Microsoft Security Event Log over MSRPC protocol

The Microsoft Security Event Log over Microsoft Remote Procedure Call (MSRPC) protocol is an active outbound protocol that collects Windows events without installing an agent on the Windows host.

The MSRPC protocol uses the Microsoft Distributed Computing Environment / Remote Procedure Call (DCE/RPC) specification to provide agentless, encrypted event collection.

The following table lists the supported features of the MSRPC protocol.

Table 1. Supported features of the MSRPC protocol

Maximum EPS rate: 100 EPS per Windows host

Maximum overall EPS rate of MSRPC: 8500 EPS per IBM QRadar 16xx or 18xx appliance

Maximum number of supported log sources: 500 log sources per QRadar 16xx or 18xx appliance

Bulk log source support: Yes

Encryption: Yes

Supported Windows operating systems:
  • Windows Server 2022 (including Core) (WinCollect v10.1.2 and later)
  • Windows Server 2019 (including Core)
  • Windows Server 2016 (including Core)
  • Windows Server 2012 (including Core)
  • Windows 10
  • Windows 11 (WinCollect v10.1.2 and later)

Required permissions: The log source user must be a member of the Event Log Readers group. If this group is not configured, domain admin privileges are required to poll a Windows event log across a domain. Occasionally, the Backup Operators group can be used, depending on how Microsoft Group Policy Objects are configured.
  Registry keys:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft Windows\CurrentVersion

Required RPM files:
  • PROTOCOL-WindowsEventRPC-QRadar_release-Build_number.noarch.rpm
  • DSM-MicrosoftWindows-QRadar_release-Build_number.noarch.rpm
  • DSM-DSMCommon-QRadar_release-Build_number.noarch.rpm

Windows service requirements:
  • Remote Procedure Call (RPC)
  • RPC Endpoint Mapper

Windows port requirements:
  • TCP port 135
  • TCP port 445
  • A TCP port that is dynamically allocated for RPC, from port 49152 up to 65535

Special features: Supports encrypted events by default.

Automatically discovered? No

Includes identity? Yes

Includes custom properties? A security content pack with Windows custom event properties is available on IBM® Fix Central.

Intended application: Agentless event collection for Windows operating systems that can support 100 EPS per log source.

Tuning support: MSRPC is limited to 100 EPS per Windows host. For higher event rate systems, see the IBM QRadar WinCollect User Guide.

More information: Microsoft support (http://support.microsoft.com/)
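The table above lists the host-side prerequisites (services, group membership, registry access, ports) but gives no way to confirm them before the log source is created. The following script is an added example, not IBM's documentation or QRadar's own code: run from an elevated PowerShell session on the Windows host that QRadar will poll, it reports each prerequisite as pass or fail. It assumes Windows Server 2016 / Windows 10 or later (for Get-LocalGroupMember and the NetTCPIP and NetSecurity cmdlets), English-language netsh output, and a placeholder account name in $LogSourceUser that you replace with the log source user. The firewall rule group name "Remote Event Log Management" is the Windows built-in group that opens the RPC endpoint mapper, RPC and named-pipe (TCP 445) inbound rules. Only the first two registry keys from the table are checked; the third is reproduced on the page as printed there, so adjust the path to match your host before adding it.

```powershell
# Added example (not IBM's code): verifies the Table 1 prerequisites for agentless
# MSRPC collection on the Windows host that QRadar will poll. Run elevated.
param(
    [string]$LogSourceUser = 'DOMAIN\svc-qradar'   # placeholder, replace with the real log source account
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Windows service requirements: Remote Procedure Call (RPC) and RPC Endpoint Mapper
foreach ($svc in 'RpcSs', 'RpcEptMapper') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Check "Service $svc running" ($null -ne $s -and $s.Status -eq 'Running') `
              $(if ($s) { "$($s.Status)" } else { 'service not found' })
}

# 2. Required permissions: the log source user must be in Event Log Readers.
#    Get-LocalGroupMember lists direct members only; membership through a nested
#    domain group is not detected here and has to be confirmed in AD.
$members = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue)
Add-Check "$LogSourceUser in Event Log Readers" `
          ([bool]($members | Where-Object { $_.Name -eq $LogSourceUser })) `
          (($members | ForEach-Object { $_.Name }) -join ', ')

# 3. Read access on the registry keys from Table 1. An ACE passes when it allows the
#    full ReadKey right to the log source user, Event Log Readers, Authenticated Users
#    or the local Users group. Generic-rights ACEs (shown as negative numbers) are
#    not expanded here and would need a manual look.
$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services\eventlog',
                 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\Language') {
    if (-not (Test-Path $key)) { Add-Check "Read access on $key" $false 'key not found'; continue }
    $grant = @((Get-Acl -Path $key).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $readKey) -eq $readKey) -and
        ($_.IdentityReference.Value -eq $LogSourceUser -or
         $_.IdentityReference.Value -match 'Event Log Readers|Authenticated Users|\\Users$')
    })
    Add-Check "Read access on $key" ($grant.Count -gt 0) `
              (($grant | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
}

# 4. Windows port requirements: TCP 135 and 445 listening, and the dynamic RPC
#    range inside 49152-65535 (the range the collector expects).
$listen = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)
foreach ($port in 135, 445) {
    Add-Check "TCP port $port listening" ([bool]($listen | Where-Object { $_.LocalPort -eq $port })) ''
}
$dynText = (netsh int ipv4 show dynamicport tcp) -join ' '
if ($dynText -match 'Start Port\s*:\s*(\d+).*Number of Ports\s*:\s*(\d+)') {
    $start = [int]$Matches[1]; $last = $start + [int]$Matches[2] - 1
    Add-Check 'Dynamic RPC range within 49152-65535' ($start -ge 49152 -and $last -le 65535) "$start-$last"
} else {
    Add-Check 'Dynamic RPC range within 49152-65535' $false 'could not parse netsh output (English locale assumed)'
}

# 5. Host firewall: the built-in "Remote Event Log Management" inbound rule group
#    covers RPC-EPMAP (135), RPC (dynamic) and NP-In (445). All rules must be enabled.
$fw = @(Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound -ErrorAction SilentlyContinue)
Add-Check 'Firewall group "Remote Event Log Management" enabled' `
          ($fw.Count -gt 0 -and -not ($fw | Where-Object { "$($_.Enabled)" -ne 'True' })) `
          (($fw | ForEach-Object { "$($_.DisplayName)=$($_.Enabled)" }) -join '; ')

$results | Format-Table -AutoSize
```

A failed "Event Log Readers" check with the account present in a nested domain group is a false negative of the script, not of the permission; likewise a host that exposes these ports only to the QRadar event collector through a third-party firewall will show the Windows rule group as disabled while collection still works, so read the Detail column before changing anything.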