Use case: Large endpoint deployment

The customer needs to collect Windows Security event logs and Sysmon event logs from every endpoint in the company, along with specific logs from its application, web, and mail servers.

Architecture

Device count
  • 15,000 endpoints (workstations and laptops)
  • 50 servers (Domain controllers, web, mail, database)
QRadar deployment
  • 1 Console, 10 Event Collectors

Option 1 - Windows Event Forwarding - several WEF collectors

Proposed solution
Windows Event Forwarding full deployment.
Advantages
  • Devices can be brought up and down and start sending events to the WEF collector as soon as they receive the GPO update.
  • Only a minimal number of WinCollect agents to manage.
  • Events can be filtered in the WEF subscription, dropping most of the event log noise on the endpoint before the data is sent to QRadar.
Disadvantages
  • The IT group must monitor the WEF collector servers to ensure they do not exceed their EPS thresholds.
  • The GPO must be configured and maintained by the IT group.
    • Adding or removing Event IDs is handled in the subscription, not in the GPO.

Option 2 - Mix of WEF and Managed WinCollect

Proposed solution
Windows Event Forwarding managed deployment.
Advantages
  • Endpoints can be brought up and down and start sending events to the WEF collector as soon as they receive the GPO update. No need to manage the endpoints individually once the GPO is configured.
  • Only a minimal number of WinCollect agents to manage.
  • Events can be filtered in the WEF subscription, dropping most of the event log noise on the endpoint before the data is sent to QRadar.
  • High-EPS servers are handled by a locally installed, managed WinCollect agent, reducing the load on the WEF collector.
  • Configuration and code updates for the managed agents can be deployed from the QRadar Console.
Disadvantages
  • The GPO must be configured and maintained by the IT group (for endpoints, this should be minimal).
    • Adding or removing Event IDs is handled in the subscription, not in the GPO.
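Options 1 and 2 both rely on the WEF subscription to do the filtering before events leave the endpoint. The script below is an added example (not code from the original page or from IBM) of what that looks like in practice: a source-initiated subscription created on the WEF collector with wecutil, whose query keeps only a chosen set of Security and Sysmon Event IDs. The collector name wec01.example.com, the subscription name, and the two Event ID lists are illustrative assumptions, not values from the page; adjust them to the use case.

```powershell
# Added example: source-initiated WEF subscription that forwards only selected
# Security and Sysmon events, so noise is dropped on the endpoint before it reaches
# the WEC server (and the WinCollect agent reading its ForwardedEvents log).
# Assumptions: subscription name and Event ID lists are illustrative choices.

$subscriptionId = 'QRadar-Security-Sysmon'
$xmlPath = "$env:TEMP\$subscriptionId.xml"

# Security Event IDs kept (log cleared, logon success/failure, explicit creds,
# process creation, account and group changes). Everything else is discarded.
$securityIds = 1102, 4624, 4625, 4648, 4688, 4720, 4728, 4732, 4756
# Sysmon events kept (process create, network connect, image load, process access,
# file create, registry value set, DNS query).
$sysmonIds   = 1, 3, 7, 10, 11, 13, 22

# Build the XPath "EventID=a or EventID=b ..." fragments once.
$secFilter = ($securityIds | ForEach-Object { "EventID=$_" }) -join ' or '
$sysFilter = ($sysmonIds   | ForEach-Object { "EventID=$_" }) -join ' or '

@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Filtered Security and Sysmon events for QRadar</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>50</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[($secFilter)]]</Select>
      </Query>
      <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[($sysFilter)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL: allow every member of Domain Computers (DC) to register as a source. -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@ | Set-Content -Path $xmlPath -Encoding UTF8

# Replace any existing subscription of the same name, create the new one, and read it back.
wecutil ds $subscriptionId 2>$null
wecutil cs $xmlPath
wecutil gs $subscriptionId

# Runtime status: which sources have registered, last heartbeat, and per-source errors.
# This is the check the IT group runs to see whether a collector is keeping up.
wecutil gr $subscriptionId
```

The endpoint side is the GPO the disadvantages list refers to: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, set to `Server=http://wec01.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60` (collector name assumed). The WinRM service must be running on the endpoint, and NETWORK SERVICE needs to be a member of the Event Log Readers group (or have equivalent channel access) for the Security log to be readable by the forwarder. Once that GPO is in place, changing which Event IDs are collected is a `wecutil ss` edit of the subscription on the collector, with no further change to the GPO.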

Option 3 - Stand-alone deployment

Proposed solution
Stand-alone deployment.
Advantages
  • Installation of agents can be controlled with BigFix or Microsoft SCCM.
  • EPS rates are of no concern with local collection on each endpoint, because each agent only handles its own host's events.
  • Upgrade issues can be resolved by reinstalling the agent.
Disadvantages
  • Must rely on the BigFix / SCCM groups to manage installations.
  • Changes to WinCollect configurations are typically slow to roll out.
  • Gathering logs from endpoints to troubleshoot issues can take time.
  • Updating WinCollect agents to new versions requires retesting and updates to the base image.
  • No control of the agents from QRadar; stand-alone agents are not managed by the Console.

Option 4 - Remote-poll deployment

Maximum of 500 remote polls per agent: 30 agents collecting from 500 endpoints each are needed to cover 15,000 endpoints.

Treat 500 remote polls per agent as the ceiling rather than the starting point. Size the number of endpoints per agent to the strength and reliability of the network, and add endpoints to an agent only while it still gets quick response times from every endpoint it polls. Even in a remote-poll deployment, run local collection on the high-value servers.
  • QRadar-managed agents
  • 30 agents remote polling 15,000 endpoints
  • 50 agents doing local collection on the servers
Proposed solution
Remote poll deployment.
Advantages
  • Fewer agents to manage.
  • Endpoints can be added or removed using QRadar bulk management.
Disadvantages
  • If polled endpoints are turned off or non-responsive, the agent continues to poll them.
  • Correct permissions (rights to read the remote event logs) and firewall rules (remote event log access over RPC) must be applied to all endpoints so they are reachable from the agent server.
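The last two points are where remote-poll deployments usually fail in practice, so they are worth checking from the agent server before endpoints are assigned to it. The script below is an added example, not WinCollect's own code or anything from the original page: for each endpoint it checks that the RPC endpoint mapper port (TCP 135) is reachable, that the polling account can actually read the Security log, and how long that read takes, which is the "response time" the sizing advice above depends on. The hostnames are constructed sample names and the credential prompt stands in for the service account WinCollect will use.

```powershell
# Added example: pre-flight check for WinCollect remote polling, run from the Agent
# server. Exercises the same remote event log path (RPC) that remote polling uses.
# Assumptions: hostnames below are constructed; the credential is the polling account.

$endpoints = 'ws-0001', 'ws-0002', 'ws-0003', 'srv-web01'   # constructed sample list
$cred      = Get-Credential -Message 'WinCollect remote-poll account (e.g. DOMAIN\svc-wincollect)'

function Test-RemotePollEndpoint {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $result = [ordered]@{
        Endpoint            = $ComputerName
        Rpc135Open          = $false
        SecurityLogReadable = $false
        ReadMilliseconds    = $null
        Error               = $null
    }

    # Remote event log access starts at the RPC endpoint mapper on TCP 135 and then
    # moves to a dynamic RPC port. A closed 135 means the agent polls into a timeout
    # on every cycle (the "continues to poll" disadvantage above).
    $tnc = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    $result.Rpc135Open = $tnc.TcpTestSucceeded
    if (-not $result.Rpc135Open) {
        $result.Error = 'TCP 135 unreachable: enable the "Remote Event Log Management" firewall rule group on the endpoint'
        return [pscustomobject]$result
    }

    # Reading one event from the Security log proves both the firewall path and that the
    # account has the rights (Event Log Readers membership or equivalent) polling needs.
    try {
        $elapsed = Measure-Command {
            $null = Get-WinEvent -ComputerName $ComputerName -Credential $Credential `
                                 -LogName Security -MaxEvents 1 -ErrorAction Stop
        }
        $result.SecurityLogReadable = $true
        $result.ReadMilliseconds    = [int]$elapsed.TotalMilliseconds
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$report = foreach ($h in $endpoints) { Test-RemotePollEndpoint -ComputerName $h -Credential $cred }
$report | Format-Table -AutoSize

# Endpoints that fail either check should be fixed (or left to WEF / local collection)
# before they are added to the agent's remote-poll list in the QRadar console.
$report | Where-Object { -not $_.SecurityLogReadable } |
    Export-Csv -Path "$env:TEMP\remote-poll-failures.csv" -NoTypeInformation
```

Run it with the list of endpoints you intend to assign to one agent; a high or widely varying ReadMilliseconds column is the signal to keep that agent's endpoint count well under the 500 maximum, and the exported CSV is the list to hand to the IT group for permission and firewall fixes.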