Hi,

In order to filter by an event ID of Windows, just use this query in the 
search bar of Kibana:
decoder.name:"windows" AND id:"4625"

In this case, you are filtering events with id 4625:
2016 Sep 20 07:50:17 WinEvtLog: Security: AUDIT_FAILURE(*4625*): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-....: An account failed to log on...

I assume you are sending the file *alerts.json* to elasticsearch.

Regards.

On Monday, September 19, 2016 at 10:11:37 PM UTC+2, namobud...@gmail.com 
wrote:
>
> Based on this storm center article:
>
> https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
>
> I'm trying to figure out how to query Kibana for specific event ID numbers 
> from the dashboard search area the article mentions. Is there a definitive 
> guide for searching OSSEC with Kibana?
>
>
>
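
The same filter applied offline to lines of alerts.json, as an added example that is not part of the original messages. `decoder.name` and `id` are the fields from the query above; the `full_log` key, the function names and the sample lines are assumptions constructed for illustration.

```python
import json
import re

# OSSEC layout: <time> WinEvtLog: <channel>: <category>(<id>): <source>: <user>: <domain>: <host>: <msg>
WINEVT = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<category>\w+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<message>.*)$"
)

def parse_winevt(line):
    """Split one WinEvtLog line into named fields; None if it does not match."""
    m = WINEVT.match(line.strip())
    return m.groupdict() if m else None

def matches_query(alert, event_id):
    """Same condition as the Kibana query: decoder.name:"windows" AND id:"<event_id>"."""
    decoder = alert.get("decoder") or {}
    return decoder.get("name") == "windows" and str(alert.get("id")) == str(event_id)

def filter_alerts(json_lines, event_id):
    """Return the parsed events from alerts.json lines that match the query."""
    hits = []
    for raw in json_lines:
        try:
            alert = json.loads(raw)
        except ValueError:
            continue  # truncated or non-JSON line
        if not isinstance(alert, dict) or not matches_query(alert, event_id):
            continue
        # "full_log" is an assumed key; keep only alerts whose raw log agrees with the id field.
        fields = parse_winevt(alert.get("full_log", ""))
        if fields and fields["id"] == str(event_id):
            hits.append(fields)
    return hits

def _alert(decoder, event_id, log):
    return json.dumps({"decoder": {"name": decoder}, "id": event_id, "full_log": log})

# Constructed sample lines (not real alerts); TAIL is the shared middle of each Windows line.
TAIL = "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EXAMPLE: "
SAMPLE = [
    _alert("windows", "4625", "2016 Sep 20 07:50:17 WinEvtLog: Security: AUDIT_FAILURE(4625): "
           + TAIL + "An account failed to log on."),
    _alert("windows", "4624", "2016 Sep 20 07:51:02 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
           + TAIL + "An account was successfully logged on."),
    _alert("sshd", "", "Sep 20 07:52:10 host sshd[101]: Failed password for root"),
    '{"decoder": {"name": "windows"}, "id": "46',  # truncated line, skipped by the parser
]
```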
