Windows Security Events

| Attribute | Value |
| --- | --- |
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.10 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-05-23 |
| Last Updated | 2026-02-25 |
| Solution Folder | Windows Security Events |
| Marketplace | Azure Marketplace · Rating: ★★★☆☆ 3.0/5 (4 ratings) · Popularity: 🟢 High (96%) |
The Windows Security Events solution for Microsoft Sentinel allows you to ingest Security events from your Windows machines using the Windows Agent into Microsoft Sentinel. This solution includes two (2) data connectors to help ingest the logs.
- Windows Security Events via AMA - This data connector ingests Security event logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this data connector.
- Security Events via Legacy Agent - This data connector ingests Security event logs into your Log Analytics Workspace using the legacy Log Analytics agent.
Additional Information
📖 Setup Guide: Windows security events via AMA - Collect Windows security events using Azure Monitor Agent
Contents
Data Connectors
This solution provides 2 data connector(s):
Tables Used
This solution uses 3 table(s):
Content Items
This solution includes 72 content item(s):
| Content Type | Count |
| --- | --- |
| Hunting Queries | 50 |
| Analytic Rules | 20 |
| Workbooks | 2 |
Analytic Rules
Hunting Queries
| Name | Tactics | Tables Used |
| --- | --- | --- |
| AD Account Lockout | Impact | SecurityEvent |
| Commands executed by WMI on new hosts - potential Impacket | Execution, LateralMovement | SecurityEvent |
| Crash dump disabled on host | DefenseEvasion | SecurityEvent |
| Cscript script daily summary breakdown | Execution | SecurityEvent |
| Decoy User Account Authentication Attempt | LateralMovement | SecurityEvent |
| Discord download invoked from cmd line | Execution, CommandAndControl, Exfiltration | SecurityEvent |
| Domain controller installation media creation | CredentialAccess | SecurityEvent, WindowsEvent |
| Entropy for Processes for a given Host | Execution | SecurityEvent |
| Enumeration of users and groups | Discovery | SecurityEvent |
| Establishing internal proxies | CommandandControl | SecurityEvent, WindowsEvent |
| Exchange PowerShell Snapin Added | Collection | SecurityEvent |
| Group added to Built in Domain Local or Global Group | Persistence, PrivilegeEscalation | SecurityEvent |
| Host Exporting Mailbox and Removing Export | Collection | SecurityEvent |
| Hosts Running a Rare Process | Execution, Persistence, Discovery, LateralMovement, Collection | SecurityEvent |
| Hosts Running a Rare Process with Commandline | Execution, Persistence, Discovery, LateralMovement, Collection | SecurityEvent |
| Hosts with new logons | CredentialAccess, LateralMovement | SecurityEvent |
| Invoke-PowerShellTcpOneLine Usage. | Exfiltration | SecurityEvent |
| KrbRelayUp Local Privilege Escalation Service Creation | PrivilegeEscalation | Event |
| Least Common Parent And Child Process Pairs | Execution | SecurityEvent |
| Least Common Processes Including Folder Depth | Execution | SecurityEvent |
| Least Common Processes by Command Line | Execution | SecurityEvent |
| Long lookback User Account Created and Deleted within 10mins | Persistence, PrivilegeEscalation | SecurityEvent |
| Masquerading files | Execution | SecurityEvent |
| Multiple Explicit Credential Usage - 4648 events | Discovery, LateralMovement | SecurityEvent |
| New Child Process of W3WP.exe | Execution | SecurityEvent |
| New PowerShell scripts encoded on the commandline | Execution, CommandAndControl | SecurityEvent |
| New processes observed in last 24 hours | Execution | SecurityEvent |
| Nishang Reverse TCP Shell in Base64 | Exfiltration | SecurityEvent |
| Potential Exploitation of MS-RPRN printer bug | PrivilegeEscalation | SecurityEvent |
| PowerShell downloads | Execution, CommandAndControl | SecurityEvent |
| Powercat Download | Exfiltration | SecurityEvent |
| Rare Process Path | Execution | SecurityEvent |
| Rare Processes Run by Service Accounts | Execution | SecurityEvent |
| Remote Task Creation/Update using Schtasks Process | Persistence | SecurityEvent |
| Service installation from user writable directory | Execution | Event |
| Summary of failed user logons by reason of failure | CredentialAccess, LateralMovement | SecurityEvent |
| Summary of user logons by logon type | CredentialAccess, LateralMovement | SecurityEvent |
| Summary of users created using uncommon/undocumented commandline switches | CredentialAccess, LateralMovement | SecurityEvent |
| Suspected LSASS Dump | CredentialAccess | SecurityEvent |
| Suspicious Enumeration using Adfind Tool | Execution, Discovery, Collection | SecurityEvent |
| Suspicious Windows Login Outside Normal Hours | InitialAccess, LateralMovement | SecurityEvent |
| Suspicious command line tokens in LolBins or LolScripts | Execution | SecurityEvent |
| Uncommon processes - bottom 5% | Execution | SecurityEvent |
| User Account added to Built in Sensitive or Privileged Domain Local or Global Group | Persistence, PrivilegeEscalation | SecurityEvent |
| User account added or removed from a security group by an unauthorized user | Persistence, PrivilegeEscalation | SecurityEvent |
| User created by unauthorized user | Persistence, PrivilegeEscalation | SecurityEvent |
| VIP account more than 6 failed logons in 10 | CredentialAccess | SecurityEvent |
| VIP account more than 6 failed logons in 10 | CredentialAccess | SecurityEvent |
| Windows System Shutdown/Reboot(Sysmon) | Impact | Event |
| Windows System Time changed on hosts | DefenseEvasion | SecurityEvent |
Workbooks
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
| --- | --- | --- |
| 3.0.12 | 18-02-2026 | Removed external blog reference text from "Remote Scheduled Task Creation or Update using ATSVC Named Pipe" and "Scheduled Task Creation or Update from User Writable Directory" hunting query description |
| 3.0.11 | 28-01-2026 | Updated Analytic Rule to fix the link from the description & Update Analytic Rule NonDCActiveDirectoryReplication - to reduce false positive results |
| 3.0.10 | 12-01-2026 | Update Analytic Rule NonDCActiveDirectoryReplication - fix swapped fields |
| 3.0.9 | 01-10-2024 | Removed kind from Hunting Query [Service installation from user writable directory] |
| 3.0.8 | 23-07-2024 | Updated the Workspace type from resource type picker to resource picker in Workbook |
| 3.0.7 | 12-06-2024 | Fixed the bugs from Analytic Rules NRT_execute_base64_decodedpayload.yaml and ADFSRemoteAuthSyncConnection.yaml |
| 3.0.6 | 16-05-2024 | Fixed wrong fieldMappings of Analytic Rules password_not_set.yaml |
| 3.0.5 | 21-03-2024 | Updated Entity Mappings of Analytic Rules |
| 3.0.4 | 06-03-2024 | Added New Hunting Queries |
| 3.0.3 | 19-02-2024 | Updated Entity Mapping in Analytical Rule [Non Domain Controller Active Directory Replication] |
| 3.0.2 | 23-01-2024 | Added Sub-Technique in Template |
| 3.0.1 | 13-12-2023 | Updated query in Analytical Rule (AD user enabled and password not set within 48 hours) |
| 3.0.0 | 26-12-2023 | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID. |