{"id":7018,"date":"2023-03-07T13:46:55","date_gmt":"2023-03-07T17:46:55","guid":{"rendered":"https:\/\/kevinjustin.com\/blog\/?p=7018"},"modified":"2023-03-21T12:36:33","modified_gmt":"2023-03-21T16:36:33","slug":"deciding-event-collection-versus-alert-rule","status":"publish","type":"post","link":"https:\/\/kevinjustin.com\/blog\/2023\/03\/07\/deciding-event-collection-versus-alert-rule\/","title":{"rendered":"Deciding ‘Event Collection vs. Alert’ rule"},"content":{"rendered":"
\"\"<\/a>
Question example of two cartoon people discussing something. Both have thought bubble cartoons looming overhead.<\/figcaption><\/figure>\n

 <\/p>\n

Ever run through an event log scenario deciding ‘event collection vs. alert rule’ is the way to filter out the needle from the haystack?\u00a0 \u00a0There’s a few ways to do this with Monitoring tools.\u00a0 \u00a0If you’re cloud centric, a KQL query (assuming you’re collecting the event logs, if you’re using Operations Manager (SCOM), there’s a few ways to consume the events.\u00a0 \u00a0SCOM ACS<\/a> is basically a DB for collecting Security events, and typically is an unused feature in SCOM by most customers.\u00a0 Kevin Holman’s had many blog<\/a> posts for ACS<\/a>, testing the filter<\/a>, as well as a management pack (MP)\u00a0 fragment (blog here<\/a>, GitHub fragment library here<\/a>).<\/p>\n

 <\/p>\n

 <\/p>\n

Let’s walk through criteria deciding ‘event collection vs. alert rule’:<\/h1>\n
    \n
  1. Do the event(s) happen often?\u00a0 If so, how often?<\/li>\n
  2. Can you filter the event description to limit the amount of gathered event?<\/li>\n
  3. Do you need match count or samples before action required?\u00a0 (i.e. count x events in y time)<\/li>\n
  4. Is there a regulatory or compliance requirement to collect every event?<\/li>\n
  5. Is this something you want to visualize with PowerBI?<\/li>\n
  6. For better visualizations, would the EventID help view\/sort data in a tabular output?\u00a0 \u00a0i.e. Think PowerShell property) as well as TimeRaised\/TimeGenerated, and Event Description<\/li>\n<\/ol>\n

     <\/p>\n

    Example – DC Security events<\/h1>\n

    When there is a regulatory requirement to collect events, we need to decide ‘event collection vs. alert rule, and IF we can filter for specific pieces of the event.\u00a0 Holman has examples of alert parameters<\/a>, and dynamic data<\/a>, which are very useful to get the needles out of the haystacks.\u00a0 Depending on your goals, use event parameters, or leverage CustomFields in the alert to build required fields.<\/p>\n

     <\/p>\n

    Depending on the requirements, event collection is useful to collect related EventID’s with RegularExpressions.\u00a0 \u00a0Use Event rules WHEN action is required.\u00a0 Leverage Regular expressions help filter what we collect (via event collection or alert rule.\u00a0 \u00a0By extension, utilize CustomFields in the alerts to help the presentation or SQL query towards a PowerBI report.<\/p>\n

     <\/p>\n

    Let’s talk about regular expressions<\/a> examples for rules (or monitors)<\/p>\n

     <\/p>\n

    MatchesRegularExpression<\/strong><\/p>\n

    <Expression>
    \n<RegExExpression>
    \n<ValueExpression>
    \n<XPathQuery Type=”String”>EventDescription<\/XPathQuery>
    \n<\/ValueExpression>
    \n<Operator>MatchesRegularExpression<\/Operator>
    \n<Pattern>^(Security ID:.*admin*)|^(Security ID:.*[des]a*)$<\/Pattern>
    \n<\/RegExExpression>
    \n<\/Expression><\/p>\n

    <Expression>
    \n<RegExExpression>
    \n<ValueExpression>
    \n<XPathQuery Type=”UnsignedInteger”>EventDisplayNumber<\/XPathQuery>
    \n<\/ValueExpression>
    \n<Operator>MatchesMOM2005BooleanRegularExpression<\/Operator>
    \n<Pattern>^(4625|4740)$<\/Pattern>
    \n<\/RegExExpression>
    \n<\/Expression><\/p>\n

