Version:

Windows

Windows consists of security analytics components that normalize Windows events, which enables you to analyze Windows data. Logpoint aggregates and normalizes logs related to CPU, disk, memory, configuration, I/O, Active Directory (AD) and Domain Name Server (DNS) from Windows systems so you can analyze the information through dashboards and security reports. Windows dashboards visualize the Windows event enabling you to monitor threat categories, malicious activities and identify gaps in the security coverage of your organization.

When Logpoint identifies threats, malware, or malicious events with a potential risk to your environment, it triggers security alerts based on predetermined rules. The automated alerts enable you to detect potential threats, malware or malicious events early, and take corrective actions against them. You can further customize the data and searches to perform in-depth analysis.

DNSCompiledNormalizer is compatible with CNDP.

Supported Devices/Sources

These are the devices or sources that record events in Windows Event Logs under eventlog channels like DHCP-Server and DNS-Server which you can find in your server’s Event Viewer.

>>>>>>> b2adaab5623df7e2ea0b644030da33a7768a3dda + Windows DHCP Server + Windows DNS Server + Windows Server + Windows Server HyperV + Windows Server R2 HyperV + Windows Vista

Windows Components

These are the Knowledge Base (KB) components included in Windows v5.5.0.

  1. Compiled Normalizers

    • ADFSNormalizer

    • DNSCompiledNormalizer

    • LPA_Windows

    • WindowsDHCPCompiledNormalizer

    • WindowsNPSCompiledNormalizer

    • WindowsSecurityAuditing

    • WindowsSysmonCompiledNormalizer

  2. Reports

    • LP_Active Directory Authentication Requests

    • LP_Active Directory Object Management

    • LP_Active Directory Report

    • LP_AD: Computer Account Management

    • LP_AD: Critical User Activities

    • LP_AD: Distribution Group Management

    • LP_AD: Machine Authentication Requests

    • LP_AD: OU and GPO

    • LP_AD: Policy Changes

    • LP_AD: Security Group Management

    • LP_AD: Service

    • LP_AD: User Account Management

    • LP_AD: User Authentication Requests

    • LP_Windows Administrator Report

    • LP_Windows Configuration Report

  3. Normalization Packages

    • LP_DNS BIND

    • LP_Microsoft Antimalware

    • LP_Microsoft Direct Access

    • LP_Windows Firewall

  4. Alerts

    • LP_AD Privesc CVE-2022-26923 Exploitation

    • LP_Application Execution Attempt Blocked by AppLocker

    • LP_AppLocker SmartlockerFilter detected file being written by process

    • LP_Ngrok Execution

    • LP_Ngrok RDP Tunnel Detected

    • LP_Windows Account Creation followed by Group Add

    • LP_Windows Audit Logs Cleared

    • LP_Windows Audit Policy Changes

    • LP_Windows Authentication on Windows DC

    • LP_Windows Authentication Policy Change

    • LP_Windows Authorization Policy Change

    • LP_Windows Block Inheritance on Domain

    • LP_Windows Block Inheritance on OU

    • LP_Windows Block Inheritance on OU and Domain

    • LP_Windows Bulk Print at a Time

    • LP_Windows Critical File Access

    • LP_Windows Critical File Access followed by Cloud App Usage

    • LP_Windows CryptoAPI Spoofing Vulnerability Detected

    • LP_Windows Data Copied to Removable Device

    • LP_Windows Delegation of Authority Change in OU

    • LP_Windows Delegation of Control Change in Domain

    • LP_Windows Domain Policy Change

    • LP_Windows Excessive Amount of Files Copied to Removable Device

    • LP_Windows Failed Interactive User Logins Detected

    • LP_Windows Failed Login Attempt using an Expired Account

    • LP_Windows Failed Login Attempt using Locked Out Account

    • LP_Windows Failed Login Attempt Using Service Account

    • LP_Windows Failed Login Attempts using Disabled Account

