Security Monitoring

Security.Monitoring :: 1.0.7.1 (Management Pack)


All documentation can be found at the following page:
https://nathangau.wordpress.com/2017/05/01/introducing-the-security-monitoring-management-pack-for-scom/

Management Pack Elements

Classes (7)

Display Name | ID | Base Class | Abstract | Hosted | Singleton | Group | Extension | Accessibility
Security Monitoring: Administrative Accounts Class | Security.Monitoring.AdminAccounts | Microsoft.Windows.ApplicationComponent | False | False | False | False | False | Internal
Security Monitoring Configuration | Security.Monitoring.SecurityMonitoringDA | Microsoft.SystemCenter.ServiceDesigner.Service | False | False | False | False | False | Public
Security Monitoring Configuration Domain Controllers | Security.Monitoring.SecurityMonitoringDA.DomainControllers | Microsoft.SystemCenter.ServiceDesigner.ServiceComponentGroup | False | False | False | False | False | Public
Security Monitoring Configuration Member Servers | Security.Monitoring.SecurityMonitoringDA.MemberServers | Microsoft.SystemCenter.ServiceDesigner.ServiceComponentGroup | False | False | False | False | False | Public
Security Monitoring: Extended Writeable Directory Monitoring Group | Security.Monitoring.WindowsComputersExtendedWriteableDirectoryMonitoring | Microsoft.SystemCenter.ComputerGroup | False | False | True | True | False | Public
Security Monitoring: OS User Writeable Locations | Security.Monitoring.WriteableLocations | Microsoft.Windows.LocalApplication | False | True | False | False | False | Internal
Security Monitoring: User Writeable Directories Seed Class | Security.Monitoring.WriteableLocationsSeedClass | Microsoft.Windows.Server.Computer | False | False | False | False | False | Internal

Relationship Types (4)

Display Name | ID | Source | Target | Accessibility | Abstract
Security Monitoring DA Relationships | Security.Monitoring.SecurityMonitoringDARelationships | Security.Monitoring.SecurityMonitoringDA | Security.Monitoring.SecurityMonitoringDA.DomainControllers | Internal | False
Security Monitoring DA Relationship for Domain Controller Class | Security.Monitoring.SecurityMonitoringDARelationshipsForDCs | Security.Monitoring.SecurityMonitoringDA.DomainControllers | Microsoft.Windows.Server.DC.Computer | Internal | False
Security Monitoring DA Relationships for Member Servers | Security.Monitoring.SecurityMonitoringDARelationshipsForMemberServers | Security.Monitoring.SecurityMonitoringDA.MemberServers | Microsoft.Windows.Computer | Internal | False
Security Monitoring DA Relationship for OS Class | Security.Monitoring.SecurityMonitoringDARelationshipsforMS | Security.Monitoring.SecurityMonitoringDA | Security.Monitoring.SecurityMonitoringDA.MemberServers | Internal | False

DataSource Modules (18)

Display Name | ID | Isolation | Accessibility
GPO Change Event then run correlation script DS | SecurityMonitoringMP.GPOMonitoring.Event.DS | Any | Public
Security.Monitoring.AuditPol.DS | Security.Monitoring.AuditPol.DS | Any | Public
Security.Monitoring.DistributedApplication.DataSource | Security.Monitoring.DistributedApplication.DataSource | Any | Public
Security.Monitoring.DistributedApplicationMS.DataSource | Security.Monitoring.DistributedApplicationMS.DataSource | Any | Public
Security.Monitoring.MultiStringRegistry.DS | Security.Monitoring.MultiStringRegistry.DS | Any | Internal
Security.Monitoring.SMBv1Connections.DS | Security.Monitoring.SMBv1Connections.DS | Any | Internal
SecurityMonitoring.Event.RepeatedFailedLogind.DS | SecurityMonitoring.Event.RepeatedFailedLogind.DS | Any | Public
SecurityMonitoringMP.4688CommandAudit.DS | SecurityMonitoringMP.4688CommandAudit.DS | Any | Internal
SecurityMonitoringMP.DCServiceCreation.DS | SecurityMonitoringMP.DCServiceCreation.DS | Any | Public
SecurityMonitoringMP.Discoveries.DiscoverWriteableFileLocations | SecurityMonitoringMP.Discoveries.DiscoverWriteableFileLocations | Any | Public
SecurityMonitoringMP.GPOMonitoring.GPOEvent.DS | SecurityMonitoringMP.GPOMonitoring.GPOEvent.DS | Any | Public
SecurityMonitoringMP.LocalAccountChange.DS | SecurityMonitoringMP.LocalAccountChange.DS | Any | Public
SecurityMonitoringMP.Modules.SecurityLogClear.DS | SecurityMonitoringMP.Modules.SecurityLogClear.DS | Any | Public
SecurityMonitoringMP.Modules.SystemLogClear.DS | SecurityMonitoringMP.Modules.SystemLogClear.DS | Any | Public
SecurityMonitoringMP.ScheduledTaskCreation.DS | SecurityMonitoringMP.ScheduledTaskCreation.DS | Any | Public
SecurityMonitoringMP.SuspiciousUserContext.DS | SecurityMonitoringMP.SuspiciousUserContext.DS | Any | Internal
SecurityMonitoringMP.WriteableDirectories.DS | SecurityMonitoringMP.WriteableDirectories.DS | Any | Internal
SecurityMonitoringMP.WriteableDirectoriesExtended.DS | SecurityMonitoringMP.WriteableDirectoriesExtended.DS | Any | Internal

ProbeAction Modules (4)

ID | Isolation | Accessibility
Security.Monitoring.AuditPol.PowerShell | Any | Internal
Security.Monitoring.MultiStringRegistry.PowerShell | Any | Internal
Security.Monitoring.SMBv1Connections.PowerShell | Any | Internal
SecurityMonitoringMP.GPOMonitoring.ProbeActionModule.GPOCorrelationScript | Any | Public

Unit Monitor Types (7)

Display Name | ID | Accessibility | Support Monitor Recalculate
Check Existence of RegKey Monitor Type | SecurityMonitoringMP.RegValueExistsMonitorType | Internal | False
Check value of registry key | SecurityMonitoringMP.RegValueMonitorType | Internal | False
CheckRegValue | CheckRegValue | Internal | False
CheckRegValueString | CheckRegValueString | Internal | False
MultiStringRegMonitorType | MultiStringRegMonitorType | Internal | False
Security.Monitoring.AuditPolMonitorType | Security.Monitoring.AuditPolMonitorType | Public | False
SecurityMonitoringMP.CommandLineAuditSetting | SecurityMonitoringMP.CommandLineAuditSetting | Internal | False

Discoveries (6)

Display Name | ID | Target | Enabled
Security Monitoring: Discover Admin Accounts | Security.Monitoring.AdminAccountDiscovery | Microsoft.Windows.Computer | False
Security Monitoring: Distributed App DC Discovery | Security.Monitoring.DA.DCDiscovery | Microsoft.Windows.Server.DC.Computer | True
Security Monitoring: Distributed App MemberServer Discovery | Security.Monitoring.DA.MSDiscovery | Microsoft.Windows.Computer | True
Security Monitoring: User Writeable Directories Seed Class | Security.Monitoring.Discoveries.UserWriteableLocationSeed | Microsoft.Windows.Computer | True
Security Monitoring: Discover Writeable File Locations | Security.Monitoring.DiscoverWriteableFileLocations | Security.Monitoring.WriteableLocationsSeedClass | True
Security Monitoring: Populate Extended Writeable Directory Monitoring Group | Security.Monitoring.PopulateExtendedWriteableDirectoryComputerGroup | Security.Monitoring.WindowsComputersExtendedWriteableDirectoryMonitoring | True

Aggregate Monitors (2)

Display Name | ID | Target | Algorithm | Category | Enabled | Alert Generate | Accessibility
Security Monitoring Domain Controller Auditing Settings | Security.Monitoring.DCAuditSettings | Security.Monitoring.SecurityMonitoringDA.DomainControllers | WorstOf | ConfigurationHealth | True | False | Public
Security Monitoring Member Server Auditing Settings | Security.Monitoring.MemberServerAuditSettings | Security.Monitoring.SecurityMonitoringDA.MemberServers | WorstOf | AvailabilityHealth | True | False | Public

Dependency Monitors (11)

Display Name | ID | Target | Algorithm | Source Monitor | Relationship | Category | Enabled | Alert Generate | Accessibility
Security Monitoring: Logon/Logoff Setting on Domain Controllers | Security.Monitoring.AccountLogonForDC | Security.Monitoring.SecurityMonitoringDA.DomainControllers | WorstOf | Security.Monitoring.AuditAccountLogonDC | Security.Monitoring.SecurityMonitoringDARelationshipsForDCs | AvailabilityHealth | True | False | Internal
Security Monitoring: Logon/Logoff Setting on Member Servers | Security.Monitoring.AccountLogonForMS | Security.Monitoring.SecurityMonitoringDA.MemberServers | WorstOf | Security.Monitoring.AuditAccountLogonMS | Security.Monitoring.SecurityMonitoringDARelationshipsForMemberServers | AvailabilityHealth | True | False | Internal
Security Monitoring: Process Auditing Setting on Domain Controllers | Security.Monitoring.DCConfigGroupRollup | Security.Monitoring.SecurityMonitoringDA.DomainControllers | WorstOf | Security.Monitoring.SecurityAudit.ProcessCreationDC | Security.Monitoring.SecurityMonitoringDARelationshipsForDCs | ConfigurationHealth | True | False | Public
Security Monitoring: Directory Service Changes Setting on Domain Controllers | Security.Monitoring.DCDirectoryServicesAudit | Security.Monitoring.SecurityMonitoringDA.DomainControllers | WorstOf | Security.Monitoring.DirectoryServiceChangeAuditing | Security.Monitoring.SecurityMonitoringDARelationshipsForDCs | AvailabilityHealth | True | False | Internal
Security Monitoring: Include Command Line in Audit Process Set on DC | Security.Monitoring.IncludeCommandLineonDCs | Security.Monitoring.SecurityMonitoringDA.DomainControllers | WorstOf | Security.Monitoring.IncludeCommandLineProcessCreationonDCs | Security.Monitoring.SecurityMonitoringDARelationshipsForDCs | ConfigurationHealth | True | False | Internal
Security Monitoring: Include Command Line in Audit Process Set on Member Servers | Security.Monitoring.IncludeCommandLineonMS | Security.Monitoring.SecurityMonitoringDA.MemberServers | WorstOf | Security.Monitoring.IncludeCommandLineProcessCreationonMS | Security.Monitoring.SecurityMonitoringDARelationshipsForMemberServers | ConfigurationHealth | True | False | Internal
Security Monitoring: Process Auditing Setting on Member Servers | Security.Monitoring.MemberServerProcessCreation | Security.Monitoring.SecurityMonitoringDA.MemberServers | WorstOf | Security.Monitoring.ProcessCreationMemberServer | Security.Monitoring.SecurityMonitoringDARelationshipsForMemberServers | AvailabilityHealth | True | False | Internal
Security Monitoring: Security Group Management Audit Setting on Domain Controllers | Security.Monitoring.SecurityGroupManagementforDC | Security.Monitoring.SecurityMonitoringDA.DomainControllers | WorstOf | Security.Monitoring.SGManagementDC | Security.Monitoring.SecurityMonitoringDARelationshipsForDCs | AvailabilityHealth | True | False | Internal
Security Monitoring: Special Group Logon Setting on Domain Controllers | Security.Monitoring.SpecialGroupLogonDC | Security.Monitoring.SecurityMonitoringDA.DomainControllers | WorstOf | Security.Monitoring.SpecialGroupLogonAuditingEnabledonDC | Security.Monitoring.SecurityMonitoringDARelationshipsForDCs | AvailabilityHealth | True | False | Internal
Security Monitoring: Special Group Logon Setting on Member Servers | Security.Monitoring.SpecialGroupLogonMS | Security.Monitoring.SecurityMonitoringDA.MemberServers | WorstOf | Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers | Security.Monitoring.SecurityMonitoringDARelationshipsForMemberServers | AvailabilityHealth | True | False | Internal
Security Monitoring: User Account Management Audit Setting on Member Servers | Security.Monitoring.UserAcctforMS | Security.Monitoring.SecurityMonitoringDA.MemberServers | WorstOf | Security.Monitoring.UserAccountMgmtMS | Security.Monitoring.SecurityMonitoringDARelationshipsForMemberServers | AvailabilityHealth | True | False | Internal

Unit Monitors (17)

Display Name | ID | Target | Category | Enabled | Alert Generate | Accessibility
Security Monitoring: Account Logon Monitoring not Set on DCs | Security.Monitoring.AuditAccountLogonDC | Microsoft.Windows.Server.DC.Computer | AvailabilityHealth | True | False | Internal
Security Monitoring: Account Logon Monitoring not Set on Member Servers | Security.Monitoring.AuditAccountLogonMS | Microsoft.Windows.Computer | AvailabilityHealth | False | False | Internal
Security Monitoring: Directory Service Change Monitoring not Set on DCs | Security.Monitoring.DirectoryServiceChangeAuditing | Microsoft.Windows.Server.DC.Computer | ConfigurationHealth | True | False | Internal
Security Monitoring: Include Command Line for Process Auditing Setting on DCs | Security.Monitoring.IncludeCommandLineProcessCreationonDCs | Microsoft.Windows.Server.DC.Computer | AvailabilityHealth | True | False | Internal
Security Monitoring: Include Command Line for Process Auditing Setting on Member Servers | Security.Monitoring.IncludeCommandLineProcessCreationonMS | Microsoft.Windows.Computer | AvailabilityHealth | False | False | Internal
Security Monitoring: Check Authentication Packages Registry Key | Security.Monitoring.Monitors.AuthenticationPackages | Microsoft.Windows.Server.OperatingSystem | AvailabilityHealth | True | True | Internal
Security Monitoring: Process Creation Setting for Member Servers | Security.Monitoring.ProcessCreationMemberServer | Microsoft.Windows.Computer | AvailabilityHealth | False | False | Public
Security Monitoring: Audit Process Creation Set on DC | Security.Monitoring.SecurityAudit.ProcessCreationDC | Microsoft.Windows.Server.DC.Computer | ConfigurationHealth | True | False | Public
Security Monitoring: Security Group Management Audit not Set on DCs | Security.Monitoring.SGManagementDC | Microsoft.Windows.Server.DC.Computer | AvailabilityHealth | True | False | Internal
Security Monitoring: Domain Controller Special Group Logon | Security.Monitoring.SpecialGroupLogonAuditingEnabledonDC | Microsoft.Windows.Server.DC.Computer | AvailabilityHealth | True | False | Internal
Security Monitoring: Member Server Special Group Logon | Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers | Microsoft.Windows.Computer | AvailabilityHealth | False | False | Internal
Security Monitoring: User Account Management Audit Setting not Set on Member Servers | Security.Monitoring.UserAccountMgmtMS | Microsoft.Windows.Computer | AvailabilityHealth | False | False | Internal
Security Monitoring: Repeated RDP Logon Failures | SecurityMonitoringMP.Event.RepeatedLogonMonitor | Microsoft.Windows.Server.OperatingSystem | Custom | True | False | Public
A System - Is Pending Restart | SecurityMonitoringMP.Event.SystemPendingRestart | Microsoft.Windows.Server.OperatingSystem | Custom | False | True | Public
Security Monitoring: Event Log Collector Service is stopped | SecurityMonitoringMP.Health.EventCollectorMonitor | WindowsEventCollectorDiscovery.EventLogCollectorServer | Custom | True | True | Public
Security Monitoring: UseLogonCredential key does not exist | SecurityMonitoringMP.UseLogonCredentialExistsMonitor | Microsoft.Windows.Server.OperatingSystem | Custom | False | True | Internal
Security Monitoring: Wdigest passwords stored in clear text | SecurityMonitoringMP.WDigestRegConfiguredMonitor | Microsoft.Windows.Server.OperatingSystem | Custom | True | True | Internal

Rules (111)

Display Name | ID | Target | Category | Enabled | Alert Generate
Security Monitoring: Collect SMBv1 Connections | Security.Monitoring.Collect.SMBv1Connections | Microsoft.Windows.Server.OperatingSystem | None | True | False
Security Monitoring: Collect LAPS Events | Security.Monitoring.CollectionRule.CollectLAPSEvents | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
Security Monitoring: Collect Legacy TLS Events | Security.Monitoring.CollectLegacyTLSEvents | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
Security Monitoring: Possible Crypto-Ransomware Installed on Computer | Security.Monitoring.Event.4688.GenericCryptoRansomWare | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: PowerShell script run natively to bypass existing execution policy | Security.Monitoring.Event.ByPassExecutionPolicy | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: PowerShell used to Invoke an Encoded Command | Security.Monitoring.Event.InvokeEncodedCommand | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: PowerShell used to Invoke a Remote Expression | Security.Monitoring.Event.InvokeRemoteExpression | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: An attempt was made to kill Windows Defender | Security.Monitoring.Event.KillWindowsDefender | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: PowerShell Running Only in Memory | Security.Monitoring.Event.PowerShellRuninMemoryOnly | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: RegSvr32 used to load a DLL that is not located on this machine | Security.Monitoring.Event.RemoteRegSvr32 | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: SeDebugPrivilege Escalation Detected | Security.Monitoring.Event.SeDebugPrivilegeEscalation | Microsoft.Windows.OperatingSystem | Alert | False | True
Security Monitoring: Possible WMI Persistence Event Detected | Security.Monitoring.Event.WMIPersistence | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Possible WMI Remote Attempt Made To this System | Security.Monitoring.Event.WMIRemote.Destination | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Possible WMI Remote Attempt Made From this System | Security.Monitoring.Event.WMIRemote.Source | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Collect LANMAN Authentication | Security.Monitoring.EventCollection.LanMan | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
Security Monitoring: Collect NTLMV1 Events | Security.Monitoring.EventCollection.NTLMV1 | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | False
Security Monitoring: Collect WDigest Authentication Events | Security.Monitoring.EventCollection.WdigestAuthentication | Microsoft.Windows.Server.DC.Computer | EventCollection | True | False
Security Monitoring: Executable Run from User Writeable Windows Directory | Security.Monitoring.ExecutableRunFromUserWriteableDirectory | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Executable Run from User Writeable Windows Directory Extended | Security.Monitoring.ExecutableRuninWriteableDirectoriesExtended | Security.Monitoring.WriteableLocations | Alert | True | True
Security Monitoring Forwarded Events: Possible Crypto-Ransomware Installed on Computer | Security.Monitoring.ForwardedEvents.4688.GenericCryptoRansomWare | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: PowerShell script run natively to bypass existing execution policy | Security.Monitoring.ForwardedEvents.ByPassExecutionPolicy | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: Collect LAPS Events | Security.Monitoring.ForwardedEvents.CollectLAPSEvents | WindowsEventCollectorDiscovery.EventLogCollectorServer | EventCollection | True | False
Security Monitoring Forwarded Events: SeDebug Privilege Escalation Detected | Security.Monitoring.ForwardedEvents.DebugEscalation | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: Executable Run from User Writeable Windows Directory | Security.Monitoring.ForwardedEvents.ExecutableRunFromUserWriteableDirectory | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: PowerSploit FindAV Signature Tool is in Use | Security.Monitoring.ForwardedEvents.FindAVSignature | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: Powersploit Get DLL Load Path is in Use | Security.Monitoring.ForwardedEvents.GetDLLLoadPath | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: PowerSploit HTTP Path Discovery Tool is in Use | Security.Monitoring.ForwardedEvents.GetHTTPStatus | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: PowerSploit Key Stroke Logger in Use | Security.Monitoring.ForwardedEvents.GetKeystroke | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: PowerSploit Invoke DLL Injection Command in Use | Security.Monitoring.ForwardedEvents.InvokeDLLInjection | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: PowerShell used to Invoke an Encoded Command | Security.Monitoring.ForwardedEvents.InvokeEncodedCommand | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: Invoke-Mimikatz Detected in Tier 0 Environment | Security.Monitoring.ForwardedEvents.InvokeMimikatz | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: Invoke Ninja Copy is in Use | Security.Monitoring.ForwardedEvents.InvokeNinjaCopy | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: Invoke Portscan is in Use | Security.Monitoring.ForwardedEvents.InvokePortScan | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: PowerShell used to Invoke a Remote Expression | Security.Monitoring.ForwardedEvents.InvokeRemoteExpression | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring: Invoke ShellCode is in Use | Security.Monitoring.ForwardedEvents.InvokeShellCodeInUse | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: An attempt was made to kill Windows Defender | Security.Monitoring.ForwardedEvents.KillWindowsDefender | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: PowerShell Running Only in Memory | Security.Monitoring.ForwardedEvents.PowerShellRuninMemoryOnly | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: Hidden Process Starting Using PowerShell | Security.Monitoring.ForwardedEvents.PowerShellStartHiddenProcess | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring Forwarded Events: RegSvr32 used to load a DLL that is not located on this machine | Security.Monitoring.ForwardedEvents.RemoteRegSvr32 | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | True
Security Monitoring: PowerSploit FindAV Signature Tool is in Use | Security.Monitoring.PowerShellLog.FindAVSignature | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Powersploit Get DLL Load Path is in Use | Security.Monitoring.PowerShellLog.GetDLLLoadPath | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: PowerSploit HTTP Path Discovery Tool is in Use | Security.Monitoring.PowerShellLog.GetHTTPStatus | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: PowerSploit Key Stroke Logger in Use | Security.Monitoring.PowerShellLog.GetKeystroke | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: PowerSploit Invoke DLL Injection Command in Use | Security.Monitoring.PowerShellLog.InvokeDLLInjection | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Invoke-Mimikatz is in Use. | Security.Monitoring.PowerShellLog.InvokeMimikatzInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Invoke Ninja Copy is in Use | Security.Monitoring.PowerShellLog.InvokeNinjaCopy | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Invoke Portscan is in Use | Security.Monitoring.PowerShellLog.InvokePortScan | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Invoke ShellCode in Use | Security.Monitoring.PowerShellLog.InvokeShellCodeInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Hidden Process Starting Using PowerShell | Security.Monitoring.PowerShellLog.PowerShellStartHiddenProcess | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Security Event Log was Cleared. | Security.Monitoring.SecurityLogClearedv2 | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Modification has been made to the DC OU | Security.Monitoring.SecurityMonitoring.Event.DCOUModify | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security Monitoring: A GPO was Created | Security.Monitoring.SecurityMonitoring.Event.GPOCreation | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security Monitoring: A GPO was Deleted | Security.Monitoring.SecurityMonitoring.Event.GPODeletionRule | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security Monitoring: A Scheduled Task Was Created On Server | Security.Monitoring.SecurityMonitoring.Event.ScheduledTaskCreatedOnServer | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: A service was Created on a Domain Controller | Security.Monitoring.SecurityMonitoring.Event.ServiceCreatedonDC | Microsoft.Windows.Server.DC.Computer | Alert | True | True
New Alert Rule | Security.Monitoring.SuspiciousUserContext | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: System Event Log was Cleared. | Security.Monitoring.SystemLogClearedv2 | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Failed RDP Logon | SecurityMonitoring.Event.FailedLogin | Microsoft.Windows.Server.OperatingSystem | Custom | False | True
Collect Failed Login Attempts | SecurityMonitoring.Failed.Login.Attempts.Collection | Microsoft.Windows.Computer | EventCollection | True | False
Security Monitoring: Domain Admins membership has changed | SecurityMonitoringMP.Accounts.DomainAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security Monitoring: Enterprise Admins membership has changed | SecurityMonitoringMP.Accounts.EnterpriseAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security Monitoring: Local Administrators Group was Modified | SecurityMonitoringMP.Accounts.LocalAdminChange | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Schema Admins membership has changed | SecurityMonitoringMP.Accounts.SchemaAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security Monitoring: Mimikatz in use | SecurityMonitoringMP.APPLocker.Mimikatz | Microsoft.Windows.Computer | Alert | False | True
Security Monitoring: Prohibited App in Use | SecurityMonitoringMP.APPLocker.ProhibitedApp | Microsoft.Windows.Computer | Alert | True | True
Security Monitoring: PSEXEC in Use | SecurityMonitoringMP.APPLocker.PSExec | Microsoft.Windows.Computer | Alert | False | True
Security Monitoring: WCE in Use | SecurityMonitoringMP.APPLocker.WCE | Microsoft.Windows.Computer | Alert | False | True
Security Monitoring: WinRar in use | SecurityMonitoringMP.APPLocker.WinRar | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
Security Monitoring: A suspicious process creation (AppLocker bypass) was executed | SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was executed | SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: A suspicious process creation (cmd) was executed | SecurityMonitoringMP.Event.4688.SuspiciousCMD | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: A suspicious process creation (FTP script execution via echo command) was executed | SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: A suspicious process creation (registry) was executed | SecurityMonitoringMP.Event.4688.SuspiciousReg | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Possible Golden Ticket in Use | SecurityMonitoringMP.Event.GoldenTicketDetection | Microsoft.Windows.Server.DC.Computer | Alert | True | True
Security Monitoring: Local account created on a member server | SecurityMonitoringMP.Event.LocalAccountCreatedonServer | Microsoft.Windows.Server.OperatingSystem | Alert | True | True
Security Monitoring: Security Log was cleared | SecurityMonitoringMP.Event.SecurityLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
Security Monitoring: A service was created on a member server | SecurityMonitoringMP.Event.ServiceCreatedonMemberServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | True
SecurityMonitoringMP.Event.ServiceKnownThreatSecurity Monitoring: Service associated with a known threat was created on a member serverSecurityMonitoringMP.Event.ServiceKnownThreatMicrosoft.Windows.Server.OperatingSystemAlertTrueTrue
SecurityMonitoringMP.Event.SmartCardDisabledSecurity Monitoring: A Smart Card has been Disabled to Allow for Interactive LogonSecurityMonitoringMP.Event.SmartCardDisabledMicrosoft.Windows.Server.DC.ComputerAlertTrueTrue
SecurityMonitoringMP.Event.SoftwareInstallOnServerSecurity Monitoring: Software was Installed on a ServerSecurityMonitoringMP.Event.SoftwareInstallOnServerMicrosoft.Windows.Server.OperatingSystemAlertFalseTrue
SecurityMonitoringMP.Event.SoftwareRemovedFromServerSecurity Monitoring: Software was Removed from a ServerSecurityMonitoringMP.Event.SoftwareRemovedFromServerMicrosoft.Windows.Server.OperatingSystemAlertFalseTrue
SecurityMonitoringMP.Event.SystemLogClearedSecurity Monitoring: The system Log was clearedSecurityMonitoringMP.Event.SystemLogClearedMicrosoft.Windows.Server.OperatingSystemAlertFalseTrue
SecurityMonitoringMP.Event.SystemPoweredOffSecurity Monitoring: A system has been powered offSecurityMonitoringMP.Event.SystemPoweredOffMicrosoft.Windows.Server.OperatingSystemAlertFalseTrue
SecurityMonitoringMP.Event.SystemRestartedSecurity Monitoring: A system was restartedSecurityMonitoringMP.Event.SystemRestartedMicrosoft.Windows.Server.OperatingSystemAlertFalseTrue
SecurityMonitoringMP.Event.UnexpectedShutdownSecurity Monitoring: Unexpected System ShutdownSecurityMonitoringMP.Event.UnexpectedShutdownMicrosoft.Windows.Server.OperatingSystemAlertFalseTrue
SecurityMonitoringMP.EventCollection.4672Security Monitoring Collection: Event ID 4672SecurityMonitoringMP.EventCollection.4672Microsoft.Windows.Server.OperatingSystemEventCollectionFalseFalse
SecurityMonitoringMP.EventCollection.BatchLogonSecurity Monitoring Collection: Event ID 4624 Logon Type 4SecurityMonitoringMP.EventCollection.BatchLogonMicrosoft.Windows.Server.OperatingSystemEventCollectionTrueFalse
SecurityMonitoringMP.EventCollection.GoldenTicketSecurity Monitoring Event Collection: Event ID 4769 result 0x1FSecurityMonitoringMP.EventCollection.GoldenTicketMicrosoft.Windows.Server.DC.ComputerEventCollectionTrueFalse
SecurityMonitoringMP.EventCollection.SpecialGroupLogonSecurity Monitoring Collection: Event ID 4694SecurityMonitoringMP.EventCollection.SpecialGroupLogonMicrosoft.Windows.Server.OperatingSystemEventCollectionTrueFalse
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJavaSecurity Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass) was executedSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJavaWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvrSecurity Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass using regsvr32) was execuitedSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvrWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMDSecurity Monitoring Forwarded Events: A suspicious process creation (cmd) was executedSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMDWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommandSecurity Monitoring Forwarded Events: A suspicious process creation (FTP script execution via echo command) was executedSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommandWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousRegSecurity Monitoring Forwarded Events: A suspicious process creation (registry) was executedSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousRegWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPositionSecurity Monitoring Forwarded Events: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executedSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPositionWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.CredentialSwapSecurity Monitoring Forwarded Events: Potential Credential Swap in ProgressSecurityMonitoringMP.ForwardedEvents.CredentialSwapWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeletedSecurity Monitoring Forwarded Events: Local User Created or Deleted in Administrator Security GroupSecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeletedWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.ProhibitedAppSecurity Monitoring Forwarded Events: Prohibited App in UseSecurityMonitoringMP.ForwardedEvents.ProhibitedAppWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.PtHTier2Security Monitoring Forwarded Events: Possible PtH Attack in Progress Against Tier 2SecurityMonitoringMP.ForwardedEvents.PtHTier2WindowsEventCollectorDiscovery.EventLogCollectorServerAlertFalseTrue
SecurityMonitoringMP.ForwardedEvents.SecurityLogClearedSecurity Monitoring Forwarded Events: Security log cleared on a server configured to forward eventsSecurityMonitoringMP.ForwardedEvents.SecurityLogClearedWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.ServiceCreationSecurity Monitoring Forwarded Events: Service Created on systemSecurityMonitoringMP.ForwardedEvents.ServiceCreationWindowsEventCollectorDiscovery.EventLogCollectorServerAlertFalseTrue
SecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreatsSecurity Monitoring Forwarded Events: Service associated with a known threat was created on a forwarding computerSecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreatsWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.SpecialGroupLogonSecurity Monitoring Forwarded Events: Special Group logon eventSecurityMonitoringMP.ForwardedEvents.SpecialGroupLogonWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.ForwardedEvents.SystemLogClearedSecurity Monitoring Forwarded Events: System Log was ClearedSecurityMonitoringMP.ForwardedEvents.SystemLogClearedWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrueTrue
SecurityMonitoringMP.GPOMonitoring.EventAndScript.RuleGPO Change Event then run correlation script RuleSecurityMonitoringMP.GPOMonitoring.EventAndScript.RuleMicrosoft.Windows.Server.DC.ComputerCustomTrueTrue
SecurityMonitoringMP.Pth.CredentialSwapSecurity Monitoring: Potential Credential Swap in ProgressSecurityMonitoringMP.Pth.CredentialSwapMicrosoft.Windows.Server.OperatingSystemAlertTrueTrue
SecurityMonitoringMP.Pth.PtHAgainstDCSecurity Monitoring: Possible PtH attack in progress (successful) against DCSecurityMonitoringMP.Pth.PtHAgainstDCMicrosoft.Windows.Server.DC.ComputerAlertFalseTrue
SecurityMonitoringMP.Pth.PtHAgainstTier1Security Monitoring: Possible PtH Attack in Progress against tier 1SecurityMonitoringMP.Pth.PtHAgainstTier1Microsoft.Windows.Server.OperatingSystemAlertFalseTrue
SecurityMonitoringMP.ThreatHunt.BatchLogonInUseSecurity Monitoring Threat Hunting: Batch Logon in useSecurityMonitoringMP.ThreatHunt.BatchLogonInUseMicrosoft.Windows.Server.OperatingSystemAlertFalseTrue
SecurityMonitoringMP.ThreatHunt.SpecialGroupLogonSecurity Monitoring Threat Hunting: Special Group logon eventSecurityMonitoringMP.ThreatHunt.SpecialGroupLogonMicrosoft.Windows.Server.OperatingSystemAlertTrueTrue
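The collection rules above are keyed on specific Security log events (4672, 4624 with logon type 4, 4769 with result 0x1F, 4964) and several alert rules fire on the log-cleared event. The PowerShell below is an added example, not code from the Security Monitoring MP or its author: it queries the local Security log for the same events so you can confirm the audit policy actually emits them before relying on the SCOM rules. The 24-hour lookback, the rule-to-event mapping (read from the rule display names) and the use of event 1102 for "Security Log was cleared" are this example's assumptions.

```powershell
# Added example (not part of the Security Monitoring MP): query the local
# Security log for the events behind the collection and alert rules listed
# above. Run in an elevated PowerShell session on the server under test.
# Assumptions: a 24-hour lookback, the rule-to-event mapping taken from the
# rule display names, and event 1102 for "Security Log was cleared".
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-EventDataField($Event, [string]$Name) {
    # Read one named <Data> element from the record's XML payload.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# One entry per rule: the event ID the rule is keyed on, an EventData filter
# that reproduces the rule's extra criteria, and fields worth showing for triage.
$checks = @(
    @{ Rule = 'SecurityMonitoringMP.EventCollection.4672'; Id = 4672
       Fields = 'SubjectUserName', 'SubjectDomainName'
       Filter = { $true } }
    @{ Rule = 'SecurityMonitoringMP.EventCollection.BatchLogon'; Id = 4624
       Fields = 'TargetUserName', 'LogonType', 'IpAddress'
       Filter = { (Get-EventDataField $_ 'LogonType') -eq '4' } }
    # 0x1F is KRB_AP_ERR_MODIFIED (ticket integrity check failed), which the
    # MP treats as a possible Golden Ticket indicator. Only DCs log 4769.
    @{ Rule = 'SecurityMonitoringMP.EventCollection.GoldenTicket'; Id = 4769
       Fields = 'TargetUserName', 'ServiceName', 'IpAddress', 'Status'
       Filter = { (Get-EventDataField $_ 'Status') -eq '0x1f' } }
    # 4964 is only written when Special Groups are configured under
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit and Special Logon auditing is on.
    @{ Rule = 'SecurityMonitoringMP.EventCollection.SpecialGroupLogon'; Id = 4964
       Fields = 'TargetUserName', 'GroupMembership'
       Filter = { $true } }
    @{ Rule = 'SecurityMonitoringMP.Event.SecurityLogCleared'; Id = 1102
       Fields = 'SubjectUserName', 'SubjectDomainName'
       Filter = { $true } }
)

$summary = @()
$details = @()
foreach ($check in $checks) {
    # Get-WinEvent raises an error when nothing matches; treat that as empty.
    $events = @(Get-WinEvent -FilterHashtable @{
                    LogName = 'Security'; Id = $check.Id; StartTime = $since
                } -ErrorAction SilentlyContinue |
                Where-Object -FilterScript $check.Filter)

    # Get-WinEvent returns newest first, so element 0 is the latest match.
    $latest = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
    $summary += [pscustomobject]@{
        Rule = $check.Rule; EventId = $check.Id; Count = $events.Count; Latest = $latest
    }
    # Keep the newest five matches per rule with their triage fields.
    foreach ($e in ($events | Select-Object -First 5)) {
        $row = [ordered]@{ Rule = $check.Rule; Time = $e.TimeCreated }
        foreach ($f in $check.Fields) { $row[$f] = Get-EventDataField $e $f }
        $details += [pscustomobject]$row
    }
}

$summary | Format-Table -AutoSize
$details | Format-List
```

An empty result for one of these says as much about audit configuration as about activity: 4769 is only written by domain controllers, 4964 only when Special Groups are configured and Special Logon auditing is on, and 4624 logon type 4 only with Logon auditing enabled. The MP's own rule definitions may key on additional fields not reproduced here.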

Recoveries (2)

DisplayName | ID | Target | Monitor | Reset Monitor | Category | Enabled | Accessibility
Modify Windows Firewall | SecurityMonitoringMP.Recovery.BlockPortWindowsFW | Microsoft.Windows.Server.OperatingSystem | SecurityMonitoringMP.Event.RepeatedLogonMonitor | False | Custom | False | Public
Restart Service | SecurityMonitoringMP.Recovery.RestartWecSVC | WindowsEventCollectorDiscovery.EventLogCollectorServer | SecurityMonitoringMP.Health.EventCollectorMonitor | True | Custom | True | Public

Agent Tasks (2)

DisplayName | ID | Target | Accessibility | Category | Enabled
Security Monitoring: Create Registry Key to Discover Writeable Locations | SecurityMonitoring.PowerShell.Task.CreateUserWriteableRegKey | Microsoft.Windows.Computer | Internal | Maintenance | True
Security Monitoring: Remove Registry Key to Discover Writeable Locations | SecurityMonitoring.PowerShell.Task.RemoveUserWriteableRegKey | Microsoft.Windows.Computer | Internal | Maintenance | True

Monitor Property Overrides (8)

ID | Context | Target
OverrideForMonitorSecurityMonitoringAccountLogonAuditingMemberServerForContextMicrosoftSystemCenterManagementServerComputersGroup | Microsoft.SystemCenter.ManagementServerComputersGroup | Security.Monitoring.AuditAccountLogonMS
OverrideForMonitorSecurityMonitoringCommandLineAuditingMemberServerForContextMicrosoftSystemCenterManagementServerComputersGroup | Microsoft.SystemCenter.ManagementServerComputersGroup | Security.Monitoring.IncludeCommandLineProcessCreationonMS
OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2012Full | Microsoft.Windows.Server.6.2.Full.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor
OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2012OS | Microsoft.Windows.Server.6.2.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor
OverrideForMonitorSecurityMonitoringMPUseLogonCredentialExistsMonitor.Server2016 | Microsoft.Windows.Server.10.0.OperatingSystem | SecurityMonitoringMP.UseLogonCredentialExistsMonitor
OverrideForMonitorSecurityMonitoringProcessCreationMemberServerForContextMicrosoftSystemCenterManagementServerComputersGroup | Microsoft.SystemCenter.ManagementServerComputersGroup | Security.Monitoring.ProcessCreationMemberServer
OverrideForMonitorSecurityMonitoringSpecialGroupLogonMemberServerForContextMicrosoftSystemCenterManagementServerComputersGroup | Microsoft.SystemCenter.ManagementServerComputersGroup | Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers
OverrideForMonitorSecurityMonitoringUserAccountManagementAuditingMemberServerForContextMicrosoftSystemCenterManagementServerComputersGroup | Microsoft.SystemCenter.ManagementServerComputersGroup | Security.Monitoring.UserAccountMgmtMS
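The monitors these overrides target (account logon auditing, user account management auditing, process creation auditing, command-line logging, special group logon, and the WDigest UseLogonCredential value) are the prerequisites for the event-based rules in the table above. The script below is an added example, not code from the Security Monitoring MP or its author: it reads the corresponding audit subcategories and registry values on one server so you can see why a monitor is unhealthy before overriding it. Which subcategory or registry value each monitor really evaluates is this example's reading of the monitor names, not the MP's definition.

```powershell
# Added example (not part of the Security Monitoring MP): a local read of the
# audit and registry settings that the monitors targeted by the overrides
# above appear to evaluate. The mapping of monitor names to subcategories and
# registry values is this example's assumption. Run elevated; auditpol needs
# administrator rights.

function Get-AuditSubcategorySetting {
    # auditpol /r emits CSV with columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    param([Parameter(Mandatory)][string]$Subcategory)
    $row = auditpol /get /subcategory:"$Subcategory" /r |
           Where-Object { $_ -ne '' } | ConvertFrom-Csv | Select-Object -First 1
    if (-not $row) { return 'Unknown' }
    return $row.'Inclusion Setting'   # 'Success', 'Success and Failure', 'Failure' or 'No Auditing'
}

function Get-RegistryValueOrNull {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-CheckResult {
    param([string]$Monitor, [string]$Check, $Value, [bool]$Healthy)
    [pscustomobject]@{ Monitor = $Monitor; Check = $Check; Value = $Value; Healthy = $Healthy }
}

$results = @()

# Advanced audit policy subcategories, keyed to the monitor they appear to back.
$auditChecks = @(
    @{ Sub = 'Credential Validation';           Monitor = 'Security.Monitoring.AuditAccountLogonMS' }
    @{ Sub = 'Kerberos Authentication Service'; Monitor = 'Security.Monitoring.AuditAccountLogonMS' }
    @{ Sub = 'User Account Management';         Monitor = 'Security.Monitoring.UserAccountMgmtMS' }
    @{ Sub = 'Process Creation';                Monitor = 'Security.Monitoring.ProcessCreationMemberServer' }
    @{ Sub = 'Special Logon';                   Monitor = 'Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers' }
)
foreach ($c in $auditChecks) {
    $setting = Get-AuditSubcategorySetting -Subcategory $c.Sub
    # 'Success' and 'Success and Failure' both count; 'No Auditing' and 'Failure' do not.
    $results += New-CheckResult -Monitor $c.Monitor -Check "auditpol: $($c.Sub)" `
                                -Value $setting -Healthy ($setting -match 'Success')
}

# Security.Monitoring.IncludeCommandLineProcessCreationonMS: event 4688 carries
# the process command line only when this policy value is 1; the 4688 rules
# in the table above have nothing to match without it.
$cmdLine = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
$results += New-CheckResult -Monitor 'Security.Monitoring.IncludeCommandLineProcessCreationonMS' `
                            -Check 'ProcessCreationIncludeCmdLine_Enabled' -Value $cmdLine -Healthy ($cmdLine -eq 1)

# Special Logon auditing alone does not produce event 4964: the group SIDs to
# watch must be listed (semicolon-separated) in this LSA value.
$special = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit' 'SpecialGroups'
$results += New-CheckResult -Monitor 'Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers' `
                            -Check 'Lsa\Audit\SpecialGroups' -Value $special -Healthy (-not [string]::IsNullOrEmpty($special))

# SecurityMonitoringMP.UseLogonCredentialExistsMonitor: with UseLogonCredential = 1
# WDigest keeps plaintext credentials in LSASS, which is what Mimikatz and WCE
# harvest. On Server 2012 R2 (6.3) and later the value is absent by default and
# caching is off; on Server 2012 / 2008 R2 with KB2871997 it must be set to 0.
# The overrides in the table above scope this monitor per OS version.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$wdigest   = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$wdigestOk = if ($null -eq $wdigest) { $osVersion -ge [version]'6.3' } else { $wdigest -eq 0 }
$results += New-CheckResult -Monitor 'SecurityMonitoringMP.UseLogonCredentialExistsMonitor' `
                            -Check 'WDigest\UseLogonCredential' -Value $wdigest -Healthy $wdigestOk

$results | Format-Table -AutoSize
```

Run it on a management server as well as on a member server: the overrides above change these monitors' behaviour only for the Microsoft.SystemCenter.ManagementServerComputersGroup context, so a setting that is fine on member servers may still be reported differently there.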

Rule Property Overrides (4)

ID | Context | Target
OverrideForRuleSecurityMonitoringEventSeDebugPrivilegeEscalation | Microsoft.SystemCenter.ManagementServer | Security.Monitoring.Event.SeDebugPrivilegeEscalation
OverrideForRuleSecurityMonitoringExecutableRunFromUserWriteableDirectory | Security.Monitoring.WindowsComputersExtendedWriteableDirectoryMonitoring | Security.Monitoring.ExecutableRunFromUserWriteableDirectory
OverrideForRuleSecurityMonitoringMPEventLocalAccountCreatedonServer.DomainControllers | Microsoft.Windows.Server.DC.Computer | SecurityMonitoringMP.Event.LocalAccountCreatedonServer
OverrideForRuleSecurityMonitoringMPEventLocalAdminChange.DomainControllers | Microsoft.Windows.Server.DC.Computer | SecurityMonitoringMP.Accounts.LocalAdminChange

Folder Items (8)

ID | Folder Name | Element ID
i08b0d1b442c04c8daf4574e19f39c3c9 | SecurityMonitoringMP.Folder.SecurityMonitoring | SecurityMonitoringMP.View.SecurityMonitoringAlerts
i23e6b51216814447b3b73c5124fae3d3 | SecurityMonitoringMP.Folder.Administration | SecurityMonitoringMP.View.DCDistributedApp
i2465151f071a4563af2090f8f6f734ce | SecurityMonitoringMP.Folder.Administration | SecurityMonitoringMP.View.MemberServerDistributedApp
i3691038e88044516a67ac5bbc79422c0 | SecurityMonitoringMP.Folder.EventCollectors | SecurityMonitoringMP.View.EventCollectorState
i74a5ba1881174da89a4041962320a070 | SecurityMonitoringMP.Folder.SecurityMonitoring | SecurityMonitoringMP.View.ThreatHuntingAlert
ibbd540dc68af4043bfdb9f75cf03ae00 | SecurityMonitoringMP.Folder.SecurityMonitoring | SecurityMonitoringMP.View.OnlineDocumentation
if3e38fad5d3547168a4bca954c52cecb | SecurityMonitoringMP.Folder.EventCollectors | SecurityMonitoringMP.View.EventCollectorAlerts
if879997c69ee482abc74aca8ebbe4367 | SecurityMonitoringMP.Folder.Administration | SecurityMonitoringMP.View.DADocumentation

Folders (3)

DisplayName | ID | Parent Folder | Accessibility
Administration | SecurityMonitoringMP.Folder.Administration | SecurityMonitoringMP.Folder.SecurityMonitoring | Public
Event Collectors | SecurityMonitoringMP.Folder.EventCollectors | SecurityMonitoringMP.Folder.SecurityMonitoring | Public
Security Monitoring | SecurityMonitoringMP.Folder.SecurityMonitoring | Microsoft.SystemCenter.Monitoring.ViewFolder.Root | Public

Views (8)

DisplayName | ID | Target | Type | Accessibility | Visible
Distributed Application Documentation | SecurityMonitoringMP.View.DADocumentation | System.Entity | Microsoft.SystemCenter.UrlViewType | Public | True
Domain Controller Audit Settings | SecurityMonitoringMP.View.DCDistributedApp | Security.Monitoring.SecurityMonitoringDA.DomainControllers | Microsoft.SystemCenter.StateViewType | Public | True
Event Collector Alerts | SecurityMonitoringMP.View.EventCollectorAlerts | WindowsEventCollectorDiscovery.EventLogCollectorServer | Microsoft.SystemCenter.AlertViewType | Public | True
Event Collector State | SecurityMonitoringMP.View.EventCollectorState | WindowsEventCollectorDiscovery.EventLogCollectorServer | Microsoft.SystemCenter.StateViewType | Public | True
Member Server Audit Settings | SecurityMonitoringMP.View.MemberServerDistributedApp | Security.Monitoring.SecurityMonitoringDA.MemberServers | Microsoft.SystemCenter.StateViewType | Public | True
Online Documentation | SecurityMonitoringMP.View.OnlineDocumentation | System.Entity | Microsoft.SystemCenter.UrlViewType | Public | True
Security Monitoring MP Alerts | SecurityMonitoringMP.View.SecurityMonitoringAlerts | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True
Threat Hunting | SecurityMonitoringMP.View.ThreatHuntingAlert | System.Entity | Microsoft.SystemCenter.AlertViewType | Public | True

Report Resources (11)

ID | File Name | Accessibility
AlertSummary.ID | Alert Summary_v1.rdl | Internal
BatchLogonReport.ID | Batch Logon Report_v1.2.rdl | Internal
EventCollectionSummary.ID | Event Collection Report_v1.rdl | Internal
FailedLoginDetails.ID | Failed Login Details_v1.rdl | Internal
FailedLoginSummary.ID | Failed Login Summary_v1.rdl | Internal
FailedLoginSummary24.ID | Failed Login Summary (24 hours)_v1.rdl | Internal
LanManConnectionReport.ID | LanMan.rdl | Internal
LegacyTLSConnectionReport.ID | LegacyTLS.rdl | Internal
NTLMv1ConnectionReport.ID | NTLMV1.rdl | Internal
SMBv1ConnectionReport.ID | SMBv1 Connections Report_v1.rdl | Internal
WDigestConnectionReport.ID | Wdigest.rdl | Internal

Reports (11)

DisplayName | ID | Accessibility | Visible
Alert Summary | Security.Monitoring.AlertSummary | Public | True
Batch Logon Report | Security.Monitoring.BatchLogonReport | Public | True
Event Collection Summary | Security.Monitoring.EventCollectionSummary | Public | True
Failed Login Details | Security.Monitoring.FailedLoginDetails | Public | True
Failed Login Summary | Security.Monitoring.FailedLoginSummary | Public | True
Failed Login Summary (24 Hours) | Security.Monitoring.FailedLoginSummary24Hours | Public | True
LanMan Connection Report | Security.Monitoring.LanManConnectionReport | Public | True
Legacy TLS Protocols Connection Report | Security.Monitoring.LegacyTLSConnectionReport | Public | True
NTLM Version 1 Connection Report | Security.Monitoring.NTLMv1ConnectionReport | Public | True
SMBv1 Connections Report | Security.Monitoring.SMBv1ConnectionReport | Public | True
WDigest Connection Report | Security.Monitoring.WDigestConnectionReport | Public | True
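The NTLMv1, LanMan, WDigest and SMBv1 reports above summarise legacy-protocol usage from data the MP collects into the SCOM data warehouse. The script below is an added example, not code from the Security Monitoring MP or its author: it reads the same indicators straight from one server's own logs, which is useful for spot-checking a report or for a server that is not yet under SCOM management. It assumes a 24-hour lookback, that the NTLMv1, LanMan and WDigest reports key on the 4624 AuthenticationPackageName and LmPackageName fields, and that SMB1 access auditing has been turned on with Set-SmbServerConfiguration -AuditSmb1Access $true.

```powershell
# Added example (not part of the Security Monitoring MP): read the legacy
# protocol indicators behind the NTLMv1, LanMan, WDigest and SMBv1 reports
# above straight from one server's logs. Assumptions: a 24-hour lookback,
# that those reports key on the 4624 AuthenticationPackageName/LmPackageName
# fields, and that SMB1 access auditing is enabled on the server. Run elevated.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-EventDataField($Event, [string]$Name) {
    # Read one named <Data> element from the record's XML payload.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Successful logons (4624) carry the authentication package and, for NTLM,
# the variant actually used: 'NTLM V1', 'NTLM V2', 'LM' or '-'.
$logons = @(Get-WinEvent -FilterHashtable @{
                LogName = 'Security'; Id = 4624; StartTime = $since
            } -ErrorAction SilentlyContinue)
$legacyAuth = @(foreach ($e in $logons) {
    $package = Get-EventDataField $e 'AuthenticationPackageName'
    $lm      = Get-EventDataField $e 'LmPackageName'
    # Classify on "package/lm-variant"; break stops at the first match.
    $kind = switch -Regex ("$package/$lm") {
        '/NTLM V1$' { 'NTLMv1';  break }
        '/LM$'      { 'LanMan';  break }
        '^WDigest/' { 'WDigest'; break }
        default     { $null }
    }
    if ($kind) {
        [pscustomobject]@{
            Kind        = $kind
            Time        = $e.TimeCreated
            User        = "$(Get-EventDataField $e 'TargetDomainName')\$(Get-EventDataField $e 'TargetUserName')"
            Source      = Get-EventDataField $e 'IpAddress'
            Workstation = Get-EventDataField $e 'WorkstationName'
        }
    }
})

# SMB1: the server configuration says whether SMB1 is accepted at all; with
# SMB1 access auditing on, each SMB1 client is logged to the SMBServer/Audit
# log as event 3000, whose message names the client address.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
$smb1Clients = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Fall back to the raw message if the expected "Client Address:" text is absent.
        $client = if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { $_.Message }
        [pscustomobject]@{ Kind = 'SMBv1'; Time = $_.TimeCreated; Client = $client }
    })

"SMB1 protocol enabled on this server: $smb1Enabled"
"Legacy authentication logons in the last $Hours hours:"
$legacyAuth | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
$legacyAuth | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
"SMB1 client accesses (audit event 3000) in the last $Hours hours: $($smb1Clients.Count)"
$smb1Clients | Select-Object -First 20 | Format-Table -AutoSize
```

The Legacy TLS Protocols report is not reproduced here: the TLS version of a connection only appears in Schannel's handshake events once Schannel event logging is raised, and the fields that report draws on are not visible from this page.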