Achieve PNCiber compliance with ManageEngine

PNCiber is Brazil's official National Cybersecurity Policy, established in December 2023 by Decree No. 11,856. It provides a framework for cybersecurity governance across the government, private sector, and society that aims to protect critical infrastructure and personal data and to uphold national digital sovereignty.

Compliance

How can ManageEngine support PNCiber compliance?

With ManageEngine Log360, organizations can begin aligning with PNCiber principles through centralized identity governance, multi-factor authentication, continuous monitoring of access to personal data, real-time threat detection, and comprehensive audit trails to support regulatory and audit requirements.

Art. 2.II The guarantee of fundamental rights, in particular freedom of expression, personal data protection, privacy protection, and access to information.

Compliance actions:

Ensure people can speak freely, keep their personal data and privacy safe, and still get the information they need. In practice, cybersecurity measures cannot be used as an excuse to spy on people or block access to information without good legal reason.

Reports:
  1. File Monitoring Overview
  2. File Monitoring Trend
  3. Folder Permission Changes
  4. System File Changes
  5. Top FileType Changes
  6. All File or Folder Changes (Removable Storage/USB)
  7. Host Based Removable Disk Changes
  8. Installation Forbidden By GPO
  9. Network Share Object Permission Added
  10. Network Share Overview
  11. Network Share Permission Deleted
  12. Top network share modifications by remote host
  13. User wise top failed network shares
  14. User wise top successful Network Shares
  15. AD Object WriteDAC Access
  16. File or Folder Permissions Modifications
  17. Sensitive Label Events
  18. All S3 Requests
  19. Created or Modified Files
  20. Symantec DLP Reports Overview
  21. Mailbox Folder Permission Changes
  22. Mailbox Permission Changes
  23. SendAs Permission Changes

Threat rules:
  1. File Deleted Via Sysinternals SDelete
  2. EventLog EVTX File Deleted
  3. Greedy File Deletion Using Del
  4. Windows Backup Deleted Via Wbadmin.EXE
  5. Potential EventLog File Location Tampering

SIEM Controls:
  1. USB and network share monitoring
  2. File integrity monitoring
  3. Access auditing

Art. 2.III The prevention of incidents and cyberattacks, especially those targeting national critical infrastructures and essential services provided to society.

Compliance actions:

Focus on protecting critical infrastructure, such as defense systems and government intelligence, and the essential services people rely on every day (electricity, hospitals, banking, transport, and communication systems) from cyberattacks.

Reports:
  1. All Breach Data
  2. Botnet Leak Data
  3. Dark Web Breach Data
  4. Supply Chain Breach
  5. Disabled IE Security Features
  6. Disabling Windows Event Auditing
  7. Ke3chang Registry Key Modifications
  8. Suspicious Driver Loaded By User
  9. Weak Encryption Enabled and Kerberoast
  10. Windows Defender Exclusion Set
  11. Windows Defender Threat Detection Disabled
  12. Commercial Application detected Reports
  13. HIPS Activity Reports
  14. Policy Changes
  15. Port Scan Reports
  16. Security Risk Found Reports
  17. Virus Report
  18. Top Signature
  19. Top Traffic based on Severity
  20. Allowed Exploits
  21. Allowed Threats
  22. Blocked Exploits
  23. Detected Exploits
  24. Threats Detection by Sophos Anti-Virus
  25. Threats Detections by ESET Endpoint Antivirus
  26. Threats Detections by Kaspersky
  27. Downgrade Attacks
  28. IP Conflicts
  29. Replay Attack
  30. Terminal Server Attacks
  31. Terminal Server Exceeds Maximum Logon Attempts
  32. Bad HostConfig Errors
  33. Bad ISP Errors
  34. DoS Attack
  35. Invalid connection Remote Host
  36. Reverse Lookup Errors

Threat rules:
  1. Notable Account Lockouts
  2. Excessive password change failure
  3. Login to Disabled Account
  4. Suspicious Successful Password Change Activity
  5. Kerbrute detection
  6. HackTool - Mimikatz Kirbi File Creation

SIEM Controls:
  1. Real-time brute-force detection (failed logon reports and Kerbrute rules)
  2. Kerberos attack monitoring (TGT ticket requests)
  3. Over 400 threat rules for threat detection

Art. 2.IV The resilience of public and private organizations to incidents and cyberattacks.

