Microsoft Security Event Log over MSRPC protocol
The Microsoft Security Event Log over Microsoft Remote Procedure Call (MSRPC) protocol is an active outbound protocol: QRadar initiates the connection and polls the Windows host for events, so no agent is installed on the host.
The MSRPC protocol uses the Microsoft implementation of the Distributed Computing Environment / Remote Procedure Call (DCE/RPC) specification to provide agentless, encrypted event collection.
The following table lists the supported features of the MSRPC protocol.
Features | Microsoft Security Event Log over MSRPC protocol |
---|---|
Maximum EPS rate | 100 EPS / Windows host |
Maximum overall EPS rate of MSRPC | 8500 EPS / IBM QRadar 16xx or 18xx appliance |
Maximum number of supported log sources | 500 log sources / QRadar 16xx or 18xx appliance |
Bulk log source support | Yes |
Encryption | Yes |
Supported Windows operating systems | Windows Server 2022 (including Core; WinCollect v10.1.2 and later), Windows Server 2019 (including Core), Windows Server 2016 (including Core), Windows Server 2012 (including Core), Windows 10, Windows 11 (WinCollect v10.1.2 and later) |
Required permissions | The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required to poll a Windows event log across a domain. Occasionally, the Backup Operators group can be used, depending on how Microsoft Group Policy Objects are configured. |
Required RPM files | PROTOCOL-WindowsEventRPC-QRadar_release-Build_number.noarch.rpm DSM-MicrosoftWindows-QRadar_release-Build_number.noarch.rpm DSM-DSMCommon-QRadar_release-Build_number.noarch.rpm |
Windows service requirements | |
Windows port requirements | |
Special features | Supports encrypted events by default. |
Automatically discovered? | No |
Includes identity? | Yes |
Includes custom properties? | A security content pack with Windows custom event properties is available on IBM® Fix Central. |
Intended application | Agentless event collection for Windows operating systems that can support 100 EPS per log source. |
Tuning support | MSRPC is limited to 100 EPS per Windows host. For higher event rate systems, see the IBM QRadar WinCollect User Guide. |
More information | Microsoft support (http://support.microsoft.com/) |
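The permissions row above is the part of this table that most often breaks a deployment: the polling account needs read access to the Security log on every target, and the least-privilege way to grant that is membership in the local Event Log Readers group rather than Domain Admins. The following PowerShell is an added example written for this page; it is not IBM or Microsoft code and does not come from the QRadar documentation. It assumes hypothetical names (a domain CORP, a service account svc-qradar-msrpc, a target host WIN-APP01) and that PowerShell remoting is enabled on the target. It adds the account to Event Log Readers, then reads the Security log remotely as that account, which exercises the same remote EventLog read path that an agentless MSRPC poll depends on.

```powershell
# Added example (not part of the IBM documentation): grant a dedicated,
# least-privilege QRadar polling account read access to the Security log
# on a collection target, then verify the remote read path.
# Assumed, hypothetical names: domain CORP, service account
# svc-qradar-msrpc, target host WIN-APP01.
param(
    [string]$Target  = 'WIN-APP01',
    [string]$Account = 'CORP\svc-qradar-msrpc'
)

# 1. Membership in the local "Event Log Readers" group is the documented
#    requirement for MSRPC polling; it avoids handing the collector
#    Domain Admin rights. Idempotent: only adds the account if missing.
$group = 'Event Log Readers'
Invoke-Command -ComputerName $Target -ScriptBlock {
    param($grp, $acct)
    $members = Get-LocalGroupMember -Group $grp -ErrorAction Stop |
               Select-Object -ExpandProperty Name
    if ($members -notcontains $acct) {
        Add-LocalGroupMember -Group $grp -Member $acct
        "Added $acct to '$grp' on $env:COMPUTERNAME"
    } else {
        "$acct is already a member of '$grp' on $env:COMPUTERNAME"
    }
} -ArgumentList $group, $Account

# 2. Verify as the polling account. A remote Get-WinEvent against the
#    Security log uses the remote EventLog interface over RPC, so an
#    access-denied here means the QRadar log source will fail the same way.
$cred = Get-Credential -UserName $Account -Message 'Password for the QRadar polling account'
try {
    $latest = Get-WinEvent -ComputerName $Target -Credential $cred `
                           -LogName 'Security' -MaxEvents 5 -ErrorAction Stop
    "Read {0} Security events from {1}; newest: {2} (Event ID {3})" -f `
        $latest.Count, $Target, $latest[0].TimeCreated, $latest[0].Id
} catch [System.UnauthorizedAccessException] {
    "Access denied reading the Security log on $Target as $Account; check group membership or the GPO that controls log access"
} catch {
    "Remote read of the Security log on $Target failed: $($_.Exception.Message)"
}
```

Run the script from an administrative session that already has rights on the target; the group change is made over PowerShell remoting, and the verification step deliberately uses the polling account's own credentials so that a success means the log source will authenticate the same way. If the Event Log Readers group membership is overridden by Group Policy (the table notes that the Backup Operators group is sometimes the group that works), the verification step is where that shows up. Keep in mind the rate limit from the table when sizing: one polling account can be reused across hosts, but each host is still capped at 100 EPS over MSRPC.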