Technology has transformed what’s possible for today’s small and medium-sized organizations, but it also increases exposure to potential security risks.
Data Loss Prevention/Information Lockdown: The SIEM can detect if files are being exported or imported instead of being stored where the information security policy dictates.
External vulnerabilities are opportunities for outside attackers to gain internal access to the network.
A large number of failed login attempts in a short timeframe can be a key indicator of a brute force attack.
Login history keeps records on who is attempting logins into which machines and how frequently.
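As an added illustration of the two points above (not code from the original page), the following Python script keeps a per-source login history and raises an alert when one source IP accumulates a threshold of failed logons against one host inside a sliding time window. The event records, field names (time, user, host, src, ok) and the threshold values are constructed assumptions, not a real SIEM schema.

```python
"""Failed-logon burst detection and login history over constructed events.

Added example; the records below are constructed for illustration and the
field names are assumptions rather than any vendor's log format.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon events (success and failure), chronological order.
SAMPLE_EVENTS = [
    {"time": "2023-02-24T09:00:00", "user": "alice",  "host": "FS01", "src": "10.0.0.5",     "ok": True},
    {"time": "2023-02-24T09:00:05", "user": "admin",  "host": "FS01", "src": "198.51.100.7", "ok": False},
    {"time": "2023-02-24T09:00:10", "user": "admin",  "host": "FS01", "src": "198.51.100.7", "ok": False},
    {"time": "2023-02-24T09:00:15", "user": "root",   "host": "FS01", "src": "198.51.100.7", "ok": False},
    {"time": "2023-02-24T09:00:20", "user": "backup", "host": "FS01", "src": "198.51.100.7", "ok": False},
    {"time": "2023-02-24T09:00:25", "user": "alice",  "host": "FS01", "src": "198.51.100.7", "ok": False},
    {"time": "2023-02-24T09:00:30", "user": "alice",  "host": "FS01", "src": "198.51.100.7", "ok": False},
    {"time": "2023-02-24T09:02:00", "user": "bob",    "host": "WS02", "src": "10.0.0.5",     "ok": False},
    {"time": "2023-02-24T09:05:00", "user": "bob",    "host": "WS02", "src": "10.0.0.5",     "ok": True},
]

THRESHOLD = 5                   # assumed: failures that count as a burst
WINDOW = timedelta(seconds=60)  # assumed: sliding window length


def parse(events):
    """Convert ISO timestamps to datetime and return events sorted by time."""
    parsed = []
    for e in events:
        rec = dict(e)
        rec["time"] = datetime.fromisoformat(e["time"])
        parsed.append(rec)
    return sorted(parsed, key=lambda r: r["time"])


def detect_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (src, host) pair whose failed logons reach
    `threshold` within `window`; further failures after the alert are
    not re-alerted, to avoid flooding the analyst."""
    recent = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for e in parse(events):
        if e["ok"]:
            continue
        key = (e["src"], e["host"])
        q = recent[key]
        q.append(e["time"])
        # Drop failures that fell out of the window.
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": key[0], "host": key[1], "failures": len(q),
                "first": q[0].isoformat(), "last": e["time"].isoformat(),
            })
    return alerts


def login_history(events):
    """Summarise who attempted logins to which machine and how often."""
    hist = defaultdict(Counter)
    for e in events:
        hist[(e["user"], e["host"])]["success" if e["ok"] else "failure"] += 1
    return {k: dict(v) for k, v in hist.items()}


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print("ALERT", a)
    for (user, host), counts in sorted(login_history(SAMPLE_EVENTS).items()):
        print(user, host, counts)
```

In the sample data the burst from 198.51.100.7 against FS01 trips the threshold on the fifth failure; the two isolated attempts from 10.0.0.5 never do, which is the distinction between password-guessing and an ordinary typo that the short-timeframe condition is meant to capture.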
Real-time Security Risk Analysis on Proprietary Applications: The SIEM provides real-time analysis of proprietary applications to look for security gaps and to identify patterns of suspicious activity that can indicate a breach has occurred.
Event destination IP address is listed on one or more blocklists as having an IOC (indicator of compromise).
Event source IP address is listed on one or more blocklists as having an IOC (indicator of compromise).
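As an added example of the two blocklist checks just listed (not code from the original page), this Python snippet compiles a set of CIDR blocklists and enriches each event with the feeds that match its source or destination address. The feed names, networks (drawn from documentation address ranges) and event records are constructed placeholders.

```python
"""Blocklist (IOC) enrichment of source and destination IPs.

Added example with constructed data: feed names and networks are
placeholders, not real threat-intelligence feeds.
"""
import ipaddress

# Constructed blocklists keyed by feed name; entries may be hosts or networks.
BLOCKLIST = {
    "example-feed-a": ["203.0.113.0/24", "198.51.100.42/32"],
    "example-feed-b": ["192.0.2.0/25"],
}

# Constructed flow events; "ts" is an ISO timestamp string.
SAMPLE_EVENTS = [
    {"ts": "2023-02-24T10:00:00", "src": "10.0.0.5",      "dst": "203.0.113.9"},
    {"ts": "2023-02-24T10:00:01", "src": "198.51.100.42", "dst": "10.0.0.8"},
    {"ts": "2023-02-24T10:00:02", "src": "10.0.0.5",      "dst": "192.0.2.200"},
    {"ts": "2023-02-24T10:00:03", "src": "not-an-ip",     "dst": "192.0.2.17"},
]


def compile_blocklist(lists):
    """Parse every entry once into (ip_network, feed_name) tuples."""
    compiled = []
    for name, nets in lists.items():
        for n in nets:
            compiled.append((ipaddress.ip_network(n, strict=False), name))
    return compiled


def lookup(ip, compiled):
    """Return the sorted feed names whose networks contain `ip`;
    malformed addresses yield no matches instead of raising."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return []
    return sorted({name for net, name in compiled
                   if addr.version == net.version and addr in net})


def enrich_events(events, lists=BLOCKLIST):
    """Keep only events whose source or destination hits a blocklist,
    annotated with which side matched and on which feeds."""
    compiled = compile_blocklist(lists)
    hits = []
    for e in events:
        src_ioc = lookup(e["src"], compiled)
        dst_ioc = lookup(e["dst"], compiled)
        if src_ioc or dst_ioc:
            hits.append({"event": e, "src_ioc": src_ioc, "dst_ioc": dst_ioc})
    return hits


if __name__ == "__main__":
    for h in enrich_events(SAMPLE_EVENTS):
        print(h["event"]["ts"], "src:", h["src_ioc"] or "-", "dst:", h["dst_ioc"] or "-")
```

Matching on parsed networks rather than string comparison is what lets a /25 entry flag 192.0.2.17 while leaving 192.0.2.200 alone; string prefix matching would get that wrong in both directions.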
3rd Party Application Detection and Remediation: The SIEM identifies unauthorized 3rd party applications that have been granted access (a backdoor) into your network and provides you a portal to confirm which applications belong in your environment.
User behavior analysis targets the method of login attempts by users.
Application whitelisting events should be collected to look for applications that have been blocked from execution.
Certificate Services receives requests for digital certificates over RPC or HTTP.
Spyware and malware remain a serious problem, and Microsoft developed an anti-spyware and antivirus product, Windows Defender, to combat this threat.
Malicious or misused software can often attempt to resolve blacklisted or suspicious domain names.
Detection of USB device usage (e.g., mass storage devices) is important in some environments, such as air-gapped networks.
Introduction of kernel driver signing in the 64-bit version of Windows Vista significantly improves defenses against insertion of malicious drivers or activities in the kernel.
The Microsoft CryptoAPI can be used for certificate verification and encryption/decryption of data.
Wireless devices are ubiquitous and the need to record an enterprise’s wireless device activities may be critical.
Tracking user accounts for detecting Pass the Hash (PtH) requires creating a custom view with XML to configure more advanced filtering options.
PowerShell events can be interesting as PowerShell is included by default in modern Windows installations.
Remote Desktop account activity events are not easily identifiable using the Event Viewer GUI.
If client workstations are taking advantage of the built-in host-based Windows Firewall, then there is value in collecting events to track the firewall status.
Last modified February 24, 2023