Hello. Could you help me to make an alert? This alert should work for creating, changing and deleting users in the domain.
If you create an alert rule using the following, it should give you what you are looking for.
/* This basic template is a placeholder for defining basic EPL content that can be installed and executed in ESA. The sample below is the minimum that would be required to get started. Version: 4.0 */
/* Module debug section. If this is empty then debugging is off. */
/* EPL section. If there is no text here it means there were no statements. */
@Name('Module_54768373e4b0e51f47f9a9a7_Alert') @Description('') @RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
    /* Statement: Windows Events */ (reference_id IN ('4720', '4726', '4728'))
    AND /* Statement: windows */ (device_type IN ('winevent_nic'))
);
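To show what the EPL rule above actually selects, here is an added Python model of its WHERE clause run over a handful of constructed NetWitness-style meta records. It is not code from the thread or from RSA; it assumes events are dicts keyed by the meta names the EPL uses (reference_id, device_type) plus user_src, user_dst, device_host and an event_time in seconds. It goes slightly beyond the posted rule in two ways: it adds event ID 4738 ("A user account was changed"), which covers the "changing users" part of the question that the posted rule's 4728 (group membership added) does not, and it models the @RSAAlert(oneInSeconds=N) suppression window so you can see what oneInSeconds=0 (alert on every match) means in practice. The suppression behaviour is an assumed simplification of the annotation.

```python
# Added example: stand-alone model of the ESA EPL filter from the answer above.
# Not code from the thread or from RSA NetWitness. Sample events below are
# constructed, not real Windows logs.

# Event IDs named in the posted EPL (4720, 4726, 4728) plus 4738, which is the
# Windows event for "A user account was changed" (added here as a generalization).
EVENT_NAMES = {
    "4720": "A user account was created",
    "4726": "A user account was deleted",
    "4728": "A member was added to a security-enabled global group",
    "4738": "A user account was changed",
}
WATCHED_EVENT_IDS = set(EVENT_NAMES)

# The posted rule only matches this device_type; hosts collected through a
# different Windows log source type would be silently missed.
WATCHED_DEVICE_TYPES = {"winevent_nic"}


def matches_rule(event):
    """Mirror of the EPL clause:
    reference_id IN (...) AND device_type IN ('winevent_nic')."""
    return (str(event.get("reference_id", "")) in WATCHED_EVENT_IDS
            and event.get("device_type") in WATCHED_DEVICE_TYPES)


def describe(event):
    """Human-readable alert line built from the meta keys (assumed names)."""
    return "{} on {}: {} (actor={}, target={})".format(
        event["reference_id"], event.get("device_host", "?"),
        EVENT_NAMES[str(event["reference_id"])],
        event.get("user_src", "?"), event.get("user_dst", "?"))


def run_rule(events, one_in_seconds=0):
    """Apply the filter in time order.

    one_in_seconds models @RSAAlert(oneInSeconds=N) as a global suppression
    window (assumed simplification): after an alert fires, further matches
    within N seconds are dropped. 0 means every match alerts, as in the posted rule.
    """
    alerts = []
    last_alert_time = None
    for event in sorted(events, key=lambda e: e["event_time"]):
        if not matches_rule(event):
            continue
        t = event["event_time"]
        if one_in_seconds and last_alert_time is not None \
                and t - last_alert_time < one_in_seconds:
            continue  # suppressed by the alert window
        alerts.append(event)
        last_alert_time = t
    return alerts


# Constructed sample meta records (not real logs).
SAMPLE_EVENTS = [
    {"reference_id": "4720", "device_type": "winevent_nic", "event_time": 0,
     "device_host": "DC01", "user_src": "jdoe", "user_dst": "svc-backup"},
    {"reference_id": "4624", "device_type": "winevent_nic", "event_time": 1,
     "device_host": "DC01", "user_src": "jdoe", "user_dst": "jdoe"},      # logon, ignored
    {"reference_id": "4738", "device_type": "winevent_nic", "event_time": 2,
     "device_host": "DC01", "user_src": "jdoe", "user_dst": "svc-backup"},
    {"reference_id": "4726", "device_type": "other_collector", "event_time": 3,
     "device_host": "DC02", "user_src": "jdoe", "user_dst": "tmp-user"},  # wrong device_type, ignored
    {"reference_id": "4726", "device_type": "winevent_nic", "event_time": 70,
     "device_host": "DC01", "user_src": "jdoe", "user_dst": "svc-backup"},
]


def alert_ids(events, one_in_seconds=0):
    """Reference IDs of the events that would fire, in order."""
    return [e["reference_id"] for e in run_rule(events, one_in_seconds)]


if __name__ == "__main__":
    print("oneInSeconds=0 (posted rule):")
    for e in run_rule(SAMPLE_EVENTS):
        print("  " + describe(e))
    print("oneInSeconds=60:")
    for e in run_rule(SAMPLE_EVENTS, one_in_seconds=60):
        print("  " + describe(e))
```

With oneInSeconds=0 the three account events on DC01 each produce an alert; the 4726 from the other collector type is dropped because the rule pins device_type to winevent_nic, which is worth checking against how your Windows hosts actually report in before relying on the rule. With a 60-second window only the first and last fire, which is the trade-off to think about if a bulk provisioning job creates many accounts at once.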
Is it possible to create alert without ESA module?
How should I find logs of create/delete user account (with Investigation -> Navigate) from Windows hosts? I do searching by "device.host", but after that I can't find the necessary information in the logs.