3.16. LogWatcher Service

The LogWatcher real-time service monitors the Windows Event Log using predefined rules in the Sigma format and creates an alert that is forwarded to ASGARD Analysis Cockpit whenever a rule matches. The LogWatcher service is no longer shown by default on newly installed ASGARDs. To enable it, go to Settings > Advanced and enable the Show LogWatcher checkbox.
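To make the rule matching concrete, here is an added example (not ASGARD or LogWatcher code) of how a rule written in Sigma's shape is evaluated against Sysmon process-creation events; the rule, the field names and the event records are constructed for illustration, and the evaluator covers only flat conditions and the string modifiers shown.

```python
# Added example: minimal evaluator for a Sigma-style rule (dict in Sigma's YAML shape,
# selection keys "Field|modifier") over Sysmon process-creation events. Not ASGARD
# LogWatcher code; the rule and the events below are constructed.
RULE = {"logsource": {"product": "windows", "category": "process_creation"},
        "detection": {"selection": {"Image|endswith": "\\whoami.exe"},
                      "filter": {"ParentImage|endswith": "\\monitoring_agent.exe"},
                      "condition": "selection and not filter"}}

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields used.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Tools\\monitoring_agent.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def field_matches(event, key, wanted):
    """Apply one Sigma field test; supported modifiers: contains, startswith, endswith."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()            # Sigma matching is case-insensitive
    for w in (wanted if isinstance(wanted, list) else [wanted]):   # list values are OR-ed
        w = str(w).lower()
        if (modifier == "" and value == w) or (modifier == "contains" and w in value) \
           or (modifier == "startswith" and value.startswith(w)) \
           or (modifier == "endswith" and value.endswith(w)):
            return True
    return False

def evaluate_condition(cond, named):
    """Evaluate a flat condition such as 'selection and not filter' left to right."""
    result, op, negate = None, "and", False
    for tok in cond.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val = named[tok] != negate                    # apply a pending 'not'
            negate = False
            result = val if result is None else (result and val if op == "and" else result or val)
    return bool(result)

def matches(rule, event):
    """True if the event satisfies the rule; fields inside one selection are AND-ed."""
    det = rule["detection"]
    named = {n: all(field_matches(event, k, v) for k, v in s.items())
             for n, s in det.items() if n != "condition"}
    return evaluate_condition(det["condition"], named)

def alerts(rule, events):
    # Indexes of the events that fire the rule, i.e. what would be forwarded as alerts.
    return [i for i, e in enumerate(events) if matches(rule, e)]  # → [0] for EVENTS
```

The second event is suppressed by the filter selection, which is how benign parent processes are excluded without loosening the main selection.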

3.16.1. Prerequisites

In order to make full use of ASGARD LogWatcher you need a Windows Audit Policy and Sysmon, both with a reasonable configuration, in place. We expect organizations to provide a sane configuration on their own; this section gives starting points if needed.

3.16.2. Windows Audit Policy

The default audit policy of Windows is not suitable for security monitoring and needs to be adjusted. Microsoft recommendations are available online.

Auditing of the command line in process creation events should also be enabled. Documentation for that task is available here.

3.16.3. Sysmon Configuration Template

There are some best-practice configurations available. Treat them as a good starting point for developing your own configuration. If you do not have a Sysmon configuration yet, we suggest one of the following options:

  1. The Nextron Systems fork of SwiftOnSecurity's sysmon-config
  2. The SwiftOnSecurity sysmon-config
  3. Olaf Hartong's sysmon-modular

In general we suggest our own configuration, as we test our rules with it and include changes from the upstream configuration. Depending on your preferences, however, any of the listed configurations is a good starting point for writing your own.

Warning

Do not deploy those configurations to your production environment without prior testing.

Some tools in your environment are likely to generate a huge log volume; such sources should be tuned in the configuration according to your environment.

3.16.4. Sysmon Installation

Sysmon is part of Microsoft Sysinternals and therefore has to be installed as a third-party tool. The preferred way to distribute Sysmon and its configuration is your organization's device management. If you do not have access to one, you can use ASGARD's playbook feature to distribute Sysmon and update its configuration. Documentation describing playbook creation, along with maintenance scripts, can be found in our asgard-playbooks repository.

3.17. LogWatcher Operation

This chapter explains how to configure LogWatcher using Sigma rules.

3.17.1. LogWatcher Overview

Under Service Control > LogWatcher > Asset View (Deployed) an overview of all assets with an installed LogWatcher is shown. Clicking an entry opens a drop-down menu with details and additional information.

Figure: LogWatcher Asset View

Analogously, an overview of all assets without an installed LogWatcher is shown under Service Control > LogWatcher > Asset View (Not Deployed).

3.17.2. Enable Service for an Asset

To enable the LogWatcher service for an asset, navigate to Service Control > LogWatcher > Asset View, select the asset's checkbox and choose Assign Configuration. Then choose the desired service configuration by clicking Assign.

Figure: Enable a Service Configuration

3.17.3. Creating a Custom LogWatcher Service Configuration

A service configuration is used to group assets of a similar type and assign them a set of rules (in the form of rulesets).

Go to Service Control > LogWatcher > Configurations > Add Configuration, enter a name and add the rulesets that should apply for this service configuration (i.e. group of assets).

Figure: Create a Service Configuration

If you have not configured a ruleset yet, you need to do so beforehand.