Overview

The latest release of the QRadar Log Source Management App provides the ability to bulk-change one or many WinCollect log sources. You need QRadar 7.3.1 or later and version 2.0 or greater of the Log Source Management App to use the bulk change feature.

Use Case

I want to modify the polling interval from 3s to 10s for all of my Microsoft Windows Security Event Log WinCollect log sources.

Launch the QRadar Log Source Management App
Filter the Log Source Types by “Microsoft Windows Security Event Log” and Protocol Type of “WinCollect”


Select all of the log sources you want to modify

NOTE: you can filter by name as well.

If I only wanted the 64-bit boxes, I could type in “64-bit” and that would narrow my list to


Select all Log Sources and click on Edit

Click on the “Protocol” tab, click on the “Polling Interval” entry, change it to 10000 (the value is in milliseconds, so 10000 is 10s), and then click on Save


The selected log sources will now have a polling interval of 10s. The agents need to pick up the changes from QRadar, so it could be 5 minutes before an agent gets the change from QRadar.

Use Case

Add a noise-filtering XPath to all WinCollect log sources (Microsoft Windows Security Event Log)

Follow the same steps as above, select XPath Query, add the following entry, and click on Save

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
      Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe'
      or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe'
    )]]</Suppress>
    <Suppress Path="Security">(*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']])
      or (*[System[EventID=4770]])
      or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']])
      or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])
    </Suppress>
  </Query>
</QueryList>
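Before pushing a filter like this to many log sources at once, it is worth checking that it is well-formed XML and that it drops only what you intend. The following Python script is an added example, not code from the article, QRadar or WinCollect. It parses the QueryList above with the standard library, confirms the number of event log channels it touches stays within the 10-channel limit that the comment thread mentions, and then runs a Python model of the two Suppress clauses over constructed sample events to show which ones would still be forwarded. The event dicts, the function names, the MAX_CHANNELS constant and the sample process names are assumptions made for this example; the filter text itself is the one from the article.

```python
import re
import xml.etree.ElementTree as ET

# The WinCollect noise filter from the article, verbatim (raw string so the
# Windows paths keep their backslashes).
NOISE_FILTER = r"""<QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select>
<Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='SubjectLogonId'] = '0x3e7' and (
Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchFilterHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\SysWOW64\SearchProtocolHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\SearchProtocolHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\backgroundTaskHost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\conhost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskeng.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\svchost.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\sc.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\rundll32.exe'
 or Data[@Name='NewProcessName'] = 'C:\Windows\System32\taskhostex.exe'
)]]</Suppress><Suppress Path="Security">(*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName'] = 'krbtgt']])
 or (*[System[EventID=4770]])
 or (*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType'] = '3']])
 or (*[System[EventID=4634]] and *[EventData[Data[@Name='LogonType'] = '3']])
</Suppress></Query></QueryList>"""

MAX_CHANNELS = 10  # limit cited in the article's comment thread (assumed to apply per QueryList)
SYSTEM_LOGON_ID = "0x3e7"  # well-known logon ID of the SYSTEM session
_PROC_RE = re.compile(r"Data\[@Name='NewProcessName'\]\s*=\s*'([^']+)'")


def parse_query_list(xml_text):
    """Parse a QueryList; return (sorted channel names, list of Suppress bodies).
    Raises on malformed XML or when more channels are queried than allowed."""
    root = ET.fromstring(xml_text)  # ParseError on broken XML, e.g. an unclosed tag
    if root.tag != "QueryList":
        raise ValueError("root element must be QueryList")
    channels = {el.get("Path") for el in root.iter() if el.get("Path")}
    if len(channels) > MAX_CHANNELS:
        raise ValueError(f"{len(channels)} channels exceeds the limit of {MAX_CHANNELS}")
    return sorted(channels), [el.text or "" for el in root.iter("Suppress")]


def noise_processes(suppress_bodies):
    """Process paths listed in the 4688 Suppress clause (exact strings, as XPath 1.0 compares)."""
    return {path for body in suppress_bodies for path in _PROC_RE.findall(body)}


def is_suppressed(event, noisy):
    """Python model of the two Suppress clauses. `event` is a flat dict with the
    System EventID and an EventData dict of the Data fields the filter inspects."""
    eid, data = event["EventID"], event.get("EventData", {})
    # Clause 1: process creation by the SYSTEM session for a known-noisy binary
    if eid == 4688 and data.get("SubjectLogonId") == SYSTEM_LOGON_ID \
            and data.get("NewProcessName") in noisy:
        return True
    # Clause 2: routine Kerberos chatter and network (type 3) logons/logoffs
    if eid == 4769 and data.get("ServiceName") == "krbtgt":
        return True
    if eid == 4770:
        return True
    return eid in (4624, 4634) and data.get("LogonType") == "3"


def forwarded(events, xml_text=NOISE_FILTER):
    """Events that would still reach QRadar after the filter is applied at the endpoint."""
    _, bodies = parse_query_list(xml_text)
    noisy = noise_processes(bodies)
    return [e for e in events if not is_suppressed(e, noisy)]


# Constructed sample events; only the fields the filter inspects are modelled.
SAMPLE_EVENTS = [
    {"EventID": 4688, "EventData": {"SubjectLogonId": "0x3e7",
                                    "NewProcessName": r"C:\Windows\System32\svchost.exe"}},
    {"EventID": 4688, "EventData": {"SubjectLogonId": "0x3e7",
                                    "NewProcessName": r"C:\Windows\System32\notepad.exe"}},
    {"EventID": 4688, "EventData": {"SubjectLogonId": "0x1a2b3c",  # not the SYSTEM session
                                    "NewProcessName": r"C:\Windows\System32\svchost.exe"}},
    {"EventID": 4624, "EventData": {"LogonType": "3"}},     # network logon: dropped
    {"EventID": 4624, "EventData": {"LogonType": "10"}},    # RemoteInteractive logon: kept
    {"EventID": 4769, "EventData": {"ServiceName": "krbtgt"}},
    {"EventID": 4769, "EventData": {"ServiceName": "cifs/fileserver01"}},
    {"EventID": 4770, "EventData": {}},                     # ticket renewal: dropped
    {"EventID": 4672, "EventData": {}},                     # special privileges: kept
]

if __name__ == "__main__":
    channels, bodies = parse_query_list(NOISE_FILTER)
    print("channels queried:", channels, "| noisy processes:", len(noise_processes(bodies)))
    for ev in forwarded(SAMPLE_EVENTS):
        print("forward", ev["EventID"], ev["EventData"])
```

Two things the run makes visible: a 4688 for svchost.exe is only dropped when it comes from the SYSTEM session (SubjectLogonId 0x3e7), so the same binary started under a user session is still forwarded; and the 4624/4634 clause drops only LogonType 3, so interactive and RemoteInteractive logons keep flowing. The model compares strings exactly, as XPath 1.0 does, so check the casing of your process paths against what the agent host actually logs before relying on the clause.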

2 comments on "Bulk Change WinCollect Log Sources using QRadar Log Source Management App"

  1. scott searls April 01, 2022

    Can one use XPATHs and blacklist filters together, or is it one or the other? e.g. XPATH for those (ID and “string”), but just use a blacklist filter for an entire ID?

    • JonathanP_QRadar May 26, 2022

      Yes, if you have both an XPath Query and a Predefined Filter in the log source, they are both applied. As XPath is a query in itself, the data is retrieved based on the XML and returned to WinCollect as described here: https://www.ibm.com/support/pages/wincollect-event-filtering.

      XPath is more powerful than using a Predefined filter, as you can create special conditions like suppress EventID 4663, but only when the service is {servicename}. The XPath is smart enough to filter based on these conditions, whereas the predefined filter will look for exact matches in the retrieved data, such as 4663, and not forward the matched event for EventID=4663 to QRadar. XPath is more flexible when it comes to special conditions, whereas the predefined filter is more of an “if matches, then drop” filter.

      Both XPath and Predefined filters can be used together, but you want to ensure that your XPath special conditions and your predefined filters do not overlap. If both exist in a log source, this is the order of operations:

      1 – XPath queries the remote endpoint to retrieve the data. Only the data in the XPath query is returned, meaning that you can use the XPath to add special conditions to your filtering or selectively filter at the endpoint.
      2 – WinCollect processes the event and applies the Predefined filter from the log source configuration based on the EventID number or service name.


      What should I use?

      XPath Queries – More flexible and can be conditional, but limited to 10 event logs. You can add special filtering like process name, LoginID, event ID, computer name, path, and more to target specific data or use cases. The data is filtered based on the query before it is returned to WinCollect.
      Predefined filter – Gets all data from the endpoint, then filters are applied by the WinCollect agent to exclude event IDs or a service name. These can be used in coordination with XPath, but are not conditional, and any matches are not forwarded as events to QRadar.
