5 Replies Latest reply on Feb 15, 2017 8:59 AM by xded

    Parsing Windows Events

    tallmega

      Hello ESM Operators!


      I've been trying to create a correlation rule that detects the behavior in this article: Detecting Kerberoasting Activity (Active Directory Security).


      If you aren't an AD guy, don't worry - the long and short of it is I have a Windows event that includes a bit of data that is not already a field in the custom types or details tabs when viewing the event in ESM, but I need to use it in a correlation rule. The data I need to evaluate is in %6 and the description of the Windows event.


      How can I parse Windows events beyond what ESM does out of the box, so I can create a correlation rule based on some information in that event?


      Thanks!
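As an added example (not from this thread and not ESM's own parser syntax), here is a small Python script showing how the %N placeholders in a Windows event's message text line up with the EventData fields, and how the linked article's Kerberoasting condition can be applied once %6 is extracted. It assumes the exported-XML layout of event 4769, where %3 is ServiceName and %6 is TicketEncryptionType; the events it parses are constructed samples, not real captures.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4769 template (sample values, not a real capture) in exported-XML layout.
TEMPLATE_4769 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><Computer>dc01.example.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe@EXAMPLE.LOCAL</Data>
    <Data Name="TargetDomainName">EXAMPLE.LOCAL</Data>
    <Data Name="ServiceName">{service}</Data>
    <Data Name="ServiceSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">{enc}</Data>
    <Data Name="IpAddress">{client}</Data>
    <Data Name="IpPort">51234</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>"""

def make_4769(service, enc, client="::ffff:10.0.0.25"):
    return TEMPLATE_4769.format(service=service, enc=enc, client=client)

def parse_event(xml_text):
    """Return (event_id, params). In the rendered message, %N is the N-th
    <Data> element in document order, so params[N] holds that value; the same
    value is also stored under its Name attribute (for 4769, %3 is ServiceName
    and %6 is TicketEncryptionType)."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    params = {}
    for n, d in enumerate(root.findall("e:EventData/e:Data", NS), start=1):
        params[n] = d.text or ""
        if d.get("Name"):
            params[d.get("Name")] = params[n]
    return event_id, params

def is_kerberoast_candidate(event_id, params):
    """Rule from the linked article: 4769, RC4 ticket (0x17), service is not
    krbtgt and not a computer account (name ending in $)."""
    enc = params.get(6, "").lower()   # %6 == TicketEncryptionType
    svc = params.get(3, "")           # %3 == ServiceName
    return (event_id == 4769 and enc == "0x17"
            and svc.lower() != "krbtgt" and not svc.endswith("$"))

def flag_events(xml_events):
    """Return (service, client) pairs for the events that match the rule."""
    parsed = [parse_event(x) for x in xml_events]
    return [(p["ServiceName"], p["IpAddress"]) for eid, p in parsed if is_kerberoast_candidate(eid, p)]
```

Whatever the SIEM, the point is the same: the positional parameter the event description calls %6 is a named EventData field, so a custom parser needs to expose that field before a correlation rule can compare it.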