Windows - Cloud Security Monitoring and Analytics - OpenTelemetry
Windows - Cloud Security Monitoring and Analytics - OpenTelemetry is a unified log app that ingests distribution of Windows data to Sumo Logic via OpenTelemetry filelog receiver. The app's preconfigured dashboards provide insight into user accounts, login activity, and Windows updates.
Fields created in Sumo Logic for Windows
The following tag will be created as part of Windows app installation, if not already present.
sumo.datasource. Has a fixed value of windows.host.group. User configured tag which signifies a group of hosts for the operating system.deployment.environment. User configured tag which identifies the environment where the windows system resides. For example: dev, prod or qa.
Log types
The Windows app assumes events are coming from the Windows Event Log receiver in JSON format. It does not work with third party logs.
Standard Windows event channels include:
- Security
- System
Collection configuration and app installation
- You can skip this section if you have already set up the logs collection through Windows PCI or Windows or Active Directory app installation. Additional collection is not required as the logs used by this app are already ingested into Sumo Logic.
As part of data collection setup and app installation, you can select the App from App Catalog and click on Install App. Follow the steps below.
Step 1: Set up Collector
If you want to use an existing OpenTelemetry Collector, you can skip this step by selecting the Use an existing Collector option.
To create a new Collector:
- Select the Add a new Collector option.
- Select the platform where you want to install the Sumo Logic OpenTelemetry Collector.
This will generate a command that you can execute in the machine environment you need to monitor. Once executed, it will install the Sumo Logic OpenTelemetry Collector.
Step 2: Configure integration
In this step, you will configure the YAML file required for Windows event logs and metrics Collection.
Any custom fields can be tagged along with the data in this step.
Once the details are filled in, click on the Download YAML File button to get the yaml file.
Step 3: Send logs to Sumo Logic
Once you have downloaded the yaml file as described in the previous step, follow the below steps based on your platform.
- Windows
- Chef
- Ansible
- Puppet
- Copy the yaml file to
C:\ProgramData\Sumo Logic\OpenTelemetry Collector\config\conf.dfolder in the machine that needs to be monitored. - Restart the collector using:
Restart-Service -Name OtelcolSumo
- Copy the yaml file into your Chef cookbook files directory
files/<downloaded_yaml_file>. - Use a Chef file resource in a recipe to manage it.
cookbook_file '/etc/otelcol-sumo/conf.d/<downloaded_yaml_file>' do mode 0644 notifies :restart, 'service[otelcol-sumo]', :delayed end - Add the recipe to your collector setup to start collecting the data. Every team typically has their established way of applying the Chef recipe. The resulting Chef recipe should look something like:
cookbook_file '/etc/otelcol-sumo/conf.d/<downloaded_yaml_file>' do
mode 0644
notifies :restart, 'service[otelcol-sumo]', :delayed
end
- Place the file into your Ansible playbook files directory.
- Run the Ansible playbook.
ansible-playbook -i inventory install_sumologic_otel_collector.yaml
-e '{"installation_token": "<YOUR_TOKEN>", "collector_tags": {<YOUR_TAGS>}, "src_config_path": "files/conf.d"}'
- Place the file into your Puppet module files directory
modules/install_otel_collector/files/<downloaded_yaml>. - Use a Puppet file resource to manage it.
file { '/etc/otelcol-sumo/conf.d/<downloaded_yaml_file>':
ensure => present,
source => 'puppet:///modules/install_otel_collector/<downloaded_yaml_file>',
mode => '0644',
notify => Service[otelcol-sumo],
} - Apply the Puppet manifest. Every team typically has their established way of applying the Puppet manifest. The resulting Puppet manifest should look something like:
node 'default' {
class { 'install_otel_collector'
installation_token => '<YOUR_TOKEN>',
collector_tags => { <YOUR_TAGS> },
}
service { 'otelcol-sumo':
provider => 'systemd',
ensure => running,
enable => true,
require => Class['install_otel_collector'],
}
file { '/etc/otelcol-sumo/conf.d/<downloaded_yaml_file>':
ensure => present,
source => 'puppet:///modules/install_otel_collector/<downloaded_yaml_file>',
mode => '0644',
notify => Service[otelcol-sumo],
}
}
After successfully executing the above command, Sumo Logic will start receiving data from your host machine.
Click Next. This will install the app (dashboards and monitors) to your Sumo Logic Org.
Dashboard panels will start to fill automatically. It's important to note that each panel fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but within 20 minutes, you'll see full graphs and maps.
