Basic setup required
You will need:
- At least one Windows event collecting server.
- Winlogbeat Agent installed on each Windows event collecting server.
- Windows event logging set up on all permanently-networked Windows machines.
- Firewall: Open firewall rules to allow the WEC server to talk to the AARNet SOC SIEM.
- Public IP Address: Dedicate these to sending logs to the AARNet SOC SIEM.
Different setup for mobile devices
For endpoints – like laptops, tablets, and mobile phones – that aren’t always connected to your organisation’s network, AARNet recommends a different event logging approach.
We recommend capturing data from mobile endpoints (including staff laptops) using an Endpoint Detection and Response (EDR) system rather than Windows event logging. Windows hosts that are disconnected from the WEC server will send their events once they connect, and these events are seen in the AARNet SIEM as being created at that time. This delay in event collection causes incorrect information to be fed into our analytics models, therefore we do not recommend collecting using WEC/WEF for mobile devices.
To correctly identify session start and end times, Exabeam needs to receive Windows security events from domain controllers.
AARNet recommends building a WEC server in your non-production/test environment to test and validate the collection method before replicating in your production environment.
Points to keep in mind
When setting up a WEC server, it’s important that event messages not be duplicated. To avoid this, ensure that each machine is sending event logs to a single WEC only. Most customers have deployed a dedicated WEC server for each domain - for example, development, test, and production.
Domain Controllers generate a comparatively large number of event log messages. Consider adding a dedicated WEC for each DC on your network.
Windows audit policies control which events are logged. Configure Windows audit policies to meet Exabeam detection use case requirements and the ACSC’s guidance on Windows forensic logging.
We recommend adding these Windows audit policies to your configuration: