5 Replies Latest reply on Jun 18, 2013 4:53 AM by epoquito

    MS eventlog event ID

    epoquito

      Is it possible McAfee SIEM does not parse the event ID of Microsoft events?

      For example, event 4634 is the ID of the event "An account was logged off". I can see the description in the Rule Message attribute; however, the Windows Event ID itself does not seem to be stored in any of the event attributes. It would be much easier to define alarms, correlations etc. having this Windows Event ID stored with the event in the SIEM. Do you know whether it is possible to access it or not?

      Thank you.

        • 1. Re: MS eventlog event ID
          infosec_wizard

          The Windows Event ID is not grepped out by McAfee SIEM. If you look in the "Description" section of the event, you can see the Windows Event ID there. When creating Alarms, use the Signature ID for whatever event you want to create an alarm for. The Signature ID is what McAfee SIEM assigns to individual event types. So if you find the event that matches up to Windows event ID "4634", the Signature ID associated with it will be unique to that event type / ID.

          Thanks,

          • 2. Re: MS eventlog event ID
            kcole

            We support a filter for Windows Event IDs.  It can be found when you access the Signature ID filter in the Windows tab.  To use this filter, type in the Event ID number and then select the group(s) that the number belongs to.  There are situations where multiple Windows groups use the same event ID, so you need to select the ones that you would like to use.  Then refresh your view.

            windows filter.png

            windows filter 1.png

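The two replies above describe the same gap from two sides: the Windows Event ID is only present in the free-text Description (infosec_wizard), and one Event ID can belong to several Windows groups, so the number alone is ambiguous (kcole). The script below is an added example, not code from the thread or from McAfee: it pulls the Event ID and provider out of the description text of exported events and maps each (provider, Event ID) pair to the Signature IDs an alarm would need. The record layout, field names and the "Provider: ... EventID: ..." description format are assumptions for the example; the Signature ID 43-263046340 for event 4634 is the one kcole quotes, and the other Signature IDs and the second provider are constructed to show a collision.

```python
import re
from collections import defaultdict

# Constructed sample of events as a SIEM might export them. Field names and the
# layout of the description text are assumptions for this example; McAfee SIEM's
# real export format is not shown in the thread. 43-263046340 is the Signature ID
# quoted in the thread for event 4634; every other value below is made up.
SAMPLE_EVENTS = [
    {"signature_id": "43-263046340",
     "rule_message": "An account was logged off",
     "description": "Provider: Microsoft-Windows-Security-Auditing EventID: 4634 Account: alice"},
    {"signature_id": "43-100000001",
     "rule_message": "An account was successfully logged on",
     "description": "Provider: Microsoft-Windows-Security-Auditing EventID: 4624 Account: bob"},
    {"signature_id": "43-100000003",
     "rule_message": "A service entered the running state",
     "description": "Provider: Service Control Manager EventID: 7036 Service: Spooler"},
    # Constructed collision: a different Windows group reusing the number 4634.
    {"signature_id": "43-100000002",
     "rule_message": "Unrelated entry from another log",
     "description": "Provider: Microsoft-Windows-Example-Provider EventID: 4634 Detail: n/a"},
    # A description with no Event ID at all, to show the parser skipping it.
    {"signature_id": "43-999",
     "rule_message": "Unparsed",
     "description": "no id here"},
]

# Tolerant patterns: "EventID: 4634", "Event ID = 4634" and similar spellings.
EVENT_ID_RE = re.compile(r"\bEvent\s*ID\s*[:=]\s*(\d{1,5})\b", re.IGNORECASE)
PROVIDER_RE = re.compile(r"\bProvider\s*[:=]\s*(.+?)\s+Event\s*ID\b", re.IGNORECASE)


def extract_windows_event_id(description):
    """Return the Windows Event ID found in the description text, or None."""
    m = EVENT_ID_RE.search(description)
    return int(m.group(1)) if m else None


def extract_provider(description):
    """Return the event provider (Windows group) named in the description, or None."""
    m = PROVIDER_RE.search(description)
    return m.group(1).strip() if m else None


def build_signature_map(events):
    """Map (provider, windows_event_id) -> set of Signature IDs seen for that pair.

    Keying on the provider as well as the number is what tells apart the same
    Event ID used by two different Windows groups, the situation kcole describes.
    """
    index = defaultdict(set)
    for ev in events:
        event_id = extract_windows_event_id(ev["description"])
        if event_id is None:
            continue  # description carries no Event ID; nothing to index
        provider = extract_provider(ev["description"]) or "unknown"
        index[(provider, event_id)].add(ev["signature_id"])
    return index


def signature_ids_for(events, event_id, provider=None):
    """Return the sorted Signature IDs an alarm would need for a Windows Event ID.

    With provider=None every group that uses the number is included, so the
    caller sees immediately when one Event ID maps to more than one Signature ID
    and needs to pick the right group.
    """
    index = build_signature_map(events)
    hits = set()
    for (prov, eid), sigs in index.items():
        if eid == event_id and (provider is None or prov == provider):
            hits |= sigs
    return sorted(hits)


if __name__ == "__main__":
    for eid in (4634, 4624, 7036, 1102):
        print(eid, signature_ids_for(SAMPLE_EVENTS, eid))
    print(4634, signature_ids_for(SAMPLE_EVENTS, 4634,
                                  provider="Microsoft-Windows-Security-Auditing"))
```

Running it against the constructed sample shows 4634 resolving to two Signature IDs until the provider is supplied, which is the same selection the Windows tab filter asks for; an alarm built from the wrong one would fire on the wrong event type.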
            • 3. Re: MS eventlog event ID
              infosec_wizard

              You would still need to use the Signature ID to create an alarm for those events though right? Or can you use the filter syntax that it uses in the SignatureID Field for the Alarm as well (like Microsoft-Windows-Security-Auditing 4634)?

              • 4. Re: MS eventlog event ID
                kcole

                You are correct.  Right now the Windows tab is available in the views and reports and not in the alarms, so you would need to use the Signature ID for that particular event (i.e. 43-263046340).


                I do not believe that there is a Product Enhancement Request for this tab to be in the alarms, but I'll double-check.

                • 5. Re: MS eventlog event ID
                  epoquito

                  Thank you guys, the filtering feature seems pretty OK. Defining the alarm is a bit more complicated than just defining the Event ID.