Cortex XDR - Windows Event per collect tool
9994
Created On 01/19/21 08:28 AM - Last Modified 04/23/24 00:17 AM
Question
Which events are collected by each tool?
Environment
- XDR agent - Utilizing Endpoint Detection and Response (EDR) data collection
- Broker VM (BVM) - Windows Event Collector applet (WEC)
- Windows Active Directory
Answer
Broker VM WEC applet - event IDs list:
| Event category | Event Description | Event ID |
|---|---|---|
| Security | Kerberos authentication protocol | 4768 |
| Security | Kerberos service ticket request | 4769 |
| Security | Kerberos service ticket renew | 4770 |
| Security | Kerberos pre-authentication failed | 4771 |
| Security | The computer attempted to validate the credentials for an account | 4776 |
| Security | An account was successfully logged on | 4624 |
| Security | An account was successfully logged off | 4634 |
| Security | A logon was attempted using explicit credentials | 4648 |
| Security | Special privileges assigned to new logon | 4672 |
| Security | A user account was created | 4720 |
| Security | A user account was enabled | 4722 |
| Security | An attempt was made to change an account's password | 4723 |
| Security | An attempt was made to reset an account's password | 4724 |
| Security | A user account was disabled | 4725 |
| Security | A user account was deleted | 4726 |
| Security | A user account was changed | 4738 |
| Security | A user account was locked out | 4740 |
| Security | A user account was unlocked | 4767 |
| Security | The ACL was set on accounts which are members of administrators groups | 4780 |
| Security | The name of an account was changed | 4781 |
| Security | An attempt was made to set the Directory Services Restore Mode administrator password | 4794 |
Important Notes:
- By default, the WEC applet collects the event IDs listed above. To collect all events, navigate to the Configuration > Data Broker > BrokerVM > WEC config page and select all the sources.
- The WEC configuration in Cortex XDR should be aligned with the domain controller's audit configuration, so that the event IDs selected for collection are actually generated by the DC.
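One way to verify that alignment from the domain controller side, as an added example that is not part of the article or of the Cortex XDR product: the script below takes the default WEC event ID list from the table above, checks whether each ID has appeared in the DC's Security log within a lookback window, and for any ID that is absent prints the audit policy subcategories that produce those IDs. It assumes an elevated PowerShell session on the DC; the 24-hour window and the ID-to-subcategory grouping are assumptions made for this example.

```powershell
# Added example (not from the Cortex XDR article): check that a DC's Security log
# actually contains each event ID the Broker VM WEC applet collects by default.
# Assumes it is run in an elevated PowerShell session on the domain controller.
# The event ID list is copied from the article's table.
$WecDefaultEventIds = @(
    4768, 4769, 4770, 4771, 4776,          # Kerberos AS/TGS operations, NTLM credential validation
    4624, 4634, 4648, 4672,                # logon, logoff, explicit credentials, special privileges
    4720, 4722, 4723, 4724, 4725, 4726,    # account lifecycle
    4738, 4740, 4767, 4780, 4781, 4794     # account changes, lockout/unlock, admin ACL, rename, DSRM
)

$LookbackHours = 24   # assumption: a busy DC logs most listed IDs well within a day
$Since = (Get-Date).AddHours(-$LookbackHours)

$report = foreach ($id in $WecDefaultEventIds) {
    # -MaxEvents 1 keeps each query cheap. Get-WinEvent raises a non-terminating
    # "No events were found" error when nothing matches, so suppress it and test for $null.
    $hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id; StartTime = $Since } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EventId   = $id
        LastSeen  = if ($hit) { $hit.TimeCreated } else { $null }
        Status    = if ($hit) { 'present' } else { 'MISSING' }
    }
}

$report | Format-Table -AutoSize

# A MISSING row means either the event did not occur in the window (4794, for example,
# is rare) or the DC's advanced audit policy is not enabled for the subcategory that
# produces it. Show the relevant subcategories so the policy can be compared with the
# WEC source selection in Cortex XDR.
$missing = $report | Where-Object Status -eq 'MISSING'
if ($missing) {
    "`nEvent IDs with no occurrences in the last $LookbackHours h: $($missing.EventId -join ', ')"
    "Audit policy for the subcategories that produce the listed IDs:"
    # Mapping used here (assumed for this example):
    #   4768, 4771        -> Kerberos Authentication Service
    #   4769, 4770        -> Kerberos Service Ticket Operations
    #   4776              -> Credential Validation
    #   4624, 4648        -> Logon
    #   4634              -> Logoff
    #   4672              -> Special Logon
    #   4720-4794 (rest)  -> User Account Management
    $subcategories = 'Kerberos Authentication Service,Kerberos Service Ticket Operations,' +
                     'Credential Validation,Logon,Logoff,Special Logon,User Account Management'
    & auditpol /get "/subcategory:$subcategories"
}
```

Run it on each domain controller that forwards to the Broker VM; a subcategory showing "No Auditing" for an ID that is selected in the WEC configuration means Cortex XDR is subscribed to an event the DC will never emit, which is the misalignment the note above warns about.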