Templates for Windows Server Sensors
Stellar Cyber provides predefined templates for Windows Server Sensor settings. These templates are configured to match common deployment scenarios. Once you have reviewed the settings in a template and seen how it operates in your environment, you can tailor the settings in individual channels to fit your needs using the instructions in Configuring Standard Sensor Profiles.
The following templates are available for options in the Windows tab of the ADD/EDIT SENSOR PROFILE window:
- Windows Detect Profile (Low Volume). This selection covers the minimal events required for all native detections in Stellar Cyber.
- Windows Context Profile (Medium Volume). Adds events commonly used by third-party detection rules.
- Windows Compliance Profile (High Volume). Covers all Windows events.
Each of these profiles collects a different set of logs/events and results in a progressively higher volume of data ingestion from Low to Medium to High.
If you find that you are ingesting a higher volume of data than you would like relative to your license limits, you may want to reconfigure these settings, keeping in mind that the Low Volume profile provides enough coverage for all native Stellar Cyber detections.
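Before picking a template, it helps to know what the server actually produces. The following script is an added example, not Stellar Cyber code: it counts events per event ID over the last 24 hours in the Windows logs that correspond to the channels in the templates, so you can size the profile against your license limits or build a "Specify Event IDs" include list from the IDs that dominate. The log names are the standard Windows channel names and are assumed here to be what each template channel reads; run it in an elevated PowerShell session on the monitored server so the Security log is readable.

```powershell
# Added example (not Stellar Cyber's code). Counts events per ID over the
# last 24 hours in the Windows logs assumed to back the template channels,
# so the expected ingestion volume can be estimated before choosing a template.
# Run elevated: reading the Security log requires administrator rights.

$Channels = @(
    'Security'
    'System'
    'Application'
    'ForwardedEvents'
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'  # assumed name for the firewall channel
    'Microsoft-Windows-Windows Defender/Operational'                      # assumed name for the Defender channel
    'Microsoft-Windows-Sysmon/Operational'                                # assumed name for the Sysmon channel
    'Microsoft-Windows-PowerShell/Operational'                            # assumed name for the PowerShell channel
)
$since = (Get-Date).AddHours(-24)

foreach ($log in $Channels) {
    try {
        # FilterHashtable is evaluated by the event log service itself, which is
        # far cheaper than piping every event through Where-Object.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction Stop
    } catch {
        # An absent channel (e.g. Sysmon not installed) or no events in the
        # window both raise a terminating error; report it and move on.
        Write-Warning "$log : $($_.Exception.Message)"
        continue
    }
    $perHour = [math]::Round($events.Count / 24)
    "== $log : $($events.Count) events in 24h (~$perHour per hour)"
    # Top ten event IDs by count: these are the candidates for an include list
    # or for exclusion when a channel is pushing you over your license limits.
    $events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 |
        ForEach-Object { '{0,8}  event ID {1}' -f $_.Count, $_.Name }
}
```

The 24-hour window is a sample, not a forecast: run it on a representative server during a normal business day, and again during a patch window or backup cycle, before deciding that the Medium or High template fits within your limits.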
The settings for each template are summarized in the table below:
| Channel | | | Notes | Windows Detect Profile | Windows Context Profile | Windows Compliance Profile |
|---|---|---|---|---|---|---|
| Security | | | Collect Windows advanced security audit policy settings events. | | | |
| | Account Logon Events | | | | | |
| | | Credential Validation | For UEBA alerts. | | | |
| | | Kerberos Authentication Service | For UEBA alerts. | | | |
| | | Kerberos Service Ticket Operations | | | | |
| | | Other Account Logon Events | | | | |
| | Account Management Events | | | | | |
| | | Application Group Management | | | | |
| | | Computer Account Management | | | | |
| | | Distribution Group Management | | | | |
| | | Security Group Management | | | | |
| | | User Account Management | | | | |
| | | Other Account Management Events | | | | |
| | Detailed Tracking Events | | | | | |
| | | DPAPI Activity | | | | |
| | | PNP Activity | | | | |
| | | Process Creation | For alerts related to process creation anomalies. | | | |
| | | Process Termination | | | | |
| | | RPC Events | | | | |
| | | Token Right Adjustment Events | | | | |
| | DS Access Events | | | | | |
| | | Detailed Directory Service Replication | | | | |
| | | Directory Service Access | | | | |
| | | Directory Service Changes | | | | |
| | | Directory Service Replication | | | | |
| | Logon/Logoff Events | | | | | |
| | | Account Lockout | | | | |
| | | User/Device Claims | | | | |
| | | Group Membership | | | | |
| | | IPsec Extended Mode | | | | |
| | | IPsec Main Mode | | | | |
| | | IPsec Quick Mode | | | | |
| | | Logoff | | | | |
| | | Logon | For UEBA alerts. | | | |
| | | Network Policy Server | | | | |
| | | Special Logon | | | | |
| | | Other Logon/Logoff Events | | | | |
| | Object Access Events | | | | | |
| | | Application Generated | | | | |
| | | Certification Services | | | | |
| | | Detailed File Share | | | | |
| | | File Share | | | | |
| | | File System | | | | |
| | | Filtering Platform Connection | | | | |
| | | Filtering Platform Packet Drop | | | | |
| | | Handle Manipulation | | | | |
| | | Kernel Object | | | | |
| | | Registry | | | | |
| | | Removable Storage | | | | |
| | | SAM | | | | |
| | | Central Access Policy Staging | | | | |
| | | Other Object Access Events | | | | |
| | Policy Change Events | | | | | |
| | | Audit Policy Change | | | | |
| | | Authentication Policy Change | | | | |
| | | Authorization Policy Change | | | | |
| | | Filtering Platform Policy Change | | | | |
| | | MPSSVC Rule-Level Policy Change | | | | |
| | | Other Policy Change Events | | | | |
| | Privilege Use Events | | | | | |
| | | Non-Sensitive Privilege Use | | | | |
| | | Sensitive Privilege Use | | | | |
| | | Other Privilege Use Events | | | | |
| | System Events | | | | | |
| | | IPsec Driver | | | | |
| | | Security State Change | | | | |
| | | Security System Extension | | | | |
| | | System Integrity | | | | |
| | | Log Clear | | | | |
| | | Other System Events | | | | |
| | Specify Event IDs | | Exclude or Include Only | Include Only: | Include Only: | |
| System | | | Collect Windows system events. | | | |
| Application | | | Collect Windows application events. | | | |
| Forwarded Events | | | Collect Windows events forwarded from other Windows machines. | | | |
| Microsoft Windows DHCP Client | | | Collect Windows DHCP client events. | | | |
| Microsoft Windows Firewall with Advanced Security Firewall | | | Collect Windows advanced security firewall events. | | | |
| Microsoft Windows Defender | | | Collect Windows Defender events. | | | |
| | Specify Event IDs | | | Include Only: | Include Only: | |
| Microsoft Windows Sysmon | | | Collect Windows Sysmon events for process anomaly detections. | | | |
| | Specify Event IDs | | | Include Only: | Include Only: | |
| Microsoft Windows PowerShell Operational | | | Collect Windows PowerShell operational logs. | | | |
| | Specify Event IDs | | | Include Only: | Include Only: | |
| FIM | | | Configure and enable file integrity monitoring. Not enabled by default in any template. | | | |
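The Security channel rows above are Windows advanced audit policy subcategories. Selecting a subcategory in a sensor profile only tells the sensor which events to forward; the events exist only if the server's effective audit policy has that subcategory enabled, so a profile can look correct while the host generates nothing for it. The script below is an added example, not Stellar Cyber code: it reads the effective audit policy with auditpol and reports whether the subcategories the table's notes tie to native alerts are set to Success and Failure. The list of subcategories is an assumption drawn from the Notes column; run it in an elevated PowerShell session on the monitored server.

```powershell
# Added example (not Stellar Cyber's code). Verifies that the advanced audit
# subcategories the table ties to native alerts are enabled in this host's
# effective audit policy. The sensor can only forward events Windows writes;
# a subcategory left at "No Auditing" produces nothing for the profile to collect.
# Run in an elevated PowerShell session on the monitored server.
# The subcategory list is an assumption taken from the table's Notes column.

$Required = @(
    'Credential Validation'             # For UEBA alerts
    'Kerberos Authentication Service'   # For UEBA alerts
    'Logon'                             # For UEBA alerts
    'Process Creation'                  # process creation anomaly alerts
)

# auditpol /r prints CSV with 'Subcategory' and 'Inclusion Setting' columns;
# ConvertFrom-Csv turns each line into an object we can filter on.
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

foreach ($name in $Required) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) {
        Write-Warning "Subcategory '$name' not present in auditpol output (localized name?)"
        continue
    }
    $setting = $row.'Inclusion Setting'     # "Success and Failure", "Success", "Failure" or "No Auditing"
    if ($setting -eq 'Success and Failure') {
        "OK      $name : $setting"
    } else {
        "REVIEW  $name : $setting"
    }
}

# Process Creation (event 4688) carries no command line unless this policy is
# enabled; the event is still generated, but anomaly detection has far less
# to work with without the command line.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$prop = Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
if ($prop -and $prop.ProcessCreationIncludeCmdLine_Enabled -eq 1) {
    "OK      4688 includes the process command line"
} else {
    "REVIEW  4688 command line logging is off (ProcessCreationIncludeCmdLine_Enabled)"
}
```

If a subcategory reports REVIEW, fix the audit policy (locally with auditpol /set, or through the Group Policy object that governs the server) before tuning the sensor profile; otherwise the profile change has no effect on what reaches Stellar Cyber. Where a domain policy enforces the legacy category settings over the advanced subcategories, auditpol will show the subcategory as unset no matter what you configure locally, which is worth checking when the output disagrees with the policy you expect.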