Reference for SecurityEvent table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Windows |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AccessMask | string | Hexadecimal mask for the requested or performed operation. |
| Account | string | The account that performed the action, in DOMAIN\user form (the subject's domain and user name combined). |
| AccountDomain | string | Subject's domain or computer name. |
| AccountExpires | string | The date when the account expires. |
| AccountName | string | The name of the account involved in the event (for domain-trust events, the account that requested the operation). |
| AccountSessionIdentifier | string | A unique identifier that is generated by the machine when the session is created. |
| AccountType | string | Identifies whether the account is a computer account (machine) or a user's. |
| Activity | string | The descriptive title of the event occurred. |
| AdditionalInfo | string | Additional information provided by the source that is not mapped to other fields, represented as a list. |
| AdditionalInfo2 | string | Further source-provided information that is not mapped to other fields, represented as a list. |
| AllowedToDelegateTo | string | The list of SPNs to which this account can present delegated credentials. |
| Attributes | string | Additional information about the event. |
| AuditPolicyChanges | string | The audit policy changes recorded by an audit policy change event such as 4719 (for example 'Success Added' or 'Failure removed'). |
| AuditsDiscarded | int | Number of audit messages that were discarded. |
| AuthenticationLevel | int | The RPC authentication level used for the request (numeric, ranging from None and Connect up to Packet Integrity and Packet Privacy), as recorded by RPC events such as 5712. |
| AuthenticationPackageName | string | The name of the authentication package used. For logon events such as 4624 this is typically NTLM, Kerberos or Negotiate; for package-load events such as 4610 the format is DLL_PATH_AND_NAME: AUTHENTICATION_PACKAGE_NAME. |
| AuthenticationProvider | string | The provider that performed the authentication for a network access (NPS) request, for example 'Windows'. |
| AuthenticationServer | string | The server on which the authentication was performed (NPS events). |
| AuthenticationService | int | The RPC authentication service used for the request (numeric), as recorded by RPC events such as 5712. |
| AuthenticationType | string | The type of authentication used for a network access request (for NPS events, the authentication method, such as EAP or PEAP). |
| AzureDeploymentID | string | Azure deployment ID of the cloud service the log belongs to. |
| CACertificateHash | string | The hash value of the certificate authority's (CA) certificate that was used to authenticate the user who performed the event. |
| CalledStationID | string | Information about the ID of the station that initiated the action that led to the security event. |
| CallerProcessId | string | Hexadecimal Process ID of the calling process (for logon failures, the process that attempted the logon). A PID is a number the operating system uses to uniquely identify an active process. |
| CallerProcessName | string | Full path and the name of the executable for the process. |
| CallingStationID | string | Information about the ID of the station that initiated the action that led to the security event. |
| CAPublicKeyHash | string | Hash value that identifies the public key of a certification authority (CA) that issued a certificate. |
| CategoryId | string | The audit category of the event. |
| CertificateDatabaseHash | string | Hash value that identifies the database that issued a certificate. |
| Channel | string | The channel to which the event was logged. |
| ClassId | string | 'Class Guid' attribute of device. |
| ClassName | string | 'Class' attribute of device. |
| ClientAddress | string | IP address of the client from which the request (for example, a Kerberos TGT request) was received. |
| ClientIPAddress | string | IP address of the computer that initiated the action that led to the event. |
| ClientName | string | Computer name from which the user was reconnected (session reconnect events). Has the value 'Unknown' for a console session. |
| CommandLine | string | The command line arguments that were passed to an application or process that was involved in the event. |
| CompatibleIds | string | 'Compatible Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
| Computer | string | The name of the computer on which the event occurred. |
| Correlation | string | The activity identifiers that consumers can use to group related events together. |
| DCDNSName | string | The DNS name of the domain controller that was involved in the event. |
| DeviceDescription | string | The description of the device that was involved in the event. |
| DeviceId | string | The unique identifier of the device that was involved in the event. |
| DisplayName | string | It is a name, displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. |
| Disposition | string | The event outcome/ resolution, such as whether the event was resolved or whether any action was taken in response to the event. |
| DomainBehaviorVersion | string | The msDS-Behavior-Version domain attribute (numeric), reported when a domain policy change modifies it. |
| DomainName | string | The name of the trusted domain involved in the event (for example, the domain whose trust was removed). |
| DomainPolicyChanged | string | Indicates whether any domain policies have been changed as part of the event (password policies, security policies, etc). |
| DomainSid | string | SID of the trust partner. This parameter might not be captured in the event, and in that case appears as 'NULL SID'. |
| EAPType | string | The type of Extensible Authentication Protocol (EAP) that was used for the event authentication process. |
| ElevatedToken | string | A 'Yes' or 'No' flag. If 'Yes', then the session this event represents is elevated and has administrator privileges. |
| ErrorCode | int | Contains error code for Failure events. For Success events this parameter has '0x0' value. |
| EventData | string | Event specific data associated with the event. |
| EventID | int | The identifier that the provider used to identify the event. |
| EventLevelName | string | The rendered message string of the level specified in the event. |
| EventRecordId | string | The record number assigned to the event when it was logged. |
| EventSourceName | string | The name of the software that logged the event (an application or a subcomponent). |
| ExtendedQuarantineState | string | The state of the network quarantine process, if applicable. Network quarantine is a process by which unauthorized devices are prevented from accessing a network until they meet certain security requirements or have been checked for malware. |
| FailureReason | string | Textual explanation of the Status field value (for example 'Unknown user name or bad password' or 'Account locked out'). |
| FileHash | string | The hash value of any files that were accessed or modified as part of the event, or that were used in the authentication or authorization process. |
| FilePath | string | Full path and filename of the key file on which the operation was performed. |
| FilePathNoUser | string | The path of any files that are related to the event, excluding the username or other user-specific information. |
| Filter | string | Filters that are used in the performed event. |
| ForceLogoff | string | '\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire' group policy. |
| Fqbn | string | The fully qualified binary name (FQBN) for any files that are related to the event. |
| FullyQualifiedSubjectMachineName | string | The fully qualified domain name (FQDN) of the machine that initiated the event. |
| FullyQualifiedSubjectUserName | string | The username of the user or service that initiated the event in FQDN format. |
| GroupMembership | string | The list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. |
| HandleId | string | Hexadecimal value of a handle to Object Name. This field can be used for correlation with other events. |
| HardwareIds | string | 'Hardware Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
| HomeDirectory | string | User's home directory. If the homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path of the form \\Server\Share\Directory. |
| HomePath | string | User's home path. The path must be a network UNC path of the form \\Server\Share\Directory. |
| InterfaceUuid | string | The unique identifier (UUID) for the network interface that was used for the event. |
| IpAddress | string | The network address (usually IPv4 or IPv6) associated with the event. |
| IpPort | string | The network port number associated with the event. |
