Logo
Sign in
  1. Logpoint Service Desk
  2. Products Hub
  3. Marketplace
app-115003856929.png

Windows

Windows consists of security analytics components that normalize Windows events, which enables you to analyze Windows data. Logpoint aggregates and normalizes logs related to CPU, disk, memory, configuration, I/O, Active Directory (AD), and Domain Name Server (DNS) from Windows systems so you can analyze the information through dashboards and security reports. The automated alerts enable you to detect potential threats, malware, or malicious events early and take corrective actions against them. DNSCompiledNormalizer is compatible with CNDP.

Release Details
Version: 5.6.0
Release date: May 02, 2024
SHA 256: 1e09577df124cb6291069a732a18b5088bfd6df759dae41a3b05b109dc4ed3db
Documentation: Windows guide
Download

 

 

 

 

 

 

 

 

 

Key Information

  • DNSCompiledNormalizerEU is available for this release only. 
  • Logpoint only supports JSON logs for Windows, so we recommend you use the Logpoint or NXLog Agent to generate logs in .json format. Go to NXLog Sample Configuration to obtain the NXLog Sample Configuration file.
  • You must configure Sysmon correctly for the alerts to work. Go to Sysmon Configuration to obtain the Sysmon Configuration file.

Enhancement

Description Issue ID Reference ID
Added Syslog Collector based Windows log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. KB-22733 -

 

Past Releases

Windows v5.5.0

Release Date: August 11, 2023

Supported on: Logpoint v6.7.0 and later

Download: Windows_5.5.0.pak

SHA256: 5234e994cc9c846c4393f59da0fa60b3b77034dd716cf2318afc23b17cba1cfe

Enhancements

Description

Issue ID

Reference ID

Mapped the following fields to maintain consistency:

Raw Log Field

Normalized

Field

 Event ID

Compiled Normalizer
Product Application 7

WindowsSysmonCompiledNormalizer
DATA (milt-line value) server_address - DNSCompiledNormalizer, DNSCompiledNormalizerEU
Source source 4698

WindowsSecurityAuditing
KB-21545, KB-21877, KB-21706 76577, 76343

 

For Windows Registry and Sysmon Registry events with event ID 4657:

  • Added Registry, Set and Value labels.
  • Added detail field to mirror new_value field value.
  • Added target_object field with value object_name + '\' + object_value.
 KB-22065 - 
You can now configure a date format for DNSCompiledNormalizer using CompiledNormalizer Date Preference (CNDP). To learn how, go to CNDP. KB-22582 -

Bug Fixes

The following issues are fixed:

Description

Issue ID

Reference ID

Some Audit, Sysmon and MOVEit logs were not normalized by WindowsSecurityAuditing, WindowsSysmonCompiledNormalizer 

and LPA_Windows.

 KB-20885, KB-20649, KB-21302 74128, 73904 

The EventData fields were not properly normalized by ADFSNormalizer. 

 KB-21009 74684 
Windows v5.4.9

Release Date: June 30, 2023

Supported on: Logpoint v6.7.0 and later

Download: Windows_5.4.9.pak

SHA256: fd7ebec394b2ebd038ee12a890b94404fedbdc79f76e9c0f5bb159a6b596e0fd

Bug Fixes

The following issues are fixed:

Description

Issue ID

Reference ID

Some Audit, Sysmon and MOVEit logs were not normalized by WindowsSecurityAuditing, WindowsSysmonCompiledNormalizer 

and LPA_Windows.

 KB-20885, KB-20649, KB-21302 74128, 73904 

The EventData fields were not properly normalized by ADFSNormalizer. 

