I have existing rules for Windows Server 2008 that filter up event ID 4625. Is it possible to filter down to the status or substatus code number?
For example, the status code below:
0xc000015b: The user has not been granted the requested logon type (aka logon right) at this machine
Is it possible to filter Event ID 4625 AND Status Code 0xc000015b? If yes, what fields should I put for the filter?
I looked at the MicrosoftWindows2008EventLogMappingsConfig.pdf and MicrosoftWindows2008EventLogMappingsNativeConfig.pdf but found nothing related to Status Code.
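For reference, an added example that is not part of the original post and is not the product's own field mapping: in the native Windows event XML, 4625 carries the codes as the `Status` and `SubStatus` data items under `EventData`, so the combined condition can be checked as below. The sample events, account names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, status, sub_status, user, logon_type):
    # Builds a constructed sample event, trimmed to the fields used here.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="Status">{status}</Data>
    <Data Name="SubStatus">{sub_status}</Data>
    <Data Name="LogonType">{logon_type}</Data>
  </EventData>
</Event>"""

# Constructed sample input (not real log data).
SAMPLE_EVENTS = [
    _event(4625, "0xc000015b", "0x0", "svc_backup", 10),
    _event(4625, "0xc000006d", "0xc000006a", "alice", 3),
    _event(4624, "0x0", "0x0", "bob", 2),
]

def parse_event(xml_text):
    """Return the EventData name/value pairs plus the numeric EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields

def _code(value):
    # Compare codes numerically so 0xC000015B and 0xc000015b match.
    return int(value, 16)

def failed_logons_with_status(events_xml, status, sub_status=None):
    """Keep events where EventID == 4625 AND Status (and optionally SubStatus) match."""
    hits = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if ev["EventID"] != 4625:
            continue
        if _code(ev.get("Status", "0x0")) != _code(status):
            continue
        if sub_status is not None and \
                _code(ev.get("SubStatus", "0x0")) != _code(sub_status):
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in failed_logons_with_status(SAMPLE_EVENTS, "0xC000015B"):
        print(ev["TargetUserName"], ev["Status"], ev["LogonType"])
```
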