| KeyLength | int | The length of the NTLM session security key, typically 128 or 56 bits. Always 0 when the authentication package is Kerberos, because it does not apply to that protocol. |
| Keywords | string | A bitmask of the keywords defined in the event. |
| Level | string | The severity level Windows assigned to the event, stored as its numeric value. In decreasing order of severity the defined levels are Critical, Error, Warning, Information and Verbose. |
| LmPackageName | string | The name of the LAN Manager sub-package (NTLM V1, NTLM V2 or LM) used during an NTLM logon. Only populated when the authentication package is NTLM; otherwise '-'. |
| LocationInformation | string | 'Location information' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
| LockoutDuration | string | '\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration' group policy. Numeric value. |
| LockoutObservationWindow | string | '\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after' group policy. Numeric value. |
| LockoutThreshold | string | '\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold' group policy. Numeric value. |
| LoggingResult | string | The result of NPS accounting for the request (for example 'Accounting information was written to the local log file'). |
| LogonGuid | string | A GUID that can help you correlate this event with another event that can contain the same Logon GUID. |
| LogonHours | string | Hours that the account is allowed to logon to the domain. |
| LogonID | string | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
| LogonProcessName | string | The name of registered logon process. |
| LogonType | int | The type of logon that was performed: 2 Interactive, 3 Network, 4 Batch, 5 Service, 7 Unlock, 8 NetworkCleartext, 9 NewCredentials, 10 RemoteInteractive, 11 CachedInteractive. |
| LogonTypeName | string | The name of the logon type (common values: Interactive, Network, RemoteInteractive, Unlock). |
| MachineAccountQuota | string | The ms-DS-MachineAccountQuota domain attribute (numeric), reported when a domain policy change modifies it. |
| MachineInventory | string | Information about the hardware and software configuration of the computer where the event was generated (for example make and model, available RAM or storage, installed software versions). |
| MachineLogon | string | Information about a successful logon event in the machine. |
| ManagementGroupName | string | The management group of the agent that collected the event: the System Center Operations Manager management group name for Operations Manager agents, or AOI-<workspace ID> for Log Analytics agents. |
| MandatoryLabel | string | The integrity level SID assigned to the new process (for example S-1-16-8192 Medium, S-1-16-12288 High, S-1-16-16384 System). |
| MaxPasswordAge | string | The period of time (in days) that a password can be used before the system requires the user to change it. |
| MemberName | string | The user account that was involved in the event. |
| MemberSid | string | The security identifier (SID) associated with the user account that was involved in the event. |
| MinPasswordAge | string | The period of time (in days) that a password must be used before the system requires the user to change it. |
| MinPasswordLength | string | The least number of characters that can make up a password for a user account. |
| MixedDomainMode | string | The domain mode of a system or domain controller. |
| NASIdentifier | string | The identifier of the network access server (NAS) that was involved in the event. |
| NASIPv4Address | string | The IPv4Address of the network access server (NAS) that was involved in the event, if applicable. |
| NASIPv6Address | string | The IPv6Address of the network access server (NAS) that was involved in the event, if applicable. |
| NASPort | string | The port on the network access server (NAS) that was used in the event. |
| NASPortType | string | The type of port on the network access server (NAS) used in the event (for example Ethernet, Wireless or Virtual). |
| NetworkPolicyName | string | The name of the network policy associated with the event. |
| NewDate | string | New date in UTC time zone. The format is YYYY-MM-DD. |
| NewMaxUsers | string | The new maximum number of users allowed for a resource in the event. |
| NewProcessId | string | Hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| NewProcessName | string | Full path and the name of the executable for the new process. |
| NewRemark | string | The new value of network share 'Comments:' field. Has 'N/A' value if it isn't set. |
| NewShareFlags | string | The share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions. |
| NewTime | string | New time that was set in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ |
| NewUacValue | string | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. |
| NewValue | string | New value for changed registry key value. |
| NewValueType | string | New type of changed registry key value. |
| ObjectName | string | Name and other identifying information for the object for which access was requested. For example, for a file, the path would be included. |
| ObjectServer | string | The name of the Windows subsystem calling the routine (for example 'Security' for file and registry access events, 'DS' for directory service access events). |
| ObjectType | string | The type of an object that was accessed during the operation. |
| ObjectValueName | string | The name of modified registry key value. |
| OemInformation | string | The original equipment manufacturer (OEM) associated with a device or system in the event. |
| OldMaxUsers | string | The previous maximum number of users allowed for a resource in the event. |
| OldRemark | string | The old value of the network share 'Comments:' field. Has 'N/A' value if it isn't set. |
| OldShareFlags | string | The previous share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions. |
| OldUacValue | string | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of userAccountControl attribute of user object. |
| OldValue | string | Old value for changed registry key value. |
| OldValueType | string | Old type of changed registry key value. |
| Opcode | string | The opcode of the event (rendered name; 'Info' for security audit events). |
| OperationType | string | The type of operation which was performed on an object |
| PackageName | string | The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon. |
| ParentProcessName | string | The name of the parent process associated with the event. |
| PasswordHistoryLength | string | '\Security Settings\Account Policies\Password Policy\Enforce password history' group policy. Numeric value. |
| PasswordLastSet | string | Last time the account's password was modified. |
| PasswordProperties | string | The password policies or properties associated with the event, for example: password length, complexity and expiration date. |
| PreviousDate | string | The previous date associated with the event. |
| PreviousTime | string | Previous time in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ. |
| PrimaryGroupId | string | Relative Identifier (RID) of user's object primary group. |
| PrivateKeyUsageCount | string | The number of times a private key has been used. |
| PrivilegeList | string | The privileges, including user, group, or system privileges associated with the event. |
| Process | string | The file name of the process involved in the event, without its path (for process-creation events, the new process; for example 'fodhelper.exe'). |
| ProcessId | string | Identifies the process that generated the event. |
| ProcessName | string | Full path and the name of the executable for the process. |
| ProfilePath | string | Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. |
| Properties | string | Depends on Object Type. This field can be empty or contain the list of the object properties that were accessed. |
| ProtocolSequence | string | Information about the protocol used for an authentication attempt. |
| ProxyPolicyName | string | Name of the policy that was used to configure the proxy server for connecting to the network. |
| QuarantineHelpURL | string | URL that provides help with troubleshooting a network quarantine issue. |
| QuarantineSessionID | string | Identifier of the session where the file was assessed for quarantine. |
| QuarantineSessionIdentifier | string | Identifier of the session where the file was assessed for quarantine. |
| QuarantineState | string | It shows whether the file is quarantined. |
| QuarantineSystemHealthResult | string | Report that shows the status of the files that have been quarantined. |
| RelativeTargetName | string | Relative name of the accessed target file or folder. This file-path is relative to the network share. If access was requested for the share itself, then this field appears as "". |
