedule the osquery queries to run periodically. Events are generated when osqueries run. Then you can run osquery reports, or write correlation rules or built machine learning models, like any other event. Built-in osquery rules can be found by going to Resources > Rules and searching for "osquery".

• You can run osqueries during Incident Investigation.

Osquery framework is built-in to the Windows Agent. No configuration is needed.

On FortiSIEM side, if you wish to run specific osquery queries from Windows Agent(s), follow these steps:

1. Login to GUI.

2. Navigate to Admin > Setup > Windows Agent.

3. Under Windows Agent Monitor Templates, click New to create a Windows Agent Monitoring Template, or select an existing Windows Agent Monitoring Template, and click Edit.

   1. If creating a new Windows Agent Monitor Template, from the Generic tab, in the Name field, enter a name for the template.

   2. Click the Osquery tab.

   3. At the Osquery drop-down list, select an osquery.

   4. To add another osquery, click +, then make another osquery selection from the drop-down list.

   5. When done, click Save.

4. Under Host To Template Associations, click New to create an Host To Template Associations, or select an existing one and click Edit.

5. If creating a new Host To Template Associations, in the Name field, enter a name for this Host To Template Associations.

6. From the Host drop-down list, select the host(s).

7. At Template, attach the template to one or more hosts by selecting its checkbox, then click Save.

8. Under Host to Template Associations, click Apply.

For configuration information details, see Configuring Windows Agent.

Recommended Log Sources by Use Case

Use Case	Recommended Log Source	Sample Event Type
Logon Audit and Anomaly Detection	Windows Security Log
Account Management Audit	Windows Security Log
System Configuration Change Audit	Windows Security Log
Network Traffic Audit and Anomaly Detection	Windows Security Log
Service install	Windows System Log
Application errors	Windows Application Log
Process Activity Anomaly	Windows Sysmon
Registry Change Audit	Sysmon or Agent Registry Change
File Change Audit	Agent FIM
File Content Change Audit and validating against Golden Image	Agent FIM
File Activity Anomaly (UEBA) via Machine Learning	Agent UEBA
Installed Software Changes	Agent Install Software Change
Certificate Monitoring	Agent Certificate Monitoring
IP Address Assignment Audit	Agent DHCP Log
DNS Activity Audit and Anomaly Detection	Agent DNS Debug Log
Web Server Activity	Agent IIS Log
System Performance Monitoring	Agent Performance Monitoring
Getting information from host on demand (for threat hunting)	Agent osquery
Application Log Monitoring	Agent Userfile

Configuring Windows Event Forwarding

Using Windows Event Forwarding, it is possible for Windows Servers (called Event Source Computers) to forward events to a central Windows Server where FortiSIEM Windows Agent (called Event Collector Computer) is running. The Agent can then send to FortiSIEM Collector, Worker, and Supervisor nodes. This is an alternative to running FortiSIEM Agent on every Windows Server. FortiSIEM can parse the forwarded Windows events so that the actual reporting Windows Server is captured and all the attributes are parsed as sent by native agents.

The advantage of this approach is that you need fewer agents to deploy. However, this approach has the following disadvantages:

• Only Windows (Security, Application, and System) events can be collected in this way, while FortiSIEM native Agent can collect other information such as User Entity Behavior Monitoring, File Integrity Monitoring, Custom log, Sysmon, Install Software detection, Certificate Monitoring, etc...

• There is a limitation on the number of Event Source Computers that can forward events to a single Event Collector Computer. This depends on the number of events they generate and the hardware resources on the Event Collector Computer.

• Configure the Event Collector Computer
• Non-Domain Environments: Configure the Event Source Computer
• Domain Environments: Configure the Domain Controller

Configure the Event Collector Computer

You must complete the following steps on the Event Collector computer where the FSM Agent is installed:

1. Open a command prompt in an elevated privilege (for example,Run as Administrator…) and run this command to configure the Windows Remote Management (WinRM) service:

   winrm qc -q

2. Run this command to configure the Windows Event Collector service:

   wecutil qc /q

3. Copy and save the following XML in a file (Configuration.xml) and edit the values depending on your requirements or scenario.

