Microsoft Security Event Log over MSRPC log source parameters for Microsoft Windows Security Event Log

If QRadar does not automatically detect the log source, add a Microsoft Windows Security Event Log log source on the QRadar Console by using the Microsoft Security Event Log over MSRPC protocol.

When using the Microsoft Security Event Log over MSRPC protocol, you must use some specific parameters.

The following table describes the parameters that require specific values to collect Microsoft Security Event Log over MSRPC events from Microsoft Windows Security Event Log:
Table 1. Microsoft Security Event Log over MSRPC log source parameters for the Microsoft Windows Security Event Log DSM

Log Source type
    Microsoft Windows Security Event Log

Protocol Configuration
    Microsoft Security Event Log over MSRPC

Log Source Identifier
    Type the IP address or hostname for the log source as an identifier for events from your Microsoft Windows Security Event Log devices.

The following table lists the configuration options of the MSRPC protocol.

Table 2. Configuration options for MSRPC protocol

Protocol Type
    The protocol type for collecting events through the remote procedure call. The protocol type depends on your operating system. Select one of the following options from the Protocol Type list:

    MS-EVEN6
        The default protocol type for new log sources. QRadar uses this protocol type to communicate with Windows Vista and Windows Server 2012 and later.
        Important: The MS-EVEN (for Windows XP/2003) option is no longer supported. However, it still appears in the Protocol Type list.

    auto-detect (for legacy configurations)
        Previous log source configurations for the Microsoft Windows Security Event Log DSM use the auto-detect (for legacy configurations) protocol type. Upgrade these log sources to the MS-EVEN6 protocol type.

Log Source Identifier
    An identifier string for this log source. It must not include spaces and must be unique among all log sources that use the Microsoft Security Event Log over MSRPC protocol.

Domain
    If your username requires you to specify the domain, enter it separately in this field rather than using <DOMAIN\USERNAME> as the username.

Username
    The username required to access the Windows host.

Password
    The password required to access the Windows host.

Polling Interval (sec)
    The frequency at which the log source attempts to obtain data. The default value is 5000, but note that the upper limit of the protocol is around 100 EPS.

Standard Log Types
    The event channels from which events are pulled:

    Application
    System
    Security
    DNS Server
    File Replication
    Directory Service logs

Event Types
    The event levels to pull from the selected event channels:

    Informational
    Warning
    Error
    Success Audit
    Failure Audit

For a complete list of supported features of Microsoft Security Event Log over MSRPC protocol parameters, see Microsoft Security Event Log over MSRPC Protocol.
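As an added example (not part of the IBM documentation and not QRadar's own code), the following Python linter checks a set of MSRPC log source definitions against the constraints in the tables above: unique identifiers without spaces, the unsupported MS-EVEN and legacy auto-detect protocol types, the domain placed in its own field, and only the listed log channels and event levels. The dict field names and the sample definitions are assumptions constructed for the example.

```python
from collections import Counter

# Allowed values taken from the tables above. Field names in the source
# dicts (identifier, protocol_type, username, log_types, event_types)
# are assumed for this example; they are not QRadar's export format.
STANDARD_LOG_TYPES = {"Application", "System", "Security", "DNS Server",
                      "File Replication", "Directory Service"}
EVENT_TYPES = {"Informational", "Warning", "Error", "Success Audit", "Failure Audit"}
LEGACY_AUTO = "auto-detect (for legacy configurations)"


def lint_log_sources(sources):
    """Return (identifier, finding) pairs for a list of MSRPC log source definitions."""
    findings = []
    # The identifier must be unique among all log sources that use this protocol.
    counts = Counter(s["identifier"] for s in sources)
    for s in sources:
        ident = s["identifier"]
        if " " in ident:
            findings.append((ident, "identifier must not contain spaces"))
        if counts[ident] > 1:
            findings.append((ident, "identifier is not unique"))
        ptype = s["protocol_type"]
        if ptype == "MS-EVEN":
            findings.append((ident, "MS-EVEN is no longer supported; use MS-EVEN6"))
        elif ptype == LEGACY_AUTO:
            findings.append((ident, "legacy auto-detect protocol type; upgrade to MS-EVEN6"))
        elif ptype != "MS-EVEN6":
            findings.append((ident, f"unknown protocol type {ptype!r}"))
        # The domain belongs in the Domain field, not in DOMAIN\USERNAME form.
        if "\\" in s["username"]:
            findings.append((ident, "domain must go in the Domain field, not the username"))
        for lt in sorted(set(s["log_types"]) - STANDARD_LOG_TYPES):
            findings.append((ident, f"unknown standard log type {lt!r}"))
        for et in sorted(set(s["event_types"]) - EVENT_TYPES):
            findings.append((ident, f"unknown event type {et!r}"))
    return findings


# Constructed sample: one clean definition and two with deliberate mistakes.
SAMPLE_SOURCES = [
    {"identifier": "dc01.example.test", "protocol_type": "MS-EVEN6", "username": "svc_qradar",
     "log_types": ["Security", "System"], "event_types": ["Success Audit", "Failure Audit"]},
    {"identifier": "file srv", "protocol_type": LEGACY_AUTO, "username": "EXAMPLE\\svc_qradar",
     "log_types": ["Security", "Setup"], "event_types": ["Error"]},
    {"identifier": "dc01.example.test", "protocol_type": "MS-EVEN", "username": "svc_qradar",
     "log_types": ["Application"], "event_types": ["Critical"]},
]
```

Running lint_log_sources(SAMPLE_SOURCES) reports the duplicate identifier on both dc01 entries, plus the space, legacy protocol type, embedded domain and unknown channel on the second entry and the unsupported MS-EVEN type and unknown event level on the third.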