Windows

Windows consists of security analytics components that normalize Windows events, which enables you to analyze Windows data. Logpoint aggregates and normalizes logs related to CPU, disk, memory, configuration, I/O, Active Directory (AD), and Domain Name Server (DNS) from Windows systems so you can analyze the information through dashboards and security reports. The automated alerts enable you to detect potential threats, malware, or malicious events early and take corrective actions against them. DNSCompiledNormalizer is compatible with CNDP.

Release Details
Version: 5.7.0
Release date: December 9, 2024
SHA 256: 5df7e643894e406897a58867a8c34b203a54a32e2d1e49f00a881b6eae88c436
Documentation: Windows guide
Download

Package Details

Windows Components:

  1. Normalization package
    • LP_Microsoft Antimalware
    • LP_Microsoft Direct Access
    • LP_Windows Firewall
  2. Search template
    • LP_ADFS Issued Claim Identity
    • LP_Beaconing for Threat Hunting with Microsoft Sysmon
  3. KB list
    • ADMINS
    • FILE_EXTENSIONS
    • LOGPOINT_GROUPS
  4. Log source template
    • Windows
  5. Report
    • LP_Windows Administrator Report
    • LP_Active Directory Report
    • LP_Windows Configuration Report 
    • LP_Active Directory Authentication Requests 
    • LP_Active Directory Object Management 
    • LP_AD: User Authentication Requests 
    • LP_AD: User Account Management 
    • LP_AD: Security Group Management 
    • LP_AD: Policy Changes 
    • LP_AD: OU and GPO 
    • LP_AD: Distribution Group Management 
    • LP_AD: Critical User Activities 
    • LP_AD: Computer Account Management
    • LP_AD: Service 
    • LP_AD: Machine Authentication Requests
  6. Pluggable normalizer
    • LPA_Windows 
    • ADFSNormalizer
    • DNSCompiledNormalizer 
    • DNSCompiledNormalizerEU 
    • WindowsNPSCompiledNormalizer 
    • WindowsSysmonCompiledNormalizer 
    • WindowsDHCPCompiledNormalizer
    • WindowsSecurityAuditing 
  7. Dashboard
    • LP_AD: Computer Account Management
    • LP_AD: Critical User Activities
    • LP_AD: Distribution Group Management
    • LP_AD: Machine Authentication Requests 
    • LP_AD: OU and GPO
    • LP_AD: Policy Changes
    • LP_AD: Security Group Management
    • LP_AD: Service
    • LP_AD: User Account Management
    • LP_AD: User Authentication Requests
    • LP_ADFS Auditing
    • LP_AppLocker
    • LP_Windows Antimalware
    • LP_Windows Authentication
    • LP_Windows BITS
    • LP_Windows Configuration
    • LP_Windows DHCP
    • LP_Windows DNS
    • LP_Windows File Auditing
    • LP_Windows Overview
    • LP_Windows Service Control Manager
    • LP_Windows Sysmon Overview
  8. Alert
    • LP_ADPrivescCVE-2022-26923Exploitation
    • LP_ApplicationExecutionAttemptBlockedbyAppLocker
    • LP_AppLockerSmartlockerFilterdetectedfilebeingwrittenbyprocess
    • LP_NgrokExecution
    • LP_NgrokRDPTunnelDetected
    • LP_PossiblePasstheHashActivityDetected
    • LP_WindowsAuditLogsCleared
    • LP_WindowsAuthenticationPolicyChange
    • LP_WindowsBlockInheritanceonOUorDomain
    • LP_WindowsBulkPrintataTime
    • LP_WindowsDataCopiedtoRemovableDevice
    • LP_WindowsDelegationofAuthorityChangeonOUorDomain
    • LP_WindowsDirectoryServiceStateChange
    • LP_WindowsDomainPolicyChange
    • LP_WindowsExcessiveAmountofFilesCopiedtoRemovableDevice
    • LP_WindowsFailedLoginAttemptsusingDisabledAccount
    • LP_WindowsFailedLoginAttemptUsingServiceAccount
    • LP_WindowsFailedLoginFollowedbyLockoutEvent
    • LP_WindowsFileAccess
    • LP_WindowsGPOLinkedorUnlinkedtoOUorDomain
    • LP_WindowsGroupCreatedorDeleted
    • LP_WindowsGroupPolicyObjectChanges
    • LP_WindowsGroupPolicyObjectCreation
    • LP_WindowsGroupPolicyObjectDeletion
    • LP_WindowsKerberosPre-authenticationfailed
    • LP_WindowsKerberosServiceTicketRequest
    • LP_WindowsLocalUserManagement
    • LP_WindowsLogonRightsChanges
    • LP_WindowsMultipleAccountPasswordchangesbyUser
    • LP_WindowsMultipleFailedAttemptsagainstaSingleAccount
    • LP_WindowsMultipleUniqueLockouts
    • LP_WindowsOUCreation
    • LP_WindowsOUDeletion
    • LP_WindowsPasswordNeverExpires
    • LP_WindowsPossibleRansomwareDetection
    • LP_WindowsSecurityServiceTerminated
    • LP_WindowsSuccessfulBruteForceAttackfromSameSource
    • LP_WindowsSuccessfulBruteForceAttackfromSameUser
    • LP_WindowsSuccessfulRemoteInteractiveLogin
    • LP_WindowsunBlockInheritanceonDomain
    • LP_WindowsunBlockInheritanceonOU
    • LP_WindowsunBlockInheritanceonOUandDomain
    • LP_WindowsUserAccountChangetoEndwithDollarSign
    • LP_WindowsUserAccountCreatedorRemoved
    • LP_WindowsUserAccountCreatedviaCommandLine
    • LP_WindowsUserAccountwasCreatedwithaDollarSign
    • LP_WindowsUserAddedorRemovefromGroup
    • LP_WindowsUserAddedtoAdministratorGroup
    • LP_WindowsUserRemovedfromAdministratorGroup
    • LP_WindowsUserRightsChanges
    • LP_WindowsUsersDisabled
    • LP_WindowsUsersEnabled
    • LP_WindowsWMIFilterLinkedorUnlinkedwithGPO

