If you don't have any SIEM yet, you can start monitoring some Windows security events with Centreon & NsClient++. We'll use the cheat sheet Top Windows events you should monitor to help us create the desired services :)
Prerequisites
You need to have the following already in place :
- a Centreon Server
- NsClient++ deployed on the Windows servers you want to watch (here, your AD and file servers)
- the audit policy that produces the Security log events enabled (see the first section of the blog post Top Windows events you should monitor; without it the events below are never written)
- Centreon Plugin Packs with the following plugin activated :

Some useful events to monitor
Account Lockout
Really useful to see if a brute-force attack is in progress on your domain. Event 4740 is written on the domain controllers, not on the machine where the failed logons came from, so this service has to point at a DC.

Configure the service as follows :

Macro configuration :
File : Specify the Windows Event log file (Security, for these events)

Filter : Enter the source & the Event ID, for our example :
source like 'Microsoft-Windows-Security-Auditing' AND id = 4740
TOPSYNTAX : It's how the message will be displayed :
The status is: ${status}: with ${count} entries matching the ID the last 1H Log message:"${list}"
Warning & Critical : Choose the values you want ;)
EXTRAOPTIONS : I like to set a scan-range value so that only the most recent entries are counted. The scan-range must match the "Check Interval" of the Centreon service (scan-range=-1h for a check every hour): a shorter range misses events that fall between two checks, a longer one reports the same events several times.
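To validate the filter and the scan-range before creating the Centreon service, the same check_eventlog query can be run locally on the domain controller. The script below is an added example and not code from the original post: it assembles the four macros above into NSClient++ arguments, runs them through the nscp client CLI (its invocation follows the NSClient++ documentation and should be checked against the installed version), and cross-checks the count with Get-WinEvent over the same window. The install path, the 60-minute check interval and the warning/critical values are assumptions.

```powershell
# Added example, not part of the original post: run the Account Lockout
# service's check_eventlog query locally on the domain controller before
# creating the Centreon service, so the filter and the scan-range can be
# validated against what the Security log really contains.
# Assumptions: NSClient++ is installed in its default path, the nscp client
# syntax matches the installed version, and the Centreon "Check Interval" of
# the service is 60 minutes.
$Nscp             = 'C:\Program Files\NSClient++\nscp.exe'
$CheckIntervalMin = 60
$ScanRange        = "-$($CheckIntervalMin)m"   # must cover exactly one check interval

# The four macros of the Centreon service, as NSClient++ arguments
$File      = 'Security'
$Filter    = "source like 'Microsoft-Windows-Security-Auditing' and id = 4740"
$Warning   = 'count > 0'    # any lockout is worth a look
$Critical  = 'count > 5'    # several in one interval looks like a spraying attempt
# Single quotes keep ${status}/${count}/${list} literal for NSClient++ to expand
$TopSyntax = 'The status is: ${status}: with ${count} entries matching the ID the last 1H Log message:"${list}"'

& $Nscp client --module CheckEventLog --query check_eventlog `
    "file=$File" `
    "filter=$Filter" `
    "warn=$Warning" `
    "crit=$Critical" `
    "scan-range=$ScanRange" `
    "top-syntax=$TopSyntax"

# Independent count over the same window with Get-WinEvent (needs an elevated
# session to read the Security log); the two numbers should agree.
$Since    = (Get-Date).AddMinutes(-$CheckIntervalMin)
$Lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue
"Get-WinEvent: $(@($Lockouts).Count) lockout event(s) since $($Since.ToString('u'))"
foreach ($e in $Lockouts) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    # In 4740, TargetUserName is the locked account and TargetDomainName the caller computer
    '  {0:u}  {1} locked out from {2}' -f $e.TimeCreated, $d['TargetUserName'], $d['TargetDomainName']
}
```

If the NSClient++ count and the Get-WinEvent count differ, the usual causes are a scan-range that does not match the check interval or a filter that does not match the source name exactly.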
File Access
In this example we'll track the number of file modifications made by a user to detect whether an infection (typically ransomware) is underway. Users add, change and remove files, but the number of changes a single user makes in a short time (say 5 minutes) is normally small.
So, to detect an infection, we count the number of file access events (event 4663) and trigger an action of your choice (send an alert, disable the sharing service ...) to limit the damage of the ransomware. Two things to keep in mind: 4663 is only written when "Audit File System" is enabled and the shares carry a SACL, and the check counts every 4663 event in the window whichever user caused it, so the thresholds have to be set from the server-wide rate.

The configuration is similar to the first one :

Macro configuration :
File : Specify the Windows Event log file (Security)

Filter : Enter the source & the Event ID, for our example :
source like 'Microsoft-Windows-Security-Auditing' AND id = 4663
TOPSYNTAX : It's how the message will be displayed :
The status is: ${status}: with ${count} entries matching the ID the last 5 mins
EXTRAOPTIONS : Set a scan-range of 5 minutes (and a 5-minute Check Interval to go with it).
scan-range=-5m
Warning & Critical : Before setting these, monitor file access on the server for a while to learn the min/avg/max values of normal usage; the thresholds must sit above the peaks a legitimate user reaches, otherwise the action fires on an ordinary bulk copy.
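The baseline this asks for can be built from the Security log itself. The script below is an added example, not code from the original post: it replays the retained 4663 events in 5-minute windows (the scan-range of the service), reports min/avg/max events per window, which is what the check compares against its thresholds, and lists the busiest user/window pairs so that a legitimate peak is visible. The 7-day look-back and the window size are assumptions; the audit policy and SACLs must already be in place.

```powershell
# Added example, not part of the original post: build the baseline the File
# Access service needs by replaying the last 7 days of 4663 events in
# 5-minute windows (the scan-range of the service) and reporting min/avg/max
# of events per window, overall and for the busiest single users.
# Assumptions: run elevated on the file server, "Audit File System" and a SACL
# on the shares are in place so that 4663 is actually written, and the
# Security log still retains 7 days (shorten $Days on a busy server).
$Days       = 7
$WindowMins = 5
$Since      = (Get-Date).AddDays(-$Days)

$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue

$PerWindow = @{}   # window start -> events from every user (what the check counts)
$PerUser   = @{}   # "user|window start" -> events from that user
foreach ($e in $Events) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $t      = $e.TimeCreated
    # Align the timestamp to the start of its 5-minute window
    $window = $t.Date.AddMinutes([math]::Floor(($t.Hour * 60 + $t.Minute) / $WindowMins) * $WindowMins)
    $wkey   = $window.ToString('yyyy-MM-dd HH:mm')
    $ukey   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])|$wkey"
    $PerWindow[$wkey] = [int]$PerWindow[$wkey] + 1
    $PerUser[$ukey]   = [int]$PerUser[$ukey] + 1
}

if ($PerWindow.Count -eq 0) {
    Write-Warning "No 4663 events since $Since. Check the audit policy and the SACLs before setting thresholds."
    return
}

$s = $PerWindow.Values | Measure-Object -Minimum -Average -Maximum
"4663 events per $WindowMins-minute window, last $Days days (windows with activity only):"
"  min={0}  avg={1:N1}  max={2}" -f $s.Minimum, $s.Average, $s.Maximum
"Starting point: Warning above the observed max, Critical several times higher."

"Busiest user/window pairs:"
$PerUser.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10 |
    ForEach-Object { "  {0,-60} {1,6}" -f $_.Key, $_.Value }
```

Windows with no activity are not counted, so the minimum is the quietest active window, not zero. Re-run the baseline after changing what is audited (new SACLs, new shares), since that changes the event rate without any change in user behaviour.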
User Added to privileged group
This is another event I like to monitor :) to keep track of new privileged users. Event 4728 is logged when a member is added to a security-enabled global group (Domain Admins, for instance); local groups such as Administrators log 4732 and universal groups such as Enterprise Admins or Schema Admins log 4756, so add those IDs to the filter if you want to cover them too. The event is written on the domain controller that processed the change, so the service has to run against each DC (or against a server that collects their logs).

The configuration is again the same :)

Macro configuration :
File : Specify the Windows Event log file (Security)

Filter : Enter the source & the Event ID, for our example :
source like 'Microsoft-Windows-Security-Auditing' AND id = 4728
TOPSYNTAX : It's how the message will be displayed :
The status is: ${status}: with ${count} entries matching the ID the last 1 hour
EXTRAOPTIONS : Set a scan-range of 1 hour.
scan-range=-1h
Warning & Critical : 0 & 1, so that a single addition in the last hour already raises an alert. Members are not added to privileged groups by accident, so there is no normal usage to baseline here.
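As an added example (not code from the original post), the script below does the same one-hour look-back in PowerShell, but goes beyond the 4728-only filter of the service: it reads 4728, 4732 and 4756 together, extracts who added whom to which group from the event data, keeps only a list of privileged groups, and exits with a Nagios-style code so it could also be run through NSClient++ as an external script. The group list and the thresholds (0 & 1, as in the service) are assumptions to adapt to your domain.

```powershell
# Added example, not part of the original post: a one-hour check for members
# added to privileged groups that covers global (4728), local (4732) and
# universal (4756) groups, prints who added whom to which group, and returns
# a Nagios-style exit code (0 OK, 1 WARNING, 2 CRITICAL).
# Assumptions: run elevated on a domain controller; the group list below is
# illustrative; Warning/Critical follow the "0 & 1" of the Centreon service.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')
$Warning  = 0
$Critical = 1
$Since    = (Get-Date).AddHours(-1)

$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue

# One line per addition to a privileged group; TargetUserName is the group,
# MemberName the added account (DN), SubjectUserName who made the change.
$Hits = foreach ($e in $Events) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($PrivilegedGroups -contains $d['TargetUserName']) {
        '{0:u}  {1}\{2} added {3} to {4} (event {5})' -f $e.TimeCreated, $d['SubjectDomainName'], $d['SubjectUserName'], $d['MemberName'], $d['TargetUserName'], $e.Id
    }
}

$Count = @($Hits).Count
if ($Count -gt $Critical)    { $Status = 'CRITICAL'; $Code = 2 }
elseif ($Count -gt $Warning) { $Status = 'WARNING';  $Code = 1 }
else                         { $Status = 'OK';       $Code = 0 }

"The status is: ${Status}: with ${Count} privileged group addition(s) the last 1 hour"
$Hits | ForEach-Object { "  $_" }
exit $Code
```

Because each DC only logs the changes it processed itself, run this against every domain controller, or against the collector if you forward their Security logs.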
Conclusion
With Centreon & NsClient++ you can easily monitor Windows security events. Check my last blog post Top Windows events you should monitor for all the Event IDs you can use.