This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

alert windows's events

NikitaBuzlov
Beginner
Beginner

‎2017-09-26 09:27 AM

Hello. Could u help me to make alert. This alert should work for

0 Likes
3 REPLIES 3

NikitaBuzlov
Beginner
Beginner

‎2017-09-26 09:28 AM

This alert should work for creating, changing and deleting users in the domain.

0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-09-26 09:54 AM

If you create an alert rule using the following, it should give you what you are looking for.

 

 

**************

 

 

/*
This basic template is a placeholder for defining basic EPL content that can be
installed and executed in ESA. The sample below is the minimum that would be
required to get started.

Version: 4.0
*/


/*
Module debug section. If this is empty then debugging is off.
*/

/* EPL section. If there is no text here it means there were no statements. */

module Module_54768373e4b0e51f47f9a9a7;




@Name('Module_54768373e4b0e51f47f9a9a7_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)

SELECT * FROM Event(
/* Statement: Windows Events */
(reference_id IN ( '4720' ) OR reference_id IN ( '4726' ) OR reference_id IN ( '4728' ))
AND
/* Statement: windows */
(device_type IN ( 'winevent_nic' ))

)



;

0 Likes

NikitaBuzlov
Beginner
Beginner

‎2017-10-10 07:00 AM

Hello,

 

Is it possible to create alert without ESA module?

 

How should I find logs of create\delete user account (with investigateion->navigate) from window's hosts? I do searching by "device.host", but after that cant find necessary information in the logs.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.