WiNC (Windows Native Connector) overview
You can find more information on WiNC which is updated here: The WiNC guide: Q&A, Resources, Best Practices, Tips
- Why WINC
- Additional information
Is there a way to specify events to exclude using the WiNC event filter? i.e. send every security event except [list of event IDs]?
Look at the Protect 2015 presentation from Rin Ure from Microsoft on this subject here:
The topic was:
B5390 - Learn from Microsoft how to forward Windows events into HP ArcSight at an enterprise scale
I haven't started investigating WiNC (or WEF) yet, but when I do, I will start by rereading the lessons learned in Rin's presentation.
I took a quick look at the doc. It talks a lot about the prep work on the WEC side to get things staged for ArcSight collection via WUC. It's a good read.
For now we have a simple test case with a single WiNC connector, collecting events from 1 remote host, as well as the local host where the connector is installed. We're looking at an option in the WiNC connector setup (multiple host parameters) that lets us define events to filter at the source. This is the Filter parameter; the SmartConnector document includes these bits:
Filters that apply at the time of event collection from the event source to the connector are supported. With this support, events in which you have no interest can be filtered out, making better use of resources.
This is a filter you can get from the Microsoft event viewer when you want to collect particular events. You can copy the filter text to this field. For more information, see “Configure a Filter.”
I might be missing something really obvious. There are a few heavy hitters in the Windows event stream that would be default values for all hosts in this field. But based on these descriptions ("filtered out" vs. "want to collect particular events"), I'm not clear whether the values added to this field are included in or excluded from the event collection.
I did some testing of this today. This is an include filter: what events do I want the Connector to process and send along to Express/ESM/Logger. Everything else is excluded or dropped.
Here are some scenarios I tested. There are two that don't work, but don't make sense to use. There are some that work that don't make sense to use as well. I'll try to track down an answer on the range of event IDs (900-1000); this would be nice to have.
Works
*[System[(EventID=800 or EventID=900 or EventID=1000)]]
- events with IDs of 800, 900, or 1000
- events from eventcreate
*[System[Provider[@Name='EventCreate'] and (Level=2)]]
- error events from eventcreate
*[System[(Level=2 or Level=4 or Level=0)]]
- error or informational events
- events from a particular computer
*[System[(Computer='win7.example.com' or Computer='windows.example.com')]]
- events from particular computers
- comma separated: win7.example.com, windows.example.com
- events from a particular user
- Microsoft does not allow multiple users; this has to be a particular user
Does not work
*[System[( (EventID >= 900 and EventID <= 1000) )]]
- events with IDs of 900 - 1000; in Event Viewer, written as "900-1000"
- this would be a nice one to be able to do
*[System[TimeCreated[timediff(@SystemTime) <= 3600000]]]
- events from the last hour
- this doesn't make sense to use
- events with specific keywords
- this doesn't make sense to use
Another quick note: when you are in Event Viewer finding the syntax for the filter (the XML tab below), note that you can't filter by log at this level (i.e. Security vs. Application vs. System). And in the hosts table in the Connector, the filter will apply to all of the logs that are checked off per host. So there will need to be some consideration for how the filter is configured and how the hosts table is set up.
This might not make sense until you see it. And on Fridays nothing seems to make sense to me. 😉
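An added example (not from the original post or from ArcSight) for dry-running a candidate Filter value against a local log with Get-WinEvent before pasting it into the connector's hosts table. It assumes the findings above (include filter only; ranges, timediff and keyword constructs not accepted), that it runs elevated on a host whose local logs resemble the remote hosts, and the function names New-WincIncludeFilter and Test-WincFilter are mine.

```powershell
# Added example, not the connector's own code: build an include filter in the
# shape the post found to work, and dry-run it locally before using it in WiNC.

function New-WincIncludeFilter {
    # Same shape as the tested "EventID=800 or EventID=900 or EventID=1000" filter.
    param([Parameter(Mandatory)][int[]]$EventId)
    $terms = ($EventId | Sort-Object -Unique | ForEach-Object { "EventID=$_" }) -join ' or '
    return "*[System[($terms)]]"
}

function Test-WincFilter {
    param(
        [Parameter(Mandatory)][string]$LogName,      # Security, System, Application ...
        [Parameter(Mandatory)][string]$FilterXPath,  # the text pasted into the Filter field
        [int]$MaxEvents = 100
    )
    # Constructs the post reports as not working in the connector's Filter field
    # (assumption: taken from the tests above, not from ArcSight documentation).
    foreach ($token in @('>=', '<=', 'timediff(', 'band(', 'Keywords')) {
        if ($FilterXPath.Contains($token)) {
            Write-Warning "Filter contains '$token', which the post reports WiNC does not accept"
        }
    }
    # The log is passed separately: the XPath alone cannot select Security vs. System,
    # which is why the connector applies one filter to every log checked for a host.
    # Get-WinEvent reports "no events found" as an error; treat that as zero matches.
    $events = @(Get-WinEvent -LogName $LogName -FilterXPath $FilterXPath `
                -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Log      = $LogName
        Filter   = $FilterXPath
        Matched  = $events.Count
        EventIds = ($events | Select-Object -ExpandProperty Id -Unique) -join ','
    }
}

# Dry-run two of the post's filters plus one generated include list. The range
# filter is expected to match locally (Event Viewer supports it) even though the
# post reports that the connector's Filter field does not.
Test-WincFilter -LogName 'Application' -FilterXPath "*[System[Provider[@Name='EventCreate'] and (Level=2)]]"
Test-WincFilter -LogName 'System'      -FilterXPath (New-WincIncludeFilter -EventId 800, 900, 1000)
Test-WincFilter -LogName 'Security'    -FilterXPath "*[System[( (EventID >= 900 and EventID <= 1000) )]]"
```

Run it once per log you plan to check off in the hosts table, since the same Filter value is applied to each of them.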
Would you be able to briefly cover how to set up remote host collection with the WiNC agent that's similar to the older WUC, without using subscriptions / Windows Event Forwarding? Also, if you know what protocols this agent would use to do that in comparison to the old WUC, that would be very helpful.
The setup is the same when you're not using Subscriptions/Windows Event Forwarding, you just wouldn't select that option in the hosts table. See my presentation from Protect 2015 which covers some of the different configurations with and without Windows Event Forwarding. Also see the port/protocols information below.