Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-22 16:39:01 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 121
fleet/schema/tables/windows_eventlog.yml
Rebecca Cowart bf83f0309b
Update windows_eventlog.yml (#24711) 
Stray quotation in example query

---------

Co-authored-by: Eric <eashaw@sailsjs.com>
2024-12-12 15:31:32 -06:00

19 lines
1 KiB
YAML
Raw Blame History

name: windows_eventlog
examples: |-
Tracking user account changes is a key part of both detection & incident response. This query lists all Windows Eventlogs from the Security channel with an EventID of 4720 - A user account was created. There are many other relevant EventIDs that should be monitored as well:
- [4722: Account enabled](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4722)
- [4724: Password reset](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724)
- [4728: Added to a security-enabled global group](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728)
```
SELECT datetime,computer_name,data FROM windows_eventlog WHERE eventid=4720 AND channel='Security'
```
notes: |-
* This is not an evented table - instead, it pulls directly from the local system's existing eventlogs.
* The information returned in the `data` column will be JSON formatted, which will require additional parsing.
Reference in a new issue View git blame Copy permalink