How To
Summary
This article contains the steps to configure a WinCollect 10 agent to collect and forward PowerShell logs to QRadar.
Steps
Notes:
- PowerShell events are collected by using an XPath query.
- The PowerShell events referred to in this article are the ones found under Applications and Services Logs, in the Windows PowerShell log.
- Open WinCollect 10 on the Windows host by clicking the IBM WinCollect 10 Console icon.
- Click Create Source.
- Select the source group type.
- Select a group in the Select Source Group section, then click Step 3: Source Type.
- In the next section, select the Microsoft Windows Events option, then click Step 4: Source Parameters.
- In the Configure Source Parameters section, select XPath Query and give it a name.
- In the XPath Query field, enter the following XPath:

      <QueryList>
        <Query Id="0" Path="Windows PowerShell">
          <Select Path="Windows PowerShell">*</Select>
        </Query>
      </QueryList>

- Click Apply in the Summary section.
- Confirm in QRadar, under Log Activity, that the PowerShell events are received:
  - The events are classified under the same log source that collects the Windows Security logs for the server.
  - The events carry the Windows PowerShell value in AgentLogFile, for example:

        <13>Jan 04 15:13:03 hostname AgentDevice=WindowsLog AgentLogFile=Windows PowerShell PluginVersion=WC.MSEVEN6.10.1.1.30 Source=PowerShell Computer=hostname...
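To script the confirmation step above, the following added Python example (not part of the IBM article or of WinCollect) parses the WinCollect syslog header format shown in the sample event and flags events whose AgentLogFile is Windows PowerShell; the two input lines are constructed samples, and a Security-log line is included to show the check rejecting other logs.

```python
import re
from typing import Dict, Iterable

# Constructed sample lines in the WinCollect header format shown in the
# article (one PowerShell event, one Security event); not real captures.
SAMPLE_EVENTS = [
    "<13>Jan 04 15:13:03 hostname AgentDevice=WindowsLog AgentLogFile=Windows PowerShell "
    "PluginVersion=WC.MSEVEN6.10.1.1.30 Source=PowerShell Computer=hostname",
    "<13>Jan 04 15:13:05 hostname AgentDevice=WindowsLog AgentLogFile=Security "
    "PluginVersion=WC.MSEVEN6.10.1.1.30 Source=Microsoft-Windows-Security-Auditing Computer=hostname",
]

# <PRI>Mon dd hh:mm:ss host  Key=Value Key=Value ...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)
# A key is a word at the start of the body or right after a space, followed by '='.
KEY_RE = re.compile(r"(?:^|(?<= ))(\w+)=")


def parse_wincollect_event(line: str) -> Dict[str, str]:
    """Split a WinCollect syslog line into header fields and Key=Value pairs.

    Values may contain spaces (e.g. 'Windows PowerShell'), so each value runs
    until the next ' Key=' token instead of the next whitespace. A value that
    itself contains 'word=' would be split early; that is acceptable here
    because the header fields we check never contain '='."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a WinCollect syslog line: {line!r}")
    fields = {"pri": m.group("pri"), "timestamp": m.group("ts"), "host": m.group("host")}
    body = m.group("body")
    keys = list(KEY_RE.finditer(body))
    for i, k in enumerate(keys):
        start = k.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        fields[k.group(1)] = body[start:end].strip()
    return fields


def is_powershell_event(fields: Dict[str, str]) -> bool:
    """The article's check: the event carries AgentLogFile=Windows PowerShell."""
    return fields.get("AgentLogFile") == "Windows PowerShell"


def count_powershell_events(lines: Iterable[str]) -> int:
    """How many of the given syslog lines came from the Windows PowerShell log."""
    return sum(1 for ln in lines if is_powershell_event(parse_wincollect_event(ln)))


if __name__ == "__main__":
    for ln in SAMPLE_EVENTS:
        f = parse_wincollect_event(ln)
        print(f["AgentLogFile"], "->", "PowerShell" if is_powershell_event(f) else "other")
```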
Result
The PowerShell events are collected and forwarded by the WinCollect 10 agent to QRadar.
Document Information
Modified date:
09 January 2023
UID
ibm16852665