Threat Stack now provides the ability to monitor Windows instances, hosted in the cloud or on-premise.
Monitoring Windows instances with Threat Stack achieves similar levels of visibility to Linux host monitoring.
This enables our customers to achieve:
- Compliance for Windows environments
- The ability to cover a hybrid OS environment with Linux and Windows servers or an all Windows environment
- Host Intrusion Detection: All user activity, process, and network activity is captured. Accordingly, users can create alerts on abnormal user, process, and network behavior.
- File Integrity Monitoring - Critical file activities (open / delete / create / modify) can trigger alerts
- Threat Intelligence Activity - Connections to / from the monitored host can detect and alert on connections to / from malicious hosts
- Windows Security Event Log Monitoring - a few examples of security events Threat Stack will alert on include:
- Windows policy changes (event id 4732)
- Windows system time changes (event id 4616)
- Windows security group changes
Supported OS / Minimum Server Requirements
- Windows 2012 R2
- Minimum of 2 vCPUs / 4 GB RAM
Windows agent can be downloaded by Clicking Here
Click "Next" to open the configuration page:
Enter your deployment key and change other settings as needed, though the defaults should be good for most situations. Note that when the services start, the Threat Stack Comms service will acquire an agent ID as soon as it connects to the Threat Stack cloud. If you desire to make a "golden master" that can be duplicated, then uncheck the checkbox on this page. The services will then be installed and won't start until the host is rebooted. This provides an opportunity to shutdown the host and make multiple copies.
Click "Next" to continue to the verification page:
Verify your settings are correct, and click the "Install" button to install the Windows Agent.
Click "Finish" to clear the page and end the installation process.
Command Line Installation
The agent can also be installed from the command-line (either PowerShell or a cmd console), as long as it's run as administrator. The simplest execution is:
msiexec /i ThreatStack.Installer.20170120.msi /quiet TSDEPLOYKEY="my-deployment-key"
This will silently run the installer and set the deployment key. Besides "TSDEPLOYKEY" there are three other command-line variables that can be set: INSTALLDIR, TSSTARTSERVICES and TSCLOUDURL. The first gives you an opportunity to install the agent in a directory other than "C:\Program Files\Threat Stack".
The second, TSSTARTSERVICES, acts as a switch. By default, the services will start after installation completes, so the only time you need to put TSSTARTSERVICES on the command-line is if you don't want the services to start after installation. For example:
msiexec /i ThreatStack.Installer.20161214.msi /quiet TSDEPLOYKEY="my-deploy-key" TSSTARTSERVICES=""
To create a "golden image", you can install the agent with `TSSTARTSERVICES=""` and then snapshot.
The final command-line variable, TSCLOUDURL, isn't needed to set.
Note - After the installation, the agent should appear on the servers page - If not, the debugging section towards the end of the article should help you identify the problem
Searching for Events and Creating Rules for Alerts
All events from the Windows security log are captured as event_type = "winsec". Each of the event IDs are captured as win_event_id.
For example, to search for all Windows system time change events, enter event_type = "winsec" and win_event_id = 4616.
The Windows Base Rule Set is available out-of-the-box, and alerts on many of the security events such as logins, file changes in system directory, and various Windows Security events.
Note: After installing the Windows agent, you will need to apply the Windows Base Rule Set.
- Navigate to the Servers page
- Click on the Windows Server you would like to apply the Windows Base Rule Set to
- Click Edit Server
- Remove the Base Rule Set and add the Windows Base Rule Set
Similar to Linux, Windows users can write alert filters on any event search filter. Users can copy any event search filter and create an alert from it.
Below are a few examples of different types of Windows Alerts: