Security Monitoring Change Log
Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks.
This is a link to the download.
These are the changes in the newestrelease…
This management pack is now sealed. That’s probably the biggest change going forward as customizations can be stored in their own separate MP. There are also collection rules and reports setup to target legacy protocols. This should allow an organization to see where these protocols are being used in their environments.
- Fixed bug in Repeated Logon Event Rule that caused alert suppression failure in SCOM 2016
- Added filters to scheduled task creation rule for the following applications (due to noise):
- Symantec EndPoint Protection
- System Center Configuration Manager
- Intel Security DAT Reputation (McAffee tool). I didn’t find a lot of good info on it, but did confirm the tool is in use in my environment.
- Microsoft Office 15 Sync Maintenance
- Optimize Start Menu Cache Files
- Software Inventory Logging\Configuration (SCCM or WMI occasionally adds this task)
- Software Inventory Logging\Daily Collector
- Software Inventory Logging\Collection
- ReplaceOMCert (created during SCOM update).
- MRT_ERROR_HB (malicious software removal tool)
- Various Windows Update strings
- Windows Defender Verification
- Windows Defender Scan
- Added filter to Service Created on DC to filter for
- Microsoft Antimalware
- Windows Defender
- Added rules looking for PowerSploit tools.
- Added a collection rule for LAPS events.
- Added a rule looking for modification to DCs OU (4662 event).
- Added a rule looking at sedebug privileges. This is OFF by default, as this does generate noise. My understanding that this should not happen in an environment does not appear to be true. It can be useful, but this will need some tuning, and as such I’m allowing people to turn this on and tune as needed.
- Added a rule targeting generic crypto-ransomware installations. This is a 4688 event.
- Added a rule targeting the use of regsvr32 to load remote DLLs. This is a 4688 event.
- Added additional filtering to GPO Creation rule to eliminate noise. I mistakenly did not filter this one by source like I did the others, causing excessive GPO creation alerts.
- Added suppression for the batch logon in use rule. I never saw this in my lab and missed setting up suppression when I built this. That is an oversight on my part. There isn’t an ideal way to suppress this. If you suppress by computer, you only see one account per machine, and if you suppress by user, you lose visibility to the machines. I’ve setup a suppression by machine, as this is very noisy when this logon type is in use. This will allow a clear picture into which machines are using batch logon, allowing a security team to remediate.
- Updated System Log rule to specify the system log only. Apparently, when clearing operational logs, a 104 is generated in the system log for each operational log. I doubt this is a common occurrence, as clearing logs rarely happens, but this will reduce this rule to alerting only when the system log is cleared.
- Added filter to Service creation on DC for Windows Defender Update (Windows defender apparently creates a service temporarily for its updates).
- Fixed bug with Log Clearing alerts.
- Updated descriptions for a couple of monitors.
- Rewrote GPO Modification, Creation, and Deletion rules for AGPM.
- Added report and collection rules to detect the following deprecated protocols