Windows Server

In this tutorial, we'll walk you through essential techniques to enhance the performance, security, and reliability of your Windows Server environment.

Before we delve into the specifics of file server monitoring, it's crucial to establish a strong foundation within your Windows Server setup. This includes configuring logging settings and integrating them with your monitoring system, so that log collection and monitoring work as one streamlined process.

Throughout this guide, we'll focus on practical strategies designed to monitor your Windows Server effectively. By implementing these techniques, you'll be better equipped to identify potential security risks, track file access activities, and maintain the integrity of your data stored on Windows Server.

Auditing Windows Server using EventLog Analyzer

EventLog Analyzer covers the Windows Server auditing use cases below with its predefined security auditing reports. These reports can be scheduled to be generated at specific times and distributed over email.

Windows and Windows workstation
Each use case below lists its description, why you should implement it, and the reports available for it.

Use case: Identify long-term trends
Description: The log trend report aggregates the events generated by the Windows Server to provide an overview of the log flow and events over time. EventLog Analyzer provides weekly and hourly trend reports by default.
Why implement?
  • Log trends provide insights into the behavior and performance of your Windows systems over time.
  • By visualizing trends in Windows log data, you can identify patterns, anomalies, and potential issues that may impact your operations. Trend data also aids predictive maintenance, identifying performance bottlenecks, and capacity planning.
Available reports:
  • Weekly Log Trend Report
  • Hourly Log Trend Report
  • You can also set up real-time alerts for when the log trend crosses a certain threshold using the solution's real-time alert console.

Use case: Resolve boot-related errors
Description: Windows Startup Events are log entries recorded during the system boot process, capturing crucial information about system and application initialization to diagnose startup issues and optimize performance.
Why implement? Unexpected shutdowns and restarts on critical Windows Servers can cause downtime and data loss. EventLog Analyzer monitors boot events, detects issues like BSOD and kernel power failures, and sends real-time alerts for prompt action.
Available reports:
  • Windows Startup
  • Windows ShutDown
  • Windows Restarts
  • Unexpected Shutdown
  • System Uptime
  • Windows Startup and Windows ShutDown

Use case: Monitor registry changes
Description: Windows registry changes involve modifying the hierarchical database that stores configuration settings and options for the Windows operating system and installed applications.
Why implement? Optimize system performance, customize user experiences, and troubleshoot or fix system issues by adjusting specific settings not available through the standard user interface.
Available reports:
  • Registry Accessed
  • Failed Registry Access
  • Registry Created
  • Failed Registry Creations
  • Registry Value Modified
  • Failed Registry Modifications
  • Registry Deleted
  • Failed Registry Deletions
  • Registry Permission Changes
  • Top Users on Registry

Use case: Audit service configurations and access
Description: A service audit is a monitoring mechanism that tracks service activities, configurations, and access on Windows systems.
Why implement? Service audits enhance security by tracking service activities and supporting compliance. Monitoring critical services is vital, as sudden stoppages can disrupt business and cause downtime.
Available reports:
  • New Service Installed
  • Service Paused
  • Service Started
  • Service Stopped
  • Service Failed

Use case: Data recovery readiness
Description: Windows Backup and Restore is a built-in feature in Windows OS for creating backups of files and system images, ensuring data integrity and recovery in case of hardware failure or data loss.
Why implement? Implementing it safeguards against data loss from deletions, crashes, or malware, enabling quick restoration. A successful system restore validates backup effectiveness and recovery readiness.
Available reports:
  • Failed Windows backup
  • Successful Windows backup
  • Failed Windows restores
  • Successful Windows restores
  • System Restored

Use case: Maintain software compliance
Description: A systematic record of all software installed on Windows systems, detailing versions, licenses, and dependencies.
Why implement? Ensures compliance with licensing agreements, facilitates security patch management, and optimizes resource allocation.
Available reports:
  • Software Installed
  • Software Updated
  • Failed software installations
  • Failed software installations due to privilege mismatches
  • Software Uninstalled
  • Windows Updates - Installed
  • Windows update process failed
  • Failed hotpatching
  • Update Packages Installed
  • Non-valid Windows license
  • Failed Windows license activations
  • Non-activated Windows products
  • New Kernel Filter Driver

