There are multiple ingestion labels defined in SecOps specifically for Windows and Azure AD. Is there a way to find which label to apply for specific events?
For example, will all Windows event channels be covered by WINEVTLOG_XML, for example the ADFS Admin Audit channel?
Also, when should we use the labels below?
WINDOWS_AD
ADFS
AZURE_AD_SIGNIN (AZURE_AD already covers the sign-ins from Entra ID)