Set property to make relevant (Windows)

Being multi-tenant, we have a lot of systems across a lot of networks, subnets, and customers, as well as a lot of custom content.

Some custom content is used in lieu of checking out credentials, logging into a bastion (or two), jumping into the customer's environment and finally into the system you need to reach. With as much custom content as we have, we don't want all of it being evaluated unless it is needed. Instead, the relevance of the analysis or other custom content is set to only be applicable on systems with a custom client property or registry key set to a specific value.

Example:

We have an analysis that pulls all "shutdown" event entries from the event log. The purpose is to get all events concerning reboots of the target system. Scanning the event log can be resource intensive. Instead of leaving it applicable to all Windows systems and running at whatever interval we set, we set a registry key to "enable" the analysis on the target system.

if (exists value whose (name of it is "ShowShutdownEvents") of key "HKEY_LOCAL_MACHINE\SOFTWARE\CUS-MRS" of native registry | False) AND ((value whose (name of it is "ShowShutdownEvents") of key "HKEY_LOCAL_MACHINE\SOFTWARE\CUS-MRS" of native registry) = "True") Then True else False

Then we created a task to enable and disable the applicability of the analysis.


When we get a question about a reboot on a system, we enable the analysis using the task to make it applicable, wait for the analysis to populate, read, copy, or screen capture the data, then disable the applicability.

If you have any questions, send me a message.

Someone asked about the analysis property relevance. Here it is…

(event id of it, time generated of it, description of it) of (records whose (event id of it is contained by set of (41;1074;6008)) of system event log)
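As an added example (not the poster's content), the same gate and the same analysis property expressed in PowerShell, so the expected result can be checked on a test host before the BigFix content is deployed; the key path, value name and event IDs are the ones from the post, the function names are my own.

```powershell
# Added example, not the original poster's code. Mirrors the registry gate and
# the event-log analysis property from the post so they can be verified locally.
$KeyPath   = 'HKLM:\SOFTWARE\CUS-MRS'   # key and value name taken from the post
$ValueName = 'ShowShutdownEvents'

function Set-ShutdownEventCollection {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Mirrors the enable/disable task: creates the key on first use and writes
    # the literal string "True"/"False" that the relevance compares against.
    # Writing under HKLM requires an elevated session.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $flag = if ($Enabled) { 'True' } else { 'False' }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $flag -Type String
}

function Test-ShutdownEventCollectionEnabled {
    # Mirrors the applicability relevance: a missing key or value yields False
    # (the "| False" in the relevance), and only the exact string "True" passes.
    # -ceq is case-sensitive, like the relevance string comparison.
    $v = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return ($v -ceq 'True')
}

function Get-ShutdownEvents {
    # Mirrors the analysis property: System log records with ID 41 (reboot
    # without clean shutdown), 1074 (user/process initiated shutdown) or
    # 6008 (unexpected shutdown), reporting the same three fields.
    if (-not (Test-ShutdownEventCollectionEnabled)) { return @() }
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 1074, 6008 } -ErrorAction SilentlyContinue |
        Select-Object Id, TimeCreated, Message
}

# Same workflow as the post: enable, read, disable.
Set-ShutdownEventCollection -Enabled $true
Get-ShutdownEvents | Format-Table -AutoSize
Set-ShutdownEventCollection -Enabled $false
```

With the flag set to anything other than "True", Get-ShutdownEvents returns nothing, which is the behaviour the relevance enforces on the endpoint.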