Skip to content

How to collect data on Windows Security Log

This page describes how to collect events from the Windows Security data source.

Log in to the CYBERQUEST web interface with an account with administrative rights.

Navigate to "Settings > Management > Data Source Manager".

Settings > Management > Data Source Manager

This page contains all the data sources added in the CYBERQUEST application.

Data sources list

Complete the form

Press the "ADD DATA-SOURCE" button and complete the following form:

Add data source form

  • DataSource Type: Select "WindowsOS/ Security Log (LogName: Security)" data source type;

  • DataSource Information: This field is filled in automatically with data source information;

  • Query Interval: How often the WMI (Windows Management Instrumentation) query runs. Defaults to every 60 seconds;

  • Credentials to use: Select a domain or local account with permissions to read the Windows Security log and WMI (See Credential Setup: How to manage Credentials);

  • Tag: A unique identifier automatically assigned to the data source;

  • Administrative Notes: Optional notes for administrators;

  • Anonymize Fields: Select fields to be anonymized. One or more options can be selected;

  • Computer: Enter the hostname (FQDN) or IP address of the Windows host;

Click the "Save" button to save the data source.

Assign the CYBERQUEST agent

The next step is to assign the CYBERQUEST agent to this data source. Press the drop-down list and choose the agent (often the CQ Server agent).

Assign agent dropdown

  • Edit: Click the Edit button button to update the data source information. The steps are similar to adding a new data source.

  • Clone: Click theClone icon to create a duplicate of the data source.

  • Bulk Clone: Click the Bulk Clone icon to replicate the current data source settings for each entry listed in the "Bulk Clone" field.

  • Delete: To remove a data source, unassign the Agent first, then click "Delete".