Platform alert pack: Windows
- Former user (Deleted)
- Borja Moro Moreno
Purpose
Our Windows Log Threat Detection Suite is a powerful and comprehensive set of alerts specifically designed to detect and combat cybersecurity threats that exploit Windows logs. As Windows operating systems remain a prominent choice for businesses and organizations worldwide, it becomes essential to have robust monitoring and detection systems in place to safeguard against potential security breaches and malicious activities.
Included alerts
SecOpsWinWmiExecVbsScript | SecOpsWinWmiprvseSpawningProcess | SecOpsWinLockoutsEndpoint |
SecOpsWinExcessiveUserInteractiveLogin | SecOpsWinAnonymousAccountCreated | SecOpsWinBackupCatalogDeleted |
SecOpsWinDisableAntispywareRegistry | SecOpsWinLocalSystemExecuteWhoami | SecOpsWinLsassKeyModification |
SecOpsWinLsassMemDump | SecOpsWinRegUtilityHiveExport | SecOpsWinRegistryQuery |
SecOpsWinRemoteSystemDiscovery | SecOpsWinScheduledTaskCreation | SecOpsWinUserAddedToLocalSecurityEnabledGroup |
SecOpsWinWmiLaunchingShell | SecOpsWinWmiProcessCallCreate | SecOpsWinWmiScriptExecution |
SecOpsWinADDomainEnumeration | SecOpsWinAttemptToAddCertificateToStore | SecOpsWinDisableUac |
SecOpsWinMsiExecInstallWeb | SecOpsWinSchtasksForcedReboot | SecOpsWinSchtasksRemoteSystem |
SecOpsWinWifiCredHarvestNetsh | SecOpsWinAdminShareSuspiciousUse | SecOpsWinNetworkShareCreated |
SecOpsWinExternalSMBTrafficDetected | SecOpsAPT29byGoogleUpdateServiceInstall | SecOpsWinAuditLogCleared |
SecOpsLocalUserCreation | SecOpsWinAdminRemoteLogon | SecOpsWinAtsvcRemoteExecution |
SecOpsWinAuthLocalInteractiveLogin | SecOpsWinCmstpNetworkConnectionDetected | SecOpsWinCritServiceStopped |
SecOpsWinDcShadowDetected | SecOpsWinDomainTrustActivity | SecOpsWinExcessiveKerberosSPNDowngrade |
SecOpsWinExternalDeviceInstallationDenied | SecOpsWinNetShareScan | SecOpsWinNetShareSweep |
SecOpsWinPermissionGroupDiscovery | SecOpsWinPowershellProcessDiscovery | SecOpsWinSmbAccessTempDirectory |
SecOpsWinSpoolsvExeAbnormalProcessSpawn | SecOpsWinSuspiciousExternalDeviceInstallation | SecOpsWinUserAddedPrivlegedSecGroup |
SecOpsWinUserCreationAbnormalNamingConvention | SecOpsADAccountNoExpires | SecOpsWinUserAddedSelfToSecGroup |
SecOpsWinSamStopped | SecOpsWinSysInternalsActivityDetected | SecOpsWinSysTimeDiscovery |
SecOpsWinRunasCommandExecution | SecOpsWinDefenderDownloadActivity | SecOpsWinShadowCopyDetected |
SecOpsWinGoldenSamlCertificateExport | SecOpsWinDnsExeParentProcess | SecOpsWinFakeProcesses |
SecOpsWinMemoryCorruptionVulnerability | SecOpsWinMimikatzLsadump | SecOpsWinFsutilDeleteChangeJournal |
SecOpsWinRegistryModificationGlobalFolderOptions | SecOpsWinRegistryModificationRunKeyAdded | SecOpsWinRegistryModificationStoreLogonCred |
SecOpsWinRegistryModificationNewTrustedSite | SecOpsWinRegistryModificationIExplorerSecZone | SecOpsWinPowershellSetExecutionPolicyBypass |
SecOpsBlackByteRansomwareRegistryChanges | SecOpsBlackByteRansomwareRegChangesPowershell | SecOpsWinRegistryModificationDisableRegistryTool |
SecOpsWinRegistryModificationDisableCMDApp | SecOpsWinRegistryModificationDisableTaskmgr | SecOpsWinRegistryModificationDisableNotificationCenter |
SecOpsWinRegistryModificationDisableShutdownButton | SecOpsWinRegistryModificationDisableLogOffButton | SecOpsWinRegistryModificationDisableChangePasswdFeature |
SecOpsMaliciousServiceInstallations | SecOpsWinRegistryModificationDisableLockWSFeature | SecOpsWinRegistryModificationNoDesktopGroupPolicy |
SecOpsIntegrityProblem | SecOpsWinRegistryModificationActivateNoRunGroupPolicy | SecOpsWinRegistryModificationNoFindGroupPolicyFeature |
SecOpsWinActivateNoControlPanelGroupPolicyFeature | SecOpsWinActivateNoFileMenuGroupPolicyFeature | SecOpsWinActivateNoCloseGroupPolicyFeature |
