Audit CVE Event

Detects Event ID 1 entries written to the Application log by the Microsoft-Windows-Audit-CVE provider. Windows emits these when a mitigation shipped in a security update blocks or observes an attempt to exploit the specific vulnerability that update addressed; the event message names the CVE. A hit means an exploitation attempt reached the host, not that it succeeded, so treat it as a lead for triage (source host or process, repeated attempts, the same CVE across several machines) rather than as confirmed compromise.

  • Elastic Query
(winlog.channel:Application AND winlog.event_data.Source:Microsoft\-Windows\-Audit\-CVE)
  • QRadar AQL
SELECT UTF8(payload) as search_payload from events where (LOGSOURCETYPENAME(devicetype) ilike '%Microsoft Windows Security Event Log%' and search_payload ilike '%Microsoft-Windows-Audit-CVE%')
  • Splunk
(source="WinEventLog:Application" Source="Microsoft-Windows-Audit-CVE")
  • EDR Carbon Black
Source:Microsoft-Windows-Audit-CVE
  • Windows PowerShell
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Microsoft-Windows-Audit-CVE'} -ErrorAction SilentlyContinue | Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message
  • RegEx
^Microsoft-Windows-Audit-CVE

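The following is an added example, not code from the original rule page: it applies the same two conditions as the Elastic query (Application channel, source matching the ^Microsoft-Windows-Audit-CVE regex) to a handful of constructed Winlogbeat-style records, and then pulls the CVE identifier out of the message text so an analyst can pivot on it. The field names winlog.channel, winlog.provider_name, winlog.event_data.Source and winlog.computer_name, and the message wording, are assumptions; the sample records are constructed, and the second CVE identifier is a placeholder.

```python
import re

# Constructed Winlogbeat-style records for illustration only; none are real telemetry.
SAMPLE_EVENTS = [
    {   # positive: Winlogbeat layout, provider in winlog.provider_name
        "winlog": {"channel": "Application", "event_id": 1, "computer_name": "WS01",
                   "provider_name": "Microsoft-Windows-Audit-CVE"},
        "message": "CVE-2017-11780 (constructed sample message text)",
    },
    {   # positive: alternative layout, source under winlog.event_data.Source
        "winlog": {"channel": "Application", "event_id": 1, "computer_name": "WS02",
                   "event_data": {"Source": "Microsoft-Windows-Audit-CVE"}},
        "message": "CVE-0000-0000 (placeholder identifier, constructed text)",
    },
    {   # negative: Application log, but a different provider
        "winlog": {"channel": "Application", "event_id": 1000, "computer_name": "WS01",
                   "provider_name": "Application Error"},
        "message": "Faulting application name: notepad.exe",
    },
    {   # negative: mentions a CVE, but wrong channel and provider
        "winlog": {"channel": "Security", "event_id": 4624, "computer_name": "WS01",
                   "provider_name": "Microsoft-Windows-Security-Auditing"},
        "message": "An account was successfully logged on. CVE-2017-11780 mentioned in passing",
    },
]

# Same anchored pattern the rule page lists under "RegEx".
PROVIDER_RE = re.compile(r"^Microsoft-Windows-Audit-CVE")
# Generic CVE identifier shape: CVE-<year>-<4 or more digits>.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def is_audit_cve_event(event):
    """Mirror the Elastic query: Application channel AND an Audit-CVE source."""
    winlog = event.get("winlog", {})
    if winlog.get("channel") != "Application":
        return False
    # Assumed field layout: Winlogbeat stores the source in winlog.provider_name;
    # some pipelines keep it under winlog.event_data.Source, so check both.
    source = winlog.get("provider_name") or winlog.get("event_data", {}).get("Source", "")
    return bool(PROVIDER_RE.match(source))


def extract_cves(message):
    """Return the distinct CVE identifiers named in a message, sorted."""
    return sorted(set(CVE_RE.findall(message or "")))


def detect(events):
    """Run the rule over a list of records and return triage-ready hits."""
    hits = []
    for event in events:
        if not is_audit_cve_event(event):
            continue
        winlog = event["winlog"]
        hits.append({
            "host": winlog.get("computer_name"),
            "event_id": winlog.get("event_id"),
            "cves": extract_cves(event.get("message")),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Matching on the provider rather than on the message text is what keeps the fourth record out: a CVE string in an unrelated event is not an Audit-CVE hit, which is also why the PowerShell variant above filters on ProviderName instead of searching Message.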