Windows Event IDs logging
Answered

I've gone through the threat manager and log manager, and have not found a specific way to set up for a certain Event ID. Is there something I am missing, or is this a feature that is not available to set up?
-
Official comment
Hi Nick, thanks for reaching out! You can set up a correlation alert based on the message type that is associated with the Windows Event ID in question.
For example, the message type "Windows Failed Logins" has a Windows Event ID of 4625. You can create an alert based on the "Windows Failed Login" message type, not Windows Event ID #4625.
I'm also attaching a document that gives you step-by-step instructions for creating a correlation alert that I hope helps: Create and Apply Collection Alert Rules
Let us know if you have further trouble or questions.
-
Nick - I wanted to follow up with you on another potential solution for this!
You can use a correlation policy with an alert trigger for a specific Windows Event ID. If you don't know the message type that corresponds to a particular Windows Event ID, search your messages for the Event ID and make note of the message type. An example of this in the Alert Logic console is below:
I'm also including an example of how a correlation policy will be configured using this method. In the Alert Logic console, click Log Manager > Policies > Correlation > orange plus sign and then fill out the Add Correlation form similar to below:
Let us know if you have further questions - we'd be happy to help.
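The two steps the answers describe (look up which message type a given Windows Event ID maps to, then alert when that message type recurs) can be shown end to end in a small script. The following is an added example and not Alert Logic's code or API; the only mapping taken from the thread is 4625 to "Windows Failed Logins", and the other event IDs, the JSON record layout, the source-address grouping key, and the threshold of 5 events in 10 minutes are constructed assumptions for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event ID -> message type. Only the 4625 entry comes from the support answer above;
# the other two are assumed placeholders, not Alert Logic's real message-type catalogue.
EVENT_ID_TO_MESSAGE_TYPE = {
    4625: "Windows Failed Logins",
    4624: "Windows Successful Logins",  # assumed
    4740: "Windows Account Lockouts",   # assumed
}

# Constructed sample records in a hypothetical one-JSON-object-per-line export format.
SAMPLE_EVENT_LINES = [
    '{"time": "2024-01-05T10:00:02", "event_id": 4625, "user": "alice", "src": "10.0.0.7"}',
    '{"time": "2024-01-05T10:00:09", "event_id": 4625, "user": "alice", "src": "10.0.0.7"}',
    '{"time": "2024-01-05T10:00:31", "event_id": 4624, "user": "bob",   "src": "10.0.0.9"}',
    '{"time": "2024-01-05T10:01:15", "event_id": 4625, "user": "alice", "src": "10.0.0.7"}',
    '{"time": "2024-01-05T10:01:40", "event_id": 4625, "user": "bob",   "src": "10.0.0.9"}',
    '{"time": "2024-01-05T10:02:03", "event_id": 4625, "user": "alice", "src": "10.0.0.7"}',
    '{"time": "2024-01-05T10:02:44", "event_id": 4625, "user": "alice", "src": "10.0.0.7"}',
    '{"time": "2024-01-05T10:25:10", "event_id": 4625, "user": "bob",   "src": "10.0.0.9"}',
    '{"time": "2024-01-05T10:26:00", "event_id": 4740, "user": "alice", "src": "10.0.0.7"}',
]


def message_type_for(event_id):
    """Translate a Windows Event ID into the message type an alert rule keys on."""
    return EVENT_ID_TO_MESSAGE_TYPE.get(event_id, "Unknown")


def parse_events(lines):
    """Parse JSON records, attach the message type, and return them in time order."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        rec["message_type"] = message_type_for(rec["event_id"])
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def find_message_type(events, event_id):
    """Mirror the manual step from the answer: search the messages for an Event ID
    and note the message type they carry. Returns None if nothing matched."""
    types = {e["message_type"] for e in events if e["event_id"] == event_id}
    return types.pop() if len(types) == 1 else None


def correlate(events, message_type, threshold=5, window=timedelta(minutes=10), key="src"):
    """Correlation rule: fire once per group (default: source address) when at least
    `threshold` events of `message_type` fall inside a sliding `window`."""
    recent = defaultdict(deque)   # group value -> timestamps still inside the window
    fired = set()
    alerts = []
    for e in events:
        if e["message_type"] != message_type:
            continue
        q = recent[e[key]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and e[key] not in fired:
            fired.add(e[key])
            alerts.append({
                "message_type": message_type,
                key: e[key],
                "count": len(q),
                "first": q[0].isoformat(),
                "last": e["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENT_LINES)
    print("4625 maps to:", find_message_type(evs, 4625))
    for alert in correlate(evs, "Windows Failed Logins"):
        print("ALERT:", alert)
```

With the constructed data, five failed logins from 10.0.0.7 land within three minutes and raise one alert, while the two from 10.0.0.9 are 23 minutes apart and never reach the threshold; the lockout (4740) and successful login (4624) are ignored because the rule keys on the message type rather than on the raw event stream.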