| RemoteIpAddress | string | The IP address of the computer that initiated a remote connection. |
| RemotePort | string | The port number of the remote computer that initiated a connection. |
| Requester | string | The event requester identifier. |
| RequestId | string | A unique identifier that's associated with particular requests, such as those made over HTTP. |
| RestrictedAdminMode | string | Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. |
| RowsDeleted | string | The number of rows that were deleted as a part of a particular operation. |
| SamAccountName | string | logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). |
| ScriptPath | string | Specifies the path of the account's logon script. |
| SecurityDescriptor | string | Information about the security settings and permissions of a particular object or resource. |
| ServiceAccount | string | The security context that the service will run as when started. |
| ServiceFileName | string | The fully rooted path of the file the Service Control Manager executes to start the service, including any command-line parameters passed at startup. |
| ServiceName | string | The name of installed service. |
| ServiceStartType | int | How the service is started: 0 Boot, 1 System, 2 Auto start, 3 Demand start (manual), 4 Disabled. |
| ServiceType | string | Indicates the type of service that was registered with the Service Control Manager. |
| SessionName | string | The name of the session to which the user was reconnected. |
| ShareLocalPath | string | The local path of accessed network share. |
| ShareName | string | The name of accessed network share. The format is: \\*\SHARE_NAME. |
| SidHistory | string | Contains previous SIDs used for the object if the object was moved from another domain. |
| SourceComputerId | string | Unique identifier assigned to each computer in a Windows domain. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Status | string | The NTSTATUS code describing why the logon failed (for example 0xC000006D for an unknown user name or bad password, 0xC0000234 for a locked-out account). Microsoft's Windows logon status code table lists the common values. |
| StorageAccount | string | The storage account the event was collected from, when the event was collected through Azure Diagnostics storage rather than an agent. |
| SubcategoryGuid | string | The unique GUID of changed subcategory. |
| SubcategoryId | string | A unique identifier for a specific type of the event. |
| Subject | string | Information about the security principal (for instance: user account) that initiated the event. |
| SubjectAccount | string | Information about the account that is initiating the event. |
| SubjectDomainName | string | Information about the domain or workgroup to which the subject account belongs. |
| SubjectKeyIdentifier | string | A unique identifier for a particular certificate subject. |
| SubjectLogonId | string | A unique identifier for the logon session associated with the subject account. |
| SubjectMachineName | string | Information about the machine or system from which the event was created. |
| SubjectMachineSID | string | The security identifier (SID) for the machine that generated the event. |
| SubjectUserName | string | The name of the user account that generated the event. |
| SubjectUserSid | string | The security identifier (SID) for the user account that generated the event. |
| SubStatus | string | Additional information about the logon failure (for example 0xC0000064 for a nonexistent user name, 0xC000006A for a wrong password). The common sub-status codes are listed in Microsoft's Windows logon status code table. |
| SystemProcessId | int | Identifies the process that generated the event. |
| SystemThreadId | int | Identifies the thread that generated the event. |
| SystemUserId | string | The ID of the user who is responsible for the event. |
| TableId | string | The specific data table identifier the event data is stored in. |
| TargetAccount | string | The account targeted by the event (user name, computer name, etc). |
| TargetDomainName | string | The name of the domain that the target account belongs to. |
| TargetInfo | string | Additional information about the event target (for example: the path to a file or folder, the name of a registry key, etc). |
| TargetLinkedLogonId | string | Information that helps to link related events together by their logon attempt IDs. It can be useful in keeping all relevant events organized, tracking activity across multiple sessions, and identifying the attack source. |
| TargetLogonGuid | string | A globally unique identifier (GUID) associated with the logon session related to the event. |
| TargetLogonId | string | A unique identifier associated with the logon session related to the event. |
| TargetOutboundDomainName | string | The domain that the account specified in the TargetAccount field was authenticated against during an outbound authentication attempt. |
| TargetOutboundUserName | string | The name of the user account that was authenticated during an outbound authentication attempt. |
| TargetServerName | string | The name of the server the credentials were used against (explicit-credential events such as 4648). Has the value 'localhost' if the process was run locally. |
| TargetSid | string | The security identifier (SID) of the target object of the event (for account-management events such as 4720, the affected account). |
| TargetUser | string | The target account of the event: for logon events the account that logged on, for process-creation events the account the new process runs as. |
| TargetUserName | string | The name of the target account: for 4624 the account that logged on, for 4688 the account the new process runs as, for account-management events the affected account. |
| TargetUserSid | string | The security identifier (SID) associated with the user or resource involved in the event. |
| Task | int | The task defined in the event. |
| TemplateContent | string | The content of the certificate template loaded by Certificate Services (template load events such as 4898). |
| TemplateDSObjectFQDN | string | FQDN of the directory service object that represents the certificate template. |
| TemplateInternalName | string | The internal name of the certificate template. |
| TemplateOID | string | The object identifier (OID) of the certificate template. |
| TemplateSchemaVersion | string | Version of the certificate template schema. |
| TemplateVersion | string | Version of the certificate template. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The time stamp when the event was generated on the computer. |
| TokenElevationType | string | Type of token that was assigned to a new process in accordance with User Account Control Policy. |
| TransmittedServices | string | The list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user - most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx. |
| Type | string | The name of the table |
| UserAccountControl | string | Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. |
| UserParameters | string | If you change any setting using Active Directory Users and Computers management console in Dial-in tab of user's account properties, then you will see <value changed, but not displayed> in this field. For local accounts, this field is not applicable and always has <value not set> value. |
| UserPrincipalName | string | Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. |
| UserWorkstations | string | Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. |
| VendorIds | string | 'Vendor Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
| Version | int | Contains the version number of the event's definition. |
| VirtualAccount | string | A 'Yes' or 'No' flag, which indicates if the account is a virtual account (e.g., 'Managed Service Account'), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using 'NetworkService'. |
| Workstation | string | The name of the machine that was used to perform the event. |
| WorkstationName | string | Machine name from which a logon attempt was performed. |
This table is ingested by the following connectors. The solutions and analytic rules that use it are listed after the connector table.
| Connector | Selection Criteria |
|---|---|
| Cyborg Security HUNTER Hunt Packages | |
| [Deprecated] Microsoft Exchange Logs and Events | |
| Microsoft Active-Directory Domain Controllers Security Event Logs | |
| Security Events via Legacy Agent | |
| Semperis Directory Services Protector | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
| Windows Security Events via AMA | |
In solution Attacker Tools Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Powershell Empire Cmdlets Executed in Command Line | |
