# Enabling Windows Event Log Analysis

Windows Event Log Analysis is performed with or without agents. Enabling Windows Event Log Analysis is achieved through several steps.

1. For on-premise deployments, the Elastic server connection is first configured from the SUPERORG settings: switch to MSSP and enter the Elastic username and password. By default, Elastic uses port 9200. Contact the CyberCyte support team for this step.

2. From the "Rules & Policies" -> "Artifact Collection Parameters" -> "Windows Event Log Rules" menu, the rules for collecting logs are configured. Each rule specifies the filter to be executed for log collection. The filter is executed on the endpoint, and the matched records are sent to Elastic for initial storage.

3. A Windows Event Log rule consists of the following sections:

a. Name: The name given to the rule.

b. Description: An optional description of the rule.

c. Channel: The log type (event log channel) to be collected from the endpoint.

d. Filter: XPath is used to define the filter. The predicate `TimeCreated[@SystemTime >= #{last_collection_time}]` must be included in the filter. `#{last_collection_time}` is a variable the platform uses to track the last execution time, so that each query only covers events since the previous collection. More information on XPath is available at <https://powershell.org/2019/08/a-better-way-to-search-events/>.

e. Tags: For matched events, a tag can be added.

f. MITRE Technique: A MITRE technique value can be added for matched events.

g. Risk Score: For matched events, a risk score can be set.

h. Labels: For matched events, a label can be added.

i. Is Malicious: For matched events, the malicious flag can be set.

4. Once the rules are configured, a policy should be created to select which Windows Event Log rules will be executed for collection. Create a policy from "Rules & Policies" -> "Policy Management" -> "Policy Rules" with the type "Windows Event Log Analysis". From the policy settings, set the time interval for log collection and the rules to be collected.

5. The final step is to assign the policy to the groups. From the "Rules & Policies" -> "Policy Management" -> "Group Management" settings, choose the created policy. The group members will retrieve the policy and start the log collection.
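The rule sections and the `#{last_collection_time}` variable in steps 3 to 5 are modelled in the following Python, which is an added example and not CyberCyte's or the platform's code: it checks that a rule carries the required predicate, renders the XPath into the structured XML query form that the Windows event log APIs accept once the timestamp is substituted, and attaches the rule's tags, MITRE technique, risk score, labels and malicious flag to a matched event. The attribute names, the assumption that the platform quotes the substituted timestamp, and the sample rule are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from xml.sax.saxutils import escape

LAST_TIME_VAR = "#{last_collection_time}"  # platform variable named on the page


@dataclass
class WindowsEventLogRule:
    """Rule sections listed on the page; attribute names are assumed."""
    name: str
    channel: str
    xpath_filter: str
    tags: list = field(default_factory=list)
    mitre_technique: str = ""
    risk_score: int = 0
    labels: list = field(default_factory=list)
    is_malicious: bool = False

def validate_rule(rule):
    """Return the problems found; an empty list means the rule is usable."""
    problems = []
    if not rule.name.strip():
        problems.append("name is required")
    if not rule.channel.strip():
        problems.append("channel is required")
    if LAST_TIME_VAR not in rule.xpath_filter:
        problems.append(f"filter must contain TimeCreated[@SystemTime >= {LAST_TIME_VAR}]")
    return problems

def render_query(rule, last_collection_time):
    """Substitute the timestamp (quoted here by assumption) into a structured XML query."""
    ts = last_collection_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    xpath = rule.xpath_filter.replace(LAST_TIME_VAR, f"'{ts}'")
    path = escape(rule.channel, {'"': "&quot;"})
    return (f'<QueryList><Query Id="0" Path="{path}">'
            f'<Select Path="{path}">{escape(xpath)}</Select></Query></QueryList>')

def enrich_event(rule, event):
    """Attach the rule's metadata to a matched event before it is sent to Elastic."""
    return {**event, "rule": rule.name, "tags": list(rule.tags), "labels": list(rule.labels),
            "mitre_technique": rule.mitre_technique, "risk_score": rule.risk_score,
            "is_malicious": rule.is_malicious}

# Constructed sample: Security event 4697 (a service was installed) since the last run.
SAMPLE_RULE = WindowsEventLogRule(
    name="New service installed", channel="Security",
    xpath_filter=f"*[System[EventID=4697 and TimeCreated[@SystemTime >= {LAST_TIME_VAR}]]]",
    tags=["persistence"], mitre_technique="T1543.003", risk_score=60)
SAMPLE_LAST_RUN = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
```

`render_query(SAMPLE_RULE, SAMPLE_LAST_RUN)` yields the XML that `Get-WinEvent -FilterXml` would accept, with `>=` escaped as `&gt;=`.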