     <\/p>\n

    Contains example<\/strong><\/p>\n

    <Expression>
    \n<RegExExpression>
    \n<ValueExpression>
    \n<XPathQuery Type=”String”>EventDescription<\/XPathQuery>
    \n<\/ValueExpression>
    \n<Operator>ContainsSubstring<\/Operator>
    \n<Pattern>Proactive DailyTasks ADDS Monitors close automation for<\/Pattern>
    \n<\/RegExExpression>
    \n<\/Expression><\/p>\n

    <Expression>
    \n<RegExExpression>
    \n<ValueExpression>
    \n<XPathQuery Type=”String”>Params\/Param[2]<\/XPathQuery>
    \n<\/ValueExpression>
    \n<Operator>ContainsSubstring<\/Operator>
    \n<Pattern>dnsserver<\/Pattern>
    \n<\/RegExExpression>
    \n<\/Expression><\/p>\n

     <\/p>\n

    DoesNotContain example<\/strong><\/p>\n

    <Expression>
    \n<RegExExpression>
    \n<ValueExpression>
    \n<XPathQuery Type=”String”>EventDescription<\/XPathQuery>
    \n<\/ValueExpression>
    \n<Operator>DoesNotContainSubstring<\/Operator>
    \n<Pattern>None<\/Pattern>
    \n<\/RegExExpression>
    \n<\/Expression><\/p>\n

    Holman MP Fragment example of specific EventID:<\/h2>\n

    <Rule ID=”Rule.StateChangeAlerts” Enabled=”true” Target=”SCOMMagementServer.Class” ConfirmDelivery=”true” Remotable=”true” Priority=”Normal” DiscardLevel=”100″>
    \n<Category>EventCollection<\/Category>
    \n<DataSources>
    \n<DataSource ID=”DS” TypeID=”Windows!Microsoft.Windows.EventCollector”>
    \n<ComputerName>$Target\/Host\/Property[Type=”Windows!Microsoft.Windows.Computer”]\/NetworkName$<\/ComputerName>
    \n<LogName>TestAPP<\/LogName>
    \n<AllowProxying>false<\/AllowProxying>
    \n<Expression>
    \n<And>
    \n<Expression>
    \n<SimpleExpression>
    \n<ValueExpression>
    \n<XPathQuery Type=”UnsignedInteger”>EventDisplayNumber<\/XPathQuery>
    \n<\/ValueExpression>
    \n<Operator>Equal<\/Operator>
    \n<ValueExpression>
    \n<Value Type=”UnsignedInteger”>600<\/Value>
    \n<\/ValueExpression>
    \n<\/SimpleExpression>
    \n<\/Expression>
    \n<Expression>
    \n<SimpleExpression>
    \n<ValueExpression>
    \n<XPathQuery Type=”String”>PublisherName<\/XPathQuery>
    \n<\/ValueExpression>
    \n<Operator>Equal<\/Operator>
    \n<ValueExpression>
    \n<Value Type=”String”>APP Test Log Monitoring<\/Value>
    \n<\/ValueExpression>
    \n<\/SimpleExpression>
    \n<\/Expression>
    \n<\/And>
    \n<\/Expression>
    \n<\/DataSource>
    \n<\/DataSources>
    \n<WriteActions>
    \n<WriteAction ID=”CollectToDB” TypeID=”SC!Microsoft.SystemCenter.CollectEvent” \/>
    \n<WriteAction ID=”CollectToDW” TypeID=”SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData” \/>
    \n<\/WriteActions>
    \n<\/Rule><\/p>\n

     <\/p>\n

    Lastly, let’s talk about the use of CustomFields to add additional data to the alert, but NOT in the event description (Holman’s blog here<\/a>)<\/p>\n

    For the tabular view of alert data (from PowerShell as with SQL query of Alerts view, we might need to display the data, such as EventDisplayNumber, TimeRaised, Message, (alternate is Parameters, or UnformattedDescription).\u00a0 Additionally, check alert output details, from the SCOM MS in PowerShell via get-SCOMAlert -name “MonitorDisplayNameHere” | fl | more<\/p>\n

     <\/p>\n

    Leverage Custom Fields to add<\/h3>\n

    EventID\u00a0 \u00a0 \u00a0 \u00a0$Data\/EventDisplayNumber$<\/p>\n

    Event Category\u00a0 \u00a0 $Data\/EventCategory$<\/p>\n

     <\/p>\n

    Happy Authoring!<\/p>\n

     <\/p>\n

    Additional links<\/p>\n

    How to collect events – but not ALL the events?<\/a><\/p><\/blockquote>\n