Cortex XDR-Windows Event Collection

The document discusses the Windows events collected by the Cortex XDR Broker VM Windows Event Collector (WEC) and XDR agent, including security events like logins, firewall changes, and more. The WEC collects over 40 different security, DNS, and other events while the agent collects additional application crash, PowerShell, and other operational events. Together these provide comprehensive visibility into endpoint activity for detection and investigation.

3/21/22, 10:45 PM https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCQHCA4
Cortex XDR - Windows Event per collect tool
Created On 01/19/21 08:28 AM - Last Modified 03/17/22 04:19 AM

Cortex XDR

Question 204
Which events are collected by each tool?

Environment
XDR agent - Utilizing Endpoint Detection and Response (EDR) data collection
Broker VM (BVM) - Windows Event Collector applet (WEC)
Windows Active Directory

Answer
Below is the list of events collected by the Broker VM WEC:
| Event category | Event Description | Event ID |
|---|---|---|
| Security | Kerberos authentication protocol | 4768 |
| Security | Kerberos service ticket request | 4769 |
| Security | Kerberos service ticket renew | 4770 |
| Security | Kerberos pre-authentication failed | 4771 |
| Security | The computer attempted to validate the credentials for an account | 4776 |
| Security | An account was successfully logged on | 4624 |
| Security | An account was successfully logged off | 4634 |
| Security | A logon was attempted using explicit credentials | 4648 |
| Security | Special privileges assigned to new logon | 4672 |
| Security | A user account was created | 4720 |
| Security | A user account was enabled | 4722 |
| Security | An attempt was made to change an account's password | 4723 |
| Security | An attempt was made to reset an account's password | 4724 |
| Security | A user account was disabled | 4725 |
| Security | A user account was deleted | 4726 |
| Security | A user account was changed | 4738 |
| Security | A user account was locked out | 4740 |
| Security | A user account was unlocked | 4767 |
| Security | The ACL was set on accounts which are members of administrators groups | 4780 |
| Security | The name of an account was changed | 4781 |
| Security | An attempt was made to set the Directory Services Restore Mode administrator password | 4794 |

Most of the events are collected by the EDR data collection (list below):
| Event category | Event Name | Event ID | Event Description |
|---|---|---|---|
| Application | Microsoft-Windows-User Profiles Service | 1511, 1518 | User logging on with temporary profile (1511), Cannot create profile using temporary profile (1518) |
| Application | Application Error | 1000 | Application crash/hang events, similar to WER/1001. These include full path to faulting EXE/Module |
| Application | Application Hang | 1002 | Application crash/hang events, similar to WER/1001. These include full path to faulting EXE/Module |
| Microsoft-Windows-CAPI2/Operational | | 11, 70, 90 | CAPI events Build Chain (11), Private Key accessed (70), X509 object (90) |
| Microsoft-Windows-DNS-Client/Operational | | 3008 | DNS Query Completed (3008) without local machine resolution events and without empty name resolution events |
| Microsoft-Windows-DriverFrameworks-UserMode/Operational | | 2004 | Detect User-Mode drivers loaded - for potential Bad USB detection |
| Microsoft-Windows-PowerShell/Operational | | 4103, 4104, 4105, 4106 | PowerShell execute block activity (4103), Remote Command (4104), Start Command (4105), Stop Command (4106) |
| Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 106, 129, 141, 142, 200, 201 | |
| Microsoft-Windows-TerminalServices-RDPClient/Operational | | 1024 | Log attempted TS connect to remote server |
| Microsoft-Windows-Windows Defender/Operational | | 1006, 1009 | Modern Windows Defender event provider Detection events (1006 and 1009) |
| Microsoft-Windows-Windows Defender/Operational | | 1116, 1119 | Modern Windows Defender event provider Detection events (1116 and 1119) |
| Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | 2004, 2005, 2006, 2009, 2033 | Windows Firewall With Advanced Security Local Modifications (Levels 0, 2, 4) |
| Security | | 4698, 4702 | |
| Security | | 4778, 4779 | TS Session reconnect (4778), TS Session disconnect (4779) |
| Security | | 5140 | Network share object access without IPC$ and Netlogon shares |
| Security | | 5140, 5142, 5144, 5145 | Network Share create (5142), Network Share Delete (5144), A network share object was checked to see whether client can be granted desired access (5145), Network share object access (5140) |
| Security | | 4616 | System Time Change (4616) |
| Security | | 4624 | Local logons without network or service events |
| Security | | 1100, 1102 | Security Log cleared events (1102), EventLog Service shutdown (1100) |
| Security | | 4647 | User initiated logoff |
| Security | | 4634 | User logoff for all non-network logon sessions |
| Security | | 4624 | Service logon events if the user account isn't LocalSystem, NetworkService, LocalService |
| Security | | 5142, 5144 | Network Share create (5142), Network Share Delete (5144) |
| Security | | 4688 | Process Create (4688) |
| Security | Microsoft-Windows-Eventlog | | Event log service events specific to Security channel |
| Security | | 4672 | Special Privileges (Admin-equivalent Access) assigned to new logon, excluding LocalSystem |
| Security | | 4732 | New user added to local security group |
| Security | | 4728 | New user added to global security group |
| Security | | 4756 | New user added to universal security group |
| Security | | 4733 | User removed from local Administrators group |
| Security | | 4886, 4887, 4888 | Certificate Services received certificate request (4886), Approved and Certificate issued (4887), Denied request (4888) |
| Security | | 4720, 4722, 4725, 4726 | New User Account Created (4720), User Account Enabled (4722), User Account Disabled (4725), User Account Deleted (4726) |
| Security | | 4624 | Network logon events |
| Security | | 4880, 4881, 4896, 4898 | CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted (4896), CA Template loaded (4898) |
| Security | | 4634 | Logoff events - for Network Logon events |
| Security | | 6272, 6280 | RRAS events - only generated on Microsoft IAS server |
| Security | | 4689 | Process Terminate (4689) |
| Security | | 4648, 4776 | Local credential authentication events (4776), Logon with explicit credentials (4648) |
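Both lists above name a channel and a set of event IDs, but the collector can only forward what the host actually writes. The PowerShell script below is an added example, not part of the Palo Alto Networks article and not Cortex XDR code: it takes the channel-to-ID mapping from the two tables and reports, for the local host, which channels exist and are enabled and which of the expected IDs have been seen within a lookback window. The `$LookbackDays` window and the grouping of the Application-category rows under the `Application` log are assumptions. Run it from an elevated prompt, since the Security log is not readable by standard users; the WEC rows are expected on domain controllers, the EDR rows on any endpoint.

```powershell
# Added example (not from the Palo Alto Networks article): report which of the
# channels and event IDs listed above have produced events on this host recently,
# so that a gap can be traced to audit policy or a missing channel before it is
# mistaken for a collector problem. Requires an elevated prompt for the Security log.
param(
    [int]$LookbackDays = 7   # assumption: one week is a reasonable sample window
)

# Channel -> event IDs, transcribed from the two tables in the article.
# The WEC list is Security-channel only; the EDR list spans several channels.
$Expected = @{
    'Security' = @(
        4768, 4769, 4770, 4771, 4776, 4624, 4634, 4648, 4672,
        4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4780, 4781, 4794,
        4698, 4702, 4778, 4779, 5140, 5142, 5144, 5145, 4616, 1100, 1102, 4647,
        4688, 4689, 4732, 4728, 4756, 4733, 4886, 4887, 4888,
        4880, 4881, 4896, 4898, 6272, 6280
    )
    'Application'                                              = @(1000, 1002, 1511, 1518)
    'Microsoft-Windows-PowerShell/Operational'                 = @(4103, 4104, 4105, 4106)
    'Microsoft-Windows-DNS-Client/Operational'                 = @(3008)
    'Microsoft-Windows-CAPI2/Operational'                      = @(11, 70, 90)
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational'  = @(2004)
    'Microsoft-Windows-TaskScheduler/Operational'              = @(106, 129, 141, 142, 200, 201)
    'Microsoft-Windows-TerminalServices-RDPClient/Operational' = @(1024)
    'Microsoft-Windows-Windows Defender/Operational'           = @(1006, 1009, 1116, 1119)
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' = @(2004, 2005, 2006, 2009, 2033)
}

$Since  = (Get-Date).AddDays(-$LookbackDays)
$Report = foreach ($Channel in $Expected.Keys) {
    # A channel that does not exist or is switched off (CAPI2/Operational is
    # disabled by default) can never feed the collector, so flag it explicitly.
    $Log = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
    if (-not $Log) {
        [pscustomobject]@{ Channel = $Channel; Id = '*'; Status = 'channel missing' }
        continue
    }
    if (-not $Log.IsEnabled) {
        [pscustomobject]@{ Channel = $Channel; Id = '*'; Status = 'channel disabled' }
        continue
    }
    foreach ($Id in $Expected[$Channel]) {
        # One matching record in the window is enough to prove the event is being written.
        $Hit = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = $Id; StartTime = $Since } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Channel = $Channel
            Id      = $Id
            Status  = if ($Hit) { 'seen' } else { 'not seen in window' }
        }
    }
}

$Report | Sort-Object Channel, Id | Format-Table -AutoSize
```

Read "not seen in window" with the event's nature in mind: some IDs are rare by design (4794, the DSRM password change, may legitimately never appear), while others only exist when the corresponding audit setting is on, for example 4688 needs Audit Process Creation enabled and 4104 needs PowerShell Script Block Logging. A "channel disabled" or "channel missing" line, by contrast, is always a configuration gap on the host rather than a collector issue.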

