Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Purpose

Our Windows Log Threat Detection Suite is a powerful and comprehensive set of alerts specifically designed to detect and combat cybersecurity threats that exploit Windows logs. As Windows operating systems remain a prominent choice for businesses and organizations worldwide, it becomes essential to have robust monitoring and detection systems in place to safeguard against potential security breaches and malicious activities.

Included alerts

SecOpsWinWmiExecVbsScript

SecOpsWinWmiprvseSpawningProcess

SecOpsWinLockoutsEndpoint

SecOpsWinExcessiveUserInteractiveLogin

SecOpsWinAnonymousAccountCreated

SecOpsWinBackupCatalogDeleted

SecOpsWinDisableAntispywareRegistry

SecOpsWinLocalSystemExecuteWhoami

SecOpsWinLsassKeyModification

SecOpsWinLsassMemDump

SecOpsWinRegUtilityHiveExport

SecOpsWinRegistryQuery

SecOpsWinRemoteSystemDiscovery

SecOpsWinScheduledTaskCreation

SecOpsWinUserAddedToLocalSecurityEnabledGroup

SecOpsWinWmiLaunchingShell

SecOpsWinWmiProcessCallCreate

SecOpsWinWmiScriptExecution

SecOpsWinADDomainEnumeration

SecOpsWinAttemptToAddCertificateToStore

SecOpsWinDisableUac

SecOpsWinMsiExecInstallWeb

SecOpsWinSchtasksForcedReboot

SecOpsWinSchtasksRemoteSystem

SecOpsWinWifiCredHarvestNetsh

SecOpsWinAdminShareSuspiciousUse

SecOpsWinNetworkShareCreated

SecOpsWinExternalSMBTrafficDetected

SecOpsAPT29byGoogleUpdateServiceInstall

SecOpsWinAuditLogCleared

SecOpsLocalUserCreation

SecOpsWinAdminRemoteLogon

SecOpsWinAtsvcRemoteExecution

SecOpsWinAuthLocalInteractiveLogin

SecOpsWinCmstpNetworkConnectionDetected

SecOpsWinCritServiceStopped

SecOpsWinDcShadowDetected

SecOpsWinDomainTrustActivity

SecOpsWinExcessiveKerberosSPNDowngrade

SecOpsWinExternalDeviceInstallationDenied

SecOpsWinNetShareScan

SecOpsWinNetShareSweep

SecOpsWinPermissionGroupDiscovery

SecOpsWinPowershellProcessDiscovery

SecOpsWinSmbAccessTempDirectory

SecOpsWinSpoolsvExeAbnormalProcessSpawn

SecOpsWinSuspiciousExternalDeviceInstallation

SecOpsWinUserAddedPrivlegedSecGroup

SecOpsWinUserCreationAbnormalNamingConvention

SecOpsADAccountNoExpires

SecOpsWinUserAddedSelfToSecGroup

SecOpsWinSamStopped

SecOpsWinSysInternalsActivityDetected

SecOpsWinSysTimeDiscovery

SecOpsWinRunasCommandExecution

SecOpsWinDefenderDownloadActivity

SecOpsWinShadowCopyDetected

SecOpsWinGoldenSamlCertificateExport

SecOpsWinDnsExeParentProcess

SecOpsWinFakeProcesses

SecOpsWinMemoryCorruptionVulnerability

SecOpsWinMimikatzLsadump

SecOpsWinFsutilDeleteChangeJournal

SecOpsWinRegistryModificationGlobalFolderOptions

SecOpsWinRegistryModificationRunKeyAdded

SecOpsWinRegistryModificationStoreLogonCred

SecOpsWinRegistryModificationNewTrustedSite

SecOpsWinRegistryModificationIExplorerSecZone

SecOpsWinPowershellSetExecutionPolicyBypass

SecOpsBlackByteRansomwareRegistryChanges

SecOpsBlackByteRansomwareRegChangesPowershell

SecOpsWinRegistryModificationDisableRegistryTool

SecOpsWinRegistryModificationDisableCMDApp

SecOpsWinRegistryModificationDisableTaskmgr

SecOpsWinRegistryModificationDisableNotificationCenter

SecOpsWinRegistryModificationDisableShutdownButton

SecOpsWinRegistryModificationDisableLogOffButton

SecOpsWinRegistryModificationDisableChangePasswdFeature

SecOpsMaliciousServiceInstallations

SecOpsWinRegistryModificationDisableLockWSFeature

SecOpsWinRegistryModificationNoDesktopGroupPolicy

SecOpsIntegrityProblem

SecOpsWinRegistryModificationActivateNoRunGroupPolicy

SecOpsWinRegistryModificationNoFindGroupPolicyFeature

SecOpsWinActivateNoControlPanelGroupPolicyFeature

SecOpsWinActivateNoFileMenuGroupPolicyFeature

SecOpsWinActivateNoCloseGroupPolicyFeature

