Windows

The Windows application package consists of security analytics components that normalize Windows events so you can analyze Windows data. It includes the Syslog Collector-based Windows log source template, which ensures consistent collection, processing and analysis of Windows logs for precise security event analysis and reporting.

Logpoint aggregates and normalizes logs related to CPU, disk, memory, configuration, I/O, Active Directory (AD) and Domain Name System (DNS) from Windows systems so you can analyze the information through dashboards and security reports. The Windows dashboards visualize Windows events so you can monitor threat categories and malicious activity and identify gaps in your organization’s security coverage.

When Logpoint identifies threats, malware or malicious events that pose a potential risk to your environment, it triggers security alerts based on predefined alert rules. These automated alerts let you detect such events early and take corrective action against them. You can further customize the data and searches to perform in-depth analysis. DNSCompiledNormalizer is compatible with CNDP.
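The alert rules listed under Windows Components are shipped as Logpoint rules and this page does not show their query logic. As an added example (not Logpoint's own code or rule syntax), the following Python models three of those rules, LP_Windows Successful Brute Force Attack from Same Source, LP_Windows Failed Login Followed by Lockout Event and LP_Windows Multiple Unique Lockouts, as correlation logic over constructed Windows Security events (4625 failed logon, 4624 successful logon, 4740 account lockout). The field names `event_id`, `user`, `source_ip` and `ts`, the thresholds and the time windows are assumptions for illustration, not Logpoint's normalized field names or tuned defaults.

```python
"""Reference correlation logic for three Windows alert rules named on this page.
Added example: not Logpoint code. Field names, thresholds and windows are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized to dicts (not real log data).
# 4625 = failed logon, 4624 = successful logon, 4740 = account locked out.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "event_id": 4625, "user": "alice", "source_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:10", "event_id": 4625, "user": "alice", "source_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:20", "event_id": 4625, "user": "bob",   "source_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:30", "event_id": 4625, "user": "carol", "source_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:40", "event_id": 4625, "user": "dave",  "source_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:01:00", "event_id": 4624, "user": "dave",  "source_ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:05:00", "event_id": 4625, "user": "erin",  "source_ip": "10.0.0.9"},
    {"ts": "2024-05-01T09:05:30", "event_id": 4740, "user": "erin",  "source_ip": "10.0.0.9"},
    {"ts": "2024-05-01T10:00:00", "event_id": 4740, "user": "frank", "source_ip": "10.0.0.11"},
    {"ts": "2024-05-01T10:00:30", "event_id": 4740, "user": "grace", "source_ip": "10.0.0.12"},
    {"ts": "2024-05-01T10:01:00", "event_id": 4740, "user": "heidi", "source_ip": "10.0.0.13"},
    {"ts": "2024-05-01T14:00:00", "event_id": 4624, "user": "alice", "source_ip": "10.0.0.7"},
]


def _t(event):
    """Parse the ISO-8601 timestamp of an event."""
    return datetime.fromisoformat(event["ts"])


def brute_force_same_source(events, threshold=5, window=timedelta(minutes=10)):
    """Successful Brute Force Attack from Same Source (assumed logic):
    at least `threshold` failed logons (4625) from one source_ip within `window`,
    followed by a successful logon (4624) from that same source_ip.
    Counts failures across all target accounts, so a password spray that
    eventually lands also fires. Returns [(source_ip, user_that_succeeded)]."""
    failures = defaultdict(list)  # source_ip -> timestamps of 4625 events
    hits = []
    for e in sorted(events, key=_t):
        if e["event_id"] == 4625:
            failures[e["source_ip"]].append(_t(e))
        elif e["event_id"] == 4624:
            recent = [t for t in failures[e["source_ip"]] if _t(e) - t <= window]
            if len(recent) >= threshold:
                hits.append((e["source_ip"], e["user"]))
                failures[e["source_ip"]].clear()  # one alert per burst
    return hits


def failed_login_then_lockout(events, window=timedelta(minutes=5)):
    """Failed Login Followed by Lockout Event (assumed logic):
    a lockout (4740) for an account that had a failed logon (4625)
    within `window` before it. Returns the list of locked-out accounts."""
    last_failure = {}  # user -> timestamp of most recent 4625
    hits = []
    for e in sorted(events, key=_t):
        if e["event_id"] == 4625:
            last_failure[e["user"]] = _t(e)
        elif e["event_id"] == 4740:
            t = last_failure.get(e["user"])
            if t is not None and _t(e) - t <= window:
                hits.append(e["user"])
    return hits


def multiple_unique_lockouts(events, threshold=3, window=timedelta(minutes=10)):
    """Multiple Unique Lockouts (assumed logic): at least `threshold` distinct
    accounts locked out (4740) inside one sliding window. Returns the set of
    accounts in the first window that crosses the threshold, else an empty set."""
    lockouts = sorted((e for e in events if e["event_id"] == 4740), key=_t)
    for start in lockouts:
        users = {x["user"] for x in lockouts if timedelta(0) <= _t(x) - _t(start) <= window}
        if len(users) >= threshold:
            return users
    return set()


def run_all(events=SAMPLE_EVENTS):
    """Run every rule over the events and return the findings keyed by rule."""
    return {
        "brute_force_same_source": brute_force_same_source(events),
        "failed_login_then_lockout": failed_login_then_lockout(events),
        "multiple_unique_lockouts": multiple_unique_lockouts(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(f"{rule}: {findings}")
```

Against the constructed events the first rule fires for 10.0.0.5 (five failures across four accounts, then a success as `dave`), the second for `erin`, and the third for `frank`, `grace` and `heidi`; the lone 4624 for `alice` from 10.0.0.7 is not preceded by failures and stays quiet. Note the difference between counting per source and per account: the same 4625 burst would not trip a per-account rule such as LP_Windows Multiple Failed Attempts against a Single Account, because no single account exceeds two failures.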

You can configure Windows from Log Source Templates or Devices. We recommend using the log source template.

Supported Devices/Sources

These devices or sources record events in Windows Event Logs under event log channels such as DHCP-Server and DNS-Server, which you can find in the server’s Event Viewer under Applications and Services Logs > Microsoft > Windows.

  • Windows Server

  • Windows Vista

  • Windows DNS Server

  • Windows DHCP Server

  • Windows Server HyperV

  • Windows Server R2 HyperV

Windows Components

These are the package components included in Windows.

  1. Compiled Normalizers

    • ADFSNormalizer

    • DNSCompiledNormalizer

    • LPA_Windows

    • WindowsDHCPCompiledNormalizer

    • WindowsNPSCompiledNormalizer

    • WindowsSecurityAuditing

    • WindowsSysmonCompiledNormalizer

  2. Reports

    • LP_Windows Administrator Report

    • LP_Active Directory Report

    • LP_Windows Configuration Report

    • LP_Active Directory Authentication Requests

    • LP_Active Directory Object Management

    • LP_AD: User Authentication Requests

    • LP_AD: User Account Management

    • LP_AD: Security Group Management

    • LP_AD: Policy Changes

    • LP_AD: OU and GPO

    • LP_AD: Distribution Group Management

    • LP_AD: Critical User Activities

    • LP_AD: Computer Account Management

    • LP_AD: Service

    • LP_AD: Machine Authentication Requests

  3. Normalization Packages

    • LP_Microsoft Antimalware

    • LP_Microsoft Direct Access

    • LP_Windows Firewall

  4. Alerts

    • LP_Applocker Blocked Application Execution

    • LP_Applocker Detected File write by Process

    • LP_Possible Pass the Hash Activity Detected

    • LP_Windows Audit Logs Cleared

    • LP_Windows Authentication Policy Change

    • LP_Windows Block Inheritance on OU or Domain

    • LP_Windows Bulk Print at a Time

    • LP_Windows Data Copied to Removable Device

    • LP_Windows Delegation of Authority Change on OU or Domain

    • LP_Windows Directory Service State Change

    • LP_Windows Domain Policy Change (v43)

    • LP_Windows Excessive Amount of Files Copied to Removable Device

    • LP_Windows Failed Login Attempt Using Service Account

    • LP_Windows Failed Login Followed by Lockout Event

    • LP_Windows GPO Linked or Unlinked to OU or Domain

    • LP_Windows Group Created or Deleted

    • LP_Windows Group Policy Object Changes

    • LP_Windows Group Policy Object Creation

    • LP_Windows Group Policy Object Deletion

    • LP_Windows Logon Rights Changes

    • LP_Windows Multiple Account Password changes by User

    • LP_Windows Multiple Failed Attempts against a Single Account

    • LP_Windows Multiple Unique Lockouts

    • LP_Windows OU Creation

    • LP_Windows OU Deletion

    • LP_Windows Security Service Terminated

    • LP_Windows Successful Brute Force Attack from Same Source

    • LP_Windows Successful Brute Force Attack from Same User

    • LP_Windows User Account Change to End with Dollar Sign

    • LP_Windows User Account Created or Removed

    • LP_Windows User Account Created via Command Line

    • LP_Windows User Account was Created with a Dollar Sign

    • LP_Windows User Added or Remove from Group

    • LP_Windows User Added to Administrator Group

    • LP_Windows User Password Never Expires

    • LP_Windows User Removed from Administrator Group

    • LP_Windows User Rights Changes

    • LP_Windows Users Disabled

    • LP_Windows Users Enabled

    • LP_Windows WMI Filter Linked or Unlinked with GPO

    • LP_Windows unBlock Inheritance on OU or Domain

  5. Knowledge Base Lists

    • ADMINS

    • FILE_EXTENSIONS

    • LOGPOINT_GROUPS

  6. Dashboards

    • LP_AD: Computer Account Management

    • LP_AD: Critical User Activities

    • LP_AD: Distribution Group Management

    • LP_AD: Machine Authentication Requests

    • LP_AD: OU and GPO

    • LP_AD: Policy Changes

    • LP_AD: Security Group Management

    • LP_AD: Service

    • LP_AD: User Account Management

    • LP_AD: User Authentication Requests

    • LP_ADFS Auditing

    • LP_AppLocker

    • LP_Windows Antimalware

    • LP_Windows Authentication

    • LP_Windows BITS

    • LP_Windows Configuration

    • LP_Windows DHCP

    • LP_Windows DNS

    • LP_Windows File Auditing

    • LP_Windows Overview

    • LP_Windows Service Control Manager

    • LP_Windows Sysmon Overview

  7. Search Templates

    • LP_ADFS Issued Claim Identity

    • LP_Beaconing for Threat Hunting with Microsoft Sysmon

  8. Log Source Template

    • Windows

Go to Pre Configuration before installing or configuring Windows.

