Security Monitoring

Security.Monitoring :: 1.0.3.5 (Management Pack)

1.0.0.0 - detect certain tools, pth detection, credential elevation detection, event collector monitor
1.0.1.0 - monitor wdigest registry key
1.0.1.4 - added event checking for clearing event logs, local account creation, service creation.
1.0.1.5 - added threat hunting view and special groups rule.
1.0.1.7 - added event collection rules for threat hunting.
1.0.1.9 - added WEF rules targeting forwarded events logs.

Management Pack Elements

DataSource Modules (1)

| DisplayName | ID | Isolation | Accessibility |
| --- | --- | --- | --- |
| GPO Change Event then run correlation script DS | SecurityMonitoringMP.GPOMonitoring.Event.DS | Any | Public |

ProbeAction Modules (1)

| ID | Isolation | Accessibility |
| --- | --- | --- |
| SecurityMonitoringMP.GPOMonitoring.ProbeActionModule.GPOCorrelationScript | Any | Public |

Unit Monitor Types (2)

| DisplayName | ID | Accessibility | Support Monitor Recalculate |
| --- | --- | --- | --- |
| Check Existence of RegKey Monitor Type | SecurityMonitoringMP.RegValueExistsMonitorType | Internal | False |
| Check value of registry key | SecurityMonitoringMP.RegValueMonitorType | Internal | False |

Unit Monitors (5)

| DisplayName | ID | Target | Category | Enabled | Alert Generate | Accessibility |
| --- | --- | --- | --- | --- | --- | --- |
| Security Monitoring: Repeated RDP Logon Failures | SecurityMonitoringMP.Event.RepeatedLogonMonitor | Microsoft.Windows.Server.OperatingSystem | Custom | True | True | Public |
| A System - Is Pending Restart | SecurityMonitoringMP.Event.SystemPendingRestart | Microsoft.Windows.Server.OperatingSystem | Custom | False | True | Public |
| Security Monitoring: Event Log Collector Service is stopped | SecurityMonitoringMP.Health.EventCollectorMonitor | WindowsEventCollectorDiscovery.EventLogCollectorServer | Custom | True | True | Public |
| Security Monitoring: UseLogonCredential key does not exist | SecurityMonitoringMP.UseLogonCredentialExistsMonitor | Microsoft.Windows.Server.OperatingSystem | Custom | True | True | Internal |
| Security Monitoring: Wdigest passwords stored in clear text | SecurityMonitoringMP.WDigestRegConfiguredMonitor | Microsoft.Windows.Server.OperatingSystem | Custom | True | True | Internal |

Rules (61)

