Versions Compared

Old Version 4

changes.mady.by.user Aparna Rr

Saved on

compared with

New Version 5

changes.mady.by.user Aparna Rr

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Windows Defender AV

WINDOWS_DEFENDER_AV

NXLog = JSON over Syslog

CyberHub

Port Requirements

Source

Destination

Port

Windows Microsoft Windows Defender AV

CyberHub

6514 (TCP)

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

Device Configuration

Pre-requisite While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

Prerequisite

  1. Generate certificate on CyberHub using the following steps.

    1. Go to support user mode by executing following command "su - support" on CyberHub terminal and choose “option 29 - Manage the TLS certificates".

    2. Choose “option 2 - View EA Server TLS certificate" and this will print Private Key and Certificate content on console.

    3. Copy certificate from the console output to a file and save it.
      Note:- Here you should copy and paste content from ----BEGIN CERTIFICATE---- to ----END CERTIFICATE---- .

  2. Despite Windows Defender AV being automatically enabled in Windows Servers by default, it is essential to verify that it remains activated.

...

To Configure NXLog Agent for log forwarding

  1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

  2. Navigate to services.msc and stop the nxlog service.

  3. Go to the folder "C:\Program Files\nxlog\data" and delete the file "configcache.dat" if it present.

  4. Navigate to the installed location "C:\Program Files\nxlog\conf." Rename the attached

    View file
    nameNXLog.conf
    file to "nxlog.conf" and copy it into this folder.

  5. Replace the placeholder "CyberHub IP" with the actual CyberHub IP in the nxlog.conf file.

  6. Copy the previously created certificate file on Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against "CAFile" on line number 53.

  7. Now, start the nxlog service from services.msc.

  8. NXLog agent logs will be available at the location "C:\Program Files\nxlog\data\nxlog.log".

  9. The log flow should work, and you can check it using tcpdump with the command "tcpdump -AA port 6514"

...

Property

Default Value

Description

IP Address

Windows Microsoft Windows Defender AV interface IP address

Hostname or IP address of the device which forwards logs to the CyberHub.