Integrations - Windows
Version: 5.7.0 (latest)
Table of Contents
Windows
Pre Configuration
Configuring DHCP server
Installing DHCP server
Enable DHCP Audit Logging
Enable DHCP Admin and Operational Logging
Configuring DNS server
Installing DNS Server
Enable DNS Debug Logging
Enable DNS Audit Logging
Installing Windows
Uninstalling Windows
Configuring Windows
Using Log Source Template
Using Devices
Configuring a Repo for Windows
Adding a Normalization Policy for Windows
Configuring a Processing Policy for Windows
Adding Windows as a Device in Logpoint
Configuring the Syslog Collector for Windows
Configuring AgentX for Windows
Configuring the Logpoint Agent (Centralized) for Windows
Windows Analytics
Windows Dashboards
LP_AD: Computer Account Management
LP_AD: Critical User Activities
LP_AD: Distribution Group Management
LP_AD: Machine Authentication Requests
LP_AD: OU and GPO
LP_AD: Policy Changes
LP_AD: Security Group Management
LP_AD: Service
LP_AD: User Account Management
LP_AD: User Authentication Requests
LP_Windows Antimalware
LP_Windows Authentication
LP_Windows Configuration
LP_Windows DHCP
LP_Windows DNS
LP_Windows File Auditing
LP_Windows Overview
LP_Windows Sysmon Overview
LP_ADFS Auditing
LP_Windows BITS
LP_AppLocker
LP_Windows Service Control Manager
Adding the Windows Dashboard
Windows Alerts
LP_Possible Pass the Hash Activity Detected
LP_Windows Directory Service State Change
LP_Windows unBlock Inheritance on OU or Domain
LP_Windows Users Enabled
LP_Windows Group Policy Object Creation
LP_Windows User Password Never Expires
LP_Windows User Added to Administrator Group
LP_Windows OU Deletion
LP_Windows Successful Brute Force Attack from Same User
LP_Windows User Rights Changes
LP_Windows User Removed from Administrator Group
LP_Windows Block Inheritance on OU
LP_Windows Kerberos Pre-authentication failed
LP_Windows User Added or Remove from Group
LP_Windows Password Never Expires
LP_Windows User Account was Created with a Dollar Sign
LP_Windows Failed Login Followed by Lockout Event
LP_Windows Kerberos Service Ticket Request
LP_Windows Logon Rights Changes
LP_Windows Successful Remote Interactive Login
LP_Windows unBlock Inheritance on OU and Domain
LP_Windows Block Inheritance on OU and Domain
LP_Windows Failed Login Attempts using Disabled Account
LP_Windows Authentication Policy Change
LP_Windows Group Policy Object Changes
LP_Windows OU Creation
LP_Windows Multiple Unique Lockouts
LP_Windows Successful Brute Force Attack from Same Source
LP_Windows Possible Ransomware Detection
LP_Windows unBlock Inheritance on Domain
LP_Windows User Account Change to End with Dollar Sign
LP_Windows Users Disabled
LP_Windows Audit Logs Cleared
LP_Windows Data Copied to Removable Device
LP_Windows Bulk Print at a Time
LP_Windows Multiple Failed Attempts against a Single Account
LP_Windows Excessive Amount of Files Copied to Removable Device
LP_Windows Failed Login Attempt Using Service Account
LP_Windows User Account Created or Removed
LP_Windows Multiple Account Password Changes by User
LP_Windows Domain Policy Change
LP_Windows Group Created or Deleted
LP_Windows Group Policy Object Deletion
LP_AD Privesc CVE-2022-26923 Exploitation
LP_AppLocker SmartlockerFilter detected file being written by process
LP_Application Execution Attempt Blocked by AppLocker
LP_Curl Silent Mode Execution Detected
LP_Non-Existent User Login Attempt Detected
LP_Malicious Image Loaded Via Excel
LP_Execution of Temporary Files Via Office Application
LP_Binary Creation in System Folder Detected
LP_High Volume of File Modification or Deletion in Short Span
LP_Auditd High Volume of File Modification or Deletion in Short Span
LP_Windows RDP Port Modified
LP_Possible Pass the Hash Activity Detected
LP_Windows Block Inheritance on OU or Domain
LP_Windows Delegation of Authority Change on OU or Domain
LP_Windows GPO Linked or Unlinked to OU or Domain
LP_Windows Security Service Terminated
LP_Windows User Account Created via Command Line
LP_Windows WMI Filter Linked or Unlinked with GPO
Using Windows Report Templates
Vendor Field Map
Microsoft-Windows-Security-Auditing
Event ID: 4608
Event ID: 4610
Event ID: 4611
Event ID: 4614
Event ID: 4616
Event ID: 4622
Event ID: 4624
Event ID: 4625
Event ID: 4627
Event ID: 4634
Event ID: 4647
Event ID: 4648
Event ID: 4653
Event ID: 4656
Event ID: 4657
Event ID: 4658
Event ID: 4659
