Windows Agent
Pre-requisites
- Server has outbound internet access to .soc.foxtech.cloud on TCP 1514-1515
Audit Log Configuration
Windows needs to be configured to log important events so that DEFEND can pick them up. The Microsoft Security Baseline is a reasonable configuration.
This can be downloaded here
The download includes GPO templates that can be imported, plus HTML exports that show the required configuration.
Deploying the whole baseline is good for security, but it can have a functional impact on an existing configuration. However, the audit log configuration is low risk and should be deployed throughout to ensure sufficient events are being logged.
Of the baseline policies, those in the following sections are the ones relevant to logging:
- Windows Settings > Security Settings > Advanced Audit Configuration
- Windows Components > Windows PowerShell
Sysmon configuration
To get the best visibility, we recommend installing Sysmon with the SwiftOnSecurity ruleset found at the link below. This provides additional audit events to the Windows Event Log that are useful for detecting suspicious behaviour.
This is always a compromise between generating excessive events and missing important activity. We recommend testing this on lower-risk servers for a time before rolling it out more widely, in case we need to tune the ruleset to exclude something particularly prevalent in your environment. (AV products are the most likely to require specific exclusions to be created.)
For the starting ruleset and how to install, see:
Installation
Extract the provided install package, for example into c:\temp
Run the following command as an administrator:
Install_windows.cmd
Start the Windows system service "Wazuh"
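As an added example (not part of the vendor's install package or this page), the PowerShell below runs the pre-flight checks this page implies, the three install steps above, and a final service check from an elevated prompt. The collector host name, the package file name Agent.zip and the install directory are placeholders; the service name "Wazuh" is taken from this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Placeholders: collector host, package name, install dir.
$Collector   = 'REPLACE-ME.soc.foxtech.cloud'   # placeholder for your tenant's collector
$PackageZip  = 'C:\temp\Agent.zip'               # hypothetical package file name
$InstallDir  = 'C:\temp\wazuh-agent'             # assumed extraction directory
$ServiceName = 'Wazuh'                           # service name as given on this page

# 1. Pre-requisite: outbound connectivity to the collector on TCP 1514-1515.
foreach ($port in 1514, 1515) {
    $r = Test-NetConnection -ComputerName $Collector -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) {
        throw "No outbound TCP connectivity to ${Collector}:$port; fix egress rules before installing."
    }
}

# 2. Audit sources the agent will forward: warn if any are not producing events yet.
#    Sysmon operational log must exist and contain at least one event.
$sysmon = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $sysmon) { Write-Warning 'No Sysmon events found; install Sysmon with the recommended ruleset.' }

#    PowerShell script block logging (baseline: Windows Components > Windows PowerShell).
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
if ($sbl.EnableScriptBlockLogging -ne 1) { Write-Warning 'PowerShell script block logging is not enabled.' }

#    Advanced audit policy spot-check: the Logon subcategory should not be "No Auditing".
$logon = auditpol /get /subcategory:"Logon" | Out-String
if ($logon -match 'No Auditing') { Write-Warning 'Advanced audit policy for Logon is not configured.' }

# 3. Install steps from this page: extract, run Install_windows.cmd, start the service.
Expand-Archive -Path $PackageZip -DestinationPath $InstallDir -Force
Push-Location $InstallDir
try { & '.\Install_windows.cmd' } finally { Pop-Location }
Start-Service -Name $ServiceName

# 4. Confirm the agent service is actually running before declaring success.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') { throw "Service '$ServiceName' is $($svc.Status), not Running." }
Write-Output "Agent service '$ServiceName' is running; check the DEFEND console for the new agent."
```

The warnings in step 2 do not stop the install; they flag hosts where the baseline or Sysmon rollout has not landed yet, which is where missing events are most often traced back to.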