Windows

The Windows application consists of security analytics components that normalize Windows events so you can analyze Windows data in LogPoint. LogPoint aggregates and normalizes logs related to CPU, disk, memory, configuration, I/O, Active Directory (AD), and Domain Name System (DNS) from Windows systems so you can analyze the information through dashboards and security reports. The Windows dashboards visualize these events so you can monitor threat categories and malicious activity and identify gaps in your organization's security coverage. When LogPoint identifies threats, malware, or malicious events that pose a potential risk to your environment, it triggers security alerts based on predefined rules. These automated alerts help you detect such events early and take corrective action. Note that an alert can only fire on events that the Windows audit policy actually generates and that are forwarded to LogPoint, so verify that the relevant audit subcategories are enabled on the source systems. You can further customize the data and searches to perform in-depth analysis.

It consists of the following components:

  1. Dashboards

    • LP_AD: Computer Account Management

    • LP_AD: Critical User Activities

    • LP_AD: Distribution Group Management

    • LP_AD: Machine Authentication Requests

    • LP_AD: OU and GPO

    • LP_AD: Policy Changes

    • LP_AD: Security Group Management

    • LP_AD: Service

    • LP_AD: User Account Management

    • LP_AD: User Authentication Requests

    • LP_Windows Antimalware

    • LP_Windows Authentication

    • LP_Windows Configuration

    • LP_Windows DHCP

    • LP_Windows DNS

    • LP_Windows File Auditing

    • LP_Windows Overview

    • LP_Windows Sysmon Overview

    • LP_ADFS Auditing

    • LP_Windows BITS

    • LP_AppLocker

    • LP_Windows Service Control Manager

  2. Reports

    • LP_Windows Administrator Report

    • LP_Active Directory Authentication Requests

    • LP_Active Directory Object Management

    • LP_Active Directory Report

    • LP_Windows Configuration Report

    • LP_AD: Computer Account Management

    • LP_AD: Critical User Activities

    • LP_AD: Distribution Group Management

    • LP_AD: Machine Authentication Requests

    • LP_AD: OU and GPO

    • LP_AD: Policy Changes

    • LP_AD: Security Group Management

    • LP_AD: Service

    • LP_AD: User Account Management

    • LP_AD: User Authentication Requests

  3. Normalization Packages

    • LP_Microsoft Antimalware

    • LP_Microsoft Direct Access

    • LP_Windows Firewall

    • LP_DNS BIND

  4. Alerts

    • LP_Windows Users Enabled

    • LP_Windows Group Policy Object Creation

    • LP_Windows Unusual File Access

    • LP_Windows Unusual User Access to an Object

    • LP_Windows Possible Successful Lateral Movement using Pass the Hash

    • LP_Windows User Added to Administrator Group

    • LP_Windows unBlock Inheritance on OU

    • LP_Windows Delegation of Authority Change in OU

    • LP_Windows Registry Value Change

    • LP_Windows OU Deletion

    • LP_Windows Successful Brute Force Attack from Same User

    • LP_Windows User Rights Changes

    • LP_Windows Failed Login Attempt using an Expired Account

    • LP_Windows Registry Key Permission Change

    • LP_Windows Service State Change

    • LP_Windows User Account Lockout

    • LP_Windows User Removed from Administrator Group

    • LP_Windows Block Inheritance on OU

    • LP_Windows Kerberos Pre-authentication failed

    • LP_Windows User Added or Remove from Group

    • LP_Windows Authorization Policy Change

    • LP_Windows Password Never Expires

    • LP_Windows User Account was Created with a Dollar Sign

    • LP_Windows Critical File Access followed by Cloud App Usage

    • LP_Windows Failed Login Followed by Lockout Event

    • LP_Windows Security ACL on File Modified

    • LP_Windows Kerberos Service Ticket Request

    • LP_Windows Logon Rights Changes

    • LP_Windows Removable Storage Disconnected

    • LP_Windows Authentication on Windows DC

    • LP_Windows Successful Remote Interactive Login

    • LP_Windows unBlock Inheritance on OU and Domain

    • LP_Windows Block Inheritance on OU and Domain

    • LP_Windows Failed Login Attempts using Disabled Account

    • LP_Windows Authentication Policy Change

    • LP_Windows Group Policy Object Changes

    • LP_Windows OU Creation

    • LP_Windows User Added to Domain Enterprise Admin

    • LP_Windows Revocation of User Privileges detected

    • LP_Windows Multiple Unique Lockouts

    • LP_Windows Ownership of File Taken

    • LP_Windows Successful Brute Force Attack from Same Source

    • LP_Windows Permission Change on Critical Folder

    • LP_Windows User Removed from Domain Enterprise Admin

    • LP_Windows Failed Interactive User Logins Detected

    • LP_Windows Possible Ransomware Detection

    • LP_Windows GPO Linked Unlinked to OUs

    • LP_Windows unBlock Inheritance on Domain

    • LP_Windows Group Policy Object WMI Filter Changed

    • LP_Windows Account Creation followed by Group Add

    • LP_Windows Local User Management

    • LP_Windows User Account Change to End with Dollar Sign

    • LP_Windows Users Disabled

    • LP_Windows File Access

    • LP_Windows Delegation of Control Change in Domain

    • LP_Windows Audit Logs Cleared

    • LP_Windows Data Copied to Removable Device

    • LP_Windows Failed User Login Attempt

    • LP_Windows Bulk Print at a Time

    • LP_Windows Multiple Failed Attempts against a Single Account

    • LP_Windows Excessive Amount of Files Copied to Removable Device

    • LP_Windows CryptoAPI Spoofing Vulnerability Detected

    • LP_Windows Possible Failed Lateral Movement using Pass the Hash

    • LP_Windows Failed Login Attempt Using Service Account

    • LP_Windows Possible Successful PtH Lateral Movement followed by Audit Log Clear

    • LP_Windows Block Inheritance on Domain

    • LP_Windows User Account Created or Removed

    • LP_Windows Permission Change on Home Folder

    • LP_Windows Multiple Account Password changes by User

    • LP_Windows GPO Linked Unlinked for the Domain

    • LP_Windows Domain Policy Change

    • LP_Windows Member Added to or Removed from Group by Admin

    • LP_Windows Group Created or Deleted

    • LP_Windows Critical File Access

    • LP_Windows Failed Login Attempt using Locked Out Account

    • LP_Windows Group Policy Object Deletion

    • LP_Windows File Permission Change

    • LP_Windows Audit Policy Changes

    • LP_Windows Suspicious Creation of User Accounts

    • LP_Windows Multiple Password Changed by User

    • LP_Ngrok RDP Tunnel Detected

    • LP_Ngrok Execution

    • LP_AD Privesc CVE-2022-26923 Exploitation

    • LP_AppLocker SmartlockerFilter detected file being written by process

    • LP_Application Execution Attempt Blocked by AppLocker

  5. Knowledge Base Lists

    • LOGPOINT_GROUPS

    • ADMINS

    • FILE_EXTENSIONS

  6. Compiled Normalizers

    • WindowsSecurityAuditing

    • DNSCompiledNormalizer

    • LPA_Windows

    • WindowsNPSCompiledNormalizer

    • ADFSNormalizer

    • WindowsSysmonCompiledNormalizer

    • WindowsDHCPCompiledNormalizer

    • DNSCompiledNormalizerEU

  7. Search Templates

    • LP_ADFS Issued Claim Identity

    • LP_Beaconing for Threat Hunting with Microsoft Sysmon
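To show what "security alerts based on predefined rules" means in practice, here is an added example (not LogPoint's rule logic or code, and not from the original page) that implements three of the correlation patterns named in the alert list above as plain Python functions over constructed normalized Windows Security events. The field names, the ten-minute window and the failure threshold are assumptions made for the illustration; LogPoint alert rules are written in its own query language, and the real thresholds and windows are set per rule.

```python
"""Correlation rules of the kind the alert list above names, written as plain
Python over a constructed set of normalized Windows Security events.

Added illustration only: LogPoint's alerts are defined in its own query
language, and the field names used here (ts, event_id, user, source_ip,
member, group) are an assumed normalized schema, not LogPoint's. The event
IDs are the standard Windows Security Auditing ones: 4624 successful logon,
4625 failed logon, 4740 account locked out, 4720 user account created,
4728/4732/4756 member added to a global/local/universal group.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # assumed correlation window
GROUP_ADD_IDS = {4728, 4732, 4756}


def _ordered(events):
    """Return (timestamp, event) pairs in time order; the rules need sorted input."""
    return sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                  key=lambda pair: pair[0])


def failed_login_then_lockout(events, window=WINDOW):
    """Rule in the spirit of 'Failed Login Followed by Lockout Event': a 4740
    lockout preceded by at least one 4625 for the same account within `window`."""
    failures, hits = {}, []
    for t, e in _ordered(events):
        if e["event_id"] == 4625:
            failures.setdefault(e["user"], []).append(t)
        elif e["event_id"] == 4740:
            recent = [f for f in failures.get(e["user"], []) if t - f <= window]
            if recent:
                hits.append({"rule": "failed_login_then_lockout", "user": e["user"],
                             "failures": len(recent), "locked_at": e["ts"]})
    return hits


def account_created_then_group_add(events, window=WINDOW):
    """Rule in the spirit of 'Account Creation followed by Group Add': a 4720 for
    a new account followed within `window` by a group-add event naming that
    account as the member."""
    created, hits = {}, []
    for t, e in _ordered(events):
        if e["event_id"] == 4720:
            created[e["user"]] = t
        elif e["event_id"] in GROUP_ADD_IDS:
            since = created.get(e.get("member"))
            if since is not None and t - since <= window:
                hits.append({"rule": "account_created_then_group_add", "user": e["member"],
                             "group": e.get("group"), "added_at": e["ts"]})
    return hits


def brute_force_from_same_source(events, threshold=5, window=WINDOW):
    """Rule in the spirit of 'Successful Brute Force Attack from Same Source':
    at least `threshold` 4625s from one source_ip within `window`, then a 4624
    from that source. Failures are cleared after a hit so one attack fires once."""
    failures, hits = {}, []
    for t, e in _ordered(events):
        src = e.get("source_ip")
        if e["event_id"] == 4625 and src:
            failures.setdefault(src, []).append(t)
        elif e["event_id"] == 4624 and src:
            recent = [f for f in failures.get(src, []) if t - f <= window]
            if len(recent) >= threshold:
                hits.append({"rule": "brute_force_from_same_source", "source_ip": src,
                             "failures": len(recent), "user": e["user"], "logon_at": e["ts"]})
                failures[src] = []
    return hits


def run_all(events):
    """Run every rule and return the combined list of hits."""
    return (failed_login_then_lockout(events)
            + account_created_then_group_add(events)
            + brute_force_from_same_source(events))


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # three failures for alice, then the lockout -> one hit
    {"ts": "2024-03-01T09:00:00", "event_id": 4625, "user": "alice", "source_ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:10", "event_id": 4625, "user": "alice", "source_ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:20", "event_id": 4625, "user": "alice", "source_ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:30", "event_id": 4740, "user": "alice", "source_ip": "10.0.0.5"},
    # password spray from 10.0.0.9: five failures across accounts, then success as bob
    {"ts": "2024-03-01T09:05:00", "event_id": 4625, "user": "bob", "source_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:05:05", "event_id": 4625, "user": "carol", "source_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:05:10", "event_id": 4625, "user": "dave", "source_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:05:15", "event_id": 4625, "user": "bob", "source_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:05:20", "event_id": 4625, "user": "bob", "source_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:06:00", "event_id": 4624, "user": "bob", "source_ip": "10.0.0.9"},
    # new account added to Administrators a minute after creation -> one hit
    {"ts": "2024-03-01T10:00:00", "event_id": 4720, "user": "svc-backup2", "source_ip": None},
    {"ts": "2024-03-01T10:01:00", "event_id": 4732, "member": "svc-backup2", "group": "Administrators"},
    # long-standing account added to a group: no creation in the window, no hit
    {"ts": "2024-03-01T10:02:00", "event_id": 4732, "member": "carol", "group": "Administrators"},
    # lockout hours after the last failure for dave: outside the window, no hit
    {"ts": "2024-03-01T12:00:00", "event_id": 4740, "user": "dave", "source_ip": "10.0.0.7"},
]

if __name__ == "__main__":
    for hit in run_all(SAMPLE_EVENTS):
        print(hit)
```

Running the file prints the three hits from the constructed data and nothing for the two negative cases. The check the example makes visible is that each rule depends on a specific audit subcategory being enabled on the source (for example Audit Account Lockout for 4740 and Audit Security Group Management for 4728/4732/4756): if the event is never generated, the alert never fires, however good the rule.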