In solution Dev 0270 Detection and Hunting:
| Analytic Rule | Selection Criteria |
|---|---|
| DEV-0270 New User Creation | |
| Dev-0270 Malicious Powershell usage | |
| Dev-0270 Registry IOC - September 2022 | |
| Dev-0270 WMIC Discovery | |
In solution EatonForeseer:
| Analytic Rule | Selection Criteria |
|---|---|
| EatonForeseer - Unauthorized Logins | AccountType == "User"; EventID in "4624,4625,4634,4647,4648,4675" |
In solution Endpoint Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Base64 encoded Windows process command-lines | |
| Malware in the recycle bin | |
| Potential Remote Desktop Tunneling | EventID in "4624,4625"; LogonType == "10" |
| Process executed from binary hidden in Base64 encoded file | |
| Security Event log cleared | EventSourceName == "Microsoft-Windows-Eventlog" |
| Windows Binaries Executed from Non-Default Directory | EventID == "4688"; NewProcessName has "C:\\Windows\\" |
In solution FalconFriday:
| Analytic Rule | Selection Criteria |
|---|---|
| Certified Pre-Owned - TGTs requested with certificate authentication | EventID == "4768" |
| Certified Pre-Owned - backup of CA private key - rule 1 | Computer contains "<YOUR CA MACHINE NAME>"; EventID == "5058" |
| Certified Pre-Owned - backup of CA private key - rule 2 | Computer contains "<YOUR CA MACHINE NAME>"; EventID == "5059" |
| Excessive share permissions | EventID == "5143" |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in SecurityEvents | |
In solution Network Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Network endpoint to host executable correlation | |
In solution Semperis Directory Services Protector:
| Analytic Rule | Selection Criteria |
|---|---|
| Semperis DSP Failed Logons | EventID == "20002"; EventSourceName == "Semperis-Operation-Log" |
| Semperis DSP Kerberos krbtgt account with old password | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
| Semperis DSP Mimikatz's DCShadow Alert | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
| Semperis DSP Operations Critical Notifications | EventID == "30001"; EventSourceName == "Semperis-DSP-Notifications" |
| Semperis DSP RBAC Changes | EventID == "20012"; EventSourceName == "Semperis-Operation-Log" |
| Semperis DSP Recent sIDHistory changes on AD objects | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
| Semperis DSP Well-known privileged SIDs in sIDHistory | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
| Semperis DSP Zerologon vulnerability | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Email entity to SecurityEvent | |
| TI map File Hash to Security Event | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Email entity to SecurityEvent | |
| TI map File Hash to Security Event | |
In solution Web Shells Threat Protection:
| Analytic Rule | Selection Criteria |
|---|---|
| Identify SysAid Server web shell creation | AccessMask in "0x10,0x100,0x2,0x4"; CommandLine has "SysAidServer"; EventID in "4663,4688"; ObjectName endswith ".jsp"; Process has_any "java.exe" |
In solution Windows Security Events:
| Analytic Rule | Selection Criteria |
|---|---|
| AD FS Remote Auth Sync Connection | EventID in "412,501,5156" |
| AD user enabled and password not set within 48 hours | |
| Excessive Windows Logon Failures | AccountType == "User"; EventID == "4625" |
| Exchange OAB Virtual Directory Attribute Containing Potential Webshell | EventID == "5136" |
| Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task | Account !endswith "$"; EventID in "4624,4688,4697,4698,4699,4700,4701,4702,5145"; LogonType == "3"; RelativeTargetName in "atsvc,svcctl" |
| Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access | EventID in "4656,4663" |
| NRT Base64 Encoded Windows Process Command-lines | CommandLine contains "TVqQAAMAAAAEAAA"; EventID == "4688" |
| NRT Process executed from binary hidden in Base64 encoded file | CommandLine contains ".decode("; CommandLine contains ".decode64("; CommandLine contains "base64 --decode"; EventID == "4688" |
| NRT Security Event log cleared | EventID == "1102"; EventSourceName == "Microsoft-Windows-Eventlog" |
| New EXE deployed via Default Domain or Default Domain Controller Policies | EventID == "4688"; NewProcessName has_any "Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}" |
| Non Domain Controller Active Directory Replication | AccountType != "Machine"; EventID in "4624,4662"; LogonType == "3"; ObjectServer == "DS"; Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"; Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"; Properties has "89e95b76-444d-4c62-991a-0facbeda640c" |
| Potential Fodhelper UAC Bypass | EventID in "4657,4688"; ParentProcessName endswith "cmd.exe"; ParentProcessName endswith "powershell.exe"; ParentProcessName endswith "powershell_ise.exe"; Process == "fodhelper.exe" |
| Potential re-named sdelete usage | CommandLine !has "sdelete"; CommandLine has_all "accepteula"; EventID == "4688"; Process != "sdelete.exe" |
| Process Execution Frequency Anomaly | EventID == "4688" |
| Scheduled Task Hide | EventID == "4657" |
| Sdelete deployed via GPO and run recursively | CommandLine has "-k GPSvcGroup"; CommandLine has "-s gpsvc"; CommandLine has "sdelete"; CommandLine has_all "-s"; EventID == "4688"; ParentProcessName endswith "svchost.exe"; Process in "sdelete.exe,svchost.exe" |
| SecurityEvent - Multiple authentication failures followed by a success | EventID in "4624,4625" |
| Starting or Stopping HealthService to Avoid Detection | EventID in "4624,4656" |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 | |
In solution Attacker Tools Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Potential Impacket Execution | |
In solution Cyborg Security HUNTER:
| Hunting Query | Selection Criteria |
|---|---|
| Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value | NewValue contains "CreateObject"; NewValue contains "Execute("; NewValue contains "RegRead"; NewValue contains "RunHTMLApplication"; NewValue contains "jscript"; NewValue contains "mshtml"; NewValue contains "mshtml,"; NewValue contains "vbscript"; NewValue contains "window.close"; ObjectName !has "\\Run"; ObjectName has "\\CurrentVersion" |
| Excessive Windows Discovery and Execution Processes - Potential Malware Installation | NewProcessName has_any "arp.exe" |
| LSASS Memory Dumping using WerFault.exe - Command Identification | NewProcessName endswith "werfault.exe"; ObjectName endswith "lsass.exe" |
| Metasploit / Impacket PsExec Process Creation Activity | EventID == "4688"; NewProcessName matchesregex "C:\\\\Windows\\\\[a-zA-Z]{8}.exe"; ParentProcessName has "services.exe" |
| Potential Maldoc Execution Chain Observed | |
| PowerShell Pastebin Download | CommandLine contains ".onion"; CommandLine contains "http"; CommandLine contains "paste."; CommandLine has_any "pastebin"; Process has "powershell.exe" |
| Powershell Encoded Command Execution | CommandLine matchesregex "-[Ee^]{1,2}[NnCcOoDdEeMmAaPpHh^]+\s+"; NewProcessName endswith "powershell.exe" |
| Prohibited Applications Spawning cmd.exe or powershell.exe | NewProcessName has_any "cmd.exe"; NewProcessName has_any "winword.exe" |
| Proxy VBScript Execution via CurrentVersion Registry Key | CommandLine contains "\\Microsoft\\Windows\\CurrentVersion"; CommandLine has_all "Execute"; CommandLine has_all "vbscript"; Process has_any "cmd.exe" |
| Rundll32 or cmd Executing Application from Explorer - Potential Malware Execution Chain | CommandLine has "cmd.exe"; CommandLine has_any ",.dll"; CommandLine has_any "explorer"; CommandLine matchesregex "\\/[Cc] +[Ss][Tt][Aa][Rr][Tt].*\\.exe"; ParentProcessName has "explorer.exe"; Process has_any "wscript.exe" |
In solution Endpoint Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Backup Deletion | |
| Download of New File Using Curl | |
| Persisting via IFEO Registry Key | |
| Potential Microsoft Security Services Tampering | |
| Rare Windows Firewall Rule updates using Netsh | AccountType != "Machine"; CommandLine has_all "advfirewall"; EventID == "1"; Process == "netsh.exe" |
| Remote Login Performed with WMI | EventID in "4624,4625" |
| Remote Scheduled Task Creation or Update using ATSVC Named Pipe | EventID == "5145"; RelativeTargetName == "atsvc" |
| Scheduled Task Creation or Update from User Writable Directory | EventID in "4698,4702" |
| Unicode Obfuscation in Command Line | |
In solution Legacy IOC based Threat Protection:
In solution Threat Intelligence:
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to Security Event | EventID in "4648,4673,4688,8002" |
In solution Threat Intelligence (NEW):
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to Security Event | EventID in "4648,4673,4688,8002" |
In solution Windows Security Events:
| Hunting Query | Selection Criteria |
|---|---|
| AD Account Lockout | EventID == "4740" |
