Windows
The Windows application consists of security analytics components that normalize Windows events so you can analyze Windows data. Logpoint aggregates and normalizes logs related to CPU, disk, memory, configuration, I/O, Active Directory (AD), and Domain Name System (DNS) from Windows systems so you can analyze the information through dashboards and security reports. The automated alerts enable you to detect potential threats, malware, or malicious events early and take corrective action against them. DNSCompiledNormalizer is compatible with CNDP.
Package Details
Windows Components:
- Normalization package
  - LP_Microsoft Antimalware
  - LP_Microsoft Direct Access
  - LP_Windows Firewall
- Search template
  - LP_ADFS Issued Claim Identity
  - LP_Beaconing for Threat Hunting with Microsoft Sysmon
- KB list
  - ADMINS
  - FILE_EXTENSIONS
  - LOGPOINT_GROUPS
- Log source template
  - Windows
- Report
  - LP_Windows Administrator Report
  - LP_Active Directory Report
  - LP_Windows Configuration Report
  - LP_Active Directory Authentication Requests
  - LP_Active Directory Object Management
  - LP_AD: User Authentication Requests
  - LP_AD: User Account Management
  - LP_AD: Security Group Management
  - LP_AD: Policy Changes
  - LP_AD: OU and GPO
  - LP_AD: Distribution Group Management
  - LP_AD: Critical User Activities
  - LP_AD: Computer Account Management
  - LP_AD: Service
  - LP_AD: Machine Authentication Requests
- Pluggable normalizer
  - LPA_Windows
  - ADFSNormalizer
  - DNSCompiledNormalizer
  - DNSCompiledNormalizerEU
  - WindowsNPSCompiledNormalizer
  - WindowsSysmonCompiledNormalizer
  - WindowsDHCPCompiledNormalizer
  - WindowsSecurityAuditing
- Dashboard
  - LP_AD: Computer Account Management
  - LP_AD: Critical User Activities
  - LP_AD: Distribution Group Management
  - LP_AD: Machine Authentication Requests
  - LP_AD: OU and GPO
  - LP_AD: Policy Changes
  - LP_AD: Security Group Management
  - LP_AD: Service
  - LP_AD: User Account Management
  - LP_AD: User Authentication Requests
  - LP_ADFS Auditing
  - LP_AppLocker
  - LP_Windows Antimalware
  - LP_Windows Authentication
  - LP_Windows BITS
  - LP_Windows Configuration
  - LP_Windows DHCP
  - LP_Windows DNS
  - LP_Windows File Auditing
  - LP_Windows Overview
  - LP_Windows Service Control Manager
  - LP_Windows Sysmon Overview
- Alert
  - LP_ADPrivescCVE-2022-26923Exploitation
  - LP_ApplicationExecutionAttemptBlockedbyAppLocker
  - LP_AppLockerSmartlockerFilterdetectedfilebeingwrittenbyprocess
  - LP_NgrokExecution
  - LP_NgrokRDPTunnelDetected
  - LP_PossiblePasstheHashActivityDetected
  - LP_WindowsAuditLogsCleared
  - LP_WindowsAuthenticationPolicyChange
  - LP_WindowsBlockInheritanceonOUorDomain
  - LP_WindowsBulkPrintataTime
  - LP_WindowsDataCopiedtoRemovableDevice
  - LP_WindowsDelegationofAuthorityChangeonOUorDomain
  - LP_WindowsDirectoryServiceStateChange
  - LP_WindowsDomainPolicyChange
  - LP_WindowsExcessiveAmountofFilesCopiedtoRemovableDevice
  - LP_WindowsFailedLoginAttemptsusingDisabledAccount
  - LP_WindowsFailedLoginAttemptUsingServiceAccount
  - LP_WindowsFailedLoginFollowedbyLockoutEvent
  - LP_WindowsFileAccess
  - LP_WindowsGPOLinkedorUnlinkedtoOUorDomain
  - LP_WindowsGroupCreatedorDeleted
  - LP_WindowsGroupPolicyObjectChanges
  - LP_WindowsGroupPolicyObjectCreation
  - LP_WindowsGroupPolicyObjectDeletion
  - LP_WindowsKerberosPre-authenticationfailed
  - LP_WindowsKerberosServiceTicketRequest
  - LP_WindowsLocalUserManagement
  - LP_WindowsLogonRightsChanges
  - LP_WindowsMultipleAccountPasswordchangesbyUser
  - LP_WindowsMultipleFailedAttemptsagainstaSingleAccount
  - LP_WindowsMultipleUniqueLockouts
  - LP_WindowsOUCreation
  - LP_WindowsOUDeletion
  - LP_WindowsPasswordNeverExpires
  - LP_WindowsPossibleRansomwareDetection
  - LP_WindowsSecurityServiceTerminated
  - LP_WindowsSuccessfulBruteForceAttackfromSameSource
  - LP_WindowsSuccessfulBruteForceAttackfromSameUser
  - LP_WindowsSuccessfulRemoteInteractiveLogin
  - LP_WindowsunBlockInheritanceonDomain
  - LP_WindowsunBlockInheritanceonOU
  - LP_WindowsunBlockInheritanceonOUandDomain
  - LP_WindowsUserAccountChangetoEndwithDollarSign
  - LP_WindowsUserAccountCreatedorRemoved
  - LP_WindowsUserAccountCreatedviaCommandLine
  - LP_WindowsUserAccountwasCreatedwithaDollarSign
  - LP_WindowsUserAddedorRemovefromGroup
  - LP_WindowsUserAddedtoAdministratorGroup
  - LP_WindowsUserRemovedfromAdministratorGroup
  - LP_WindowsUserRightsChanges
  - LP_WindowsUsersDisabled
  - LP_WindowsUsersEnabled
  - LP_WindowsWMIFilterLinkedorUnlinkedwithGPO
Key Information
- DNSCompiledNormalizerEU is available for this release only.
