Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Windows Defender Configuration

Overview

We are providing you with the steps to integrate your Microsoft Defender with Seceon SIEM so you can have comprehensive visibility and proactive threat detection in your environment. A log transfer between your firewall and APE (Analytics and Policy Engine) via CCE (Collection and Control Engine) will occur. In this document, we are guiding you through the steps for Log and NetFlow's forwarding.

Steps Of Configuration

NXLOG is used to process the collected information and send it to the OTM CCE.

  • Login on collector/AD computer.

  • Download the latest version of nxlog. It is easiest to choose the Windows msi file which includes an installer. Use the link below:

    http://nxlog.org/products/nxlog-community-edition/download     

  • Open the Nxlog configuration file at:

        C:\Program Files (x86)\nxlog\conf\nxlog.conf

Replace the entire configuration file by pasting the following Below – Note to replace the variable (IP Address of CCE) with the actual Seceon Server IP address:

## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. define ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog #define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _json> Module xm_json </Extension> define aisiem \ 1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18,19, 20, 21, 104, 258, 259, 260, \ 261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539,\ 540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644,\ 645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689,\ 690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100, \ 7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \ 4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \ 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \ 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \ 4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \ 4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \ 4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \ 5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004 <Input in> Module im_msvistalog Query <QueryList>\ <Query Id="0">\ <Select Path="Security">* </Select>\ <Select Path="Application">* </Select>\ <Select Path="Setup">* </Select>\ <Select Path="System">* </Select>\ <Select Path="Microsoft-Windows-Windows Defender/Operational">* </Select>\ </Query>\ </QueryList> <Exec> if ($EventID NOT IN (%aisiem%)) drop(); </Exec> </Input> <Output out> Module om_udp Host CCE_IP_ADDRESS Port 5154 Exec to_json(); </Output> <Route 1> Path in => out </Route>
  • Restart nxlog from services or type the following at an elevated command prompt: 

net stop nxlog

 net start nxlog

Verification of Configuration

Verification can be done either from CCE Server or from UI.

Using UI

STEP 1: Log in to UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Using CCE Server

“sudo tcpdump -i any host 514 (for logs) and 9995 (for flows) and host <IP address> -AAA” command should be running on the CCE server to check whether or not we are getting logs.

 

Seceon Inc. All rights reserved. https://www.seceon.com