Paul, I am assuming that all this query is already "taking care" of the context - i.e. what you want to achieve and what you need for that.
During engagements (and especially with compliance-sensitive entities) I usually start with recommendations from CIS about the audit policy / events to monitor and follow up with tweaks.
The recommendations from NSA (though not of a recent date as I recall) are certainly a valid starting point, too.
The NSA inclusion filter list is there in QRadar if you are using WinCollect protocol.
You can maybe use that as a template and customize / tailor to your needs.
(If you are building a custom filter there's the option to use an exclusion instead of inclusion filter - e.g. if there are fewer items to specify compared to overall).
Another option is to use the recommendations of your choice for a baseline and build your XPATH query that will be used to pull exactly the events you want from the source. The advantage is that unwanted events will never reach QRadar, so the EPS rate would be lower (in case of inclusion/exclusion filters, they first need to reach the QRadar instance before the filter is applied).
This technote should complement this discussion.
(Hopefully, this is what you were looking for)
------------------------------
Dusan VIDOVIC
------------------------------
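As an added illustration of the XPath approach described in the reply above (this is example code, not from the thread, QRadar, or WinCollect): the script below turns a Windows Event ID list into the QueryList XML form that Windows Event Log consumers such as WinCollect accept, as either an inclusion (Select) or an exclusion (Suppress) filter, and then simulates the Windows-side decision over a constructed sample stream to show the EPS effect of filtering at the source. It assumes the commonly cited limit of 22 expressions per XPath select, which is why long ID lists are split across several Select/Suppress elements; the sample event counts and the helper names are constructed for the example.

```python
"""Build a Windows Event Log QueryList (inclusion or exclusion) from an
event ID list and estimate how much of a sample stream it would forward.
Added example; not code from the thread, QRadar or WinCollect."""
from xml.etree import ElementTree as ET

# Assumption: Windows rejects XPath selects with more than 22 expressions,
# so longer ID lists are split across several <Select>/<Suppress> elements.
MAX_EXPRESSIONS = 22


def _chunks(items, size):
    for i in range(0, len(items), size):
        yield items[i:i + size]


def _id_clause(ids):
    # Standard Windows event XPath: *[System[(EventID=a or EventID=b)]]
    return "*[System[(" + " or ".join(f"EventID={i}" for i in ids) + ")]]"


def build_query(event_ids, channel="Security", exclude=False):
    """Return (xml_string, spec). spec drives the simulator below."""
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("event ID list is empty")
    root = ET.Element("QueryList")
    query = ET.SubElement(root, "Query", Id="0", Path=channel)
    if exclude:
        # Exclusion filter: select everything, then suppress the listed IDs.
        ET.SubElement(query, "Select", Path=channel).text = "*"
        tag = "Suppress"
    else:
        # Inclusion filter: only the listed IDs are selected.
        tag = "Select"
    for chunk in _chunks(ids, MAX_EXPRESSIONS):
        ET.SubElement(query, tag, Path=channel).text = _id_clause(chunk)
    xml = ET.tostring(root, encoding="unicode")
    return xml, {"channel": channel, "ids": set(ids), "exclude": exclude}


def forwarded(spec, event):
    """Simulate the Windows-side decision for one event dict."""
    if event["channel"] != spec["channel"]:
        return False
    listed = event["event_id"] in spec["ids"]
    return (not listed) if spec["exclude"] else listed


def estimate(spec, events):
    """Return (forwarded_count, total_count) for a constructed sample."""
    kept = sum(1 for e in events if forwarded(spec, e))
    return kept, len(events)


# Constructed sample stream (hypothetical counts): a chatty Security channel
# dominated by Windows Filtering Platform events plus a few System events.
SAMPLE_EVENTS = (
    [{"channel": "Security", "event_id": 4624}] * 50     # successful logons
    + [{"channel": "Security", "event_id": 4625}] * 5    # failed logons
    + [{"channel": "Security", "event_id": 4672}] * 20   # special privileges
    + [{"channel": "Security", "event_id": 5156}] * 900  # WFP connections
    + [{"channel": "System", "event_id": 7045}] * 3      # service installs
)


if __name__ == "__main__":
    xml, spec = build_query([4624, 4625, 4672])
    print(xml)
    print("inclusion forwards %d of %d events" % estimate(spec, SAMPLE_EVENTS))
    xml, spec = build_query([5156], exclude=True)
    print(xml)
    print("exclusion forwards %d of %d events" % estimate(spec, SAMPLE_EVENTS))
```

Both filters forward 75 of the 978 sample events, but for different reasons: the inclusion list names exactly what you want, while the exclusion list only drops the one noisy ID and keeps everything else on that channel, which is the trade-off the reply describes when choosing between the two forms.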
Original Message:
Sent: Thu April 14, 2022 03:37 PM
From: Paul Goffar
Subject: Event Filtering
Hey there,
I'm trying to take my tuning to the next level and start weeding out unnecessary events. I like the idea of the NSA's Windows filtering but I'm curious how this is being implemented. I found a very old Reddit post where Jonathan mentioned a list that was already in QRadar but that's nothing I've ever seen. Very interesting to hear everyone's thoughts about this.
(Reddit post "Reference set for Windows Event IDs": "Has anybody found a source for a good reference set to convert windows event IDs back into human readable text?")
------------------------------
Paul
------------------------------