By monitoring 4688 (process creation) events from the security event log and filtering on the process file size, EventSentry can notify you if an unusually large (or small) executable was launched. Note that 4688 events are only written when process creation auditing ("Audit Process Creation") is enabled on the monitored host, so the filter below has nothing to match until that audit policy is in place.
{ "type": 0, "active": 1, "name": "Large File Launched", "uuid": "04f99df3-efe9-4048-bec0-673b4c5a103d", "version": 1, "order": 11, "isfolder": 0, "applyToCollectorSideThresholds": 0, "requireAck": 0, "stopProcessing": 0, "anomalyFiltering": 0, "logs": [ "SEC" ],"severities": [ "AUDITSUCCESS" ], "source": "Microsoft-Windows-Security-Auditing", "eventid": "4688", "chainType": 0, "textfilters": [ { "insertionString": 5, "comparisonType": 22, "text": "500000000", "type": 1 }],"threshold": { "type": 0, "limit": 0, "interval": 0, "intervalScale": 0, "processBefore": 0, "processAfter": 0, "processAfterFirstOnly": 0, "logImmediate": 0, "logInterval": 0, "logSeverity": 2, "matchType": 1 },"timer": { "enable": 0, "interval": 0, "intervalScale": 0 },"bootBehavior": 0 } |