Generic Windows Event Log

Connecting this event source to InsightIDR gives you a highly thorough view into one asset or a small number of high-risk assets, such as shared systems, compromised users, or assets with frequent suspicious activity. InsightIDR pulls only the Security log when polling the Generic Windows Event Log.

The Collector will poll the Generic Windows Event Log every 75 seconds.

Warning!

Only use this event source with a single asset or a small number of assets, as the Windows Security log will have a massive bandwidth impact and can potentially bring down your network.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Click Add Raw Data > Rapid7 Generic Windows Event Log.
    • Alternatively, you can search for Custom Logs or filter by the Rapid7 Product Type, and then select the Rapid7 Generic Windows Event Log event source tile.
  3. Choose your collector and event source. You can also name your event source if you want.
  4. Choose the timezone that matches the location of your event source logs.
  5. Select a collection method and specify a port and a protocol.
    • Optionally choose to Encrypt the event source if choosing TCP unparsed logs.
  6. Click Save.

Data Collection Method Recommendations

We recommend configuring this event source via WMI (Windows Management Instrumentation), which actively seeks out and pulls the data rather than waiting to receive it. This collection method lets you collect data from a single IP address or a small range.
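Before onboarding an asset, it helps to know how much Security-log traffic the Collector's 75-second poll would actually pull from it. The PowerShell script below is an added example, not part of Rapid7's documentation or product: it measures the host's recent Security-log volume and scales it to one poll interval; the sample window and the events-per-poll threshold are assumed values you tune for your own network.

```powershell
# Added example (not Rapid7's code): estimate the Security-log volume the
# Generic Windows Event Log source would pull from this host per 75-second poll,
# so the bandwidth warning above can be judged before the asset is onboarded.
# Run in an elevated PowerShell session on the candidate Windows host.
# Assumptions: the sample window is representative of normal load, and
# $MaxEventsPerPoll is a threshold you choose for your own environment.
param(
    [int]$WindowMinutes   = 15,
    [int]$MaxEventsPerPoll = 500
)

$PollSeconds = 75
$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Average on-disk record size, derived from the log's own metadata (bytes per event).
$log = Get-WinEvent -ListLog Security
$avgRecordBytes = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }

# Pull every Security event in the window. The event source reads the whole
# Security log, so no event-ID filter is applied here.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
          -ErrorAction SilentlyContinue
$count = @($events).Count

$eventsPerPoll = [math]::Round($count / ($WindowMinutes * 60) * $PollSeconds, 1)
$bytesPerPoll  = [math]::Round($eventsPerPoll * $avgRecordBytes)

"Security events in last $WindowMinutes min : $count"
"Estimated events per $PollSeconds s poll   : $eventsPerPoll"
"Estimated bytes per poll (approx.)     : $bytesPerPoll (~$([math]::Round($avgRecordBytes)) B/record)"

# The noisiest event IDs drive the volume; review them before deciding whether
# this asset belongs on the Generic Windows Event Log source at all.
"Top event IDs in window:"
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

if ($eventsPerPoll -gt $MaxEventsPerPoll) {
    Write-Warning "Estimated $eventsPerPoll events per poll exceeds the threshold of $MaxEventsPerPoll; this asset may be too noisy for this event source."
}
```

The byte estimate reflects on-disk record size, not the wire format the Collector uses, so treat it as an order-of-magnitude figure rather than an exact bandwidth number.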

Reading the Event Code Monitor

As a security product, InsightIDR seeks specific security information from the data it ingests. Below are the codes pulled from the Security Log for the generic Windows event code monitor. These Windows event IDs are collected by the Generic Windows Event Log (not the Insight Agent).

Read about what each code means here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx.

1100 1101 1102 1103 1104 1105 1106 1107 1108 4608 4609 4610 4611 4612 4614 4615 4616 4618 4621 4622 4624 4625 4626 4627 4634 4646 4647 4648 4649 4650 4651 4652 4653 4654 4655 4656 4657 4658 4659 4660 4661 4662 4663 4664 4665 4666 4667 4668 4670 4671 4672 4673 4674 4675 4688 4689 4690 4691 4692 4693 4694 4695 4696 4697 4698 4699 4700 4701 4702 4703 4704 4705 4706 4707 4709 4710 4711 4712 4713 4714 4715 4716 4717 4718 4719 4720 4722 4723 4724 4725 4726 4727 4728 4729 4730 4731 4732 4733 4734 4735 4737 4738 4739 4740 4741 4742 4743 4744 4745 4746 4747 4748 4749 4750 4751 4752 4753 4754 4755 4756 4757 4758 4759 4760 4761 4762 4763 4764 4765 4766 4767 4768 4769 4770 4771 4772 4773 4774 4775 4776 4777 4778 4779 4780 4781 4782 4783 4784 4785 4786 4787 4788 4789 4790 4791 4792 4793 4794 4797 4798 4799 4800 4801 4802 4803 4816 4817 4818 4819 4820 4821 4822 4823 4824 4825 4826 4864 4865 4866 4867 4868 4869 4870 4871 4872 4873 4874 4875 4876 4877 4878 4879 4880 4881 4882 4883 4884 4885 4886 4887 4888 4889 4890 4891 4892 4893 4894 4895 4896 4897 4898 4899 4900 4902 4904 4905 4906 4907 4908 4909 4910 4911 4912 4913 4928 4929 4930 4931 4932 4933 4934 4935 4936 4937 4944 4945 4946 4947 4948 4949 4950 4951 4952 4953 4954 4956 4957 4958 4960 4961 4962 4963 4964 4965 4976 4977 4978 4979 4980 4981 4982 4983 4984 4985 5024 5025 5027 5028 5029 5030 5031 5032 5033 5034 5035 5037 5038 5039 5040 5041 5042 5043 5044 5045 5046 5047 5048 5049 5050 5051 5056 5057 5058 5059 5060 5061 5062 5063 5064 5065 5066 5067 5068 5069 5070 5071 5120 5121 5122 5123 5124 5125 5126 5127 5136 5137 5138 5139 5140 5141 5142 5143 5144 5145 5146 5147 5148 5149 5150 5151 5152 5153 5154 5155 5156 5157 5158 5159 5168 5169 5376 5377 5378 5440 5441 5442 5443 5444 5446 5447 5448 5449 5450 5451 5452 5453 5456 5457 5458 5459 5460 5461 5462 5463 5464 5465 5466 5467 5468 5471 5472 5473 5474 5477 5478 5479 5480 5483 5484 5485 5632 5633 5712 5888 5889 5890 6144 6145 6272 6273 6274 6275 6276 6277 6278 6279 6280 6281 6400 6401 
6402 6403 6404 6405 6406 6407 6408 6409 6410 6416 6417 6418 6419 6420 6421 6422 6423 6424 8191