
Signature ID explanation

Good Afternoon,

I've just started working with SIEM (9.6.0 MR 3 Combo box) and would like to know what each part in a signature ID represents.

I've seen this information somewhere, but am unable to find it now.

For example the signature id "43-263047400" (Account lockout).

I have figured out already that the 43-263047400 represents the event ID in Windows. What do the other parts of the ID represent?

Is someone able to explain or point me to some documentation on this please?

Kindly advise.

Regards,

K

0 Kudos
4 Replies
xded
Level 12

Re: Signature ID explanation

Hi kevinsweeting,

There is no official documentation for this.

But the 43- stands for all Windows events parsed with the Standard Windows Parser and collected via WMI, and for the other parts there is no information.

0 Kudos
itgfcsys
Level 9

Re: Signature ID explanation

Additionally, you can look at the data source rules in the policy and note the device type for the data source, i.e. Windows data sources will be device type 43.

0 Kudos

Re: Signature ID explanation

OK thank you.

0 Kudos
McAfee Employee

Re: Signature ID explanation

0 Kudos