It's one thing to know we can track all Windows events and see alarms when the correlation engine in AlienVault USM Anywhere detects an anomaly. Beyond the built-in rules that already analyze Windows data and alert us from the start, what about creating our own alarms, notifications and views based on specifics such as Windows Event IDs? Tracking by Windows Event ID is practical, so let's use USM to accomplish it.
Let's first create a view that tracks three Windows Event IDs over a 24-hour period. In USM Anywhere, navigate to Activity --> Events. On this page, filter by Windows NxLog under the Data Source Plugin section; this removes every other event and leaves only the Windows Event Logs. Next, click the filter icon next to the Search & Filters bar.
On the Filters Configuration page, search for "Reporting Device Rule ID". This is the identifier the data source (the reporting device) assigned to the event when it generated it; when the reporting device is Windows, it is the Windows Event ID. Select it, click the right arrow to add it to the list of filters shown on the Events page, and press Apply.
Back on the Events page, the "Reporting Device Rule ID" filter now appears alongside the results, aggregated by Windows Event ID. Clicking the padlock icon switches it to the unlocked position so you can choose multiple values; in this case I chose three different IDs and applied the filter.
With the filter set on the data source and my selected Windows Event IDs, I can save this as a view to return to whenever I need to pull specific Windows events by Event ID. On the top right there is a Save option; choose Save As to create a custom view. The same page can also export the data as a report, dumped to CSV or HTML, or printed or saved as PDF.
What if we want a notification rule that emails us when a certain Windows Event ID is reported? No problem: when creating an Orchestration Rule, we use the same Reporting Device Rule ID attribute and specify the Windows Event ID.
Let's take a Windows event as the example, in this case "Engine state is changed from Available to Stopped." This is Windows Event ID 403, which Windows PowerShell writes to the Windows PowerShell event log whenever a PowerShell engine shuts down. We can now create a Notification Rule and set up the condition so we are notified on that Windows Event ID.
Under Rule Name, I gave it a descriptive name for easy identification during rule management, chose Email as the Notification Method, added the Destination Email the alert should go to, and added a descriptive Email Subject. Under Rule Condition, I typed Reporting Device Rule ID in the field, chose Equals as the operator, and entered 403 for the Windows Event ID. Save the rule, and it will now apply to these Windows events going forward.
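Before trusting either the saved view or the notification rule, it is worth confirming on the endpoint that the events actually exist and that the rule has something to fire on. The following PowerShell is an added example, not part of the original post and not AlienVault's code: part 1 pulls a set of Event IDs over the last 24 hours and exports them to CSV, mirroring the saved view, and part 2 generates an Event ID 403 on demand and looks it up, mirroring the notification rule's condition. The three Security-log IDs, the use of the Security log, and the temp CSV path are assumptions; substitute the IDs and log you selected in USM.

```powershell
# Added example (not from the original post or from AlienVault): cross-check the
# USM view and notification rule against the event logs on the Windows host.
# Assumptions: elevated Windows PowerShell on a host whose logs NXLog forwards
# to USM Anywhere; $ViewIds and the Security log are placeholders for the three
# IDs you actually picked in the view.

# --- 1. Reproduce the saved view: chosen Event IDs over the last 24 hours ---
$ViewIds = 4624, 4625, 4672                # placeholder IDs; use your own three
$Since   = (Get-Date).AddHours(-24)

$viewEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'                 # assumed log; match your data source
    Id        = $ViewIds
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Aggregate by Event ID, the same bucketing the "Reporting Device Rule ID"
# filter shows on the USM Events page, so the counts can be compared directly.
$viewEvents | Group-Object Id |
    Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count |
    Sort-Object EventID | Format-Table -AutoSize

# Export the same window as CSV for side-by-side comparison with the USM export.
$viewEvents |
    Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
    Export-Csv -Path "$env:TEMP\windows-events-24h.csv" -NoTypeInformation

# --- 2. Verify the notification rule's trigger (Event ID 403) ---------------
# Event ID 403 "Engine state is changed from Available to Stopped" is written to
# the "Windows PowerShell" log when a PowerShell engine shuts down, so starting
# and immediately exiting a child powershell.exe produces one on demand.
$marker = Get-Date
Start-Process powershell.exe -ArgumentList '-NoProfile', '-Command', 'exit' `
    -Wait -WindowStyle Hidden

$stopped = Get-WinEvent -FilterHashtable @{
    LogName   = 'Windows PowerShell'
    Id        = 403
    StartTime = $marker
} -ErrorAction SilentlyContinue

if ($stopped) {
    "Event ID 403 logged at $($stopped[0].TimeCreated); the USM rule (Reporting Device Rule ID Equals 403) now has a matching event to send."
} else {
    "No Event ID 403 since $marker; check that the Windows PowerShell log is enabled and that NXLog collects it."
}
```

If the counts in part 1 differ from what the USM view shows, the gap is usually NXLog collection (log not configured, or events older than the collector's start) rather than the view itself; if part 2 logs a 403 locally but no email arrives, the rule condition and destination address are the first things to re-check.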
That's it! With USM Anywhere, creating views and notifications takes just a few minutes and can be done on demand. You will have the satisfaction of knowing you are covered, both for reporting on defined views and for receiving proactive notifications.
If anyone has questions about what we covered, please leave a comment. Also, if there are other views or anything else specific you would like to see, just let me know. See you next time!