9 Replies Latest reply on Sep 10, 2015 1:53 PM by paul.k

    SIEM: How do you deal with Windows Filtering Platform events?

    paul.k

      I am sure this has been asked before by my search has so far been fruitless.

       

      What do most of you do with windows filtering events.

       

      Particularly Sig ID 43-263051560, Win event ID 5156

       

      These are very numerous and I am struggling to find a justification to continue collecting them, both short and long term.

       

      My only thought is that it does record the application that made the network connection and it could potentially have some forensic value.

       

      Any thoughts and suggestions on how to manage this beast of an event would be greatly appreciated.

       

       

      Thank You,

       

      Paul