
MS eventlog event ID


Is it possible McAfee SIEM does not parse the event ID of Microsoft events?

For example, event 4634 is the ID of the event "An account was logged off". I can see the description in the Rule Message attribute, however the Windows Event ID itself does not seem to be stored in any of the event attributes. It would be much easier to define alarms, correlations etc. having this Windows Event ID stored with the event in the SIEM. Do you know whether it is possible to access it or not?

Thank you.


5 Replies

Re: MS eventlog event ID


The Windows Event ID is not grepped out by McAfee SIEM. If you look in the "Description" section of the event, you can see the Windows Event ID there. When creating Alarms, use the Signature ID for whatever event you want to create an alarm for. The Signature ID is what McAfee SIEM assigns to individual event types. So if you find the event that matches up to Windows Event ID "4634", the Signature ID associated with it will be unique to that event type / ID.

Thanks,

McAfee Employee

Re: MS eventlog event ID


We support a filter for Windows Event IDs. It can be found when you access the Signature ID filter in the Windows tab. To use this filter, type in the Event ID number and then select the group(s) that the number belongs to. There are situations where multiple Windows groups use the same Event ID, so you need to select the ones that you would like to use. Then refresh your view.

[Image: windows filter.png]

[Image: windows filter 1.png]

Re: MS eventlog event ID


You would still need to use the Signature ID to create an alarm for those events though right? Or can you use the filter syntax that it uses in the SignatureID Field for the Alarm as well (like Microsoft-Windows-Security-Auditing 4634)?

McAfee Employee

Re: MS eventlog event ID


You are correct. Right now the Windows tab is available in the views and reports and not in the alarms, so you would need to use the Signature ID for that particular event (i.e. 43-263046340).

I do not believe that there is a Product Enhancement Request for this tab to be in the alarms but I'll double check. 
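An added example (not from this thread, and not McAfee SIEM code) of the workaround the replies describe: pull the Windows Event ID out of the event description, index Signature IDs by it, and surface Event IDs that several Windows groups share, so you know which Signature ID(s) to put in an alarm. The record field names, the "EventID=" prefix in the description and every Signature ID except 43-263046340 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample SIEM records. Field names and the "EventID=" prefix in the
# description are assumptions for this example, not McAfee SIEM's real schema;
# only 4634 <-> 43-263046340 comes from the thread, the other IDs are made up.
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Security-Auditing", "sig_id": "43-263046340",
     "description": "EventID=4634 An account was logged off."},
    {"provider": "Microsoft-Windows-Security-Auditing", "sig_id": "43-000000001",
     "description": "EventID=4624 An account was successfully logged on."},
    {"provider": "Microsoft-Windows-Eventlog", "sig_id": "43-000000002",
     "description": "EventID=4624 Constructed: same ID reused by another group."},
    {"provider": "Microsoft-Windows-Security-Auditing", "sig_id": "43-000000003",
     "description": "No event id in this description."},
]

EVENT_ID_RE = re.compile(r"\bEventID=(\d{1,5})\b")


def extract_event_id(description):
    """Return the Windows Event ID embedded in a description, or None."""
    match = EVENT_ID_RE.search(description)
    return int(match.group(1)) if match else None


def build_event_id_index(events):
    """Map Windows Event ID -> provider (Windows group) -> set of Signature IDs."""
    index = defaultdict(lambda: defaultdict(set))
    for event in events:
        event_id = extract_event_id(event["description"])
        if event_id is None:
            continue  # nothing to key on; skip rather than guess
        index[event_id][event["provider"]].add(event["sig_id"])
    return index


def signature_ids_for(index, event_id, providers=None):
    """Signature IDs to put in an alarm for one Windows Event ID.

    When the same Event ID is used by several Windows groups, pass `providers`
    to pick the group(s) you mean, mirroring the selection the Windows tab asks for.
    """
    by_provider = index.get(event_id, {})
    chosen = providers if providers is not None else by_provider.keys()
    return sorted(sig for p in chosen for sig in by_provider.get(p, ()))


def shared_event_ids(index):
    """Event IDs claimed by more than one Windows group (ambiguous for alarms)."""
    return sorted(eid for eid, groups in index.items() if len(groups) > 1)
```

Run the index over an export of the events you care about, then check `shared_event_ids` before copying Signature IDs into an alarm so a shared Event ID does not silently pull in the wrong group.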

Re: MS eventlog event ID


Thank you guys, the filtering feature seems pretty OK. Defining the alarm is a bit more complicated than just defining the Event ID.