SecOpsWinActivateNoSetTaskbarGroupPolicyFeature

SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature

SecOpsWinRegistryModificationHideClockGroupPolicyFeature

SecOpsWinRegistryModificationHideSCAHealth

SecOpsStoneDrillServiceInstall

SecOpsWinRegistryModificationHideSCANetwork

SecOpsWinRegistryModificationHideSCAPower

SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature

SecOpsWinRegistryModificationHideSCAVolume

SecOpsWinRegistryModificationPowershellLoggingDisabled

SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork

SecOpsWinCredentialDumpingNppspy

SecOpsWinModifyShowCompressColorAndInfoTipRegistry

SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork

SecOpsAppInitDLLsLoaded

SecOpsBypassUserAccountControl

SecOpsDLLWithNonUsualPath

SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers

SecOpsMaliciousPowerShellCommandletNames

SecOpsMaliciousPowerShellPrebuiltCommandlet

SecOpsPassTheHashActivityLoginBehaviour

SecOpsRevilKaseyaRegistryKey

SecOpsRareServiceInstalls

SecOpsSIGRedExploitMicrosoftWindowsDNS

SecOpsSuspiciousBehaviorAppInitDLL

SecOpsSuspiciousWMIExecution

SecOpsTurlaPNGDropperService

SecOpsTurlaServiceInstall

SecOpsWinUserCredentialDumpRegistry

SecOpsLOLBASCertreq

SecOpsLOLBASDatasvcutil

SecOpsWinWebclientClassUse

SecOpsWinInvokewebrequestUse

SecOpsWinTFTPExecution

SecOpsWinIcmpExfiltration

SecOpsLolbinBitsadminTransfer

SecOpsLolbinCertreq

SecOpsLolbinCertutil

SecOpsLolbinConfigsecuritypolicy

SecOpsLolbinDatasvcutil

SecOpsLolbinMshta

SecOpsWinCurl

SecOpsWinFTPScriptExecution

SecOpsWinSensitiveFiles

SecOpsWinServiceCreatedNonStandardPath

SecOpsWinSuspiciousWritesToRecycleBin

SecOpsWINWmiMOFProcessExecution

SecOpsWinWMIPermanentEventSubscription

SecOpsWinWmiTemporaryEventSubscription

SecOpsWinAutomatedCollectionCmd

SecOpsWinCompressEncryptData

SecOpsWinPotentialPassTheHash

SecOpsWinAutomatedCollectionPowershell

SecOpsWinPowershellKeyloggin

SecOpsWinIISWebRootProcessExecution

SecOpsWinMapSmbShare

SecOpsWinNewPsDrive

SecOpsWinRcloneExecution

SecOpsWinSmtpExfiltration

SecOpsWinAttackerToolsOnEndpoint

SecOpsWinAppInstallerExecution

SecOpsWinWMIReconRunningProcessOrSrvcs

SecOpsLolbinCertocexecution

SecOpsWinSysInfoGatheringUsingDxdiag

SecOpsWinGatherVictimIdentitySAMInfo

SecOpsWinKerberosUserEnumeration

SecOpsWermgrConnectingToIPCheckWebServices

SecOpsWinOfficeBrowserLaunchingShell

SecOpsResetPasswordAttempt

SecOpsAccountsCreatedRemovedWithinFourHours

SecOpsADPasswdNoExpires

SecOpsBlackKingdomWebshellInstalation

SecOpsBlankPasswordAsk

SecOpsChangesAccessibilityBinaries

SecOpsDeletingMassAmountOfFiles

SecOpsFailLogOn

SecOpsFsutilSuspiciousInvocation

SecOpsGenericRansomwareBehaviorIpScanner

SecOpsMultipleMachineAccessedbyUser

SecOpsNewAccountCreated

SecOpsNtds.ditDomainHashExtractionActivity

SecOpsPersistenceAndExecutionViaGPOScheduledTask

SecOpsPsExecToolExecution

SecOpsRansomwareBehaviorMaze

SecOpsRansomwareBehaviorNotPetya

SecOpsRansomwareBehaviorRyuk

SecOpsSecurityEnabledLocalGroupChanged

SecOpsSeveralPasswordChanges

SecOpsShadowCopiesDeletion

SecOpsStopSqlServicesRunning

SecOpsSuspiciousEventlogClearUsingWevtutil

SecOpsUserAccountChanged

SecOpsWannaCryBehavior

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

  • box.all.win

Open alert pack 

Once you have installed the desired alerts individually, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find them and later manage them as required. You can also access this area via the Navigation pane (AdministrationAlert ConfigurationAvailable alerts).

Use alert pack 

The alerts installed are deactivated by default. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.

  • No labels