paul.k
Message 1 of 10

SIEM: How do you deal with Windows Filtering Platform events?

I am sure this has been asked before, but my search has so far been fruitless.

What do most of you do with Windows Filtering events?

Particularly Sig ID 43-263051560, Win event ID 5156

These are very numerous and I am struggling to find a justification to continue collecting them, both short and long term.

My only thought is that it does record the application that made the network connection and it could potentially have some forensic value.

Any thoughts and suggestions on how to manage this beast of an event would be greatly appreciated.

Thank You,

Paul


9 Replies

Re: SIEM: How do you deal with Windows Filtering Platform events?

If it's not required by the security policy of your organization, I would disable those types of logs.

acommons
Message 3 of 10

Re: SIEM: How do you deal with Windows Filtering Platform events?


Ideally you keep it enabled and logging locally, because it does contain some good forensic information, but you disable the pull to the SIEM. How this is done is something I would be very interested in!
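To see what the locally retained 5156 events actually hold (the application, direction and endpoints mentioned above) and to measure how noisy they are before deciding on forwarding, here is an added PowerShell example; it is not from this thread or from the SIEM vendor, and it assumes it runs elevated on a host where "Filtering Platform Connection" auditing is enabled:

```powershell
# Added example: summarise Windows Filtering Platform event 5156 from the
# local Security log. Assumes an elevated session and that 5156 auditing is on.
param(
    [int]$Hours = 1,   # look-back window
    [int]$Top   = 15   # number of busiest (application, direction, destination) tuples to show
)

# XPath filter: only 5156, only the last $Hours hours (timediff is in milliseconds)
$xpath = "*[System[(EventID=5156) and TimeCreated[timediff(@SystemTime) <= $($Hours * 3600000)]]]"

$rows = foreach ($ev in Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue) {
    # Pull the EventData fields out of the event XML by name
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Application = $d['Application']
        # %%14592 = Inbound, %%14593 = Outbound in the 5156 Direction field
        Direction   = if ($d['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
        Source      = "$($d['SourceAddress']):$($d['SourcePort'])"
        Destination = "$($d['DestAddress']):$($d['DestPort'])"
        Protocol    = $d['Protocol']   # IANA number, e.g. 6 = TCP, 17 = UDP
    }
}

$count = @($rows).Count
# Rough volume figure to feed into the retention discussion
"5156 events in last $Hours h: $count  (~{0:N0} per day at this rate)" -f ($count / $Hours * 24)

# The forensic view: which process talked to what, and how often
$rows |
    Group-Object Application, Direction, Destination |
    Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name |
    Format-Table -AutoSize
```

The per-day figure gives a concrete number for the ELM/ESM sizing question, and the grouped table shows the application-to-destination mapping that is the main forensic value of keeping these events locally.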

Re: SIEM: How do you deal with Windows Filtering Platform events?

You have an option on the SIEM collector agent to review the logs you want sent to the receiver. Try unchecking the option for Windows Filtering.

acommons
Message 5 of 10

Re: SIEM: How do you deal with Windows Filtering Platform events?


I suspected that deploying an Agent was going to be a requirement. We have avoided that so far to minimise SIEM footprint.

paul.k
Message 6 of 10

Re: SIEM: How do you deal with Windows Filtering Platform events?


I am trying to avoid the agents as I have over 100 windows servers I am collecting from.

My ESM is an X4 so I have plenty of overhead there, however my ELM is complaining that it will not give me enough retention even at high compression.

I was wondering if I write a filter specific for this event ID and uncheck send to ELM, will it actually be sent to ESM only?

This would probably be enough to meet my minimal retention period without compromising my long term requirements.

Thank You.

Re: SIEM: How do you deal with Windows Filtering Platform events?

Just as an FYI, if you have ePO deployed, it would make the process of deploying agents across all 100 servers fast and convenient. If you don't want to deploy agents then yes, you can filter on that specific event ID and uncheck the Logging box on the data source.

paul.k
Message 8 of 10

Re: SIEM: How do you deal with Windows Filtering Platform events?


In fact I do.

I did not know ePO supports McAfee log collection agents (mind blown). Are you referring to the ePO ability to execute shell scripts on each device, or is there an actual documented process?

Still going to avoid agents (for now at least).

I'll look at the filter option as I originally stated.

Re: SIEM: How do you deal with Windows Filtering Platform events?

ePO can deploy SIEM agents just like any other ePO package. I've attached the how-to.

paul.k
Message 10 of 10

Re: SIEM: How do you deal with Windows Filtering Platform events?


Thanks