SecOpsWinActivateNoSetTaskbarGroupPolicyFeature | SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature | SecOpsWinRegistryModificationHideClockGroupPolicyFeature |
SecOpsWinRegistryModificationHideSCAHealth | SecOpsStoneDrillServiceInstall | SecOpsWinRegistryModificationHideSCANetwork |
SecOpsWinRegistryModificationHideSCAPower | SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature | SecOpsWinRegistryModificationHideSCAVolume |
SecOpsWinRegistryModificationPowershellLoggingDisabled | SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork | SecOpsWinCredentialDumpingNppspy |
SecOpsWinModifyShowCompressColorAndInfoTipRegistry | SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork | SecOpsAppInitDLLsLoaded |
SecOpsBypassUserAccountControl | SecOpsDLLWithNonUsualPath | SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers |
SecOpsMaliciousPowerShellCommandletNames | SecOpsMaliciousPowerShellPrebuiltCommandlet | SecOpsPassTheHashActivityLoginBehaviour |
SecOpsRevilKaseyaRegistryKey | SecOpsRareServiceInstalls | SecOpsSIGRedExploitMicrosoftWindowsDNS |
SecOpsSuspiciousBehaviorAppInitDLL | SecOpsSuspiciousWMIExecution | SecOpsTurlaPNGDropperService |
SecOpsTurlaServiceInstall | SecOpsWinUserCredentialDumpRegistry | SecOpsLOLBASCertreq |
SecOpsLOLBASDatasvcutil | SecOpsWinWebclientClassUse | SecOpsWinInvokewebrequestUse |
SecOpsWinTFTPExecution | SecOpsWinIcmpExfiltration | SecOpsLolbinBitsadminTransfer |
SecOpsLolbinCertreq | SecOpsLolbinCertutil | SecOpsLolbinConfigsecuritypolicy |
SecOpsLolbinDatasvcutil | SecOpsLolbinMshta | SecOpsWinCurl |
SecOpsWinFTPScriptExecution | SecOpsWinSensitiveFiles | SecOpsWinServiceCreatedNonStandardPath |
SecOpsWinSuspiciousWritesToRecycleBin | SecOpsWINWmiMOFProcessExecution | SecOpsWinWMIPermanentEventSubscription |
SecOpsWinWmiTemporaryEventSubscription | SecOpsWinAutomatedCollectionCmd | SecOpsWinCompressEncryptData |
SecOpsWinPotentialPassTheHash | SecOpsWinAutomatedCollectionPowershell | SecOpsWinPowershellKeyloggin |
SecOpsWinIISWebRootProcessExecution | SecOpsWinMapSmbShare | SecOpsWinNewPsDrive |
SecOpsWinRcloneExecution | SecOpsWinSmtpExfiltration | SecOpsWinAttackerToolsOnEndpoint |
SecOpsWinAppInstallerExecution | SecOpsWinWMIReconRunningProcessOrSrvcs | SecOpsLolbinCertocexecution |
SecOpsWinSysInfoGatheringUsingDxdiag | SecOpsWinGatherVictimIdentitySAMInfo | SecOpsWinKerberosUserEnumeration |
SecOpsWermgrConnectingToIPCheckWebServices | SecOpsWinOfficeBrowserLaunchingShell | SecOpsResetPasswordAttempt |
SecOpsAccountsCreatedRemovedWithinFourHours | SecOpsADPasswdNoExpires | SecOpsBlackKingdomWebshellInstalation |
SecOpsBlankPasswordAsk | SecOpsChangesAccessibilityBinaries | SecOpsDeletingMassAmountOfFiles |
SecOpsFailLogOn | SecOpsFsutilSuspiciousInvocation | SecOpsGenericRansomwareBehaviorIpScanner |
SecOpsMultipleMachineAccessedbyUser | SecOpsNewAccountCreated | SecOpsNtds.ditDomainHashExtractionActivity |
SecOpsPersistenceAndExecutionViaGPOScheduledTask | SecOpsPsExecToolExecution | SecOpsRansomwareBehaviorMaze |
SecOpsRansomwareBehaviorNotPetya | SecOpsRansomwareBehaviorRyuk | SecOpsSecurityEnabledLocalGroupChanged |
SecOpsSeveralPasswordChanges | SecOpsShadowCopiesDeletion | SecOpsStopSqlServicesRunning |
SecOpsSuspiciousEventlogClearUsingWevtutil | SecOpsUserAccountChanged | SecOpsWannaCryBehavior |
Prerequisites
To use this alert pack, you must have the following data sources available on your domain:
box.all.win
Open alert packÂ
Once you have installed the desired alerts individually, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find them and later manage them as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).
Use alert packÂ
The alerts installed are deactivated by default. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.