SIEM Design – Filtering Windows Events

A SIEM solution accepts logs from a wide variety of log sources including network security appliances, Linux systems and often windows domain joined systems to name a few. SIEM solutions are designed to analyse these logs and look for patterns and or suspicious behaviour that may indicate a security incident that could impact your business. Windows systems have many log files with each log entry given a unique ‘Event ID’. SIEM vendors will often state that SIEM systems need to have all Windows Event Id’s from all windows systems sent so that they won’t miss anything. This naturally, plays on the client’s wish to not to be in the position that their SIEM system was found to be missing events when it matters. This idea of ‘sending all logs and all Event logs ID with in a log file’ into a SIEM solution has negative effects for the SIEM customer though.

Firstly, it creates a large volume of ‘noise events’ which makes finding events relating to a possible attack more difficult as both the analyst and the SIEM system has to wade through this ‘noise’. Secondly, it has an impact on the performance of the system and other aspects such as the disk space required to hold logs for systems as well as the network bandwidth needed to transport the logs. Thirdly, this has a financial impact on the customer as the majority of SIEM systems are priced and sized systems based on Events Per Second (EPS), this means that this ‘sending all’ philosophy benefits the SIEM vendor as the system will cost more compared sending only a filtered set of events within certain log files. So, if you are looking at a SIEM solution, ask you vendor this question “Does your solution support filtering of windows Event log by ID?”.

“How many events do we actually need and from which log files?” Well, there is an interesting conference paper that suggests you only need six event id’s, however there are approximately 418 security events according to Microsoft that are part of the security log alone. This means that there is a balance that must be struck to maintain visibility for security events.

At Defence Logic, we have conducted research that shows that 187 Windows Event ID’s across all windows log files will give us the visibility we need to detect and protect windows systems allowing a business to respond to a security incident. Next, we need to understand how to send these filtered events into a SIEM solution.

The next part of our journey was to find a method that allows us to ship just the events that we need. We looked at several options, but eventually choose to use NXLog.

NxLog offers a flexible method (called XPATH queries) to query windows log specific Windows Event Id’s and then transport them to our SIEM solution. These queries may also be used with other SIEM solutions, if the vendor supports them.

How to filter events in Event Viewer

Let’s look at how to filter events on windows by starting event viewer.
Suppose, we want to filter Windows Event Id’s 1102 and 4720 to 4728 in the security log. In event viewer we select the ‘Security Log’ and then click on ‘Create Custom View’ in the right hand pane.

Now click on the XML tab and copy the text as shown below:

				
					<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=1102 or  (EventID &gt;= 4720 and EventID &lt;= 4728) )]]</Select>
  </Query>
</QueryList>
				
			

This is the XPATH query that we need to insert into the Input section of an NXLog configuration file.

				
					<Input in>
   Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>
				
			

Let’s modify it with our security XPATH query from above.

				
					<Input in>
   Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                          <Select Path="Security">*[System[(EventID=1102 or  (EventID &gt;= 4720 and EventID &lt;= 4728) )]]</Select>\
                    </Query>\
                </QueryList>
</Input>

				
			

As we can see, we have now selected eight events compared to the 418 possible events!!!

For a good primer on what events id’s are recommended, please read the NSA’s paper called ”Spotting the Adversary”.

Happy windows event filtering.