Skip to content
KYRA MDR KYRA MDR Docs

Windows Server Integration

Overview

This integration collects Windows Security, System, Application, PowerShell, and Sysmon event logs for threat detection, Active Directory monitoring, and forensic investigation. Windows Server accounts for 60-70% of SMB server deployments in Korea and is a core requirement for ISMS-P compliance.

Supported versions: Windows Server 2016, 2019, 2022

Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • Administrator access on the Windows Server
  • Network connectivity from the server to the collector on port 514

Configuration

The KYRA EDR Agent collects Windows event logs directly via the Win32 Event Log API:

Terminal window
# Install the KYRA EDR Agent
.\kyra-agent-installer.exe /S /COLLECTOR=KYRA_COLLECTOR_IP

The agent collects from Security, System, Application, PowerShell, and Sysmon channels automatically.

Option 2: Windows Event Forwarding (WEF)

For agentless collection, enable Windows Event Collector via Group Policy:

Terminal window
wecutil qc    # Enable Windows Event Collector service

Configure a subscription to forward Security events to a central collector.

Option 3: NXLog Forwarding

<Input eventlog>
    Module im_msvistalog
    Query <QueryList><Query Id="0"><Select Path="Security">*</Select></Query></QueryList>
</Input>
<Output syslog>
    Module om_udp
    Host KYRA_COLLECTOR_IP
    Port 514
</Output>
<Route eventlog_to_syslog>
    Path eventlog => syslog
</Route>

Collected Log Types

Event IDSecurity UsePriority
4624/4625Logon success/failure — brute force detectionCritical
4672Special privilege logon — admin account usageHigh
4720/4726Account created/deleted — backdoor account detectionCritical
4732User added to admin group — privilege escalationCritical
7045Service installed — malicious persistenceHigh
4688Process creation — suspicious execution detectionHigh
4768/4769Kerberos TGT/TGS — Pass-the-Ticket attackHigh
1102Audit log cleared — evidence destruction attemptCritical

Troubleshooting

No Logs Received

  1. Verify the Windows Audit Policy is enabled: auditpol /get /category:*
  2. Check that the KYRA EDR Agent or NXLog service is running
  3. Ensure port 514 is open between the server and collector
  4. For WEF, confirm the subscription is active: wecutil gs <subscription-name>

Missing Security Events

  • Enable advanced audit policies via Group Policy for comprehensive event collection
  • Ensure “Audit Logon Events” and “Audit Object Access” are set to Success and Failure

For additional help, contact kyra@seekerslab.com.