AWS Windows Event

About the Device

Windows Server provides a stable and secure platform for managing network infrastructure, data storage, and application deployment. Key features include Active Directory for centralized user management, Group Policy for configuration consistency, and Hyper-V for virtualization. It supports a variety of server roles such as file server, web server, and domain controller, allowing organizations to tailor their server environment to meet specific requirements. With features like Remote Desktop Services, Windows Server facilitates remote access and administration. Additionally, it incorporates advanced security measures, such as Windows Defender and BitLocker, to safeguard data and systems. As a versatile and scalable solution, Windows Server plays a crucial role in powering the infrastructure of diverse businesses and enterprises.

Device Information

 Entity

Particulars

 Entity

Particulars

Vendor Name

Amazon Web Services

Product Name

Windows

Type of Device

Cloud

Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Data Source

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Data Source

Windows Event

 WINEVTLOG

 XML

C2C - Storage

https://cloud.google.com/chronicle/docs/reference/feed-management-api#amazon_sqs

Device Configuration

Pre-requisites

Below steps are specifically for EC2 Instance based Windows Deployments.

To Configure Unified CloudWatch Agent to fetch logs from the EC2 Windows instances

  1. Setup IAM instance profile roles for Systems Manager.

    1. Create IAM Role.

image-20240904-102721.png

b. Attach all the policies displayed in below image and save the Role.

 

image-20240904-102803.png

c. Attach the Role created to Windows EC2 server.

  1. To install Cloud Watch Agent on Windows server,

a. Navigate to AWS Systems Manager > Run Command 

b. Select AWS-ConfigureAWSPackage

c. In Command Parameter, in Name, enter AmazonCloudWatchAgent.

d. Select target Windows machine(s) where you want to install AWS CloudWatch Agent.

e. Scroll down and click on Run.

f. Once the command gets executed. Select the instance id and view the output. There should not be any error in output.

  1. Creating Configurations file and saving it to AWS Systems Parameter Store.

a. Login to the Instance which has been selected as the target for CloudWatchAgent installation in the previous step and verify the installation of the Agent in C:\Program Files\Amazon\AmazonCloudWatchAgent.

b. Open command prompt run amazon-cloudwatch-agent-config-wizard.exe file and provide parameters as shown in below screenshots.

c. Provide the response to every query asked on the config_wizard as shown in below screenshots.

In the below snapshots, the windows log name should be selected as Security, System and Application one after another to enable logging from all relevant Windows Channels. To accomplish this, you will need to perform the same steps from config_wizard to configure logging from these Channels. We have included all possible screenshots with all possible selections.

  1. Once done, the Systems Manager Parameter store can be checked for the newly created configuration file with the parameters provided as an input.

a. Navigate to AWS Systems Manager > Parameter Store

b. Copy the newly created Parameter Store name.

  1. Start the Agent while pointing to the configuration file using AWS Systems Manager.

a. In order to start the newly configured Cloud Watch Agents on the instances, we need to use Run Command.

b. Navigate to AWS Systems Manager > Run Command

c. Navigate to next Page and search for the specific Command using the search box.

d. Search for "AmazonCloudWatch-ManageAgent".

e. Specify the name of newly created Parameter Store Configuration file.

f. Select target (EC2 Windows Machine) where you want run the command and click Run.

g. For Other Parameters, use default Values (i.e., timeout time is 600 Seconds by default).

h. Retain default values for Rate Control.

i. Since we're not currently sending any events to the S3 bucket, please leave it unchecked.

j. SNS notifications are not currently enabled. Once they are enabled, you can configure them with the SNS details. For now, please keep it unchecked.

k. The AWS Command Line Interface command has not been modified and is using the default value.

l. After completing above configurations, click RUN > Systems manager will start the CloudWatch Agent on the instance and the log Flow will start.

 

  1. Navigate to CloudWatch > Logs to see the logs getting collected. The newly created Log Groups will automatically be created once the logs are getting shipped through the instance by the agents.

Configure continuous export of CloudWatch Logs to S3 bucket

Once you are done creating CloudWatch Log Groups, kindly follow below guide to automate continuous export of logs from CloudWatch Log group to S3 bucket using lambda.

AWSMSWIN: Cloudwatch Log Group to S3 Bucket Export Automation using Lambda

 Configure SQS

Once you followed the above guide and the continuous export of logs are available in the S3 bucket then we need to create SQS and attach it with S3. Kindly follow the below guide.

Configuring AWS Simple Queue Service (SQS) with S3 Storage

Important Links:

Integration Parameters

SQS

Parameter

Default Value

Description

Parameter

Default Value

Description

REGION

N/A

Select the region of your S3 bucket

QUEUE NAME

N/A

The SQS queue name.

ACCOUNT NUMBER

N/A

The account number for the SQS queue and S3 bucket.

QUEUE ACCESS KEY ID

N/A

This is the 20 character ID associated with your Amazon IAM account.

QUEUE SECRET ACCESS KEY

N/A

This is the 40 character access key associated with your Amazon IAM account.

SOURCE DELETION OPTION

N/A

Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are:

  • SOURCE_DELETION_NEVER: Never delete files from the source.

  • SOURCE_DELETION_ON_SUCCESS:Delete files and empty directories from the source after successful ingestion.

  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY:Delete files from the source after successful ingestion.

S3 BUCKET ACCESS KEY ID

No

This is the 20 character ID associated with your Amazon IAM account. Only specify if using a different access key for the S3 bucket.

S3 BUCKET SECRET ACCESS KEY

No

This is the 40 character access key associated with your Amazon IAM account. Only specify if using a different access key for the S3 bucket.

ASSET NAMESPACE

No

To assign an asset namespace to all events that are ingested from a particular feed, set the "namespace" field within details. The namespace field is a string.

 

 



About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.