Hello,
it looks like Microsoft WSUS is not supported as a log source.
My customer wants to integrate this with QRadar.
I know that other SIEM vendors support WSUS integration.
I want to know how to use an already known query (custom for QRadar) for the Microsoft WSUS DB in QRadar.
Thanks
Answer by zoldax (2014) | Nov 26, 2017 at 08:22 AM
Hello Vova,
Some ideas to share with you. Hope this help.
Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. WSUS fully manages the distribution of updates that are released through Microsoft Update to computers.
Windows Server 2008 and 2012 include WSUS as a role/feature, and you can see a lot of things with it, such as subscribed update categories, update download status, clients registered to the server, update agents deployed, IIS logs from WSUS... But you can also check a lot of things on the system side too...
You have to check what the customer wants to see from the WSUS role in the SIEM (security operations or security correlation?).
Some ideas:
WinCollect agent software
First of all, maybe you can use the "QRadar WinCollect" agent on the server hosting the WSUS role. It will allow you to collect information such as: Application, Security, System, Sysinternals Sysmon, DHCP, DNS, File Forwarder, IAS, IIS, ISA, SQL Server, XPath...
Ref: http://public.dhe.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_wincollect.pdf http://www-01.ibm.com/support/docview.wss?uid=swg27049809
Microsoft Security Event Log
If you don't want to use WinCollect (and want to stay agentless) you can use the MSRPC log source (the Microsoft Security Event Log), which only supports standard Windows event logs for workstations and servers. This allows you to collect Security, System, Application, DNS Server, File Replication, and Directory Service events. But MSRPC is not capable of retrieving or parsing non-standard Windows logs, such as Microsoft IIS or Microsoft SQL. If you require events from any of these systems, you had better install the WinCollect agent software.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21700170
Operational idea
If you use QVM too, you can also fill in the email addresses of the technical people at the WSUS customer in the Assets or Group of Assets, to inform them, via a profile type, of the critical vulnerabilities they have to manage.
Hope this gives you some ideas.
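Neither post shows how a custom SQL query against the WSUS database would actually reach QRadar. The script below is an added example (not code from the thread, from IBM or from Microsoft) of one route that fits the answer's WinCollect/syslog options: run a query against SUSDB, render each row as a LEEF 1.0 event, and ship it over UDP syslog to a QRadar Event Collector configured with a Syslog log source and the universal LEEF DSM. The view and column names (PUBLIC_VIEWS.vComputerTarget, vUpdate, vUpdateInstallationInfoBasic), the state-code mapping, the pyodbc connection and the sample rows are all assumptions made for the example; the sample rows are constructed so the script runs offline.

```python
"""Forward WSUS patch state to QRadar as LEEF-over-syslog (added example).

Assumptions, not facts from the thread: SUSDB exposes the PUBLIC_VIEWS used in
WSUS_QUERY; QRadar listens on UDP 514 with a Syslog log source using the
universal LEEF DSM (LEEF 1.0 = pipe-delimited header, tab-delimited key=value
attributes); pyodbc is installed for live runs. SAMPLE_ROWS is a constructed
result set so everything below runs without a WSUS server.
"""
import datetime as dt
import socket

# Hypothetical query over the SUSDB public views: one row per (computer, update)
# where the update is missing (2), failed (5) or installed pending reboot (6).
WSUS_QUERY = """
SELECT ct.Name, ct.IPAddress, ct.LastReportedStatusTime,
       u.KnowledgebaseArticle, u.DefaultTitle, u.MsrcSeverity, ii.State
FROM   PUBLIC_VIEWS.vUpdateInstallationInfoBasic AS ii
JOIN   PUBLIC_VIEWS.vComputerTarget AS ct ON ct.ComputerTargetId = ii.ComputerTargetId
JOIN   PUBLIC_VIEWS.vUpdate AS u ON u.UpdateId = ii.UpdateId
WHERE  ii.State IN (2, 5, 6)
"""

# WSUS UpdateInstallationState codes (assumed mapping).
STATE_NAMES = {0: "Unknown", 1: "NotApplicable", 2: "NotInstalled", 3: "Downloaded",
               4: "Installed", 5: "Failed", 6: "InstalledPendingReboot"}

# Microsoft MSRC severity -> LEEF sev (1-10); unknown/unspecified falls back to 1.
SEVERITY = {"Critical": 9, "Important": 7, "Moderate": 5, "Low": 3}

# Constructed sample rows, in the column order of WSUS_QUERY.
SAMPLE_ROWS = [
    ("srv-file01.corp.example", "10.0.5.21", dt.datetime(2017, 11, 25, 23, 40, 0),
     "4048953", "2017-11 Cumulative Update for Windows Server 2016", "Critical", 2),
    ("ws-hr-07.corp.example", "10.0.7.34", dt.datetime(2017, 11, 25, 18, 5, 0),
     "4041676", "2017-10 Cumulative Update for Windows 10", "Critical", 5),
    ("srv-sql02.corp.example", "10.0.5.40", dt.datetime(2017, 11, 26, 1, 12, 0),
     "4022715", "Security Update for SQL Server 2014 SP2", "Important", 6),
]


def leef_escape(value):
    """Attributes are tab-separated, so tabs/newlines must not occur inside a
    value; '|' is the header delimiter and is replaced as well."""
    return (str(value).replace("\t", " ").replace("\r", " ")
            .replace("\n", " ").replace("|", "/"))


def row_to_leef(row):
    """Render one query row as a LEEF 1.0 line: header fields, then attributes.
    devTime/devTimeFormat/src/identHostName/sev are LEEF predefined keys; kb,
    title, msrcSeverity and state are custom keys to map to event properties."""
    name, ip, reported, kb, title, msrc_sev, state = row
    state_name = STATE_NAMES.get(state, "Unknown")
    attrs = [
        ("devTime", reported.strftime("%b %d %Y %H:%M:%S")),
        ("devTimeFormat", "MMM dd yyyy HH:mm:ss"),
        ("src", ip),
        ("identHostName", name),
        ("kb", "KB%s" % kb),
        ("title", title),
        ("msrcSeverity", msrc_sev),
        ("state", state_name),
        ("sev", SEVERITY.get(msrc_sev, 1)),
    ]
    header = "LEEF:1.0|Microsoft|WSUS|3.0|Update%s|" % state_name
    return header + "\t".join("%s=%s" % (k, leef_escape(v)) for k, v in attrs)


def build_events(rows):
    """Convert a result set (pyodbc rows or plain tuples) into LEEF lines."""
    return [row_to_leef(tuple(r)) for r in rows]


def syslog_frame(event, hostname, now=None, facility=1, severity=5):
    """Wrap a LEEF line in a BSD syslog header (RFC 3164 PRI = facility*8+severity)."""
    now = now or dt.datetime.now()
    pri = facility * 8 + severity
    return "<%d>%s %s %s" % (pri, now.strftime("%b %d %H:%M:%S"), hostname, event)


def fetch_rows(conn_str):
    """Run WSUS_QUERY against SUSDB through pyodbc (imported lazily so the
    offline demo does not need the driver installed)."""
    import pyodbc
    with pyodbc.connect(conn_str) as conn:
        return conn.cursor().execute(WSUS_QUERY).fetchall()


def send_to_qradar(events, collector, port=514, hostname="wsus01"):
    """Ship events to the QRadar Event Collector over UDP syslog, one datagram each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for ev in events:
            sock.sendto(syslog_frame(ev, hostname).encode("utf-8"), (collector, port))


if __name__ == "__main__":
    # Offline demo; for a live run swap SAMPLE_ROWS for
    # fetch_rows("DRIVER={ODBC Driver 17 for SQL Server};SERVER=wsus01;DATABASE=SUSDB;Trusted_Connection=yes")
    # and call send_to_qradar(events, "<event-collector-ip>").
    for line in build_events(SAMPLE_ROWS):
        print(syslog_frame(line, "wsus01"))
```

Run it on a schedule (Task Scheduler on the WSUS host) and create a Syslog log source for the WSUS host in QRadar; the LEEF event ID (UpdateFailed, UpdateNotInstalled, UpdateInstalledPendingReboot) becomes the QID mapping key, and the custom keys can be extracted as custom event properties for correlation or QVM asset enrichment. Use the syslog-over-TLS listener rather than UDP if the events must not be spoofed or dropped.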