2 Replies Latest reply on Mar 5, 2015 5:25 PM by suhaimi

    How to use query wizard to view Window Event ID : 672, 4768, 673 & 4769 in the McAfee ESM Event view table

    suhaimi

      Hi All,


      Good morning! I am Suhaimi and I am very new to this McAfee ESM tool. I have been using this tool for 4 days now and I am learning new things every day. At first I was very confused about how to generate the view and extract the log from the server. However, I managed to find my way into using this tool, but I am still cracking my head over how to use the Query Wizard and look for the Windows Event IDs that I want to trace. I really like the speed of this tool compared to my previous SIEM. I know some of you guys here have already used this tool for a long time, and I would really appreciate it if you could help me with my question regarding "How to use query wizard to view Window Event ID : 672, 4768, 673 & 4769 in the McAfee ESM Event view table". The thing is, I know how to use the Query Wizard to pull Event IDs 672, 4768, 673 & 4769; I know that in ESM the "Signature ID" is 43-211006720, 43-263047680, 43-211006731, 43-263047690. However, I still have not managed to export the column field information that I want, such as the Windows Event details User Name, Service Name and Client Address from the original Event message.


      I hope you guys can give me some pointers on how to accomplish this. Below are sample Windows Event IDs 672 and 673; can you let me know what the column fields represent in McAfee ESM, so that I can query them and get the right data? I really appreciate your advice and thank you very much in advance.


      Windows Event 672 & 673 = 43-211006720 & 43-211006731

      User Name = field name?

      Service Name = field name?

      Client Address = field name?


      [Attachments: 672.gif, 673.gif (screenshots of the sample Event 672 and 673 messages)]

      Regards,

      Suhaimi
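Added example, not part of the post above and not McAfee's code: since the ESM column names for these fields are exactly what the question is asking for, this snippet instead shows where User Name / Account Name, Service Name and Client Address sit inside the raw Windows event text for the legacy 672/673 events and their Vista-and-later equivalents 4768/4769, and parses them out so the same three values can be compared against whatever the SIEM shows. The two event bodies are constructed samples in the "Label:<tab>value" layout Windows uses for its event descriptions; the function names and the normalisation choices (treating "User Name" and "Account Name" as the same field, stripping the IPv4-mapped IPv6 prefix) are this example's own assumptions.

```python
import re
from typing import Dict

# Constructed sample of a Windows Security event 4768 description
# (Kerberos TGT request). Not a real capture.
SAMPLE_4768 = """A Kerberos authentication ticket (TGT) was requested.

Account Information:
\tAccount Name:\t\tjdoe
\tSupplied Realm Name:\tEXAMPLE
\tUser ID:\t\t\tEXAMPLE\\jdoe

Service Information:
\tService Name:\t\tkrbtgt
\tService ID:\t\tEXAMPLE\\krbtgt

Network Information:
\tClient Address:\t\t::ffff:10.0.0.25
\tClient Port:\t\t51234

Additional Information:
\tTicket Options:\t\t0x40810010
\tResult Code:\t\t0x0
\tTicket Encryption Type:\t0x12
\tPre-Authentication Type:\t2
"""

# Constructed sample of the legacy event 672 (Windows Server 2003 era),
# which labels the requesting principal "User Name" rather than "Account Name".
SAMPLE_672 = """Authentication Ticket Request:
\tUser Name:\t\tjdoe
\tSupplied Realm Name:\tEXAMPLE
\tUser ID:\t\tEXAMPLE\\jdoe
\tService Name:\t\tkrbtgt
\tService ID:\t\tEXAMPLE\\krbtgt
\tTicket Options:\t\t0x40810010
\tResult Code:\t\t-
\tTicket Encryption Type:\t0x17
\tPre-Authentication Type:\t2
\tClient Address:\t\t10.0.0.25
"""

# One "Label:<whitespace>value" pair per line. Section headers such as
# "Account Information:" have no value after the colon and are skipped.
_PAIR = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s+(.+?)\s*$")


def parse_event_message(message: str) -> Dict[str, str]:
    """Return every label -> value pair found in a Windows event description."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = _PAIR.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def kerberos_summary(message: str) -> Dict[str, str]:
    """Pull out the three fields from the post (plus the result code) and
    normalise them across the 672/673 and 4768/4769 layouts."""
    f = parse_event_message(message)
    # 4768/4769 say "Account Name"; 672/673 say "User Name". Same thing.
    user = f.get("Account Name") or f.get("User Name", "")
    addr = f.get("Client Address", "")
    # 4768/4769 report IPv4 clients as IPv4-mapped IPv6 addresses.
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    return {
        "user_name": user,
        "service_name": f.get("Service Name", ""),
        "client_address": addr,
        "result_code": f.get("Result Code", ""),
    }


if __name__ == "__main__":
    for label, sample in (("4768", SAMPLE_4768), ("672", SAMPLE_672)):
        print(label, kerberos_summary(sample))
```

Running the block prints the same three values for both event generations, which is the point: whichever ESM columns end up holding them, the source data is the same "User Name"/"Account Name", "Service Name" and "Client Address" lines of the event text, so a value extracted this way from a raw event can be used to confirm a candidate column mapping.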