The security landscape never stands still. Staying on top of new techniques, technologies, and vendors can feel like a full-time job. As cybersecurity professionals, we juggle the challenge of protecting a wide assortment of technologies. Yet, despite this constant evolution, one thing remains true: “The more things change, the more they stay the same.”

Many organizations still rely on Windows workstations and servers, while others are making the leap to Microsoft’s cloud platform, Azure. With its market share steadily climbing, Azure now powers 25% of the cloud infrastructure services market.

Customers often ask us how Alert Logic protects on-prem, hybrid, and cloud-based Microsoft infrastructure. The quick answer? The MDR Professional subscription includes a variety of mechanisms that, together, cover it all. The longer answer? Let’s dive into those now!

Alert Logic and Your Servers

Our first solution should come as no surprise to the reader who has some familiarity with Alert Logic. Intrusion detection system (IDS) monitoring with the Alert Logic agent and appliance combination is a feature of our Alert Logic MDR Professional, Enterprise, and XDR solutions. Ideal for both on-prem and cloud-based servers, the Alert Logic agent mirrors its traffic to an IDS device whose signature engine sends events to our analytics backend, and any findings are raised in your Incidents console. The agent also offers vulnerability scanning and file integrity monitoring, as well as the capability I most want to touch on in this blog: log ingestion.

By default for Alert Logic MDR Professional, Enterprise, and XDR customers, the Alert Logic agent taps into all Windows Event Log streams and sends them back to us over TCP port 443. On our backend, we analyze the data and run analytics to identify any signs of suspicious activity. Our security operations center (SOC) reviews any potentially concerning incidents, and we’ll reach out to you for anything with high or critical severity.

Since the agent doesn’t independently make changes to your servers, we recommend several configurations to enhance visibility into your hosts. This ensures we can detect the most severe threats and provide you with actionable and valuable incident reports.

The great thing for Alert Logic customers is that once you set up these configurations, our agent will pick up your new logs without any further configuration needed!

Windows Command Line Parameter Logs

A significant number of threat actors use the Windows command line during an attack, especially those deploying ransomware or abusing otherwise benign Windows binaries to perform nefarious actions (Living-Off-the-Land binaries, or LOLBins). By default, Windows Event Logs simply show the command that was run, not the specific options and arguments passed to it. That context is critical: what looks like a simple call to net.exe could really be a lateral movement attempt such as “net use x: \\10.0.0.1\c$ /USER:administrator”.

To enable command-line logging, we modify Group Policy on your domain controllers. Specific steps are available in our support portal.

Windows PowerShell Logs

That’s all well and good, but what if the threat actor runs a PowerShell script? Sure, we’d see the name of the script they ran, but unless they passed the entire script directly into the command line, we wouldn’t know what that script is doing.

Threat actors are just as likely to utilize PowerShell as the Windows command line, and with the Alert Logic agent, there are a few Group Policy changes we can make on your domain controller to give us the visibility we need. Learn more about PowerShell module and script block logging.

Windows Object Access Logs

We can take our visibility into your environment to the next level by auditing system objects that carry a system access control list (SACL), such as files, folders, registry keys, printers, and services. With the right configuration, Alert Logic can track every time these objects are read, modified, created, or deleted. This level of insight bolsters our ability to identify threats like ransomware and to stay ahead of potential risks. Learn how to enable this capability.

Windows User Account Events

Another useful configuration is User Account Events, which show us password authentication attempts, as well as creation and deletion of users, attempts to change a user’s password, attempts to disable an account, and modifications to groups. Read this page to learn more about this security enhancement.
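The four sections above each depend on a Group Policy or audit policy setting being in effect on the host. As an added example (not Alert Logic’s code, and not a reproduction of its support-portal steps), the PowerShell script below reports which of those settings are currently active on the local machine, reading the well-known policy registry values and querying the advanced audit policy with auditpol. It assumes the standard Windows policy registry paths and audit subcategory names, and must be run from an elevated prompt.

```powershell
# Added example, not Alert Logic's own code: report whether the Windows
# logging settings discussed in this post are in effect on the local host.
# Run from an elevated PowerShell prompt; auditpol requires administrator rights.
function Get-PolicyDword {
    # Returns the DWORD of a policy registry value, or $null when the key or
    # value does not exist (i.e. the Group Policy setting was never applied).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}
function Get-AuditInclusion {
    # auditpol /r emits CSV preceded by a blank line; drop blanks before parsing.
    param([string]$Subcategory)
    $rows = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -ne '' }
    ($rows | ConvertFrom-Csv).'Inclusion Setting'   # e.g. 'Success and Failure'
}
# Group Policy settings that materialise as registry values on each host.
$registryChecks = @(
    @{ Name  = 'Command line arguments in process creation events (4688)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled' },
    @{ Name  = 'PowerShell script block logging (4104)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging' },
    @{ Name  = 'PowerShell module logging (4103)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging' }
)
# Advanced audit policy subcategories behind the event types the post relies on.
$auditChecks = @(
    'Process Creation',           # 4688; prerequisite for the command line field
    'Logon',                      # 4624/4625 authentication attempts
    'User Account Management',    # 4720/4726 create/delete, 4723/4724 password, 4725 disable
    'Security Group Management',  # 4728/4732 group membership changes
    'File System',                # object access on files/folders that carry a SACL
    'Registry'                    # object access on registry keys that carry a SACL
)
foreach ($c in $registryChecks) {
    $v = Get-PolicyDword -Path $c.Path -Name $c.Value
    [pscustomobject]@{ Setting = $c.Name
                       State   = $(if ($v -eq 1) { 'enabled' } else { 'NOT enabled' }) }
}
foreach ($sub in $auditChecks) {
    $s = Get-AuditInclusion -Subcategory $sub
    [pscustomobject]@{ Setting = "Audit policy: $sub"
                       State   = $(if ($s -match 'Success') { $s } else { "NOT enabled ($s)" }) }
}
```

Object access auditing additionally requires a SACL on each file, folder, or key you want tracked; the audit policy rows only confirm that such SACLs would generate events.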

DHCP Server Logs

To round out our list of recommended built-in configurations, DHCP Server logs may also be useful to us in creating incidents or tracking down threats. To make sure these are enabled, log in to your DHCP server, open Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > DHCP-Server, then right-click each item in the list and select Enable Log.

Sysmon

While not included in Windows by default, Microsoft offers a Sysinternals tool called Sysmon (System Monitor) that enriches your Event Logs, giving Alert Logic more information about process creations, network connections, and much more. For a full list of Sysmon’s capabilities and how to configure it, review Microsoft’s guidance.

Microsoft Azure Integrations

All the above applies to Microsoft Windows servers, regardless of their residency in the cloud or on-prem. But with enterprises increasingly moving to the cloud, many customers ask how we can protect their Azure environment.

For your servers, Alert Logic MDR works the same way in Azure as it does on-prem. An IDS appliance is deployed in your VNets and ingests traffic mirrored from agents you’ve installed on your virtual machines. In practice, it requires a little more configuration to grant us the appropriate access to your Azure accounts. Read more on how to set up an Azure deployment.

But Azure is much more than networks and servers — it provides an entire suite of services, many of them direct analogues of services you may be familiar with from an on-prem environment. We have Entra ID (formerly Active Directory), Exchange, SharePoint, Defender, and more. Alert Logic provides mechanisms for ingesting logs from all of these, as well as a generic mechanism for anything else Azure may have to offer.

Office 365 Collector

Our first collection mechanism is an API integration. With this collector, we can ingest audit logs from Entra ID, Exchange, SharePoint, and Azure. You can then expect to see incidents like “Risky Azure AD Logon,” “Impossible Travel Activity for a User,” or even “Suspicious Inbox Manipulation Rule created by a User.” Learn how to configure your Office 365 Collector.

Event Hub

With Alert Logic, you can stream logs from any Azure service to an Event Hub to have them ingested into the console. Think of this collector as the catch-all collector for any log sources in Azure not already covered by the Office 365 collector.

One particularly important log source we recommend customers ingest with the Event Hub collector right away is the Microsoft Defender for Cloud suite of products. For general, non-product-specific guidance on setting up the Event Hub collector, view this guidance.

The Microsoft Security Landscape

Safeguarding your Microsoft infrastructure is critical to the success of your organization. Threat actors invest significant effort into crafting sophisticated attacks targeting the Azure platform and the Windows operating system. With Alert Logic by your side and the right level of visibility into your environments, we can uncover the full scope of potential threats. Our advanced detection capabilities will alert you to suspicious activities, keeping you one step ahead of attackers and protecting your business every day.

For current Alert Logic customers with questions, reach out to [email protected]. And if you’re ready to elevate your security posture with Fortra’s Alert Logic, schedule a demo.

Additional Resources:

Muir Group’s Journey with Alert Logic: From On-prem Through Azure Migration

Alert Logic MDR for Microsoft Azure | Solution Brief

About the Author
Miles Hall
Miles Hall is a Lead Customer Technical Engineer working as part of the Alert Logic Customer Technical Engineering team. Our CTE team investigates traffic and log visibility gaps, assists with more difficult technical issues, and consults with customers on best practices.
