Security Monitoring

Security.Monitoring :: 1.0.4.272 (Management Pack)


All documentation can be found at the following page:
https://blogs.technet.microsoft.com/nathangau/2017/05/01/introducing-the-security-monitoring-management-pack-for-scom/

Management Pack Elements

DataSource Modules (5)

ID | DisplayName | Isolation | Accessibility
SecurityMonitoringMP.GPOMonitoring.Event.DS | GPO Change Event then run correlation script DS | Any | Public
Security.Monitoring.MultiStringRegistry.DS | Security.Monitoring.MultiStringRegistry.DS | Any | Internal
Security.Monitoring.SMBv1Connections.DS | Security.Monitoring.SMBv1Connections.DS | Any | Internal
SecurityMonitoring.Event.RepeatedFailedLogind.DS | SecurityMonitoring.Event.RepeatedFailedLogind.DS | Any | Public
SecurityMonitoringMP.GPOMonitoring.GPOEvent.DS | SecurityMonitoringMP.GPOMonitoring.GPOEvent.DS | Any | Public

ProbeAction Modules (3)

ID | Isolation | Accessibility
Security.Monitoring.MultiStringRegistry.PowerShell | Any | Internal
Security.Monitoring.SMBv1Connections.PowerShell | Any | Internal
SecurityMonitoringMP.GPOMonitoring.ProbeActionModule.GPOCorrelationScript | Any | Public

Unit Monitor Types (5)

ID | DisplayName | Accessibility | Support Monitor Recalculate
SecurityMonitoringMP.RegValueExistsMonitorType | Check Existence of RegKey Monitor Type | Internal | False
SecurityMonitoringMP.RegValueMonitorType | Check value of registry key | Internal | False
CheckRegValue | CheckRegValue | Internal | False
CheckRegValueString | CheckRegValueString | Internal | False
MultiStringRegMonitorType | MultiStringRegMonitorType | Internal | False

Unit Monitors (6)

ID | DisplayName | Target | Category | Enabled | Alert Generate | Accessibility
Security.Monitoring.Monitors.AuthenticationPackages | Security Monitoring: Check Authentication Packages Registry Key | Microsoft.Windows.Server.OperatingSystem | AvailabilityHealth | True | True | Internal
SecurityMonitoringMP.Event.RepeatedLogonMonitor | Security Monitoring: Repeated RDP Logon Failures | Microsoft.Windows.Server.OperatingSystem | Custom | True | False | Public
SecurityMonitoringMP.Event.SystemPendingRestart | A System - Is Pending Restart | Microsoft.Windows.Server.OperatingSystem | Custom | False | True | Public
SecurityMonitoringMP.Health.EventCollectorMonitor | Security Monitoring: Event Log Collector Service is stopped | WindowsEventCollectorDiscovery.EventLogCollectorServer | Custom | True | True | Public
SecurityMonitoringMP.UseLogonCredentialExistsMonitor | Security Monitoring: UseLogonCredential key does not exist | Microsoft.Windows.Server.OperatingSystem | Custom | True | True | Internal
SecurityMonitoringMP.WDigestRegConfiguredMonitor | Security Monitoring: WDigest passwords stored in clear text | Microsoft.Windows.Server.OperatingSystem | Custom | True | True | Internal

Rules (91)

ID | DisplayName | Target | Category | Enabled | Alert Generate
Security.Monitoring.Collect.SMBv1Connections | Security Monitoring: Collect SMBv1 Connections | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
Security.Monitoring.CollectionRule.CollectLAPSEvents | Security Monitoring: Collect LAPS Events | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
Security.Monitoring.Event.4688.GenericCryptoRansomWare | Security Monitoring: Possible Crypto-Ransomware Installed on Computer | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.Event.RemoteRegSvr32 | Security Monitoring: RegSvr32 used to load a DLL that is not located on this machine | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.Event.SeDebugPrivilegeEscalation | Security Monitoring: SeDebugPrivilege Escalation Detected | Microsoft.Windows.OperatingSystem | Alert | False | True
Security.Monitoring.EventCollection.LanMan | Security Monitoring: Collect LANMAN Authentication | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
Security.Monitoring.EventCollection.NTLMV1 | Security Monitoring: Collect NTLMV1 Events | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
Security.Monitoring.EventCollection.WdigestAuthentication | Security Monitoring: Collect WDigest Authentication Events | Microsoft.Windows.Server.DC.Computer | EventCollection | True | False
Security.Monitoring.ForwardedEvents.4688.GenericCryptoRansomWare | Security Monitoring Forwarded Events: Possible Crypto-Ransomware Installed on Computer | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.CollectLAPSEvents | Security Monitoring Forwarded Events: Collect LAPS Events | WindowsEventCollectorDiscovery.EventLogCollectorServer | EventCollection | True | False
Security.Monitoring.ForwardedEvents.DebugEscalation | Security Monitoring Forwarded Events: SeDebug Privilege Escalation Detected | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.FindAVSignature | Security Monitoring Forwarded Events: PowerSploit FindAV Signature Tool is in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.GetDLLLoadPath | Security Monitoring Forwarded Events: PowerSploit Get DLL Load Path is in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.GetHTTPStatus | Security Monitoring Forwarded Events: PowerSploit HTTP Path Discovery Tool is in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.GetKeystroke | Security Monitoring Forwarded Events: PowerSploit Key Stroke Logger in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.InvokeDLLInjection | Security Monitoring Forwarded Events: PowerSploit Invoke DLL Injection Command in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.InvokeMimikatz | Security Monitoring Forwarded Events: Invoke-Mimikatz Detected in Tier 0 Environment | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.InvokeNinjaCopy | Security Monitoring Forwarded Events: Invoke Ninja Copy is in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.InvokePortScan | Security Monitoring Forwarded Events: Invoke Portscan is in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.InvokeShellCodeInUse | Security Monitoring: Invoke ShellCode is in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.PowerShellStartHiddenProcess | Security Monitoring Forwarded Events: Hidden Process Starting Using PowerShell | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.ForwardedEvents.RemoteRegSvr32 | Security Monitoring Forwarded Events: RegSvr32 used to load a DLL that is not located on this machine | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security.Monitoring.PowerShellLog.FindAVSignature | Security Monitoring: PowerSploit FindAV Signature Tool is in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.GetDLLLoadPath | Security Monitoring: PowerSploit Get DLL Load Path is in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.GetHTTPStatus | Security Monitoring: PowerSploit HTTP Path Discovery Tool is in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.GetKeystroke | Security Monitoring: PowerSploit Key Stroke Logger in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.InvokeDLLInjection | Security Monitoring: PowerSploit Invoke DLL Injection Command in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.InvokeMimikatzInUse | Security Monitoring: Invoke-Mimikatz is in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.InvokeNinjaCopy | Security Monitoring: Invoke Ninja Copy is in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.InvokePortScan | Security Monitoring: Invoke Portscan is in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.InvokeShellCodeInUse | Security Monitoring: Invoke ShellCode in Use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.PowerShellLog.PowerShellStartHiddenProcess | Security Monitoring: Hidden Process Starting Using PowerShell | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security.Monitoring.SecurityMonitoring.Event.DCOUModify | Security Monitoring: Modification has been made to the DC OU | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security.Monitoring.SecurityMonitoring.Event.GPOCreation | Security Monitoring: A GPO was Created | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security.Monitoring.SecurityMonitoring.Event.GPODeletionRule | Security Monitoring: A GPO was Deleted | Microsoft.Windows.Server.DC.Computer | Alert | True | True
SecurityMonitoring.Event.FailedLogin | Security Monitoring: Failed RDP Logon | Microsoft.Windows.Server.OperatingSystem | Custom | False | True
SecurityMonitoring.Failed.Login.Attempts.Collection | Collect Failed Login Attempts | Microsoft.Windows.Computer | EventCollection | True | False
SecurityMonitoringMP.Accounts.DomainAdminChange | Security Monitoring: Domain Admins membership has changed | Microsoft.Windows.Server.DC.Computer | Alert | True | True
SecurityMonitoringMP.Accounts.EnterpriseAdminChange | Security Monitoring: Enterprise Admins membership has changed | Microsoft.Windows.Server.DC.Computer | Alert | True | True
SecurityMonitoringMP.Accounts.LocalAdminChange | Security Monitoring: Local Administrators Group was Modified | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Accounts.SchemaAdminChange | Security Monitoring: Schema Admins membership has changed | Microsoft.Windows.Server.DC.Computer | Alert | True | True
SecurityMonitoringMP.APPLocker.Mimikatz | Security Monitoring: Mimikatz in use | Microsoft.Windows.Computer | Alert | False | True
SecurityMonitoringMP.APPLocker.ProhibitedApp | Security Monitoring: Prohibited App in Use | Microsoft.Windows.Computer | Alert | True | True
SecurityMonitoringMP.APPLocker.PSExec | Security Monitoring: PSEXEC in Use | Microsoft.Windows.Computer | Alert | False | True
SecurityMonitoringMP.APPLocker.WCE | Security Monitoring: WCE in Use | Microsoft.Windows.Computer | Alert | False | True
