The Windows Base Rule Set is a default Rule Set in the Threat Stack application. It enables you to track alerts on Windows security events such as logins and changes to files in the system directory.
After you install the Windows Agent, you will need to apply the Windows Base Rule Set.
Apply the Windows Base Rule Set
In the Threat Stack application, navigate to the Servers page.
1) Select the Windows Server to display the Server Details section.
2) Click the Edit Server button to open the Edit Server window.
3) Click the [X] button to remove the default (Linux) Base Rule Set and display the Rule Set options.
4) Select the Windows Base Rule Set.
5) Click the Save Changes button to apply and save the Windows Base Rule Set to your Windows Server.
Now that you have applied the Windows Base Rule Set, your Threat Stack organization will start capturing all events from the Windows security logs.
Search for Events and Alerts
You can search for events and alerts on the Events and Alerts pages.
All events from the Windows security log are captured as event_type = "winsec". On the Events page, you can search for event_type = "winsec" to find the Windows events that Threat Stack has captured.
On the Alerts page, you can find alerts and events using search terms such as "windows" or "event".
Create Rules and Filters
As on Linux, you can write rules, filters, and suppressions and add them to the Windows Base Rule Set using the same workflow as for the Base Rule Set. Additionally, you can copy any event search filter and create a rule from it.