Key Information

  • DNSCompiledNormalizerEU is available for this release only. 
  • Logpoint only supports JSON logs for Windows, so we recommend you use the Logpoint or NXLog Agent to generate logs in .json format. Go to NXLog Sample Configuration to obtain the NXLog Sample Configuration file.
  • You must configure Sysmon correctly for the alerts to work. Go to Sysmon Configuration to obtain the Sysmon Configuration file.

Enhancements

Windows now also normalizes Application, Process, and Exception data in ASP.NET and MSIInstaller.

Issue ID: PLUG-12016, PLUG-12015
Reference ID: 84800

Added the following new alerts for Windows events:

  • LP_Possible Pass the Hash Activity Detected
  • LP_Windows Block Inheritance on OU or Domain
  • LP_Windows Delegation of Authority Change on OU or Domain
  • LP_Windows Directory Service State Change
  • LP_Windows GPO Linked or Unlinked to OU or Domain
  • LP_Windows Security Service Terminated
  • LP_Windows User Account Created via Command Line
  • LP_Windows WMI Filter Linked or Unlinked with GPO

For more details, go to Windows Alerts.

Issue ID: PLUG-13246 or SR-216
Reference ID: -

Updated query and description of the following alerts:

  • Windows Audit Logs Cleared
  • Windows Authentication Policy Change
  • Windows Bulk Print at a Time
  • Windows Data Copied to Removable Device
  • Windows Domain Policy Change
  • Windows Excessive Amount of Files Copied to Removable Device
  • Windows Failed Login Attempt Using Service Account
  • Windows Failed Login Followed by Lockout Event
  • Windows Group Created or Deleted
  • Windows Group Policy Object Change
  • Windows Group Policy Object Creation
  • Windows Group Policy Object Deletion
  • Windows Logon Rights Changes
  • Windows Multiple Account Password changes by User
  • Windows Multiple Failed Attempts against a Single Account
  • Windows Multiple Unique Lockouts
  • Windows OU Creation
  • Windows OU Deletion
  • Windows Successful Brute Force Attack from Same Source
  • Windows Successful Brute Force Attack from Same User
  • Windows User Account Change to End with Dollar Sign
  • Windows User Account Created or Removed
  • Windows User Account was Created with a Dollar Sign
  • Windows User Added or Remove from Group
  • Windows User Added to Administrator Group
  • Windows User Password Never Expires
  • Windows User Removed from Administrator Group
  • Windows User Rights Changes
  • Windows Users Disabled
  • Windows Users Enabled

Removed the following generic and redundant alerts:

  • LP_Windows Account Creation followed by Group Add
  • LP_Windows Audit Policy Changes
  • LP_Windows Authentication on Windows DC
  • LP_Windows Authorization Policy Change
  • LP_Windows Block Inheritance on Domain
  • LP_Windows Block Inheritance on OU
  • LP_Windows Block Inheritance on OU and Domain
  • LP_Windows Critical File Access
  • LP_Windows Critical File Access followed by Cloud App Usage
  • LP_Windows CryptoAPI Spoofing Vulnerability Detected
  • LP_Windows Delegation of Authority Change in OU
  • LP_Windows Delegation of Control Change in Domain
  • LP_Windows Failed Interactive User Logins Detected
  • LP_Windows Failed Login Attempt using an Expired Account
  • LP_Windows Failed Login Attempt using Locked Out Account
  • LP_Windows Failed User Login Attempt
  • LP_Windows File Permission Change
  • LP_Windows GPO Linked Unlinked for the Domain
  • LP_Windows GPO Linked Unlinked to OUs
  • LP_Windows Group Policy Object WMI Filter Changed
  • LP_Windows Member Added to or Removed from Group by Admin
  • LP_Windows Multiple Password Changed by User
  • LP_Windows Ownership of File Taken
  • LP_Windows Permission Change on Critical Folder
  • LP_Windows Permission Change on Home Folder
  • LP_Windows Possible Failed Lateral Movement using Pass the Hash
  • LP_Windows Possible Successful Lateral Movement using Pass the Hash
  • LP_Windows Possible Successful PtH Lateral Movement followed by Audit Log Clear
  • LP_Windows Registry Key Permission Change
  • LP_Windows Registry Value Change
  • LP_Windows Removable Storage Disconnected
  • LP_Windows Revocation of User Privileges detected
  • LP_Windows Security ACL on File Modified
  • LP_Windows Service State Change
  • LP_Windows Suspicious Creation of User Accounts
  • LP_Windows Unusual File Access
  • LP_Windows Unusual User Access to an Object
  • LP_Windows User Account Lockout
  • LP_Windows User Added to Domain Enterprise Admin
  • LP_Windows User Removed from Domain Enterprise Admin

Bug Fix

The following bug has been fixed:

For Windows events, the normalized user field value was the digit "1" instead of the actual user value.