   The XML configuration will grant the Domain Computers and Network Service accounts as the local event forwarder for the source computers. The XML configuration will contain the language locale, which is same as the Collector computer's language locale.

   <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">

   <SubscriptionId>FwdSubscription</SubscriptionId>

   <SubscriptionType>SourceInitiated</SubscriptionType>

   <Description>Source Initiated Subscription</Description>

   <Enabled>true</Enabled>

   <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

   <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->

   <ConfigurationMode>Custom</ConfigurationMode>

   <Delivery Mode="Push">

   <Batching>

   <MaxItems>1</MaxItems>

   <MaxLatencyTime>1000</MaxLatencyTime>

   </Batching>

   <PushSettings>

   <Heartbeat Interval="30000" />

   </PushSettings>

   </Delivery>

   <Expires>2025-01-01T00:00:00.000Z</Expires>

   <Query>

   <![CDATA[

   <QueryList>

   <Query Path="Security">

   <Select>*</Select>

   </Query>

   </QueryList>]]>

   </Query>

   <ReadExistingEvents>true</ReadExistingEvents>

   <TransportName>http</TransportName>

   <ContentFormat>RenderedText</ContentFormat>

   <Locale Language="en-US" />

   <LogFile>ForwardedEvents</LogFile>

   <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>

   <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>

   </Subscription>

4. From the Command Prompt, enter the following command to create the subscription according to the specified XML configuration file:

   wecutil cs Configuration.xml

5. From the Command Prompt, enter the following command to add an inbound and outbound exception in the firewall for port 5985 (http). This enables the Event Source Computer to connect to the Event Collector Computer.:

   netsh advfirewall firewall add rule name=“Winrm HTTP Remote Management” protocol=TCP dir=in localport=5985 action=allow
   

   netsh advfirewall firewall add rule name=“Winrm HTTP Remote Management” protocol=TCP dir=out remoteport=5985 action=allow

Non-Domain Environments: Configure Event Source Computer

You must complete these steps on the Event Source computer.

1. Open a Command Prompt in an elevated privilege (for example, Run as Administrator…) and run the following commands:
   

   net localgroup "Event log readers" "NT Authority\Network Service" /add
   winrm qc -q

2. From the command prompt, enter the following command to add an inbound and outbound exception in the firewall for port 5985 (http):
   

   netsh advfirewall firewall add rule name=“Winrm HTTP Remote Management” protocol=TCP dir=in localport=5985 action=allow	

   netsh advfirewall firewall add rule name=“Winrm HTTP Remote Management” protocol=TCP dir=out remoteport=5985 action=allow	

Now, run the local group policy editor to configure the subscription manager settings, by taking the following steps:

1. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Event Forwarding.

   

2. Open Configure target Subscription Manager.

   

   Choose the Enabled option.
3. Click the Show... button beside SubscriptionManagers.
4. Add the value Server=http://<Collector FQDN>:5985/wsman/SubscriptionManager/WEC to the list and click OK.

   

5. In the Configure target Subscription Manager dialog box, click Apply and then OK.
6. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service.

   

7. Open Turn On Compatibility HTTP Listener.
8. Choose the option Enabled.

   

9. Click Apply and then OK.
10. Close the local policy editor.

Domain Environments: Configure the Domain Controller

The following policy changes must be performed on the Domain Controller.

1. Run the domain group policy editor.
2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Event Forwarding.

   

3. Open Configure target Subscription Manager.

   

4. Choose the Enabled option.
5. Click the Show... button beside SubscriptionManagers.
6. Add the value Server=http://<Collector FQDN>:5985/wsman/SubscriptionManager/WEC to the list and click OK.