| Commands executed by WMI on new hosts - potential Impacket | EventID == "4688"; ParentProcessName endswith "wmiprvse.exe" |
| Crash dump disabled on host | EventID == "4657"; ObjectValueName == "CrashDumpEnabled" |
| Cscript script daily summary breakdown | EventID == "4688" |
| Decoy User Account Authentication Attempt | EventID in "4624,4625" |
| Discord download invoked from cmd line | CommandLine has "powershell"; CommandLine has_any "cdn.discordapp.com"; EventID == "4688"; Process has_any "powershell.exe" |
| Domain controller installation media creation | |
| Entropy for Processes for a given Host | EventID == "4688" |
| Enumeration of users and groups | EventID == "4688" |
| Establishing internal proxies | |
| Exchange PowerShell Snapin Added | CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"; EventID == "4688"; Process has_any "cmd.exe" |
| Group added to Built in Domain Local or Global Group | EventID in "4727,4728,4731,4732,4754,4756" |
| Host Exporting Mailbox and Removing Export | CommandLine has "New-MailboxExportRequest"; CommandLine has "Remove-MailboxExportRequest"; EventID == "4688"; Process in "cmd.exe,powershell.exe" |
| Hosts Running a Rare Process | EventID == "4688" |
| Hosts Running a Rare Process with Commandline | EventID == "4688" |
| Hosts with new logons | EventID in "4624,4625" |
| Invoke-PowerShellTcpOneLine Usage. | CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"; EventID == "4688"; Process has_any "powershell.exe" |
| Least Common Parent And Child Process Pairs | EventID == "4688" |
| Least Common Processes Including Folder Depth | EventID == "4688" |
| Least Common Processes by Command Line | EventID == "4688"; NewProcessName !endswith "conhost.exe" |
| Long lookback User Account Created and Deleted within 10mins | AccountType == "User"; EventID in "4720,4726" |
| Masquerading files | NewProcessName !has ":\\Windows\\System32"; NewProcessName !has ":\\Windows\\Syswow64"; NewProcessName endswith "\\svchost.exe"; SubjectUserSid !in "S-1-5-18,S-1-5-19,S-1-5-20" |
| Multiple Explicit Credential Usage - 4648 events | EventID == "4648"; SubjectUserSid != "S-1-0-0"; TargetInfo has "/" |
| New Child Process of W3WP.exe | EventID == "4688" |
| New PowerShell scripts encoded on the commandline | EventID == "4688" |
| New processes observed in last 24 hours | EventID == "4688" |
| Nishang Reverse TCP Shell in Base64 | CommandLine has "-e"; EventID == "4688"; Process in "powershell.exe,powershell_ise.exe" |
| Potential Exploitation of MS-RPRN printer bug | EventID == "5145"; RelativeTargetName == "spoolss"; ShareName == "\\\\*\\IPC$" |
| PowerShell downloads | EventID == "4688" |
| Powercat Download | EventID == "4688"; Process has_any "cmd.exe" |
| Rare Process Path | EventID == "4688" |
| Rare Processes Run by Service Accounts | EventID in "4624,4688" |
| Remote Task Creation/Update using Schtasks Process | CommandLine has "/s"; EventID == "4688"; NewProcessName == "C:\\Windows\\System32\\schtasks.exe" |
| Summary of user logons by logon type | AccountType == "User"; EventID in "4624,4625" |
| Summary of users created using uncommon/undocumented commandline switches | EventID == "4688" |
| Suspected LSASS Dump | CommandLine has_all "procdump"; CommandLine has_all "rundll32"; EventID == "4688" |
| Suspicious Enumeration using Adfind Tool | CommandLine matchesregex "(.*)>(.*)"; EventID == "4688" |
| Suspicious Windows Login Outside Normal Hours | EventID in "4624,4625"; TargetDomainName !in "Window Manager,Font Driver Host" |
| Suspicious command line tokens in LolBins or LolScripts | EventID == "4688"; SubjectUserName != "SYSTEM"; SubjectUserName !endswith "$" |
| Uncommon processes - bottom 5% | EventID == "4688" |
| User Account added to Built in Sensitive or Privileged Domain Local or Global Group | AccountType == "User"; EventID in "4728,4732,4756"; TargetSid !in "S-1-5-32-555" |
| User account added or removed from a security group by an unauthorized user | EventID in "4728,4729,4732,4733,4746,4747,4751,4752,4756,4757,4761,4762" |
| User created by unauthorized user | AccountType == "User"; EventID == "4720" |
| VIP account more than 6 failed logons in 10 | AccountType == "User"; EventID == "4625" |
| VIP account more than 6 failed logons in 10 | AccountType == "User"; EventID == "4625"; LogonType in "2,3" |
| Windows System Time changed on hosts | EventID == "4616" |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Summary of failed user logons by reason of failure | EventID == "4740" |
In solution AzureSecurityBenchmark:
| Workbook | Selection Criteria |
|---|---|
| AzureSecurityBenchmark | Account !contains "ANONYMOUS LOGON"; AuthenticationPackageName == "NTLM"; EventID in "2889,3000,4624,4768,4769,4776"; LmPackageName == "NTLM V1"; PackageName contains "WDigest" |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution DPDP Compliance:
| Workbook | Selection Criteria |
|---|---|
| DPDPCompliance | |
In solution EatonForeseer:
| Workbook | Selection Criteria |
|---|---|
| EatonForeseerHealthAndAccess | AccountType == "User"; EventID in "4624,4625,4634,4647,4648,4675"; Process != "-" |
In solution GDPR Compliance & Data Security:
| Workbook | Selection Criteria |
|---|---|
| GDPRComplianceAndDataSecurity | |
In solution HIPAA Compliance:
| Workbook | Selection Criteria |
|---|---|
| HIPAACompliance | EventID in "4624,4625" |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | GroupMembership contains "admin"; GroupMembership contains "contributor" |
In solution Microsoft Exchange Security - Exchange On-Premises:
| Workbook | Selection Criteria |
|---|---|
| Microsoft Exchange Admin Activity | EventID in "4624,4720,4722,4724,4725,4726,7036" |
In solution MicrosoftPurviewInsiderRiskManagement:
| Workbook | Selection Criteria |
|---|---|
| InsiderRiskManagement | ErrorCode == "50126"; EventID in "4723,4724" |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution PCI DSS Compliance:
| Workbook | Selection Criteria |
|---|---|
| PCIDSSCompliance | Activity has "privileged"; Activity has_any "An account failed to log on"; SubjectUserName !has "$" |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | AccountType != "Computer"; AccountType != "Machine"; ErrorCode == "500121"; EventID in "1102,4624,4625,4688,4719,4720,4723,4724,4768,4771,4776"; TargetAccount !contains "NT AUTHORITY"; TargetAccount !endswith "$" |
| SecurityStatus | |
In solution SOX IT Compliance:
| Workbook | Selection Criteria |
|---|---|
| SOXITCompliance | EventID in "1100,1102,1104,1240,1241,1242,4656,4657,4660,4663,4670,4688,4719,4720,4726,4732,4739,4754,4907"; ObjectName has_any "xlsx" |
In solution Semperis Directory Services Protector:
| Workbook | Selection Criteria |
|---|---|
| SemperisDSPNotifications | |
| SemperisDSPQuickviewDashboard | ClassName == "group"; ClassName != "dnsNode"; EventID in "20000,20002,20012,9208,9211,9212"; EventSourceName in "Semperis-DSP-Notifications,Semperis-DSP-Security,Semperis-Operation-Log" |
| SemperisDSPSecurityIndicators | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
| SemperisDSPWorkbook | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
In solution Windows Firewall:
| Workbook | Selection Criteria |
|---|---|
| WindowsFirewall | AccountType == "User"; EventID in "4624,4625"; LogonType == "10" |
In solution Windows Security Events:
| Workbook | Selection Criteria |
|---|---|
| EventAnalyzer | EventID in "4656,4657,4658,4660,4661,4663,4664,4670,4671,4673,4674,4690,4691,4698,4699,4700,4701,4702,4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4985,5031,5039,5051,5140,5142,5143,5144,5148,5149,5150,5151,5154,5155,5156,5157,5158,5159,5168,5888,5889,5890" |
| IdentityAndAccess | Process != "-" |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuditEventMicrosoftSecurityEvents | AuditEvent | Microsoft Windows | |
| ASimFileEventMicrosoftSecurityEvents | FileEvent | Microsoft Windows Events | EventID == "4663"; ObjectType == "File" |
| ASimProcessCreateMicrosoftSecurityEvents | ProcessEvent | Security Events | EventID == "4688" |
| ASimProcessTerminateMicrosoftSecurityEvents | ProcessEvent | Security Events | EventID == "4689" |
| ASimRegistryEventMicrosoftSecurityEvent | RegistryEvent | Security Events | EventID in "4657,4663"; ObjectType == "Key" |
| ASimUserManagementMicrosoftSecurityEvent | UserManagement | Microsoft Security Event | EventID in "4744,4748,4749,4753,4759,4763" |
| Parser | Solution | Selection Criteria |
|---|---|---|
| dsp_parser | Semperis Directory Services Protector | EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" |
This table collects data from the following Azure resource types: microsoft.securityinsights/securityinsights, microsoft.compute/virtualmachines, microsoft.connectedvmwarevsphere/virtualmachines, microsoft.azurestackhci/virtualmachines, microsoft.scvmm/virtualmachines, microsoft.compute/virtualmachinescalesets.
