We're in the process of tuning our HIPS policies for "Medium" level blocking, and are currently just logging for "Medium" events.
So with several weeks now of "medium" level logging on several hundred servers and workstations, I should be seeing some "medium" events in the event logs, but I seem to only be seeing the events from the "High" level signatures.
When running a query on the event logs, there only seems to be an option to search for "Threat Severity" with options of "critical", "warning", "emergency", etc., but not for "High", "Medium", or "Low". (The query I run to view "High" signatures looks for "Threat Severity" 'critical'.)
So then how do you query for HIPS events that are specifically rated "Medium" and exclude "High" or "Low" events?
Hmm, I tried querying for "Warning" level threats, but 99% of what came back were AV-related events, not HIPS. I'd be surprised that there would be almost no events coming back considering the number of systems that had Medium logging turned on.
Is that normal? I had assumed when we turned on Medium logging there would be a big jump in the number of events, and an even bigger jump when we moved to turning on logging for "Low" signatures.