- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A Necessity of use cases related to Nessus and Windows.
Hi all,
We have the necessity to implements alerts related to Nessus scans and Windows systems.
We have seen a few of them related to Windows in the Use Case Library at Enterprise Security but I was wondering if you have any sort of alerts that we could implement furthermore than those.
Thank you in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
For Windows use cases I think you could consider monitoring:
- Windows authentication brute force attempts.
- Process creation and powershell execution
- Inclusion and Removal of users in admin groups
- Creation of local admin accounts
- Audit log clear
- RDP connections
- And much more...
You can also take a look at Splunk Security Essentials (https://splunkbase.splunk.com/app/3435/) and Splunk ES Content Updates (https://splunkbase.splunk.com/app/3449/). Both apps contain lots of alerts and correlation searches you can use, some of them even mapped to MITRE ATT&CK framework.
In addiction, this github repo has several monitoring rules that can be used in SIEM, including Windows use cases: https://github.com/Neo23x0/sigma
Maybe Tenable App for Splunk can give you some insights about Nessus: https://splunkbase.splunk.com/app/4061/#/details