| DisplayName | ID | Target | Category | Enabled | Alert Generate |
| --- | --- | --- | --- | --- | --- |
| Failed RDP Logon | SecurityMonitoring.Event.FailedLogin | Microsoft.Windows.Server.OperatingSystem | Custom | True | True |
| Collect Failed Login Attemts | SecurityMonitoring.Failed.Login.Attempts.Collection | Microsoft.Windows.Computer | EventCollection | True | False |
| Security Monitoring: Domain Admins membership has changed | SecurityMonitoringMP.Accounts.DomainAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring: Enterprise Admins membership has changed | SecurityMonitoringMP.Accounts.EnterpriseAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring: Local Administrators Group was Modified | SecurityMonitoringMP.Accounts.LocalAdminChange | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: Schema Admins membership has changed | SecurityMonitoringMP.Accounts.SchemaAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring: Mimikatz in use | SecurityMonitoringMP.APPLocker.Mimikatz | Microsoft.Windows.Computer | Alert | False | True |
| Security Monitoring: Prohibited App in Use | SecurityMonitoringMP.APPLocker.ProhibitedApp | Microsoft.Windows.Computer | Alert | True | True |
| Security Monitoring: PSEXEC in Use | SecurityMonitoringMP.APPLocker.PSExec | Microsoft.Windows.Computer | Alert | False | True |
| Security Monitoring: WCE in Use | SecurityMonitoringMP.APPLocker.WCE | Microsoft.Windows.Computer | Alert | False | True |
| Security Monitoring: WinRar in use | SecurityMonitoringMP.APPLocker.WinRar | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
| Security Monitoring: A suspicious process creation (AppLocker bypass) was executed | SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was execuited | SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: A suspicious process creation (cmd) was executed | SecurityMonitoringMP.Event.4688.SuspiciousCMD | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: A suspicious process creation (FTP script execution via echo command) was executed | SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: A suspicious process creation (registry) was executed | SecurityMonitoringMP.Event.4688.SuspiciousReg | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring; A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: Possible Golden Ticket in Use | SecurityMonitoringMP.Event.GoldenTicketDetection | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring: A New GPO has been created | SecurityMonitoringMP.Event.GPOCreation | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring: A GPO was Deleted | SecurityMonitoringMP.Event.GPODelection | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring: Local account created on a member server | SecurityMonitoringMP.Event.LocalAccountCreatedonServer | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: Scheduled Task was Created | SecurityMonitoringMP.Event.ScheduledTaskCreation | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: Security Log was cleared | SecurityMonitoringMP.Event.SecurityLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: A Service was created on a domain controller | SecurityMonitoringMP.Event.ServiceCreatedonDC | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring: A service was created on a member server | SecurityMonitoringMP.Event.ServiceCreatedonMemberServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
| Security Monitoring: Service associated with a known threat was created on a member server | SecurityMonitoringMP.Event.ServiceKnownThreat | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: A Smart Card has been Disabled to Allow for Interactive Logon | SecurityMonitoringMP.Event.SmartCardDisabled | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring: Software was Installed on a Server | SecurityMonitoringMP.Event.SoftwareInstallOnServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
| Security Monitoring: Software was Removed from a Server | SecurityMonitoringMP.Event.SoftwareRemovedFromServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
| Security Monitoring: The system Log was cleared | SecurityMonitoringMP.Event.SystemLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: A system has been powered off | SecurityMonitoringMP.Event.SystemPoweredOff | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
| Security Monitoring: A system was restarted | SecurityMonitoringMP.Event.SystemRestarted | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
| Security Monitoring: Unexpected System Shutdown | SecurityMonitoringMP.Event.UnexpectedShutdown | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
| Security Monitoring Collection: Event ID 4672 | SecurityMonitoringMP.EventCollection.4672 | Microsoft.Windows.Server.OperatingSystem | EventCollection | False | False |
| Security Monitoring Collection: Event ID 4624 Logon Type 4 | SecurityMonitoringMP.EventCollection.BatchLogon | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False |
| Security Monitoring Event Collection: Event ID 4769 result 0x1F | SecurityMonitoringMP.EventCollection.GoldenTicket | Microsoft.Windows.Server.DC.Computer | EventCollection | True | False |
| Security Monitoring Collection: Event ID 4694 | SecurityMonitoringMP.EventCollection.SpecialGroupLogon | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False |
| Security Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJava | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was execuited | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: A suspicious process creation (cmd) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: A suspicious process creation (FTP script execution via echo command) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommand | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: A suspicious process creation (registry) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousReg | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPosition | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: Potential Credential Swap in Progress | SecurityMonitoringMP.ForwardedEvents.CredentialSwap | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: Local User Created or Deleted in Administrator Security Group | SecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeleted | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: Invoke-Mimikatz in use | SecurityMonitoringMP.ForwardedEvents.PowerSploit | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: Prohibited App in Use | SecurityMonitoringMP.ForwardedEvents.ProhibitedApp | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: Possible PtH Attack in Progress Against Tier 2 | SecurityMonitoringMP.ForwardedEvents.PtHTier2 | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | False | True |
| Security Monitoring Forwarded Events: Security log cleared on a server configured to forward events | SecurityMonitoringMP.ForwardedEvents.SecurityLogCleared | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: Service Created on system | SecurityMonitoringMP.ForwardedEvents.ServiceCreation | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | False | True |
| Security Monitoring Forwarded Events: Service associated with a known threat was created on a forwarding computer | SecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreats | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: Special Group logon event | SecurityMonitoringMP.ForwardedEvents.SpecialGroupLogon | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| Security Monitoring Forwarded Events: System Log was Cleared | SecurityMonitoringMP.ForwardedEvents.SystemLogCleared | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
| GPO Change Event then run correlation script Rule | SecurityMonitoringMP.GPOMonitoring.EventAndScript.Rule | Microsoft.Windows.Server.DC.Computer | Custom | True | True |
| Security Monitoring: Invoke-Mimikatz in use | SecurityMonitoringMP.PowerShellLog.PowerSploit | Microsoft.Windows.OperatingSystem | Alert | True | True |
| Security Monitoring: Potential Credential Swap in Progress | SecurityMonitoringMP.Pth.CredentialSwap | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring: Possible PtH attack in progress (successful) against DC | SecurityMonitoringMP.Pth.PtHAgainstDC | Microsoft.Windows.Server.DC.Computer | Alert | False | True |
| Security Monitoring: Possible PtH Attack in Progress against tier 1 | SecurityMonitoringMP.Pth.PtHAgainstTier1 | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
| Security Monitoring Threat Hunting: Batch Logon in use | SecurityMonitoringMP.ThreatHunt.BatchLogonInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
| Security Monitoring Threat Hunting: Kerberos Integrity Check on Decrypted Field Failed | SecurityMonitoringMP.ThreatHunt.GoldenTicket | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
| Security Monitoring Threat Hunting: Special Group logon event | SecurityMonitoringMP.ThreatHunt.SpecialGroupLogon | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |

