Group Policy Configuration
Each Windows endpoint needs to know which subscription manager to talk to so that it can retrieve the subscription information we've configured and, ultimately, forward the desired events. The easiest way to get this information out to our endpoints is through group policy. The settings we are interested in are located under Computer Configuration/Policies/Administrative Templates/Windows Components/Event Forwarding. We want to Enable the setting called Configure target Subscription Manager and specify the server we want the endpoints to talk to. In our case, we used three separate Group Policy Objects to accomplish this, since we have three groups of systems that each reside within a particular OU of Active Directory (client computers, servers, and Domain Controllers).
It's important to note that the syntax required for the SubscriptionManagers setting is Server= and not just the hostname.
The GPOs are all very similar, but they point to different event collectors. Again, we're using azurebox1 for Domain Controllers, azurebox2 for Windows servers, and azurebox3 for client computers. Once you have this configured and saved, Windows will process the information according to its normal group policy update cycle and then attempt to connect to the specified subscription manager, read the configuration that has been set, and send events as prescribed.
Another group of relevant settings that we enabled through group policy has to do with enhanced PowerShell logging. Including enhanced PowerShell logging in your forwarded events is one of the most important steps you will take in this entire process as this can grant you invaluable insight into malicious activity occurring on your endpoints. FireEye has a great article on this subject, which you can read here - https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html. While we have only chosen to enable Module Logging and Script Block Logging, a third option is to enable Transcription as well. For the time being, we've decided that the other two settings give us enough visibility, but you can read about the potential benefits of transcription in the referenced article.
The settings we're interested in are located under Computer Configuration/Policies/Administrative Templates/Windows Components/Windows PowerShell. We want to Enable the settings Turn on Module Logging and Turn on PowerShell Script Block Logging. For module logging, you must also specify the names of the modules that you want to log. In our case, we don't want to limit this, so we entered an asterisk, which tells the system that we want logs from all modules. A secondary option for script block logging is to enable script block invocation start/stop events. While these events do not contain the actual code that is being run, they can provide you with more information on when certain commands were started and stopped.
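As an added example (not part of the original wiki), here is a PowerShell function you can run on an endpoint after gpupdate to confirm that the GPOs described above actually applied: it reads the policy registry values that the Configure target Subscription Manager, Turn on Module Logging and Turn on PowerShell Script Block Logging settings write, and flags any subscription manager entry that lacks the Server= prefix. The registry paths are the standard policy locations; the Compliant rule at the end encodes this page's chosen configuration and is an assumption you can adjust.

```powershell
# Added example (not from the original wiki): audit one endpoint's effective
# policy registry values to confirm the WEF subscription manager and enhanced
# PowerShell logging GPOs applied. Run as an administrator after gpupdate /force.
function Test-WefLoggingPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
    $wef  = Join-Path $base 'EventLog\EventForwarding\SubscriptionManager'
    $ps   = Join-Path $base 'PowerShell'
    # Properties that Get-ItemProperty adds itself; they are not registry values.
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Subscription manager entries are string values named 1, 2, 3, ... under the key.
    $managers = @()
    if (Test-Path $wef) {
        $managers = @((Get-ItemProperty -Path $wef).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }
    # Each entry must be written as "Server=<url>", not a bare hostname.
    $badSyntax = @($managers | Where-Object { $_ -notmatch '^Server=' })

    $moduleLogging = (Get-ItemProperty -Path "$ps\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
    # Module names to log are stored as value names under ModuleNames; "*" means all modules.
    $modules = @()
    if (Test-Path "$ps\ModuleLogging\ModuleNames") {
        $modules = @((Get-ItemProperty -Path "$ps\ModuleLogging\ModuleNames").PSObject.Properties |
            Where-Object { $_.Name -notin $psProps } | ForEach-Object { $_.Name })
    }
    $sbl = Get-ItemProperty -Path "$ps\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $transcription = (Get-ItemProperty -Path "$ps\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        SubscriptionManagers        = $managers
        ManagersMissingServerPrefix = $badSyntax
        ModuleLogging               = $moduleLogging
        AllModulesLogged            = ($modules -contains '*')
        ScriptBlockLogging          = ($sbl.EnableScriptBlockLogging -eq 1)
        InvocationLogging           = ($sbl.EnableScriptBlockInvocationLogging -eq 1)
        Transcription               = $transcription
        # Assumed target state: at least one well-formed collector entry, module
        # logging for all modules, and script block logging (transcription optional).
        Compliant                   = ($managers.Count -gt 0 -and $badSyntax.Count -eq 0 -and
                                       $moduleLogging -and ($modules -contains '*') -and
                                       ($sbl.EnableScriptBlockLogging -eq 1))
    }
}

Test-WefLoggingPolicy | Format-List
```

Run it through Invoke-Command against a sample of machines from each OU to spot endpoints that have not picked up the policy or that point at the wrong collector.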
Remember, friends don't let friends configure Windows Event Forwarding without including enhanced PowerShell logging.