SecurityMonitoringMP.APPLocker.WinRar | Security Monitoring: WinRar in use | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava | Security Monitoring: A suspicious process creation (AppLocker bypass) was executed | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr | Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was executed | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.4688.SuspiciousCMD | Security Monitoring: A suspicious process creation (cmd) was executed | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand | Security Monitoring: A suspicious process creation (FTP script execution via echo command) was executed | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.4688.SuspiciousReg | Security Monitoring: A suspicious process creation (registry) was executed | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition | Security Monitoring: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.GoldenTicketDetection | Security Monitoring: Possible Golden Ticket in Use | Microsoft.Windows.Server.DC.Computer | Alert | True | True
SecurityMonitoringMP.Event.LocalAccountCreatedonServer | Security Monitoring: Local account created on a member server | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.ScheduledTaskCreation | Security Monitoring: Scheduled Task was Created | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.SecurityLogCleared | Security Monitoring: Security Log was cleared | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.ServiceCreatedonDC | Security Monitoring: A Service was created on a domain controller | Microsoft.Windows.Server.DC.Computer | Alert | True | True
SecurityMonitoringMP.Event.ServiceCreatedonMemberServer | Security Monitoring: A service was created on a member server | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.Event.ServiceKnownThreat | Security Monitoring: Service associated with a known threat was created on a member server | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.SmartCardDisabled | Security Monitoring: A Smart Card has been Disabled to Allow for Interactive Logon | Microsoft.Windows.Server.DC.Computer | Alert | True | True
SecurityMonitoringMP.Event.SoftwareInstallOnServer | Security Monitoring: Software was Installed on a Server | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.Event.SoftwareRemovedFromServer | Security Monitoring: Software was Removed from a Server | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.Event.SystemLogCleared | Security Monitoring: The System Log was cleared | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Event.SystemPoweredOff | Security Monitoring: A system has been powered off | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.Event.SystemRestarted | Security Monitoring: A system was restarted | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.Event.UnexpectedShutdown | Security Monitoring: Unexpected System Shutdown | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.EventCollection.4672 | Security Monitoring Collection: Event ID 4672 | Microsoft.Windows.Server.OperatingSystem | EventCollection | False | False
SecurityMonitoringMP.EventCollection.BatchLogon | Security Monitoring Collection: Event ID 4624 Logon Type 4 | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
SecurityMonitoringMP.EventCollection.GoldenTicket | Security Monitoring Event Collection: Event ID 4769 result 0x1F | Microsoft.Windows.Server.DC.Computer | EventCollection | True | False
SecurityMonitoringMP.EventCollection.SpecialGroupLogon | Security Monitoring Collection: Event ID 4694 | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJava | Security Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass) was executed | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr | Security Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass using regsvr32) was executed | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD | Security Monitoring Forwarded Events: A suspicious process creation (cmd) was executed | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommand | Security Monitoring Forwarded Events: A suspicious process creation (FTP script execution via echo command) was executed | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousReg | Security Monitoring Forwarded Events: A suspicious process creation (registry) was executed | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPosition | Security Monitoring Forwarded Events: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.CredentialSwap | Security Monitoring Forwarded Events: Potential Credential Swap in Progress | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeleted | Security Monitoring Forwarded Events: Local User Created or Deleted in Administrator Security Group | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.ProhibitedApp | Security Monitoring Forwarded Events: Prohibited App in Use | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.PtHTier2 | Security Monitoring Forwarded Events: Possible PtH Attack in Progress Against Tier 2 | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | False | True
SecurityMonitoringMP.ForwardedEvents.SecurityLogCleared | Security Monitoring Forwarded Events: Security log cleared on a server configured to forward events | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.ServiceCreation | Security Monitoring Forwarded Events: Service Created on system | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | False | True
SecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreats | Security Monitoring Forwarded Events: Service associated with a known threat was created on a forwarding computer | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.SpecialGroupLogon | Security Monitoring Forwarded Events: Special Group logon event | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.ForwardedEvents.SystemLogCleared | Security Monitoring Forwarded Events: System Log was Cleared | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
SecurityMonitoringMP.GPOMonitoring.EventAndScript.Rule | GPO Change Event then run correlation script Rule | Microsoft.Windows.Server.DC.Computer | Custom | True | True
SecurityMonitoringMP.Pth.CredentialSwap | Security Monitoring: Potential Credential Swap in Progress | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.Pth.PtHAgainstDC | Security Monitoring: Possible PtH attack in progress (successful) against DC | Microsoft.Windows.Server.DC.Computer | Alert | False | True
SecurityMonitoringMP.Pth.PtHAgainstTier1 | Security Monitoring: Possible PtH Attack in Progress against tier 1 | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.ThreatHunt.BatchLogonInUse | Security Monitoring Threat Hunting: Batch Logon in use | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
SecurityMonitoringMP.ThreatHunt.SpecialGroupLogon | Security Monitoring Threat Hunting: Special Group logon event | Microsoft.Windows.Server.OperatingSystem | Alert | True | True

Recoveries (2)

ID | DisplayName | Target | Monitor | Reset Monitor | Category | Enabled | Accessibility
SecurityMonitoringMP.Recovery.BlockPortWindowsFW | Modify Windows Firewall | Microsoft.Windows.Server.OperatingSystem | SecurityMonitoringMP.Event.RepeatedLogonMonitor | False | Custom | false | Public
SecurityMonitoringMP.Recovery.RestartWecSVC | Restart Service | WindowsEventCollectorDiscovery.EventLogCollectorServer | SecurityMonitoringMP.Health.EventCollectorMonitor | True | Custom | true | Public

Monitor Property Overrides (4)

ID | Context | Target
OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2012Full | Microsoft.Windows.Server.6.2.Full.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor
OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2012OS | Microsoft.Windows.Server.6.2.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor
OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2012R2 | Microsoft.Windows.Server.2012.R2.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor
OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2016 | Microsoft.Windows.Server.10.0.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor

Rule Property Overrides (3)

ID | Context | Target
OverrideForRuleSecurityMonitoringEventSeDebugPrivilegeEscalation | Microsoft.SystemCenter.ManagementServer | Security.Monitoring.Event.SeDebugPrivilegeEscalation
OverrideForRuleSecurityMonitoringMP.Pth.PtHAgainstTier1.ServerDCComputer | Microsoft.Windows.Server.DC.Computer | SecurityMonitoringMP.Pth.PtHAgainstTier1
OverrideForRuleSecurityMonitoringMP.Pth.PtHAgainstTier1.SQLComputer | Microsoft.SQLServer.ComputerGroup | SecurityMonitoringMP.Pth.PtHAgainstTier1

