SOLVED

Getting Windows Events


Hi folks,

I'm trying to create a query to hunt newly created "Allowed Ports" in Windows Firewall on a VM.

The monitoring agent is installed and running, but unfortunately event ID 2004 (firewall rule created) is not considered a Security Event by MS :) reference below

https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events

My questions:

1- How to hunt for 2004 events?

2- If we install Sysmon on the VM, how to push these events to Azure Sentinel?

BTW: I'm aware of the Windows Firewall connector in Azure Sentinel, but this is for a different case.

Thanks

2 Replies

I have added the firewall path from Advanced settings, but still the events are not flowing.

[screenshot: wf.PNG]

Best Response confirmed by nafejeries (Occasional Contributor)
Solution

@nafejeries Based on my testing you are definitely looking at the correct log source. How long have you waited to see if the data shows up?

Update: I added that same log to my Windows Events, created a new Firewall rule, and I did see the value show up in the Event table.
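A hunting query for the scenario above, added here as an example and not part of the thread. It assumes the channel "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" has been added under Advanced settings > Data > Windows Event Logs (as in the accepted reply), so event 2004 lands in the Event table; that EventData carries the raw event's `<Data Name="RuleName">`, `<Data Name="LocalPorts">` and similar elements; and that RenderedDescription carries the human-readable "Direction:", "Action:" and "Protocol:" lines. Check both assumptions against one test event in your own workspace before trusting the filters. Two practical caveats: the agent only forwards events written after it picks up the new channel, and it can take several minutes, so create a throwaway rule after adding the channel, exactly as the accepted reply did. The same mechanism answers the Sysmon question: add "Microsoft-Windows-Sysmon/Operational" to the same list and those events also arrive in the Event table.

```kql
// Added example (not from the thread): hunt for newly created Windows Firewall rules
// that allow inbound traffic, using the Event table populated by the Log Analytics agent.
// Assumptions: the firewall channel is collected as a Windows Event Log; EventData holds
// <Data Name="..."> elements as in the raw event XML; RenderedDescription holds the
// "Direction: Inbound" / "Action: Allow" / "Protocol: TCP" text lines.
let lookback = 7d;
let firewallLog = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall";
Event
| where TimeGenerated > ago(lookback)
| where EventLog == firewallLog
| where EventID == 2004                              // 2004 = rule added to the exception list
// Fields taken from the raw event XML (assumed <Data Name="X">value</Data> layout in EventData)
| extend RuleName      = extract(@'<Data Name="RuleName">(.*?)</Data>', 1, EventData)
| extend LocalPorts    = extract(@'<Data Name="LocalPorts">(.*?)</Data>', 1, EventData)
| extend ModifyingApp  = extract(@'<Data Name="ModifyingApplication">(.*?)</Data>', 1, EventData)
| extend ModifyingUser = extract(@'<Data Name="ModifyingUser">(.*?)</Data>', 1, EventData)
// Direction/Action/Protocol are numeric codes in the raw XML, so read the rendered text instead
| extend Direction = extract(@"Direction:\s*(Inbound|Outbound)", 1, RenderedDescription)
| extend Action    = extract(@"Action:\s*(Allow|Block)", 1, RenderedDescription)
| extend Protocol  = extract(@"Protocol:\s*(\S+)", 1, RenderedDescription)
// Only inbound allow rules open a port; rules with no port restriction ("Any") deserve a closer look
| where Action == "Allow" and Direction == "Inbound"
| extend OpensAllPorts = isempty(LocalPorts) or LocalPorts =~ "Any"
// One row per host/protocol/port set, so a port that was never allowed before stands out by FirstSeen
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), RuleCount = count(),
            Rules = make_set(RuleName, 20), Apps = make_set(ModifyingApp, 20), Users = make_set(ModifyingUser, 20)
  by Computer, Protocol, LocalPorts, OpensAllPorts
| order by OpensAllPorts desc, FirstSeen desc
```

If EventData in your workspace turns out not to contain the `<Data Name="...">` elements, switch those four `extract` calls to the matching "Rule Name:", "Local Ports:", "Modifying Application:" and "Modifying User:" lines of RenderedDescription; the inbound/allow filter already relies only on the rendered text, so the core hunt keeps working either way.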