| | DisplayName | ID | Target | Category | Enabled | Generates Alert |
|---|---|---|---|---|---|---|
![Security.Monitoring.Collect.SMBv1Connections](/images/Rule.png) | Security Monitoring: Collect SMBv1 Connections | Security.Monitoring.Collect.SMBv1Connections | Microsoft.Windows.Server.OperatingSystem | None | True | False |
![Security.Monitoring.CollectionRule.CollectLAPSEvents](/images/Rule.png) | Security Monitoring: Collect LAPS Events | Security.Monitoring.CollectionRule.CollectLAPSEvents | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False |
![Security.Monitoring.CollectLegacyTLSEvents](/images/Rule.png) | Security Monitoring: Collect Legacy TLS Events | Security.Monitoring.CollectLegacyTLSEvents | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False |
![Security.Monitoring.Event.4688.GenericCryptoRansomWare](/images/Rule.png) | Security Monitoring: Possible Crypto-Ransomware Installed on Computer | Security.Monitoring.Event.4688.GenericCryptoRansomWare | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.ByPassExecutionPolicy](/images/Rule.png) | Security Monitoring: PowerShell script run natively to bypass existing execution policy | Security.Monitoring.Event.ByPassExecutionPolicy | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.InvokeEncodedCommand](/images/Rule.png) | Security Monitoring: PowerShell used to Invoke an Encoded Command | Security.Monitoring.Event.InvokeEncodedCommand | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.InvokeRemoteExpression](/images/Rule.png) | Security Monitoring: PowerShell used to Invoke a Remote Expression | Security.Monitoring.Event.InvokeRemoteExpression | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.KillWindowsDefender](/images/Rule.png) | Security Monitoring: An attempt was made to kill Windows Defender | Security.Monitoring.Event.KillWindowsDefender | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.PowerShellRuninMemoryOnly](/images/Rule.png) | Security Monitoring: PowerShell Running Only in Memory | Security.Monitoring.Event.PowerShellRuninMemoryOnly | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.RemoteRegSvr32](/images/Rule.png) | Security Monitoring: RegSvr32 used to load a DLL that is not located on this machine | Security.Monitoring.Event.RemoteRegSvr32 | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.SeDebugPrivilegeEscalation](/images/Rule.png) | Security Monitoring: SeDebugPrivilege Escalation Detected | Security.Monitoring.Event.SeDebugPrivilegeEscalation | Microsoft.Windows.OperatingSystem | Alert | False | True |
![Security.Monitoring.Event.WMIPersistence](/images/Rule.png) | Security Monitoring: Possible WMI Persistence Event Detected | Security.Monitoring.Event.WMIPersistence | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.WMIRemote.Destination](/images/Rule.png) | Security Monitoring: Possible WMI Remote Attempt Made To this System | Security.Monitoring.Event.WMIRemote.Destination | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.Event.WMIRemote.Source](/images/Rule.png) | Security Monitoring: Possible WMI Remote Attempt Made From this System | Security.Monitoring.Event.WMIRemote.Source | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.EventCollection.LanMan](/images/Rule.png) | Security Monitoring: Collect LANMAN Authentication | Security.Monitoring.EventCollection.LanMan | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False |
![Security.Monitoring.EventCollection.NTLMV1](/images/Rule.png) | Security Monitoring: Collect NTLMV1 Events | Security.Monitoring.EventCollection.NTLMV1 | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False |
![Security.Monitoring.EventCollection.WdigestAuthentication](/images/Rule.png) | Security Monitoring: Collect WDigest Authentication Events | Security.Monitoring.EventCollection.WdigestAuthentication | Microsoft.Windows.Server.DC.Computer | EventCollection | True | False |
![Security.Monitoring.ExecutableRunFromUserWriteableDirectory](/images/Rule.png) | Security Monitoring: Executable Run from User Writeable Windows Directory | Security.Monitoring.ExecutableRunFromUserWriteableDirectory | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.ExecutableRuninWriteableDirectoriesExtended](/images/Rule.png) | Security Monitoring: Executable Run from User Writeable Windows Directory Extended | Security.Monitoring.ExecutableRuninWriteableDirectoriesExtended | Security.Monitoring.WriteableLocations | Alert | True | True |
![Security.Monitoring.ForwardedEvents.4688.GenericCryptoRansomWare](/images/Rule.png) | Security Monitoring Forwarded Events: Possible Crypto-Ransomware Installed on Computer | Security.Monitoring.ForwardedEvents.4688.GenericCryptoRansomWare | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.ByPassExecutionPolicy](/images/Rule.png) | Security Monitoring Forwarded Events: PowerShell script run natively to bypass existing execution policy | Security.Monitoring.ForwardedEvents.ByPassExecutionPolicy | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.CollectLAPSEvents](/images/Rule.png) | Security Monitoring Forwarded Events: Collect LAPS Events | Security.Monitoring.ForwardedEvents.CollectLAPSEvents | WindowsEventCollectorDiscovery.EventLogCollectorServer | EventCollection | True | False |
![Security.Monitoring.ForwardedEvents.DebugEscalation](/images/Rule.png) | Security Monitoring Forwarded Events: SeDebug Privilege Escalation Detected | Security.Monitoring.ForwardedEvents.DebugEscalation | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.ExecutableRunFromUserWriteableDirectory](/images/Rule.png) | Security Monitoring Forwarded Events: Executable Run from User Writeable Windows Directory | Security.Monitoring.ForwardedEvents.ExecutableRunFromUserWriteableDirectory | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.FindAVSignature](/images/Rule.png) | Security Monitoring Forwarded Events: PowerSploit FindAV Signature Tool is in Use | Security.Monitoring.ForwardedEvents.FindAVSignature | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.GetDLLLoadPath](/images/Rule.png) | Security Monitoring Forwarded Events: PowerSploit Get DLL Load Path is in Use | Security.Monitoring.ForwardedEvents.GetDLLLoadPath | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.GetHTTPStatus](/images/Rule.png) | Security Monitoring Forwarded Events: PowerSploit HTTP Path Discovery Tool is in Use | Security.Monitoring.ForwardedEvents.GetHTTPStatus | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.GetKeystroke](/images/Rule.png) | Security Monitoring Forwarded Events: PowerSploit Key Stroke Logger in Use | Security.Monitoring.ForwardedEvents.GetKeystroke | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.InvokeDLLInjection](/images/Rule.png) | Security Monitoring Forwarded Events: PowerSploit Invoke DLL Injection Command in Use | Security.Monitoring.ForwardedEvents.InvokeDLLInjection | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.InvokeEncodedCommand](/images/Rule.png) | Security Monitoring Forwarded Events: PowerShell used to Invoke an Encoded Command | Security.Monitoring.ForwardedEvents.InvokeEncodedCommand | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.InvokeMimikatz](/images/Rule.png) | Security Monitoring Forwarded Events: Invoke-Mimikatz Detected in Tier 0 Environment | Security.Monitoring.ForwardedEvents.InvokeMimikatz | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.InvokeNinjaCopy](/images/Rule.png) | Security Monitoring Forwarded Events: Invoke Ninja Copy is in Use | Security.Monitoring.ForwardedEvents.InvokeNinjaCopy | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.InvokePortScan](/images/Rule.png) | Security Monitoring Forwarded Events: Invoke Portscan is in Use | Security.Monitoring.ForwardedEvents.InvokePortScan | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.InvokeRemoteExpression](/images/Rule.png) | Security Monitoring Forwarded Events: PowerShell used to Invoke a Remote Expression | Security.Monitoring.ForwardedEvents.InvokeRemoteExpression | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.InvokeShellCodeInUse](/images/Rule.png) | Security Monitoring: Invoke ShellCode is in Use | Security.Monitoring.ForwardedEvents.InvokeShellCodeInUse | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.KillWindowsDefender](/images/Rule.png) | Security Monitoring Forwarded Events: An attempt was made to kill Windows Defender | Security.Monitoring.ForwardedEvents.KillWindowsDefender | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.PowerShellRuninMemoryOnly](/images/Rule.png) | Security Monitoring Forwarded Events: PowerShell Running Only in Memory | Security.Monitoring.ForwardedEvents.PowerShellRuninMemoryOnly | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.PowerShellStartHiddenProcess](/images/Rule.png) | Security Monitoring Forwarded Events: Hidden Process Starting Using PowerShell | Security.Monitoring.ForwardedEvents.PowerShellStartHiddenProcess | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.ForwardedEvents.RemoteRegSvr32](/images/Rule.png) | Security Monitoring Forwarded Events: RegSvr32 used to load a DLL that is not located on this machine | Security.Monitoring.ForwardedEvents.RemoteRegSvr32 | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![Security.Monitoring.PowerShellLog.FindAVSignature](/images/Rule.png) | Security Monitoring: PowerSploit FindAV Signature Tool is in Use | Security.Monitoring.PowerShellLog.FindAVSignature | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.GetDLLLoadPath](/images/Rule.png) | Security Monitoring: PowerSploit Get DLL Load Path is in Use | Security.Monitoring.PowerShellLog.GetDLLLoadPath | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.GetHTTPStatus](/images/Rule.png) | Security Monitoring: PowerSploit HTTP Path Discovery Tool is in Use | Security.Monitoring.PowerShellLog.GetHTTPStatus | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.GetKeystroke](/images/Rule.png) | Security Monitoring: PowerSploit Key Stroke Logger in Use | Security.Monitoring.PowerShellLog.GetKeystroke | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.InvokeDLLInjection](/images/Rule.png) | Security Monitoring: PowerSploit Invoke DLL Injection Command in Use | Security.Monitoring.PowerShellLog.InvokeDLLInjection | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.InvokeMimikatzInUse](/images/Rule.png) | Security Monitoring: Invoke-Mimikatz is in Use | Security.Monitoring.PowerShellLog.InvokeMimikatzInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.InvokeNinjaCopy](/images/Rule.png) | Security Monitoring: Invoke Ninja Copy is in Use | Security.Monitoring.PowerShellLog.InvokeNinjaCopy | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.InvokePortScan](/images/Rule.png) | Security Monitoring: Invoke Portscan is in Use | Security.Monitoring.PowerShellLog.InvokePortScan | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.InvokeShellCodeInUse](/images/Rule.png) | Security Monitoring: Invoke ShellCode in Use | Security.Monitoring.PowerShellLog.InvokeShellCodeInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.PowerShellLog.PowerShellStartHiddenProcess](/images/Rule.png) | Security Monitoring: Hidden Process Starting Using PowerShell | Security.Monitoring.PowerShellLog.PowerShellStartHiddenProcess | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.SecurityMonitoring.Event.DCOUModify](/images/Rule.png) | Security Monitoring: Modification has been made to the DC OU | Security.Monitoring.SecurityMonitoring.Event.DCOUModify | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![Security.Monitoring.SecurityMonitoring.Event.GPOCreation](/images/Rule.png) | Security Monitoring: A GPO was Created | Security.Monitoring.SecurityMonitoring.Event.GPOCreation | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![Security.Monitoring.SecurityMonitoring.Event.GPODeletionRule](/images/Rule.png) | Security Monitoring: A GPO was Deleted | Security.Monitoring.SecurityMonitoring.Event.GPODeletionRule | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![Security.Monitoring.SecurityMonitoring.Event.ScheduledTaskCreatedOnServer](/images/Rule.png) | Security Monitoring: A Scheduled Task Was Created On Server | Security.Monitoring.SecurityMonitoring.Event.ScheduledTaskCreatedOnServer | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![Security.Monitoring.SecurityMonitoring.Event.ServiceCreatedonDC](/images/Rule.png) | Security Monitoring: A service was Created on a Domain Controller | Security.Monitoring.SecurityMonitoring.Event.ServiceCreatedonDC | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![SecurityMonitoring.Event.FailedLogin](/images/Rule.png) | Security Monitoring: Failed RDP Logon | SecurityMonitoring.Event.FailedLogin | Microsoft.Windows.Server.OperatingSystem | Custom | False | True |
![SecurityMonitoring.Failed.Login.Attempts.Collection](/images/Rule.png) | Collect Failed Login Attempts | SecurityMonitoring.Failed.Login.Attempts.Collection | Microsoft.Windows.Computer | EventCollection | True | False |
![SecurityMonitoringMP.Accounts.DomainAdminChange](/images/Rule.png) | Security Monitoring: Domain Admins membership has changed | SecurityMonitoringMP.Accounts.DomainAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![SecurityMonitoringMP.Accounts.EnterpriseAdminChange](/images/Rule.png) | Security Monitoring: Enterprise Admins membership has changed | SecurityMonitoringMP.Accounts.EnterpriseAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![SecurityMonitoringMP.Accounts.LocalAdminChange](/images/Rule.png) | Security Monitoring: Local Administrators Group was Modified | SecurityMonitoringMP.Accounts.LocalAdminChange | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Accounts.SchemaAdminChange](/images/Rule.png) | Security Monitoring: Schema Admins membership has changed | SecurityMonitoringMP.Accounts.SchemaAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![SecurityMonitoringMP.APPLocker.Mimikatz](/images/Rule.png) | Security Monitoring: Mimikatz in use | SecurityMonitoringMP.APPLocker.Mimikatz | Microsoft.Windows.Computer | Alert | False | True |
![SecurityMonitoringMP.APPLocker.ProhibitedApp](/images/Rule.png) | Security Monitoring: Prohibited App in Use | SecurityMonitoringMP.APPLocker.ProhibitedApp | Microsoft.Windows.Computer | Alert | True | True |
![SecurityMonitoringMP.APPLocker.PSExec](/images/Rule.png) | Security Monitoring: PSEXEC in Use | SecurityMonitoringMP.APPLocker.PSExec | Microsoft.Windows.Computer | Alert | False | True |