Recoveries (2)

| DisplayName | ID | Target | Monitor | Reset Monitor | Category | Enabled | Accessibility |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Modify Windows Firewall | SecurityMonitoringMP.Recovery.BlockPortWindowsFW | Microsoft.Windows.Server.OperatingSystem | SecurityMonitoringMP.Event.RepeatedLogonMonitor | False | Custom | false | Public |
| Restart Service | SecurityMonitoringMP.Recovery.RestartWecSVC | WindowsEventCollectorDiscovery.EventLogCollectorServer | SecurityMonitoringMP.Health.EventCollectorMonitor | True | Custom | true | Public |

Monitor Property Overrides (4)

| ID | Context | Target |
| --- | --- | --- |
| OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2012Full | Microsoft.Windows.Server.6.2.Full.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor |
| OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2012OS | Microsoft.Windows.Server.6.2.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor |
| OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2012R2 | Microsoft.Windows.Server.2012.R2.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor |
| OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2016 | Microsoft.Windows.Server.10.0.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor |

Rule Property Overrides (3)

| ID | Context | Target |
| --- | --- | --- |
| OverrideForRuleSecurityMonitoringMP.Pth.PtHAgainstTier1.ServerDCComputer | Microsoft.Windows.Server.DC.Computer | SecurityMonitoringMP.Pth.PtHAgainstTier1 |
| OverrideForRuleSecurityMonitoringMP.Pth.PtHAgainstTier1.SQLComputer | Microsoft.SQLServer.ComputerGroup | SecurityMonitoringMP.Pth.PtHAgainstTier1 |
| OverrideForRuleSecurityMonitoringMPEventLocalAccountCreatedonServer.DomainControllers | Microsoft.Windows.Server.DC.Computer | SecurityMonitoringMP.Event.LocalAccountCreatedonServer |

Folder Items (4)

 IDFolderNameElementID
i08b0d1b442c04c8daf4574e19f39c3c9i08b0d1b442c04c8daf4574e19f39c3c9SecurityMonitoringMP.Folder.SecurityMonitoringSecurityMonitoringMP.View.SecurityMonitoringAlerts
i3691038e88044516a67ac5bbc79422c0i3691038e88044516a67ac5bbc79422c0SecurityMonitoringMP.Folder.EventCollectorsSecurityMonitoringMP.View.EventCollectorState
i74a5ba1881174da89a4041962320a070i74a5ba1881174da89a4041962320a070SecurityMonitoringMP.Folder.SecurityMonitoringSecurityMonitoringMP.View.ThreatHuntingAlert
if3e38fad5d3547168a4bca954c52cecbif3e38fad5d3547168a4bca954c52cecbSecurityMonitoringMP.Folder.EventCollectorsSecurityMonitoringMP.View.EventCollectorAlerts

Folders (2)

| DisplayName | ID | ParentFolder | Accessibility |
| --- | --- | --- | --- |
| Event Collectors | SecurityMonitoringMP.Folder.EventCollectors | SecurityMonitoringMP.Folder.SecurityMonitoring | Public |
| Security Monitoring | SecurityMonitoringMP.Folder.SecurityMonitoring | Microsoft.SystemCenter.Monitoring.ViewFolder.Root | Public |

Views (4)

| DisplayName | ID | Target | Type | Accessibility | Visible |
| --- | --- | --- | --- | --- | --- |
| Event Collector Alerts | SecurityMonitoringMP.View.EventCollectorAlerts | WindowsEventCollectorDiscovery.EventLogCollectorServer | Microsoft.SystemCenter.AlertViewType | Public | True |
| Event Collector State | SecurityMonitoringMP.View.EventCollectorState | WindowsEventCollectorDiscovery.EventLogCollectorServer | Microsoft.SystemCenter.StateViewType | Public | True |
| Security Monitoring MP Alerts | SecurityMonitoringMP.View.SecurityMonitoringAlerts | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True |
| Threat Hunting | SecurityMonitoringMP.View.ThreatHuntingAlert | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True |

Report Resources (3)

| ID | File Name | Accessibility |
| --- | --- | --- |
| FailedLoginDetails.ID | Failed Login Details.rdl | Internal |
| FailedLoginSummary.ID | Failed Login Summary.rdl | Internal |
| FailedLoginSummary24.ID | Failed Login Summary (24 hours).rdl | Internal |

Reports (3)

| ID | Accessibility | Visible |
| --- | --- | --- |
| Security.Monitoring.FailedLoginDetails | Public | True |
| Security.Monitoring.FailedLoginSummary | Public | True |
| Security.Monitoring.FailedLoginSummary24Hours | Public | True |