Issue ID: PLUG-13151
Reference ID: 82928

Past Releases

Windows v5.6.1

Release Date: May 02, 2024

Supported on: Logpoint v6.7.0 and later

Download: Windows_5.6.1.pak

SHA256: 1e09577df124cb6291069a732a18b5088bfd6df759dae41a3b05b109dc4ed3db

Enhancement

Added Syslog Collector based Windows log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template.

Issue ID: KB-22733
Reference ID: -

Windows v5.5.0

Release Date: August 11, 2023

Supported on: Logpoint v6.7.0 and later

Download: Windows_5.5.0.pak

SHA256: 5234e994cc9c846c4393f59da0fa60b3b77034dd716cf2318afc23b17cba1cfe

Enhancements

Mapped the following fields to maintain consistency:

Raw Log Field | Normalized Field | Event ID | Compiled Normalizer
Product | Application | 7 | WindowsSysmonCompiledNormalizer
DATA (multi-line value) | server_address | - | DNSCompiledNormalizer, DNSCompiledNormalizerEU
Source | source | 4698 | WindowsSecurityAuditing

Issue ID: KB-21545, KB-21877, KB-21706
Reference ID: 76577, 76343

For Windows Registry and Sysmon Registry events with event ID 4657:

  • Added Registry, Set and Value labels.
  • Added detail field to mirror new_value field value.
  • Added target_object field with value object_name + '\' + object_value.

Issue ID: KB-22065
Reference ID: -

You can now configure a date format for DNSCompiledNormalizer using CompiledNormalizer Date Preference (CNDP). To learn how, go to CNDP.

Issue ID: KB-22582
Reference ID: -

Bug Fixes

The following issues are fixed:

Some Audit, Sysmon and MOVEit logs were not normalized by WindowsSecurityAuditing, WindowsSysmonCompiledNormalizer and LPA_Windows.

Issue ID: KB-20885, KB-20649, KB-21302
Reference ID: 74128, 73904

The EventData fields were not properly normalized by ADFSNormalizer.

Issue ID: KB-21009
Reference ID: 74684

Windows v5.4.9

Release Date: June 30, 2023

Supported on: Logpoint v6.7.0 and later

Download: Windows_5.4.9.pak

SHA256: fd7ebec394b2ebd038ee12a890b94404fedbdc79f76e9c0f5bb159a6b596e0fd

Bug Fixes

The following issues are fixed:

Some Audit, Sysmon and MOVEit logs were not normalized by WindowsSecurityAuditing, WindowsSysmonCompiledNormalizer and LPA_Windows.

Issue ID: KB-20885, KB-20649, KB-21302
Reference ID: 74128, 73904

The EventData fields were not properly normalized by ADFSNormalizer.

Issue ID: KB-21009
Reference ID: 74684

Windows v5.4.8

Release Date: April 12, 2023

Supported on: Logpoint v6.7.0 and later

Download: Windows_5.4.8.pak

SHA256: ee063d20b6142fb453c85413a2cb7396664bbc7201c33df1aefb7fce24440ab8

Enhancements

Renamed is_sign field as is_signed in WindowsSysmonCompiledNormalizer.

Issue ID: KB-20541
Reference ID: -

Renamed the following field names in LPA_Windows:

Former Field Name | Renamed Field Name
process_name | process
processnamelength | process_name_length
sha1_flat_hash_size | hash_datasize
productname | product
status | status_code
userwriteable | is_user_writeable
processnamebuffer | buffer
requestedsigninglevel | requested_signing_level
securerequired | secure_required

Issue ID: KB-18841

Updated LPA_Windows to support Software Restriction Policies events.

Issue ID: KB-18859

Bug Fix

Some Windows logs were not normalized by LPA_Windows.

Issue ID: KB-19806, KB-19065
Reference ID: 71873, 69618

Support

If you have any questions or require assistance, create a support ticket.

Comments

  • Hans Vedder
    February 20, 2019 12:13

    To use the provided queries in the widgets with logon_process=User32, it's necessary to configure Windows Event Forwarding (WEF) on the Windows workstations.

  • Hans Vedder
    February 22, 2019 11:09

    Many queries contain

    -user="ANONYMOUS LOGON"
    -caller_user="ANONYMOUS LOGON"
    -domain="NT AUTHORITY"
    -caller_domain="NT AUTHORITY"

    For non-English Windows versions it's necessary to modify them to national values.
