InsightIDR

Generic Windows Event Log

Connecting this event source to InsightIDR gives you a highly thorough view of one asset or a small number of high-risk assets, such as shared systems, machines tied to compromised users, or assets with frequent suspicious activity. When polling a Generic Windows Event Log source, InsightIDR pulls only the Security log.

The Collector will poll the Generic Windows Event Log every 75 seconds.

Warning!

Only use this event source with a single asset or a small number of assets. Pulling the full Windows Security log from many hosts has a massive bandwidth impact and can potentially bring down your network.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.

  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.

  3. From the “Raw Data” section, click the Generic Windows Event Log icon. The “Add Event Source” panel appears. 

  4. Choose your collector and event source. You can also name your event source if you want.

  5. Choose the timezone that matches the location of your event source logs.

  6. Select a collection method and specify a port and a protocol.

    • Optionally choose to Encrypt the event source if you are collecting unfiltered logs over TCP.

  7. Click Save.

Data Collection Method Recommendations

It is recommended to configure this event source via WMI (Windows Management Instrumentation), which seeks out and collects the data rather than waiting to receive it. This collection method lets you collect data from a single IP or a small range. Because WMI collection runs over DCOM/RPC from the Collector, the Collector needs network reachability to the asset and an account that is permitted to read its Security log.
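The checks a practitioner would want before pointing the Collector at an asset, as an added example that is not Rapid7's code: it opens a WMI session over DCOM to one candidate host, confirms the Security log is readable by the collection account, and scales a short sample of Security events to the 75-second poll interval so the bandwidth warning above can be judged with numbers rather than guessed. The parameter names, the default sample window and the rights and port hints in the error messages are assumptions for this example, not InsightIDR settings.

```powershell
# Added example, not Rapid7's code. Run from the Collector host (or any admin
# workstation) against ONE candidate asset before adding it as a Generic Windows
# Event Log source. Parameter names, the default sample window and the hints in
# the error messages are assumptions for this example.
param(
    [Parameter(Mandatory)][string]$Target,                   # hostname or IP of the asset
    [System.Management.Automation.PSCredential]$Credential,  # account that may read the Security log; omit to use the current user
    [int]$SampleMinutes = 15,                                # how far back to sample
    [int]$PollSeconds   = 75                                 # Collector poll interval stated on this page
)

# 1. Open a WMI session over DCOM, the transport the WMI collection method uses.
$sessArgs = @{ ComputerName = $Target; SessionOption = (New-CimSessionOption -Protocol Dcom); ErrorAction = 'Stop' }
if ($Credential) { $sessArgs.Credential = $Credential }
try {
    $session = New-CimSession @sessArgs
} catch {
    throw "WMI/DCOM session to $Target failed (RPC 135 plus the dynamic RPC range must be reachable, and the account must be allowed to use DCOM): $_"
}

try {
    # 2. Confirm the Security log is visible to this account.
    $secLog = Get-CimInstance -CimSession $session -ClassName Win32_NTEventlogFile -Filter "LogfileName='Security'"
    if (-not $secLog) {
        throw "Security log on $Target is not readable by this account; it needs membership in 'Event Log Readers' or the 'Manage auditing and security log' right."
    }
    "{0}: Security log holds {1:N0} records, {2:N1} MB on disk" -f $Target, $secLog.NumberOfRecords, ($secLog.FileSize / 1MB)

    # 3. Sample recent events. WQL compares TimeGenerated against a DMTF datetime
    #    string, so convert the cut-off with the framework's converter. On a busy
    #    host this query is slow, which is itself a hint about the collection cost.
    $since  = (Get-Date).AddMinutes(-$SampleMinutes)
    $dmtf   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($since)
    $query  = "SELECT EventCode, TimeGenerated, Message FROM Win32_NTLogEvent WHERE Logfile='Security' AND TimeGenerated >= '$dmtf'"
    $events = @(Get-CimInstance -CimSession $session -Query $query)

    # 4. Scale the sample to one poll interval. Message length approximates the
    #    rendered text the Collector must transfer for each event.
    $seconds   = $SampleMinutes * 60
    $textBytes = [long](($events | ForEach-Object { ([string]$_.Message).Length } | Measure-Object -Sum).Sum)
    $topCodes  = $events | Group-Object EventCode | Sort-Object Count -Descending | Select-Object -First 5 |
                 ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }

    [pscustomobject]@{
        Target        = $Target
        SampleMinutes = $SampleMinutes
        EventsSampled = $events.Count
        EventsPerPoll = [math]::Round($events.Count / $seconds * $PollSeconds)
        KBPerPoll     = [math]::Round($textBytes / $seconds * $PollSeconds / 1KB, 1)
        TopEventCodes = ($topCodes -join ', ')
    }
} finally {
    Remove-CimSession -CimSession $session
}
```

Run it as `.\Test-SecurityLogSource.ps1 -Target dc01 -Credential (Get-Credential)` (the script name is an assumption). A high EventsPerPoll figure, or a top code dominated by noisy IDs such as object-access events, is the signal that the asset is too busy for this source and belongs on the agent or a filtered collection path instead; the same measurement also tells you whether the 15-minute sample covered a quiet period and should be widened.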

Reading the Event Code Monitor

As a security product, InsightIDR seeks specific security information from the data it ingests. Below are the event IDs that the generic Windows event code monitor pulls from the Security log; events with other IDs are not collected. Read about what each ID means here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx.

1100
1101
1102
1103
1104
1105
1106
1107
1108
4608
4609
4610
4611
4612
4614
4615
4616
4618
4621
4622
4624
4625
4626
4627
4634
4646
4647
4648
4649
4650
4651
4652
4653
4654
4655
4656
4657
4658
4659
4660
4661
4662
4663
4664
4665
4666
4667
4668
4670
4671
4672
4673
4674
4675
4688
4689
4690
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707
4709
4710
4711
4712
4713
4714
4715
4716
4717
4718
4719
4720
4722
4723
4724
4725
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4737
4738
4739
4740
4741
4742
4743
4744
4745
4746
4747
4748
4749
4750
4751
4752
4753
4754
4755
4756
4757
4758
4759
4760
4761
4762
4763
4764
4765
4766
4767
4768
4769
4770
4771
4772
4773
4774
4775
4776
4777
4778
4779
4780
4781
4782
4783
4784
4785
4786
4787
4788
4789
4790
4791
4792
4793
4794
4797
4798
4799
4800
4801
4802
4803
4816
4817
4818
4819
4820
4821
4822
4823
4824
4825
4826
4864
4865
4866
4867
4868
4869
4870
4871
4872
4873
4874
4875
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888
4889
4890
4891
4892
4893
4894
4895
4896
4897
4898
4899
4900
4902
4904
4905
4906
4907
4908
4909
4910
4911
4912
4913
4928
4929
4930
4931
4932
4933
4934
4935
4936
4937
4944
4945
4946
4947
4948
4949
4950
4951
4952
4953
4954
4956
4957
4958
4960
4961
4962
4963
4964
4965
4976
4977
4978
4979
4980
4981
4982
4983
4984
4985
5024
5025
5027
5028
5029
5030
5031
5032
5033
5034
5035
5037
5038
5039
5040
5041
5042
5043
5044
5045
5046
5047
5048
5049
5050
5051
5056
5057
5058
5059
5060
5061
5062
5063
5064
5065
5066
5067
5068
5069
5070
5071
5120
5121
5122
5123
5124
5125
5126
5127
5136
5137
5138
5139
5140
5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155
5156
5157
5158
5159
5168
5169
5376
5377
5378
5440
5441
5442
5443
5444
5446
5447
5448
5449
5450
5451
5452
5453
5456
5457
5458
5459
5460
5461
5462
5463
5464
5465
5466
5467
5468
5471
5472
5473
5474
5477
5478
5479
5480
5483
5484
5485
5632
5633
5712
5888
5889
5890
6144
6145
6272
6273
6274
6275
6276
6277
6278
6279
6280
6281
6400
6401
6402
6403
6404
6405
6406
6407
6408
6409
6410
6416
6417
6418
6419
6420
6421
6422
6423
6424
8191
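A way to put the list above to work, as an added example that is not Rapid7's code: it compresses the IDs into ranges, expands them into a lookup set, and previews for one host which monitored IDs its Security log is actually producing, how many Security events fall outside the list (and so would not be pulled), and which investigation-relevant monitored IDs are absent, which usually points at an audit-policy gap. The parameter names, the sample window and the "expected" subset of IDs are assumptions for this example; the ranges are a transcription of the list on this page.

```powershell
# Added example, not Rapid7's code. Expands the event-ID list on this page into a
# lookup set and previews, for one host, which monitored IDs the Security log is
# actually producing and how many Security events fall outside the list. The
# parameter names, the sample window and the "expected" ID subset are assumptions.
param(
    [string]$Target = $env:COMPUTERNAME,   # local host by default; a remote name is read via the Event Log RPC service
    [int]$SampleMinutes = 60
)

# The page's ID list transcribed as inclusive ranges (419 IDs). Re-check against the
# list if Rapid7 changes the monitor.
$MonitoredRanges = @'
1100-1108 4608-4612 4614-4616 4618 4621-4622 4624-4627 4634 4646-4668 4670-4675
4688-4707 4709-4720 4722-4735 4737-4794 4797-4803 4816-4826 4864-4900 4902
4904-4913 4928-4937 4944-4954 4956-4958 4960-4965 4976-4985 5024-5025 5027-5035
5037-5051 5056-5071 5120-5127 5136-5159 5168-5169 5376-5378 5440-5444 5446-5453
5456-5468 5471-5474 5477-5480 5483-5485 5632-5633 5712 5888-5890 6144-6145
6272-6281 6400-6410 6416-6424 8191
'@

function Expand-IdRanges {
    param([string]$Spec)
    $set = [System.Collections.Generic.HashSet[int]]::new()
    foreach ($token in ($Spec -split '\s+' | Where-Object { $_ })) {
        $lo, $hi = $token -split '-'
        $lo = [int]$lo
        $hi = if ($hi) { [int]$hi } else { $lo }
        foreach ($id in $lo..$hi) { [void]$set.Add($id) }
    }
    return ,$set   # leading comma stops PowerShell from unrolling the set into ints
}

$monitored = Expand-IdRanges $MonitoredRanges
if ($monitored.Count -ne 419) { Write-Warning "Expected 419 monitored IDs, got $($monitored.Count); re-check the range list." }

# -FilterHashtable's ID key is compiled into an XPath expression that rejects a
# list this long, so pull every Security event in the window and filter client-side.
$since  = (Get-Date).AddMinutes(-$SampleMinutes)
$events = @(Get-WinEvent -ComputerName $Target -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue)

$inScope  = @($events | Where-Object {      $monitored.Contains($_.Id) })
$outScope = @($events | Where-Object { -not $monitored.Contains($_.Id) })
"{0}: {1} Security events in the last {2} min; {3} match the monitor, {4} would not be pulled" -f `
    $Target, $events.Count, $SampleMinutes, $inScope.Count, $outScope.Count

# Most frequent monitored IDs, with each event's own task category for context.
$inScope | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 15 | ForEach-Object {
    [pscustomobject]@{ Id = [int]$_.Name; Count = $_.Count; Task = $_.Group[0].TaskDisplayName }
} | Format-Table -AutoSize

# A subset of monitored IDs that investigators lean on. Absence can mean the matching
# audit subcategory is off (compare with: auditpol /get /category:*) or that the host
# lacks the role (4768/4769/4776 only appear on domain controllers, 5140/5145 need
# file-share auditing).
$expected = 4624, 4625, 4634, 4648, 4672, 4688, 4720, 4732, 4740, 4768, 4769, 4776, 5140, 5145
$seen     = $inScope | ForEach-Object Id | Sort-Object -Unique
$missing  = $expected | Where-Object { $seen -notcontains $_ }
if ($missing) { "Monitored IDs not seen in the window: $($missing -join ', ')" }
```

A host that reports most of its events as "would not be pulled" is not a problem for this source (those IDs are simply outside the monitor), but a host where 4688 or 4624 never appears is: the monitor can only alert on IDs the audit policy actually writes, so fix `auditpol` before relying on the collection.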