![SecurityMonitoringMP.APPLocker.WCE](/images/Rule.png) | Security Monitoring: WCE in Use | SecurityMonitoringMP.APPLocker.WCE | Microsoft.Windows.Computer | Alert | False | True |
![SecurityMonitoringMP.APPLocker.WinRar](/images/Rule.png) | Security Monitoring: WinRar in use | SecurityMonitoringMP.APPLocker.WinRar | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava](/images/Rule.png) | Security Monitoring: A suspicious process creation (AppLocker bypass) was executed | SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr](/images/Rule.png) | Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was executed | SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.4688.SuspiciousCMD](/images/Rule.png) | Security Monitoring: A suspicious process creation (cmd) was executed | SecurityMonitoringMP.Event.4688.SuspiciousCMD | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand](/images/Rule.png) | Security Monitoring: A suspicious process creation (FTP script execution via echo command) was executed | SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.4688.SuspiciousReg](/images/Rule.png) | Security Monitoring: A suspicious process creation (registry) was executed | SecurityMonitoringMP.Event.4688.SuspiciousReg | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition](/images/Rule.png) | Security Monitoring: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.GoldenTicketDetection](/images/Rule.png) | Security Monitoring: Possible Golden Ticket in Use | SecurityMonitoringMP.Event.GoldenTicketDetection | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![SecurityMonitoringMP.Event.LocalAccountCreatedonServer](/images/Rule.png) | Security Monitoring: Local account created on a member server | SecurityMonitoringMP.Event.LocalAccountCreatedonServer | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.SecurityLogCleared](/images/Rule.png) | Security Monitoring: Security Log was cleared | SecurityMonitoringMP.Event.SecurityLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.ServiceCreatedonMemberServer](/images/Rule.png) | Security Monitoring: A service was created on a member server | SecurityMonitoringMP.Event.ServiceCreatedonMemberServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.Event.ServiceKnownThreat](/images/Rule.png) | Security Monitoring: Service associated with a known threat was created on a member server | SecurityMonitoringMP.Event.ServiceKnownThreat | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.SmartCardDisabled](/images/Rule.png) | Security Monitoring: A Smart Card has been Disabled to Allow for Interactive Logon | SecurityMonitoringMP.Event.SmartCardDisabled | Microsoft.Windows.Server.DC.Computer | Alert | True | True |
![SecurityMonitoringMP.Event.SoftwareInstallOnServer](/images/Rule.png) | Security Monitoring: Software was Installed on a Server | SecurityMonitoringMP.Event.SoftwareInstallOnServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.Event.SoftwareRemovedFromServer](/images/Rule.png) | Security Monitoring: Software was Removed from a Server | SecurityMonitoringMP.Event.SoftwareRemovedFromServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.Event.SystemLogCleared](/images/Rule.png) | Security Monitoring: The system Log was cleared | SecurityMonitoringMP.Event.SystemLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Event.SystemPoweredOff](/images/Rule.png) | Security Monitoring: A system has been powered off | SecurityMonitoringMP.Event.SystemPoweredOff | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.Event.SystemRestarted](/images/Rule.png) | Security Monitoring: A system was restarted | SecurityMonitoringMP.Event.SystemRestarted | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.Event.UnexpectedShutdown](/images/Rule.png) | Security Monitoring: Unexpected System Shutdown | SecurityMonitoringMP.Event.UnexpectedShutdown | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.EventCollection.4672](/images/Rule.png) | Security Monitoring Collection: Event ID 4672 | SecurityMonitoringMP.EventCollection.4672 | Microsoft.Windows.Server.OperatingSystem | EventCollection | False | False |
![SecurityMonitoringMP.EventCollection.BatchLogon](/images/Rule.png) | Security Monitoring Collection: Event ID 4624 Logon Type 4 | SecurityMonitoringMP.EventCollection.BatchLogon | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False |
![SecurityMonitoringMP.EventCollection.GoldenTicket](/images/Rule.png) | Security Monitoring Event Collection: Event ID 4769 result 0x1F | SecurityMonitoringMP.EventCollection.GoldenTicket | Microsoft.Windows.Server.DC.Computer | EventCollection | True | False |
![SecurityMonitoringMP.EventCollection.SpecialGroupLogon](/images/Rule.png) | Security Monitoring Collection: Event ID 4694 | SecurityMonitoringMP.EventCollection.SpecialGroupLogon | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False |
![SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJava](/images/Rule.png) | Security Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJava | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr](/images/Rule.png) | Security Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass using regsvr32) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD](/images/Rule.png) | Security Monitoring Forwarded Events: A suspicious process creation (cmd) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommand](/images/Rule.png) | Security Monitoring Forwarded Events: A suspicious process creation (FTP script execution via echo command) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommand | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousReg](/images/Rule.png) | Security Monitoring Forwarded Events: A suspicious process creation (registry) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousReg | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPosition](/images/Rule.png) | Security Monitoring Forwarded Events: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPosition | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.CredentialSwap](/images/Rule.png) | Security Monitoring Forwarded Events: Potential Credential Swap in Progress | SecurityMonitoringMP.ForwardedEvents.CredentialSwap | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeleted](/images/Rule.png) | Security Monitoring Forwarded Events: Local User Created or Deleted in Administrator Security Group | SecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeleted | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.ProhibitedApp](/images/Rule.png) | Security Monitoring Forwarded Events: Prohibited App in Use | SecurityMonitoringMP.ForwardedEvents.ProhibitedApp | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.PtHTier2](/images/Rule.png) | Security Monitoring Forwarded Events: Possible PtH Attack in Progress Against Tier 2 | SecurityMonitoringMP.ForwardedEvents.PtHTier2 | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | False | True |
![SecurityMonitoringMP.ForwardedEvents.SecurityLogCleared](/images/Rule.png) | Security Monitoring Forwarded Events: Security log cleared on a server configured to forward events | SecurityMonitoringMP.ForwardedEvents.SecurityLogCleared | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.ServiceCreation](/images/Rule.png) | Security Monitoring Forwarded Events: Service Created on system | SecurityMonitoringMP.ForwardedEvents.ServiceCreation | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | False | True |
![SecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreats](/images/Rule.png) | Security Monitoring Forwarded Events: Service associated with a known threat was created on a forwarding computer | SecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreats | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.SpecialGroupLogon](/images/Rule.png) | Security Monitoring Forwarded Events: Special Group logon event | SecurityMonitoringMP.ForwardedEvents.SpecialGroupLogon | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.ForwardedEvents.SystemLogCleared](/images/Rule.png) | Security Monitoring Forwarded Events: System Log was Cleared | SecurityMonitoringMP.ForwardedEvents.SystemLogCleared | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True |
![SecurityMonitoringMP.GPOMonitoring.EventAndScript.Rule](/images/Rule.png) | GPO Change Event then run correlation script Rule | SecurityMonitoringMP.GPOMonitoring.EventAndScript.Rule | Microsoft.Windows.Server.DC.Computer | Custom | True | True |
![SecurityMonitoringMP.Pth.CredentialSwap](/images/Rule.png) | Security Monitoring: Potential Credential Swap in Progress | SecurityMonitoringMP.Pth.CredentialSwap | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |
![SecurityMonitoringMP.Pth.PtHAgainstDC](/images/Rule.png) | Security Monitoring: Possible PtH attack in progress (successful) against DC | SecurityMonitoringMP.Pth.PtHAgainstDC | Microsoft.Windows.Server.DC.Computer | Alert | False | True |
![SecurityMonitoringMP.Pth.PtHAgainstTier1](/images/Rule.png) | Security Monitoring: Possible PtH Attack in Progress against tier 1 | SecurityMonitoringMP.Pth.PtHAgainstTier1 | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.ThreatHunt.BatchLogonInUse](/images/Rule.png) | Security Monitoring Threat Hunting: Batch Logon in use | SecurityMonitoringMP.ThreatHunt.BatchLogonInUse | Microsoft.Windows.Server.OperatingSystem | Alert | False | True |
![SecurityMonitoringMP.ThreatHunt.SpecialGroupLogon](/images/Rule.png) | Security Monitoring Threat Hunting: Special Group logon event | SecurityMonitoringMP.ThreatHunt.SpecialGroupLogon | Microsoft.Windows.Server.OperatingSystem | Alert | True | True |