<?xml version="1.0" encoding="ISO-8859-1" ?>
<event_sets>
  <set_elements setName="Symantec Antivirus Event IDs" eventSetId="44388897">
    <element_data ignore="0" source="*" category="*" eventId="5" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="51" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="46" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="11" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="13" username="*" description="*"/>
    <element_data ignore="0" source="*" category="*" eventId="24" username="*" description="*"/>
    <element_data ignore="0" source="Symantec Mail Security for Microsoft Exchange" category="*" eventId="293" username="*" description="*"/>
  </set_elements>
</event_sets>

Here is an event set... not a monitor set. I have a monitor set as well, but it only alerts when a service is stopped/doesn't start; nothing real fancy.

Legacy Forum Name: Monitor Sets, Legacy Posted By Username: pbrophy
The ones posted by pBrophy are the ones most commonly seen with regards to catching found threats. My event set is pretty much the complete opposite of his, though. Mine reports on everything except a list of events. This way, if something different pops up, I get a warning, which I can then choose to continue looking for or not.

<?xml version="1.0" encoding="ISO-8859-1" ?>
<event_sets>
  <set_elements setName="Symantec AV Events" eventSetId="86081622">
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="46" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="5" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="45" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="31" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="6" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="45" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="73" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="40" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="51" username="*" description="*Cookie*"/>
    <element_data ignore="0" source="Symantec AntiVirus" category="*" eventId="-1" username="*" description="*"/>
  </set_elements>
</event_sets>

This should report on all found threats (event id 51), unless the "threat" is a cookie. It will also report on all other events not explicitly ignored.

Legacy Forum Name: Monitor Sets, Legacy Posted By Username: Lmhansen
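Added example (my own Python, not code from either poster or from the monitoring product): it parses an event set in the XML format shown in both posts and decides which sample Application-log events would alert. The matching semantics are assumptions, not documented product behaviour: every attribute is a case-insensitive glob, eventId="-1" matches any ID, and a matching ignore="1" rule silences an event even when an ignore="0" rule also matches; the sample events are constructed.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the second poster's set, same attribute layout.
EVENT_SET_XML = """<?xml version="1.0" encoding="ISO-8859-1" ?>
<event_sets>
  <set_elements setName="Symantec AV Events" eventSetId="86081622">
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="46" username="*" description="*"/>
    <element_data ignore="1" source="Symantec AntiVirus" category="*" eventId="51" username="*" description="*Cookie*"/>
    <element_data ignore="0" source="Symantec AntiVirus" category="*" eventId="-1" username="*" description="*"/>
  </set_elements>
</event_sets>
"""

# Constructed Application-log events; the keys mirror the element_data attributes.
SAMPLE_EVENTS = [
    {"source": "Symantec AntiVirus", "category": "None", "eventId": 51, "username": "SYSTEM",
     "description": "Security Risk Found! Trojan.Gen in File: C:\\temp\\x.exe"},
    {"source": "Symantec AntiVirus", "category": "None", "eventId": 51, "username": "SYSTEM",
     "description": "Security Risk Found! Tracking Cookie in File: C:\\temp\\ad.txt"},
    {"source": "Symantec AntiVirus", "category": "None", "eventId": 1234, "username": "SYSTEM",
     "description": "Some event nobody listed yet."},
    {"source": "Symantec Mail Security for Microsoft Exchange", "category": "None", "eventId": 293,
     "username": "SYSTEM", "description": "Virus found in mail message."},
]

def load_event_set(xml_text):
    """Return the element_data attribute dicts in file order; bytes keep the declared encoding valid."""
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    return [dict(elem.attrib) for elem in root.iter("element_data")]

def _matches(rule, event):
    # Assumed semantics: each attribute is a case-insensitive glob and eventId -1 matches any ID.
    if rule["eventId"] != "-1" and rule["eventId"] != str(event["eventId"]):
        return False
    return all(fnmatch.fnmatchcase(event[k].lower(), rule[k].lower())
               for k in ("source", "category", "username", "description"))

def should_alert(rules, event):
    # Assumed precedence: a matching ignore="1" rule silences the event even if an ignore="0"
    # rule also matches; an event that matches no rule at all stays silent.
    hits = [r for r in rules if _matches(r, event)]
    if any(r["ignore"] == "1" for r in hits):
        return False
    return any(r["ignore"] == "0" for r in hits)

def alerting_event_ids(xml_text=EVENT_SET_XML, events=SAMPLE_EVENTS):
    """(eventId, description) pairs the set would raise an alert for."""
    rules = load_event_set(xml_text)
    return [(e["eventId"], e["description"]) for e in events if should_alert(rules, e)]
```

Run against the samples, the Trojan detection and the unlisted event 1234 alert, the cookie hit is suppressed by the `*Cookie*` rule, and the Mail Security event is silent because no rule's source matches it.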