IBM Security QRadar

  • 1.  Ingest log from AD

    Posted Fri April 19, 2019 12:36 AM
    Hi 

    I need to ingest logs from AD without an agent installed. Is it impossible?

    ------------------------------
    MAC Strater
    ------------------------------


  • 2.  RE: Ingest log from AD

    Posted Fri April 19, 2019 04:09 AM
    QRadar supports the MSRPC protocol, which can do what you want. You need to take
    care though about performance, as MSRPC won't do much more than 20 EPS
    (Windows limitation).

    Other option could be to use "Windows Event Subscription" and push the logs
    to another machine which runs Wincollect.


    Sent from mobile
    Tenzij hierboven anders aangegeven: / Unless stated otherwise above:
    IBM Nederland B.V.
    Registered office in Amsterdam
    Amsterdam Trade Register registration no. 33054214




  • 3.  RE: Ingest log from AD

    Posted Sun April 21, 2019 11:25 PM
    Hi Nico,
    I'm interested in your recommendation to use Windows Event Subscription.
    In this case there is no need to install the WinCollect agent on the Windows host, but I must dedicate one server to install WinCollect on, to collect the logs and forward them to QRadar. Am I correct?

    Do you have a guideline and a link to download WinCollect version 7.2.8?

    Regards,


    ------------------------------
    MAC Strater
    ------------------------------



  • 4.  RE: Ingest log from AD

    Posted Mon April 22, 2019 03:28 AM
    Hi Mac, you're correct, the WES target should be a Windows machine with WinCollect installed to interpret/forward the logs to QRadar.




    All software can be downloaded from Fix Central, including all WinCollect versions.


    Sent from mobile
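    The agentless option discussed in this thread (Windows Event Subscription pushing DC events to one Windows host that runs WinCollect) as an added, worked example; it is not code from the thread or from IBM. The collector hostname wincollect01.corp.example, the subscription name, the event ID filter and the choice to restrict sources to the Domain Controllers group are assumptions for illustration. Configuring the WinCollect log source in QRadar to read the collector's ForwardedEvents log is assumed and not shown.

```powershell
# Added example: source-initiated Windows Event Forwarding (WEF) so that domain
# controllers push selected Security events to a single collector host, where
# WinCollect (the only agent in the design) reads them from ForwardedEvents.
# Hostnames, subscription name and event ID list are assumptions, not IBM's.

# ---------- 1. On the collector host (the WinCollect machine) ----------
# Enable the Windows Event Collector service and its WinRM listener.
wecutil qc /q

# Subscription definition. Source-initiated means the DCs connect out to the
# collector; WinRM (5985) only needs to be reachable on the collector.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Security-To-WinCollect</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events from domain controllers, pushed to the WinCollect host</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <!-- Flush after 5 events or 30 s, whichever comes first; heartbeat every 60 s -->
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <!-- Filter at the source: logon, Kerberos and NTLM authentication events only.
       Forwarding a DC's whole Security log is what makes the volume unmanageable. -->
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4769 or EventID=4771 or EventID=4776)]]
        </Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <!-- RenderedText keeps the human-readable message text that the DSM parses -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: only members of Domain Controllers (DD) may post to this subscription.
       The usual template allows all Domain Computers (DC), which is far too broad. -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'dc-security-subscription.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath

# Verify: which sources have checked in, and are events landing in ForwardedEvents?
wecutil gr DC-Security-To-WinCollect
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id, ProviderName

# ---------- 2. On each domain controller (normally delivered by Group Policy) ----------
# This is the registry-backed equivalent of the GPO setting
# Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding > "Configure target Subscription Manager".
# Direct registry writes are fine for a lab; in production set it by GPO on the DC OU.
$collector = 'Server=http://wincollect01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name '1' -Value $collector

# The forwarding service runs as NETWORK SERVICE, which cannot read the Security
# log unless it is a member of "Event Log Readers" (on a DC this is the domain's
# Builtin group, which net localgroup manages).
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
gpupdate /force
```

    Between domain members, WinRM over HTTP authenticates with Kerberos and encrypts the message payload, so the event stream is not in clear text on port 5985; switch TransportName to HTTPS (port 5986, with a server certificate on the collector) if policy requires transport-level TLS. The two settings that matter most for a DC source are the query filter, which is what keeps the volume within reach of a single collector, and the AllowedSourceDomainComputers SDDL, which stops an arbitrary domain-joined machine from injecting events into the SIEM feed.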





  • 5.  RE: Ingest log from AD

    Posted Fri April 19, 2019 04:43 PM
    Edited by Anthony Gayadeen Fri April 19, 2019 04:44 PM

    Hi Mac,

    the limit is a little higher than 20 EPS -> 100 EPS / Windows host.
    Unless you have a very small enterprise, you won't have enough capacity for an AD server. These beasts are quite verbose.

    Anyways, if you want to have a look at MSRPC,
    IBM support has published some info on this webpage: https://www-01.ibm.com/support/docview.wss?uid=swg21700170

    You will find the procedure for the detailed configuration in this document:
    ftp://ftp.software.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_dsm_guide.pdf
    Look for "Microsoft Security Event Log over MSRPC Protocol"

    Good Luck!

    ------------------------------
    Anthony Gayadeen
    Analyst
    Videotron
    QC
    ------------------------------



  • 6.  RE: Ingest log from AD

    Posted Sat April 20, 2019 07:04 AM
    Thank you all guys! 
    I will explain the limitation to my customer :)

    ------------------------------
    MAC Strater
    ------------------------------