Microsoft Security Event Log over MSRPC Protocol

The Microsoft Security Event Log over MSRPC protocol (MSRPC) is an active outbound protocol that collects Windows events without an agent installed on the Windows host.

The MSRPC protocol uses the Microsoft Distributed Computing Environment/Remote Procedure Call (DCE/RPC) specification to provide agentless, encrypted event collection.

The following table lists the supported features of the MSRPC protocol.

Table 1. Supported features of the MSRPC protocol

Manufacturer: Microsoft

Connection test tool: The MSRPC test tool checks the connectivity between the QRadar® appliance and a Windows host. The MSRPC test tool is part of the MSRPC protocol RPM and can be found in /opt/qradar/jars after you install the protocol. For more information, see MSRPC test tool (http://www.ibm.com/support/docview.wss?uid=swg21959348).

Protocol type: The remote procedure protocol type for collecting events. The protocol type depends on your operating system. Select one of the following options from the Protocol Type list:
  • MS-EVEN6: The default protocol type for new log sources. It is the protocol type that QRadar uses to communicate with Windows Vista, Windows Server 2012, and later.
    Important: The MS-EVEN (for Windows XP/2003) option is no longer supported, although it still appears in the Protocol Type list.
  • auto-detect (for legacy configurations): Previous log source configurations for the Microsoft Windows Security Event Log DSM use this protocol type. Upgrade these log sources to the MS-EVEN6 protocol type.

Maximum EPS rate: 100 EPS per Windows host

Maximum overall EPS rate of MSRPC: 8500 EPS per IBM® QRadar 16xx or 18xx appliance

Maximum number of supported log sources: 500 log sources per QRadar 16xx or 18xx appliance

Bulk log source support: Yes

Encryption: Yes

Supported event types:
  • Application
  • System
  • Security
  • DNS Server
  • File Replication
  • Directory Service logs

Supported Windows operating systems:
  • Windows Server 2022 (including Core); WinCollect v10.1.2 and above
  • Windows Server 2019 (including Core)
  • Windows Server 2016 (including Core)
  • Windows Server 2012 (including Core)
  • Windows 10
  • Windows 11; WinCollect v10.1.2 and above

Required permissions: The log source user must be a member of the Event Log Readers group. If this group is not configured, domain administrator privileges are usually required to poll a Windows event log across a domain. In some cases the Backup Operators group can be used, depending on how Microsoft Group Policy Objects are configured. The log source user also needs access to the following registry keys:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

Required RPM files:
  • PROTOCOL-WindowsEventRPC-QRadar_release-Build_number.noarch.rpm
  • DSM-MicrosoftWindows-QRadar_release-Build_number.noarch.rpm
  • DSM-DSMCommon-QRadar_release-Build_number.noarch.rpm

Windows service requirements:
  • Remote Procedure Call (RPC)
  • RPC Endpoint Mapper

Windows port requirements:
  • TCP port 135
  • TCP port 445
  • TCP port that is dynamically allocated for RPC, from port 49152 up to 65535

Special features: Supports encrypted events by default.

Automatically discovered? No

Includes identity? Yes

Includes custom properties? A security content pack with Windows custom event properties is available on IBM Fix Central.

Intended application: Agentless event collection for Windows operating systems that can support 100 EPS per log source.

Tuning support: MSRPC is limited to 100 EPS per Windows host. For higher event rate systems, see the IBM QRadar WinCollect User Guide.

Event filtering support: MSRPC does not support event filtering. See the IBM QRadar WinCollect User Guide for this feature.

More information: Microsoft support (http://support.microsoft.com/)
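The following PowerShell script is an added example, not IBM's code or part of the MSRPC protocol package. Run on the Windows host to be polled, it checks the prerequisites the table lists (RPC services, TCP 135 and 445, the dynamic RPC port range, Event Log Readers membership, and read access to the three registry keys); the account name in $CollectorUser is a constructed placeholder.

```powershell
param(
    [string]$CollectorUser = 'CONTOSO\qradar-svc'   # constructed placeholder; replace with the log source account
)

$results = [ordered]@{}

# Windows service requirements: Remote Procedure Call (RpcSs) and RPC Endpoint Mapper (RpcEptMapper)
foreach ($svc in 'RpcSs', 'RpcEptMapper') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results["Service $svc running"] = ($null -ne $s -and $s.Status -eq 'Running')
}

# Windows port requirements: the host must listen on TCP 135 (endpoint mapper) and TCP 445
foreach ($port in 135, 445) {
    $conn = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    $results["TCP port $port listening"] = ($null -ne $conn)
}

# The dynamic RPC range must fall inside 49152-65535, the range the table says to allow
$range = netsh int ipv4 show dynamicport tcp
$start = [int](($range | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
$count = [int](($range | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
$results['Dynamic RPC range within 49152-65535'] = ($start -ge 49152 -and ($start + $count - 1) -le 65535)

# Required permissions: direct membership of Event Log Readers (nested domain groups are not expanded here)
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
$results["$CollectorUser in Event Log Readers"] = [bool]($members | Where-Object { $_.Name -ieq $CollectorUser })

# Registry keys listed in the table must open for read under the caller's token
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\Language',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($k in $keys) {
    try   { $null = Get-Item -Path $k -ErrorAction Stop; $results["Readable $k"] = $true }
    catch { $results["Readable $k"] = $false }
}

# One PASS/FAIL line per check; any FAIL is a reason the QRadar poll would not succeed
foreach ($r in $results.GetEnumerator()) {
    '{0} {1}' -f ($(if ($r.Value) { 'PASS' } else { 'FAIL' }), $r.Key)
}
```

The registry check reflects the rights of whoever runs the script, so run it as the log source account (or compare its output with that account's effective permissions) for a meaningful result.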