WEL events not shown on Timeline

I wanted to use WEL events to detect unauthorised login hours, but for some reason WEL events are not all shown in the timeline even though it's enabled in the event collection. Is there a default timezone, and can we change it? This is the D&R rule I wrote

Hello, have you had a look at this doc going over how to select specific WELs from the system (they’re not selected by default): Ingesting Windows Event Logs

You might also be interested in some of the pre-made templates for this kind of stuff here: https://iac.limacharlie.io/
I did according to the manual and still was unsuccessful. Here are the artifact collection rule and D&R rule; is there anything wrong?

I am getting WEL on my timeline, but what timezone does it follow? Is it the time set in my LC account or something else?

All dates and times displayed in the web app follow the timezone set in your user preferences. We have details on how to change that in our FAQ.

I meant for the D&R rule: does it follow a particular timezone, or does it follow the timezone set in the user settings?

The D&R rule is affected by whatever timezone the logs are in. Windows event log times are in UTC.
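To illustrate the point in the reply above, here is an added example (not from this thread and not LimaCharlie's own code) that evaluates a logon event's WEL SystemTime, which is UTC, against an allowed-hours window defined in a site's local timezone, beside the naive check that compares the raw UTC clock time. The UTC+8 offset, the 08:00 to 18:00 window, the simplified event shape and the sample events are constructed assumptions.

```python
import re
from datetime import datetime, time, timedelta, timezone

# Assumptions for this example: the site runs at UTC+8 (use zoneinfo for DST
# zones in practice) and allows interactive logons 08:00-18:00 local time.
LOCAL_TZ = timezone(timedelta(hours=8))
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)
_WEL_TIME = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")

def parse_wel_time(system_time: str) -> datetime:
    """Parse a WEL TimeCreated/SystemTime value into an aware UTC datetime.
    Windows writes these in UTC with a trailing 'Z' and up to 7 fractional
    digits; Python keeps microseconds, so the 7th digit is dropped."""
    m = _WEL_TIME.fullmatch(system_time)
    if not m:
        raise ValueError(f"not a WEL UTC timestamp: {system_time!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def in_window(t: time, start: time, end: time) -> bool:
    """True if t is within [start, end); also handles windows crossing midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def outside_allowed_hours(system_time, tz=LOCAL_TZ, start=WINDOW_START, end=WINDOW_END):
    """Correct check: convert the UTC event time to the site's timezone first."""
    return not in_window(parse_wel_time(system_time).astimezone(tz).time(), start, end)

def naive_outside_allowed_hours(system_time, start=WINDOW_START, end=WINDOW_END):
    """The mistake: comparing the raw UTC clock time against local business hours."""
    return not in_window(parse_wel_time(system_time).time(), start, end)

# Constructed sample of 4624 (successful logon) events in a simplified shape.
SAMPLE_EVENTS = [
    {"EventID": "4624", "SystemTime": "2024-03-05T01:30:00.0000000Z"},  # 09:30 local
    {"EventID": "4624", "SystemTime": "2024-03-05T12:30:00.1234567Z"},  # 20:30 local
    {"EventID": "4624", "SystemTime": "2024-03-04T23:59:59.9999999Z"},  # 07:59 local
    {"EventID": "4634", "SystemTime": "2024-03-05T12:30:00.0000000Z"},  # logoff, ignored
]

def evaluate(events=SAMPLE_EVENTS):
    """Return (SystemTime, correct_verdict, naive_verdict) for each 4624 event."""
    return [(e["SystemTime"], outside_allowed_hours(e["SystemTime"]),
             naive_outside_allowed_hours(e["SystemTime"]))
            for e in events if e["EventID"] == "4624"]
```

Running `evaluate()` shows the naive UTC comparison flagging the 09:30 local logon and missing the 20:30 one, which is exactly the kind of mismatch an hours-based rule produces when the log timezone is not accounted for.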

I’ve observed that during 6 consecutive unauthorized login attempts (each spaced 2–3 minutes apart), the unauthorized access was detected every time, but the shutdown response was triggered only twice. Is there any reason why the shutdown didn’t occur for all detected attempts?

The relevant D&R rule is attached for reference.
