Elastic Inferred Detection Coverage

Microsoft-Windows-Security-Auditing (32 events, 264 rules) #

Channel: Security Event ID 4610: An authentication package has been loaded by the Local Security Authority. (4 low)

Channel: Security Event ID 4611: A trusted logon process has been registered with the Local Security Authority. (4 low)

Channel: Security Event ID 4624: An account was successfully logged on. (6 medium, 2 low)

Channel: Security Event ID 4625: An account failed to log on. (7 medium)

Channel: Security Event ID 4634: An account was logged off. (10 medium)

Channel: Security Event ID 4647: User initiated logoff. (10 medium)

Channel: Security Event ID 4648: A logon was attempted using explicit credentials. (10 medium)

Channel: Security Event ID 4649: A replay attack was detected. (4 low)

Channel: Security Event ID 4657: A registry value was modified. (3 low)

Channel: Security Event ID 4659: A handle to an object was requested with intent to delete. (2 low)

Channel: Security Event ID 4661: A handle to an object was requested. (4 low)

Channel: Security Event ID 4663: An attempt was made to access an object. (2 low)

Channel: Security Event ID 4688: A new process has been created. (133 medium)

Channel: Security Event ID 4691: Indirect access to an object was requested. (2 low)

Channel: Security Event ID 4700: A scheduled task was enabled. (4 low)

Channel: Security Event ID 4701: A scheduled task was disabled. (4 low)

Channel: Security Event ID 4720: A user account was created. (1 low)

Channel: Security Event ID 4741: A computer account was created. (1 low)

Channel: Security Event ID 4742: A computer account was changed. (1 low)

Channel: Security Event ID 4798: A user's local group membership was enumerated. (1 low)

Channel: Security Event ID 4799: A security-enabled local group membership was enumerated. (1 low)

Channel: Security Event ID 5050: An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected. (1 low)

Channel: Security Event ID 5136: A directory service object was modified. (3 low)

Channel: Security Event ID 5137: A directory service object was created. (2 low)

Channel: Security Event ID 5140: A network share object was accessed. (2 low)

Channel: Security Event ID 5141: A directory service object was deleted. (5 low)

Channel: Security Event ID 5142: A network share object was added. (2 low)

Channel: Security Event ID 5143: A network share object was modified. (2 low)

Channel: Security Event ID 5144: A network share object was deleted. (2 low)

Channel: Security Event ID 5169: A directory service object was modified. (14 low)

Channel: Security Event ID 5170: A directory service object was modified during a background cleanup task. (14 low)

Channel: Security Event ID 5380: Vault Find Credential. (1 low)

Microsoft-Windows-Sysmon (14 events, 690 rules) #

Channel: Operational Event ID 1: Process creation (229 medium, 1 low)

Channel: Operational Event ID 2: A process changed a file creation time (40 medium)

Channel: Operational Event ID 3: Network connection (52 medium)

Channel: Operational Event ID 5: Process terminated (21 medium)

Channel: Operational Event ID 6: Driver loaded (2 medium)

Channel: Operational Event ID 7: Image loaded (7 medium)

Channel: Operational Event ID 8: CreateRemoteThread (5 low)

Channel: Operational Event ID 11: FileCreate (51 medium)

Channel: Operational Event ID 12: RegistryEvent (Object create and delete) (53 medium)

Channel: Operational Event ID 13: RegistryEvent (Value Set) (53 medium)

Channel: Operational Event ID 14: RegistryEvent (Key and Value Rename) (53 medium)

Channel: Operational Event ID 15: FileCreateStreamHash (39 medium)