MSRPC parameters on Windows hosts
To enable communication between your Windows host and IBM QRadar over MSRPC, configure the Remote Procedure Calls (RPC) settings on the Windows host for the Microsoft Remote Procedure Calls (MSRPC) protocol.
You must be a member of the administrators group to enable communication over MSRPC between your Windows host and the QRadar appliance.
| Specification | Value |
|---|---|
| Manufacturer | Microsoft |
| Protocol type | The operating-system-dependent type of the remote procedure protocol for collection of events. Select one of the following options from the Protocol Type list: |
| Supported versions | Windows Server 2022 (including Core), WinCollect v10.1.2 and above; Windows Server 2019 (including Core); Windows Server 2016 (including Core); Windows Server 2012 (including Core); Windows 11, WinCollect v10.1.2 and above; Windows 10 |
| Intended application | Agentless event collection for Windows operating systems that can support 100 EPS per log source. |
| Maximum number of supported log sources | 500 MSRPC protocol log sources for each managed host (16xx or 18xx appliance) |
| Maximum overall EPS rate of MSRPC | 8500 EPS for each managed host |
| Special features | Supports encrypted events by default. |
| Required permissions | The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup Operators group can also be used, depending on how Microsoft Group Policy Objects are configured. Windows XP and 2003 operating system users require read access to the following registry keys: |
| Supported event types | Application, System, Security, DNS Server, File Replication, Directory Service logs |
| Windows service requirements | For Windows Server 2008 and Windows Vista, use the following services: For Windows 2003, use the Remote Registry and Server services. |
| Windows port requirements | Ensure that external firewalls between the Windows host and the QRadar appliance are configured to allow incoming and outgoing TCP connections on the following ports. For Windows Server 2008 and Windows Vista, use the following ports: For Windows 2003, use the following ports: |
| Automatically discovered? | No |
| Includes identity? | Yes |
| Includes custom properties? | A security content pack with Windows custom event properties is available on IBM® Fix Central. |
| Required RPM files | PROTOCOL-WindowsEventRPC-QRadar_release-Build_number.noarch.rpm; DSM-MicrosoftWindows-QRadar_release-Build_number.noarch.rpm; DSM-DSMCommon-QRadar_release-Build_number.noarch.rpm |
| More information | Microsoft support (http://support.microsoft.com/) |
| Troubleshooting tool available | The MSRPC test tool is part of the MSRPC protocol RPM. After installation of the MSRPC protocol RPM, the MSRPC test tool can be found in /opt/qradar/jars. |
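As an added example that is not part of the IBM page, the following PowerShell, run on the Windows host, checks that the log source account meets the Event Log Readers requirement listed above (rather than holding domain admin rights) and can read each of the listed log types through the same RPC path QRadar uses. The account name and the exact log names are assumptions; on the host the "File Replication" log is usually registered as "File Replication Service".

```powershell
# Added example (not from the IBM page). Run on the Windows host being polled.
# $LogSourceUser is an assumed placeholder for the QRadar MSRPC poller account.
param(
    [string]$LogSourceUser = 'EXAMPLE\svc-qradar-msrpc'
)

# 1. Least-privilege check: the poller should be in Event Log Readers, not Domain Admins.
$readers = Get-LocalGroupMember -Group 'Event Log Readers' |
           Select-Object -ExpandProperty Name
if ($readers -contains $LogSourceUser) {
    "OK      $LogSourceUser is a member of 'Event Log Readers'"
} else {
    Write-Warning "$LogSourceUser is not in 'Event Log Readers'; remote polling would need broader rights."
}

# 2. Functional check: read one event from each log type the MSRPC protocol collects,
#    as the poller account, via RPC to this host (same path the QRadar appliance uses).
$cred = Get-Credential -UserName $LogSourceUser -Message 'Password of the log source account'
$logs = 'Application', 'System', 'Security', 'DNS Server',
        'File Replication Service', 'Directory Service'   # assumed on-host log names
foreach ($log in $logs) {
    try {
        $null = Get-WinEvent -ComputerName $env:COMPUTERNAME -Credential $cred `
                             -LogName $log -MaxEvents 1 -ErrorAction Stop
        "OK      $log"
    } catch {
        # Absent logs (e.g. DNS Server on a non-DNS host) and access-denied errors both land here.
        "FAILED  $log : $($_.Exception.Message)"
    }
}
```

A FAILED line with an access-denied message on the Security log while the group check passed usually points at a Group Policy Object overriding the local group, which is the case the table's Backup Operators note covers.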