Using Filter Text to match specific events

Apply Filter Text to Security events (Step 5 of 6)

Unlock event


Let's say, for the sake of an example, that you wanted to be alerted when a certain user unlocked their workstation. The event below is an example of the event that is written to the Security log each time a machine is unlocked.


With events like this it is always a good idea to look at a few of them first and verify which information stays the same between the events you are interested in. We know that the event we are looking for should carry the same user name in each message, and since it is a logon event it should also carry the same logon type. A quick search confirms that Logon Type: 7 (Unlock) is the logon type Windows records when a locked workstation is unlocked.


With the information we have gathered about this event we should have no problem including enough detail in the filter to narrow it down so that it only matches one user's successful unlocks of their computer.


Filter for Unlocked events


Instead of waiting for the event to occur we can test a copy of this event against our filter rules to confirm that the filter does in fact match.


Successful filter match
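The same match can be checked offline. The block below is an added example, not code from the original page or from the tool it describes: it applies the two conditions worked out above (a fixed user name and Logon Type 7) to constructed sample messages laid out like Windows Security log logon events. Two details matter in practice and are handled here. First, "Account Name" appears twice in these messages, once under "Subject" (the account that reported the logon) and once under "New Logon" (the account that actually logged on), so the filter reads the second one. Second, a failed unlock attempt is also logged with Logon Type 7, as event 4625 rather than 4624, so a filter that only looks at the logon type and user name would alert on wrong-password attempts as well; requiring event 4624 keeps it to successful unlocks. The event IDs and field names are the ones Windows uses; the user, computer and SID values are made up.

```python
import re

# Constructed sample messages (not from the original page). The layout
# follows Windows Security log logon events; names and SIDs are invented.
UNLOCK_OK = """An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       WKS01$
    Account Domain:     CORP
    Logon ID:           0x3E7

Logon Type:            7

New Logon:
    Security ID:        S-1-5-21-111-222-333-1001
    Account Name:       jsmith
    Account Domain:     CORP
    Logon ID:           0x1A2B3C
"""

CONSOLE_LOGON = UNLOCK_OK.replace("Logon Type:            7", "Logon Type:            2")
OTHER_USER_UNLOCK = UNLOCK_OK.replace("Account Name:       jsmith", "Account Name:       bob")

UNLOCK_FAILED = """An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       WKS01$
    Account Domain:     CORP
    Logon ID:           0x3E7

Logon Type:            7

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       jsmith
    Account Domain:     CORP
"""

LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")


def parse_logon_event(message):
    """Return the logon type and the account that logged on (or tried to).

    Only the Account Name that follows the 'New Logon:' (4624) or
    'Account For Which Logon Failed:' (4625) header identifies the user;
    the one under 'Subject:' is skipped by cutting the text at the header.
    """
    logon_type = LOGON_TYPE_RE.search(message)
    tail = ""
    for header in ("New Logon:", "Account For Which Logon Failed:"):
        if header in message:
            tail = message.split(header, 1)[1]
            break
    account = ACCOUNT_RE.search(tail)
    return {
        "logon_type": int(logon_type.group(1)) if logon_type else None,
        "account": account.group(1) if account else None,
    }


def matches_unlock(event_id, message, user):
    """True only for a successful unlock (event 4624, Logon Type 7) by `user`."""
    fields = parse_logon_event(message)
    return (
        event_id == 4624
        and fields["logon_type"] == 7
        and fields["account"] is not None
        and fields["account"].lower() == user.lower()
    )


def select_unlocks(events, user):
    """Filter a list of (event_id, message) pairs down to `user`'s unlocks."""
    return [msg for event_id, msg in events if matches_unlock(event_id, msg, user)]


if __name__ == "__main__":
    sample = [
        (4624, UNLOCK_OK),
        (4624, CONSOLE_LOGON),
        (4624, OTHER_USER_UNLOCK),
        (4625, UNLOCK_FAILED),
    ]
    hits = select_unlocks(sample, "jsmith")
    print(f"{len(hits)} of {len(sample)} sample events match jsmith's unlocks")
```

Running the block reports that exactly one of the four constructed events matches: the console logon fails the logon-type check, the other user's unlock fails the name check, and the failed unlock attempt is excluded because it is event 4625, even though its logon type and account name both match.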



  • Updated on: 2015-01-21
  • Skill Level: Advanced