- Logpoint only supports JSON logs for Windows, so we recommend you use the Logpoint Agent or the NXLog Agent to generate logs in JSON format. Go to NXLog Sample Configuration to obtain the NXLog sample configuration file.
- You must configure Sysmon correctly for the Sysmon-based alerts to work. Go to Sysmon Configuration to obtain the Sysmon configuration file.
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Windows now also normalizes Application, Process, and Exception data in ASP.NET and MSIInstaller. | PLUG-12016, PLUG-12015 | 84800 |
Added the following new alerts for Windows events. For more details, go to Windows Alerts. | PLUG-13246 or SR-216 | - |
Updated the query and description of the following alerts: | | |
Removed the following generic and redundant alerts: | | |
Bug Fix
The following bug has been fixed:
Description | Issue ID | Reference ID |
---|---|---|
For Windows events, the normalized user field value was the digit "1" instead of the actual user value. | PLUG-13151 | 82928 |
Past Releases
Release Date: May 02, 2024
Supported on: Logpoint v6.7.0 and later
Download: Windows_5.6.1.pak
SHA256: 1e09577df124cb6291069a732a18b5088bfd6df759dae41a3b05b109dc4ed3db
Enhancement
Description | Issue ID | Reference ID |
---|---|---|
Added Syslog Collector based Windows log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. | KB-22733 | - |
Release Date: August 11, 2023
Supported on: Logpoint v6.7.0 and later
Download: Windows_5.5.0.pak
SHA256: 5234e994cc9c846c4393f59da0fa60b3b77034dd716cf2318afc23b17cba1cfe
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Mapped the following fields to maintain consistency: | KB-21545, KB-21877, KB-21706 | 76577, 76343 |
For Windows Registry and Sysmon Registry events with event ID 4657: | KB-22065 | - |
You can now configure a date format for DNSCompiledNormalizer using CompiledNormalizer Date Preference (CNDP). To learn how, go to CNDP. | KB-22582 | - |
Bug Fixes
The following issues are fixed:
Description | Issue ID | Reference ID |
---|---|---|
Some Audit, Sysmon and MOVEit logs were not normalized by WindowsSecurityAuditing, WindowsSysmonCompiledNormalizer and LPA_Windows. | KB-20885, KB-20649, KB-21302 | 74128, 73904 |
The EventData fields were not properly normalized by ADFSNormalizer. | KB-21009 | 74684 |
Release Date: June 30, 2023
Supported on: Logpoint v6.7.0 and later
Download: Windows_5.4.9.pak
SHA256: fd7ebec394b2ebd038ee12a890b94404fedbdc79f76e9c0f5bb159a6b596e0fd
Bug Fixes
The following issues are fixed:
Description | Issue ID | Reference ID |
---|---|---|
Some Audit, Sysmon and MOVEit logs were not normalized by WindowsSecurityAuditing, WindowsSysmonCompiledNormalizer and LPA_Windows. | KB-20885, KB-20649, KB-21302 | 74128, 73904 |
The EventData fields were not properly normalized by ADFSNormalizer. | KB-21009 | 74684 |
Release Date: April 12, 2023
Supported on: Logpoint v6.7.0 and later
Download: Windows_5.4.8.pak
SHA256: ee063d20b6142fb453c85413a2cb7396664bbc7201c33df1aefb7fce24440ab8
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Renamed the is_sign field to is_signed in WindowsSysmonCompiledNormalizer. | KB-20541 | - |
Renamed the following field in LPA_Windows: | KB-18841 | |
Updated LPA_Windows to support Software Restriction Policies events. | KB-18859 | |
Bug Fix
Description | Issue ID | Reference ID |
---|---|---|
Some Windows logs were not normalized by LPA_Windows. | KB-19806, KB-19065 | 71873, 69618 |
Support
If you have any questions or require assistance, create a support ticket.
To use the provided queries in the widgets with logon_process=User32, you must configure Windows Event Forwarding (WEF) on the Windows workstations.
Many queries contain the following exclusions:
-user="ANONYMOUS LOGON"
-caller_user="ANONYMOUS LOGON"
-domain="NT AUTHORITY"
-caller_domain="NT AUTHORITY"
On non-English Windows versions these well-known names are localized, so you must change the excluded values in the queries to the equivalents used by your language edition.