   

7. In the Configure target Subscription Manager dialog box, click Apply and then OK.
8. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service.

   

9. Open Turn On Compatibility HTTP Listener.
10. Choose the option Enabled.

    

11. Click Apply and then OK.
12. Close the group policy editor.
13. Start the Command Prompt in admin mode and run the following command:

    gpupdate /force

Configuring Auditing Policies

The following policy changes must be performed on the Domain Controller (for domain environments) or Source Computers (for non-domain environments).

• Configure Security Audit Logging Policy
• Configure File Auditing Policy
• Configure Audit File System Policy
• Disable Audit Token Right Adjusted Success Events

Configure Security Audit Logging Policy

Configure this policy to control Windows logging. Because Windows generates many security logs, specify the categories of events that you want to be logged and available for monitoring by FortiSIEM.

1. Log in to the machine where you want to configure the policy as an administrator.
2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand Local Policies and select Audit Policy.
   You will see the current security audit settings.
4. Select a policy and edit the Local Security Settings for the events you want to be audited. The recommended settings are:

Policy	Description	Settings
Audit account logon events and Audit logon events	For auditing log in activity.	Select Success and Failure.
Audit object access events	For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configuring File Auditing Policy.	Select Success and Failure.
Audit system events	Includes system up/down messages.

5. For an Enterprise Server's Domain Group Policy, make sure you set the following under Group Policy > Local Policies > Audit Policy:

   Policy = Audit object access

   Security Setting = Success or Failure

Configure File Auditing Policy

Configure this policy to see user meta data in file auditing events.

1. Log in to the machine where you want to set the policy with administrator privileges.
   On a domain computer, a Domain administrator account is needed.
2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties. By default, the General tab will be shown. Select the Security tab to continue.
3. In the Security tab, click Advanced.
   

   

4. Select the Auditing tab, and click Add, then click Select a principal.
   This button is labeled Edit in Windows 2008.
   

   

5. In the Select User or Group dialog, click Advanced, and find and select the users, or groups, whose access to this file you want to monitor. If you want to audit all users access to the audited folder, select Everyone as shown below.
   

   

6. Click OK after adding the users.
7. In the Permissions tab, set the permissions for each user added.
   

   The configuration is now complete. Windows will generate audit events when the users or groups you specified take the actions specified on the files or folders for which you set the audit policies.

Configure Audit File System Policy

Configure this policy to enable change events for permission and/or ownership changes to files and/or directories. The policy will also upload the monitored files to FortiSIEM.

Complete these steps to enable Audit File System policy:

1. Log in, with administrator privileges, to the machine where you want to set the policy.

   On a domain computer, you must have a Domain administrator account.

2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand the Advanced Audit Policy Configuration node.
4. Expand System Audit Policies-Local Group Policy Object node.

   You will see the current security audit settings.

5. Select Object Access.
6. Select Audit File System on the left side of the window.
7. Double-click Audit File System. In the pop-up window, select both Success and Failure under Configure the following audit events.
8. Click Apply, then OK.

   

The Audit File System Policy is now enabled. Reboot your system to apply the changes.

Disable Audit Token Right Adjusted Success Events

As per Microsoft, it is recommended to Disable "Success" auditing for "Audit Token Right Adjusted".

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703#security-monitoring-recommendations.

By enabling "Success Auditing" for Audit Token Right Adjusted (Detailed Tracking ), 800+ (4703) events can be generated in a second, resulting in this high volume event impacting system performance.

Complete these steps to disable "Success" for "Audit Token Right Adjusted".

1. Log in, with administrator privileges, to the machine where you want to set the policy.

   On a domain computer, you must have a Domain administrator account.

2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Detailed Tracking.
4. Go to the Detailed Tracking subcategory, and select Audit Token Right Adjusted.
5. Double click Audit Token Right Adjusted, select the Configure the following audit events: checkbox.
6. Uncheck the Success checkbox if needed to disable.
7. Click Apply.