SOLVED

Stale security event / Windows firewall reporting


Wondering if anyone has a solution they are happy with for monitoring stale security events and Windows firewall logs. Not heartbeats or latest general response, but the specific event/log collections, to assure active collection from both sources. Could do something like "If a recent heartbeat was received in the last "x" time, but no security or firewall events were collected (separately) within "y" time, then report the computer." Not sure how best to address normal computer downtime when monitoring PCs. If a PC has been off all weekend, then it would likely trigger a false alarm Monday morning due to the log ingestion delay. Could extend "y" to be longer than the normal PC downtime scenarios, but wondered if anyone already had a more elegant solution in place? Thx!

1 Reply
Solution

Hi @g_mac, it is a very common issue with monitoring systems, not just security. Endpoint inactivity tends to be variable. I think that the way to tackle that is to start from the response process, i.e., what will you do if you don't get events from an endpoint for a day? Probably nothing.


Therefore, I would suggest setting up a fixed time period after which you start getting "worried" and check things. A week? Two weeks? A rule that fires if events have not been observed for that period would be a good solution. You can have a playbook triggered that asks the user if things are OK and closes the incident automatically if they confirm.


Lastly, you will probably need a whitelist that will prevent triggering on known unresponsive computers. We will publish a blog on how to do that shortly.
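One way to implement the rule both posts describe (recent heartbeat, nothing from each watched table within the stale period, judged per table, plus a whitelist of known-quiet machines) over constructed sample data. This is an added Python example, not code from either post; the table names Heartbeat, SecurityEvent and WindowsFirewall follow the Log Analytics tables a Sentinel workspace holds, while the computer names, timestamps and thresholds are made up.

```python
from datetime import datetime, timedelta

# Constructed "Monday morning" reference time and sample collection records.
# Each record: (computer, table, timestamp of an ingested row).
NOW = datetime(2020, 1, 6, 9, 0)
m, h, d = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)
FRIDAY_EVENING = datetime(2020, 1, 3, 17, 0)
RECORDS = [
    ("WS01", "Heartbeat", NOW - 5 * m), ("WS01", "SecurityEvent", NOW - 10 * m),
    ("WS01", "WindowsFirewall", NOW - 8 * m),                 # healthy
    ("WS02", "Heartbeat", NOW - 5 * m), ("WS02", "SecurityEvent", NOW - 3 * d),
    ("WS02", "WindowsFirewall", NOW - 10 * m),                # security feed stale
    ("WS03", "Heartbeat", NOW - 5 * m),                       # never sent either table
    ("WS04", "Heartbeat", NOW - 3 * d), ("WS04", "SecurityEvent", NOW - 3 * d),
    ("WS04", "WindowsFirewall", NOW - 3 * d),                 # powered off, not a stale source
    ("WS05", "Heartbeat", NOW - 2 * m), ("WS05", "SecurityEvent", FRIDAY_EVENING),
    ("WS05", "WindowsFirewall", FRIDAY_EVENING),              # off all weekend, just booted
    ("KIOSK01", "Heartbeat", NOW - 5 * m),                    # known quiet, to be whitelisted
]
WATCHED = ("SecurityEvent", "WindowsFirewall")


def last_seen(records):
    """Collapse rows to {computer: {table: latest timestamp}}."""
    latest = {}
    for computer, table, ts in records:
        per = latest.setdefault(computer, {})
        if table not in per or ts > per[table]:
            per[table] = ts
    return latest


def stale_collection(records, now, heartbeat_window, stale_after, whitelist=frozenset()):
    """Report computers that are alive (heartbeat within heartbeat_window) yet have sent
    nothing from a watched table within stale_after. Each table is judged separately,
    so a dead firewall log is reported even while security events still flow."""
    report = {}
    for computer, per in last_seen(records).items():
        if computer in whitelist:
            continue
        hb = per.get("Heartbeat")
        if hb is None or now - hb > heartbeat_window:
            continue  # agent down or machine off: a different alert, not a stale source
        stale = [t for t in WATCHED if t not in per or now - per[t] > stale_after]
        if stale:
            report[computer] = stale
    return report


if __name__ == "__main__":
    print(stale_collection(RECORDS, NOW, h, h))                        # short y: weekend false alarm
    print(stale_collection(RECORDS, NOW, h, 7 * d, {"KIOSK01"}))      # long y plus whitelist
```

With a one-hour stale period the run flags WS05, the machine that was off all weekend and has only just booted, which is exactly the Monday-morning false alarm the question describes; with a one-week period and KIOSK01 whitelisted, only WS03, which has never delivered either table, remains.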