Hi,
I am trying to set a filter to alert me for a specific Windows security event. I have set up the rules, but I am not getting any alerts. Am I setting the filter the correct way? The screenshot is attached.
Thanks,
So, the first thing I'd do is put all those criteria in a User Defined Group (UDG). I'm a nice guy, so I already made one and attached it to this post so you can download and import it (the CSV). When imported, it'll look something like this:
Instructions on how to import that list can be found here: Import a text file to create a User Defined Group (UDG) - SolarWinds Worldwide, LLC. Help and Support
Now, let's work on the filter. I suspect the issue is that you used a "SecurityEvent" type class, but not everything in the Security Log gets classified as a SecurityEvent. Things like "UserLogonFailure" and other event classes also come from the Security log, so I'd suggest you use the "AnyAlert" Event Group.
Note: Using "AnyAlert" in a filter or an nDepth search is fine, but using "AnyAlert" in a rule is a bad idea and will result in you having a bad time.
The result will look something like this, and again, I'm awesome and attached it to this post so you can import it.
In my lab, none of these events came up, but I double-checked my spelling, so hopefully this shows you what you want to see.
The nice thing is that you can also reference that group in other places, like in nDepth and Rules, so that'll add some flexibility that you won't have by building the events directly into the filter.