Windows Event Collector Sensor App

Role Availability: Read-Only, Investigator, Analyst, Manager

You can use the Windows Event Collector (WEC) sensor app to collect and store Windows events from the computers in your network. When you use the WEC sensor app, the Windows Server machines function as the senders and the WEC sensor app itself functions as the collector for the events. However, in most cases AT&T Cybersecurity recommends that you use the Windows Agent or the NXLog plugin to monitor Windows event logs, because they offer better performance and functionality.

Installation of the WEC sensor app includes these prerequisites:

  • Windows Server 2008, 2012, or 2019.
  • PowerShell 3.0 or newer.
  • A USM Anywhere Sensor with a private, static IP address, deployed in the same network as the Windows Server machines that forward logs to the WEC sensor app.
  • USM Anywhere Sensors require TLS 1.2 for WEC. These are the accepted cipher suites:
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
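The following script is an added example of how an administrator could verify the prerequisites above on a Windows Server that will forward events; it is not part of the USM Anywhere product or its documentation. It assumes the standard SCHANNEL registry location for the TLS 1.2 server setting and that the Get-TlsCipherSuite cmdlet is available, which is the case on Windows Server 2016 and later; on the releases listed above that lack the cmdlet, the cipher suite check is reported as skipped rather than guessed.

```powershell
# Added prerequisite check for the WEC sensor app requirements listed above.
# Not USM Anywhere code: an illustration of verifying each listed item on the
# Windows Server that forwards events. Run from an elevated PowerShell session.

# Accepted cipher suites exactly as listed in the prerequisites.
$AcceptedCiphers = @(
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

function Test-WecPrerequisites {
    $results = [ordered]@{}

    # 1. PowerShell 3.0 or newer.
    $results['PowerShell >= 3.0'] = ($PSVersionTable.PSVersion.Major -ge 3)

    # 2. A Windows Server release named in the prerequisites (2008, 2012 or 2019).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['OS caption'] = $os.Caption
    $results['Listed Windows Server release'] = ($os.Caption -match 'Windows Server (2008|2012|2019)')

    # 3. TLS 1.2 must not be disabled on the server side of SCHANNEL.
    #    Assumed location: the standard SCHANNEL protocol key. When the key is
    #    absent the OS default for that release applies, so the result is reported
    #    as "not configured" instead of being guessed.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    if (Test-Path $tlsKey) {
        $tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
        $disabled = ($tls.Enabled -eq 0) -or ($tls.DisabledByDefault -eq 1)
        $results['TLS 1.2 enabled'] = -not $disabled
    } else {
        $results['TLS 1.2 enabled'] = 'not configured in registry (OS default applies)'
    }

    # 4. At least one accepted cipher suite is enabled on this host.
    #    Get-TlsCipherSuite ships with Windows Server 2016 and later; on older
    #    releases the check is skipped rather than reported as a failure.
    if (Get-Command -Name Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        $enabledSuites = (Get-TlsCipherSuite).Name
        $matching = @($AcceptedCiphers | Where-Object { $enabledSuites -contains $_ })
        $results['Accepted cipher suites enabled'] = $matching
        $results['Any accepted cipher suite enabled'] = ($matching.Count -gt 0)
    } else {
        $results['Accepted cipher suites enabled'] = 'skipped (Get-TlsCipherSuite not available on this release)'
    }

    return [pscustomobject]$results
}

Test-WecPrerequisites | Format-List
```

A `False` for "TLS 1.2 enabled" or an empty cipher suite list means the sensor will be unable to negotiate a session with this server until the SCHANNEL configuration is corrected; the private, static IP address requirement for the USM Anywhere Sensor itself is a deployment property and is not something this host-side script can verify.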

Installation and setup of the sensor requires:
