I'd like to filter events by ID while running a consolidate job. Is this possible? I can only find machine type filtering.
Thank you Igor.
With this option not available, I'd like to create a search filter in Repository Viewer instead. I want to create a filter to show several events in Windows Security log and Windows System log.
E.g., Security log 4624, 4625; System log 20001, 20002.
Can you tell me how to create a filter like this? The samples in https://support.quest.com/zh-cn/technical-documents/intrust/11.3/searching-for-events-in-repository-viewer/3#Advanced are not very comprehensive. Thank you.
If you have the latest InTrust version, 11.4.1, you can find a set of new searches under Predefined Search Folders | Threat Hunting | Windows | Native OS Logs Telemetry. These searches can be used as samples for a request like yours because some of them have custom queries similar to yours. For example, the search named Authentication has a custom search filter like (striequ(Log, "Application") and (EventID = 1511)) or (striequ(Log, "Security") and in_range(EventID, "4624,4625,4648,4776,4634,4672")). You can copy this search and change the query to (striequ(Log, "System") and in_range(EventID, "20001, 20002")) or (striequ(Log, "Security") and in_range(EventID, "4624,4625")), and that's it.
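The following is an added example, not part of the reply above and not InTrust or Quest code. It models the two filter functions used in that query (striequ and in_range) in Python so the combined expression can be sanity-checked offline against a handful of constructed Windows events before it is pasted into Repository Viewer. The semantics are an assumption drawn from how the query reads: striequ is a case-insensitive string comparison, and in_range accepts a comma-separated list of event IDs with optional whitespace, as in "20001, 20002". The Event class, the sample events and their descriptions are constructed for this example.

```python
"""Offline model of the Repository Viewer custom search filter
(striequ(Log, "System") and in_range(EventID, "20001, 20002"))
  or (striequ(Log, "Security") and in_range(EventID, "4624,4625"))

Hypothetical re-implementation for checking the filter logic; it makes no
claim about how the real InTrust engine evaluates these functions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for an InTrust repository event (constructed)."""
    log: str
    event_id: int
    description: str = ""


def striequ(value: str, expected: str) -> bool:
    """Case-insensitive string equality, as the Log comparison is assumed to work."""
    return value.casefold() == expected.casefold()


def in_range(value: int, spec: str) -> bool:
    """True if value is one of the comma-separated IDs in spec.

    Whitespace around entries is ignored, so "20001, 20002" and "20001,20002"
    are treated the same (assumption about the real function).
    """
    wanted = {int(token) for token in spec.split(",") if token.strip()}
    return value in wanted


def matches(ev: Event) -> bool:
    """The modified query from the reply, expressed with the two helpers."""
    return (
        (striequ(ev.log, "System") and in_range(ev.event_id, "20001, 20002"))
        or (striequ(ev.log, "Security") and in_range(ev.event_id, "4624,4625"))
    )


# Constructed sample events: some should pass the filter, some should not.
SAMPLE_EVENTS = [
    Event("Security", 4624, "successful logon (constructed)"),
    Event("Security", 4625, "failed logon (constructed)"),
    Event("security", 4624, "same ID, lower-case log name (constructed)"),
    Event("Security", 4688, "process creation, not in the list (constructed)"),
    Event("System", 20001, "constructed System event"),
    Event("System", 20002, "constructed System event"),
    Event("System", 7036, "service state change, not in the list (constructed)"),
    Event("Application", 1511, "in the original Authentication search, not in ours"),
]


def filter_events(events):
    """Return the (log, event_id) pairs that the query would keep, in input order."""
    return [(e.log, e.event_id) for e in events if matches(e)]


if __name__ == "__main__":
    for log, event_id in filter_events(SAMPLE_EVENTS):
        print(f"{log}: {event_id}")
```

The Application 1511 event is included on purpose: it is kept by the predefined Authentication search quoted in the reply, but dropped once that search's first clause is replaced by the System clause, which is exactly the change the reply describes.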
If your version is lower than 11.4.1, then please do the following:
It is called the Customization Kit: https://support.quest.com/zh-cn/technical-documents/intrust/11.4.1/customization-kit/7
I will ask a tech writer to review the Searching For Events document to add a link.