Role Availability | Read-Only | Investigator | Analyst | Manager |
You can use the Windows Event Collector (WEC) sensor app to collect and store Windows events from the computers in your network. When you use the WEC sensor app, the Windows Server machines function as the sender, and the WEC sensor app itself functions as the collector for the events. However, for most instances LevelBlue recommends that for enhanced performance and functionality, you should use the Windows Agent or the NXLogs plugin to monitor Windows event logs.
Installation of the WEC sensor app includes these prerequisites:
- Windows Server 2008, 2012, or 2019.
- PowerShell 3.0 or newer.
- A USM Anywhere Sensor with a private, static IP address, deployed in the same network forwarding logs to the WEC sensor app.
-
USM Anywhere Sensors require TLS 1.2 for WEC. These are the accepted ciphers:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
Installation and setup of the sensor requires: