Overview
The latest release of the QRadar Log Source Management App adds the ability to bulk change one or many WinCollect log sources in a single edit. You will need QRadar 7.3.1+ and Version 2.0 or greater of the Log Source Management App to use the bulk change feature.
Use Case
I want to modify the polling interval from 3s to 10s for all of my Microsoft Windows Security Event Log WinCollect log sources.
Launch the QRadar Log Source Management App
Filter by Log Source Type “Microsoft Windows Security Event Log” and Protocol Type “WinCollect”
Select all of the log sources you want to modify
NOTE: you can filter by name as well.
If I only wanted the 64-bit boxes, I could type in “64-bit” and that would narrow my list to
Select all Log Sources and click on Edit
Click on the “Protocol” tab, click on the “Polling Interval” entry, change it to 10000 (10 seconds, expressed in milliseconds), and then click on Save.
The selected log sources will now have a polling interval of 10s. The agents need to pick up the change from QRadar, so it could be 5 minutes before an agent gets the change.
Use Case
Add a noise-filtering XPath query to all WinCollect log sources (Microsoft Windows Security Event Log)
Follow the same steps as above, select the XPath Query entry, add the following query, and click on Save:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and ( Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe' or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe' )]]</Suppress>
    <Suppress Path='Security'>(*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']]) or (*[System[EventID=4770]]) or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']]) or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])</Suppress>
  </Query>
</QueryList>
The first Suppress clause drops 4688 process-creation events for a list of routine system processes started by the SYSTEM logon session (0x3e7). The second clause drops 4769 ticket requests for krbtgt, all 4770 ticket renewals, and 4624/4634 network (LogonType 3) logon and logoff events. Every Suppress is a deliberate blind spot, so review the list against your own detection content before pushing it to all agents.
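Before bulk-applying a query like this to every agent, it is worth checking two things offline: that the pasted text is well-formed XML (a stray character breaks collection on every log source you pushed it to), and exactly which events each Suppress group removes, especially groups that suppress an EventID with no EventData condition at all. The script below is an added example, not part of the original post or of the Log Source Management App. It parses the QueryList with Python's standard library and summarises each OR-group of the Suppress clauses. It does not evaluate the XPath against real events (Windows does that); the regular expressions assume the `EventID=N` and `Data[@Name='X'] = 'Y'` spelling used in this query, which is an assumption noted in the code.

```python
import re
import xml.etree.ElementTree as ET

# The noise-filter query from the post, copied into a raw string so the
# backslashes in the Windows paths are kept literally (r"" is required:
# "\b" in backgroundTaskHost would otherwise become a backspace).
NOISE_FILTER = r"""<QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select>
<Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe' or
 Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe' )]]</Suppress>
<Suppress Path='Security'>(*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']]) or (*[System[EventID=4770]]) or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']]) or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])</Suppress>
</Query></QueryList>"""

# Assumption: the query writes EventID tests as EventID=N and EventData tests
# as Data[@Name='X'] = 'Y'. Other XPath spellings are not recognised here.
EVENT_ID_RE = re.compile(r"EventID\s*=\s*'?(\d+)'?")
DATA_RE = re.compile(r"Data\[@Name='([^']+)'\]\s*=\s*'([^']*)'")
# Top-level "(...) or (...)" separator between independently suppressed groups.
TOP_LEVEL_OR_RE = re.compile(r"\)\s+or\s+\(")


def parse_querylist(xml_text):
    """Parse a QueryList into dicts. Raises ET.ParseError when the text is not
    well-formed XML, which is the most common copy/paste failure."""
    root = ET.fromstring(xml_text)
    if root.tag != "QueryList":
        raise ValueError(f"expected <QueryList> root, got <{root.tag}>")
    queries = []
    for q in root.findall("Query"):
        queries.append({
            "id": q.get("Id"),
            "path": q.get("Path"),
            "select": [(s.get("Path"), (s.text or "").strip()) for s in q.findall("Select")],
            "suppress": [(s.get("Path"), (s.text or "").strip()) for s in q.findall("Suppress")],
        })
    return queries


def is_well_formed(xml_text):
    """True if the text parses as a QueryList, False otherwise."""
    try:
        parse_querylist(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False


def split_or_groups(expr):
    """Split a Suppress expression into its top-level OR groups; an expression
    without top-level groups is returned as a single group."""
    parts = TOP_LEVEL_OR_RE.split(expr.strip())
    return [p.strip().strip("()").strip() for p in parts]


def describe_suppressions(xml_text):
    """One dict per OR group: the EventIDs it suppresses and the EventData
    conditions attached to it. No conditions means the EventID is dropped outright."""
    groups = []
    for query in parse_querylist(xml_text):
        for _, expr in query["suppress"]:
            for g in split_or_groups(expr):
                groups.append({
                    "event_ids": sorted({int(x) for x in EVENT_ID_RE.findall(g)}),
                    "conditions": DATA_RE.findall(g),
                })
    return groups


def all_suppressed_event_ids(xml_text):
    """Sorted list of every EventID touched by a Suppress clause."""
    return sorted({eid for g in describe_suppressions(xml_text) for eid in g["event_ids"]})


def unconditional_suppressions(xml_text):
    """EventIDs suppressed by a group that carries no EventData condition."""
    return sorted(eid for g in describe_suppressions(xml_text)
                  if not g["conditions"] for eid in g["event_ids"])


if __name__ == "__main__":
    print("well-formed:", is_well_formed(NOISE_FILTER))
    for g in describe_suppressions(NOISE_FILTER):
        print(g["event_ids"], "when", g["conditions"] or "ALWAYS")
    print("unconditional:", unconditional_suppressions(NOISE_FILTER))
```

Running it on the query from the post reports five suppression groups, with 4770 as the only EventID dropped unconditionally; that is the kind of line item to confirm with whoever owns your Kerberos detection content before the bulk edit goes out.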