Hello Community!
I recently went through a thought experiment with some colleagues: how can QRadar monitor active and inactive WinCollect agents, in particular agents running in Stand-Alone mode? This intriguing use case immediately made me think about the possibilities, and since WinCollect sends heartbeats in Stand-Alone mode as well, there was the answer!
The WinCollect heartbeat travels from a host's agent to the designated destination every 300 seconds and carries a fixed set of information, including the hostname. With some parsing, reference sets and rules, QRadar can track the status of WinCollect agents, and from that, visualizations can be built for Pulse.
Sample Log:
Apr 14 18:50:35 192.168.2.14 Apr 14 11:50:37 LAPTOP-B5AN0I LEEF:1.0|IBM|WinCollect|7.2.9.72|2|src=LAPTOP-B5AN0I os=Windows 10 (Build 19042 64-bit) dst= sev=3 log=Code.SSLConfigServerConnection msg=ApplicationHeartbeat
Parsings:
Extracted Field Name | Regular Expression | Field Type | Log Source Type
wincollectHost | Log source 'WinCollect @ (.*?)' has stopped | AlphaNumeric | Custom Rule Engine
wincollectHost | \d{2}:\d{2}:\d{2}\s+(.*?)\s+LEEF | AlphaNumeric | WinCollect
wincollectOS | os=(.*?)\s+dst= | AlphaNumeric | WinCollect
wincollectVersion | IBM\|WinCollect\|([0-9\.]+) | Numeric | WinCollect
wincollectVersionFull | IBM\|WinCollect\|([0-9\.]+) | AlphaNumeric | WinCollect
|
Reference Sets:
Reference Set Name | Field Type | TTL
wincollectSilentHost | AlphaNumeric (ignore case) | None
wincollectRecoveredHost | AlphaNumeric (ignore case) | 1 hour
Rules:
Rule: WinCollect: No heartbeat in a given amount of time
Apply on events which are detected by the Local|Global system
- and when the event(s) have not been detected by one or more of WinCollect for 350 seconds
Response:
- Dispatch new event: Name: WinCollect - No Heartbeat from system; Description: A heartbeat has not been received for a WinCollect agent; High-Level Category: System; Low-Level Category: Error

Rule: WinCollect: No heartbeat in a given amount of time - ReferenceSet
Apply on events which are detected by the Local|Global system
- and when the event QID is one of the following (67500490) WinCollect - No Heartbeat from system
- and NOT when any of wincollectHost (custom) are contained in any of wincollectSilentHost - AlphaNumeric (Ignore Case)
Response:
- Add to a Reference Set: Add the wincollectHost (custom) of the event or flow payload to the Reference Set: wincollectSilentHost - AlphaNumeric (Ignore Case)

Rule: WinCollect: Heartbeat after a given amount of time
Apply on events which are detected by the Local|Global system
- and when the event QID is one of the following (63500003) WinCollect Info
- and when any of wincollectHost (custom) are contained in any of wincollectSilentHost - AlphaNumeric (Ignore Case)
Response:
- Dispatch new event: Name: WinCollect - Heartbeat from system - Recovery; Description: A WinCollect agent has begun to send heartbeats again; High-Level Category: System; Low-Level Category: Alert
- Add to a Reference Set: Add the wincollectHost (custom) of the event or flow payload to the Reference Set: wincollectRecoveredHost - AlphaNumeric (Ignore Case)
- Remove from a Reference Set: Remove the wincollectHost (custom) of the event or flow payload from the Reference Set: wincollectSilentHost - AlphaNumeric (Ignore Case)
This method watches for a lapse in heartbeats and places the affected hosts into a watch list (the wincollectSilentHost reference set). Because that list has no TTL, it is permanent and can be used in other rules or in reporting via the Reference Set management listing in the GUI.
When a new heartbeat arrives for a host that sits on this watch list, the host is removed from it and added to a recently recovered list (the wincollectRecoveredHost reference set). That list has a time to live of one hour, so it only ever shows hosts that have recently returned to a healthy state.
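The parsing table and the three rules above amount to a small state machine: extract the host from each heartbeat, mark a host silent once nothing has been seen for 350 seconds, and move it to a one-hour recovered list when it reports in again. The following Python script is an added example (not code from the post or from IBM) that replays that logic in memory so the regexes and the rule thresholds can be tested before they are configured in QRadar. It uses the post's regular expressions unchanged, represents time as plain epoch seconds, and assumes that the payload QRadar evaluates starts at the agent's own syslog header ("Apr 14 11:50:37 LAPTOP-B5AN0I LEEF:..."), with the leading "Apr 14 18:50:35 192.168.2.14" in the post's sample treated as a relay or file prefix. The sample payload and the timeline are constructed.

```python
import re

# Constructed from the post's sample log: the LEEF heartbeat as WinCollect emits it.
# The "Apr 14 18:50:35 192.168.2.14" prefix in the post is assumed to be a relay/file
# prefix that is not part of the payload QRadar evaluates, so it is left out here.
SAMPLE_PAYLOAD = (
    "Apr 14 11:50:37 LAPTOP-B5AN0I LEEF:1.0|IBM|WinCollect|7.2.9.72|2|"
    "src=LAPTOP-B5AN0I os=Windows 10 (Build 19042 64-bit) dst= sev=3 "
    "log=Code.SSLConfigServerConnection msg=ApplicationHeartbeat"
)

# Regular expressions exactly as listed in the post's parsing table (WinCollect log source type).
PROPERTIES = {
    "wincollectHost": re.compile(r"\d{2}:\d{2}:\d{2}\s+(.*?)\s+LEEF"),
    "wincollectOS": re.compile(r"os=(.*?)\s+dst="),
    "wincollectVersionFull": re.compile(r"IBM\|WinCollect\|([0-9\.]+)"),
}

HEARTBEAT_INTERVAL = 300  # seconds between WinCollect heartbeats (from the post)
SILENT_AFTER = 350        # rule threshold from the post: no heartbeat for 350 seconds
RECOVERED_TTL = 3600      # TTL of the wincollectRecoveredHost reference set: 1 hour


def parse_heartbeat(payload):
    """Extract the custom properties from a heartbeat; return None for anything else."""
    if "msg=ApplicationHeartbeat" not in payload:
        return None
    fields = {}
    for name, rx in PROPERTIES.items():
        m = rx.search(payload)
        if m is None:
            return None
        fields[name] = m.group(1)
    return fields


class HeartbeatTracker:
    """In-memory stand-in for the post's three rules and two reference sets.

    All timestamps are epoch seconds (e.g. from time.time()).
    """

    def __init__(self):
        self.last_seen = {}   # host -> time of its last heartbeat
        self.silent = set()   # mirrors wincollectSilentHost (no TTL)
        self.recovered = {}   # mirrors wincollectRecoveredHost: host -> expiry time

    def heartbeat(self, payload, now):
        """Rule 3: a heartbeat from a silent host dispatches a recovery event and moves the host
        from the silent list to the recovered list. Returns the dispatched events."""
        fields = parse_heartbeat(payload)
        if fields is None:
            return []
        host = fields["wincollectHost"]
        self.last_seen[host] = now
        if host not in self.silent:
            return []
        self.silent.discard(host)
        self.recovered[host] = now + RECOVERED_TTL
        return [("WinCollect - Heartbeat from system - Recovery", host)]

    def check(self, now):
        """Rules 1 and 2: a host with no heartbeat for SILENT_AFTER seconds is dispatched once
        and added to the silent list. Also expires recovered entries past their TTL."""
        for host in [h for h, expiry in self.recovered.items() if expiry <= now]:
            del self.recovered[host]
        events = []
        for host, seen in self.last_seen.items():
            if host not in self.silent and now - seen >= SILENT_AFTER:
                self.silent.add(host)
                events.append(("WinCollect - No Heartbeat from system", host))
        return events

    def active_percentage(self, expected_total):
        """The post's last widget: 100 * active agents / expected agents.
        expected_total is the inventory baseline the post calls {totalAgents}."""
        active = len(self.last_seen) - len(self.silent)
        return 100.0 * active / expected_total


if __name__ == "__main__":
    tracker = HeartbeatTracker()
    tracker.heartbeat(SAMPLE_PAYLOAD, 0)
    print(tracker.check(360))                       # host is flagged silent
    print(tracker.heartbeat(SAMPLE_PAYLOAD, 900))   # host recovers
    print(tracker.active_percentage(expected_total=1))
```

One caveat worth checking in the Custom Event Properties editor: the wincollectHost pattern anchors on the first hh:mm:ss it finds and then expands the lazy `(.*?)` until it reaches LEEF. Run against the full sample line from the post, including the "Apr 14 18:50:35 192.168.2.14" prefix, it captures "192.168.2.14 Apr 14 11:50:37 LAPTOP-B5AN0I" rather than the hostname, so validate the property against a real payload from your own log source; `\s+(\S+)\s+LEEF` is a stricter alternative if the prefix does appear in the payload.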
With this in place, it is possible to build Pulse visualizations for the agent heartbeats, and thus for the active and potentially inactive agents. To use the method to its fullest extent, a few requirements must be met:
- In the 'install_config.txt' file, the StatusServer must be a QRadar collection point: Data Gateway, Event Collector, Event Processor or Console.
- For at least one of these widgets (the percentage of active agents), an accurate count of the expected agents in the environment is required. Without an exact number, the widget only gives a close approximation of the intended value.
Pulse Dashboard and Widgets:
Most recent inactive hosts
Screenshot:
AQL:
select "wincollectHost" as "Host" from events WHERE qid = '67500490' last 5 MINUTES
WinCollect Versions
Screenshot:
AQL:
select "wincollectVersionFull" as "WinCollect Version", COUNT(*) from events where logsourcetypename(devicetype) ilike '%wincollect%' and "wincollectVersionFull" != NULL GROUP BY wincollectVersionFull last 5 MINUTES
OS Versions
Screenshot:
AQL:
select "wincollectOS" as "OS Version", COUNT(*) from events where logsourcetypename(devicetype) ilike 'wincollect' and "wincollectOS" != NULL GROUP BY wincollectOS last 5 MINUTES
Recently Recovered Hosts
Screenshot:
AQL:
select "wincollectHost" as "Host" from events where logsourcetypename(devicetype) ilike '%wincollect%' and referencesetcontains('wincollectRecoveredHost', "wincollectHost") GROUP BY "Host" last 5 MINUTES
Percentage of Active Agents
Screenshot:
AQL:
select 100*COUNT(wincollectHost)/{totalAgents} as "Percentage of Active WinCollect Agents" from events where logsourcetypename(devicetype) ilike '%wincollect%' last 5 MINUTES
Note here: {totalAgents} is a parameter that holds a baseline count of the known or expected agents, as defined by inventory or change management records.