Our Windows Log Threat Detection Suite is a comprehensive set of alerts designed to detect cybersecurity threats and attacker activity from Windows event logs. Because Windows operating systems remain a prominent choice for businesses and organizations worldwide, robust monitoring and detection of these logs is essential to identify potential security breaches and malicious activity early.
Included alerts
SecOpsWinWmiExecVbsScript
SecOpsWinWmiprvseSpawningProcess
SecOpsWinLockoutsEndpoint
SecOpsWinExcessiveUserInteractiveLogin
SecOpsWinAnonymousAccountCreated
SecOpsWinBackupCatalogDeleted
SecOpsWinDisableAntispywareRegistry
SecOpsWinLocalSystemExecuteWhoami
SecOpsWinLsassKeyModification
SecOpsWinLsassMemDump
SecOpsWinRegUtilityHiveExport
SecOpsWinRegistryQuery
SecOpsWinRemoteSystemDiscovery
SecOpsWinScheduledTaskCreation
SecOpsWinUserAddedToLocalSecurityEnabledGroup
SecOpsWinWmiLaunchingShell
SecOpsWinWmiProcessCallCreate
SecOpsWinWmiScriptExecution
SecOpsWinADDomainEnumeration
SecOpsWinAttemptToAddCertificateToStore
SecOpsWinDisableUac
SecOpsWinMsiExecInstallWeb
SecOpsWinSchtasksForcedReboot
SecOpsWinSchtasksRemoteSystem
SecOpsWinWifiCredHarvestNetsh
SecOpsWinAdminShareSuspiciousUse
SecOpsWinNetworkShareCreated
SecOpsWinExternalSMBTrafficDetected
SecOpsAPT29byGoogleUpdateServiceInstall
SecOpsWinAuditLogCleared
SecOpsLocalUserCreation
SecOpsWinAdminRemoteLogon
SecOpsWinAtsvcRemoteExecution
SecOpsWinAuthLocalInteractiveLogin
SecOpsWinCmstpNetworkConnectionDetected
SecOpsWinCritServiceStopped
SecOpsWinDcShadowDetected
SecOpsWinDomainTrustActivity
SecOpsWinExcessiveKerberosSPNDowngrade
SecOpsWinExternalDeviceInstallationDenied
SecOpsWinNetShareScan
SecOpsWinNetShareSweep
SecOpsWinPermissionGroupDiscovery
SecOpsWinPowershellProcessDiscovery
SecOpsWinSmbAccessTempDirectory
SecOpsWinSpoolsvExeAbnormalProcessSpawn
SecOpsWinSuspiciousExternalDeviceInstallation
SecOpsWinUserAddedPrivlegedSecGroup
SecOpsWinUserCreationAbnormalNamingConvention
SecOpsADAccountNoExpires
SecOpsWinUserAddedSelfToSecGroup
SecOpsWinSamStopped
SecOpsWinSysInternalsActivityDetected
SecOpsWinSysTimeDiscovery
SecOpsWinRunasCommandExecution
SecOpsWinDefenderDownloadActivity
SecOpsWinShadowCopyDetected
SecOpsWinGoldenSamlCertificateExport
SecOpsWinDnsExeParentProcess
SecOpsWinFakeProcesses
SecOpsWinMemoryCorruptionVulnerability
SecOpsWinMimikatzLsadump
SecOpsWinFsutilDeleteChangeJournal
SecOpsWinRegistryModificationGlobalFolderOptions
SecOpsWinRegistryModificationRunKeyAdded
SecOpsWinRegistryModificationStoreLogonCred
SecOpsWinRegistryModificationNewTrustedSite
SecOpsWinRegistryModificationIExplorerSecZone
SecOpsWinPowershellSetExecutionPolicyBypass
SecOpsBlackByteRansomwareRegistryChanges
SecOpsBlackByteRansomwareRegChangesPowershell
SecOpsWinRegistryModificationDisableRegistryTool
SecOpsWinRegistryModificationDisableCMDApp
SecOpsWinRegistryModificationDisableTaskmgr
SecOpsWinRegistryModificationDisableNotificationCenter
SecOpsWinRegistryModificationDisableShutdownButton
SecOpsWinRegistryModificationDisableLogOffButton
SecOpsWinRegistryModificationDisableChangePasswdFeature
SecOpsMaliciousServiceInstallations
SecOpsWinRegistryModificationDisableLockWSFeature
SecOpsWinRegistryModificationNoDesktopGroupPolicy
SecOpsIntegrityProblem
SecOpsWinRegistryModificationActivateNoRunGroupPolicy
SecOpsWinRegistryModificationNoFindGroupPolicyFeature
SecOpsWinActivateNoControlPanelGroupPolicyFeature
SecOpsWinActivateNoFileMenuGroupPolicyFeature
SecOpsWinActivateNoCloseGroupPolicyFeature
SecOpsWinActivateNoSetTaskbarGroupPolicyFeature
SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature
SecOpsWinRegistryModificationHideClockGroupPolicyFeature
SecOpsWinRegistryModificationHideSCAHealth
SecOpsStoneDrillServiceInstall
SecOpsWinRegistryModificationHideSCANetwork
SecOpsWinRegistryModificationHideSCAPower
SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature
SecOpsWinRegistryModificationHideSCAVolume
SecOpsWinRegistryModificationPowershellLoggingDisabled
SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork
SecOpsWinCredentialDumpingNppspy
SecOpsWinModifyShowCompressColorAndInfoTipRegistry
SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork
SecOpsAppInitDLLsLoaded
SecOpsBypassUserAccountControl
SecOpsDLLWithNonUsualPath
SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers
SecOpsMaliciousPowerShellCommandletNames
SecOpsMaliciousPowerShellPrebuiltCommandlet
SecOpsPassTheHashActivityLoginBehaviour
SecOpsRevilKaseyaRegistryKey
SecOpsRareServiceInstalls
SecOpsSIGRedExploitMicrosoftWindowsDNS
SecOpsSuspiciousBehaviorAppInitDLL
SecOpsSuspiciousWMIExecution
SecOpsTurlaPNGDropperService
SecOpsTurlaServiceInstall
SecOpsWinUserCredentialDumpRegistry
SecOpsLOLBASCertreq
SecOpsLOLBASDatasvcutil
SecOpsWinWebclientClassUse
SecOpsWinInvokewebrequestUse
SecOpsWinTFTPExecution
SecOpsWinIcmpExfiltration
SecOpsLolbinBitsadminTransfer
SecOpsLolbinCertreq
SecOpsLolbinCertutil
SecOpsLolbinConfigsecuritypolicy
SecOpsLolbinDatasvcutil
SecOpsLolbinMshta
SecOpsWinCurl
SecOpsWinFTPScriptExecution
SecOpsWinSensitiveFiles
SecOpsWinServiceCreatedNonStandardPath
SecOpsWinSuspiciousWritesToRecycleBin
SecOpsWINWmiMOFProcessExecution
SecOpsWinWMIPermanentEventSubscription
SecOpsWinWmiTemporaryEventSubscription
SecOpsWinAutomatedCollectionCmd
SecOpsWinCompressEncryptData
SecOpsWinPotentialPassTheHash
SecOpsWinAutomatedCollectionPowershell
SecOpsWinPowershellKeyloggin
SecOpsWinIISWebRootProcessExecution
SecOpsWinMapSmbShare
SecOpsWinNewPsDrive
SecOpsWinRcloneExecution
SecOpsWinSmtpExfiltration
SecOpsWinAttackerToolsOnEndpoint
SecOpsWinAppInstallerExecution
SecOpsWinWMIReconRunningProcessOrSrvcs
SecOpsLolbinCertocexecution
SecOpsWinSysInfoGatheringUsingDxdiag
SecOpsWinGatherVictimIdentitySAMInfo
SecOpsWinKerberosUserEnumeration
SecOpsWermgrConnectingToIPCheckWebServices
SecOpsWinOfficeBrowserLaunchingShell
SecOpsResetPasswordAttempt
SecOpsAccountsCreatedRemovedWithinFourHours
SecOpsADPasswdNoExpires
SecOpsBlackKingdomWebshellInstalation
SecOpsBlankPasswordAsk
SecOpsChangesAccessibilityBinaries
SecOpsDeletingMassAmountOfFiles
SecOpsFailLogOn
SecOpsFsutilSuspiciousInvocation
SecOpsGenericRansomwareBehaviorIpScanner
SecOpsMultipleMachineAccessedbyUser
SecOpsNewAccountCreated
SecOpsNtds.ditDomainHashExtractionActivity
SecOpsPersistenceAndExecutionViaGPOScheduledTask
SecOpsPsExecToolExecution
SecOpsRansomwareBehaviorMaze
SecOpsRansomwareBehaviorNotPetya
SecOpsRansomwareBehaviorRyuk
SecOpsSecurityEnabledLocalGroupChanged
SecOpsSeveralPasswordChanges
SecOpsShadowCopiesDeletion
SecOpsStopSqlServicesRunning
SecOpsSuspiciousEventlogClearUsingWevtutil
SecOpsUserAccountChanged
SecOpsWannaCryBehavior
Prerequisites
To use this alert pack, you must have the following data sources available on your domain:
box.all.win
Open alert pack
Once you have installed the desired alerts individually, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find them and later manage them as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).
Use alert pack
Installed alerts are deactivated by default. Go to the Alert configuration area to activate the ones you need and assign sending policies so that you receive them through the desired channels.