This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Software Installation and Uninstallation Alert configuration

Issac08
Beginner
Beginner

‎2017-10-15 03:52 AM

Hi All,

 

   We  are planning to enable Software Installation and Uninstall alerts for windows and Linux servers, What type of rules i should make ...and in what all use cases this alerts must trigger. i:e We have some approved sw from our end we don't want all these alerts. 

Labels:
0 Likes
4 REPLIES 4

EricPartington
Employee
Employee

‎2017-10-16 09:23 AM

I would research the windows and unix events that are triggered during software installations and make sure your enterprise logging policy has those enabled.  once you get the events you can make your alerts and reports based on allowed product whitelists/blacklists.

 

Without the correct event types coming into the SIEM you wont be able to start writing your alerts/reports.

0 Likes

Issac08
Beginner
Beginner
In response to EricPartington

‎2017-10-16 10:25 AM

can you please some basic events 

0 Likes

Issac08
Beginner
Beginner
In response to Issac08

‎2017-10-17 10:32 AM

Any help?

0 Likes

EricPartington
Employee
Employee
In response to Issac08

‎2017-10-18 03:39 PM

Does your logging policy on Windows cover these events?

 

http://eventlogs.blogspot.com/2007/11/tracking-software-installation-and.html

 

if so I would start with these event ID's and base your alerts on what is extracted from them.

 

to check

event.cat.name = 'Config.Software.Installed'

 

you might see events like this

2017-10-18_15h34_49.png

or this

 

2017-10-18_15h35_43.png

and build alerts based on what you want to alert on.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.