Built-in detection rules, EventIDs and EventProviders relations

SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and to your security posture. This page is intended to help partners and customers assess their detection coverage by showing which Event IDs and Event Providers each rule relies on. Please note that this information was retrieved automatically from our test samples when generating the attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules. Last update on 2026-06-04

The colors of the EventIDs in this page should be interpreted as follows:

  • Red: This EventID is not logged by default on a Windows 10+ or Windows Server 2016+ machine.
  • Orange: This EventID is logged by default on a Windows 10+ or Windows Server 2016+ machine, but upgrading its configuration would greatly help detection. For instance, EventID 4688 is logged by default, but logging the command line is incredibly helpful for the rules, since almost 50% of our rules use the command line for detection (usually shown as EventID 1 in this page).
  • Purple: This EventID is logged by default if you have Windows Defender activated.
  • Blue: This EventID is only logged if you have Sysmon. Our rules have a master Effort Level if the recommended Sysmon configuration is not enough and needs to be modified. Please be aware that modifying the Sysmon configuration can greatly increase the volume of events logged in your network; SEKOIA.IO has no visibility into such changes and is therefore not responsible for them.

Rules x Effort Level x EventIDs x Event Providers

| Rule Name | Effort Level | EventIDs | Event Providers |
|---|---|---|---|
| Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon |
| Windows Registry Persistence COM Search Order Hijacking | master | 13 | Microsoft-Windows-Sysmon |
| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing |
| CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Configuration Changed | master | 5007 | Microsoft-Windows-Windows Defender |
| Data Compressed With Rar | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Webshell Creation | master | 11, 4656, 4663 | Microsoft-Windows-Sysmon |
| Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing |
| Csrss Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Malware Persistence Registry Key | master | 1, 13 | Microsoft-Windows-Sysmon |
| Correlation Multi Service Disable | master | 1, 5 | Kernel-Process |
| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon |
| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing |
| Outlook Registry Access | master | 1 | Microsoft-Windows-Sysmon |
| xWizard Execution | master | 1 | Kernel-Process |
| MS Office Product Spawning Exe in User Dir | master | 1 | Microsoft-Windows-Sysmon |
| Registry Value Changed Via Windows Run Dialog | master | 4657 | Microsoft-Windows-Security-Auditing |
| Remote Monitoring and Management Software - AnyDesk | master | 1, 22 | Kernel-Process, Microsoft-Windows-DNS-Client |
| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon |
| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon |
| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon |
| Stop Backup Services | master | 1, 13 | Kernel-Process, Microsoft-Windows-Sysmon |
| Suspicious DLL Loaded Via Office Applications | master | 7 | Microsoft-Windows-Sysmon |
| Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon |
| Suspicious Windows Installer Execution | master | 1 | Microsoft-Windows-Sysmon |
| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing |
| AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Web Application Launching Shell | master | 1, 4688 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| Correlation Internal Kerberos Password Spraying | master | 4768 | Microsoft-Windows-Security-Auditing |
| Computer Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus Exclusion Configuration | master | 13, 5007 | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender |
| Putty Sessions Listing | master | 1, 4656, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing |
| Spoolsv Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Taskhostw Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Shadow Copies | master | 4104, 4688 | Microsoft-Windows-PowerShell, Microsoft-Windows-Security-Auditing |
| Remote Monitoring and Management Software - Atera | master | 13 | Microsoft-Windows-Sysmon |
| Antivirus Relevant File Paths Alerts | master | 1116 | Microsoft-Windows-Windows Defender |
| Elevated Shell Launched By Browser | master | 5 | Kernel-Process |
| Potential RDP Connection To Non-Domain Host | master | 8001 | Microsoft-Windows-NTLM |
| Correlation Internal Ntlm Password Spraying | master | 4625 | Microsoft-Windows-Security-Auditing |
| Suspicious Cmd.exe Command Line | master | 1 | Microsoft-Windows-Sysmon |
| Privileged AD Builtin Group Modified | master | 4727, 4728, 4729, 4730, 4754, 4756, 4757, 4758, 4764 | Microsoft-Windows-Security-Auditing |
| Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon |
| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Scheduled Task Creation By Non Privileged User | master | 4688 | Microsoft-Windows-Security-Auditing |
| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon |
| Suspicious New Printer Ports In Registry | master | 13 | Microsoft-Windows-Sysmon |
| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing |
| LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon |
| ISO LNK Infection Chain | master | 5, 11 | Kernel-Process, Microsoft-Windows-Kernel-File |
| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon |
| Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon |
| Disable Windows Defender Credential Guard | master | 13 | Microsoft-Windows-Sysmon |
| Taskhost or Taskhostw Suspicious Child Found | master | 1 | Microsoft-Windows-Sysmon |
| User Account Created | master | 4720 | Microsoft-Windows-Security-Auditing |
| Svchost Wrong Parent | master | 4688 | Microsoft-Windows-Security-Auditing |
| Elevated Msiexec Via Repair Functionality | master | 1, 5 | Kernel-Process |
| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon |
| PowerView commandlets 2 | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing |
| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon |
| Microsoft Office Product Spawning Windows Shell | master | 1 | Microsoft-Windows-Sysmon |
| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing |
| Pandemic Windows Implant | master | 1, 13 | Microsoft-Windows-Sysmon |
| User Account Deleted | master | 4726 | Microsoft-Windows-Security-Auditing |
| Windows Sandbox Start | master | 1, 5 | Kernel-Process |
| Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting | master | 13 | Microsoft-Windows-Sysmon |
| Rebooting | master | 1 | Kernel-Process |
| Logonui Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon |
| Dllhost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Lsass Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Possible Replay Attack | master | 4649 | Microsoft-Windows-Security-Auditing |
| Winrshost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon |
| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon |
| Suspicious Access To Sensitive File Extensions | master | 5145 | Microsoft-Windows-Security-Auditing |
| Smss Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Microsoft Office Macro Security Registry Modifications | master | 13 | Microsoft-Windows-Sysmon |
| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon |
| Failed Logon Followed By A Success From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing |
| Admin Share Access | master | 5140, 5145 | Microsoft-Windows-Security-Auditing |
| Searchprotocolhost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Account Removed From A Security Enabled Group | master | 4729 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender |
| Wsmprovhost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Grabbing Sensitive Hives Via Reg Utility | master | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon |
| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon |
| Powershell Winlogon Helper DLL | master | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon |
| User Added to Local Administrators | master | 4732 | Microsoft-Windows-Security-Auditing |
| Windows Suspicious Scheduled Task Creation | master | 4698 | Microsoft-Windows-Security-Auditing |
| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon |
| Winlogon wrong parent | master | 1 | Microsoft-Windows-Sysmon |
| LSASS Access From Non System Account | master | 4656, 4663 | Microsoft-Windows-Security-Auditing |
| Disable Security Events Logging Adding Reg Key MiniNt | master | 13 | Microsoft-Windows-Sysmon |
| Commonly Used Commands To Stop Services And Remove Backups | master | 1 | Microsoft-Windows-Sysmon |
| Taskhost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Powershell Suspicious Startup Shortcut Persistence | master | 11 | Microsoft-Windows-Kernel-File |
| Powershell Web Request | master | 3 | Microsoft-Windows-Kernel-Network |
| Searchprotocolhost Child Found | master | 1 | Microsoft-Windows-Sysmon |
| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing |
| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon |
| Searchindexer Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| MMC Spawning Windows Shell | master | 1 | Microsoft-Windows-Sysmon |
| Remote Service Activity Via SVCCTL Named Pipe | master | 5145 | Microsoft-Windows-Security-Auditing |
| Compress Data for Exfiltration via Archiver | master | 1 | Kernel-Process |
| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing |
| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell |
| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| AMSI Deactivation Using Registry Key | master | | |
| File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon |
| Wininit Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| DNS Query For Iplookup | master | 22 | Microsoft-Windows-DNS-Client |
| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service |
| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | Microsoft-Windows-Sysmon |
| NjRat Registry Changes | master | 1, 13 | Kernel-Process, Microsoft-Windows-Sysmon |
| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell |
| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing |
| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon |
| Opening Of a Password File | master | 5 | Kernel-Process |
| Narrator Feedback-Hub Persistence | master | 13 | Microsoft-Windows-Sysmon |
| Suspicious Windows DNS Queries | advanced | 5, 22 | Kernel-Process, Microsoft-Windows-Sysmon |
| PowerShell Suspicious Context Changes | advanced | 4104 | Microsoft-Windows-PowerShell |
| Certify Or Certipy | advanced | 3, 5 | Kernel-Process |
| WerFaultSecure Abuse | advanced | 1 | Kernel-Process |
| Lateral Movement Remote Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing |
| HTML Smuggling Suspicious Usage | advanced | 1, 11, 15 | Microsoft-Windows-Sysmon |
| HackTools Suspicious Names | advanced | 5, 11 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
| PowerShell Download From URL | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Capture a network trace with netsh.exe | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious Double Extension | advanced | 5 | Microsoft-Windows-Sysmon |
| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon |
| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625, 4776 | Microsoft-Windows-Security-Auditing |
| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon |
| PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| BITSAdmin Download | advanced | | |
| Adidnsdump Enumeration | advanced | 11, 4688 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing |
| Remote System Discovery Via Telnet | advanced | 5 | Kernel-Process |
| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon |
| System Network Connections Discovery | advanced | 1 | Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Tampering Detected | advanced | 1127, 2013, 5001, 5010, 5012, 5101 | Microsoft-Windows-Windows Defender |
| Openfiles Usage | advanced | 1 | Kernel-Process |
| OneNote Suspicious Children Process | advanced | 1, 15 | Microsoft-Windows-Sysmon |
| Language Discovery | advanced | 4104 | Microsoft-Windows-PowerShell |
| Alternate PowerShell Hosts Pipe | advanced | 17 | Microsoft-Windows-Sysmon |
| Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon |
| Exfiltration Via Pscp | advanced | 1 | Microsoft-Windows-Sysmon |
| Hiding Files With Attrib.exe | advanced | 1 | Microsoft-Windows-Sysmon |
| AzureEdge in Command Line | advanced | 5 | Kernel-Process |
| ACLight Discovering Privileged Accounts | advanced | 4103 | Microsoft-Windows-PowerShell |
| Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing |
| Credentials Extraction | advanced | 1 | Kernel-Process |
| Microsoft Windows Active Directory Module Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell |
| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon |
| Legitimate Process Execution From Unusual Folder | advanced | 1, 5, 4688 | Microsoft-Windows-Sysmon |
| NetSh Used To Disable Windows Firewall | advanced | 1 | Microsoft-Windows-Sysmon |
| Non-Legitimate Executable Using AcceptEula Parameter | advanced | 5, 8 | Kernel-Process, Microsoft-Windows-Kernel-Process |
| RDP Login From Localhost | advanced | 4624 | Microsoft-Windows-Security-Auditing |
| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon |
| Permission Discovery Via Wmic | advanced | 1 | Microsoft-Windows-Sysmon |
| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon |
| Wmic Suspicious Commands | advanced | 5 | Kernel-Process |
| Rubeus Tool Command-line | advanced | 1 | Microsoft-Windows-Sysmon |
| Unsigned Driver Loaded From Suspicious Location | advanced | 6 | Microsoft-Windows-Sysmon |
| PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell |
| Suspicious Regsvr32 Execution | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious PowerShell Invocations - Generic | advanced | 1 | Microsoft-Windows-Sysmon |
| Usage Of Procdump With Common Arguments | advanced | 1, 13 | Microsoft-Windows-Sysmon |
| Correlation Admin Files Checked On Network Share | advanced | 5145 | Microsoft-Windows-Security-Auditing |
| PowerShell NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell |
| WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon |
| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing |
| WMI Event Subscription | advanced | 19, 20, 21 | Microsoft-Windows-Sysmon |
| Suspicious Hostname | advanced | 4624 | Microsoft-Windows-Security-Auditing |
| WiFi Credentials Harvesting Using Netsh | advanced | 1 | Microsoft-Windows-Sysmon |
| AD Object WriteDAC Access | advanced | 4662 | Microsoft-Windows-Security-Auditing |
| Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon |
| WMImplant Hack Tool | advanced | 4104 | Microsoft-Windows-PowerShell |
| WMIC Command To Determine The Antivirus | advanced | 1, 5, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Credential Harvesting Via Vaultcmd.exe | advanced | 1 | Kernel-Process |
| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing |
| Ntfsinfo Usage | advanced | 4688 | Microsoft-Windows-Security-Auditing |
| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon |
| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing |
| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | 11 | Microsoft-Windows-Sysmon |
| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon |
| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon |
| FLTMC command usage | advanced | 5 | Kernel-Process |
| Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell |
| Powershell UploadString Function | advanced | 1 | Microsoft-Windows-Sysmon |
| NlTest Usage | advanced | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
| Netsh Program Allowed With Suspicious Location | advanced | 1 | Microsoft-Windows-Sysmon |
| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon |
| External Disk Drive Or USB Storage Device | advanced | 6416 | Microsoft-Windows-Security-Auditing |
| PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell |
| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Threat Detected | advanced | 1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119, 1125, 1126 | Microsoft-Windows-Windows Defender |
| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell |
| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon |
| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager |
| Successful Overpass The Hash Attempt | advanced | 4624 | Microsoft-Windows-Security-Auditing |
| PowerShell AMSI Deactivation Bypass Using .NET Reflection | advanced | 4104 | Microsoft-Windows-PowerShell |
| CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon |
| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon |
| PowerShell Commands Invocation | advanced | 1 | Kernel-Process |
| RDP Configuration File From Mail Process | advanced | 1, 11 | Kernel-Process, Microsoft-Windows-Kernel-File |
| AccCheckConsole Executing Dll | advanced | 5 | Kernel-Process |
| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious desktop.ini Action | advanced | 15 | Microsoft-Windows-Sysmon |
| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell |
| Csrss Child Found | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious Regasm Regsvcs Usage | advanced | 1 | Kernel-Process |
| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon |
| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon |
| Disabled IE Security Features | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| PowerShell Credential Prompt | advanced | 4104 | Microsoft-Windows-PowerShell |
| AutoIt3 Execution From Suspicious Folder | advanced | 5 | Kernel-Process |
| Metasploit PSExec Service Creation | advanced | 7045 | Service Control Manager |
| Component Object Model Hijacking | advanced | 23 | Microsoft-Windows-Kernel-File |
| Unsigned Image Loaded Into LSASS Process | advanced | 7 | Microsoft-Windows-Sysmon |
| Credential Dump Tools Related Files | advanced | 11, 15 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
| Compression Followed By Suppression | advanced | 5 | Kernel-Process |
| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | 10 | Microsoft-Windows-Sysmon |
| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon |
| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing |
| Powershell AMSI Bypass | advanced | 4104 | Microsoft-Windows-PowerShell |
| Microsoft IIS Module Installation | advanced | 1, 5, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Svchost Modification | advanced | 13 | Microsoft-Windows-Sysmon |
| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Dism Disabling Windows Defender | advanced | 1 | Kernel-Process |
| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon |
| Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon |
| VSCode Tunnel Shell Exec | advanced | 1 | Kernel-Process |
| Remote Privileged Group Enumeration | advanced | 4799 | |
| MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Chafer (APT 39) Activity | intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager |
| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
| Gpscript Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon |
| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Rundll32.exe Executions | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
| Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Mshta Execution From Wmi | intermediate | 1 | Microsoft-Windows-Sysmon |
| NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon |
| Schtasks Suspicious Parent | intermediate | 1 | Kernel-Process |
| Hijack Legit RDP Session To Move Laterally | intermediate | 11 | Microsoft-Windows-Sysmon |
| Correlation Post Exploitation Patterns Via Winrm | intermediate | 1, 5 | Kernel-Process |
| Microsoft Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon |
| Reconnaissance Commands Activities | intermediate | 1 | Kernel-Process |
| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon |
| Data Compressed With Rar With Password | intermediate | 1 | Microsoft-Windows-Sysmon |
| COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon |
| Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | 4104 | Microsoft-Windows-PowerShell |
| SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon |
| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon |
| Process Memory Dump Using Comsvcs | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
| Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon |
| Netsh Port Forwarding | intermediate | 1 | Microsoft-Windows-Sysmon |
| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon |
| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon |
| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon |
| PowerCat Function Loading | intermediate | 4104 | Microsoft-Windows-PowerShell |
| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon |
| StoneDrill Service Install | intermediate | 7045 | Service Control Manager |
| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager |
| Correlation Supicious Powershell Drop and Exec | intermediate | 1, 3, 11 | Kernel-Process, Microsoft-Windows-Kernel-File, Microsoft-Windows-Kernel-Network |
| Njrat Registry Values | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing |
| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon |
| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon |
| GPO Executable Delivery | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
| Transferring Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
| Netscan Share Access Artefact | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Suspicious CodePage Switch with CHCP | intermediate | 1 | Microsoft-Windows-Sysmon |
| XSL Script Processing And SquiblyTwo Attack | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General |
| Remote Enumeration Of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing |
| Cobalt Strike Default Beacons Names | intermediate | 1, 15 | Microsoft-Windows-Sysmon |
| Screenconnect Remote Execution | intermediate | 1, 5 | Kernel-Process |
| Microsoft Defender Antivirus Restoration Abuse | intermediate | 1 | Microsoft-Windows-Sysmon |
| Eventlog Cleared | intermediate | 517, 1102 | Microsoft-Windows-Eventlog |
| WCE wceaux.dll Creation | intermediate | 11 | Microsoft-Windows-Kernel-File |
| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
| Suspicious Cmd File Copy Command To Network Share | intermediate | 11 | Microsoft-Windows-Kernel-File |
| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon |
| Windows Suspicious Service Creation | intermediate | 13, 4697 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup |
| CMSTP UAC Bypass via COM Object Access | intermediate | 1 | Microsoft-Windows-Sysmon |
| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon |
| Remote Task Creation Via ATSVC Named Pipe | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720, 4781 | Microsoft-Windows-Security-Auditing |
| Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell |
| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon |
| Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process |
| Active Directory Replication User Backdoor | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
| Exchange Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon |
| SquirrelWaffle Malspam Execution Loading DLL | intermediate | 1 | Microsoft-Windows-Sysmon |
| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
| Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process |
| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon |
| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
| Correlation Priv Esc Via Remote Thread | intermediate | 1, 8, 4703 | Kernel-Process, Microsoft-Windows-Kernel-Process, Microsoft-Windows-Security-Auditing |
| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error |
| Suspicious CommandLine Lsassy Pattern | intermediate | 5 | Kernel-Process |
| Suspicious Windows Script Execution | intermediate | 5 | Kernel-Process |
| Suspicious Commands From MS SQL Server Shell | intermediate | 1 | Kernel-Process |
| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1033, 1034 | Microsoft-Windows-DHCP-Server |
| Active Directory User Backdoors | intermediate | 4662, 5136 | Microsoft-Windows-Security-Auditing |
| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing |
| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | 1, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| TUN/TAP Driver Installation | intermediate | 4697, 7045 | Service Control Manager |
| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon |
| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon |
| Clear EventLogs Through CommandLine | intermediate | 1 | Microsoft-Windows-Sysmon |
| UAC Bypass via Event Viewer | intermediate | 13 | Microsoft-Windows-Sysmon |
| New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
| Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon |
| High Privileges Network Share Removal | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
| Powershell Web Request And Windows Script | intermediate | 5 | Kernel-Process |
| ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon |
| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing |
| Impacket Addcomputer | intermediate | 4741 | Microsoft-Windows-Security-Auditing |
| Suspicious DLL side loading from ProgramData | intermediate | 7 | Microsoft-Windows-Sysmon |
| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon |
| JS PowerShell Infection Chains | intermediate | 1 | Kernel-Process |
| Active Directory Delegate To KRBTGT Service | intermediate | 4738 | Microsoft-Windows-Security-Auditing |
| SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon |
| Netsh RDP Port Opening | intermediate | 1 | Microsoft-Windows-Sysmon |
| Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon |
| Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell |
| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon |
| Network Connection Via Certutil | intermediate | 1 | Kernel-Process |
| DC Shadow via Service Principal Name (SPN) creation | intermediate | 4742, 5136 | Microsoft-Windows-Security-Auditing |
| Audio Capture via PowerShell | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon |
| STRRAT Scheduled Task | intermediate | 1 | Microsoft-Windows-Sysmon |
| HackTools Suspicious Process Names In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon |
| MSBuild Abuse | intermediate | 1 | Kernel-Process |
| Secure Deletion With SDelete | intermediate | 4656, 4658, 4663 | Microsoft-Windows-Security-Auditing |
| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon |
| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon |
| CertOC Loading Dll | intermediate | 1 | Kernel-Process |
| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon |
| TrustedInstaller Impersonation | intermediate | 4104 | Microsoft-Windows-PowerShell |
| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon |
| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon |
| DHCP Callout DLL Installation | intermediate | 13 | Microsoft-Windows-Sysmon |
| Correlation PowerShell Suspicious DLL Loading | intermediate | 5 | Kernel-Process, Microsoft-Windows-PowerShell |
| Wmic Process Call Creation | intermediate | 1 | Microsoft-Windows-Sysmon |
| MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon |
| RDP Port Change Using Powershell | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Evil Winrm Modules Execution | intermediate | 4104 | Microsoft-Windows-PowerShell |
| Mshta Command From A Scheduled Task | intermediate | 1 | Kernel-Process |
| Correlation Suspicious Authentication Coercer Behavior | intermediate | 4624, 5145 | Microsoft-Windows-Security-Auditing |
| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon |
| SolarWinds Suspicious File Creation | intermediate | 11 | Microsoft-Windows-Sysmon |
| Copy Of Legitimate System32 Executable | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing |
| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Formbook Hijacked Process Command | intermediate | 1 | Microsoft-Windows-Sysmon |
| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon |
| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon |
| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing |
| Suspicious Driver Loaded | intermediate | 13 | Microsoft-Windows-Sysmon |
| Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon |
| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon |
| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon |
| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing |
| DLL Load via LSASS Registry Key | intermediate | 12, 13 | Microsoft-Windows-Sysmon |
| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon |
| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon |
| DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Kerberos Ticket | intermediate | 4768 | Microsoft-Windows-Security-Auditing |
| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | |
| Disable Workstation Lock | elementary | 13 | Microsoft-Windows-Sysmon |
| LanManServer Registry Modify | elementary | 13 | Microsoft-Windows-Sysmon |
| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process |
| Active Directory Data Export Using Csvde | elementary | 1 | Kernel-Process |
| Suspicious Hangul Word Processor Child Process | elementary | 1 | Microsoft-Windows-Sysmon |
| UAC Bypass Via Sdclt | elementary | 1, 13 | Microsoft-Windows-Sysmon |
| Tactical RMM Installation | elementary | 5 | Kernel-Process |
| Debugging Software Deactivation | elementary | 1 | Microsoft-Windows-Sysmon |
| Copying Sensitive Files With Credential Data | elementary | 1 | Microsoft-Windows-Sysmon |
| SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory | elementary | 4704 | Microsoft-Windows-Security-Auditing |
| Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | 4720 | Microsoft-Windows-Security-Auditing |
| FlowCloud Malware | elementary | 13 | Microsoft-Windows-Sysmon |
| Kerberos Pre-Auth Disabled in UAC | elementary | 4738 | Microsoft-Windows-Security-Auditing |
| Antivirus Exploitation Framework Detection | elementary | 1011, 1116 | Microsoft-Windows-Windows Defender |
| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon |
| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager |
Schtasks Persistence With High Privileges elementary 1 Microsoft-Windows-Sysmon
Leviathan Registry Key Activity elementary 1, 13 Microsoft-Windows-Sysmon
CVE-2019-0708 Scan elementary 4625 Microsoft-Windows-Security-Auditing
Process Memory Dump Using Rdrleakdiag elementary 5 Kernel-Process
SysKey Registry Keys Access elementary 4656, 4663 Microsoft-Windows-Security-Auditing
Malicious Service Installations elementary 4697, 7045 Service Control Manager
Domain Trust Discovery Through LDAP elementary 1, 4688 Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon
Exploit For CVE-2015-1641 elementary 1 Microsoft-Windows-Sysmon
Office Application Startup Office Test elementary 1, 13 Microsoft-Windows-Sysmon
PasswordDump SecurityXploded Tool elementary 1 Microsoft-Windows-Sysmon
PowerShell Downgrade Attack elementary 1 Microsoft-Windows-Sysmon
Audit CVE Event elementary 1 Microsoft-Windows-Audit-CVE
Disabling SmartScreen Via Registry elementary 13 Microsoft-Windows-Sysmon
Suncrypt Parameters elementary 1, 4104 Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon
RedMimicry Winnti Playbook Registry Manipulation elementary 1, 13 Microsoft-Windows-Sysmon
Microsoft Office Startup Add-In elementary 11 Microsoft-Windows-Sysmon
Suspicious VBS Execution Parameter elementary 1 Microsoft-Windows-Sysmon
Raccine Uninstall elementary 1 Microsoft-Windows-Sysmon
Sigma Intelligence ErrTraffic PowerShell Command Line elementary 4104 Microsoft-Windows-PowerShell
IcedID Execution Using Excel elementary 1 Microsoft-Windows-Sysmon
Microsoft Defender Antivirus Signatures Removed With MpCmdRun elementary 1 Microsoft-Windows-Sysmon
RedMimicry Winnti Playbook Dropped File elementary 11 Microsoft-Windows-Sysmon
Phosphorus (APT35) Exchange Discovery elementary 4104 Microsoft-Windows-PowerShell
Invoke-TheHash Commandlets elementary 4104 Microsoft-Windows-PowerShell
Elise Backdoor elementary 1 Microsoft-Windows-Sysmon
Active Directory Database Dump Via Ntdsutil elementary 325 ESENT
Windows Defender Logging Modification Via Registry elementary 1, 13 Kernel-Process, Microsoft-Windows-Sysmon
Ursnif Registry Key elementary 13 Microsoft-Windows-Sysmon
WMI Persistence Command Line Event Consumer elementary 7 Microsoft-Windows-Sysmon
Phorpiex DriveMgr Command elementary 1 Microsoft-Windows-Sysmon
APT29 Fake Google Update Service Install elementary 7045 Service Control Manager
Malspam Execution Registering Malicious DLL elementary 1, 11 Microsoft-Windows-Sysmon
Turla Named Pipes elementary 17 Microsoft-Windows-Sysmon
Credential Dumping By LaZagne elementary 10 Microsoft-Windows-Sysmon
Mshta JavaScript Execution elementary 1 Microsoft-Windows-Sysmon
Impacket Wmiexec Module elementary 1, 4688 Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon
Winword Document Droppers elementary 1 Microsoft-Windows-Sysmon
Antivirus Web Shell Detection elementary 1116 Microsoft-Windows-Windows Defender
Smbexec.py Service Installation elementary 6, 4697, 7045 Service Control Manager
Security Support Provider (SSP) Added to LSA Configuration elementary 13 Microsoft-Windows-Sysmon
Exploited CVE-2020-10189 Zoho ManageEngine elementary 1 Microsoft-Windows-Sysmon
Netsh RDP Port Forwarding elementary 1 Microsoft-Windows-Sysmon
Empire Monkey Activity elementary 1 Microsoft-Windows-Sysmon
Antivirus Password Dumper Detection elementary 1116 Microsoft-Windows-Windows Defender
Sticky Key Like Backdoor Usage elementary 13 Microsoft-Windows-Sysmon
Mustang Panda Dropper elementary 1 Microsoft-Windows-Sysmon
RTLO Character elementary 15 Microsoft-Windows-Sysmon
Msdt (Follina) File Browse Process Execution elementary 1, 4104 Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon
Dumpert LSASS Process Dumper elementary 7, 11 Microsoft-Windows-Sysmon
Windows Credential Editor Registry Key elementary 13 Microsoft-Windows-Sysmon
Correlation Impacket Smbexec elementary 5145 Microsoft-Windows-Security-Auditing
AdFind Usage elementary 1 Microsoft-Windows-Sysmon
Windows Update LolBins elementary 1 Microsoft-Windows-Sysmon
DNS Tunnel Technique From MuddyWater elementary 1 Microsoft-Windows-Sysmon
Cobalt Strike Default Service Creation Usage elementary 4697, 7045 Microsoft-Windows-Security-Auditing, Service Control Manager
Microsoft Defender Antivirus History Directory Deleted elementary 1 Microsoft-Windows-Sysmon
Suspicious Netsh DLL Persistence elementary 1 Microsoft-Windows-Sysmon
Lazarus Loaders elementary 1 Microsoft-Windows-Sysmon
Enabling Restricted Admin Mode elementary 1 Kernel-Process
WMI Install Of Binary elementary 1 Microsoft-Windows-Sysmon
Phorpiex Process Masquerading elementary 1 Microsoft-Windows-Sysmon
Process Memory Dump Using Createdump elementary 1 Kernel-Process
Mimikatz Basic Commands elementary 4103 Microsoft-Windows-PowerShell
Suspicious Certificate Request-adcs Abuse elementary 4886, 4887 Microsoft-Windows-Security-Auditing
Active Directory Shadow Credentials elementary 5136 Microsoft-Windows-Security-Auditing
Blue Mockingbird Malware elementary 1 Microsoft-Windows-Sysmon
Disable Task Manager Through Registry Key elementary 1, 13 Microsoft-Windows-Sysmon
Equation Group DLL_U Load elementary 1 Microsoft-Windows-Sysmon
ICacls Granting Access To All elementary 1 Microsoft-Windows-Sysmon
Copying Browser Files With Credentials elementary 1 Microsoft-Windows-Sysmon
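
The listing above answers "which Event IDs does rule X use"; the question a detection engineer usually needs answered is the reverse: given the Event IDs my SIEM actually receives, which rules can fire at all, and which single Event ID would unlock the most rules if I enabled it. The script below is an added example, not code from the SEKOIA.IO page or product. It parses rows in the page's own "Rule Name, Effort Level, EventIDs, Event Providers" layout, so the whole table can be pasted in; the PAGE_ROWS excerpt is a constructed sample transcribed from a few rows above, and COLLECTED is a hypothetical telemetry baseline (an assumption for the example, not a statement about any real environment). Because the page does not say whether a rule listing several Event IDs needs all of them or any one of them, the script reports both full coverage (every listed ID collected) and partial coverage (at least one).

```python
"""
Detection-coverage calculator for a rules -> EventIDs -> EventProviders listing.

Added example, not part of the SEKOIA.IO page. PAGE_ROWS is a constructed
excerpt in the page's row format; COLLECTED is a hypothetical baseline
(Security log with its default audit policy, System log, Defender; no Sysmon,
no PowerShell script block logging). Both are assumptions of this example.
"""
import re
from collections import Counter

# Constructed excerpt, transcribed from the page's listing format.
PAGE_ROWS = """\
DCSync Attack intermediate 4662 Microsoft-Windows-Security-Auditing
LSASS Memory Dump File Creation intermediate 11 Microsoft-Windows-Sysmon
Inhibit System Recovery Deleting Backups intermediate 1, 4104 Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon
Suspicious Outlook Child Process intermediate 4688 Microsoft-Windows-Security-Auditing
Correlation Suspicious Authentication Coercer Behavior intermediate 4624, 5145 Microsoft-Windows-Security-Auditing
Meterpreter or Cobalt Strike Getsystem Service Installation elementary 1, 13, 17, 4697, 7045 Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager
Antivirus Password Dumper Detection elementary 1116 Microsoft-Windows-Windows Defender
Invoke-TheHash Commandlets elementary 4104 Microsoft-Windows-PowerShell
Malicious Service Installations elementary 4697, 7045 Service Control Manager
DHCP Server Loaded the CallOut DLL intermediate 1033
"""

# Hypothetical baseline of Event IDs the SIEM receives (assumption, see above).
COLLECTED = frozenset({4624, 4625, 4688, 4720, 4738, 7045, 1116})

# name (lazy, so it stops at the effort-level word), effort level,
# comma-separated numeric IDs, then optional comma-separated provider names.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<effort>master|advanced|intermediate|elementary)\s+"
    r"(?P<ids>\d+(?:\s*,\s*\d+)*)\s*(?P<providers>.*)$"
)


def parse_rows(text):
    """Turn the page's flattened rows into dicts with int ID sets and provider sets."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        ids = frozenset(int(x) for x in m["ids"].replace(" ", "").split(","))
        providers = frozenset(p.strip() for p in m["providers"].split(",") if p.strip())
        rules.append({"name": m["name"], "effort": m["effort"],
                      "ids": ids, "providers": providers})
    return rules


def classify(rule, collected):
    """full: every listed ID collected; partial: some; none: nothing collected."""
    hit = rule["ids"] & collected
    if hit == rule["ids"]:
        return "full"
    return "partial" if hit else "none"


def coverage_report(rules, collected):
    """Per-rule status plus a Counter summary of full/partial/none."""
    status = {r["name"]: classify(r, collected) for r in rules}
    return status, Counter(status.values())


def event_id_gain(rules, collected):
    """Marginal value of enabling one more Event ID.

    to_full[eid]: rules that become fully covered if only eid is added.
    to_any[eid]:  rules currently at 'none' that get at least partial coverage.
    This is the ordering to use when deciding which non-default audit
    subcategory or Sysmon event to switch on first.
    """
    to_full, to_any = Counter(), Counter()
    for r in rules:
        missing = r["ids"] - collected
        if len(missing) == 1:
            to_full[next(iter(missing))] += 1
        if missing == r["ids"]:  # no overlap at all with what is collected
            for eid in missing:
                to_any[eid] += 1
    return to_full, to_any


def providers_to_onboard(rules, collected):
    """Providers named by rules with no coverage. A provider already shipped
    (e.g. Security-Auditing) can still appear here when only a specific audit
    subcategory is missing, so read this together with event_id_gain()."""
    counts = Counter()
    for r in rules:
        if classify(r, collected) == "none":
            counts.update(r["providers"])
    return counts


if __name__ == "__main__":
    rules = parse_rows(PAGE_ROWS)
    status, summary = coverage_report(rules, COLLECTED)
    for name, st in sorted(status.items(), key=lambda kv: kv[1]):
        print(f"{st:8} {name}")
    print("summary:", dict(summary))
    to_full, to_any = event_id_gain(rules, COLLECTED)
    print("enable next (rules made fully covered):", to_full.most_common())
    print("enable next (rules lifted from none):", to_any.most_common())
    print("providers to onboard:", providers_to_onboard(rules, COLLECTED).most_common())
```

Paste the full listing into PAGE_ROWS and replace COLLECTED with the Event IDs actually observed in your log pipeline (a distinct count over a week of ingested Windows events is a reasonable proxy); a rule whose provider row is empty, as with the DHCP callout rule above, still parses and is scored on its Event ID alone.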

EventIDs occurrences in rules

EventID Number of rules concerned Percentage of rules concerned (Total rules: 480)
1 236 49.17 %
13 52 10.83 %
4104 48 10.0 %
5 35 7.29 %
11 27 5.62 %
7 15 3.12 %
5145 15 3.12 %
7045 11 2.29 %
4688 10 2.08 %
4656 8 1.67 %
4697 7 1.46 %
15 7 1.46 %
4663 6 1.25 %
17 6 1.25 %
4662 6 1.25 %
4624 6 1.25 %
5136 6 1.25 %
10 6 1.25 %
1116 5 1.04 %
3 4 0.83 %
4625 4 0.83 %
22 3 0.62 %
4720 3 0.62 %
4103 3 0.62 %
8 3 0.62 %
5007 2 0.42 %
4657 2 0.42 %
4738 2 0.42 %
4728 2 0.42 %
4768 2 0.42 %
4799 2 0.42 %
4729 2 0.42 %
12 2 0.42 %
6 2 0.42 %
20 2 0.42 %
1033 2 0.42 %
25 2 0.42 %
4674 1 0.21 %
4704 1 0.21 %
4776 1 0.21 %
1011 1 0.21 %
1127 1 0.21 %
5001 1 0.21 %
5101 1 0.21 %
5010 1 0.21 %
5012 1 0.21 %
2013 1 0.21 %
4743 1 0.21 %
16 1 0.21 %
4706 1 0.21 %
4707 1 0.21 %
517 1 0.21 %
1102 1 0.21 %
8001 1 0.21 %
4754 1 0.21 %
4756 1 0.21 %
4757 1 0.21 %
4758 1 0.21 %
4727 1 0.21 %
4730 1 0.21 %
4764 1 0.21 %
524 1 0.21 %
4781 1 0.21 %
5154 1 0.21 %
19 1 0.21 %
21 1 0.21 %
325 1 0.21 %
4703 1 0.21 %
4661 1 0.21 %
1000 1 0.21 %
1032 1 0.21 %
1034 1 0.21 %
1031 1 0.21 %
4726 1 0.21 %
4649 1 0.21 %
4825 1 0.21 %
4741 1 0.21 %
6416 1 0.21 %
4742 1 0.21 %
1125 1 0.21 %
1126 1 0.21 %
1006 1 0.21 %
1007 1 0.21 %
1008 1 0.21 %
1015 1 0.21 %
1117 1 0.21 %
1118 1 0.21 %
1119 1 0.21 %
5140 1 0.21 %
1013 1 0.21 %
4658 1 0.21 %
4732 1 0.21 %
4698 1 0.21 %
4611 1 0.21 %
23 1 0.21 %
4886 1 0.21 %
4887 1 0.21 %
4794 1 0.21 %
770 1 0.21 %
771 1 0.21 %
150 1 0.21 %
5156 1 0.21 %
4673 1 0.21 %

EventProviders occurrences in rules

EventProvider Number of rules concerned Percentage of rules concerned (Total rules: 480)
Microsoft-Windows-Sysmon 288 60.0 %
Microsoft-Windows-Security-Auditing 87 18.12 %
Kernel-Process 65 13.54 %
Microsoft-Windows-PowerShell 52 10.83 %
Service Control Manager 11 2.29 %
Microsoft-Windows-Kernel-File 10 2.08 %
Microsoft-Windows-Windows Defender 9 1.88 %
Microsoft-Windows-DNS-Client 2 0.42 %
Microsoft-Windows-Kernel-Network 2 0.42 %
Microsoft-Windows-Kernel-Process 2 0.42 %
Microsoft-REDACTED-Security-Auditing 1 0.21 %
Microsoft-Windows-Kernel-General 1 0.21 %
Microsoft-Windows-Audit-CVE 1 0.21 %
Microsoft-Windows-Eventlog 1 0.21 %
Microsoft-Windows-NTLM 1 0.21 %
Microsoft-Windows-Backup 1 0.21 %
ESENT 1 0.21 %
Application Error 1 0.21 %
Microsoft-Windows-DHCP-Server 1 0.21 %
Microsoft-Windows-DNS-Server-Service 1 0.21 %

EffortLevel x EventIDs

Effort Level EventIDs Number of related rules Percentage of related rules (Total rules: 480)
master 1, 3, 5, 7, 10, 11, 12, 13, 17, 22, 25, 150, 770, 771, 1013, 1116, 4104, 4611, 4624, 4625, 4649, 4656, 4657, 4661, 4662, 4663, 4673, 4674, 4688, 4698, 4720, 4726, 4727, 4728, 4729, 4730, 4732, 4743, 4754, 4756, 4757, 4758, 4764, 4768, 5007, 5140, 5145, 8001 125 26.04 %
advanced 1, 3, 5, 6, 7, 8, 10, 11, 13, 15, 17, 19, 20, 21, 22, 23, 1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119, 1125, 1126, 1127, 2013, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5001, 5010, 5012, 5101, 5145, 5154, 5156, 6416, 7045 115 23.96 %
intermediate 1, 3, 5, 7, 8, 10, 11, 12, 13, 15, 16, 17, 20, 517, 524, 1000, 1031, 1032, 1033, 1034, 1102, 4103, 4104, 4624, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 4703, 4720, 4738, 4741, 4742, 4768, 4781, 4794, 4799, 4825, 5136, 5145, 7045 154 32.08 %
elementary 1, 5, 6, 7, 10, 11, 13, 15, 17, 325, 1011, 1116, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 4738, 4886, 4887, 5136, 5145, 7045 86 17.92 %