Compliance actions:

Ensure both public and private organizations are aware and prepared to face cyber incidents by taking proactive actions. These can range from installing basic firewalls to advanced SIEM and IAM solutions for continuous monitoring and detection.

Reports:
  1. AD Backup Error
  2. Active Directory database corruptions
  3. Chassis Module Status
  4. Code Integrity Check
  5. Fan Off
  6. Fan Failed
  7. Firewall Service Stopped
  8. GPO Queries - Failed
  9. HA Status
  10. Hardisk failures
  11. Interface Down Suspended by Speed
  12. Interface Status
  13. Licence Expired
  14. Logs Deleted
  15. Process Restart
  16. Process Restart Failed
  17. Processes Killed by Host
  18. Sensor Status
  19. System Shutdown due to Temperature
  20. System Start
  21. Voltage Out of Tolerance
  22. Yum installs
  23. Audit Events Dropped
  24. Security Logs Cleared
  25. SceCli Group Policy
  26. User Account Changes
  27. HTTP Status Success
  28. HTTP Unauthorized
  29. Site Access Denied
  30. Status Code Summary
  31. Success Reports
  32. UNC Authorization Failed
  33. Web Server Busy
  34. Write Access Forbidden
  35. Risk Level
  36. BOOTP Lease Report
  37. Server found in domain
  38. Top Clients
  39. Top Gateway
  40. Top IP Address
  41. Top MAC Address
  42. Top Operation
  43. Unreachable domain
  44. Warning Reports

Threat rules:
  1. Security Eventlog Cleared
  2. Suspicious Eventlog Clearing or Configuration Change Activity
  3. Potential EventLog File Location Tampering
  4. EventLog EVTX File Deleted

SIEM Controls:
  1. Log protection
  2. Backup monitoring
  3. Evidence preservation
  4. Over 400 threat rules for threat detection

Art. 3.II To ensure the confidentiality, integrity, authenticity, and availability of solutions and data used for the electronic or digital processing, storage, and transmission of information.

Compliance actions:

Ensure that only the right people can see and change important data, that the data is genuine and hasn’t been tampered with, and that it’s always available when needed. In simple terms, it’s about keeping your systems and information safe, accurate, and reliably accessible at all times.

Reports:
  1. Successful user disconnections from the resource based on administrators
  2. Failed VPN Logons
  3. Top Failed VPN Logons based on Group
  4. VPN Unlocks
  5. Account Management Event
  6. Failed user additions
  7. Added Members to Groups
  8. User Accounts Created With no password expiry
  9. Alter System
  10. Altered profiles
  11. System Revoke
  12. Blocked Processes Report
  13. Column Modified Reports
  14. Connected Applications Report
  15. Index Information Report
  16. Last Backup of Database
  17. Last DBCC Activity
  18. Most Used Tables
  19. Object Change History
  20. Security Changes Report
  21. Server Information Report
  22. Table Update Report
  23. Waits Information Report
  24. Client wise top successful DC credential validations
  25. DC Credential Validation Failure due to Bad Password
  26. Kerberos authentication ticket (TGT) - Requested
  27. UnSuccessful Post Authentication
  28. User wise top failure DC credential validations
  29. RADIUS Logon History (NPS)
  30. Remote Desktop Gateway
  31. SSH logons
  32. SU Logons
  33. User Logons
  34. Web Logons
  35. Firewall Flood Attack
  36. Firewall SYN Attack
  37. Windows Firewall Rule Added
  38. Windows Firewall Rule Deleted
  39. Windows Firewall Rule Modified
  40. Windows Firewall Settings Changed
  41. Windows Firewall Settings Restored

Threat rules:
  1. Suspicious Modification Of Scheduled Tasks
  2. Potential Tampering With Security Products Via WMIC
  3. System Disk And Volume Reconnaissance Via Wmic.EXE
  4. Potential DLL Sideloading Via comctl32.dll

SIEM Controls:
  1. File integrity monitoring (for files created, modified, or deleted)
  2. Real-time AD auditing (of user, group, GPO, and computer changes)
  3. Registry change tracking
  4. Database activity anomaly detection
  5. Windows backup monitoring
  6. Defence evasion monitoring
  7. Ransomware detection and containment
  8. Configuration change tracking

Art. 3.IV To contribute to the fight against cybercrime and other malicious activities in cyberspace.