Use case: Application execution
Description: Application allowlisting restricts executable files to an approved list, enhancing security by preventing unauthorized software execution.
Why implement? Implementing it reduces malware risks and enforces control over software installation and execution.
Available reports:
  • Exe/Dll File Allowed to Run
  • Exe/Dll Files Not Allowed to Run due to Enforced rules
  • Exe/Dll File Not Allowed to Run
  • MSI/Script File Allowed to Run
  • MSI/Script Files Not Allowed to Run due to Enforced rules
  • MSI/Script File Not Allowed to Run
  • Software Restricted to Access Program

Use case: Malware alerts in real time
Description: Threat detection from antivirus involves real-time monitoring and analysis of system activities to identify and mitigate malware, suspicious behaviors, and vulnerabilities.
Why implement? Implementing it enhances cybersecurity by proactively detecting and neutralizing threats, safeguarding data integrity, and maintaining system performance.
Available reports:
  • Threats Detections by ESET Endpoint Antivirus
  • Threats Detections by Kaspersky
  • Threats Detection by Microsoft Antimalware
  • Threats Detection by Sophos Anti-virus
  • Threats Detection by Norton Anti-virus
  • Infected files detected by Symantec Endpoint Protection
  • Threat Detections by McAfee
  • Defender Malware Detection
  • Defender Real Time Protection Detection

Use case: Analyze application instability
Description: Windows Application Crashes refer to unexpected terminations of software due to issues like memory leaks or coding errors, disrupting user experience and system stability.
Why implement? Implementing crash monitoring helps diagnose root causes swiftly, enhancing software reliability and minimizing user frustration and downtime.
Available reports:
  • Application Errors
  • Application Hanged
  • Error Reporting
  • Blue Screen Error (BSOD)
  • System Errors
  • EMET Logs
  • File Protection

Security use cases

Each security use case below lists the event type it is built on, the MITRE ATT&CK technique and tactic it maps to, and the correlation rules that cover it.

Use case: Removable media detected
Event type: Removable media detected
MITRE TTPs:
  • ID: T1025
  • Tactic: Collection
Rules:
  • USB Plugged In

Use case: Windows abnormal shutdown
Event type: Unexpected shutdown
MITRE TTPs:
  • ID: T1529
  • Tactic: Impact
Rules:
  • Unexpected Shutdown

Use case: Windows Service Stop-Restart
Event type: Service control event
MITRE TTPs:
  • ID: T1489
  • Tactic: Impact
Rules:
  • Service Stopped
  • Service Started

Use case: Windows Security Log is full
Event type: System alert
MITRE TTPs:
  • ID: T1070.001
  • Tactic: Defense Evasion
Rules:
  • Security Log Full

Use case: Interactive use of service account
Event type: Windows activity
MITRE TTPs:
  • ID: T1078
  • Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access
Rules:
  • Interactive session
  • Remote Interactive session

Use case: Brute force attempt from the same source
Event type: Brute force attack
MITRE TTPs:
  • ID: T1110
  • Tactic: Credential Access
Rules:
  • Brute force

Use case: Detection of system time changes (Boot time)
Event type: Windows time change
MITRE TTPs:
  • ID: T1124
  • Tactic: Discovery
Rules:
  • Windows time change

Use case: Audit Log cleared
Event type: Audit log cleared
MITRE TTPs:
  • ID: T1070.001
  • Tactic: Defense Evasion
Rules:
  • Event logs cleared
  • Audit events dropped

Use case: Windows Hardware Failure
Event type: Disk error
MITRE TTPs:
  • ID: T1562.001
  • Tactic: Defense Evasion
Rules:
  • Hard disk failures

Use case: Administrative Accounts - Multiple Login failure
Event type: Multiple login failure detected
MITRE TTPs:
  • ID: T1110
  • Tactic: Credential Access
Rules:
  • Excessive logon failures

Use case: Multiple Windows Accounts are Locked out
Event type: Account lockout
MITRE TTPs:
  • ID: T1531
  • Tactic: Impact
Rules:
  • User account locked out error

Use case: Unauthorized data exfiltration through removable media
Event type: Removable media activity
MITRE TTPs:
  • ID: T1074.001
  • Tactic: Exfiltration
Rules:
  • USB Plugged In
  • USB Plugged Out
  • Removable Disk Reads
  • Removable Disk Failed Reads
  • Removable Disk Creates
  • Removable Disk Failed Creates
  • Removable Disk Modifications

Use case: Detect potential security breaches
Event type: Network security logs
MITRE TTPs:
  • ID: T1499
  • Tactic: Impact
Rules:
  • DoS Attack Subsided
  • DoS Attack Entered Defensive mode
  • DoS Attacks
  • Downgrade Attacks
  • Replay Attack
  • Terminal Server Attacks
  • Terminal Server Exceeds Maximum Logon Attempts
  • IP Conflicts
  • User Account Locked Out Error

Compliance use case

Each report group below is followed by the reports it contains and the regulation requirements those reports help satisfy.

