Hi,
Eventually we managed to collect Windows Defender logs with the JDBC protocol.
You just have to fill in the mandatory parameters and choose "Microsoft Endpoint Protection" for "Predefined Query".
You will also need a valid account to query the database.
After that, you can just test the log source.
Regards
------------------------------
Mathieu Bouillaguet
------------------------------
Original Message:
Sent: Tue January 12, 2021 09:13 AM
From: Даниил Ивашин
Subject: Integrating SCCM Logs into QRadar
Hi.
Were you able to resolve the issue with collecting SCEP logs in QRadar?
------------------------------
Даниил Ивашин
Original Message:
Sent: Tue October 27, 2020 04:17 AM
From: saqib mehmood
Subject: Integrating SCCM Logs into QRadar
Dear,
Will you share the log source creation for SCCM? I want to cross-check it with my integration.
Thanks.
Saqib.
------------------------------
saqib mehmood
Original Message:
Sent: Thu November 14, 2019 01:38 PM
From: Alexandre Laquerre
Subject: Integrating SCCM Logs into QRadar
Hi,
So the logs are now collecting; however, there seems to be a bit of confusion in the IBM troubleshooting, since it suggests that we test out the query. When selecting the predefined query (Microsoft Endpoint Protection), it does not tell us what the query is, which means we cannot really test it out.
Does anyone know what the predefined SQL query is?
Regards,
Alexandre Laquerre
------------------------------
Alexandre Laquerre
Original Message:
Sent: Thu October 31, 2019 03:59 PM
From: Alexandre Laquerre
Subject: Integrating SCCM Logs into QRadar
Hi Mathieu,
So the collection is working, using the Microsoft Endpoint Protection DSM -> MSDE -> Prequery Microsoft Endpoint Protection.
The issue is that all the logs that are collected are unknown. Furthermore, when reviewing the DSM (under DSM Editor), I noticed under Event Mappings that all the mapping is done for Forefront Endpoint Protection, which is somewhat problematic since it should have mappings for SCEP as well.
Is there any documentation for Microsoft System Center Endpoint Protection (SCEP)?
Regards,
Alexandre Laquerre
------------------------------
Alexandre Laquerre
Original Message:
Sent: Tue September 24, 2019 06:15 AM
From: Mathieu Bouillaguet
Subject: Integrating SCCM Logs into QRadar
Hi Alexandre,
Could you confirm that you were able to collect Windows Defender events by querying the SCCM database, and that the events are correctly parsed using the Microsoft Endpoint Protection DSM?
If this is the case, could you share some of your configuration?
Thanks for your help.
Regards
------------------------------
Mathieu Bouillaguet
Original Message:
Sent: Mon August 26, 2019 09:30 AM
From: Alexandre Laquerre
Subject: Integrating SCCM Logs into QRadar
Excellent,
Thank you very much for that :)
Actually, the collection can apparently be done via Microsoft Endpoint Protection through JDBC, as you mentioned.
Have a good Day.
Alexandre Laquerre
------------------------------
Alexandre Laquerre
Original Message:
Sent: Mon August 26, 2019 03:25 AM
From: Dusan VIDOVIC
Subject: Integrating SCCM Logs into QRadar
I remember seeing in the DSM guide that Windows Defender is supported as log source (using REST API). So, if you would e.g. have the events collected in a separate section in SCCM's database, I guess it would probably mean preparing a custom specification using e.g. JDBC to read the events from the database (and mapping the events afterwards accordingly).
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Fri August 23, 2019 04:35 PM
From: Alexandre Laquerre
Subject: Integrating SCCM Logs into QRadar
Hi everyone,
So we are currently looking at different antivirus options, and one of them is going with Windows Defender, which would be centralised in SCCM. The question I have on this is as follows: is there a way for us to collect such logs into QRadar?
Cheers,
Alexandre Laquerre
------------------------------
Alexandre Laquerre
------------------------------