SOLVED

Getting Windows Events


Hi folks,

 

I'm trying to create a query to hunt for newly created "Allowed Ports" in Windows Firewall on a VM.

The monitoring agent is installed and running, but unfortunately event ID 2004 (firewall rule created) is not considered a Security Event by MS :) reference below

https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events   

 

My questions:

1- How to hunt for 2004 events?

2- If we install Sysmon on the VM, how do we push these events to Azure Sentinel?

 

btw: I'm aware of the Windows Firewall connector in Azure Sentinel, but that is for a different case.

 

Thanks

 

2 Replies

I have added the firewall log path under Advanced settings, but the events are still not flowing.

best response confirmed by nafejeries (Copper Contributor)
Solution

@nafejeries Based on my testing you are definitely looking at the correct log source. How long have you waited to see if the data shows up?

 

Update: I added that same log to my Windows Events, created a new firewall rule, and I did see the value show up in the Event table.

 
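A hunting query for the log source the accepted answer confirms, added here as an example and not part of the original thread. It assumes the firewall channel was added under Advanced settings > Data > Windows Event Logs by its channel name, Microsoft-Windows-Windows Firewall With Advanced Security/Firewall, so that rows land in the Event table with that name in EventLog; it further assumes the EventData column carries the event's `<Data Name="...">` elements with the field names Windows uses for 2004 (RuleName, Protocol, LocalPorts, ApplicationPath, ModifyingUser, ModifyingApplication) and that RenderedDescription contains the "Direction:" and "Action:" lines of the rendered message. The list of expected rule-management tools is a placeholder to tune per environment. Check each assumed field against one ingested row before relying on the query.

```kql
// Added example (not from the original post): hunt for Windows Firewall rules
// added (Event ID 2004) that arrive through the Windows Events data source.
// Assumed: EventLog holds the firewall channel name, EventData holds the
// <Data Name="..."> elements, RenderedDescription holds the rendered text.
let lookback = 7d;
// Assumed baseline of tools that legitimately add rules in this environment.
let expected_tools = dynamic([
    @"C:\Windows\System32\mmc.exe",
    @"C:\Windows\System32\netsh.exe"
]);
Event
| where TimeGenerated > ago(lookback)
| where EventID == 2004
| where EventLog has "Windows Firewall With Advanced Security"
// Structured fields from the event XML (assumed element names).
| extend RuleName             = extract(@'<Data Name="RuleName">(.*?)</Data>', 1, EventData),
         ProtocolNumber       = extract(@'<Data Name="Protocol">(.*?)</Data>', 1, EventData),
         LocalPorts           = extract(@'<Data Name="LocalPorts">(.*?)</Data>', 1, EventData),
         ApplicationPath      = extract(@'<Data Name="ApplicationPath">(.*?)</Data>', 1, EventData),
         // ModifyingUser is a SID in the XML; join to an identity table if you need a name.
         ModifyingUser        = extract(@'<Data Name="ModifyingUser">(.*?)</Data>', 1, EventData),
         ModifyingApplication = extract(@'<Data Name="ModifyingApplication">(.*?)</Data>', 1, EventData),
         // Direction and Action are numeric codes in the XML; the rendered text is unambiguous.
         Direction            = extract(@'Direction:\s*(\w+)', 1, RenderedDescription),
         Action               = extract(@'Action:\s*(\w+)', 1, RenderedDescription)
// The XML stores the IANA protocol number (6 = TCP, 17 = UDP); "256" means any protocol.
| extend Protocol = case(ProtocolNumber == "6",  "TCP",
                         ProtocolNumber == "17", "UDP",
                         ProtocolNumber)
// "Allowed ports" in the sense of the question: inbound allow rules only.
| where Direction =~ "Inbound" and Action =~ "Allow"
// Flag rules created by something other than the usual management tools,
// or rules that open every local port.
| extend Suspicious = not(ModifyingApplication in~ (expected_tools)) or LocalPorts == "*"
| project TimeGenerated, Computer, RuleName, Protocol, LocalPorts, ApplicationPath,
          ModifyingUser, ModifyingApplication, Suspicious
| order by TimeGenerated desc
```

To reproduce the answerer's check before hunting, create a throwaway inbound allow rule on the VM and confirm a 2004 entry appears locally in Event Viewer under Applications and Services Logs > Microsoft > Windows > Windows Firewall With Advanced Security > Firewall; the same row should then show up in the Event table after the agent's ingestion delay, and you can inspect its EventData to confirm the element names the query assumes.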
