Version:

Windows

Windows consists of security analytics components that normalize Windows events, which enables you to analyze Windows data. It includes the Syslog Collector based Windows log source template, which ensure consistency in collecting, processing and analyzing Windows logs for precise security event analysis and reporting.

Logpoint aggregates and normalizes logs related to CPU, disk, memory, configuration, I/O, Active Directory (AD) and Domain Name Server (DNS) from Windows systems so you can analyze the information through dashboards and security reports. Windows dashboards visualizes of the Windows event enabling you to monitor threat categories, malicious activities and identify gaps in your organization’s security coverage.

When Logpoint identifies threats, malware or malicious events with a potential risk to your environment, it triggers security alerts based on predetermined alert rules. The automated alerts enable you to detect potential threats, malware or malicious events early and take corrective actions against them. You can further customize the data and searches to perform in-depth analysis. DNSCompiledNormalizer is compatible with CNDP.

You can configure Windows from Log Source Templates or Devices. We recommend using the log source template.

Supported Devices/Sources

These are the devices or sources that record events in Windows Event Logs under eventlog channels like DHCP-Server and DNS-Server which you can find in your server’s Event Viewer.

  • Windows Server

  • Windows Vista

  • Windows DNS Server

  • Windows DHCP Server

  • Windows Server HyperV

  • Windows Server R2 HyperV

Windows Components

These are the package components included in Windows.

  1. Compiled Normalizers

    • ADFSNormalizer

    • DNSCompiledNormalizer

    • DNSCompiledNormalizerEU

    • LPA_Windows

    • WindowsDHCPCompiledNormalizer

    • WindowsNPSCompiledNormalizer

    • WindowsSecurityAuditing

    • WindowsSysmonCompiledNormalizer

  2. Reports

    • LP_Windows Administrator Report

    • LP_Active Directory Report

    • LP_Windows Configuration Report

    • LP_Active Directory Authentication Requests

    • LP_Active Directory Object Management

    • LP_AD: User Authentication Requests

    • LP_AD: User Account Management

    • LP_AD: Security Group Management

    • LP_AD: Policy Changes

    • LP_AD: OU and GPO

    • LP_AD: Distribution Group Management

    • LP_AD: Critical User Activities

    • LP_AD: Computer Account Management

    • LP_AD: Service

    • LP_AD: Machine Authentication Requests

  3. Normalization Packages

    • LP_Microsoft Antimalware

    • LP_Microsoft Antimalware

    • LP_Microsoft Direct Access

    • LP_Windows Firewall

  4. Alerts

    • LP_Applocker Blocked Application Execution

    • LP_Applocker Detected File write by Process

    • LP_Windows Account Creation followed by Group Add

    • LP_Windows Audit Logs Cleared

    • LP_Windows Audit Policy Changed

    • LP_Windows Authentication Policy Change

    • LP_Windows Authentication on Windows DC

    • LP_Windows Authorization Policy Change

    • LP_Windows Block Inheritance on Domain

    • LP_Windows Block Inheritance on OU

    • LP_Windows Block Inheritance on OU and Domain

    • LP_Windows Bulk Print at a Time

    • LP_Windows Critical File Access

    • LP_Windows Critical File Access followed by Cloud App Usage

    • LP_Windows CryptoAPI Spoofing Vulnerability Detected

    • LP_Windows Data Copied to Removable Device

    • LP_Windows Delegation of Authority Change in OU

    • LP_Windows Delegation of Control Change in Domain

    • LP_Windows Domain Policy Change

    • LP_Windows Excessive Amount of Files Copied to Removable Device

    • LP_Windows Failed Interactive User Logins Detected

    • LP_Windows Failed Login Attempt Using Service Account

    • LP_Windows Failed Login Attempt using Locked Out Account

    • LP_Windows Failed Login Attempt using an Expired Account

    • LP_Windows Failed Login Followed by Lockout Event

    • LP_Windows Failed User Login Attempt

    • LP_Windows File Permission Change

    • LP_Windows GPO Linked Unlinked for the Domain

    • LP_Windows GPO Linked Unlinked to OUs

    • LP_Windows Group Created or Deleted

    • LP_Windows Group Policy Object Changes

    • LP_Windows Group Policy Object Creation

    • LP_Windows Group Policy Object Deletion

    • LP_Windows Group Policy Object WMI Filter Changed

    • LP_Windows Logon Rights Changes

    • LP_Windows Member Added to or Removed from Group by Admin

    • LP_Windows Multiple Account Password changes by User

    • LP_Windows Multiple Failed Attempts against a Single Account

    • LP_Windows Multiple Password Changed by User

    • LP_Windows Multiple Unique Lockouts

    • LP_Windows OU Creation

    • LP_Windows OU Deletion

    • LP_Windows Ownership of File Taken

    • LP_Windows Permission Change on Critical Folder

    • LP_Windows Permission Change on Home Folder

    • LP_Windows Possible Failed Lateral Movement using Pass the Hash

    • LP_Windows Possible Successful Lateral Movement using Pass the Hash

    • LP_Windows Possible Successful PtH Lateral Movement followed by Audit Log Clear

    • LP_Windows Registry Key Permission Change

    • LP_Windows Registry Value Change

    • LP_Windows Removable Storage Disconnected

    • LP_Windows Revocation of User Privileges detected

    • LP_Windows Security ACL on File Modified

    • LP_Windows Service State Change

    • LP_Windows Successful Brute Force Attack from Same Source

    • LP_Windows Successful Brute Force Attack from Same User

    • LP_Windows Suspicious Creation of User Accounts

    • LP_Windows Unusual File Access

    • LP_Windows Unusual User Access to an Object

    • LP_Windows User Account Change to End with Dollar Sign

    • LP_Windows User Account Created or Removed

    • LP_Windows User Account Lockout

    • LP_Windows User Account was Created with a Dollar Sign

    • LP_Windows User Added or Remove from Group

    • LP_Windows User Added to Administrator Group

    • LP_Windows User Added to Domain Enterprise Admin

    • LP_Windows User Password Never Expires

    • LP_Windows User Removed from Administrator Group

    • LP_Windows User Removed from Domain Enterprise Admin

    • LP_Windows User Rights Changes

    • LP_Windows Users Disabled

    • LP_Windows Users Enabled

    • LP_Windows unBlock Inheritance on OU or Domain

  5. Knowledge Base Lists

    • ADMINS

    • FILE_EXTENSIONS

    • LOGPOINT_GROUPS

  6. Dashboards

    • LP_AD: Computer Account Management

    • LP_AD: Critical User Activities

    • LP_AD: Distribution Group Management

    • LP_AD: Machine Authentication Requests

    • LP_AD: OU and GPO

    • LP_AD: Policy Changes

    • LP_AD: Security Group Management

    • LP_AD: Service

    • LP_AD: User Account Management

    • LP_AD: User Authentication Requests

    • LP_ADFS Auditing

    • LP_AppLocker

    • LP_Windows Antimalware

    • LP_Windows Authentication

    • LP_Windows BITS

    • LP_Windows Configuration

    • LP_Windows DHCP

    • LP_Windows DNS

    • LP_Windows File Auditing

    • LP_Windows Overview

    • LP_Windows Service Control Manager

    • LP_Windows Sysmon Overview

  7. Search Templates

    • LP_ADFS Issued Claim Identity

    • LP_Beaconing for Threat Hunting with Microsoft Sysmon

  8. Log Source Template

    • Windows

Go to Pre Configuration before installing or configuring Windows.

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support