Overview

The latest release of the QRadar Log Source Management App now provides the functionality to bulk change one or many WinCollect log sources. You will need QRadar 7.3.1+ and Version 2.0 or greater of the Log Source Management App to use the bulk change feature.

Use Case

I want to modify the polling interval from 3s to 10s for all of my Microsoft Windows Security Event Log WinCollect log sources.

Launch the QRadar Log Source Management App
Filter the Log Source Type by “Microsoft Windows Security Event Log” and the Protocol Type by “WinCollect”


Select all of the log sources you want to modify

NOTE: you can filter by name as well

If I only wanted the 64-bit boxes, I could type in “64-bit” and that would narrow my list to


Select all of the log sources and click on Edit

Click on the “Protocol” tab, click on the “Polling Interval” entry, change it to 10000 (the value is in milliseconds, so 10000 = 10s), and then click on Save


The selected log sources will now have a polling interval of 10s. The agents need to pick up the change from QRadar, so it could be 5 minutes before an agent gets the new setting.

Use Case

Add a noise-filtering XPath query to all WinCollect log sources (Microsoft Windows Security Event Log)

Follow the same steps as above, select the XPath Query entry, add the following query, and click on Save:

<QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select>
<Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe'
)]]</Suppress><Suppress Path="Security">(*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']])
 or (*[System[EventID=4770]])
 or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']])
 or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])
</Suppress></Query></QueryList>
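Because the bulk edit pushes this query to every selected log source at once, it is worth checking it before saving. The following Python script is an added example and is not part of the original post, nor QRadar or WinCollect code: it parses the QueryList above with the standard library (a malformed query would fail here rather than on every agent), lists the Event IDs and process paths the Suppress blocks reference, and re-implements the same suppression rules in plain Python so a handful of constructed sample events can be run through them to see exactly what the filter hides. The sample events and their logon IDs are made up for illustration.

```python
"""Pre-flight check for the WinCollect noise-filter XPath from the post.

Added example, not part of the post or of any IBM product code.
"""
import re
import xml.etree.ElementTree as ET

# The noise filter from the post, verbatim. Raw string: the Windows paths
# contain backslashes that would otherwise be read as escapes.
NOISE_FILTER = r"""<QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select>
<Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe'
)]]</Suppress><Suppress Path="Security">(*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']])
 or (*[System[EventID=4770]])
 or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']])
 or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])
</Suppress></Query></QueryList>"""

SYSTEM_LOGON_ID = "0x3e7"  # the LocalSystem logon session the 4688 rule keys on


def summarize_filter(xml_text):
    """Parse the QueryList and report what its <Suppress> blocks reference.

    Raises xml.etree.ElementTree.ParseError if the query is not well-formed
    XML, which is the failure to catch before the bulk edit, not after it.
    """
    root = ET.fromstring(xml_text)
    return {
        "suppress_blocks": sum(1 for _ in root.iter("Suppress")),
        "event_ids": sorted(set(re.findall(r"EventID=(\d+)", xml_text))),
        "process_names": re.findall(
            r"Data\[@Name='NewProcessName'\]\s*=\s*'([^']+)'", xml_text),
    }


# Process paths pulled from the XML, so this stays in sync with the query.
NOISY_PROCESSES = frozenset(summarize_filter(NOISE_FILTER)["process_names"])


def is_suppressed(event):
    """Return True if the filter would drop this event at the agent.

    `event` is a dict with "EventID" (int) plus the EventData fields the
    XPath compares. String comparison is exact, as XPath's '=' is: a path
    logged with different casing does not match the suppression list.
    """
    eid = event["EventID"]
    if eid == 4688:
        return (event.get("SubjectLogonId") == SYSTEM_LOGON_ID
                and event.get("NewProcessName") in NOISY_PROCESSES)
    if eid == 4769:
        return event.get("ServiceName") == "krbtgt"
    if eid == 4770:
        return True
    if eid in (4624, 4634):
        return event.get("LogonType") == "3"
    return False


def apply_filter(events):
    """Split events into (kept, suppressed) lists for inspection."""
    kept, suppressed = [], []
    for ev in events:
        (suppressed if is_suppressed(ev) else kept).append(ev)
    return kept, suppressed


# Constructed sample events (not real log data), one per rule and its edge.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectLogonId": "0x3e7",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},              # dropped
    {"EventID": 4688, "SubjectLogonId": "0x3e7",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # kept
    {"EventID": 4688, "SubjectLogonId": "0x5a2f1",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},              # kept: not SYSTEM
    {"EventID": 4688, "SubjectLogonId": "0x3e7",
     "NewProcessName": r"C:\Windows\system32\svchost.exe"},              # kept: case differs
    {"EventID": 4624, "LogonType": "3"},                  # dropped: network logon
    {"EventID": 4624, "LogonType": "10"},                 # kept: RemoteInteractive
    {"EventID": 4769, "ServiceName": "krbtgt"},           # dropped
    {"EventID": 4769, "ServiceName": "cifs/fileserver01"},  # kept
    {"EventID": 4770, "ServiceName": "krbtgt"},           # dropped
    {"EventID": 4625, "LogonType": "3"},                  # kept: failed logons pass
]

if __name__ == "__main__":
    print(summarize_filter(NOISE_FILTER))
    kept, suppressed = apply_filter(SAMPLE_EVENTS)
    print(f"kept {len(kept)}, suppressed {len(suppressed)}")
```

Running it prints the two Suppress blocks' Event IDs and the 12 process paths, then "kept 6, suppressed 4" for the sample set. Two things the output makes visible: the 4688 rule only matches the exact spelling of each path, and the second block drops every network logon and logoff (4624/4634 with LogonType 3) and every krbtgt TGS request, so confirm that no QRadar rule or report you rely on needs those events before rolling the query out to all agents.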
