Tactical Defense Software’s Windows Agent is the entry point for all logs into the system. Any log you want to save, query, or match against a Sigma Rule must enter the system via the Windows Agent. (We plan to add pulling logs directly from M365 and Google in the future, without needing a Windows Agent.)
MSP & Client Association
All Windows Agents are assigned a UUID. This unique identifier is what ties logs from the agent to a specific MSP and client.
The Agent UUID to MSP and client mapping is done via a callback to an endpoint controlled by the vendor. The endpoint must accept a GET request with the agent UUID as the path (/agent_uuid) and return the following response:
{ "msp_uuid": "uuid", "client_uuid": "uuid" }
Any other response results in logs from that agent not being added to the system. Logs will continue to be queued on the agent, but will fail to be ingested. Responses from these requests are cached for 12 hours.
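The following is an added example of the vendor-side callback described above; it is not Tactical Defense Software's code. It assumes the mapping lives in an in-memory dictionary standing in for the vendor's database, serves the lookup with Python's standard-library http.server, and answers anything other than a known, well-formed agent UUID with a 404 so that the agent keeps queueing rather than having its logs attributed to the wrong tenant.

```python
"""
Added example (not the vendor's implementation): a minimal callback endpoint
that resolves GET /<agent_uuid> to {"msp_uuid": ..., "client_uuid": ...}.

Assumptions not taken from the page: the mapping is an in-memory dict,
the server is http.server, and unknown or malformed UUIDs return 404.
"""
import json
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: agent UUID -> (msp_uuid, client_uuid).
AGENT_MAP = {
    "0b6d5a7e-2c1f-4f7a-9a3d-1c2e3f4a5b6c": (
        "7a1f0c2e-9d3b-4b8a-8e6f-2a3b4c5d6e7f",
        "c3d4e5f6-a7b8-49c0-8d1e-2f3a4b5c6d7e",
    ),
}


def lookup_agent(path: str) -> tuple[int, dict]:
    """Map a request path to (HTTP status, JSON body).

    Only a single path segment that parses as a UUID and is present in
    AGENT_MAP yields 200 with the msp_uuid/client_uuid body the agent
    expects. Every other case returns 404, which the agent treats as
    "do not ingest": its logs stay queued instead of being filed under
    a guessed MSP or client.
    """
    path = path.split("?", 1)[0]          # ignore any query string
    segments = [s for s in path.split("/") if s]
    if len(segments) != 1:
        return 404, {"error": "expected /<agent_uuid>"}
    try:
        # Canonical lowercase, hyphenated form so lookups are case-insensitive.
        agent_uuid = str(uuid.UUID(segments[0]))
    except ValueError:
        return 404, {"error": "malformed agent uuid"}
    mapping = AGENT_MAP.get(agent_uuid)
    if mapping is None:
        return 404, {"error": "unknown agent"}
    msp_uuid, client_uuid = mapping
    return 200, {"msp_uuid": msp_uuid, "client_uuid": client_uuid}


class AgentLookupHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper: GET /<agent_uuid> -> lookup_agent()."""

    def do_GET(self) -> None:
        status, body = lookup_agent(self.path)
        payload = json.dumps(body).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):   # keep the example quiet on stdout
        pass


if __name__ == "__main__":
    # Hypothetical local bind address; the real endpoint is vendor-controlled.
    HTTPServer(("127.0.0.1", 8080), AgentLookupHandler).serve_forever()
```

Because the agent caches these responses for 12 hours, removing or re-assigning an agent's mapping on the endpoint stops or redirects ingestion only after the cached response expires, so an entry deleted here should not be expected to take effect immediately.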
Filtering Logs
Any log in the Windows Event Log can be added to the system. However, to reduce noise and control expenses, the agent filters on event log channel and by default forwards only events from the following channels:
- Application
- Security
- System
- Microsoft-Windows-Sysmon/Operational
- Microsoft-Windows-Windows Defender/Operational
The filter is saved in the registry, and therefore can be changed by modifying a registry setting. Please contact support if you would like to modify this filter.