Forum Discussion
Getting Windows Events
Hi folks,
I'm trying to create a query to hunt for newly created "Allowed Ports" in Windows Firewall on a VM.
The monitoring agent is installed and running, but unfortunately event ID 2004 (firewall rule created) is not considered a Security Event by MS; reference below:
https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events
My questions:
1. How do I hunt for 2004 events?
2. If we install Sysmon on the VM, how do we push these events to Azure Sentinel?
BTW: I'm aware of the Windows Firewall connector in Azure Sentinel, but this is for a different case.
Thanks
- nafejeries (Copper Contributor)
I have added the firewall path from Advanced settings, but still the events are not flowing.
- GaryBushey (Bronze Contributor)
nafejeries Based on my testing you are definitely looking at the correct log source. How long have you waited to see if the data shows up?
Update: I added that same log to my Windows Events, created a new Firewall rule, and I did see the value show up in the Event Table
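The following KQL is an added example for the hunt the original poster describes; it is not from the thread or from Microsoft's documentation. It assumes the firewall channel was added to the Windows Event Logs data source under the path "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" (so rows land in the Event table with that EventLog value) and that the 2004 event's EventData XML carries `<Data Name="...">` elements named RuleName, Direction, Action, Protocol, LocalPorts, ApplicationPath, ModifyingUser and ModifyingApplication; verify those names against one of your own events before relying on the extracts.

```kql
// Added example (not from the thread): hunt for Windows Firewall "rule added" events (ID 2004)
// collected through the Windows Event Logs data source into the Event table, and keep only
// rules that newly allow inbound traffic.
// Assumptions to verify against your own events: the EventLog path below, and the Data Name
// values used in the extract() calls.
let lookback = 7d;
Event
| where TimeGenerated > ago(lookback)
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
| where EventID == 2004
// Pull the named fields out of the EventData XML with regex extracts; this avoids having to
// walk the parse_xml() tree by position.
| extend RuleName             = extract(@'<Data Name="RuleName">([^<]*)</Data>', 1, EventData),
         Direction            = toint(extract(@'<Data Name="Direction">(\d+)</Data>', 1, EventData)),
         Action               = toint(extract(@'<Data Name="Action">(\d+)</Data>', 1, EventData)),
         Protocol             = toint(extract(@'<Data Name="Protocol">(\d+)</Data>', 1, EventData)),
         LocalPorts           = extract(@'<Data Name="LocalPorts">([^<]*)</Data>', 1, EventData),
         ApplicationPath      = extract(@'<Data Name="ApplicationPath">([^<]*)</Data>', 1, EventData),
         ModifyingUser        = extract(@'<Data Name="ModifyingUser">([^<]*)</Data>', 1, EventData),
         ModifyingApplication = extract(@'<Data Name="ModifyingApplication">([^<]*)</Data>', 1, EventData)
// Enum values as the firewall service logs them (assumed from the firewall rule schema):
// Direction 1 = Inbound, 2 = Outbound; Action 2 = Block, 3 = Allow;
// Protocol 6 = TCP, 17 = UDP, 256 = Any.
| extend DirectionName = case(Direction == 1, "Inbound", Direction == 2, "Outbound", "Other"),
         ActionName    = case(Action == 3, "Allow", Action == 2, "Block", "Other"),
         ProtocolName  = case(Protocol == 6, "TCP", Protocol == 17, "UDP",
                              Protocol == 256, "Any", tostring(Protocol))
// The hunt itself: anything that opens an inbound port. A LocalPorts value of "*" (any port)
// is the case most worth looking at first.
| where DirectionName == "Inbound" and ActionName == "Allow"
| extend AnyPort = LocalPorts == "*"
| project TimeGenerated, Computer, RuleName, ProtocolName, LocalPorts, AnyPort, ApplicationPath,
          ModifyingUser, ModifyingApplication
| order by AnyPort desc, TimeGenerated desc
```

If the query returns nothing, first confirm the channel is flowing at all with `Event | where EventLog has "Firewall" | summarize count() by EventLog, EventID`; an empty result there means the collection path, not the query, is the problem (a freshly added log path can take some time before its first rows appear). The same Windows Event Logs data source is how a Sysmon channel ("Microsoft-Windows-Sysmon/Operational") reaches the Event table, so the Sysmon half of the question follows the same add-the-path-and-wait procedure, with EventLog filtered to that channel instead.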