| # | Architecture/Application | Rule Name | Description | Index name | Requirements | Source | Time definition | Threshold |
|---|---|---|---|---|---|---|---|---|
| 1 | Windows | Windows - Admin night logon | Alert on Windows login events when detected outside business hours | winlogbeat-* | winlogbeat | Windows Security Eventlog | Every 1min | 1 |
| 2 | Windows | Windows - Admin task as user | Alert when an admin task is initiated by a regular user. | | | | | |

If the user does not belong to the admin list AND the event is seen, then we generate an alert. Windows event ID 4732 is checked against a static admin list.

Note: when using `hive_alert_config_type: classic`, the following parameters are ignored: