IBM QRadar

  • 1.  Collecting SCEP's logs from central server

    Posted Mon December 14, 2020 11:45 AM
    Hi, everybody. I have a task to collect alerts when malware is detected on hosts with System Center Endpoint Protection (Windows Defender with centralized management) installed. We use SCCM as the centralized Windows Defender management. I found the instructions for configuring a log source for the Windows Defender central server: https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_Microsoft_Endpoint_add_JDBC_logsource.html?view=embed I wonder whether this option will work for me. I also couldn't find information on how to make a view in the SCCM server database that QRadar will connect to in order to collect logs.

    Please tell me how to set up data collection correctly.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Collecting SCEP's logs from central server

    Posted Tue December 15, 2020 11:48 AM

    Hi, there are two ways to integrate SCCM output in QRadar. The traditional way is for the SCCM scanner to be integrated using VIS; results will be mapped into the asset DB. The way you described is connecting to the SCCM DB using JDBC. Please use SCCM standard queries to achieve this rather than your own views. However, if you seriously need to create your own view, please check MS TechNet.

    BR, Karl

    https://social.technet.microsoft.com/Forums/en-US/5d87b8ab-8451-4f3e-ac48-cbd752bb6d37/create-custom-database-view-in-sccm?forum=configmanagergeneral



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Collecting SCEP's logs from central server

    Posted Tue December 15, 2020 12:17 PM

    Thank you for the answer.

    Do you know where to get information on SCCM integration using VIS? I found the Vulnerability Assessment Configuration Guide document (December 2020), but it is about conducting a vulnerability scan using SCCM. I also need to get results on alerts triggered by malware.



    #QRadar
    #Support
    #SupportMigration


  • 4.  RE: Collecting SCEP's logs from central server

    Posted Tue December 15, 2020 07:15 PM

    Daniil, the documentation on VIS is correct. Please go ahead using the JDBC log source definition for SCCM. SCCM results I don't have, as this is customer data, sorry. For malware detection you need something like SCEP logs being integrated into SCCM. Please refer to https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=65d82b5d-8e2a-4990-a3f6-383832e39425&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=digestviewer#bm2e873530-4dc0-441e-9fc9-578117977adf



    #QRadar
    #Support
    #SupportMigration
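To make the JDBC approach recommended in replies 2 and 4 concrete, here is an added example (not from this thread, the IBM DSM guide, or Microsoft): the least-privilege database grants for the account QRadar polls with, a check that the account is read-only, and the shape of the incremental poll the JDBC protocol runs. It assumes the Configuration Manager site database is named CM_<SITECODE> (placeholder) and that the standard Endpoint Protection view v_GS_Threats has an ever-increasing identity column, taken here to be ID, to use as the compare field; verify the view and column names against your own site database before configuring the log source.

```sql
-- Added example: least-privilege login for QRadar's JDBC log source and the
-- incremental poll it performs. Placeholders: CM_<SITECODE> is your site DB,
-- <strong password> must be replaced. Run as a sysadmin on the SCCM SQL host.

-- 1. Dedicated SQL login that can read, but never write, the site database.
CREATE LOGIN qradar_jdbc WITH PASSWORD = '<strong password>', CHECK_POLICY = ON;
GO
USE [CM_<SITECODE>];
GO
CREATE USER qradar_jdbc FOR LOGIN qradar_jdbc;
-- Grant SELECT on the one view the log source needs instead of db_datareader,
-- so a leaked collector credential cannot read the rest of the site database.
GRANT SELECT ON OBJECT::dbo.v_GS_Threats TO qradar_jdbc;
GO

-- 2. Sanity check as the new account: this must return rows, and any
--    INSERT/UPDATE attempt as this user must fail with a permission error.
EXECUTE AS USER = 'qradar_jdbc';
SELECT TOP (5) * FROM dbo.v_GS_Threats ORDER BY ID DESC;
REVERT;
GO

-- 3. The shape of the poll QRadar's JDBC protocol runs on every interval:
--    rows newer than the last compare-field value it stored. The compare
--    field (assumed here to be the identity column ID) must only ever
--    increase; otherwise detections are skipped or duplicated between polls.
DECLARE @last_seen INT = 0;  -- QRadar persists this value between polls
SELECT *
FROM dbo.v_GS_Threats
WHERE ID > @last_seen
ORDER BY ID ASC;
```

The log source's database, table and compare-field settings then point at CM_<SITECODE>, v_GS_Threats and the column chosen in step 3, with the qradar_jdbc credentials.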