cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Getting Windows Events

nafejeries
Copper Contributor

‎May 22 2020 03:41 AM

‎May 22 2020 03:41 AM

Getting Windows Events

Hi folks,

 

I'm trying to create a query to hunt newly created "Allowed Ports" in windows firewall on  a vm.

The monitoring agent is installed and running, but un-fortunately event id 2004/ firewall rule created is not considered a Security Event from MS :) reference below

https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events   

 

My questions:

1- How to hunt for 2004 events ?

2- if we install sysmon on the vm, how to push these events to Azure Sentinel ? 

 

btw: I'm aware of the Windows Firewall connector in Azure Sentinel, but this is for different case.

 

Thanks

 

1,350 Views
0 Likes
2 Replies
Reply
2 Replies
nafejeries

‎May 22 2020 04:05 AM

‎May 22 2020 04:05 AM

Re: Getting Windows Events

I have add the firewall path from Advanced settings, but still the events are not flowing.

wf.PNG

0 Likes
Reply
best response confirmed by nafejeries (Copper Contributor)
Gary Bushey

‎May 22 2020 04:36 AM - edited ‎May 22 2020 04:57 AM

‎May 22 2020 04:36 AM - edited ‎May 22 2020 04:57 AM

Solution

Re: Getting Windows Events

@nafejeries Based on my testing you are definitely looking at the correct log source.   How long have you waited to see if the data shows up?

 

Update:  I added that same log to my Windows Events, created a new Firewall rule, and I did see the value show up in the Event Table

 

Preview file
96 KB
0 Likes
Reply