IBM Security QRadar


Notice: WMI-based protocols for Microsoft Windows Security Event Log end of life (31 Oct)

  • 1.  Notice: WMI-based protocols for Microsoft Windows Security Event Log end of life (31 Oct)

    Posted Tue September 27, 2022 02:03 PM

    Hey all,

    I wanted to put up an announcement that QRadar is planning to deprecate our older WMI-based event collection protocols for Microsoft Security Event Log sources. A technical note was sent via IBM My Notifications yesterday about this to alert users that a future auto update is going to officially mark WMI event collection protocols for Windows as end of life. Most users are not leveraging this protocol to collect events, as it maxes out at 50 EPS, and instead use the MSRPC variant (DCE/RPC), which is supported, or WinCollect, which sends in events using Syslog.

    The technical note lists how to identify if you are using WMI-based protocols for Windows event collection. After 31 October, the protocol will be marked as end of life in the user interface.

    What to do
    1. Review the technical note to identify if you are using either of the protocol types planned for end of life: https://ibm.biz/protocolwmi

    2. If you have a WMI-based protocol type collecting events, you should plan to transition it next month to either WinCollect (Syslog) or the Microsoft Security Event Log over MSRPC.

    This change only impacts WMI-based integrations for Windows event collection, not all of our Microsoft event collection protocols. Eventually, development is going to disable these protocols, so we want admins to review and confirm if there is any work to be done related to this protocol change. It is unlikely that this issue impacts a large number of users after the security issues related to WMI that have occurred in the past. However, we wanted to post a notice for visibility to all users to audit for this upcoming change to EoL the specific WMI protocols.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------


  • 2.  RE: Notice: WMI-based protocols for Microsoft Windows Security Event Log end of life (31 Oct)

    Posted Tue September 27, 2022 02:22 PM
    As always, if there are questions about this change, feel free to ask.

    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------