Notification on Raw Log data


Just as the topic says, can AlienVault read and alert/notify on Windows event raw log data?

For example

Event Name: User Account Management

In the raw log data there is a “Don’t Expire Password” attribute, which means that the password is set to never expire.
If we use the Custom Field condition and have it set to Contains and the condition is “Expire Password”, will AlienVault notify on this event?

  • Hello @scatester,

       As long as the rule is configured as a 'contains' and the spelling is correct, I do not see any reason why this would not work.


    - kratos
  • Greetings,

    For messages stored in raw logs you can create an email notification rule using the raw log field.

    From the Activity - Events page, query to see just the events that contain this specific “Don’t Expire Password”.

    Click on one event; from the Detailed view,
    click Create Notification Rule.
    Simply remove all non-related fields and create a rule as:
    Packet Type  -  Equals    -  Log
    Raw Log      -  Contains  -  "Don't Expire Password"

    (packet_type == 'log' AND log contains '"Don\'t Expire Password"')
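The rule shown in the answer above, simulated over a few constructed Windows Security event lines. This is an added example, not AlienVault code or anything posted in this thread; the event text is modelled on Event ID 4738 ("A user account was changed") and its exact field layout, including the "'Don't Expire Password' - Enabled" form of the User Account Control field, is an assumption. Two things a practitioner will want to see: a plain "contains" match on "Expire Password" fires on the attribute whether it is reported as Enabled or Disabled, and a condition typed with a curly apostrophe (’, U+2019, as a web page or word processor may render it) never matches the straight apostrophe Windows actually writes, which is why the answer's expression escapes a straight one.

```python
"""Simulate an AlienVault-style 'Packet Type equals Log AND Raw Log contains X'
notification rule over constructed Windows Security event text (added example,
not AlienVault code)."""
import re

# Constructed sample events. The 4738 field layout below is an assumption
# based on how Windows renders the User Account Control field.
SAMPLE_EVENTS = [
    {"packet_type": "log", "log": (
        "4738 Microsoft-Windows-Security-Auditing A user account was changed. "
        "Subject: Account Name: helpdesk01 "
        "Target Account: Account Name: svc_backup "
        "User Account Control: 'Don't Expire Password' - Enabled")},
    {"packet_type": "log", "log": (
        "4738 Microsoft-Windows-Security-Auditing A user account was changed. "
        "Subject: Account Name: helpdesk01 "
        "Target Account: Account Name: jdoe "
        "User Account Control: 'Don't Expire Password' - Disabled")},
    {"packet_type": "log", "log": (
        "4738 Microsoft-Windows-Security-Auditing A user account was changed. "
        "Subject: Account Name: helpdesk01 "
        "Target Account: Account Name: jsmith "
        "User Account Control: 'Normal Account' - Enabled")},
    # Same text but not a raw log packet: the Packet Type condition excludes it.
    {"packet_type": "alert", "log": (
        "Target Account: Account Name: decoy "
        "User Account Control: 'Don't Expire Password' - Enabled")},
]

TARGET_RE = re.compile(r"Target Account:\s*Account Name:\s+(\S+)")
NEVER_EXPIRE_ENABLED_RE = re.compile(r"'Don't Expire Password' - Enabled")


def target_account(log):
    """Pull the target account name out of the raw log text."""
    m = TARGET_RE.search(log)
    return m.group(1) if m else "<unknown>"


def raw_log_contains(events, needle, packet_type="log"):
    """Equivalent of: packet_type == 'log' AND log contains needle.
    Returns the target account of every event the rule would notify on.
    Plain case-sensitive substring match, like the UI's 'Contains' condition."""
    return [target_account(ev["log"]) for ev in events
            if ev["packet_type"] == packet_type and needle in ev["log"]]


def straighten(needle):
    """Replace a curly apostrophe (U+2019) with the straight one Windows logs use."""
    return needle.replace("\u2019", "'")


def never_expire_enabled(events, packet_type="log"):
    """Tighter check: only notify when the flag was actually set to Enabled,
    not merely mentioned as Disabled in the changed-attributes list."""
    return [target_account(ev["log"]) for ev in events
            if ev["packet_type"] == packet_type
            and NEVER_EXPIRE_ENABLED_RE.search(ev["log"])]


if __name__ == "__main__":
    print("contains 'Expire Password':", raw_log_contains(SAMPLE_EVENTS, "Expire Password"))
    curly = "Don\u2019t Expire Password"
    print("curly apostrophe:", raw_log_contains(SAMPLE_EVENTS, curly))
    print("straightened:", raw_log_contains(SAMPLE_EVENTS, straighten(curly)))
    print("enabled only:", never_expire_enabled(SAMPLE_EVENTS))
```

Running it shows the substring rule firing on both svc_backup (flag enabled) and jdoe (flag disabled), nothing for the curly-apostrophe condition, and only svc_backup for the Enabled-only check; if the tenant only cares about accounts being set to never expire, the stricter pattern is the one to put in the Raw Log condition.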

