The agent monitors these Windows Event Log channels:
Application - Application errors, warnings, and information
System - System-level events and service state changes
Security - Authentication events, access control, and audit logs
Windows PowerShell - Classic channel: PowerShell engine lifecycle and pipeline activity
PowerShell Operational (Microsoft-Windows-PowerShell/Operational) - Module and script block logging, i.e. the commands and script content actually executed
This provides visibility into:
User authentication attempts (successful and failed)
Service starts, stops, and failures
Process creation and termination
Application crashes and errors
PowerShell script execution and commands
Note that some of these events only exist if the matching policy is enabled on the host: process creation (Event ID 4688) requires the Audit Process Creation subcategory, and complete script content in the PowerShell Operational channel (Event ID 4104) requires Script Block Logging. The channel is collected either way, but without those settings the events are never written.
The advanced configuration automatically filters out high-volume, low-value events to reduce storage costs:
Filtered Event IDs:
5145 - Network share object access check
5156 - Windows Filtering Platform permitted connection
5447 - Windows Filtering Platform filter change
4656 - Handle to object requested
4658 - Handle to object closed
4663 - Attempt to access object
4660 - Object deleted
4670 - Permissions on object changed
4690 - Duplicate handle to object requested
4703 - Token right adjusted
4907 - Auditing settings changed
5152 - Windows Filtering Platform blocked packet
5157 - Windows Filtering Platform blocked connection
To customize this list, add or remove Event IDs in the drop rule in the configuration (YOUR_EVENT_ID is a placeholder for the ID you want to add):
Exec if $EventID in (5145, 5156, YOUR_EVENT_ID) drop();
Review the default list before keeping it. Most of these IDs are pure noise on a busy server, but 4670 (permissions on an object changed), 4703 (token right adjusted) and 4907 (auditing settings changed) are also the events that show an attacker weakening ACLs or switching off auditing, and 5157 (blocked connection) is what you want when investigating lateral movement. Dropping them trades detection coverage for volume, so keep them on domain controllers and other high-value hosts if the volume is acceptable.
Other settings in the event log input:
ResolveSID: FALSE - Does not resolve Security Identifiers to usernames (improves performance; SIDs are resolved later in Logpoint)
ReadFromLast: TRUE - Starts reading from the last known position (avoids duplicates on restart)
$ModuleType = 'event_log' - Tags events for Logpoint normalization
Prerequisites:
DHCP Server role must be installed
DHCP audit logging must be enabled (enabled by default)
The agent reads the DHCP server audit logs from:
C:\Windows\System32\dhcp\DhcpSrvLog-*.log
The wildcard * matches log files with different day names (e.g., DhcpSrvLog-Mon.log, DhcpSrvLog-Tue.log); the DHCP service rotates the log per weekday and overwrites each file a week later. If the audit log path was changed on the server (Get-DhcpServerAuditLog shows the current path and whether logging is enabled), point the agent at that location instead.
The agent parses these CSV fields from DHCP logs:
ID, Date, Time, Description
IPAddress, Hostname, MACAddress
UserName, TransactionID, QResult
ProbationTime, CorrelationID, DHCID
VendorClassHex, VendorClassASCII
UserClassHex, UserClassASCII
RelayAgentInformation, DnsRegError
This provides visibility into:
DHCP lease requests and grants
IP address assignments
DHCP client information
Lease renewals and releases
DHCP server activity
Enable DHCP collection on servers running the DHCP Server role to track:
Device network connections
IP address usage patterns
Unauthorized DHCP activity
DHCP troubleshooting
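To show what the collected DHCP audit log looks like end to end, here is an added example (not the agent's or Logpoint's code) that skips the file's preamble and header, maps each data row onto the field list above, and then answers the questions listed: who got which address, which hosts renewed or released, and whether one host is cycling MAC addresses to hoard leases (DHCP starvation). The log text is constructed; the event ID meanings used (10 Assign, 11 Renew, 12 Release, 13 Conflict) are the ones the DHCP service prints in the preamble of every audit log.

```python
"""Parse Windows DHCP Server audit-log files (DhcpSrvLog-*.log) and summarise lease activity.

Added example, not the agent's or Logpoint's code. FIELDS follows the CSV
field list above; SAMPLE_LOG is constructed.
"""
import csv
from collections import Counter, defaultdict

# Field names in the order the DHCP service writes them (and the agent lists them).
FIELDS = [
    "ID", "Date", "Time", "Description",
    "IPAddress", "Hostname", "MACAddress",
    "UserName", "TransactionID", "QResult",
    "ProbationTime", "CorrelationID", "DHCID",
    "VendorClassHex", "VendorClassASCII",
    "UserClassHex", "UserClassASCII",
    "RelayAgentInformation", "DnsRegError",
]

# Constructed sample: the preamble the real file carries, the CSV header, then data rows.
SAMPLE_LOG = """Microsoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
00,03/18/24,08:00:01,Started,,,,,0,6,,,,,,,,,0
10,03/18/24,08:01:10,Assign,10.10.1.50,ws-finance01.corp.example,001A2B3C4D5E,,2141781376,0,,,,4D53465420352E30,MSFT 5.0,,,,0
11,03/18/24,08:02:15,Renew,10.10.1.51,ws-hr02.corp.example,00AABBCCDDEE,,2141781380,0,,,,4D53465420352E30,MSFT 5.0,,,,0
10,03/18/24,08:03:40,Assign,10.10.1.52,kali,DEADBEEF0001,,2141781390,0,,,,,,,,,0
10,03/18/24,08:03:41,Assign,10.10.1.53,kali,DEADBEEF0002,,2141781391,0,,,,,,,,,0
10,03/18/24,08:03:42,Assign,10.10.1.54,kali,DEADBEEF0003,,2141781392,0,,,,,,,,,0
13,03/18/24,08:05:00,Conflict,10.10.1.50,,,,0,6,,,,,,,,,0
12,03/18/24,08:10:00,Release,10.10.1.51,ws-hr02.corp.example,00AABBCCDDEE,,2141781400,0,,,,,,,,,0
"""


def parse_dhcp_log(text):
    """Return one dict per data row; preamble, blank lines and the header are skipped.

    A data row is recognised the same way the agent does it: the first CSV
    field is a numeric event ID. Short rows are padded so every field exists.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not line.split(",", 1)[0].isdigit():
            continue
        parts = next(csv.reader([line]))
        parts += [""] * (len(FIELDS) - len(parts))
        rows.append(dict(zip(FIELDS, (p.strip() for p in parts))))
    return rows


def count_by_description(rows):
    """How many Assign / Renew / Release / Conflict ... events the log holds."""
    return Counter(r["Description"] for r in rows)


def leases_by_host(rows):
    """hostname -> set of MAC addresses that obtained a new lease (event 10) under that name."""
    macs = defaultdict(set)
    for r in rows:
        if r["ID"] == "10" and r["Hostname"]:
            macs[r["Hostname"]].add(r["MACAddress"])
    return macs


def find_mac_churn(rows, threshold=3):
    """Hosts that took leases with at least `threshold` distinct MACs.

    One hostname cycling through MAC addresses to drain the scope is the
    usual prelude to standing up a rogue DHCP server.
    """
    return {host: sorted(m) for host, m in leases_by_host(rows).items() if len(m) >= threshold}


if __name__ == "__main__":
    rows = parse_dhcp_log(SAMPLE_LOG)
    print(count_by_description(rows))
    print("MAC churn:", find_mac_churn(rows))
```

Point the parser at a real file with `open(path, encoding="utf-8")` and `parse_dhcp_log(f.read())`; the weekday rotation means you normally feed all seven DhcpSrvLog-*.log files.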
CRITICAL: DNS debug logging is off by default and must be manually enabled on your DNS server; without it the agent has nothing to collect.
To Enable DNS Debug Logging:
Open DNS Manager
Right-click the DNS server
Select Properties → Debug Logging tab
Enable desired logging options (at minimum packet logging for queries and responses, both send and receive)
Set log file location to default or specify custom path; if you choose a custom path, the agent's DNS log file path must point at the same file
You can confirm the resulting settings from PowerShell with Get-DnsServerDiagnostics.
The agent validates DNS log entries before forwarding:
Drops empty lines
Drops lines that don't start with a date pattern
Only forwards properly formatted DNS debug entries
This provides visibility into:
DNS queries and responses
Query types and destinations
Response codes
DNS resolution flows
Client IP addresses making queries
Enable DNS collection for:
Investigating DNS-based threats (tunneling, DGA domains)
Tracking domain resolution patterns
Detecting DNS exfiltration
Network troubleshooting
Compliance and auditing
Performance Note: DNS debug logging can generate high volumes of data. Enable selectively on critical DNS servers.
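The following added example (not the agent's code) applies the same validation the agent performs, dropping blank lines and lines that do not start with a date, then goes a step further: it parses the packet line into fields, decodes the length-prefixed name the DNS Server writes ((3)www(7)example(3)com(0)), and runs the kind of tunneling and DGA heuristics listed above over the client queries. The log text is constructed to follow the debug log's packet line layout; the thresholds in suspicious_reasons() are assumed starting points, not a standard.

```python
"""Validate Windows DNS Server debug-log packet lines and flag tunneling/DGA-like queries.

Added example; this is not the agent's code. SAMPLE_LOG is constructed.
"""
import math
import re
from collections import Counter

# First-pass check, same as the agent's: a real entry starts with a date.
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}\s")

# Packet line: date time thread PACKET packet-id proto Snd|Rcv remote xid [R] opcode [flags rcode] qtype name
PACKET_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<packet>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<response>R)?\s*(?P<opcode>[QNU])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?P<flags>[A-Z ]*?)\s+(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>[A-Z0-9]+)\s+(?P<rawname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

SAMPLE_LOG = """DNS Server log file creation at 3/18/2024 8:00:00 AM
Log file wrap at 3/18/2024 8:00:00 AM

Message logging key (for packets - other items use a subset of these fields):
  Field #  Information         Values
  -------  -----------         ------
     1     Date
     2     Time

3/18/2024 8:03:40 AM 0B2C PACKET  000001D4A1B2C3D0 UDP Rcv 10.10.1.52       4a1f   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/18/2024 8:03:40 AM 0B2C PACKET  000001D4A1B2C3D0 UDP Snd 10.10.1.52       4a1f R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/18/2024 8:03:41 AM 0B2C PACKET  000001D4A1B2C3E8 UDP Rcv 10.10.1.54       9c02   Q [0001   D   NOERROR] TXT    (40)a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0(6)c2tunl(8)attacker(3)net(0)
3/18/2024 8:03:42 AM 0B2C PACKET  000001D4A1B2C3F0 UDP Rcv 10.10.1.52       a7d3   Q [0001   D   NOERROR] A      (16)xk3q9vz2mwpl7ynb(3)xyz(0)
3/18/2024 8:03:43 AM 0B2C PACKET  000001D4A1B2C3F8 UDP Snd 10.10.1.52       a7d3 R Q [8183   DR  NXDOMAIN] A      (16)xk3q9vz2mwpl7ynb(3)xyz(0)
3/18/2024 8:03:44 AM 0B2C PACKET  000001D4A1B2C400 UDP Rcv 10.10.1.52       b1c2   Q [0001   D   NOERROR] A      (4)bad(3)com(0)
this line is corrupt and must be dropped
"""


def decode_name(raw):
    """(3)www(7)example(3)com(0) -> www.example.com; None if a length prefix does not match."""
    parts = LABEL_RE.findall(raw)
    if "".join(f"({n}){t}" for n, t in parts) != raw:
        return None
    labels = []
    for n, t in parts:
        if int(n) != len(t):
            return None
        if t:
            labels.append(t)
    return ".".join(labels) if labels else "."


def parse_line(line):
    """Dict for a well-formed packet line, None for anything that should be dropped."""
    line = line.rstrip("\r\n")
    if not line.strip() or not DATE_RE.match(line):
        return None                      # the agent's own validation
    m = PACKET_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].strip()
    rec["response"] = rec["response"] == "R"
    rec["name"] = decode_name(rec["rawname"])
    return rec if rec["name"] is not None else None


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious_reasons(rec, max_name_len=50, min_label_len=12, entropy_threshold=3.5):
    """Heuristics for client questions (Rcv lines); responses are not judged."""
    if rec["response"]:
        return []
    reasons = []
    first = rec["name"].split(".")[0]
    if len(rec["name"]) > max_name_len:
        reasons.append("long name")                       # payload carried in the name
    if len(first) >= min_label_len and shannon_entropy(first) >= entropy_threshold:
        reasons.append("high-entropy label")              # encoded data or DGA label
    if rec["qtype"] in ("TXT", "NULL"):
        reasons.append("tunneling-capable record type")   # large, free-form answers
    return reasons


def scan(lines):
    """Returns (kept records, number of dropped lines, [(remote, qtype, name, reasons), ...])."""
    kept, dropped, findings = [], 0, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            dropped += 1
            continue
        kept.append(rec)
        reasons = suspicious_reasons(rec)
        if reasons:
            findings.append((rec["remote"], rec["qtype"], rec["name"], reasons))
    return kept, dropped, findings


if __name__ == "__main__":
    kept, dropped, findings = scan(SAMPLE_LOG.splitlines())
    print(f"kept {len(kept)}, dropped {dropped}")
    for remote, qtype, name, reasons in findings:
        print(remote, qtype, name, reasons)
```

The date check is cheap and is what makes the agent's filter work against the file's preamble and field legend, but it is not a format check: a line can start with a date and still be truncated or have a bogus name encoding, which is why the example also validates the label lengths before trusting the name.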
The agent performs continuous FIM-style scanning of critical registry locations to detect:
Persistence mechanisms - Malware auto-start locations
Execution hijacking - File handler and association tampering
Service modifications - Changes to Windows services
Policy tampering - Group policy and security policy changes
Protocol handler abuse - Custom protocol handler manipulation
| Category | Example Paths | Purpose |
|---|---|---|
| File Execution | | Detect file association attacks; monitor command file handlers; track executable file handlers |
| Persistence | | Catch auto-start malware; monitor one-time startup items; track Winlogon changes |
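As an added example of the snapshot-and-diff logic behind FIM-style registry scanning (this is not the agent's implementation), the code below watches a small list of auto-start and file-handler keys in the two categories of the table, fingerprints a snapshot so an unchanged registry costs one hash comparison, and reports added, removed and modified values with their category. WATCHLIST is my own selection of well-known locations; the baseline and "compromised" snapshots are constructed so the diff runs on any platform, and take_snapshot() reads the live registry through winreg only on Windows.

```python
"""Snapshot-and-diff scan of auto-start and file-handler registry keys.

Added example, not the agent's implementation. WATCHLIST and both snapshots
are assumptions for illustration.
"""
import copy
import hashlib
import json

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

# (category, hive, subkey): assumed watch list mirroring the table's categories.
WATCHLIST = [
    ("Persistence", "HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),          # auto-start
    ("Persistence", "HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),      # one-time startup
    ("Persistence", "HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"),  # Shell / Userinit
    ("File Execution", "HKCR", r"exefile\shell\open\command"),                          # .exe handler
    ("File Execution", "HKCR", r"cmdfile\shell\open\command"),                          # .cmd handler
]
KEY_INFO = {f"{hive}\\{sub}": (cat, hive, sub) for cat, hive, sub in WATCHLIST}


def read_key_values(hive, subkey):
    """{value_name: (reg_type, data_as_str)} for one key; {} if it is absent or unreadable."""
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCR": winreg.HKEY_CLASSES_ROOT,
             "HKCU": winreg.HKEY_CURRENT_USER}
    values = {}
    try:
        with winreg.OpenKey(hives[hive], subkey) as key:
            index = 0
            while True:
                try:
                    name, data, reg_type = winreg.EnumValue(key, index)
                except OSError:          # no more values
                    break
                values[name] = (reg_type, str(data))
                index += 1
    except OSError:                      # key missing or access denied
        pass
    return values


def take_snapshot():
    """Live snapshot of every watched key (Windows only)."""
    if winreg is None:
        raise RuntimeError("live registry reads need Windows; diff saved snapshots instead")
    return {path: read_key_values(hive, sub) for path, (_, hive, sub) in KEY_INFO.items()}


def save_snapshot(snapshot):
    return json.dumps(snapshot, sort_keys=True)


def load_snapshot(text):
    return json.loads(text)


def fingerprint(snapshot):
    """Stable SHA-256 over the snapshot; equal hashes mean nothing changed."""
    return hashlib.sha256(save_snapshot(snapshot).encode()).hexdigest()


def diff_snapshots(baseline, current):
    """[(change, category, key_path, value_name, old, new)]. Values are normalised to
    tuples so a baseline loaded back from JSON (lists) compares equal to a live one."""
    def norm(v):
        return None if v is None else tuple(v)
    changes = []
    for path in sorted(set(baseline) | set(current)):
        cat = KEY_INFO.get(path, ("Unknown",))[0]
        old, new = baseline.get(path, {}), current.get(path, {})
        for name in sorted(set(old) | set(new)):
            o, n = norm(old.get(name)), norm(new.get(name))
            if o == n:
                continue
            change = "added" if o is None else "removed" if n is None else "modified"
            changes.append((change, cat, path, name, o, n))
    return changes


def report(changes):
    """One alert line per change, in category / change / key / value form."""
    return [f"[{cat}] {change}: {path}\\{name or '(Default)'} {old} -> {new}"
            for change, cat, path, name, old, new in changes]


RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE = r"HKCR\exefile\shell\open\command"

# Constructed baseline from a clean host (REG_SZ = 1, REG_EXPAND_SZ = 2).
BASELINE = {
    RUN: {"SecurityHealth": (2, r"%windir%\system32\SecurityHealthSystray.exe")},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": {},
    WINLOGON: {"Shell": (1, "explorer.exe"),
               "Userinit": (1, r"C:\Windows\system32\userinit.exe,")},
    EXEFILE: {"": (2, '"%1" %*')},
    r"HKCR\cmdfile\shell\open\command": {"": (2, '"%1" %*')},
}

# Constructed "after" snapshot with one change per attack type the table lists.
COMPROMISED = copy.deepcopy(BASELINE)
COMPROMISED[RUN]["Updater"] = (1, r"C:\Users\Public\svchost.exe")                                   # auto-start
COMPROMISED[WINLOGON]["Userinit"] = (1, r"C:\Windows\system32\userinit.exe,C:\Users\Public\wl.exe")  # Winlogon
COMPROMISED[EXEFILE][""] = (2, r'"C:\ProgramData\hook.exe" "%1" %*')                                # .exe hijack

if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(COMPROMISED):
        print("\n".join(report(diff_snapshots(BASELINE, COMPROMISED))))
```

On a host the loop is: take_snapshot(), compare its fingerprint with the stored one, and only when they differ run diff_snapshots() against the baseline loaded with load_snapshot() and forward report() lines. Re-baseline deliberately after approved changes, never automatically, or the scanner will quietly accept an attacker's modification as the new normal.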