Technology has transformed what’s possible for today’s small and medium-sized organizations, but it also increases exposure to potential security risks.
Compromised Passwords

Compromised passwords are a serious risk to an environment: a credential exposed in a breach dump or reused across services lets an attacker log in as a legitimate user without exploiting any vulnerability.
Anomalous Logins

Anomalous logins (from an unusual location, device or time of day, or at an impossible travel speed from the previous login) may indicate that an account has been compromised.
Business Intellectual Property

Data Loss Prevention/Information Lockdown - The SIEM can detect when files are being exported or imported instead of being stored where the information security policy dictates.
External Vulnerabilities

External vulnerabilities are weaknesses in internet-facing systems that give outside attackers an entry point into the internal network.
Login Failures

A large number of failed login attempts in a short timeframe can be a key indicator of a brute-force attack. Many failures against a single account point to password guessing; a few failures against each of many accounts from the same source point to password spraying.
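The detection logic behind this use case, as an added example that is not part of the original page or of any vendor's SIEM: a sliding-window count of failed logins per source address, which also tells password spraying apart from classic brute force. The log records, the threshold of 5 failures in 2 minutes and the 3-account spray cut-off are all constructed assumptions for illustration.

```python
"""Brute-force and password-spray detection over failed-login events.

Added example; the events below are constructed, not real logs, and the
threshold, window and spray cut-off are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events as a SIEM would normalise them from Windows
# Event ID 4625 or sshd "Failed password" lines: (timestamp, source IP, target user).
SAMPLE_FAILURES = [
    # one source hammering one account (brute force)
    ("2023-02-24T09:00:01", "203.0.113.7", "alice"),
    ("2023-02-24T09:00:05", "203.0.113.7", "alice"),
    ("2023-02-24T09:00:09", "203.0.113.7", "alice"),
    ("2023-02-24T09:00:14", "203.0.113.7", "alice"),
    ("2023-02-24T09:00:20", "203.0.113.7", "alice"),
    ("2023-02-24T09:00:27", "203.0.113.7", "alice"),
    # one source trying one guess against many accounts (password spray)
    ("2023-02-24T09:10:00", "198.51.100.20", "bob"),
    ("2023-02-24T09:10:15", "198.51.100.20", "carol"),
    ("2023-02-24T09:10:30", "198.51.100.20", "dave"),
    ("2023-02-24T09:10:45", "198.51.100.20", "erin"),
    ("2023-02-24T09:11:00", "198.51.100.20", "frank"),
    # a user mistyping a password a few times over ten minutes (benign)
    ("2023-02-24T09:20:00", "192.0.2.5", "grace"),
    ("2023-02-24T09:25:00", "192.0.2.5", "grace"),
    ("2023-02-24T09:30:00", "192.0.2.5", "grace"),
]


def detect_failed_logins(events, threshold=5, window=timedelta(minutes=2), spray_accounts=3):
    """Return one alert per source whose failures within `window` reach `threshold`.

    Alerts are dicts with the kind ("brute_force" or "password_spray"), the
    source, the failure count and the accounts targeted in the window.
    """
    per_source = defaultdict(deque)   # source IP -> recent (timestamp, user) pairs
    alerts = []
    alerted = set()                   # alert once per source, not on every further failure
    for ts_text, source, user in sorted(events):   # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_text)
        recent = per_source[source]
        recent.append((ts, user))
        while ts - recent[0][0] > window:          # drop failures older than the window
            recent.popleft()
        if len(recent) >= threshold and source not in alerted:
            accounts = sorted({u for _, u in recent})
            kind = "password_spray" if len(accounts) >= spray_accounts else "brute_force"
            alerts.append({
                "kind": kind,
                "source": source,
                "failures": len(recent),
                "accounts": accounts,
                "first": recent[0][0].isoformat(),
                "last": ts.isoformat(),
            })
            alerted.add(source)
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_FAILURES):
        print(alert)
```

Keying the window on the source address rather than the target account is what makes spraying visible: per-account thresholds never trip when each account sees only one or two failures. Note that lockout policies interact with this rule; a sprayer who stays under the lockout threshold per account is exactly the case the per-source count catches.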
Login History

Login history records who is attempting to log in to which machines, and how frequently.
Proprietary Applications Security

Real-time Security Risk Analysis of Proprietary Applications - The SIEM analyzes proprietary application logs in real time to look for security gaps and to identify patterns of suspicious activity that indicate a breach has occurred.
Server SSH Key Access Monitoring

A user logged in to a server using an SSH public key. The sshd log line for such a logon records the key fingerprint, so each login can be tied to a specific authorized key as well as to the account.
SIEM Firewall Alerts

Firewall Filter and IPS/IDS Log Analysis.
SIEM Office 365 Alerts

Alerts generated from Office 365 audit log activity.
Threat Intelligence Alert Destination IP Threat Indicated

The event's destination IP address is listed on one or more blocklists as an IOC (indicator of compromise).
Threat Intelligence Alert Source IP Threat Indicated

The event's source IP address is listed on one or more blocklists as an IOC (indicator of compromise).
Unauthorized 3rd Party Application Detection

3rd Party Application Detection and Remediation - The SIEM identifies unauthorized 3rd party applications that have been granted access (effectively a backdoor) into your network, and provides a portal in which you confirm which applications are approved in your environment.
User Behavior Analysis

User behavior analysis examines how users attempt to log in (time, location, device and authentication method) and flags deviations from each user's established baseline.
Windows Account Usage

Windows user account events (account creation and deletion, lockouts, and privilege changes) can be collected and audited.
Windows Application Whitelisting

Application whitelisting events (for example from AppLocker or Software Restriction Policies) should be collected to look for applications that were blocked from execution.
Windows Certificate Services

Certificate Services receives requests for digital certificates over RPC or HTTP; logging these requests shows which certificates were requested and issued, and to whom.
Windows Clearing Event Logs

Clearing an event log is often suspicious, since attackers do it to cover their tracks. Windows records the clearing itself: a cleared Security log produces Event ID 1102, and clearing other logs produces Event ID 104 in the System log.
Windows Defender Activity Monitoring

Spyware and malware remain a serious problem; Windows Defender is the antispyware and antivirus Microsoft developed to combat this threat, and its detection and remediation events should be collected.
Windows DNS/Directory Services

Malicious or misused software often attempts to resolve blocklisted or suspicious domain names, which makes DNS query logs a valuable detection source.
Windows External Media Detection

Detection of USB device usage (e.g., mass storage devices) is important in some environments, such as air-gapped networks.
Windows Kernel Driver Signing

Introduction of kernel driver signing in the 64-bit version of Windows Vista significantly improves defenses against insertion of malicious drivers or activities in the kernel.
Windows Microsoft Cryptography API

The Microsoft CryptoAPI can be used for certificate verification and encryption/decryption of data.
Windows Mobile Device Activities

Wireless devices are ubiquitous and the need to record an enterprise’s wireless device activities may be critical.
Windows Pass The Hash Detection

Detecting Pass the Hash (PtH) from logon events requires a custom Event Viewer view defined in XML, because the GUI filter cannot express the needed combination of event ID, logon type, authentication package and account domain fields.
Windows PowerShell Activities

PowerShell events are worth collecting because PowerShell is included by default in modern Windows installations and is heavily used by attackers; script block logging (Event ID 4104) records the content of the scripts that were executed.
Windows Remote Desktop Logon Detection

Remote Desktop logons are not easily identified in the Event Viewer GUI: they appear as ordinary successful logon events (Event ID 4624) and are distinguished only by logon type 10 (RemoteInteractive) in the event data.
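The filtering that the Pass the Hash and Remote Desktop sections above describe, applied to Windows event XML as an added example (illustration written for this page, not code from the original or from any SIEM). Both rules inspect the same Event ID 4624 fields: RDP is logon type 10, and the PtH heuristic is a network logon (type 3) authenticated with NTLM by an account outside the organization's domain, excluding ANONYMOUS LOGON. The sample records are constructed, the domain name CORP is an assumption, and the PtH condition is one widely used heuristic rather than a definitive test; legitimate NTLM logons by local accounts will also match and need environment-specific exclusions.

```python
"""Classify Windows 4624 logon events: RDP logons and suspected Pass the Hash.

Added example with constructed records. The PtH rule is a heuristic
(type 3 + NTLM + non-domain account, not ANONYMOUS LOGON), not proof of attack.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ORG_DOMAIN = "CORP"  # assumption: the organisation's Active Directory domain (NetBIOS name)


def build_event(event_id, computer, **data):
    """Build a minimal Windows event XML record; used only to construct sample data."""
    fields = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in data.items())
    return (f'<Event xmlns="{EVENT_NS["e"]}">'
            f'<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample records, not real logs.
SAMPLE_EVENTS = [
    # Remote Desktop logon: Event ID 4624 with LogonType 10 (RemoteInteractive)
    build_event(4624, "WS07.corp.example", TargetUserName="alice", TargetDomainName="CORP",
                LogonType="10", AuthenticationPackageName="Negotiate", IpAddress="10.0.0.23"),
    # Network logon over NTLM with a local (non-domain) account: matches the PtH heuristic
    build_event(4624, "FS01.corp.example", TargetUserName="localadmin", TargetDomainName="FS01",
                LogonType="3", AuthenticationPackageName="NTLM", IpAddress="10.0.0.23"),
    # Ordinary Kerberos network logon by a domain account: no alert
    build_event(4624, "FS01.corp.example", TargetUserName="bob", TargetDomainName="CORP",
                LogonType="3", AuthenticationPackageName="Kerberos", IpAddress="10.0.0.41"),
    # NTLM anonymous logon (common SMB noise): excluded from the PtH rule
    build_event(4624, "FS01.corp.example", TargetUserName="ANONYMOUS LOGON",
                TargetDomainName="NT AUTHORITY", LogonType="3",
                AuthenticationPackageName="NTLM", IpAddress="-"),
    # Failed logon (4625): a different event ID, ignored by this classifier
    build_event(4625, "FS01.corp.example", TargetUserName="alice", TargetDomainName="CORP",
                LogonType="3", AuthenticationPackageName="NTLM", IpAddress="10.0.0.23"),
]


def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) from one event XML record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=EVENT_NS)
    computer = root.findtext("e:System/e:Computer", namespaces=EVENT_NS)
    data = {el.get("Name"): (el.text or "").strip()
            for el in root.findall("e:EventData/e:Data", EVENT_NS)}
    return event_id, computer, data


def classify_logon(xml_text, org_domain=ORG_DOMAIN):
    """Return "rdp_logon", "suspected_pth" or None for one event record."""
    event_id, _, d = parse_event(xml_text)
    if event_id != "4624":
        return None
    user = d.get("TargetUserName", "").upper()
    domain = d.get("TargetDomainName", "").upper()
    if d.get("LogonType") == "10":
        return "rdp_logon"
    if (d.get("LogonType") == "3"
            and d.get("AuthenticationPackageName") == "NTLM"
            and user != "ANONYMOUS LOGON"
            and domain != org_domain.upper()):
        return "suspected_pth"
    return None


def scan_logons(records, org_domain=ORG_DOMAIN):
    """Run the classifier over many records and return the alerts with context."""
    alerts = []
    for record in records:
        label = classify_logon(record, org_domain)
        if label:
            _, computer, d = parse_event(record)
            alerts.append({"label": label, "computer": computer,
                           "user": f'{d.get("TargetDomainName")}\\{d.get("TargetUserName")}',
                           "source_ip": d.get("IpAddress")})
    return alerts


if __name__ == "__main__":
    for alert in scan_logons(SAMPLE_EVENTS):
        print(alert)
```

The same conditions, written as an XPath select in a custom view, are what the Pass the Hash section refers to; doing it in code as above is useful when the events have already been shipped to a SIEM as XML or JSON. Expect to add exclusions for known local service accounts and for hosts that are not domain-joined, which legitimately authenticate with NTLM.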
Windows Task Scheduler Activities

Scheduled tasks can be created or deleted maliciously, for example to establish persistence. With object access auditing enabled, Windows logs task creation as Event ID 4698 and task deletion as Event ID 4699.
Windows Windows Firewall

If client workstations are taking advantage of the built-in host-based Windows Firewall, then there is value in collecting events to track the firewall status.
Windows File Modification Monitoring

Detects ransomware activity by monitoring file modifications, such as a burst of renames or writes with new file extensions across many files in a short time.
Last modified February 24, 2023