Technology has transformed what’s possible for today’s small and medium-sized organizations, but it also increases exposure to potential security risks.
Compromised passwords are a serious risk to an environment.
Anomalous logins may signify suspicious activity.
Business Intellectual Property
Data Loss Prevention/Information Lockdown- The SIEM can detect if files are being exported/imported instead of being stored where the information security policy dictates.
External vulnerabilities are opportunities for outside attackers to gain internal access to the network.
Large amounts of failed login attempts in a short timeframe can be an key indicator of a brute force attack.
Login history keeps records on who is attempting logins into which machines and how frequently.
Proprietary Applications Security
Realtime Security Risk Analysis on Proprietary Applications- The SIEM provides real time analysis of Proprietary Applications to look for security gaps and identify patterns of suspicious activity that can identify a breach has occurred.
Server SSH Key Access Monitoring
User logged into a Server using an SSH public key.
SIEM Microsoft Events To Monitor
SIEM Firewall Alerts
Firewall Filter and IPS/IDS Log Analysis.
SIEM Office 365 Alerts
SIEM Office 365 Alerts.
Threat Intelligence Alert Destination IP Threat Indicated
Event destination IP address is listed on one of more blocklists as having an IOC - Indication of compromise.
Threat Intelligence Alert Source IP Threat Indicated
Event source IP address is listed on one of more blocklists as having an IOC - Indication of compromise.
Unauthorized 3rd Party Application Detection
3rd Party Application Detection and Remediation- The SIEM identifies unauthorized 3rd Party applications that have been granted access (a backdoor) into your network and provides you a portal to confirm applications in your environment.
User Behavior Analysis
User behavior analysis targets the method of login attempts by users.
Windows Account Usage
User account information can be collected and audited.
Windows Application Whitelisting
Application whitelisting events should be collected to look for applications that have been blocked from execution.
Windows Certificate Services
Certificate Services receives requests for digital certificates over RPC or HTTP.
Windows Clearing Event Logs
When an event log gets cleared, it is often suspicious.
Windows Defender Activity Monitoring
Spyware and malware remain a serious problem and Microsoft developed an antispyware and antivirus, Windows Defender, to combat this threat.
Windows DNS/Directory Services
Malicious or misused software can often attempt to resolve blacklisted or suspicious domain names.
Windows External Media Detection
Detection of USB device (e.g., mass storage devices) usage is important in some environments, such as air gapped networks.
Windows Kernel Driver Signing
Introduction of kernel driver signing in the 64-bit version of Windows Vista significantly improves defenses against insertion of malicious drivers or activities in the kernel.
Windows Microsoft Cryptography API
The Microsoft CryptoAPI can be used for certificate verification and encryption/decryption of data.
Windows Mobile Device Activities
Wireless devices are ubiquitous and the need to record an enterprise’s wireless device activities may be critical.
Windows Pass The Hash Detection
Tracking user accounts for detecting Pass the Hash (PtH) requires creating a custom view with XML to configure more advanced filtering options.
Windows PowerShell Activities
PowerShell events can be interesting as Powershell is included by default in modern Windows installations.
Windows Remote Desktop Logon Detection
Remote Desktop account activity events are not easily identifiable using the Event Viewer GUI.
Windows Task Scheduler Activities
Scheduled tasks can be maliciously created or deleted.
Windows Windows Firewall
If client workstations are taking advantage of the built-in host-based Windows Firewall, then there is value in collecting events to track the firewall status.
Windows File Modification Monitoring
Ransomware activity detection.
Last modified February 24, 2023