QRadar integration has always been a stained-glass window for many of us, whether you are an experienced SIEM professional dealing with a new device integration or someone in the early phase of your SIEM journey.
For one such scenario, here are my two cents, to save you the time-consuming research and trial and error of Windows server integrations across the different types of QRadar setups.
Though QRadar is flexible in how it can be set up, it is equally flexible in how Windows devices can be integrated, but that flexibility comes at the cost of confusion for many of us. Questions like which integration is best out of
In this post we are only going to discuss the predominant integration methods, WMI and WinCollect, and how one compares with the other.
Nature of WinCollect Deployment

Managed WinCollect

Pros:
· Ideal for enterprise.
· Easy to identify errors using WinCollect events.
· Easy to integrate multiple log types from the same server (Application, Forwarded Events, etc.).
· Less resource utilization on ECs/EPs, since it is based on a push mechanism.
· Easy upgrade of WinCollect agents.
· Event filtering and XPath queries are a treat for EPS reduction.

Cons:
· Only 500 WinCollect agents are recommended per managed host in an environment.

Ideal for: Every distributed QRadar environment.

Recommendation: If the managed hosts (ECs/EPs) are location-specific, use the closest managed host as the configuration server when installing WinCollect.
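As an added example (not code from the original post or from IBM), this is the kind of XPath filter a WinCollect agent accepts for EPS reduction on the Security log, checked locally with Get-WinEvent before it is rolled out so you can measure the reduction; the event IDs, the suppressed logon type and the one-hour window are assumptions.

```powershell
# Added example, not from the original post: validate a WinCollect-style XPath
# filter locally and measure how much it cuts the Security log volume.
# Event IDs, the suppressed logon type and the window are assumptions; the
# Security log needs an elevated session to read.

# Keep only the Security events wanted in QRadar (last hour) and suppress the
# noisy logon type 5 (service) 4624 events. timediff() is in milliseconds and
# the comparison operator must be XML-escaped inside a QueryList.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4740)
        and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
    <Suppress Path="Security">
      *[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data='5')]]
    </Suppress>
  </Query>
</QueryList>
"@

# Baseline: everything the Security log produced in the same hour, unfiltered.
$baselineXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
  </Query>
</QueryList>
"@

function Get-EventCount([string]$QueryXml) {
    # Get-WinEvent throws when a query matches nothing; treat that as zero.
    try {
        @(Get-WinEvent -FilterXml ([xml]$QueryXml) -ErrorAction Stop).Count
    } catch {
        if ($_.Exception.Message -like '*No events were found*') { 0 } else { throw }
    }
}

$all      = Get-EventCount $baselineXml
$filtered = Get-EventCount $filterXml
$eps      = [math]::Round($filtered / 3600, 3)
"Security events in the last hour: $all total, $filtered after the XPath filter (~$eps EPS to QRadar)"
if ($all -gt 0) { "Reduction: {0:P1}" -f (1 - $filtered / $all) }
```

The same QueryList XML can then be pasted into the agent's XPath query field, so what you measured locally is what the agent will forward.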
Standalone WinCollect

Pros:
· No limitation on heartbeat management per managed host.
· No authentication token is needed.

Cons:
· Centralized upgrade is not possible.
· Troubleshooting when events are not being logged may become tedious.

Ideal for: Environments where the number of Windows servers is higher than the available QRadar managed hosts can support for heartbeats.

Recommendation: Only go for this when endpoint management in the environment is strong (SCCM/BigFix etc. for agent upgrades).
Using an intermediate jump server for MSRPC polling

Pros:
· Easy to designate and distribute servers per agent server.

Cons:
· Centralized credentials used for MSRPC can be compromised.
· If the agent server gets disconnected, logs can fill up the disk space of the agent server.
· The ports needed for MSRPC are vulnerable in general.

Ideal for: Enterprises where segment-level security is strong and credentials can be vaulted for better safety.

Recommendation: I do not recommend this method over the managed one, as it costs a lot of inconvenience for the value it delivers.
For a better understanding of Managed WinCollect, please check Annexure I.
For a better understanding of Standalone WinCollect and of using an intermediate jump server for MSRPC polling, please refer to Click Here