
Quick Start Security for Microsoft Windows

Microsoft Windows

Coralogix Extension For Microsoft Windows Includes:

Alerts - 48

Stay on top of Microsoft Windows key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A logon was attempted using explicit credentials

This alert triggers when a process attempts a logon by explicitly supplying an account's credentials (for example RunAs, a scheduled task or service running under a specific account, or a process connecting to a remote host as another user). Event 4648 is generated routinely in normal operation, so it is strongly advised to fine-tune this alert by the SubjectUserName, TargetUserName and TargetServerName fields according to your security monitoring needs and organizational policy; otherwise it fires for every such logon. Consult Microsoft documentation for further recommendations: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648

Kerberos pre-authentication failed

This alert triggers for every Kerberos pre-authentication failure. It is strongly advised to fine-tune this alert according to your security monitoring needs and organizational policy in order to avoid an alert for every failure. The Failure Code field tells the causes apart; 0x18 (KDC_ERR_PREAUTH_FAILED, normally a wrong password) is the one that matters for password-guessing detection, and a run of 0x18 failures against one account is the Kerberos counterpart of a 4625 burst. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

An operation was performed on an object

This alert triggers for every operation performed on an Active Directory object. Event 4662 is only generated for objects whose SACL audits the access, and its Properties field lists the GUIDs of the attributes or control-access rights involved. It is strongly advised to fine-tune this alert according to your security monitoring needs and organizational policy in order to avoid an alert for every operation; one filter worth keeping is on the replication control-access rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) requested by an account that is not a domain controller, which is how DCSync-style credential replication shows up in this event. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662

An account failed to log on

This alert triggers for every failed account logon. It is strongly advised to fine-tune this alert according to your security monitoring needs and organizational policy in order to avoid an alert for every login failure. The Status and SubStatus fields distinguish a wrong password (0xC000006A) from a nonexistent user (0xC0000064) or a disabled account (0xC0000072), and the LogonType and IpAddress fields show how and from where the attempt was made. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

A process has exited

This alert triggers for every process that has exited. It can be fine-tuned to watch a list of processes that should always be running (EDR agents or other critical processes) and to notify when one of them terminates. Since a 4689 is logged for every exiting process, compare the ProcessName field against that list rather than alerting on the event alone; otherwise you get an alert for every ordinary process termination. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4689

A new process has been created

This alert triggers for every new process created on a computer. It is strongly advised to fine-tune this alert for your needs in order to avoid an alert for every process creation. Note that 4688 only carries the process command line when the "Include command line in process creation events" policy is enabled; without it you see only the image path and the parent process. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688

An Active Directory replica source naming context was removed

This alert triggers when an Active Directory replica source naming context was removed. Validate that this action was authorized: changing replication between domain controllers can disrupt your network or hinder operations because AD information stops replicating between domain controllers. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4929

A directory service object was deleted

This alert triggers when an Active Directory object is deleted. Like the other directory service events, 5141 is only generated for objects whose SACL audits the operation, so it is advised to fine-tune this alert according to Microsoft recommendations and your environment. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141

A directory service object was created

This alert triggers when an Active Directory object is created. It is advised to fine-tune this alert according to Microsoft recommendations and your environment. Note that you must configure auditing (SACLs) for the relevant object classes on the Active Directory container before event 5137 is generated at all. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137

A computer account was changed

This alert detects when the attributes of a computer account were changed. It is advised to scope this alert to critical accounts (such as domain controller accounts) to avoid excessive alerting on ordinary workstation accounts. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742

Script Block Logging - powershell command run

This alert is based on PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the content of each script block as PowerShell executes it, including the decoded content of commands passed with -EncodedCommand. Script block logging must be enabled by policy ("Turn on PowerShell Script Block Logging") before these events exist. Review the logged code and verify its legitimacy.

The ACL was set on accounts that are members of administrator's groups

Event 4780 is logged when the SDProp process finds that the ACL of an account that is a member of an administrative group differs from the AdminSDHolder template and resets it. Changes in the ACL of admin-group members should be reviewed and approved; an account that keeps being reset indicates that something repeatedly modifies its permissions. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4780

A security-enabled local group membership was enumerated

Attackers enumerate group membership to plan privilege escalation and lateral movement in the network; built-in commands (such as net localgroup administrators) and reconnaissance tooling query local groups before exploiting them. It is advised to monitor high-value groups (such as the local Administrators group) for enumeration and to check the CallerProcessName field to see which process performed it. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799

A user's local group membership was enumerated

Attackers enumerate a user's group memberships to find which accounts are worth compromising and where they have access, which facilitates lateral movement in the network. It is advised to monitor high-value accounts for enumeration and to check the CallerProcessName field to see which process performed it. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798

Shadow copy has been created

Shadow Copy (the Volume Shadow Copy Service, VSS) is the Windows snapshot facility for volumes and files. Shadow copy creation should be monitored: attackers create shadow copies to read files that are locked while Windows runs, such as the Active Directory database (NTDS.dit) or the SAM and SYSTEM registry hives, and exfiltrate them for offline credential extraction. Event 8222 is written to the Security log by VSS and has no dedicated page in the Microsoft auditing documentation.

An account was successfully logged on

This alert detects a successful account logon. It is advised to scope it to critical accounts (such as admin accounts) and to use the LogonType field (for example 10 for RDP, 3 for network logons) to avoid excessive logon alerts. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

A network share object was checked to see whether the client can be granted desired access

This alert monitors checks of whether a client may access a file or folder on a network share. One 5145 is logged per access check, so the event is very noisy; it is advised to fine-tune this alert before enabling it, for example to administrative shares such as ADMIN$ and C$ (ShareName) or to specific paths (RelativeTargetName). Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145

A handle to an object was requested

This alert monitors handle requests for file system, kernel and registry objects. Event 4656 is only generated for objects with a matching SACL, and a handle request is not yet an access (the access itself is recorded in 4663), so it is advised to fine-tune this alert to your specific needs. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656

A network share object was accessed

This alert monitors network share access. It is advised to fine-tune this alert to critical network shares in order to minimize noise. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140

The Windows Filtering Platform has allowed a connection

This alert can monitor multiple scenarios according to your network usage (for example outbound connections from servers to unexpected destinations or ports). Event 5156 is logged for every allowed connection and is very high-volume, so it is advised to fine-tune this alert to your specific needs before enabling it. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156

An account was logged off

This alert detects more logoff activity than usual. Logoffs from many different machines in a short time can accompany mass reboots, including those caused by malware that restarts hosts to install persistence mechanisms or after ransomware deployment, but also routine maintenance windows, so review the timing and the affected hosts. This alert can be fine-tuned to specific computers, groups or users. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634

A Kerberos ticket was requested

Event 4769 is logged for every Kerberos service ticket (TGS) request. More requests than usual from a single account might indicate malicious activity such as Kerberoasting, where an attacker requests service tickets for many service accounts in order to crack their passwords offline. Review bursts of requests made in a short time and look for patterns: a single user or machine making all the requests, many distinct ServiceName values, or tickets with TicketEncryptionType 0x17 (RC4), which Kerberoasting tools prefer because RC4 tickets are the cheapest to crack. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769

Kerberos TGS Request

Despite the alert's name, event 4768 is logged for Kerberos authentication ticket (TGT) requests, the AS exchange that happens at logon, not for TGS requests (those are event 4769). More requests than usual might still indicate malicious activity, for example password spraying or account enumeration against the KDC. Review bursts made in a short time and look for patterns: a single source address requesting tickets for many different accounts, or a high rate of failure codes. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768

A privileged service was called

This alert monitors calls to privileged system services. It is advised to fine-tune this alert to your specific needs. Consult Microsoft documentation for further information: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673

Special privileges assigned to new logon

This alert monitors logons that are assigned sensitive privileges (such as acting as part of the operating system, backing up or restoring files, debugging programs or taking ownership of objects). Event 4672 is generated for a new logon session, not for a new account, and every logon by an administrator or by SYSTEM produces one, so it is advised to fine-tune this alert to your specific needs. Consult Microsoft documentation for further information - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672

An attempt was made to access an object

This alert monitors access attempts (reads, writes and deletes, as recorded in the AccessMask field) to file system, kernel or registry objects that have a matching SACL. It is advised to fine-tune this alert to your specific needs. Consult Microsoft documentation for further information - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663

A user has changed his password

An attacker who controls an account can change its password to lock out the legitimate user and hinder regular network operations. Event 4723 records a user changing their own password (a reset by another account is event 4724). It is advised to adjust this rule to monitor highly privileged accounts to avoid alerting on every password change. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723

A user was renamed

An attacker can rename a user account to hinder regular network operations or hide malicious activity (for example renaming a newly created account to resemble a legitimate one). It is advised to monitor privileged accounts, such as admin or service accounts, in particular and to avoid excessive alerting on every rename. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781

A user was disabled

An attacker can disable a user account to hinder regular network operations. It is advised to adjust this rule to monitor highly privileged accounts. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725

A user account has been unlocked

Unlocking a user account should be reviewed and verified, as attackers might unlock an account they locked out in order to continue malicious activity. If the action was not sanctioned, it might indicate that the account performing it has been compromised. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767

A scheduled task was created

Scheduled task creation is a well-known method for attackers to establish persistence on a machine. It is recommended to monitor scheduled task creation events and verify they are legitimate; event 4698 includes the task's XML definition, so the command it runs and the account it runs as can be checked directly. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698

A privileged user changed a user's password

This alert monitors every password reset performed on an account by another account (event 4724), as opposed to a user changing their own password (event 4723). Consider scoping it to privileged target accounts and to subjects outside the help desk or identity management tooling. Refer to Microsoft documentation for further details - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724

A user was modified

This alert covers many kinds of changes to a user account: event 4738 is logged for changes to attributes such as the account control flags, logon hours, home directory or SID history. Refer to Microsoft documentation for further details - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738

A user has been locked out

A user lockout (especially of an administrator account) can indicate malicious activity: repeated attempts to access an account until the lockout policy triggers. It is recommended to scope this alert to specific groups/users to avoid an alert for every lockout in the domain. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740

The security Log is now full

By default, event logs are circular: the oldest events are overwritten as new ones arrive. If "Do not overwrite events (clear logs manually)" is enabled, the security log can become full. A full log accepts no new events, which helps an attacker hide their actions on a machine, and an attacker may even change the retention policy for exactly that reason. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1104

powershell.exe process was started

PowerShell is the go-to command-line tool for IT staff to perform actions and build automation in a Windows network. For the same reason it is widely used by attackers as a living-off-the-land tool to run malicious commands. Note that this alert only covers a directly started powershell.exe that was recorded in the event log (event 4688); attackers can invoke PowerShell in other ways this alert does not catch, for example by loading the PowerShell engine (System.Management.Automation) from a custom host process, or by copying or renaming the executable.
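The process alerts on this page (A process has exited, A new process has been created, and this powershell.exe alert) all key on the image path carried in events 4688 and 4689. The Python below is an added example, not Coralogix code, of the two checks a practitioner wants from them: a must-run watchlist compared against 4689, and a PowerShell-host check against 4688 that also records the parent process and whether -EncodedCommand was used, while flagging hosts where the CommandLine field is empty because command-line auditing is not enabled. The watchlist names and all sample events are constructed.

```python
"""Process-watch detections over Windows Security events 4688 (a new process
has been created) and 4689 (a process has exited).

Added example, not Coralogix code. Field names follow the Security event XML
(NewProcessName, ParentProcessName, CommandLine for 4688; ProcessName for 4689).
The must-run watchlist and all sample events are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed watchlist of processes that must never exit on a managed host.
# Replace with the image names of your own EDR/AV agents.
CRITICAL_PROCESSES = {"edr-agent.exe", "msmpeng.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")


@dataclass
class ProcEvent:
    event_id: int
    computer: str
    subject_user_name: str
    process_name: str               # full path: NewProcessName (4688) or ProcessName (4689)
    parent_process_name: str = ""   # 4688 only
    command_line: str = ""          # 4688 only; empty unless command-line auditing is on


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return ntpath.basename(path).lower()


def critical_process_exits(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """4689 events whose image is on the must-run watchlist."""
    return [e for e in events
            if e.event_id == 4689 and image_name(e.process_name) in CRITICAL_PROCESSES]


def powershell_starts(events: Iterable[ProcEvent]) -> List[dict]:
    """4688 events for a PowerShell host, with the parent image and whether an encoded
    command was passed. command_line_missing is True when the host does not log command
    lines, in which case the encoded check could not be made."""
    findings = []
    for e in events:
        if e.event_id != 4688 or image_name(e.process_name) not in POWERSHELL_HOSTS:
            continue
        findings.append({
            "host": e.computer,
            "user": e.subject_user_name,
            "parent": image_name(e.parent_process_name),
            "encoded": bool(ENCODED_FLAG.search(e.command_line)),
            "command_line_missing": e.command_line == "",
        })
    return findings


# Constructed sample events. The -enc payload decodes to the harmless string "echo hi".
SAMPLE_EVENTS = [
    ProcEvent(4688, "WS-042", "jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ProcEvent(4688, "WS-042", "jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "powershell.exe -nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA="),
    ProcEvent(4688, "WS-077", "svc-build", r"C:\Program Files\PowerShell\7\pwsh.exe",
              r"C:\Windows\System32\cmd.exe", ""),       # no command-line auditing on WS-077
    ProcEvent(4688, "WS-042", "jdoe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
    ProcEvent(4689, "WS-042", "SYSTEM", r"C:\Program Files\EDR\edr-agent.exe"),
    ProcEvent(4689, "WS-042", "jdoe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for e in critical_process_exits(SAMPLE_EVENTS):
        print(f"CRITICAL EXIT {image_name(e.process_name)} on {e.computer}")
    for f in powershell_starts(SAMPLE_EVENTS):
        print(f"POWERSHELL {f['host']} user={f['user']} parent={f['parent']} "
              f"encoded={f['encoded']} cmdline_missing={f['command_line_missing']}")
```

Matching on the lower-cased image name rather than the full path keeps the check stable across PowerShell versions and install directories, but it inherits the limitation the alert text describes: a copied or renamed powershell.exe is not matched. The WINWORD.EXE parent in the second sample is the kind of context a triage analyst reads first, and the WS-077 sample shows why command-line auditing belongs in the baseline.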

More than 5 user accounts were deleted in 10 minutes

An unusual number of account deletions might indicate malicious intent: harming users and disrupting regular network activity. Note that this could also be a noisy distraction while other malicious activity is being performed. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726

More than 5 user accounts were locked out in 1 hour

An unusual number of accounts being locked out might indicate brute-force attempts by an attacker, or a deliberate denial of access to those accounts. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740

The audit log was cleared

Clearing the audit log might indicate an attacker covering their tracks. Every log clearing operation should be investigated and validated as authorized. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102

A group was created

Group creation actions (events 4727, 4731 and 4754 for security-enabled global, local and universal groups) should be reviewed and validated as authorized. An adversary can create a group to evade detection and operate through a group that is not associated with any real-world user or business need. Verify that the action was authorized, and investigate further if not.

A user was removed from an Admin group

Admin groups are especially sensitive, and any addition or removal of a member should be verified as a legitimate, authorized action (removals are events 4729, 4733 and 4757 for global, local and universal groups). An adversary removing legitimate admins from the admin groups can have severe implications, from locking defenders out to covering for an unauthorized addition. Verify that the removal was approved; if not, investigate further and undo the action. MITRE Tactic: TA0003 MITRE Technique: T1078

More than 20 authentication failures in 10 minutes

Multiple authentication failures might indicate a brute-force attack or an attacker trying to gain access to an account. A successful authentication after a series of failed attempts might indicate that the attacker obtained valid credentials. Investigate and verify with the user in question whether these were legitimate attempts; if not, check for a successful logon after the failed attempts and investigate further according to the findings. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 MITRE Tactic: TA0001 MITRE Technique: T1078 MITRE Sub-technique: 002

A group was deleted

Group deletion actions (events 4730, 4734 and 4758 for security-enabled global, local and universal groups) should be reviewed and validated as authorized. An adversary can delete a group to cause harm or to evade detection. Verify that the action was authorized, and investigate further if not. MITRE Tactic: TA0040

A user account was created

User creation actions should be reviewed and validated as authorized. An adversary can create an account to evade detection and operate through an account that is not associated with any real-world user. Verify that the action was authorized, and investigate further if not. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 MITRE Tactic: TA0003 MITRE Technique: T1136 MITRE Sub-technique: 002

A user account was deleted

User deletion actions should be reviewed and validated as authorized. An adversary can delete a user to cause harm or to evade detection. Verify that the action was authorized, and investigate further if not. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726

A user was added to a Admin group

Admin groups are especially sensitive, and any addition or removal of a member should be verified as a legitimate, authorized action (additions are events 4728, 4732 and 4756 for global, local and universal groups). An adversary gaining admin privileges is one of the worst scenarios and allows them to perform almost any malicious activity in the network. Verify that the addition was approved; if not, investigate further and undo the action. MITRE Tactic: TA0003 MITRE Technique: T1136 MITRE Sub-technique: 002
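The two admin-group alerts above (a user removed from, and a user added to, an Admin group) depend on deciding which groups count as administrative. The Python below is an added example, not Coralogix code, that consumes constructed 4728/4732/4756 (member added) and 4729/4733/4757 (member removed) events and matches the group's TargetSid against the built-in Administrators SID S-1-5-32-544 and the Domain Admins (512), Schema Admins (518) and Enterprise Admins (519) RIDs; matching on the SID is more reliable than matching on the group's display name, which can be renamed. The domain SID and all sample events are constructed.

```python
"""Detect changes to administrative group membership from Windows Security events
4728/4732/4756 (member added to a security-enabled global/local/universal group)
and 4729/4733/4757 (member removed).

Added example, not Coralogix code. Admin groups are recognised by the well-known SID
of the built-in Administrators group or by the RID suffix of a domain SID (512 Domain
Admins, 518 Schema Admins, 519 Enterprise Admins). The domain SID and all sample
events are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

MEMBER_ADDED = {4728, 4732, 4756}
MEMBER_REMOVED = {4729, 4733, 4757}

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"
ADMIN_GROUP_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}


@dataclass
class GroupEvent:
    event_id: int
    computer: str
    subject_user_name: str   # SubjectUserName: who made the change
    target_sid: str          # TargetSid: the group that was modified
    target_user_name: str    # TargetUserName: the group's name
    member_sid: str          # MemberSid: the account added or removed


def admin_group_label(sid: str) -> Optional[str]:
    """Name of the administrative group a SID denotes, or None for any other SID.
    Domain SIDs look like S-1-5-21-<d1>-<d2>-<d3>-<RID>; the RID is the last component."""
    if sid == BUILTIN_ADMINISTRATORS_SID:
        return "Administrators (built-in)"
    if sid.startswith("S-1-5-21-"):
        rid = sid.rsplit("-", 1)[-1]
        return ADMIN_GROUP_RIDS.get(rid)
    return None


def admin_group_changes(events: Iterable[GroupEvent]) -> List[dict]:
    """One finding per membership change that touches an administrative group."""
    findings = []
    for ev in events:
        if ev.event_id not in (MEMBER_ADDED | MEMBER_REMOVED):
            continue
        label = admin_group_label(ev.target_sid)
        if label is None:
            continue                  # ordinary group: not an admin-group alert
        findings.append({
            "action": "added" if ev.event_id in MEMBER_ADDED else "removed",
            "group": label,
            "group_name": ev.target_user_name,
            "member_sid": ev.member_sid,
            "by": ev.subject_user_name,
            "host": ev.computer,
            "event_id": ev.event_id,
        })
    return findings


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID

SAMPLE_EVENTS = [
    GroupEvent(4728, "DC01", "jdoe", f"{DOMAIN_SID}-512", "Domain Admins", f"{DOMAIN_SID}-1105"),
    GroupEvent(4732, "WS-042", "svc-deploy", BUILTIN_ADMINISTRATORS_SID, "Administrators", f"{DOMAIN_SID}-1106"),
    GroupEvent(4728, "DC01", "hr-admin", f"{DOMAIN_SID}-1201", "Marketing", f"{DOMAIN_SID}-1107"),
    GroupEvent(4729, "DC01", "jdoe", f"{DOMAIN_SID}-512", "Domain Admins", f"{DOMAIN_SID}-1001"),
    GroupEvent(4756, "DC01", "jdoe", f"{DOMAIN_SID}-519", "Enterprise Admins", f"{DOMAIN_SID}-1105"),
]

if __name__ == "__main__":
    for f in admin_group_changes(SAMPLE_EVENTS):
        print(f"{f['event_id']} {f['host']}: {f['member_sid']} {f['action']} "
              f"{f['group']} by {f['by']}")
```

The Marketing event is dropped because its RID is not on the list, while the local Administrators change on the workstation is kept even though the event ID (4732) differs from the domain-group ones; extend ADMIN_GROUP_RIDS with any custom tier-0 groups your environment uses, and note that MemberSid is the authoritative identity of the added account even when the MemberName distinguished name is truncated or empty.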

More than 5 authentication failures in 30 minutes

Multiple authentication failures might indicate a brute-force attack or an attacker trying to gain access to an account. A successful authentication after a series of failed attempts might indicate that the attacker obtained valid credentials. Investigate and verify with the user in question whether these were legitimate attempts; if not, check for a successful logon after the failed attempts and investigate further according to the findings. Consult Microsoft documentation for further recommendations - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 MITRE Tactic: TA0001 MITRE Technique: T1078 MITRE Sub-technique: 002
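The threshold alerts on this page (more than 5 accounts deleted in 10 minutes, more than 5 lockouts in 1 hour, more than 20 or more than 5 authentication failures in 10 or 30 minutes) and the two Kerberos request alerts earlier on the page all reduce to one sliding-window count, per account or domain-wide, followed for the authentication alerts by the success-after-failures check described above. The Python below is an added example of that logic run over constructed 4625, 4624, 4740, 4726 and 4769 events; it is not Coralogix code. The thresholds for failures, lockouts and deletions are the ones in the alert names; the Kerberos threshold of 10 service-ticket requests per minute and the RC4 (TicketEncryptionType 0x17) refinement are assumptions to tune, not values from the alert definitions.

```python
"""Sliding-window ("more than N in T") detections over Windows Security events:
4625 failed logons, 4740 lockouts, 4726 account deletions, 4769 service-ticket
requests, and the success-after-failures check.
Added example, not Coralogix code. Thresholds for 4625/4740/4726 are those in the
alert names; the Kerberos threshold and all sample events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Hashable, Iterable, List

@dataclass
class Event:
    time: datetime
    event_id: int
    data: Dict[str, str] = field(default_factory=dict)   # EventData name -> value

def bursts(events: Iterable[Event], match: Callable[[Event], bool], key: Callable[[Event], Hashable],
           window: timedelta, threshold: int) -> Dict[Hashable, datetime]:
    """Per-key sliding window over time-sorted events. For every key whose matching events
    exceeded `threshold` inside some `window`, returns the time that first happened."""
    recent: Dict[Hashable, Deque[datetime]] = defaultdict(deque)
    first_hit: Dict[Hashable, datetime] = {}
    for ev in events:
        if not match(ev):
            continue
        k = key(ev)
        q = recent[k]
        q.append(ev.time)
        while ev.time - q[0] > window:          # expire timestamps older than the window
            q.popleft()
        if len(q) > threshold and k not in first_hit:
            first_hit[k] = ev.time
    return first_hit

def account_of(ev: Event) -> str:
    return ev.data.get("TargetUserName", "").lower()

def failures_20_in_10m(events: Iterable[Event]) -> Dict[Hashable, datetime]:
    return bursts(events, lambda e: e.event_id == 4625, account_of, timedelta(minutes=10), 20)

def failures_5_in_30m(events: Iterable[Event]) -> Dict[Hashable, datetime]:
    return bursts(events, lambda e: e.event_id == 4625, account_of, timedelta(minutes=30), 5)

def success_after_failures(events: List[Event], window: timedelta = timedelta(minutes=30)) -> Dict[str, datetime]:
    """Accounts with a successful logon (4624) within `window` after exceeding 5 failures."""
    hits = bursts(events, lambda e: e.event_id == 4625, account_of, window, 5)
    found: Dict[str, datetime] = {}
    for ev in events:
        if ev.event_id == 4624:
            acct = account_of(ev)
            if acct in hits and hits[acct] <= ev.time <= hits[acct] + window:
                found[acct] = ev.time
    return found

def lockout_bursts(events: Iterable[Event]) -> Dict[Hashable, datetime]:
    """More than 5 lockouts (4740) domain-wide in 1 hour."""
    return bursts(events, lambda e: e.event_id == 4740, lambda e: "domain", timedelta(hours=1), 5)

def deletion_bursts(events: Iterable[Event]) -> Dict[Hashable, datetime]:
    """More than 5 account deletions (4726) domain-wide in 10 minutes."""
    return bursts(events, lambda e: e.event_id == 4726, lambda e: "domain", timedelta(minutes=10), 5)

def kerberos_bursts(events: Iterable[Event], threshold: int = 10,
                    window: timedelta = timedelta(minutes=1)) -> Dict[Hashable, datetime]:
    """Successful service-ticket requests (4769, Status 0x0) per requesting account. The
    threshold is an assumption to tune, not a value from the alert definition."""
    return bursts(events, lambda e: e.event_id == 4769 and e.data.get("Status") == "0x0",
                  account_of, window, threshold)

def rc4_service_tickets(events: Iterable[Event]) -> List[Event]:
    """4769 events with TicketEncryptionType 0x17 (RC4-HMAC). Kerberoasting tools ask for RC4
    tickets because they are the cheapest to crack offline, so a burst that is mostly 0x17
    is a stronger signal than request volume alone."""
    return [e for e in events
            if e.event_id == 4769 and e.data.get("TicketEncryptionType", "").lower() == "0x17"]

T0 = datetime(2024, 1, 15, 9, 0, 0)   # constructed start of the sample window

def ev(seconds: int, event_id: int, **data: str) -> Event:
    return Event(T0 + timedelta(seconds=seconds), event_id, data)

SAMPLE_EVENTS = sorted(
    # six bad passwords for jdoe within a minute, then a successful network logon
    [ev(10 * i, 4625, TargetUserName="jdoe", IpAddress="10.0.0.25", SubStatus="0xC000006A") for i in range(6)]
    + [ev(90, 4624, TargetUserName="jdoe", IpAddress="10.0.0.25", LogonType="3")]
    # two failures for asmith: below every threshold
    + [ev(5, 4625, TargetUserName="asmith", IpAddress="10.0.0.31"), ev(40, 4625, TargetUserName="asmith")]
    # six lockouts spread over 25 minutes (more than 5 in an hour)
    + [ev(300 * i, 4740, TargetUserName=f"user{i}") for i in range(6)]
    # three deletions in one minute: below the 5-in-10-minutes threshold
    + [ev(120 + 30 * i, 4726, TargetUserName=f"old{i}") for i in range(3)]
    # jdoe requests 12 service tickets in 22 seconds, 8 of them RC4: the Kerberoasting pattern
    + [ev(200 + 2 * i, 4769, TargetUserName="jdoe@corp.example", ServiceName=f"svc{i}",
          TicketEncryptionType="0x17" if i < 8 else "0x12", Status="0x0") for i in range(12)]
    # one ordinary AES ticket request
    + [ev(230, 4769, TargetUserName="asmith@corp.example", ServiceName="cifs",
          TicketEncryptionType="0x12", Status="0x0")],
    key=lambda e: e.time)

if __name__ == "__main__":
    print("5 failures/30m:", failures_5_in_30m(SAMPLE_EVENTS), "then success:", success_after_failures(SAMPLE_EVENTS))
    print("lockouts:", lockout_bursts(SAMPLE_EVENTS), "deletions:", deletion_bursts(SAMPLE_EVENTS))
    print("kerberos bursts:", kerberos_bursts(SAMPLE_EVENTS), "rc4 tickets:", len(rc4_service_tickets(SAMPLE_EVENTS)))
```

Two design points carry over to a production rule. The window is evaluated per key and the alert records the first moment the count exceeds the threshold, so a sustained attack produces one alert rather than one per additional event. And 4769's TargetUserName carries the realm (jdoe@corp.example) while 4625's does not, so the two detections key on different strings for the same person; normalise the account name before correlating a Kerberoasting burst with that account's other activity.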

No logs from Microsoft Windows

This rule detects when no logs for Microsoft Windows have arrived in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem. Impact: disabling logging is a tactic adversaries employ to avoid detection, cover their tracks or impede incident response investigations. Mitigation: restore the log flow (audit policy, agent or forwarder) so that monitoring in the Coralogix SIEM stays comprehensive. MITRE Tactic: TA0005 MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with Microsoft Windows in our documentation.