References by type: 1 connector, 109 content items, 5 ASIM parsers, 1 other parser.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| EventID == "4688" | - | 15 | 1 | - | 16 |
| EventID in "9208,9211,9212"; EventSourceName == "Semperis-DSP-Security" | 1 | 7 | - | 1 | 9 |
| EventID in "4624,4625" | - | 5 | - | - | 5 |
| AccountType == "User"; EventID == "4625" | - | 2 | - | - | 2 |
| EventID in "4648,4673,4688,8002" | - | 2 | - | - | 2 |
| EventID == "4740" | - | 2 | - | - | 2 |
| AccountType == "User"; EventID in "4624,4625,4634,4647,4648,4675" | - | 1 | - | - | 1 |
| EventID in "4624,4625"; LogonType == "10" | - | 1 | - | - | 1 |
| EventSourceName == "Microsoft-Windows-Eventlog" | - | 1 | - | - | 1 |
| EventID == "4688"; NewProcessName has "C:\\Windows\\" | - | 1 | - | - | 1 |
| Computer contains "<YOUR CA MACHINE NAME>"; EventID == "5058" | - | 1 | - | - | 1 |
| Computer contains "<YOUR CA MACHINE NAME>"; EventID == "5059" | - | 1 | - | - | 1 |
| EventID == "4768" | - | 1 | - | - | 1 |
| EventID == "5143" | - | 1 | - | - | 1 |
| EventID == "20002"; EventSourceName == "Semperis-Operation-Log" | - | 1 | - | - | 1 |
| EventID == "30001"; EventSourceName == "Semperis-DSP-Notifications" | - | 1 | - | - | 1 |
| EventID == "20012"; EventSourceName == "Semperis-Operation-Log" | - | 1 | - | - | 1 |
| AccessMask in "0x10,0x100,0x2,0x4"; CommandLine has "SysAidServer"; EventID in "4663,4688"; ObjectName endswith ".jsp"; Process has_any "java.exe" | - | 1 | - | - | 1 |
| EventID in "412,501,5156" | - | 1 | - | - | 1 |
| EventID == "5136" | - | 1 | - | - | 1 |
| Account !endswith "$"; EventID in "4624,4688,4697,4698,4699,4700,4701,4702,5145"; LogonType == "3"; RelativeTargetName in "atsvc,svcctl" | - | 1 | - | - | 1 |
| EventID in "4656,4663" | - | 1 | - | - | 1 |
| EventID == "4688"; NewProcessName has_any "Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}" | - | 1 | - | - | 1 |
| AccountType != "Machine"; EventID in "4624,4662"; LogonType == "3"; ObjectServer == "DS"; Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"; Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"; Properties has "89e95b76-444d-4c62-991a-0facbeda640c" | - | 1 | - | - | 1 |
| CommandLine contains "TVqQAAMAAAAEAAA"; EventID == "4688" | - | 1 | - | - | 1 |
| CommandLine contains ".decode("; CommandLine contains ".decode64("; CommandLine contains "base64 --decode"; EventID == "4688" | - | 1 | - | - | 1 |
| EventID == "1102"; EventSourceName == "Microsoft-Windows-Eventlog" | - | 1 | - | - | 1 |
| EventID in "4657,4688"; ParentProcessName endswith "cmd.exe"; ParentProcessName endswith "powershell.exe"; ParentProcessName endswith "powershell_ise.exe"; Process == "fodhelper.exe" | - | 1 | - | - | 1 |
| CommandLine !has "sdelete"; CommandLine has_all "accepteula"; EventID == "4688"; Process != "sdelete.exe" | - | 1 | - | - | 1 |
| EventID == "4657" | - | 1 | - | - | 1 |
| CommandLine has "-k GPSvcGroup"; CommandLine has "-s gpsvc"; CommandLine has "sdelete"; CommandLine has_all "-s"; EventID == "4688"; ParentProcessName endswith "svchost.exe"; Process in "sdelete.exe,svchost.exe" | - | 1 | - | - | 1 |
| EventID in "4624,4656" | - | 1 | - | - | 1 |
| NewValue contains "CreateObject"; NewValue contains "Execute("; NewValue contains "RegRead"; NewValue contains "RunHTMLApplication"; NewValue contains "jscript"; NewValue contains "mshtml"; NewValue contains "mshtml,"; NewValue contains "vbscript"; NewValue contains "window.close"; ObjectName !has "\\Run"; ObjectName has "\\CurrentVersion" | - | 1 | - | - | 1 |
| NewProcessName has_any "arp.exe" | - | 1 | - | - | 1 |
| NewProcessName endswith "werfault.exe"; ObjectName endswith "lsass.exe" | - | 1 | - | - | 1 |
| EventID == "4688"; NewProcessName matchesregex "C:\\\\Windows\\\\[a-zA-Z]{8}.exe"; ParentProcessName has "services.exe" | - | 1 | - | - | 1 |
| CommandLine matchesregex "-[Ee^]{1,2}[NnCcOoDdEeMmAaPpHh^]+\s+"; NewProcessName endswith "powershell.exe" | - | 1 | - | - | 1 |
| CommandLine contains ".onion"; CommandLine contains "http"; CommandLine contains "paste."; CommandLine has_any "pastebin"; Process has "powershell.exe" | - | 1 | - | - | 1 |
| NewProcessName has_any "cmd.exe"; NewProcessName has_any "winword.exe" | - | 1 | - | - | 1 |
| CommandLine contains "\\Microsoft\\Windows\\CurrentVersion"; CommandLine has_all "Execute"; CommandLine has_all "vbscript"; Process has_any "cmd.exe" | - | 1 | - | - | 1 |
| CommandLine has "cmd.exe"; CommandLine has_any ",.dll"; CommandLine has_any "explorer"; CommandLine matchesregex "\\/[Cc] +[Ss][Tt][Aa][Rr][Tt].*\\.exe"; ParentProcessName has "explorer.exe"; Process has_any "wscript.exe" | - | 1 | - | - | 1 |
| EventID == "5145"; RelativeTargetName == "atsvc" | - | 1 | - | - | 1 |
| EventID in "4698,4702" | - | 1 | - | - | 1 |
| AccountType != "Machine"; CommandLine has_all "advfirewall"; EventID == "1"; Process == "netsh.exe" | - | 1 | - | - | 1 |
| EventID == "4688"; ParentProcessName endswith "wmiprvse.exe" | - | 1 | - | - | 1 |
| EventID == "4657"; ObjectValueName == "CrashDumpEnabled" | - | 1 | - | - | 1 |
| CommandLine has "powershell"; CommandLine has_any "cdn.discordapp.com"; EventID == "4688"; Process has_any "powershell.exe" | - | 1 | - | - | 1 |
| CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"; EventID == "4688"; Process has_any "cmd.exe" | - | 1 | - | - | 1 |
| EventID in "4727,4728,4731,4732,4754,4756" | - | 1 | - | - | 1 |
| CommandLine has "New-MailboxExportRequest"; CommandLine has "Remove-MailboxExportRequest"; EventID == "4688"; Process in "cmd.exe,powershell.exe" | - | 1 | - | - | 1 |
| CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"; EventID == "4688"; Process has_any "powershell.exe" | - | 1 | - | - | 1 |
| EventID == "4688"; NewProcessName !endswith "conhost.exe" | - | 1 | - | - | 1 |
| NewProcessName !has ":\\Windows\\System32"; NewProcessName !has ":\\Windows\\Syswow64"; NewProcessName endswith "\\svchost.exe"; SubjectUserSid !in "S-1-5-18,S-1-5-19,S-1-5-20" | - | 1 | - | - | 1 |
| EventID == "5145"; RelativeTargetName == "spoolss"; ShareName == "\\\\*\\IPC$" | - | 1 | - | - | 1 |
| EventID == "4648"; SubjectUserSid != "S-1-0-0"; TargetInfo has "/" | - | 1 | - | - | 1 |
| CommandLine has "-e"; EventID == "4688"; Process in "powershell.exe,powershell_ise.exe" | - | 1 | - | - | 1 |
| EventID == "4688"; Process has_any "cmd.exe" | - | 1 | - | - | 1 |
| EventID in "4624,4688" | - | 1 | - | - | 1 |
| CommandLine has "/s"; EventID == "4688"; NewProcessName == "C:\\Windows\\System32\\schtasks.exe" | - | 1 | - | - | 1 |
| CommandLine has_all "procdump"; CommandLine has_all "rundll32"; EventID == "4688" | - | 1 | - | - | 1 |
| EventID == "4688"; SubjectUserName != "SYSTEM"; SubjectUserName !endswith "$" | - | 1 | - | - | 1 |
| CommandLine matchesregex "(.*)>(.*)"; EventID == "4688" | - | 1 | - | - | 1 |
