Forum Discussion

nafejeries's avatar
nafejeries
Copper Contributor
May 22, 2020

Getting Windows Events

Hi folks,


I'm trying to create a query to hunt newly created "Allowed Ports" in Windows Firewall on a VM.

The monitoring agent is installed and running, but unfortunately event ID 2004 (firewall rule created) is not considered a Security Event by MS 🙂 reference below

https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events


My questions:

1. How to hunt for 2004 events?

2. If we install Sysmon on the VM, how do we push these events to Azure Sentinel?

BTW: I'm aware of the Windows Firewall connector in Azure Sentinel, but this is for a different case.


Thanks



  • nafejeries's avatar
    nafejeries
    Copper Contributor

    I have added the firewall path from Advanced settings, but still the events are not flowing.

    • GaryBushey's avatar
      GaryBushey
      Bronze Contributor

      nafejeries Based on my testing you are definitely looking at the correct log source. How long have you waited to see if the data shows up?

      Update: I added that same log to my Windows Events, created a new Firewall rule, and I did see the value show up in the Event Table
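A hunting query for the first question, added here as an example and not taken from the thread: it reads event 2004 out of the Event table (the table the reply above confirms the firewall log lands in once it is added under Windows Event Logs) and pulls out the new rule's name, ports and the account and program that created it. The EventLog name, the Data element names inside EventData and the numeric direction/action codes are assumptions to verify against one raw 2004 event in your own workspace before relying on the filter.

```kql
// Added example, not from this thread. Assumptions: the firewall log is collected
// into the Event table under the EventLog name below, and the 2004 EventData XML
// carries Data elements named RuleName, Direction, Action, Protocol, LocalPorts,
// ModifyingUser and ModifyingApplication. Check a raw event first.
Event
| where TimeGenerated > ago(7d)
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
| where EventID == 2004   // "A rule has been added to the Windows Firewall exception list"
| extend RuleName      = extract(@'<Data Name="RuleName">([^<]*)</Data>', 1, EventData),
         Direction     = extract(@'<Data Name="Direction">([^<]*)</Data>', 1, EventData),
         Action        = extract(@'<Data Name="Action">([^<]*)</Data>', 1, EventData),
         Protocol      = extract(@'<Data Name="Protocol">([^<]*)</Data>', 1, EventData),
         LocalPorts    = extract(@'<Data Name="LocalPorts">([^<]*)</Data>', 1, EventData),
         ModifyingUser = extract(@'<Data Name="ModifyingUser">([^<]*)</Data>', 1, EventData),
         ModifyingApp  = extract(@'<Data Name="ModifyingApplication">([^<]*)</Data>', 1, EventData)
// Assumed raw code values: Direction 1 = inbound, Action 3 = allow.
// Only newly opened inbound allow rules are of interest for the "Allowed Ports" hunt.
| where Direction == "1" and Action == "3"
| project TimeGenerated, Computer, RuleName, Protocol, LocalPorts, ModifyingUser, ModifyingApp
| order by TimeGenerated desc
```

Drop the Direction/Action filter while validating the field names so that every 2004 event is visible, then narrow once the codes match what the raw EventData shows.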