Compliance actions:

Helping police, governments, and companies spot, stop, and investigate cyber crimes such as hacking, fraud, and data theft. It also means sharing information and tools so everyone can work together to make the online world safer and more difficult for criminals to operate in.

Reports:
  1. Hacktool Ruler
  2. NTLM Logon
  3. Pass the Hash Activity
  4. Pass the Hash Activity 2
  5. Successful Overpass the Hash Attempt
  6. Reconnaissance Activity
  7. Judgement Panda Credential Access Activity
  8. Local User Creation
  9. Net.exe User Account Creation
  10. Suspicious Windows ANONYMOUS LOGON Local Account Created
  11. Account Tampering - Suspicious Failed Logon Reasons
  12. Admin User Remote Logon
  13. Enabled User Right in AD to Control User Objects
  14. Failed Logon From Public IP
  15. Active Directory User Backdoors
  16. Judgement Panda Exfil Activity
  17. Addition of SID History to Active Directory Object
  18. AD Privileged Users or Groups Reconnaissance
  19. AD User Enumeration
  20. Bloodhound and Sharphound Hack Tool
  21. Hacktool Ruler
  22. Malicious Service Installations
  23. Mimikatz Command Line
  24. Mimikatz DC Sync
  25. Mimikatz Use
  26. NotPetya Ransomware Activity
  27. WCE wceaux.dll Access
  28. Hurricane Panda Activity
  29. Local Privilege Escalation via WER service
  30. Possible LocalPotato Execution

Controls to Implement:
  1. MITRE technique and TTP detection
  2. Credential dumping and privilege-escalation detection
  3. Anomalous behavior and reconnaissance detection

Art. 3.V To encourage the adoption of cyber protection and risk management measures to prevent, avoid, mitigate, reduce, and neutralize vulnerabilities, incidents, and cyberattacks and their impacts.

Compliance actions:

Helping organizations actually put in place security tools and routines so they can find and fix weaknesses before attackers use them. It also means reducing the damage when attacks do happen, so incidents are contained quickly and have as little impact as possible.

Reports:
  1. Open Ports
  2. Top Vulnerable OS
  3. Top Vulnerable Service
  4. Critical Threat Reports
  5. Exploited Vulnerability
  6. High Threat Reports
  7. OpenVas Reports Overview
  8. NMAP Reports Overview
  9. NMAP-Filtered Ports
  10. Top CVS Score by Count
  11. Top Open Ports
  12. Vulnerability Reports Overview
  13. Admin Discovery Report
  14. Credential Failures Report
  15. Elevated Privilege Failures Report
  16. GHOST in Linux
  17. Shellshock Report
  18. Confirmed vulnerabilities
  19. Information gathered vulnerabilities
  20. Open TCP Ports
  21. Open UDP Ports
  22. Operating System Detected
  23. Potential vulnerabilities
  24. Qualys Reports Overview
  25. Services vulnerabilities
  26. Severe Vulnerabilities

Threat rules:
  1. MBR Tampering Via Bcdedit.EXE
  2. DNS Exfiltration and Tunneling Tools Execution
  3. Windows Defender Exclusions Added - Registry
  4. Disable Microsoft Defender Firewall via Registry
  5. Firewall Disabled via Netsh.EXE

SIEM Controls:
  1. Vulnerability scanning
  2. Ransomware detection
  3. Defence evasion
  4. Policy-change monitoring

Art. 3.VI To enhance the resilience of public and private organizations to incidents and cyberattacks.

Compliance actions:

Ensure both public and private organizations are aware and prepared to face cyber incidents by taking proactive actions. These can range from installing basic firewalls to advanced SIEM and IAM solutions for continuous monitoring and detection.

Reports:
  1. Database Backup Failed
  2. Database Restore
  3. Modification of Boot Configuration
  4. Shadow Copies Deletion Using Operating Systems Utilities
  5. Failed Windows backup
  6. Failed Windows restores
  7. Successful Windows restores
  8. Successful windows backup
  9. System Restored
  10. Audit Sessions Changed
  11. Audit Shutdown on Failure
  12. Database Audit Specifications Altered
  13. Database Audit Specifications Created
  14. Database Audit Specifications Dropped
  15. Server Audit Specifications Altered
  16. Registry Created
  17. Registry Deleted
  18. Registry Permission Changes
  19. Registry Value Modified
  20. Top Users on Registry
  21. Audit Policy (SACL) on Object Changes
  22. Authentication Policy Change (Grant)
  23. Authentication Policy Change (Revoke)
  24. Domain Policy Changes
  25. Per User Audit Policy Changes
  26. Policy Added
  27. Policy Deleted
  28. GPO Created
  29. GPO Deleted
  30. GPO Modified
  31. External Disk Drive or USB Storage Device

