How to filter a consolidate job?

Hi,

I'd like to filter events by ID while running a consolidate job. Is this possible? I can only find machine type filtering.

Thank you.

  • Hi Sean,

    If you have the latest InTrust version, 11.4.1, you can find a set of new searches under Predefined Search Folders | Threat Hunting | Windows | Native OS Logs Telemetry. These searches can be used as a sample for a request like yours, because some of them have a custom query similar to yours. For example, the search named Authentication has a custom search filter like (striequ(Log, "Application") and (EventID = 1511)) or (striequ(Log, "Security") and in_range(EventID, "4624,4625,4648,4776,4634,4672")). You can copy this search and change the query to (striequ(Log, "System") and in_range(EventID, "20001, 20002")) or (striequ(Log, "Security") and in_range(EventID, "4624,4625")), and that's it.

    If your version is lower than 11.4.1, then please do the following:

    1. Under Custom Search Folders (or your favorite folder inside Custom Search Folders) create a new search.
    2. At the bottom of the right pane click Add or Remove Parameters.
    3. Choose Primary instead of Normalized Strings.
    4. Check Custom.
    5. Close the Select Filter Parameters dialog.
    6. In Search Filter scroll down so that Custom is visible.
    7. Change true to (striequ(Log, "System") and in_range(EventID, "20001, 20002")) or (striequ(Log, "Security") and in_range(EventID, "4624,4625"))
    8. Make some changes in the grid layout (add/remove columns, add sorting or grouping, etc.), and that's it.
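To make the semantics of the filter expression in step 7 concrete, here is an added example (not part of the original thread and not InTrust's own code) that re-implements striequ and in_range in Python and runs the same expression over a handful of constructed Windows events. The two helpers are assumptions about how InTrust evaluates them: striequ is taken as a case-insensitive string comparison, and in_range is modelled only for the comma-separated ID lists shown on this page (note that the page writes both "4624,4625" and "20001, 20002", so surrounding whitespace must be tolerated). The sample events are constructed for the example, not real captured data.

```python
"""Emulate the custom search filter from the answer above over constructed
Windows events. striequ/in_range are hypothetical re-implementations of the
InTrust functions, written for this example; they are not InTrust's code."""


def striequ(a: str, b: str) -> bool:
    """Case-insensitive string equality (assumed semantics of striequ)."""
    return a.casefold() == b.casefold()


def in_range(value: int, spec: str) -> bool:
    """True if value appears in the comma-separated ID list in spec.

    Whitespace around each item is ignored, so "20001, 20002" and
    "4624,4625" both work. Assumption: only comma lists are modelled,
    which is the only form the thread shows.
    """
    ids = {int(item) for item in spec.split(",") if item.strip()}
    return value in ids


def custom_filter(event: dict) -> bool:
    """The step-7 expression, translated term for term into Python."""
    log, event_id = event["Log"], event["EventID"]
    return (striequ(log, "System") and in_range(event_id, "20001, 20002")) or (
        striequ(log, "Security") and in_range(event_id, "4624,4625")
    )


# Constructed sample events; each one probes a different branch of the filter.
SAMPLE_EVENTS = [
    {"Log": "Security", "EventID": 4624, "Computer": "DC01"},       # logon success
    {"Log": "security", "EventID": 4625, "Computer": "WS07"},       # lower-case log name
    {"Log": "Security", "EventID": 4648, "Computer": "WS07"},       # Security, but ID not listed
    {"Log": "System", "EventID": 20001, "Computer": "WS07"},        # System branch
    {"Log": "System", "EventID": 7036, "Computer": "WS07"},         # System, but ID not listed
    {"Log": "Application", "EventID": 4624, "Computer": "WS07"},    # right ID, wrong log
]


def select_events(events):
    """Return only the events the custom filter accepts."""
    return [e for e in events if custom_filter(e)]


if __name__ == "__main__":
    for e in select_events(SAMPLE_EVENTS):
        print(e)
```

Running it keeps exactly three events: Security/4624, security/4625 (matched despite the lower-case log name, which is why striequ rather than a plain equality is used) and System/20001. The Security/4648 and Application/4624 rows drop out, showing that the expression keys on the log name and event ID together, not on either alone.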
  • Thank you Igor!

    Is there a document regarding the grammar used in filters?

  • It is called the Customization Kit: https://support.quest.com/zh-cn/technical-documents/intrust/11.4.1/customization-kit/7

    I will ask a tech writer to review the Searching For Events document and add a link.