You are probably better off removing the level and event_id filters, unless there are specific event_ids you want to exclude, or you have a known list of event_ids you want.

Here we are going to look for Event ID 4740.

Search all occurrences of a field within index B, with additional filters, 5 minutes after the initial event time that occurred in index A. Example using Windows logs: after every successful login via event ID 4624 (index="security") for a particular user on a host, search all Sysmon event ID 1 (index="sysmon") process creation events on that …

Event ID 4624 is generated when a user logs on successfully to the computer. This Event ID is also commonly monitored by SIEM systems to identify potential security threats or brute-force login attempts.