 KB-21009 74684 
Windows v5.4.8

Release Date: April 12, 2023

Supported on: Logpoint v6.7.0 and later

Download: Windows_5.4.8.pak

SHA256: ee063d20b6142fb453c85413a2cb7396664bbc7201c33df1aefb7fce24440ab8

Enhancements

Description

Issue ID

Reference ID
Renamed is_sign field as is_signed in WindowsSysmoNCompiledNormalizer. KB-20541 -

Renamed the following field name in LPA_Windows:

Former Field Name
Renamed Field Name

process_name

 process
processnamelength process_name_length
sha1_flat_hash_size hash_datasize
productname product
status status_code
userwriteable is_user_writeable
processnamebuffer buffer
requestedsigninglevel requested_signing_level
securerequired secure_required
KB-18841
Updated LPA_Windows to support Software Restriction Policies events.  KB-18859

Bug Fix

Description

Issue ID

Reference ID

Some Windows logs were not normalized by LPA_Windows.

 KB-19806, KB-19065 71873, 69618
Windows v5.4.7

Release Date: January 14, 2023

Download: Windows_5.4.7.pak

SHA256: cad5b732170e36db8867a8ef6a22eef6121e50ac79a3df69fa8398265bca5f92 

Enhancements

Description

Issue ID

Reference ID

Renamed the field name in LPA_Windows for the following event sources and event IDs to maintain consistency:

FormerField Name

UpdatedField Name

 Event Source Event ID

Data

fault_bucket

 Windows Error Reporting 1000

Data_1 

 type

Data_2 

 event
Data_3  response

Data_4 

 cab_id

Data_11 

 file

Data_15 

 report_status

Data_16 

 hashed_bucket

Data_17 

 cab_guid

Data 

 application Application Error 1001

Data_1 

 application_version
Data_3  faulting_module
Data_4  module_version
Data_6  exception_code
Data_7  fault_offset
Data_8  faulting_process_id
Data_10  faulting_path
Data_11  module_path
Data_12  report_id
Data_13  faulting_package
Data_14  application_id

EventXML.binaryData 

 data -



 -

EventXML.binaryDataSize 

 datasize

EventXML.param1 

 service
EventXML.param2  file
ConfigPath configuration_path -



 29 and 50
editoperationtype  operation_type
PhysicalPath path
NewValue new_value
KB-18669, KB-18494 -

Renamed the initiated field to is_initiated in the WindowsSysmonCompiledNormalizer to maintain consistency.

KB-18527

 -

Added the following source names in LPA_Windows to normalize progress DB audit events:

  • ARCHIV_LOB_PROGRESS
  • DPW_DATA_PROGRESS
  • ARCHIV_PROGRESS
 KB-19289 -

Bug Fix

Description

Issue ID

Reference ID

SomeDNSlogs were not normalized by DNSCompiledNormalizer.

 KB-18943 70724
Windows v5.4.6

Enhancements

Description

Issue ID

Reference ID

Added the following alert rules for Windows events:

  • LP_Curl Silent Mode Execution Detected
  • LP_Non-Existent User Login Attempt Detected
  • LP_Malicious Image Loaded Via Excel
  • LP_Execution of Temporary Files Via Office Application
  • LP_Binary Creation in System Folder Detected
  • LP_High Volume of File Modification or Deletion in Short Span
  • LP_Auditd High Volume of File Modification or Deletion in Short Span
  • LP_Windows RDP Port Modified
 KB-17755  

Updated descriptions for the following alerts:

  • LP_Windows Bulk Print at a Time
  • LP_Windows Password Never Expires
  • LP_Windows Data Copied to Removable Device
  • LP_Windows Excessive Amount of Files Copied to Removable Device
 KB-18021

 

 

 -

 

 

Removed the following alerts that are no longer relevant:

  • LP_Service Hung at Start
  • LP_Windows File Access
  • LP_Failed Service Control Manager Initialization
  • LP_Service Connection to a Different Process
  • LP_Windows Local User Management

Renamed LP_Windows password never expires alert as Windows User Password Never Expires.

Renamed the name field to consumer for Windows Sysmon events with event ID 20 to maintain consistency.

Modified the existing alert rules forWindows Sysmon (event ID 1) to make it compatible with Windows Process Creation (event ID 4688) events.

 KB-18090 -
Added File, Block and Executable labels for Microsoft Windows Sysmon events with event ID 27. KB-17888 -

Bug Fixes

The following issues are fixed:

Description

Issue ID

Reference ID

The message field of Microsoft Windows Security Mitigations event with event ID 11 was not properly normalized.

