About The Device
Microsoft Windows Defender Antivirus is a built-in antimalware solution that provides protection for desktops, portable computers, and servers. It operates as an Endpoint Protection Platform (EPP) alongside Windows Firewall, Device Guard, and other security technologies in Windows 10. Windows Defender Antivirus makes extensive use of Microsoft's cloud-based detection, advanced real-time heuristics, and integrated reputation-based identification of files, URLs, and emails.
Device Information
Entity | Particulars |
---|---|
Vendor Name | Microsoft |
Product Name | Windows Defender Antivirus |
Type of Device | Hosted |
Collection Method
Log Type | Ingestion label | Preferred Logging Protocol - Format | Log Collection Method |
---|---|---|---|
Windows Defender AV | WINDOWS_DEFENDER_AV | NXLog = JSON over Syslog | CyberHub |
Port Requirements
Source | Destination | Port |
---|---|---|
Microsoft Windows Defender AV | CyberHub | 6514 (TCP) |
To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.
While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.
In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.
Device Configuration
Prerequisite
Generate certificate on CyberHub using the following steps.
Go to support user mode by executing following command
"su - support"
on CyberHub terminal and choose“option 29 - Manage the TLS certificates"
.Choose
“option 2 - View EA Server TLS certificate"
and this will print Private Key and Certificate content on console.Copy certificate from the console output to a file and save it.
Note:- Here you should copy and paste content from----BEGIN CERTIFICATE----
to----END CERTIFICATE----
.
Despite Windows Defender AV being automatically enabled in Windows Servers by default, it is essential to verify that it remains activated.
To Configure NXLog Agent for log forwarding
Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.
Navigate to
services.msc
and stop the nxlog service.Go to the folder
"C:\Program Files\nxlog\data"
and delete the file"configcache.dat"
if it present.Navigate to the installed location
"C:\Program Files\nxlog\conf."
Rename the attached file to"nxlog.conf"
and copy it into this folder.Replace the placeholder
"CyberHub IP"
with the actual CyberHub IP in the nxlog.conf file.Copy the previously created certificate file on Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against "CAFile" on line number 53.
Now, start the nxlog service from services.msc.
NXLog agent logs will be available at the location
"C:\Program Files\nxlog\data\nxlog.log"
.The log flow should work, and you can check it using tcpdump with the command
"tcpdump -AA port 6514"
Integration Parameters
Parameters required from customer for Integration.
Property | Default Value | Description |
---|---|---|
IP Address | Microsoft Windows Defender AV interface IP address | Hostname or IP address of the device which forwards logs to the CyberHub. |