| EventID in "4624,4625"; TargetDomainName !in "Window Manager,Font Driver Host" | - | 1 | - | - | 1 |
| AccountType == "User"; EventID in "4624,4625" | - | 1 | - | - | 1 |
| AccountType == "User"; EventID in "4728,4732,4756"; TargetSid !in "S-1-5-32-555" | - | 1 | - | - | 1 |
| AccountType == "User"; EventID in "4720,4726" | - | 1 | - | - | 1 |
| EventID in "4728,4729,4732,4733,4746,4747,4751,4752,4756,4757,4761,4762" | - | 1 | - | - | 1 |
| AccountType == "User"; EventID == "4720" | - | 1 | - | - | 1 |
| AccountType == "User"; EventID == "4625"; LogonType in "2,3" | - | 1 | - | - | 1 |
| EventID == "4616" | - | 1 | - | - | 1 |
| Account !contains "ANONYMOUS LOGON"; AuthenticationPackageName == "NTLM"; EventID in "2889,3000,4624,4768,4769,4776"; LmPackageName == "NTLM V1"; PackageName contains "WDigest" | - | 1 | - | - | 1 |
| AccountType == "User"; EventID in "4624,4625,4634,4647,4648,4675"; Process != "-" | - | 1 | - | - | 1 |
| GroupMembership contains "admin"; GroupMembership contains "contributor" | - | 1 | - | - | 1 |
| EventID in "4624,4720,4722,4724,4725,4726,7036" | - | 1 | - | - | 1 |
| ErrorCode == "50126"; EventID in "4723,4724" | - | 1 | - | - | 1 |
| Activity has "privileged"; Activity has_any "An account failed to log on"; SubjectUserName !has "$" | - | 1 | - | - | 1 |
| ClassName == "group"; ClassName != "dnsNode"; EventID in "20000,20002,20012,9208,9211,9212"; EventSourceName in "Semperis-DSP-Notifications,Semperis-DSP-Security,Semperis-Operation-Log" | - | 1 | - | - | 1 |
| AccountType != "Computer"; AccountType != "Machine"; ErrorCode == "500121"; EventID in "1102,4624,4625,4688,4719,4720,4723,4724,4768,4771,4776"; TargetAccount !contains "NT AUTHORITY"; TargetAccount !endswith "$" | - | 1 | - | - | 1 |
| EventID in "1100,1102,1104,1240,1241,1242,4656,4657,4660,4663,4670,4688,4719,4720,4726,4732,4739,4754,4907"; ObjectName has_any "xlsx" | - | 1 | - | - | 1 |
| AccountType == "User"; EventID in "4624,4625"; LogonType == "10" | - | 1 | - | - | 1 |
| EventID in "4656,4657,4658,4660,4661,4663,4664,4670,4671,4673,4674,4690,4691,4698,4699,4700,4701,4702,4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4985,5031,5039,5051,5140,5142,5143,5144,5148,5149,5150,5151,5154,5155,5156,5157,5158,5159,5168,5888,5889,5890" | - | 1 | - | - | 1 |
| Process != "-" | - | 1 | - | - | 1 |
| EventID == "4663"; ObjectType == "File" | - | - | 1 | - | 1 |
| EventID == "4689" | - | - | 1 | - | 1 |
| EventID in "4657,4663"; ObjectType == "Key" | - | - | 1 | - | 1 |
| EventID in "4744,4748,4749,4753,4759,4763" | - | - | 1 | - | 1 |
| Total | 1 | 109 | 5 | 1 | 116 |
Values referenced for column AccessMask:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 0x10 | - | 1 | - | - | 1 |
| 0x100 | - | 1 | - | - | 1 |
| 0x2 | - | 1 | - | - | 1 |
| 0x4 | - | 1 | - | - | 1 |
Values referenced for column Account:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| !endswith $ | - | 1 | - | - | 1 |
| !contains ANONYMOUS LOGON | - | 1 | - | - | 1 |
Values referenced for column AccountType:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| User | - | 10 | - | - | 10 |
| != Machine | - | 3 | - | - | 3 |
| != Computer | - | 1 | - | - | 1 |
Values referenced for column Activity:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has privileged | - | 1 | - | - | 1 |
| has_any An account failed to log on | - | 1 | - | - | 1 |
Values referenced for column AuthenticationPackageName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| NTLM | - | 1 | - | - | 1 |
Values referenced for column ClassName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| group | - | 1 | - | - | 1 |
| != dnsNode | - | 1 | - | - | 1 |
Values referenced for column CommandLine:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has SysAidServer | - | 1 | - | - | 1 |
| contains TVqQAAMAAAAEAAA | - | 1 | - | - | 1 |
| contains .decode( | - | 1 | - | - | 1 |
| contains .decode64( | - | 1 | - | - | 1 |
| contains base64 --decode | - | 1 | - | - | 1 |
| !has sdelete | - | 1 | - | - | 1 |
| has_all accepteula | - | 1 | - | - | 1 |
| has -k GPSvcGroup | - | 1 | - | - | 1 |
| has -s gpsvc | - | 1 | - | - | 1 |
| has sdelete | - | 1 | - | - | 1 |
| has_all -s | - | 1 | - | - | 1 |
| contains .onion | - | 1 | - | - | 1 |
| contains http | - | 1 | - | - | 1 |
| contains paste. | - | 1 | - | - | 1 |
| has_any pastebin | - | 1 | - | - | 1 |
| contains \\Microsoft\\Windows\\CurrentVersion | - | 1 | - | - | 1 |
| has_all Execute | - | 1 | - | - | 1 |
| has_all vbscript | - | 1 | - | - | 1 |
| has cmd.exe | - | 1 | - | - | 1 |
| has_any .dll | - | 1 | - | - | 1 |
| has_any explorer | - | 1 | - | - | 1 |
| has_all advfirewall | - | 1 | - | - | 1 |
| has powershell | - | 1 | - | - | 1 |
| has_any cdn.discordapp.com | - | 1 | - | - | 1 |
| has Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin | - | 1 | - | - | 1 |
| has New-MailboxExportRequest | - | 1 | - | - | 1 |
| has Remove-MailboxExportRequest | - | 1 | - | - | 1 |
| has $client = New-Object System.Net.Sockets.TCPClient | - | 1 | - | - | 1 |
| has -e | - | 1 | - | - | 1 |
| has /s | - | 1 | - | - | 1 |
| has_all procdump | - | 1 | - | - | 1 |
| has_all rundll32 | - | 1 | - | - | 1 |
Values referenced for column Computer:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains <YOUR CA MACHINE NAME> | - | 2 | - | - | 2 |
Values referenced for column ErrorCode:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 50126 | - | 1 | - | - | 1 |
| 500121 | - | 1 | - | - | 1 |
Values referenced for column EventID:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 4688 | - | 42 | 1 | - | 43 |
| 4624 | - | 18 | - | - | 18 |
| 4625 | - | 15 | - | - | 15 |
| 9208 | 1 | 8 | - | 1 | 10 |
| 9211 | 1 | 8 | - | 1 | 10 |
| 9212 | 1 | 8 | - | 1 | 10 |
| 4663 | - | 4 | 2 | - | 6 |
| 4657 | - | 5 | 1 | - | 6 |
| 4648 | - | 5 | - | - | 5 |
| 4720 | - | 5 | - | - | 5 |
| 4656 | - | 4 | - | - | 4 |
| 4732 | - | 4 | - | - | 4 |
| 4768 | - | 3 | - | - | 3 |
| 4698 | - | 3 | - | - | 3 |
| 4702 | - | 3 | - | - | 3 |
| 5145 | - | 3 | - | - | 3 |
| 1102 | - | 3 | - | - | 3 |
| 4673 | - | 3 | - | - | 3 |
| 4728 | - | 3 | - | - | 3 |
| 4756 | - | 3 | - | - | 3 |
| 4726 | - | 3 | - | - | 3 |
| 4724 | - | 3 | - | - | 3 |
| 4719 | - | 3 | - | - | 3 |
| 4634 | - | 2 | - | - | 2 |
| 4647 | - | 2 | - | - | 2 |
| 4675 | - | 2 | - | - | 2 |
| 5143 | - | 2 | - | - | 2 |
| 20002 | - | 2 | - | - | 2 |
| 20012 | - | 2 | - | - | 2 |
| 5156 | - | 2 | - | - | 2 |
| 4699 | - | 2 | - | - | 2 |
| 4700 | - | 2 | - | - | 2 |
| 4701 | - | 2 | - | - | 2 |
| 8002 | - | 2 | - | - | 2 |
| 4740 | - | 2 | - | - | 2 |
| 4754 | - | 2 | - | - | 2 |
| 4776 | - | 2 | - | - | 2 |
| 4723 | - | 2 | - | - | 2 |
| 4660 | - | 2 | - | - | 2 |
| 4670 | - | 2 | - | - | 2 |
| 4907 | - | 2 | - | - | 2 |