Folder Items (4)

ID | FolderName | ElementID
i08b0d1b442c04c8daf4574e19f39c3c9 | SecurityMonitoringMP.Folder.SecurityMonitoring | SecurityMonitoringMP.View.SecurityMonitoringAlerts
i3691038e88044516a67ac5bbc79422c0 | SecurityMonitoringMP.Folder.EventCollectors | SecurityMonitoringMP.View.EventCollectorState
i74a5ba1881174da89a4041962320a070 | SecurityMonitoringMP.Folder.SecurityMonitoring | SecurityMonitoringMP.View.ThreatHuntingAlert
if3e38fad5d3547168a4bca954c52cecb | SecurityMonitoringMP.Folder.EventCollectors | SecurityMonitoringMP.View.EventCollectorAlerts

Folders (2)

ID | DisplayName | ParentFolder | Accessibility
SecurityMonitoringMP.Folder.EventCollectors | Event Collectors | SecurityMonitoringMP.Folder.SecurityMonitoring | Public
SecurityMonitoringMP.Folder.SecurityMonitoring | Security Monitoring | Microsoft.SystemCenter.Monitoring.ViewFolder.Root | Public

Views (4)

ID | DisplayName | Target | Type | Accessibility | Visible
SecurityMonitoringMP.View.EventCollectorAlerts | Event Collector Alerts | WindowsEventCollectorDiscovery.EventLogCollectorServer | Microsoft.SystemCenter.AlertViewType | Public | True
SecurityMonitoringMP.View.EventCollectorState | Event Collector State | WindowsEventCollectorDiscovery.EventLogCollectorServer | Microsoft.SystemCenter.StateViewType | Public | True
SecurityMonitoringMP.View.SecurityMonitoringAlerts | Security Monitoring MP Alerts | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True
SecurityMonitoringMP.View.ThreatHuntingAlert | Threat Hunting | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True

Report Resources (10)

ID | File Name | Accessibility
AlertSummary.ID | Alert Summary_v1.rdl | Internal
BatchLogonReport.ID | Batch Logon Report_v1.2.rdl | Internal
EventCollectionSummary.ID | Event Collection Report_v1.rdl | Internal
FailedLoginDetails.ID | Failed Login Details_v1.rdl | Internal
FailedLoginSummary.ID | Failed Login Summary_v1.rdl | Internal
FailedLoginSummary24.ID | Failed Login Summary (24 hours)_v1.rdl | Internal
LanManConnectionReport.ID | LanMan.rdl | Internal
NTLMv1ConnectionReport.ID | NTLMV1.rdl | Internal
SMBv1ConnectionReport.ID | SMBv1 Connections Report_v1.rdl | Internal
WDigestConnectionReport.ID | Wdigest.rdl | Internal

Reports (10)

ID | DisplayName | Accessibility | Visible
Security.Monitoring.AlertSummary | Alert Summary | Public | True
Security.Monitoring.BatchLogonReport | Batch Logon Report | Public | True
Security.Monitoring.EventCollectionSummary | Event Collection Summary | Public | True
Security.Monitoring.FailedLoginDetails | Failed Login Details | Public | True
Security.Monitoring.FailedLoginSummary | Failed Login Summary | Public | True
Security.Monitoring.FailedLoginSummary24Hours | Failed Login Summary (24 Hours) | Public | True
Security.Monitoring.LanManConnectionReport | LanMan Connection Report | Public | True
Security.Monitoring.NTLMv1ConnectionReport | NTLM Version 1 Connection Report | Public | True
Security.Monitoring.SMBv1ConnectionReport | SMBv1 Connections Report | Public | True
Security.Monitoring.WDigestConnectionReport | WDigest Connection Report | Public | True