    • LP_Windows Failed Login Followed by Lockout Event

    • LP_Windows Failed User Login Attempt

    • LP_Windows File Access

    • LP_Windows File Permission Change

    • LP_Windows GPO Linked Unlinked for the Domain

    • LP_Windows GPO Linked Unlinked to OUs

    • LP_Windows Group Created or Deleted

    • LP_Windows Group Policy Object Changes

    • LP_Windows Group Policy Object Creation

    • LP_Windows Group Policy Object Deletion

    • LP_Windows Group Policy Object WMI Filter Changed

    • LP_Windows Kerberos Pre-authentication failed

    • LP_Windows Kerberos Service Ticket Request

    • LP_Windows Local User Management

    • LP_Windows Logon Rights Changes

    • LP_Windows Member Added to or Removed from Group by Admin

    • LP_Windows Multiple Account Password changes by User

    • LP_Windows Multiple Failed Attempts against a Single Account

    • LP_Windows Multiple Password Changed by User

    • LP_Windows Multiple Unique Lockouts

    • LP_Windows OU Creation

    • LP_Windows OU Deletion

    • LP_Windows Ownership of File Taken

    • LP_Windows Password Never Expires

    • LP_Windows Permission Change on Critical Folder

    • LP_Windows Permission Change on Home Folder

    • LP_Windows Possible Failed Lateral Movement using Pass the Hash

    • LP_Windows Possible Ransomware Detection

    • LP_Windows Possible Successful Lateral Movement using Pass the Hash

    • LP_Windows Possible Successful PtH Lateral Movement followed by Audit Log Clear

    • LP_Windows Registry Key Permission Change

    • LP_Windows Registry Value Change

    • LP_Windows Removable Storage Disconnected

    • LP_Windows Revocation of User Privileges detected

    • LP_Windows Security ACL on File Modified

    • LP_Windows Service State Change

    • LP_Windows Successful Brute Force Attack from Same Source

    • LP_Windows Successful Brute Force Attack from Same User

    • LP_Windows Successful Remote Interactive Login

    • LP_Windows Suspicious Creation of User Accounts

    • LP_Windows unBlock Inheritance on Domain

    • LP_Windows unBlock Inheritance on OU

    • LP_Windows unBlock Inheritance on OU and Domain

    • LP_Windows Unusual File Access

    • LP_Windows Unusual User Access to an Object

    • LP_Windows User Account Change to End with Dollar Sign

    • LP_Windows User Account Created or Removed

    • LP_Windows User Account Lockout

    • LP_Windows User Account was Created with a Dollar Sign

    • LP_Windows User Added or Remove from Group

    • LP_Windows User Added to Administrator Group

    • LP_Windows User Added to Domain Enterprise Admin

    • LP_Windows User Removed from Administrator Group

    • LP_Windows User Removed from Domain Enterprise Admin

    • LP_Windows User Rights Changes

    • LP_Windows Users Disabled

    • LP_Windows Users Enabled

  5. Knowledge Base Lists

    • ADMINS

    • FILE_EXTENSIONS

    • LOGPOINT_GROUPS

  6. Dashboards

    • LP_AD: Computer Account Management

    • LP_AD: Critical User Activities

    • LP_AD: Distribution Group Management

    • LP_AD: Machine Authentication Requests

    • LP_AD: OU and GPO

    • LP_AD: Policy Changes

    • LP_AD: Security Group Management

    • LP_AD: Service

    • LP_AD: User Account Management

    • LP_AD: User Authentication Requests

    • LP_ADFS Auditing

    • LP_AppLocker

    • LP_Windows Antimalware

    • LP_Windows Authentication

    • LP_Windows BITS

    • LP_Windows Configuration

    • LP_Windows DHCP

    • LP_Windows DNS

    • LP_Windows File Auditing

    • LP_Windows Overview

    • LP_Windows Service Control Manager

    • LP_Windows Sysmon Overview

  7. Search Templates

    • LP_ADFS Issued Claim Identity

    • LP_Beaconing for Threat Hunting with Microsoft Sysmon

Go to Pre Configuration before installing or configuring Windows.

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support