Sample log messages
{
"record_id":161812,
"channel":"Security",
"event_data":{
"WorkstationName":"-",
"TargetDomainName":"",
"SubjectUserSid":"S-1-0-0",
"LogonProcessName":"NtLmSsp ",
"TargetUserName":"ADMINISTRATOR",
"TargetUserSid":"S-1-0-0",
"IpAddress":"3.137.149.192",
"ProcessId":"0x0",
"KeyLength":"0",
"ProcessName":"-",
"SubjectUserName":"-",
"LogonType":"3",
"TransmittedServices":"-",
"FailureReason":"%%2313",
"SubjectLogonId":"0x0",
"IpPort":"0",
"AuthenticationPackageName":"NTLM",
"Status":"0xc000006d",
"LmPackageName":"-",
"SubStatus":"0xc000006a",
"SubjectDomainName":"-"
},
"task":"Logon",
"provider":{
"name":"Microsoft-Windows-Security-Auditing",
"guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}",
"event_source":""
},
"system_time":"2023-07-11T14:14:51.1731050Z",
"computer":"EC2AMAZ-V57A85N",
"opcode":"Info",
"keywords":[
"Audit Failure"
],
"details":{
"Account For Which Logon Failed":{
"Security ID":"S-1-0-0",
"Account Name":"ADMINISTRATOR",
"Account Domain":"-"
},
"Network Information":{
"Workstation Name":"-",
"Source Network Address":"3.137.149.192",
"Source Port":"0"
},
"Failure Information":{
"Failure Reason":"Unknown user name or bad password.",
"Status":"0xC000006D",
"Sub Status":"0xC000006A"
},
"Detailed Authentication Information":{
"Transited Services":"-",
"Key Length":"0",
"Logon Process":"NtLmSsp",
"Authentication Package":"NTLM",
"Package Name (NTLM only)":"-"
},
"Subject":{
"Security ID":"S-1-0-0",
"Account Name":"-",
"Account Domain":"-",
"Logon ID":"0x0"
},
"Process Information":{
"Caller Process ID":"0x0",
"Caller Process Name":"-"
},
"Logon Type":"3",
"Additional Context":[
"This event is generated when a logon request fails. It is generated on the computer where access was attempted.",
"The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.",
"The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).",
"The Process Information fields indicate which account and process on the system requested the logon.",
"The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.",
"The authentication information fields provide detailed information about this specific logon request.",
"- Transited services indicate which intermediate services have participated in this logon request.",
"- Package name indicates which sub-protocol was used among the NTLM protocols.",
"- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
]
},
"message":"An account failed to log on.",
"event_id":{
"qualifiers":0,
"id":4625
},
"level":"Information"
}
Sample queries
This sample log query is from the Windows - Security Analytics - User Account Changes dashboard > Failed Logins Summary panel.
sumo.datasource=windows "Microsoft-Windows-Security-Auditing" ("4770" OR "4771" OR "4772" OR "4776" OR "4777" OR "4768" OR "4769" OR "4820" OR "4625" OR "4624" OR "4647" OR "4778" OR "4779" OR "4800" OR "4801" OR "4802" OR "4803") "Audit Failure" * * * * *
| json "channel", "provider", "event_id", "computer","task","keywords","event_data","message" as Channel, Provider, EventID, Computer, Task, Keywords, Event_Data, Message nodrop
| json field=EventID "qualifiers","id" as qualifiers, EventID
| json field=Provider "guid","event_source","name" as Guid, EventSource,Provider
| where Channel = "Security"
| where provider = "Microsoft-Windows-Security-Auditing"
| where EventID in ("4770", "4771", "4772", "4776", "4776", "4768", "4769", "4820", "4625", "4624", "4647", "4778", "4779", "4800", "4801", "4802","4803")
| where EventID matches "{{EventID}}"
| where Keywords matches "*Audit Failure*"
| where Computer matches "{{Computer}}"
| json field=Event_Data "TargetDomainName","TargetUserName", "SubjectDomainName", "SubjectUserName", "IpAddress", "LogonType" as TargetDomainName, TargetUserName, SubjectDomainName, SubjectUserName, IpAddress, LogonType nodrop
| where !(TargetUserName matches "*$")
| replace(IpAddress, "::ffff:", "") as IpAddress
| formatDate(_messageTime, "yyyy-MM-dd hh:mm:ss") as date
| format("%s/%s", SubjectDomainName, SubjectUserName) as subject
| format("%s/%s", TargetDomainName, TargetUserName) as target
| parse field=Message "*\n" as message nodrop
| where subject matches "{{{Subject}}}"
| where target matches "{{{Target}}}"
| where IpAddress matches "{{{IpAddress}}}"
| timeslice 1h
| count as Total _timeslice
| order by _timeslice
Viewing Windows - Cloud Security Monitoring and Analytics dashboards
All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.
- You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
- If required, configure the refresh interval rate for a dashboard or panel by clicking the drop-down arrow next to the refresh icon.
- Click the funnel icon in the dashboard top menu bar to filter dashboard with Template Variables.
Default Accounts Usage
The Windows - Security Analytics - Default Accounts Usage dashboard displays analytics of default account usage including Administrator, Guest, System, and Root accounts.
TLS Certificates and Secure Channels
The Windows - Security Analytics - TLS Certificates and Secure Channels dashboard provides security analytics on TLS and Schannel events.
User Account Changes
The Windows - Security Analytics - User Account Changes dashboard provides analytics on user account changes and events.
User Authentication
The Windows - Security Analytics - User Authentication dashboard provides security analytics on successful and failed account logins.
User Group Updates
The Windows - Security Analytics - User Group Updates dashboard provides security analytics on user group updates.
Windows Defender
The Windows - Security Analytics - User Authentication dashboard provides security analytics on Windows Defender events.
Windows Firewall
The Windows - Security Analytics - Windows Firewall dashboard provides security analytics on Windows Firewall events.
Windows Updates
The Windows - Security Analytics - Windows Updates dashboard provides security Windows Updates events.
Critical Events
The WWindows - Security Monitoring - Critical Events dashboard provides analysis of critical security events related to services stopped, audit logs tampered, and logging ingestion delays.
Inventory
The Windows - Security Monitoring - Inventory dashboard helps you to monitor windows events provided by computer, channel, and provider. This dashboard also provides additional information on computer reboots.
