Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

About The Device

Microsoft Windows Defender Antivirus is a built-in antimalware solution that provides protection for desktops, portable computers, and servers. It operates as an Endpoint Protection Platform (EPP) alongside Windows Firewall, Device Guard, and other security technologies in Windows 10. Windows Defender Antivirus makes extensive use of Microsoft's cloud-based detection, advanced real-time heuristics, and integrated reputation-based identification of files, URLs, and emails.

Device Information

 Entity

Particulars

Vendor Name

Microsoft 

Product Name

Windows Defender Antivirus

Type of Device

Hosted

Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Windows Defender AV

WINDOWS_DEFENDER_AV

NXLog = JSON over Syslog

CyberHub

Port Requirements

Source

Destination

Port

Microsoft Windows Defender AV

CyberHub

6514 (TCP)

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

Prerequisite

  1. Generate certificate on CyberHub using the following steps.

    1. Go to support user mode by executing following command "su - support" on CyberHub terminal and choose “option 29 - Manage the TLS certificates".

    2. Choose “option 2 - View EA Server TLS certificate" and this will print Private Key and Certificate content on console.

    3. Copy certificate from the console output to a file and save it.
      Note:- Here you should copy and paste content from ----BEGIN CERTIFICATE---- to ----END CERTIFICATE---- .

  2. Despite Windows Defender AV being automatically enabled in Windows Servers by default, it is essential to verify that it remains activated.

To Configure NXLog Agent for log forwarding

  1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

  2. Navigate to services.msc and stop the nxlog service.

  3. Go to the folder "C:\Program Files\nxlog\data" and delete the file "configcache.dat" if it present.

  4. Navigate to the installed location "C:\Program Files\nxlog\conf." Rename the attached file to "nxlog.conf" and copy it into this folder.

  5. Replace the placeholder "CyberHub IP" with the actual CyberHub IP in the nxlog.conf file.

  6. Copy the previously created certificate file on Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against "CAFile" on line number 53.

  7. Now, start the nxlog service from services.msc.

  8. NXLog agent logs will be available at the location "C:\Program Files\nxlog\data\nxlog.log".

  9. The log flow should work, and you can check it using tcpdump with the command "tcpdump -AA port 6514"

Integration Parameters

Parameters required from customer for Integration.

Property

Default Value

Description

IP Address

Microsoft Windows Defender AV interface IP address

Hostname or IP address of the device which forwards logs to the CyberHub.

  • No labels