| 5058 | - | 1 | - | - | 1 |
| 5059 | - | 1 | - | - | 1 |
| 30001 | - | 1 | - | - | 1 |
| 412 | - | 1 | - | - | 1 |
| 501 | - | 1 | - | - | 1 |
| 5136 | - | 1 | - | - | 1 |
| 4697 | - | 1 | - | - | 1 |
| 4662 | - | 1 | - | - | 1 |
| 1 | - | 1 | - | - | 1 |
| 4727 | - | 1 | - | - | 1 |
| 4731 | - | 1 | - | - | 1 |
| 4729 | - | 1 | - | - | 1 |
| 4733 | - | 1 | - | - | 1 |
| 4746 | - | 1 | - | - | 1 |
| 4747 | - | 1 | - | - | 1 |
| 4751 | - | 1 | - | - | 1 |
| 4752 | - | 1 | - | - | 1 |
| 4757 | - | 1 | - | - | 1 |
| 4761 | - | 1 | - | - | 1 |
| 4762 | - | 1 | - | - | 1 |
| 4616 | - | 1 | - | - | 1 |
| 2889 | - | 1 | - | - | 1 |
| 3000 | - | 1 | - | - | 1 |
| 4769 | - | 1 | - | - | 1 |
| 4722 | - | 1 | - | - | 1 |
| 4725 | - | 1 | - | - | 1 |
| 7036 | - | 1 | - | - | 1 |
| 20000 | - | 1 | - | - | 1 |
| 4771 | - | 1 | - | - | 1 |
| 1100 | - | 1 | - | - | 1 |
| 1104 | - | 1 | - | - | 1 |
| 1240 | - | 1 | - | - | 1 |
| 1241 | - | 1 | - | - | 1 |
| 1242 | - | 1 | - | - | 1 |
| 4739 | - | 1 | - | - | 1 |
| 4658 | - | 1 | - | - | 1 |
| 4661 | - | 1 | - | - | 1 |
| 4664 | - | 1 | - | - | 1 |
| 4671 | - | 1 | - | - | 1 |
| 4674 | - | 1 | - | - | 1 |
| 4690 | - | 1 | - | - | 1 |
| 4691 | - | 1 | - | - | 1 |
| 4715 | - | 1 | - | - | 1 |
| 4817 | - | 1 | - | - | 1 |
| 4902 | - | 1 | - | - | 1 |
| 4904 | - | 1 | - | - | 1 |
| 4905 | - | 1 | - | - | 1 |
| 4906 | - | 1 | - | - | 1 |
| 4908 | - | 1 | - | - | 1 |
| 4912 | - | 1 | - | - | 1 |
| 4985 | - | 1 | - | - | 1 |
| 5031 | - | 1 | - | - | 1 |
| 5039 | - | 1 | - | - | 1 |
| 5051 | - | 1 | - | - | 1 |
| 5140 | - | 1 | - | - | 1 |
| 5142 | - | 1 | - | - | 1 |
| 5144 | - | 1 | - | - | 1 |
| 5148 | - | 1 | - | - | 1 |
| 5149 | - | 1 | - | - | 1 |
| 5150 | - | 1 | - | - | 1 |
| 5151 | - | 1 | - | - | 1 |
| 5154 | - | 1 | - | - | 1 |
| 5155 | - | 1 | - | - | 1 |
| 5157 | - | 1 | - | - | 1 |
| 5158 | - | 1 | - | - | 1 |
| 5159 | - | 1 | - | - | 1 |
| 5168 | - | 1 | - | - | 1 |
| 5888 | - | 1 | - | - | 1 |
| 5889 | - | 1 | - | - | 1 |
| 5890 | - | 1 | - | - | 1 |
| 4689 | - | - | 1 | - | 1 |
| 4744 | - | - | 1 | - | 1 |
| 4748 | - | - | 1 | - | 1 |
| 4749 | - | - | 1 | - | 1 |
| 4753 | - | - | 1 | - | 1 |
| 4759 | - | - | 1 | - | 1 |
| 4763 | - | - | 1 | - | 1 |
Values referenced for column EventSourceName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Semperis-DSP-Security | 1 | 8 | - | 1 | 10 |
| Semperis-Operation-Log | - | 3 | - | - | 3 |
| Microsoft-Windows-Eventlog | - | 2 | - | - | 2 |
| Semperis-DSP-Notifications | - | 2 | - | - | 2 |
Values referenced for column GroupMembership:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains admin | - | 1 | - | - | 1 |
| contains contributor | - | 1 | - | - | 1 |
Values referenced for column LmPackageName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| NTLM V1 | - | 1 | - | - | 1 |
Values referenced for column LogonType:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 3 | - | 3 | - | - | 3 |
| 10 | - | 2 | - | - | 2 |
| 2 | - | 1 | - | - | 1 |
Values referenced for column NewProcessName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has C:\\Windows\\ | - | 1 | - | - | 1 |
| has_any Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9} | - | 1 | - | - | 1 |
| has_any arp.exe | - | 1 | - | - | 1 |
| endswith werfault.exe | - | 1 | - | - | 1 |
| endswith powershell.exe | - | 1 | - | - | 1 |
| has_any cmd.exe | - | 1 | - | - | 1 |
| has_any winword.exe | - | 1 | - | - | 1 |
| !endswith conhost.exe | - | 1 | - | - | 1 |
| !has :\\Windows\\System32 | - | 1 | - | - | 1 |
| !has :\\Windows\\Syswow64 | - | 1 | - | - | 1 |
| endswith \\svchost.exe | - | 1 | - | - | 1 |
| C:\\Windows\\System32\\schtasks.exe | - | 1 | - | - | 1 |
Values referenced for column NewValue:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains CreateObject | - | 1 | - | - | 1 |
| contains Execute( | - | 1 | - | - | 1 |
| contains RegRead | - | 1 | - | - | 1 |
| contains RunHTMLApplication | - | 1 | - | - | 1 |
| contains jscript | - | 1 | - | - | 1 |
| contains mshtml | - | 1 | - | - | 1 |
| contains mshtml, | - | 1 | - | - | 1 |
| contains vbscript | - | 1 | - | - | 1 |
| contains window.close | - | 1 | - | - | 1 |
Values referenced for column ObjectName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| endswith .jsp | - | 1 | - | - | 1 |
| !has \\Run | - | 1 | - | - | 1 |
| has \\CurrentVersion | - | 1 | - | - | 1 |
| endswith lsass.exe | - | 1 | - | - | 1 |
| has_any xlsx | - | 1 | - | - | 1 |
Values referenced for column ObjectServer:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| DS | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| File | - | - | 1 | - | 1 |
| Key | - | - | 1 | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| CrashDumpEnabled | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains WDigest | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| endswith cmd.exe | - | 1 | - | - | 1 |
| endswith powershell.exe | - | 1 | - | - | 1 |
| endswith powershell_ise.exe | - | 1 | - | - | 1 |
| endswith svchost.exe | - | 1 | - | - | 1 |
| has services.exe | - | 1 | - | - | 1 |
| has explorer.exe | - | 1 | - | - | 1 |
| endswith wmiprvse.exe | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has_any cmd.exe | - | 3 | - | - | 3 |
| has_any powershell.exe | - | 2 | - | - | 2 |
| powershell.exe | - | 2 | - | - | 2 |
| != - | - | 2 | - | - | 2 |
| has_any java.exe | - | 1 | - | - | 1 |
| fodhelper.exe | - | 1 | - | - | 1 |
| != sdelete.exe | - | 1 | - | - | 1 |
| sdelete.exe | - | 1 | - | - | 1 |
| svchost.exe | - | 1 | - | - | 1 |
| has powershell.exe | - | 1 | - | - | 1 |
| has_any wscript.exe | - | 1 | - | - | 1 |
| netsh.exe | - | 1 | - | - | 1 |
| cmd.exe | - | 1 | - | - | 1 |
| powershell_ise.exe | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | - | 1 | - | - | 1 |
| has 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | - | 1 | - | - | 1 |
| has 89e95b76-444d-4c62-991a-0facbeda640c | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| atsvc | - | 2 | - | - | 2 |
| svcctl | - | 1 | - | - | 1 |
| spoolss | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| \\\\*\\IPC$ | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != SYSTEM | - | 1 | - | - | 1 |
| !endswith $ | - | 1 | - | - | 1 |
| !has $ | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != S-1-5-18 | - | 1 | - | - | 1 |
| != S-1-5-19 | - | 1 | - | - | 1 |
| != S-1-5-20 | - | 1 | - | - | 1 |
| != S-1-0-0 | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| !contains NT AUTHORITY | - | 1 | - | - | 1 |
| !endswith $ | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != Window Manager | - | 1 | - | - | 1 |
| != Font Driver Host | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has / | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != S-1-5-32-555 | - | 1 | - | - | 1 |