Templates for Windows Server Sensors

Stellar Cyber provides predefined templates for Windows Server Sensor settings. These templates have been carefully configured to match common deployment scenarios. Once you have reviewed the settings in a template and seen how it operates in your environment, you can tailor the settings in individual channels to fit your needs using the instructions in Configuring Standard Sensor Profiles

The following templates are available for options in the Windows tab of the ADD/EDIT SENSOR PROFILE window:

  • Windows Detect Profile (Low Volume). The selection covers the minimal events required for all native detections in Stellar Cyber.

  • Windows Context Profile (Medium Volume). Adds events commonly used by third-party detection rules.

  • Windows Compliance Profile (High Volume). Covers all Windows events.

Each of these profiles collects a different set of logs/events and results in a progressively higher volume of data ingestion from Low to Medium to High.

If you find that you are ingesting a higher volume of data than you would like relative to your license limits, you may want to reconfigure these settings, keeping in mind that the Low Volume profile provides enough coverage for all native Stellar Cyber detections.

The settings for each template are summarized in the table below:

Channel

 

 

Notes

Windows Detect Profile

Windows Context Profile

Windows Compliance Profile

Security

Collect Windows advanced security audit policy settings events.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

      
Account Logon Events

 

 

 

 

 

 

      

Credential Validation

For UEBA alerts.

Kerberos Authentication Service

For UEBA alerts

Kerberos Service Ticket Operations

 

Other Account Logon Events

 

    
Account Management Events

 

 

 

 

 

 

 

 

      

Application Group Management

 

 

 

Computer Account Management

 

Distribution Group Management

 

 

 

Security Group Management

 

User Account Management

 

Other Account Management Events

 

Detailed Tracking Events

 

 

 

 

 

 

 

 

 

 

 

DPAPI Activity

 

PNP Activity

 

 

 

Process Creation

For alerts related to process creation anomalies.

Process Termination

 

 

RPC Events

 

 

 

Token Right Adjustment Events

 

 

 
DS Access Events

 

 

 

 

 

 

 

 

 

Detailed Directory Service Replication

 

 

 

Directory Service Access

 

Directory Service Changes

 

Directory Service Replication

 

 

 
Logon/Logoff Events

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Account Lockout

 

 

 

User/Device Claims

 

 

 

Group Membership

 

 

 

IPsec Extended Mode

 

 

 

IPsec Main Mode

 

 

 

IPSec Quick Mode

 

 

 

Logoff

 

 

 

Logon

For UEBA alerts

Network Policy Server

 

 

 

Special Logon

 

 

Other Logon/Logoff Events

 

Object Access Events

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Application Generated

 

 

 

Certification Services

 

Detailed File Share

 

File Share

 

File System

 

Filtering Platform Connection

 

Filtering Platform Packet Drop

 

 

 

Handle Manipulation

 

 

 

Kernel Object

 

Registry

 

Removable Storage

 

 

 

SAM

 

 

Central Access Policy Staging

 

 

 

Other Object Access Events

 

Policy Change Events

 

 

 

 

 

 

 

 

 

 

 

Audit Policy Change

 

Authentication Policy Change

 

Authorization Policy Change

 

Filtering Platform Policy Change

 

 

 

MPSSVC Rule-Level Policy Change

 

 

 

Other Policy Change Events

 

 

 
Privilege Use Events

 

 

 

 

 

 

 

 

Non-Sensitive Privilege Use

 

 

 

Sensitive Privilege Use

 

Other Privilege Use Events

 

 

 
System Events

 

 

 

 

 

 

 

 

 

 

 

 

 

IPsec Driver

 

 

 

Security State Change

 

Security System Extension

 

System Integrity

 

Log Clear

 

Other System Events

 

Specify Event IDs

Exclude or Include Only

 

Include Only:
1102, 1104, 4611, 4616, 4624-4625, 4648-4649, 4656-4658, 4660-4662, 4663, 4673-4674, 4688, 4768, 4692, 4697-4699, 4701-4702, 4704, 4706, 4713-4714, 4720, 4722, 4725-4732, 4734, 4738, 4741-4743, 4754, 4756-4758, 4765-4767, 4769, 4771, 4776, 4781-4782, 4794, 4799, 4825, 4898-4899, 4905, 5030, 5034-5035, 5038, 5136, 5140, 5145, 5156, 5379, 6281, 6416, 6423

Include Only:
1102, 1104, 4611, 4616, 4624-4625, 4648-4649, 4656-4658, 4660-4663, 4672-4674, 4688-4689, 4692, 4697-4699, 4701-4702, 4704, 4706, 4713-4714, 4718-4720, 4722, 4724-4734, 4738-4743, 4754, 4756-4758, 4765-4767, 4768-4769, 4771, 4776, 4781-4782, 4794, 4799, 4825, 4898-4899, 4905, 5030, 5034-5035, 5038, 5136, 5140, 5145, 5156, 5379, 6281, 6416, 6423

 

System

Collect Windows system events.

 

 

 

Application

Collext Windows aplication events.

 

 

 

Forwarded Events

Collect Windows events forwarded from other Windows machines.

 

 

 

Microsoft Windows DHCP Client

Collect Windows DHCP client events

 

 

 

Microsoft Windows Firewall with Advanced Security Firewall

Collect Windows advanced security firewall events.

 

 

 

Microsoft Windows Defender

Collect Windows Defender events.

 

 

 

 

Specify Event IDs

 

 

Include Only:
1006-1008, 1015, 1116-1119, 2013

Include Only:
1006-1008, 1013, 1015, 1116-1119, 1121, 2013, 5001, 5010, 5012-5013, 5101

 

Microsoft Windows Sysmon

Collect Windows sysmon events for process anomaly detections.

 

 

 

 

Specify Event IDs

 

 

Include Only:
1, 3, 10, 13

Include Only:
1, 3, 5, 7-8, 10-13, 15, 17, 20-21, 23

 

Microsoft Windows PowerShell Operational

Collect Windows PowerShell operational logs.

 

 

 

 

Specify Event IDs

 

 

Include Only:
4104

Include Only:
4103-4104, 40961-40962

 

FIM

Configure and enable file integrity monitoring.

Not enabled by default in any template.