Event ID: 4660
Event ID: 4661
Event ID: 4662
Event ID: 4663
Event ID: 4664
Event ID: 4670
Event ID: 4672
Event ID: 4673
Event ID: 4674
Event ID: 4675
Event ID: 4688
Event ID: 4689
Event ID: 4690
Event ID: 4692
Event ID: 4695
Event ID: 4697
Event ID: 4698
Event ID: 4699
Event ID: 4700
Event ID: 4701
Event ID: 4702
Event ID: 4703
Event ID: 4704
Event ID: 4705
Event ID: 4713
Event ID: 4714
Event ID: 4716
Event ID: 4717
Event ID: 4718
Event ID: 4719
Event ID: 4720
Event ID: 4722
Event ID: 4723
Event ID: 4724
Event ID: 4725
Event ID: 4726
Event ID: 4727
Event ID: 4728
Event ID: 4729
Event ID: 4730
Event ID: 4731
Event ID: 4732
Event ID: 4733
Event ID: 4734
Event ID: 4735
Event ID: 4737
Event ID: 4738
Event ID: 4739
Event ID: 4740
Event ID: 4741
Event ID: 4742
Event ID: 4743
Event ID: 4744
Event ID: 4745
Event ID: 4746
Event ID: 4747
Event ID: 4748
Event ID: 4749
Event ID: 4750
Event ID: 4751
Event ID: 4752
Event ID: 4753
Event ID: 4754
Event ID: 4755
Event ID: 4756
Event ID: 4757
Event ID: 4758
Event ID: 4759
Event ID: 4760
Event ID: 4761
Event ID: 4762
Event ID: 4763
Event ID: 4764
Event ID: 4767
Event ID: 4768
Event ID: 4769
Event ID: 4770
Event ID: 4771
Event ID: 4774
Event ID: 4776
Event ID: 4778
Event ID: 4779
Event ID: 4780
Event ID: 4781
Event ID: 4785
Event ID: 4786
Event ID: 4787
Event ID: 4788
Event ID: 4793
Event ID: 4798
Event ID: 4799
Event ID: 4800
Event ID: 4817
Event ID: 4902
Event ID: 4904
Event ID: 4905
Event ID: 4907
Event ID: 4912
Event ID: 4928
Event ID: 4929
Event ID: 4930
Event ID: 4931
Event ID: 4932
Event ID: 4933
Event ID: 4944
Event ID: 4945
Event ID: 4946
Event ID: 4947
Event ID: 4948
Event ID: 4949
Event ID: 4950
Event ID: 4953
Event ID: 4954
Event ID: 4956
Event ID: 4957
Event ID: 4985
Event ID: 5024
Event ID: 5031
Event ID: 5033
Event ID: 5038
Event ID: 5056
Event ID: 5058
Event ID: 5059
Event ID: 5061
Event ID: 5136
Event ID: 5137
Event ID: 5139
Event ID: 5140
Event ID: 5141
Event ID: 5142
Event ID: 5143
Event ID: 5144
Event ID: 5145
Event ID: 5152
Event ID: 5154
Event ID: 5156
Event ID: 5157
Event ID: 5158
Event ID: 5169
Event ID: 5170
Event ID: 5440
Event ID: 5441
Event ID: 5442
Event ID: 5444
Event ID: 5446
Event ID: 5447
Event ID: 5448
Event ID: 5449
Event ID: 5450
Event ID: 5478
Event ID: 6144
Event ID: 6272
Event ID: 6273
Event ID: 6274
Event ID: 6278
Event ID: 6416
Microsoft-Windows-Winlogon
Event ID: 7001
Microsoft-Windows-RestartManager
Event ID: 10005
Microsoft-Windows-GroupPolicy
Event ID: 1502
Microsoft-Windows-TaskScheduler
Event ID: 129
PowerShell
Event ID: 300
Event ID: 800
Event ID: -
Microsoft-Windows-TerminalServices-Printers
Event ID: 1111
Microsoft-Windows-TerminalServices-LocalSessionManager
Event ID: 21
Event ID: 22
Event ID: 23
Event ID: 24
Event ID: 25
Event ID: 41
Event ID: 42
Event ID: 1101
Event ID: 1102
Event ID: 1103
Event ID: 1104
Event ID: 1105
MsiInstaller
Event ID: 1040
Event ID: 1042
Service Control Manager
Event ID: 7000
Event ID: 7034
Event ID: 7036
Event ID: 7040
Event ID: 7045
User32
Event ID: 1074
ADSync
Event ID: 6946
SceCli
Event ID: 1704
Microsoft-Windows-Eventlog
Event ID: 1100
Windows_Error_Reporting
Event ID: 1001
Microsoft-Windows-AppLocker
Event ID: 8002
Event ID: 8003
Event ID: 8005
Event ID: 8020
Microsoft-Windows-PrintService
Event ID: 300
Event ID: 306
Event ID: 307
Event ID: 310
Event ID: 603
Event ID: 800
Event ID: 801
Event ID: 802
Event ID: 805
Event ID: 812
Event ID: 842
DefaultJSONEventSource
Microsoft Windows Defender
Event ID: 1121
Event ID: 1126
Event ID: 1116
Event ID: 1117
Event ID: 5013
Event ID: 1121
Microsoft Windows Perflib
Event ID: 1008
Sysmon Remote Threat Creation
Event ID: 8
DNS Events
Event ID: -
Microsoft Windows WMI Activity
Event ID: 23
Windows BITS Client
Event ID: 3
Event ID: 5
Event ID: 59
Event ID: 60
Event ID: 4
Event ID: 209
Event ID: 16403
Microsoft Windows SMB Client
Event ID: 30804
ASP.NET
Event ID: 1309
NXLog Sample Configuration
Configuration of the Sources
Sysmon Configuration
Expected Log Samples
Windows Log Configuration Guide
Event Channel Configuration
Windows Audit Policy – Additional Resources
Windows Log Collection Setup
Logpoint
Event Channels Overview
Application Channel
System Channel
Security Channel
Audit Policy Configuration
Sysmon Channel
Scheduled Task
Audit Policy Configuration
PowerShell
AppLocker
Microsoft Defender
Recommended Windows Audit Policy
Logpoint Alerts Mapping