Threat rules:
  1. Active Directory Computers Enumeration With Get-AdComputer
  2. Local Accounts Discovery
  3. LSASS Process Memory Dump Files
  4. Excessive Inbound or Outbound Connections from same Source
  5. Brute Force Login Violation
  6. Botnet Detection

SIEM Controls:
  1. Reconnaissance detection
  2. Incident management
  3. Lateral movement detection

Art. 3.X To develop regulatory, oversight, and control mechanisms aimed at improving national cybersecurity and resilience.

Compliance actions:

Create rules, monitoring systems, and checks that help make Brazil's digital infrastructure stronger and more secure against cyber threats. In simple terms, it focuses on building oversight tools and controls to continuously improve how the country detects, responds to, and recovers from cyberattacks.

Reports:
  1. Removed Applications
  2. Updated Applications
  3. Cisco IOS Compliance Checks
  4. Citrix XenServer Compliance Checks
  5. Database Compliance Checks
  6. Huawei Compliance Checks
  7. IBM iSeries Compliance Checks
  8. PCI DSS Compliance: Database Reachable from the Internet
  9. PCI DSS Compliance: Handling False Positives
  10. PCI DSS Compliance: Insecure Communication Has Been Detected
  11. PCI DSS Compliance: Remote Access Software Has Been Detected
  12. PCI DSS Compliance: Passed
  13. PCI DSS Compliance: Tests Requirements
  14. PCI DSS compliance
  15. SonicWALL SonicOS Compliance Checks
  16. Unix Compliance Checks
  17. Unix File Contents Compliance Checks
  18. VMware vCenter/vSphere Compliance Checks
  19. Windows Compliance Checks
  20. Windows File Contents Compliance Checks

SIEM Controls:
  1. Compliance oversight and control dashboards

Art. 6.III CNCiber Responsibility: Formulating proposals to improve the prevention, detection, analysis, and response to cyber incidents.

Compliance actions:

CNCiber's responsibility is to suggest practical improvements for better preventing cyberattacks, spotting them early, investigating what happened, and responding effectively to minimize damage. In simple terms, it recommends ways to make organizations stronger at stopping threats before they strike and handling incidents quickly when they do occur.

Reports:
  1. Logon Scripts (UserInitMprLogonScript)
  2. Failed Logons
  3. Failed Logons Trend
  4. Top Failure Logons based on Remote Devices
  5. Top failure logons based on users
  6. Failed VPN Logons
  7. Top Failed VPN Logons based on Remote Device
  8. Top Failed VPN Logons based on Source
  9. Top Failed VPN Logons based on User
  10. VPN Failed Logon Trend Reports
  11. Computer Account Created
  12. Computer Account Deleted
  13. Computer Account Modified
  14. All User Management Activities
  15. MFA Reset Activity
  16. Other User Activities
  17. Password Policy Modifications
  18. Recent Password Change Activities
  19. Recent Password Changes Through Self Service
  20. Recent Password Reset Activities
  21. Role Changes
  22. Successful Logons
  23. User Account Modifications
  24. Direct Autorun Keys Modification
  25. Kerberos Manipulation
  26. NetNTLM Downgrade Attack

Threat rules:
  1. Firewall IPS Signature Detected
  2. Sign-in Brute Force against M365 Accounts
  3. Generic Attacks Detection
  4. External Threat
  5. Malicious URL Detection
  6. Virus detected
  7. Suspicious Eventlog Clearing or Configuration Change Activity

SIEM Controls:
  1. Incident management and SOAR automation
  2. Forensic analysis and before/after comparisons
  3. Cloud threat detection

Disclaimer: The information provided on this page is for general knowledge and awareness purposes only. It is not intended to serve as professional, legal, or regulatory advice. Compliance with PNCiber depends on your organization’s specific environment, processes, and risk profile.

To accurately assess your compliance posture, we strongly recommend engaging a qualified consultant, compliance agency, or referring directly to the official PNCiber documentation and guidelines.