
Monitor Windows security events with Centreon & NsClient++

If you don’t have a SIEM yet, you can start monitoring some Windows security events with Centreon & NsClient++. We’ll use the cheat sheet Top Windows events you should monitor to help us create the desired services :)

Prerequisites

You need to have the following already in place :

  • a Centreon server
  • NsClient++ deployed on the Windows servers to monitor (your Active Directory domain controllers and file servers)
  • Security audit policy events enabled (see the first section of the blog post Top Windows events you should monitor)
  • Centreon Plugin Packs, with the following plugin activated :

Some useful events to monitor

Account Lockout

Really useful to see whether a bruteforce (or password spraying) attack is in progress on your domain. In a domain, lockouts are processed by the PDC emulator, so that is the domain controller on which 4740 is logged: monitor it there.

Configure the service as follows (the macros below map onto the arguments of the NsClient++ check_eventlog query) :

Macro configuration :

File : Specify the Windows event log to read (Security, for all the examples below)

Filter : Enter the source and the event ID; for our example :

source like 'Microsoft-Windows-Security-Auditing' AND id = 4740

TOPSYNTAX : The message that will be displayed :

The status is: ${status}: with ${count} entries matching the ID the last 1H Log message: "${list}"

Warning & Critical : Choose the values you want ;) after looking at what a normal hour looks like on your domain controller.

EXTRAOPTIONS : I like to set a scan-range value, so that only the most recent log entries are examined. Set the scan-range in accordance with the “Check Interval” of the Centreon service (here 1 hour, to match the “last 1H” of the TOPSYNTAX) : a range shorter than the interval silently skips events, a longer one counts the same events twice.
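To cross-check what the Centreon service reports, the following PowerShell script reproduces the same 4740 check locally on the PDC emulator: same provider and event ID filter, same 1-hour window, a ${list} built from the locked account and the caller computer, and Nagios-style exit codes. This is an added example, not code from the original post or from Centreon/NsClient++; the warning/critical thresholds are assumptions to adjust to your domain.

```powershell
# Added example, not part of the original post: reproduce the NSClient++ 4740 check
# locally with Get-WinEvent so the Centreon result can be cross-checked on the host.
# Lockouts are processed by the PDC emulator, so run it there, as administrator.
# The window and thresholds are assumptions; match them to the Centreon service.
param(
    [int]$ScanRangeMinutes = 60,   # same window as EXTRAOPTIONS scan-range=-1h
    [int]$Warning  = 1,            # assumed: a single lockout per hour already warns
    [int]$Critical = 5             # assumed: five or more looks like a spray/bruteforce
)

function Get-EventField {
    param($Event, [string]$Name)
    # Pull a named EventData field out of the event XML (position-independent)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Equivalent of the FILTER macro: source like 'Microsoft-Windows-Security-Auditing' AND id = 4740
$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4740
    StartTime    = (Get-Date).AddMinutes(-$ScanRangeMinutes)
}
# Get-WinEvent raises an error when nothing matches; treat that as zero events
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$count  = $events.Count

# ${list} equivalent: locked account and the computer the failed attempts came from
# (in a 4740 event the "Caller Computer Name" is carried in the TargetDomainName field)
$list = $events | ForEach-Object {
    '{0} (from {1})' -f (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'TargetDomainName')
}

# Nagios/Centreon exit codes: 0 OK, 1 WARNING, 2 CRITICAL
if     ($count -ge $Critical) { $status = 'CRITICAL'; $exit = 2 }
elseif ($count -ge $Warning)  { $status = 'WARNING';  $exit = 1 }
else                          { $status = 'OK';       $exit = 0 }

"The status is: ${status}: with ${count} entries matching the ID the last $ScanRangeMinutes min Log message: ""$($list -join ', ')"""
exit $exit
```

Run it on the PDC emulator right after a deliberate lockout of a test account: the count and the account name it prints should match what the Centreon service shows once its check interval has elapsed. If the script sees the event and Centreon does not, the scan-range or the FILE macro is the first thing to check.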

File Access

In this example, we’ll keep track of the number of file modifications made by a user to detect whether an infection is underway. Users add/change/remove files, but the number of changes made by one user in a short amount of time (say 5 minutes) is generally small, whereas ransomware rewrites hundreds of files in that time.

Thus, to detect an infection, we will count the number of file modifications (event 4663) and trigger an action of your choice (send an alert, disable the sharing services …) to limit the damage of the ransomware. Note that 4663 is only generated when the “File System” audit subcategory is enabled and the monitored folders carry a SACL (auditing entries); without both, this check will always report 0.

The configuration is similar to the first config :

Macro configuration :

File : Specify the Windows event log to read (Security)

Filter : Enter the source and the event ID; for our example :

source like 'Microsoft-Windows-Security-Auditing' AND id = 4663

TOPSYNTAX : The message that will be displayed :

The status is: ${status}: with ${count} entries matching the ID the last 5 mins

EXTRAOPTIONS : Set a scan-range of 5 minutes.

scan-range=-5m

Warning & Critical : Before setting these thresholds, monitor file access for a while to learn the min/avg/max values of normal usage.
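The script below, an added example that is not part of the original post, does the two things a practitioner needs before this service is useful: it enables the audit subcategory and puts a write/delete SACL on the share so that 4663 events actually appear, then counts the last 5 minutes of 4663 events per user rather than globally, since a ransomware process shows up as one account touching hundreds of files while everybody else stays at a handful. The share path, the per-user thresholds and the “Everyone” audit scope are assumptions to adapt to your file server.

```powershell
# Added example, not part of the original post: make sure 4663 is generated for the
# share, then count modifications per user over the last 5 minutes.
# Run as administrator on the file server. Path and thresholds are assumptions.
$Share    = 'D:\Shares\Data'       # assumed share path
$Window   = 5                      # minutes, same as scan-range=-5m
$Warning  = 200                    # assumed per-user thresholds, set from your baseline
$Critical = 500

# (a) Audit subcategory (set locally here; in a domain, prefer the GPO setting)
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# (b) SACL: audit successful writes/deletes by everyone, inherited by files and subfolders.
#     Reads are deliberately not audited: they would flood the log and are not the signal.
$acl  = Get-Acl -Path $Share -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Share -AclObject $acl

function Get-EventField {
    param($Event, [string]$Name)
    # Pull a named EventData field out of the event XML (position-independent)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Same filter as the NSClient++ check, restricted to the last 5 minutes
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id = 4663; StartTime = (Get-Date).AddMinutes(-$Window)
} -ErrorAction SilentlyContinue)

# Group by user, keeping only objects under the share: one account with hundreds of
# modifications in 5 minutes is the ransomware signature the page is after
$perUser = $events |
    Where-Object { (Get-EventField $_ 'ObjectName') -like "$Share*" } |
    Group-Object { Get-EventField $_ 'SubjectUserName' } |
    Sort-Object Count -Descending

# Thresholds apply to the busiest user, not to the global count
$worst  = $perUser | Select-Object -First 1
$status = 'OK'; $exit = 0
if ($worst) {
    if     ($worst.Count -ge $Critical) { $status = 'CRITICAL'; $exit = 2 }
    elseif ($worst.Count -ge $Warning)  { $status = 'WARNING';  $exit = 1 }
}
$summary = ($perUser | ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ', '
"The status is: ${status}: $($events.Count) entries (4663) in the last $Window min, per user: $summary"
exit $exit
```

Leave the SACL in place and run only the counting half on a schedule for a week: the per-user numbers it prints are the min/avg/max baseline the Warning & Critical macros should be derived from. Remember that the NsClient++ check on the page counts all 4663 events, so its thresholds must be set against the global total, not the per-user figure.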

User Added to privileged group

This is another event I monitor :) to track new privileged users. Note that 4728 covers additions to security-enabled global groups (such as Domain Admins); additions to domain-local groups such as Administrators are logged as 4732, and additions to universal groups such as Enterprise Admins or Schema Admins as 4756, so you may want a service for each.

The configuration is again the same :)

Macro configuration :

File : Specify the Windows event log to read (Security)

Filter : Enter the source and the event ID; for our example :

source like 'Microsoft-Windows-Security-Auditing' AND id = 4728

TOPSYNTAX : The message that will be displayed :

The status is: ${status}: with ${count} entries matching the ID the last 1 hour

EXTRAOPTIONS : Set a scan-range of 1 hour.

scan-range=-1h

Warning & Critical : 0 & 1, so that a single addition already raises an alert
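As an added example (not part of the original post), the following PowerShell script widens the check to the three group types (4728 global, 4732 domain-local, 4756 universal), keeps only additions to a watchlist of privileged groups, and reports who added which account to which group. The watchlist, the 1-hour window and the reading of the 0/1 thresholds as “more than” are assumptions; run it on a domain controller.

```powershell
# Added example, not part of the original post: 4728 only covers security-enabled
# *global* groups (e.g. Domain Admins). Administrators is a domain-local group (4732)
# and Enterprise/Schema Admins are universal groups (4756), so all three IDs are needed.
# The watchlist and the 1-hour window are assumptions; run on a domain controller.
$Watchlist = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators')   # assumed list

function Get-EventField {
    param($Event, [string]$Name)
    # Pull a named EventData field out of the event XML (position-independent)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# NSClient++ equivalent for the FILTER macro:
#   source like 'Microsoft-Windows-Security-Auditing' AND (id = 4728 OR id = 4732 OR id = 4756)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue)

# Keep only additions to groups on the watchlist, and record who made the change
$hits = foreach ($e in $events) {
    $group = Get-EventField $e 'TargetUserName'     # the group that was modified
    if ($Watchlist -contains $group) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Group  = $group
            Member = Get-EventField $e 'MemberName'       # DN of the added account
            By     = Get-EventField $e 'SubjectUserName'  # account that made the change
        }
    }
}
$hits = @($hits)

# Warning 0 / Critical 1 as in the Centreon service, read here as "more than":
# any addition warns, two or more in an hour is critical
if     ($hits.Count -gt 1) { $status = 'CRITICAL'; $exit = 2 }
elseif ($hits.Count -gt 0) { $status = 'WARNING';  $exit = 1 }
else                       { $status = 'OK';       $exit = 0 }

$list = ($hits | ForEach-Object { '{0} added {1} to {2}' -f $_.By, $_.Member, $_.Group }) -join '; '
"The status is: ${status}: with $($hits.Count) privileged group additions the last 1 hour Log message: ""$list"""
exit $exit
```

The filter string in the comment can be pasted into the FILTER macro if you prefer a single Centreon service for all three IDs; the ${list} in the TOPSYNTAX will then show the raw messages, while the script above extracts the group, the member and the author so the alert is actionable without opening the event viewer.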

Conclusion

With Centreon & NsClient++ you can easily monitor Windows security events. Check my last blog post Top Windows events you should monitor to have all the event IDs you can use.

About Alexandre Nogard