Interesting Event Queries

What Windows boxes are running end-of-life operating systems

Partner portal: https://dsap.netwatcher.com/UjocP

Customer portal: https://portal.netwatcher.com/l8BL4

What assets have CCleaner installed?

Partner portal: https://dsap.netwatcher.com/RtM7c

Customer portal: https://portal.netwatcher.com/aAdpO

Windows Authentication Events

Partner portal: https://dsap.netwatcher.com/nwONX

Customer portal: https://portal.netwatcher.com/2BeY8

User account or groups changing (HIDS view)

Windows: Administrators Group Changed

Partner portal: https://dsap.netwatcher.com/NTw15

Customer portal: https://portal.netwatcher.com/54iJC

Windows: Security Enabled Global Group Changed

Partner portal: https://dsap.netwatcher.com/xyJ7W

Customer portal: https://portal.netwatcher.com/b7RjT

Windows: Security Enabled Global Group Member Added

Partner portal: https://dsap.netwatcher.com/4gD6n

Customer portal: https://portal.netwatcher.com/KRxiF

Windows: Security Enabled Global Group Member Removed

Partner portal: https://dsap.netwatcher.com/WRm4e

Customer portal: https://portal.netwatcher.com/hTYT5

Windows: Security Enabled Local Group Changed

Partner portal: https://dsap.netwatcher.com/xyJ7W

Customer portal: https://portal.netwatcher.com/b7RjT

Windows: Security Enabled Local Group Member Added

Partner portal: https://dsap.netwatcher.com/fJ0sl

Customer portal: https://portal.netwatcher.com/Ql3SC

Windows: Security Enabled Local Group Member Removed

Partner portal: https://dsap.netwatcher.com/66R3M

Customer portal: https://portal.netwatcher.com/J0K9n

Windows: User account enabled or created.

Partner portal: https://dsap.netwatcher.com/QriYS

Customer portal: https://portal.netwatcher.com/pwAP2

Windows: User account disabled or deleted.

Partner portal: https://dsap.netwatcher.com/rkGMM

Customer portal: https://portal.netwatcher.com/mHDYh

Windows: User account changed.

Partner portal: https://dsap.netwatcher.com/AUdAC

Customer portal: https://portal.netwatcher.com/lBt4H

Windows: User account locked out (multiple login errors).

Partner portal: https://dsap.netwatcher.com/3ndzM

Customer portal: https://portal.netwatcher.com/JAnCr

Windows: User account unlocked.

Partner portal: https://dsap.netwatcher.com/2UTxZ

Customer portal: https://portal.netwatcher.com/SJM3z

File added to the asset

Partner portal: https://dsap.netwatcher.com/Usxz8

Customer portal: https://portal.netwatcher.com/1LlpK

Windows Application Installs

Partner portal: https://dsap.netwatcher.com/KK4fM

Customer portal: https://portal.netwatcher.com/l5agP

Registry entry added to the system

Partner portal: https://dsap.netwatcher.com/dIWfZ

Customer portal: https://portal.netwatcher.com/XCB0X

This lets you know which assets had their registry updated.

Checking on any NIDS “current events”

Partner portal: https://dsap.netwatcher.com/NTzpd

Customer portal: https://portal.netwatcher.com/86mBn

Current Events – the rule category for active and short-lived campaigns. It covers exploit kits and malware whose signatures will be aged out and removed quickly because of the short-lived nature of the threat, as well as high-profile items that are not expected to stay long (fraud campaigns tied to disasters, for instance). These are rules that are not intended to remain in the ruleset for long, or that need to be tested before they are considered for inclusion elsewhere. Most often they are simple signatures for the Storm binary URL of the day, signatures to catch CLSIDs of newly found vulnerable applications where no detail on the exploit is yet available, and the like.

Look for any malware/trojan/exploit NIDS traffic

Partner portal: https://dsap.netwatcher.com/hT0zw

Customer portal: https://portal.netwatcher.com/RZGPr

Look for Windows Audit Events

Partner portal: https://dsap.netwatcher.com/dx2qK

Customer portal: https://portal.netwatcher.com/0XjfA

Look for any executable that has been downloaded from outside the USA

Partner portal: https://dsap.netwatcher.com/D2LgW

Customer portal: https://portal.netwatcher.com/IQD2q

Look for assets communicating with known bad IP addresses

Partner portal: https://dsap.netwatcher.com/Ql4bG

Customer portal: https://portal.netwatcher.com/rCRLU
