
Monitor Microsoft Windows Defender Antivirus with Graylog Part 3

Part 3 of the guide for deploying Graylog to monitor Microsoft Windows Defender Antivirus on Windows endpoints.

This is part 3 of a multi-part guide for setting up Graylog to monitor Windows Defender on your endpoints. In this part, we'll create a dashboard to monitor for detected malware and set up a system to send notifications of detected malware. This part assumes you have a working Graylog server in your environment and have sidecars installed on your endpoints sending Windows Defender logs into Graylog; if not, take a look at Part 1 or Part 2.

Graylog Windows Defender Dashboard

Now that you've got Windows Defender logs coming into Graylog, you are able to create Dashboards that allow you to visualise the data. Graylog Dashboards are made up of widgets that contain either aggregations of data or message tables. In this example, we'll create a dashboard with two widgets: one that shows a graph of the number of malware detections in the last 30 days, and another with a table showing the detection messages.

Log into the Graylog web interface and click Dashboards. Click Create new dashboard.

To create the message table widget, click the + button on the left side of the page and choose Message Table.

An Untitled Message Table widget will appear on the page. Double click the widget's heading and change it to Malware Detections. Press Enter to commit the heading change.

Click the Edit button (the small box with a pencil) to 

Adjust the Message Table timeframe to only show the last 30 days of messages by clicking the down arrow next to the blue clock icon and adjusting the time to 30 days (or your preferred time range).

In the search query field enter the following search term to only show malware detection messages:

winlogbeat_event_code:1116

By default the message table will show the timestamp of the message, the source computer's hostname and the event log message from Windows Defender (which includes the details about the infected file name, path, process etc.). Click Apply Changes to return to the dashboard.

Save your Dashboard by clicking the Save as button in the top right corner of the page. Give the Dashboard a Title, summary description and longer description, and press Save.

To create a graph of malware detection counts by day, press the + button on the left side of the page, and choose Aggregation. An empty aggregation widget will appear on the page. Click the Edit button in the empty Aggregation widget.

Double click the Title of the widget and adjust it to Malware Detections by Day. Press Enter to commit this change.

Click the down arrow next to the blue clock icon and adjust the time frame to 30 days (or for as far back as you'd like this graph to display counts from). 

Enter the following search term into the search query field:

winlogbeat_event_code:1116

Click the Green Perform Search button.

Add a grouping by pressing the + icon next to Group By. Set the Direction to Row, set the Field to timestamp, untick Auto Interval, and set the interval to 1 Days.

Add a Metric by pressing the + icon next to Metrics. Set the Function to Count, set the Field to winlogbeat_event_code and set the name to No. Malware Detections.

Change the Visualisation Type to Bar Chart and set the mode to Group. Click Update Preview. The graph will update and show the number of malware detections by day for the last 30 days. Click Apply Changes.

You can move the widgets by clicking and dragging on the handle in the top left corner of the widget. You can resize the widget by clicking and dragging it in the bottom right corner. Once you've got the Dashboard laid out to your liking, press Save.

Email Notification of Windows Defender Malware Detection

You can utilise Graylog's system of Notifications and Event Definitions to send emails when malware is detected. The first step in configuring Graylog to send emails is to modify the server.conf file on the Graylog server.

On your workstation, open up your SSH client, such as PuTTY, and log into the Graylog server. Open the server.conf file with a text editor such as vim:

sudo vim /etc/graylog/server/server.conf

Scroll down to about 80% of the document and edit the Email transport section with your mail server details. At a minimum, you need to uncomment (remove the # in front of) transport_email_enabled and set it to true.

Remember that in vim, press i to change to insert mode.

# Email transport
transport_email_enabled = true
transport_email_hostname = <your SMTP server hostname>
# Typically 25 for unencrypted mail, 465 for older encrypted servers or 587 for more modern servers
transport_email_port = <port no. of your SMTP server>
#transport_email_use_auth = false
#transport_email_auth_username = <your SMTP username>
#transport_email_auth_password = secret
transport_email_from_email = <the email address to show the email was sent from>

# Encryption settings
#
# ATTENTION:
# Using SMTP with STARTTLS *and* SMTPS at the same time is *not* possible.

# Use SMTP with STARTTLS, see https://en.wikipedia.org/wiki/Opportunistic_TLS
transport_email_use_tls = false

# Use SMTP over SSL (SMTPS), see https://en.wikipedia.org/wiki/SMTPS
# This is deprecated on most SMTP services!
transport_email_use_ssl = false

Once you are done editing the file, press ESC, then type :wq and press Enter to save and exit. Restart the Graylog server:

sudo service graylog-server restart
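Before restarting, it is worth checking the transport_email settings against the constraints the config comments spell out (enabled must be true, commented-out keys stay unset, STARTTLS and SMTPS cannot both be on, and the example password "secret" should not survive). This is an added example, not Graylog's own tooling; it parses the key = value format of server.conf and the sample fragment is constructed:

```python
from pathlib import Path

# Constructed server.conf fragment (the Email transport section from the page
# with sample values filled in); not a real server's configuration.
SAMPLE_CONF = """\
# Email transport
transport_email_enabled = true
transport_email_hostname = mail.example.com
transport_email_port = 587
#transport_email_use_auth = false
#transport_email_auth_username = you@example.com
#transport_email_auth_password = secret
transport_email_from_email = graylog@example.com
transport_email_use_tls = true
transport_email_use_ssl = false
"""

def parse_conf(text):
    """Parse key = value lines; lines starting with '#' are comments, so a
    commented-out key is treated as unset, exactly as Graylog would."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def check_email_transport(settings):
    """Return a list of problems with the transport_email_* settings (empty list = OK)."""
    def flag(key):
        return settings.get(key, "false").lower() == "true"
    problems = []
    if not flag("transport_email_enabled"):
        return ["transport_email_enabled is not set to true"]
    for key in ("transport_email_hostname", "transport_email_from_email"):
        if not settings.get(key):
            problems.append(f"{key} is missing")
    port = settings.get("transport_email_port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"transport_email_port is not a valid port: {port!r}")
    if flag("transport_email_use_tls") and flag("transport_email_use_ssl"):
        problems.append("STARTTLS (use_tls) and SMTPS (use_ssl) cannot both be true")
    elif port == "25" and not (flag("transport_email_use_tls") or flag("transport_email_use_ssl")):
        problems.append("mail will be sent unencrypted (neither STARTTLS nor SMTPS enabled)")
    if flag("transport_email_use_auth") and settings.get("transport_email_auth_password", "") in ("", "secret"):
        problems.append("transport_email_use_auth is true but the password is unset or still 'secret'")
    return problems

def check_file(path="/etc/graylog/server/server.conf"):
    """Run the checks against a real server.conf on disk."""
    return check_email_transport(parse_conf(Path(path).read_text()))
```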

Now that the server is set up to send emails, it's time to configure an email notification in Graylog. Log into the Graylog web interface and click Alerts. On the Alerts & Events page click Notifications.

Click Create Notification. You may instead see a Get Started! button.

In the Title field, enter a title, such as Malware Detected.

Optionally in the Description field enter a description, such as Email notification on malware detected event.

Change the Notification Type to Email Notification.

By default the Subject of the email will be Graylog event notification: ${event_definition_title}; adjust this to your liking, or leave it as is.

The Sender field will use the transport_email_from_email setting from server.conf if you leave it blank here.

If your Graylog user accounts have email addresses associated with them, you can specify a user in the User recipient(s) field, otherwise specify one or more recipients in the Email recipient(s) field.

Optionally change the Time zone for date/time values to your local time zone.

The Body Template and HTML Body Template will be pre-filled with a generic layout. You can adjust this now, or come back and change it after you've seen how the message looks.

Click Execute Test Notification to be sent a test version of this notification email. Click Create.

Note: If you don't receive the test email, open PuTTY again, check and adjust the transport_email settings in server.conf, and restart the server again.

Now that we've got an email notification configured, we can set up an Event Definition that will trigger the notification when malware is detected.

Click Alerts. On the Alerts & Events page click Event Definitions. Click the green Create Event Definition button. You may instead see a Get Started! button.

Enter a title for the Event, such as Malware Detection Alert. Optionally enter a Description such as Malware detected event and set a Priority such as High. Click Next.

On the Event Condition page, change the Condition Type to Filter & Aggregation.

Set the Search Query to winlogbeat_event_code:1116. This is the event code that, if seen in the messages, will trigger the event.

Set the Streams field to All messages.

Set the Search within the last field to 1 minutes.

Set the Execute search every field to 1 minutes. You can set these values to a longer time frame if you like; this will reduce load on the server, but will delay your notification email by up to the time specified.

Tick the Enable checkbox.

In the Create Events for Definition if... section, choose Filter has results.

Click Next.

On the Fields page we don't need any custom fields for this Event; click Next.

On the Notifications page, click the green Add Notification button. Choose the Malware Detected notification from the drop-down list and click Done. Tick the Message Backlog checkbox and enter 1 into the field. Including a 1 message backlog allows us to receive the Windows event log message that triggered this event, which means we get the virus name, file path etc. of the detected malware and the hostname of the endpoint the event came from. Click Next.

On the Summary page, click Done.
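To make the dashboard and Event Definition logic above concrete, here is an added example (not Graylog's code) that does offline what Graylog does server-side: filter stored messages on winlogbeat_event_code:1116, count detections per day for the aggregation widget, and, for the Event Definition, search the last 1 minute and attach a 1-message backlog with the threat name, path and hostname the email needs. The messages, timestamps and the "current time" are constructed, not captured from a real endpoint:

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Constructed messages in the shape Graylog stores winlogbeat events (field
# names follow the page's search query); the content is sample data only.
SAMPLE_MESSAGES = [
    {"timestamp": "2023-04-29T08:00:00.000Z", "source": "PC-01", "winlogbeat_event_code": 1116,
     "message": "Detected malware\n Name: Virus:DOS/EICAR_Test_File\n Path: file:_C:\\Temp\\eicar.txt\n"},
    {"timestamp": "2023-04-29T08:00:05.000Z", "source": "PC-01", "winlogbeat_event_code": 1117,
     "message": "Action taken\n Name: Virus:DOS/EICAR_Test_File\n Action: Quarantine\n"},
    {"timestamp": "2023-05-01T12:30:00.000Z", "source": "PC-02", "winlogbeat_event_code": 1116,
     "message": "Detected malware\n Name: Virus:DOS/EICAR_Test_File\n Path: file:_C:\\Users\\bob\\eicar.txt\n"},
    {"timestamp": "2023-05-01T12:59:40.000Z", "source": "PC-03", "winlogbeat_event_code": 1116,
     "message": "Detected malware\n Name: Virus:DOS/EICAR_Test_File\n Path: file:_D:\\eicar.com\n"},
]
NOW = datetime(2023, 5, 1, 13, 0, 0, tzinfo=timezone.utc)  # constructed "current time"
DETECTED = 1116  # Defender event ID used in the page's search query

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def detections(messages, since):
    """The dashboard filter: winlogbeat_event_code:1116 inside the time range."""
    return [m for m in messages
            if m["winlogbeat_event_code"] == DETECTED and parse_ts(m["timestamp"]) >= since]

def detections_by_day(messages, now=NOW, days=30):
    """The aggregation widget: count of 1116 events grouped by day (1 Days interval)."""
    return dict(Counter(m["timestamp"][:10] for m in detections(messages, now - timedelta(days=days))))

def threat_details(message):
    """Pull the Name and Path lines out of the Defender event text for the email body."""
    found = dict(re.findall(r"^\s*(Name|Path): (.+)$", message, re.MULTILINE))
    return {"name": found.get("Name"), "path": found.get("Path")}

def evaluate_event(messages, now=NOW, window=timedelta(minutes=1), backlog=1):
    """The Event Definition: search within the last `window`, fire when the filter
    has results, and attach the newest `backlog` messages to the notification.
    Returns None when nothing fires, otherwise the backlog with parsed details."""
    hits = sorted(detections(messages, now - window), key=lambda m: m["timestamp"], reverse=True)
    if not hits:
        return None
    return [{"host": m["source"], **threat_details(m["message"])} for m in hits[:backlog]]

if __name__ == "__main__":
    print(detections_by_day(SAMPLE_MESSAGES))
    print(evaluate_event(SAMPLE_MESSAGES))
```

Note that the 1117 (action taken) event is excluded by the filter, which is why the page's query uses 1116 alone.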

OK! We've now got an email notification and an event definition that will trigger the notification. It's time to test it out. On one of the endpoints with the sidecar running, navigate to https://www.eicar.org/download-anti-malware-testfile/

Towards the bottom of the page is the 68-byte string that makes up the EICAR test file. The EICAR test file is a completely safe method of testing your antivirus software: if the antivirus software detects a file that is exactly 68 bytes long containing the exact string of characters shown on that site, it will trigger the antivirus software, which deletes or quarantines the file.

Copy the special 68-byte string and paste it into a new text file. Save the file. Try to open the file again. At this point Windows Defender should block access to the file and delete it. If everything is configured correctly, you should receive an email from the server with the malware detection alert.

This brings us to the end of this series of posts on setting up Graylog to monitor Windows Defender Antivirus.

References

https://docs.graylog.org/v1/docs/widgets#aggregation

https://community.graylog.org/t/setting-up-email-transport-config/5445

https://community.graylog.org/t/how-to-customize-my-backlog-message/22979/2

https://www.eicar.org/download-anti-malware-testfile/