
Modeling Rules for the Microsoft WSUS logs collector

Microsoft WSUS

This pack includes XSIAM content.

Configuration on the Server Side

Validate that the WSUS server role is enabled:

  • In the Server Manager, click Manage > Add Roles and Features.

  • Click Server Roles in the left menu.

  • Scroll down and validate that Windows Server Update Services is selected.

  • Validate that the following are selected and installed:

    • WID Connectivity
    • WSUS Services


Collect Events from Vendor

To use the collector, collect events from the vendor with the following option:

  • XDRC (XDR Collector)
    You will need to configure the vendor and product for this specific collector.

  • Note: timestamp parsing is supported only for the UTC (+0000) timezone, in the yyyy-mm-dd HH:MM:SS.3ms UTC format.

XDRC (XDR Collector)

You will need to use the information described here.

You can configure the vendor and product by replacing [vendor]_[product]_raw with msft_wsus_raw.

When configuring the instance, you should use a YAML file that configures the vendor and product, as seen in the configuration below for the Microsoft WSUS product.

Filebeat Collection

To use the collector, collect events from the vendor with the following option:

  • XDRC (XDR Collector)
    You will need to configure the vendor and product for this specific collector.

XDRC (XDR Collector)

You will need to use the information described here.

You can configure the vendor and product by replacing [vendor]_[product]_raw with msft_wsus_raw.
When configuring the instance, you should use a YAML file that configures the vendor and product, as seen in the configuration below for the Microsoft WSUS product.

Copy and paste the contents of the following YAML in the Filebeat Configuration File section (inside the relevant profile under the XDR Collectors Profiles).

Filebeat Configuration file:

filebeat.inputs:
- type: filestream
  # WSUS log files tailed by the XDR Collector
  paths:
    - C:\Program Files\Update Services\LogFiles\Change.log
    - C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log
processors:
- add_fields:
    # vendor/product form the target dataset name, msft_wsus_raw
    fields:
        vendor: msft
        product: WSUS
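As an added pre-flight check (not part of the pack), the script below reads lines shaped like the two log files above and flags entries whose leading timestamp is not in the supported yyyy-mm-dd HH:MM:SS.3ms UTC form, so unparseable entries are noticed before the modeling rules silently fail to timestamp them; the sample lines and their tab-separated column layout are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# The pack's modeling rules parse timestamps only in the form
# "yyyy-mm-dd HH:MM:SS.3ms UTC" (UTC, +0000), anchored at line start.
SUPPORTED_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) UTC\b")


def parse_wsus_timestamp(line: str):
    """Return a timezone-aware UTC datetime for a line whose prefix is a
    supported WSUS timestamp, or None when the prefix does not match."""
    m = SUPPORTED_TS.match(line)
    if m is None:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


def audit_lines(lines):
    """Classify log lines before shipping them: returns (parsed, rejected),
    where parsed holds (line_no, datetime) and rejected holds (line_no, line)
    for entries the modeling rules would not be able to timestamp."""
    parsed, rejected = [], []
    for no, line in enumerate(lines, start=1):
        ts = parse_wsus_timestamp(line)
        if ts is None:
            rejected.append((no, line))
        else:
            parsed.append((no, ts))
    return parsed, rejected


# Constructed sample lines (not real WSUS output); the tab-separated columns
# are an assumption. Lines 3-5 use formats the modeling rules do not support.
SAMPLE_LINES = [
    "2023-07-25 10:15:32.123 UTC\tInfo\tw3wp.12\tSoapUtilities.CreateException\tThrowException: example",
    "2023-07-25 10:15:33.456 UTC\tChange\tSystem\tContentSync\tSynchronization started",
    "2023-07-25 10:15:34 UTC\tInfo\tw3wp.12\tNoMillis\tmissing .3ms part",
    "2023-07-25 13:15:35.789 +0300\tInfo\tw3wp.12\tOffset\tnot UTC",
    "07/25/2023 10:15:36 AM\tInfo\tw3wp.12\tLocale\tUS date format",
]

if __name__ == "__main__":
    ok, bad = audit_lines(SAMPLE_LINES)
    print(f"{len(ok)} lines parseable, {len(bad)} would not be timestamped")
    for no, line in bad:
        print(f"  line {no}: {line.split(chr(9))[0]}")
```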

PUBLISHER

Cortex

PLATFORMS

Cortex XSIAM

INFO

Certification: Read more
Supported By: Cortex
Created: August 15, 2022
Last Release: July 25, 2023

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.