IBM Security QRadar


Wincollect Powershell/Sysmon/Taskscheduler logs collection

  • 1.  Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Thu May 07, 2020 09:51 AM
    Can WinCollect collect the PowerShell/Sysmon/Task Scheduler logs from Windows systems? Is there any document or set of steps available to configure this, as nothing related was found in the WinCollect guide?

    ------------------------------
    Akash Bhardwaj
    ------------------------------


  • 2.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Fri May 08, 2020 12:51 PM
    Hi Akash, at least you'll need to do the following:


    Also, Jose Bravo has several YouTube videos about it: https://www.youtube.com/watch?v=Xl31zNp4YUY&list=PLHh9jhztlMyrlWsozcrUEOvByfLJvRBDy


    Have fun

    ------------------------------
    Juan Paulo
    IBM
    Santiago
    ------------------------------



  • 3.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Tue May 12, 2020 08:11 AM
    Hi Juan,
    What about the proper way of collecting the Sysmon events from a Microsoft event collector/forwarder?
    Is the procedure documented in some way?

    ------------------------------
    Itzik Shviro
    ------------------------------



  • 4.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Fri February 18, 2022 03:27 PM

    this might help:

    https://www.ibm.com/docs/en/qradar-common?topic=sysmon-setting-up



    ------------------------------
    [Ashish] [Khandewale] [Security Consultant]
    [SIOC]
    [IBM Canada]
    ------------------------------



  • 5.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Thu February 17, 2022 03:34 PM
    Hello, can someone confirm if we can collect Sysmon events with a managed WinCollect agent deployment? I'm reviewing documentation now. Thanks.

    ------------------------------
    Ben McHarg
    ------------------------------



  • 6.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Fri February 18, 2022 03:26 PM

    Yes, you can certainly collect Sysmon logs with a managed WinCollect agent. You would need to deploy Sysmon on the endpoints and create a log source with an XPath query so WinCollect can fetch the logs.



    ------------------------------
    [Ashish] [Khandewale] [Security Consultant]
    [SIOC]
    [IBM Canada]
    ------------------------------



  • 7.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Mon February 21, 2022 03:10 AM
    Hi,

    Please make sure to use ONLY an XPath query, because a mixture of "check boxes" and an XPath query will not work. Here is an example from our environment.

    Of course, you can filter the standard logs too.

    <QueryList>
      <Query Id="0" Path="Events of Interest">
        <Select Path="Security">*</Select>
        <Select Path="System">*</Select>
        <Select Path="Application">*</Select>
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
        <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
        <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
        <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
      </Query>
    </QueryList>

    I also recommend using Sciencesoft's MITRE Windows integration app with the provided Sysmon.xml.

    L:

    ------------------------------
    Vladx(x)
    ------------------------------



  • 8.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Tue February 22, 2022 01:24 PM
    Thanks for the reply. Some additional information that may help. I have a Windows 10 machine in my lab and I have WinCollect installed in managed mode. The log source was auto-created and is working properly. Sysmon was then installed and configured. I'm not even seeing an option in the log source configuration on the console to use an XPath query. Documentation seems to point to using WEC and/or syslog forwarding only, unless WinCollect is set up in stand-alone mode.

    ------------------------------
    Ben McHarg
    ------------------------------



  • 9.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Tue February 22, 2022 01:33 PM

    This screenshot may help

    Laszlo






  • 10.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Tue February 22, 2022 09:59 PM
    Not sure how I missed this before. Thank you.

    ------------------------------
    Ben McHarg
    ------------------------------



  • 11.  RE: Wincollect Powershell/Sysmon/Taskscheduler logs collection

    Posted Tue February 22, 2022 01:34 PM
    You can provide XPath queries in unmanaged WinCollect using a few options:
    installs with command line strings; I especially suggest converting the
    XPath strings to base64 for this. I have used large filter sets for
    PowerShell and Sysmon this way.

    or leverage WinCollect templates to do so,

    or stop the service, edit the agentconfig.xml files on the systems, and restart the service.

    Using a test host with the WinCollect UI to create install strings is
    useful. Note that most of the above is more WinCollect 7 (pre 10) focused.

    For WEF, the config is on the Windows side: the target server is
    configured to forward collected events, and that lies in the MS Event
    Subscriptions, which send Sysmon, etc.

    Al
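
An added example, not part of this thread or of WinCollect itself, that ties together the XPath QueryList from post 7 and the base64 advice in post 11: it checks on a test host that every channel the query references exists, runs the same query the agent would run so you can see whether the channels are actually producing events, and emits the base64 form of the query. The UTF-8 encoding for the base64 step is an assumption; verify against the WinCollect documentation for your agent version, and run it elevated since reading the Security log requires it.

```powershell
# Added example (not from the thread). Validates a WinCollect-style XPath
# QueryList on a test host, then base64-encodes it for an install string.
# Sysmon/PowerShell channels only exist once those components are installed.
$QueryXml = @'
<QueryList>
  <Query Id="0" Path="Events of Interest">
    <Select Path="Security">*</Select>
    <Select Path="System">*</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
  </Query>
</QueryList>
'@

# 1. Every channel the query references must exist on the host. A single
#    missing channel makes the whole QueryList fail, not just that <Select>.
[xml]$doc = $QueryXml
$channels = $doc.QueryList.Query.Select |
    ForEach-Object { $_.Path } |
    Sort-Object -Unique
$missing = foreach ($c in $channels) {
    if (-not (Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue)) { $c }
}
if ($missing) {
    Write-Warning ("Channels not present on this host: " + ($missing -join ', '))
}

# 2. Run the query the same way the agent will and count hits per channel.
#    Zero hits for a channel usually means it is not enabled or not logging,
#    which is a configuration gap rather than a WinCollect problem.
Get-WinEvent -FilterXml $QueryXml -MaxEvents 200 -ErrorAction Stop |
    Group-Object LogName |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. Base64 form of the query for a command line install string.
#    Assumption: UTF-8 bytes; check the WinCollect docs for your agent version.
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($QueryXml))
Write-Output "Base64 query ($($b64.Length) chars):"
Write-Output $b64
```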