Analytics & Use Cases

After Logpoint ingests your logs, you can:

  • Use Windows Search Templates to access and view events.

  • Access and view events through Windows Dashboards.

  • Set up Alerts to automatically trigger a SIEM incident.

  • Set up Windows Reports.


Search Templates

Search Templates are GUI-based search queries that use base queries or placeholders filled in at runtime. You can add multiple base queries to a search template and use them to run search queries or create dashboard widgets.

Logpoint provides the following search templates out-of-the-box:

  • LP_ADFS Issued Claim Identity

  • LP_Beaconing for Threat Hunting with Microsoft Sysmon

Use Search Templates:

1

Open Search Templates

Go to Settings >> Knowledge Base from the navigation bar and click Search Templates.

2

Select Vendor Templates

Select VENDOR SEARCH TEMPLATES from the drop-down and find the Windows Search Templates you want to use.

3

Update Parameters

Under Update Parameters, enter the required parameter(s):

  • Select Override widget time range to set a time range.

  • Select Repos.

  • Click Update.

After the update, the widgets start populating with results and Logpoint redirects you to the Search Template View, where you can access the search template's dashboards.


Windows Dashboards

Logpoint provides 22 out-of-the-box Windows dashboards. Each dashboard shows a different slice of your Windows data, depending on the logs you collect and what you want to see.

LP_AD: Computer Account Management

Widgets available in the LP_AD: Computer Account Management dashboard provide details of Audit Computer Account Management events.

Widget Name
Description

Top 10 Users in Computer Account Management

The top 10 users or computers (domain controllers, member servers or workstations) that performed Computer Account Management actions.

Computer Account Management Overview

Details of events generated when a computer account is created, changed or deleted based on user, domain, actions and computer.

Top 10 Computers in Computer Account Management

The top 10 computer accounts that were created, modified or deleted in Computer Account Management.

Top 10 Actions by Users in Computer Account Management

An overview of the top 10 user actions, such as when a computer account was created, deleted, or changed.

Top 10 Actions in Computer Account Management - Time Trend

A time trend of top 10 Computer Account Management actions from the last 24 hours, involving computer account created, changed or deleted.

Computer Account Management

A detailed overview of account-related actions to computers that are a member of domains. The computer account related actions include computer account created, deleted, or changed.

LP_AD: Critical User Activities

Widgets available in the LP_AD: Critical User Activities dashboard provide details of users added, removed, enabled, disabled, or created in Active Directory Security Groups.

Widget Name
Description

Users Added to Administrator Group

Users added to a Windows administrative group (Domain Admins, Enterprise Admins, Schema Admins, and DNSAdmins). Microsoft event ID: 4728. Note that event 4728 covers security-enabled global groups only; additions to domain-local (4732) and universal (4756) groups are logged under separate event IDs.

Users Removed from Administrator Group

Users removed from the Windows administrative group. Microsoft event ID: 4729.

Users Disabled

User accounts that were disabled. Microsoft event ID: 4725.

Users Enabled

User accounts that were enabled. Microsoft event ID: 4722.

Password Never Expires

User accounts changed so that the password never expires. Microsoft event ID: 4738 (a user account was changed).

Users Created with a $

Usernames created starting with a dollar sign ($) in Active Directory.

Users Changed to End with $

Usernames changed to end with a dollar sign ($) in Active Directory. Computer account names end with $, so a user account renamed this way may be masquerading as a machine account.

User Added to a LogPoint Group in Active Directory

Users added to a LogPoint group in Active Directory (the groups defined in the LOGPOINT_GROUPS knowledge base list).

User Removed from a LogPoint Group in Active Directory

Users removed from a LogPoint group in Active Directory.

LP_AD: Distribution Group Management

Widgets available in the LP_AD: Distribution Group Management dashboard provide details of users or groups in Active Directory Distribution Group Management.

Widget Name
Description

Top 10 Users in Distribution Group Management

The top 10 users in the Distribution Groups lists.

Top 10 Groups in Distribution Group Management

The top 10 groups in the Distribution Groups lists.

Top 10 Actions by Users in Distribution Group Management

The top 10 actions (added, removed, created, changed, deleted) in Distribution Groups.

Distribution Group Management Overview

Distribution Groups based on group members, actions, objects and users.

Distribution Group Management

Distribution Groups based on log timestamp, path, group members, actions, objects and users.

Actions in Distribution Group Management - Time Trend

A time trend of actions performed on users or devices in the Distribution Group within the last 24 hours.

LP_AD: Machine Authentication Requests

Widgets provide details of machines or services authenticated by Kerberos.

Widget Name
Description

Top 10 Machines in Successful Kerberos Authentication

Top machines/services successfully authenticated by Kerberos.

Top 10 Machines in Failed Kerberos Authentication

Top machines/services that failed Kerberos authentication.

Machines in Successful Kerberos Authentication

Machines/services successfully authenticated based on user, source address and pre-authentication type.

Machines in Failed Kerberos Authentication

Machines/services that failed Kerberos authentication, based on user, source address, failure reason and pre-authentication type.

Attempts by Machine per IP: Revoked Credentials

Kerberos pre-authentication failures for clients whose credentials were revoked (account disabled, expired, locked out, or outside permitted logon hours).

Attempts by Machine per IP: Expired Password

Kerberos pre-authentication failures caused by an expired password.

Attempts by Machine per IP: Client Not Found in Krb DB

Kerberos pre-auth failed as client not found in Kerberos DB.
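The three "Attempts by Machine per IP" widgets above are buckets of Kerberos error codes grouped by client address. The following is an added example, not Logpoint code or its widget queries, that bucket-sorts constructed Windows 4768/4771 events the same way; the field names (event_id, account, client_address, code) are assumptions standing in for Logpoint's normalized fields.

```python
"""Bucket failed Kerberos authentications by error code and client address, as the
LP_AD: Machine Authentication Requests widgets do. Added example; field names are
assumptions, and the events below are constructed."""
from collections import Counter, defaultdict

# Kerberos error codes (RFC 4120) as Windows writes them into the Result Code field
# of event 4768 (TGT request) and the Failure Code field of event 4771
# (pre-authentication failed). Which event carries the code depends on how far the
# exchange got: an unknown principal is rejected in 4768 before pre-authentication
# starts, so "client not found" shows up in 4768 rather than 4771.
FAILURE_BUCKETS = {
    "0x6": "Client Not Found in Krb DB",   # KDC_ERR_C_PRINCIPAL_UNKNOWN
    "0x12": "Revoked Credentials",         # KDC_ERR_CLIENT_REVOKED: disabled, expired, locked out, logon hours
    "0x17": "Expired Password",            # KDC_ERR_KEY_EXPIRED
    "0x18": "Bad Password",                # KDC_ERR_PREAUTH_FAILED; not a widget on the page, but the most common code
}

# Constructed sample events. Windows logs IPv4 client addresses as IPv4-mapped IPv6
# (::ffff:a.b.c.d); that form is reproduced so the address normalisation is exercised.
SAMPLE_EVENTS = [
    {"event_id": 4771, "account": "WS-042$", "client_address": "::ffff:10.0.5.42", "code": "0x18"},
    {"event_id": 4771, "account": "WS-042$", "client_address": "::ffff:10.0.5.42", "code": "0x17"},
    {"event_id": 4768, "account": "disabled.svc", "client_address": "::ffff:10.0.9.7", "code": "0x12"},
    {"event_id": 4768, "account": "disabled.svc", "client_address": "::ffff:10.0.9.7", "code": "0x12"},
    {"event_id": 4768, "account": "nosuchuser", "client_address": "::ffff:10.0.9.7", "code": "0x6"},
    {"event_id": 4768, "account": "WS-042$", "client_address": "::ffff:10.0.5.42", "code": "0x0"},  # success: TGT issued
    {"event_id": 4771, "account": "svc_backup", "client_address": "fe80::1c2a:9f0e", "code": "0x17"},
]


def normalize_address(addr):
    """Strip the ::ffff: prefix so IPv4 clients group under their plain address."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def failures_by_bucket(events):
    """Return {bucket: Counter(client_address -> attempts)} for failed Kerberos
    authentications: any 4771, or a 4768 whose result code is not 0x0 (success).
    Codes outside FAILURE_BUCKETS land in an 'Other' bucket instead of being dropped."""
    buckets = defaultdict(Counter)
    for ev in events:
        if ev["event_id"] not in (4768, 4771):
            continue
        if ev["event_id"] == 4768 and ev["code"] == "0x0":
            continue  # successful TGT request, counted by the "Successful" widgets instead
        bucket = FAILURE_BUCKETS.get(ev["code"].lower(), "Other")
        buckets[bucket][normalize_address(ev["client_address"])] += 1
    return buckets


def top_machines(buckets, bucket, n=10):
    """One 'Attempts by Machine per IP' widget: (address, attempts) pairs, highest first."""
    return buckets[bucket].most_common(n)


if __name__ == "__main__":
    result = failures_by_bucket(SAMPLE_EVENTS)
    for name, counter in sorted(result.items()):
        print(f"{name}: {dict(counter)}")
```

Running it prints one line per bucket; the disabled service account's two 0x12 rejections and the unknown principal's 0x6 both come from 10.0.9.7, which is the pattern the per-IP widgets exist to surface.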

LP_AD: OU and GPO

Widgets provide details of Organizational Unit (OU) and Group Policy Object (GPO).

Widget Name
Description

Group Policy Object Creation

GPO created. Microsoft event ID: 5137.

Group Policy Object Deletion

GPO deleted. Microsoft event ID: 5141.

Group Policy Object Linked/Unlinked or Enforced/Unenforced or Link Enabled/Disabled to OUs

GPO link/unlink/enforce events. Microsoft event ID: 5136.

Group Policies Updated

GPO updated. Microsoft event ID: 5136.

Block Inheritance on an OU

Inheritance set to block/unblock on an OU. Microsoft event ID: 5136.

Group Policy Updated on Computers

gpupdate events. Microsoft event ID: 1704.

Group Policy Object Linked/Unlinked or Enforced/Unenforced or Link Enabled/Disabled for the Domain

GPO linked/unlinked for domain. Microsoft event ID: 5136.

Block Inheritance on the Domain

Inheritance set on domain. Microsoft event ID: 5136.

Delegation of Authority or ACL Change on an OU

ACL changed on an OU. Microsoft event ID: 5136.

Delegation of Control or ACL Change on the Domain

ACL changed on domain. Microsoft event ID: 5136.

OU Deletion

OU deleted. Microsoft event ID: 5141.

OU Creation

OU created. Microsoft event ID: 5137.

Failed Group Policy Update on Computers

Failed gpupdate runs. Microsoft event ID: 1704. Note that SceCli event 1704 records a successful application of security policy, so check this widget's event filter against your own Group Policy logs.

LP_AD: Policy Changes

Widgets provide details on Active Directory audit policy, user rights, logon rights and domain policy.

Widget Name
Description

Audit Policy Changes

Changed audit policies. Microsoft event ID: 4719.

User Rights Changes

Changed user rights. Microsoft event IDs: 4704 and 4705.

Logon Rights Changes

Changed logon rights. Microsoft event IDs: 4717 and 4718.

Domain Policy Change - List

Changed default domain policy. Microsoft event ID: 4739.

LP_AD: Security Group Management

Widgets keep track of security-enabled group activities.

Widget Name
Description

Top 10 Users in Security Group Management

Top 10 users in a security-enabled group.

Top 10 Groups in Security Group Management

Top 10 security-enabled groups.

Top 10 Actions by Users in Security Group Management

Top 10 actions performed by users in a security-enabled group.

Security Group Management

Security-enabled group based on timestamp, users, domains, actions, objects, and groups.

Actions Security Group Management

Actions performed in a security-enabled group.

Security Group Creation

Created security groups.

Security Group Deletion

Deleted security-enabled groups.

Users Added Security Groups

Users added to a security-enabled group.

Users Removed from Security Groups

Users removed from a security-enabled group.

Top 10 Users in Group Creation

Top 10 users in security group creation.

Top 10 Users in Group Deletion

Top 10 users in security group deletion.

Top 10 Users in Adding Users to Groups

Top 10 users that added users to security-enabled groups.

Top Users in Removing Users from Groups

Top 10 users that removed users from security-enabled groups.

Other Windows dashboards

  • LP_Windows Service

  • LP_Windows Antimalware

  • LP_Windows Authentication

  • LP_Windows Configuration

  • LP_Windows DHCP

  • LP_Windows DNS

  • LP_Windows File Auditing

  • LP_Windows Overview

  • LP_Windows Sysmon Overview

  • LP_ADFS Auditing

  • LP_Windows BITS

  • LP_AppLocker

  • LP_Windows Service Control Manager

Each of these dashboards contains widgets for event types, time trends, top items, status and lists; their full widget tables are not reproduced on this page.


Adding Windows Dashboards

1

Open Dashboards

Go to Settings >> Knowledge Base from the navigation bar and click Dashboards.

2

Select Vendor Dashboards

Select VENDOR DASHBOARD from the drop-down.

3

Use a Dashboard

Click the Use icon from Actions of the required dashboard.

4

Choose Repos

Click Choose Repos, select the repo configured to store the Windows logs and click Done.

5

Finalize

Select the dashboard and click OK. The added Windows dashboards appear under Dashboards.


Windows Alerts

Logpoint ships a large set of Windows alert rules. Each rule has a Trigger Condition, ATT&CK Category, Tag and ID, a Minimum Log Source Requirement, and a Query. Several of the rules are listed below with their metadata; the query bodies are not reproduced on this page.

LP_Windows Users Enabled

  • Trigger Condition: A user is enabled (event ID 4722).

  • ATT&CK Category: Credential Access, Persistence, Execution, Defense Evasion

  • ATT&CK Tag: Account Manipulation, User Execution, Abuse Elevation Control Mechanism, Bypass User Access Control

  • ATT&CK ID: T1098, T1204, T1548

  • Minimum Log Source Requirement: Windows

Query:

LP_Windows Group Policy Object Creation

  • Trigger Condition: Creation of a Group Policy Object.

  • ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation

  • ATT&CK ID: T1098, T1484, T1548, T1212, T1068

  • Minimum Log Source Requirement: Windows

Query:

LP_Windows Unusual File Access

  • Trigger Condition: A file is accessed more than 10 times within 10 minutes.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: File and Directory Discovery, Data Staged, Data from Information Repositories

  • ATT&CK ID: T1083, T1074, T1213

  • Minimum Log Source Requirement: Windows

Query:

LP_Windows Unusual User Access to an Object

  • Trigger Condition: A file or object is accessed by the same user more than 10 times within the configured time window.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: File and Directory Discovery, Data from Network Shared Drive, Network Share Discovery

  • ATT&CK ID: T1083, T1039, T1135

  • Minimum Log Source Requirement: Windows

Query:

LP_Windows Possible Successful Lateral Movement using Pass the Hash

  • Trigger Condition: Successful use of Pass the Hash (PtH) for lateral movement between workstations is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Use Alternate Authentication Material, Pass the Hash

  • ATT&CK ID: T1550, T1550.002

  • Minimum Log Source Requirement: Windows

Query:

Additional Windows alert rules follow the same format (the metadata above plus a query block), including:

  • User Added to Administrator Group

  • unBlock Inheritance on OU

  • Delegation of Authority Change in OU

  • Registry Value Change

  • OU Deletion

  • Successful Brute Force Attack from Same User

  • User Rights Changes

  • Failed Login Attempt using Expired Account

  • Registry Key Permission Change

  • Service State Change

  • User Account Lockout

  • User Removed from Administrator Group

  • Block Inheritance on OU

  • Kerberos Pre-authentication failed

among many others.
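Two of the rule types above, a count-within-a-window threshold (LP_Windows Unusual File Access: an object accessed more than 10 times within 10 minutes) and a knowledge-base list match (User Added to Administrator Group, using the ADMINS list), are re-implemented below over constructed Windows 4663 and member-added events. This is an added example in Python, not Logpoint's rule logic or query language; the field names (ts, event_id, user, object, member, group) are assumptions, and the sample events are constructed.

```python
"""Threshold and list-match alert rules over constructed Windows events.
Added example; not Logpoint code. Field names are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The administrative groups the page names, standing in for the ADMINS knowledge base list.
ADMINS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "DNSAdmins"}

# Member-added event IDs by group scope. The page's widget cites 4728 (global groups).
# Domain Admins is global, but Enterprise Admins and Schema Admins are universal (4756)
# and DnsAdmins is domain-local (4732), so a 4728-only rule misses three of the four.
MEMBER_ADDED = {4728, 4732, 4756}

THRESHOLD = 10
WINDOW = timedelta(minutes=10)


def _access_series(user, obj, start_minute, count, step):
    """Constructed 4663 (object access) events, `step` minutes apart, starting at 09:start_minute."""
    return [{"ts": f"2024-03-01T09:{start_minute + i * step:02d}:00", "event_id": 4663,
             "user": user, "object": obj} for i in range(count)]


SAMPLE_EVENTS = (
    # bob opens the same file 12 times in 12 consecutive minutes -> crosses the threshold
    _access_series("bob", r"\\fs01\finance\payroll.xlsx", 0, 12, 1)
    # carol opens a handbook 11 times but only every 2 minutes (at most 6 in any
    # 10-minute window) -> the window, not the raw count, keeps this quiet
    + _access_series("carol", r"\\fs01\hr\handbook.pdf", 0, 11, 2)
    + [
        {"ts": "2024-03-01T09:30:00", "event_id": 4728, "user": "svc_helpdesk",
         "member": r"CORP\mallory", "group": "Domain Admins"},
        {"ts": "2024-03-01T09:31:00", "event_id": 4756, "user": "svc_helpdesk",
         "member": r"CORP\mallory", "group": "Enterprise Admins"},
        {"ts": "2024-03-01T09:32:00", "event_id": 4728, "user": "hr_admin",
         "member": r"CORP\dave", "group": "Finance"},  # not an admin group -> no alert
    ]
)


def unusual_file_access(events, threshold=THRESHOLD, window=WINDOW):
    """Fire once per object the first time it is accessed more than `threshold` times
    inside any `window`. A per-object deque keeps only timestamps still inside the
    window, so memory is bounded by the threshold rather than by log volume."""
    recent = defaultdict(deque)
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):  # sliding window needs time order
        if ev["event_id"] != 4663:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["object"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ev["object"] not in fired:
            fired.add(ev["object"])
            alerts.append({"rule": "LP_Windows Unusual File Access", "object": ev["object"],
                           "user": ev["user"], "count": len(q),
                           "window_start": q[0].isoformat(), "window_end": ts.isoformat()})
    return alerts


def users_added_to_admin_group(events, admins=ADMINS, event_ids=MEMBER_ADDED):
    """Fire on every member-added event whose target group is on the admins list.
    AD group names are not case-sensitive, so compare case-folded."""
    wanted = {g.casefold() for g in admins}
    return [{"rule": "LP_Windows User Added to Administrator Group", "actor": ev["user"],
             "member": ev["member"], "group": ev["group"], "event_id": ev["event_id"]}
            for ev in events
            if ev["event_id"] in event_ids and ev["group"].casefold() in wanted]


if __name__ == "__main__":
    for alert in unusual_file_access(SAMPLE_EVENTS) + users_added_to_admin_group(SAMPLE_EVENTS):
        print(alert)
```

With the defaults, the file-access rule fires once, for bob's 11th access at 09:10, and the group rule fires twice; restricting `event_ids` to {4728} as the page's widget does drops the Enterprise Admins addition, which is the gap the comment on MEMBER_ADDED describes.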


Adding Windows Alert Rules

1

Open Alert Rules

Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.

2

Select Vendor Rules

Select VENDOR RULES from the drop-down.

3

Add Rule

Click the add icon from Actions.

4

After Adding

After you add alert rules, Logpoint redirects you to Used Alert Rules. When a rule triggers, Logpoint creates the corresponding incident under Incidents.


Reports

There are 15 different reports:

  1. LP_Active Directory Authentication Requests

  2. LP_Active Directory Object Management

  3. LP_Active Directory Report

  4. LP_AD: Computer Account Management

  5. LP_AD: Critical User Activities

  6. LP_AD: Distribution Group Management

  7. LP_AD: Machine Authentication Requests

  8. LP_AD: OU and GPO

  9. LP_AD: Policy Changes

  10. LP_AD: Security Group Management

  11. LP_AD: Service

  12. LP_AD: User Account Management

  13. LP_AD: User Authentication Requests

  14. LP_Windows Administrator Report

  15. LP_Windows Configuration Report

Knowledge Base Lists:

  • ADMINS

  • FILE_EXTENSIONS

  • LOGPOINT_GROUPS

Report Templates

  • LP_Windows Administrator Report is an incident summary report providing statistical information on Windows log events, account-related events, process events, event categories, member status, and policy changes.

  • LP_Active Directory Authentication Requests provides statistics on authentication requests made on Domain Controllers using Kerberos.

  • LP_Active Directory Object Management provides statistical information on management of security principal objects (account and group management).

  • LP_Active Directory Report provides statistical information on changes made in Active Directory.

Using Report Templates: Reports present data as graphs, time trends, lists, and text, and summarize incidents over a specific period (for example, the past 24 hours). The period is chosen from the calendar when the report is generated.

Generating a Report:

1

Open Reports

Go to Reports from the navigation bar and click Report Template.

2

Select Vendor Report Templates

Select VENDOR REPORT TEMPLATES.

3

Run a Report

Click Use Vendor Report and Run this Report from Actions. Select Repos, Time Zone, Time Range, Export Type, and Email. Click Submit.

4

View Report Jobs

Reports in progress and completed reports are listed under Report Jobs. Click PDF under Download to retrieve a completed report as a .pdf file.


We do our best to ensure the content we provide is complete, accurate and up to date. Logpoint makes no representations or warranties of any kind, express or implied about the documentation. We update it on a best-effort basis.
