How can I get notified if an executable that is larger than a certain size is launched?

Article ID: 506
Category: Security
Applies to: 5.1.1.82 and later
Updated: 2024-04-23

By monitoring 4688 (process creation) events from the Security event log and filtering on the size of the launched executable, EventSentry can notify you when a large (or small) executable is launched. The filter below matches audit-success 4688 events from Microsoft-Windows-Security-Auditing and evaluates the size of the file referenced by the event's New Process Name field against 500000000 bytes (roughly 477 MiB); change the "text" value to use a different threshold. Because the size is read from disk when the event is processed, the executable must still exist at that path for the comparison to succeed.

  1. Ensure that 4688 events are being logged to the Security event log. This requires the "Audit Process Creation" subcategory (Advanced Audit Policy Configuration, Detailed Tracking) to audit Success on the monitored hosts.
  2. Create a package and assign it to the hosts where large executable launches should be detected; you can also use an existing event log package.
  3. Copy the filter definition shown below to the clipboard.
  4. Click the package in EventSentry and then click the Paste button in the ribbon.
{
  "type": 0,
  "active": 1,
  "name": "Large File Launched",
  "uuid": "04f99df3-efe9-4048-bec0-673b4c5a103d",
  "version": 1,
  "order": 11,
  "isfolder": 0,
  "applyToCollectorSideThresholds": 0,
  "requireAck": 0,
  "stopProcessing": 0,
  "anomalyFiltering": 0,
  "logs": [ "SEC" ],
  "severities": [ "AUDITSUCCESS" ],
  "source": "Microsoft-Windows-Security-Auditing",
  "eventid": "4688",
  "chainType": 0,
  "textfilters": [
    {
      "insertionString": 5,
      "comparisonType": 22,
      "text": "500000000",
      "type": 1
    }
  ],
  "threshold": {
    "type": 0,
    "limit": 0,
    "interval": 0,
    "intervalScale": 0,
    "processBefore": 0,
    "processAfter": 0,
    "processAfterFirstOnly": 0,
    "logImmediate": 0,
    "logInterval": 0,
    "logSeverity": 2,
    "matchType": 1
  },
  "timer": {
    "enable": 0,
    "interval": 0,
    "intervalScale": 0
  },
  "bootBehavior": 0
}
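Before deploying the filter, it is useful to confirm that the hosts actually produce 4688 events and to see which recent launches would have matched the threshold. The following PowerShell script is an added example for this article, not EventSentry code: it checks the "Process Creation" audit subcategory with auditpol, reads recent 4688 events from the Security log, and applies the same size comparison against the New Process Name field (Properties[5] of the event, %6 in the event's message template). The 500000000 default mirrors the "text" value of the filter above; run it from an elevated PowerShell session, since reading the Security log requires administrative rights.

```powershell
# Added example (not part of the EventSentry article): mirror the "Large File Launched"
# filter locally to verify auditing and preview which 4688 events would have matched.
param(
    [long]$ThresholdBytes = 500000000,   # same value as the "text" field in the filter
    [int]$MaxEvents = 500                # how many recent 4688 events to inspect
)

# 1. Verify that "Audit Process Creation" logs Success; without it no 4688 events are written.
#    auditpol /r emits CSV (with a leading blank line, which is dropped before parsing).
$audit = auditpol /get /subcategory:"Process Creation" /r |
    Where-Object { $_ } | ConvertFrom-Csv
if (-not $audit -or $audit.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "Process Creation auditing does not include Success; 4688 events will not be generated."
}

# 2. Pull recent 4688 events from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents $MaxEvents -ErrorAction Stop

foreach ($e in $events) {
    # Properties[5] is New Process Name: the full path of the launched executable.
    $path = [string]$e.Properties[5].Value

    # Caveat: the size is read from disk now, not at launch time. A binary that was
    # removed after execution (common for droppers) cannot be measured and is skipped here.
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $size = (Get-Item -LiteralPath $path).Length
    if ($size -gt $ThresholdBytes) {
        [pscustomobject]@{
            Time  = $e.TimeCreated
            User  = "$($e.Properties[2].Value)\$($e.Properties[1].Value)"  # Domain\Account
            Path  = $path
            Bytes = $size
        }
    }
}
```

Running this on a representative host before rolling out the package shows whether the threshold is too low (large legitimate installers and suites will match) or too high, so you can tune the "text" value in the filter rather than discovering noise after deployment.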