 KB-17511 -
Some Avecto IC3 Adapter logs with event ID 17866 and NVWMI logs with event ID 3 were not properly normalized by LPA_Windows. KB-18073 -

The task_value field was incorrectly mapped as task for Windows Sysmon events with event ID 11 in WindowSysmonCompiledNormalizer.

 KB-17569 -

The product and rule_type fields were mapped as product_name and ruletype for Windows Defender events with event ID 1121 in LP_Windows.

 KB-18094 -

The targetname field was incorrectly mapped as target for Microsoft Windows Security Auditing events with event ID 5379 in LP_Windows.

 KB-17522  
Windows v5.4.5

Enhancements

Description Issue ID Reference ID

Updated the following fields for the Microsoft Windows Security Auditing event with the event ID 4719:

Previously Used Field

 Updated Field
AuditPolicyChanges policy
Category id category
SubcategoryId sub_category

 

KB-17207

 67239

Updated the following fields in WindowsSecurityAuditingCompliedNormalizer with event ID 4801:

Previously Used Field Updated Field
TargetUserSid user_id
TargetUserName user
TargetDomainName domain
TargetLogonId logon_id
SessionId session_id

 

 KB-17536 67615
Updated NxLog configuration to generate JSON format Windows logs. KB-17117 66384

Bug Fixes

The following issues are fixed:

Description

Issue ID

Reference ID

The process field was missing in a Window log with event ID 11.

 KB-17146 -

The alert LP_Windows Failed Login Attempt using an Expired Account contained an incorrect sub_status_code value.

 KB-17188 67205
The properties field was not properly parsed by WindowsSecurityAuditingCompliedNormalizer. KB-17529 67700 

Misspelt RelyingParty as relaying_party in the ADFS Auditing event with event IDs 1200 and 1202.  

 KB-16309 64794
Windows v5.4.4

Enhancements

Description

Issue ID

Reference ID

Renamed the field names in Microsoft-Windows-VHDMP events with the following event IDs:

Former Field Name
Renamed Field Name
Event ID

virtualdisk 

 virtual_disk 1, 12, 14, 25, 15, 16, 30
vhdfilename virtual_file 1, 12, 25, 27, 28, 22, 23
vhdfile virtual_file 12
writedepth write_depth 12
vmid virtual_host_id 12
vhdtype virtual_machine_type 12
fileobject file_object 12, 21
handlecontext handle_context 12, 14, 30
desiredaccess desired_access 12, 27, 22
KB-16792 -

Added the following analytics for Applocker events:

Dashboard

LP_AppLocker SmartlockerFilter

Alerts

  • LP_AppLocker SmartlockerFilter detected file being written by process
  • LP_Application Execution Attempt Blocked by AppLocker

 To learn more, go to Windows Analytics. 

 KB-13954
Parsed the message field of Microsoft Windows Defender event with event ID 1121. 

 

 KB-16973

Bug Fixes

The following issues are fixed:

Description

Issue ID

Reference ID
Misspelt inheritance_flag as inhertiance_flags in the Microsoft Windows Defender event with event ID 1121. 

 

 KB-16973 -


Support

If you have any questions or require assistance, create a support ticket.

Comments

  • Avatar
    Hans Vedder
    February 20, 2019 12:13

    To use the provided queries in the widgets with logon_process=User32, it's necessary to configure Windows Event Forwarding (WEF) on the Windows workstations.

    Comment actions Permalink
  • Avatar
    Hans Vedder
    February 22, 2019 11:09

    Many queries contain

    -user="ANONYMOUS LOGON"
    -caller_user="ANONYMOUS LOGON"
    -domain="NT AUTHORITY"
    -caller_domain="NT AUTHORITY"

    For none english windows versions it’s necessary to modify them to national values.

    Comment actions Permalink

Article is closed for comments.

Follow

Related articles

  • Logpoint Agent Collector
  • NXLog Enterprise
  • Office365
  • Universal Normalizer
  • Cloud Connector
Privacy policy    EULA    Terms of service   
Copyright © , Logpoint. All rights reserved.