I've just started working with SIEM (9.6.0 MR 3 Combo box) and would like to know what each part in a signature ID represents.
I've seen this information somewhere, but am unable to find it now.
For example, the signature ID "43-263047400" (Account lockout).
I have already figured out that 43-263047400 represents the event ID in Windows. What do the other parts of the ID represent?
Is someone able to explain or point me to some documentation on this please?
There is no official documentation for this.
But the 43- stands for all Windows events parsed with the Standard Windows Parser and collected via WMI; for the other parts there is no information.
Additionally, you can look at the data source rules in the policy and note the device type for the data source, i.e. Windows data sources will be device type 43.