I'm new to SEM so excuse my noob question. I am wanting to monitor a specific Windows Security Event and have this rule alert only 1 specific system. Firstly I would just like to get this to alert on the event, and then narrow it down. I am interested in the File Audit event 4663 in the Windows Security log.
So far I have a Windows Security Connector on the node, and a rule with "FileAudit.EventInfo is equal to String "An attempt was made*"". However, I really just want to look out for Event ID 4663, but I cannot see how to do this.
Thanks in advance
Matt