Reports: Windows Logon Reports
  • Windows Successful User Logons
  • Network Logon
  • Windows Successful User Logoffs
  • Network Logoff
  • Windows UnSuccessful User Logons
  • Failed Network Logons
Regulation requirements:
  • FISMA: Access Control (AC)
  • PCI-DSS: requirements 10.1; 10.2.1; 10.2.2
  • SOX: SEC 302 (a) (4) (C)
  • HIPAA: 64.308 (a) (5) (ii) (C); 164.308 (a) (6) (ii)
  • GLBA: Section 501B (2) & (3)
  • ISO 27001:2013: Control A 12.4.3
  • GPG: Recording Relating to Network Connections (PMC Rule 6)
  • ISLP: ARTICLE 16.3; ARTICLE 30.6
  • GDPR: ARTICLE 5 (1B); ARTICLE 5 (1F)
  • NRC: ACT B.1.3; ACT B.1.7; ACT B.1.11; ACT B.1.15; ACT B.3.11; ACT C.4.3; ACT C.11.4
  • NERC: CIP 007-6 R4.1; CIP 007-6 R4.2; CIP 007-6 R5.7
  • PDPA: RULE VI Section 25; RULE VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • POPIA: Chapter 2 - Section 4; Chapter 3 - Section 19 (1) (a); Chapter 3 - Section 19 (2) (a)
  • QCF: 5.2.2 Network Access Control Management Service
  • TISAX: 5.2.4
  • ECC: 2-8 Cryptography; 2-12 Cybersecurity Event Logs and Monitoring Management
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data

Reports: Windows Services
  • Service Started
  • Service Stopped
  • Service Failed
Regulation requirements:
  • FISMA: Certification, Accreditation, and Security Assessments (CA)
  • NRC: ACT B.3.11
  • Cyber Essentials: Patch Management
  • COCO: 1.A. Vulnerability management; 1.B. Secure Configuration
  • NERC: CIP 007-6 R3.1; CIP 009-6 R1.4; CIP 010-2 R1.1

Reports: Windows Backup and Restore
  • Successful Windows Backup
  • Failed Windows Backup
  • Successful Windows Restore
  • Failed Windows Restores
Regulation requirements:
  • FISMA: Contingency Planning (CP)
  • GPG: Recording on Data Backup Status (PMC Rule 8)
  • ISLP: ARTICLE 12; ARTICLE 13; ARTICLE 19.3; ARTICLE 20.5; ARTICLE 30.4; ARTICLE 30.6
  • NERC: CIP 009-6 R1.4
  • TISAX: 5.2.4

Reports: Windows User Access
  • Windows Individual User Action
Regulation requirements:
  • FISMA: Identification and Authentication (IA)
  • PCI-DSS: requirements 10.1; 10.2.2
  • SOX: SEC 302 (a) (5) (B)
  • ISO 27001:2013: Control A 9.2.1; Control A 9.4.2; Control A 12.4.1; Control A 12.4.3
  • ISLP: ARTICLE 16.3; ARTICLE 18.1; ARTICLE 19.3; ARTICLE 30.6
  • GDPR: ARTICLE 5 (1B); ARTICLE 5 (1F)
  • NRC: ACT B.1.5; ACT B.1.6; ACT B.1.22; ACT B.2.6; ACT C.2.2
  • Cyber Essentials: Secure Configuration; User Access Control
  • NERC: CIP 007-6 R5.3; CIP 009-6 R1.3
  • PDPA: RULE VI Section 25; RULE VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • QCF: 5.2.2 Network Access Control Management Service; 5.8.6.2 Network domain security IP core
  • TISAX: 4.1.2; 4.1.3; 4.2.1; 5.2.4; 5.2.7
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.1.3 Cyber Security Risk Response
  • UAE-NESA: T3.2.1
  • SOC 2: 5.2.02; 6.1.07

Reports: Windows Software Updates
Regulation requirements:
  • FISMA: Configuration Management (CM)
  • NRC: ACT C.11.4
  • Cyber Essentials: Malware Protection
  • NERC: CIP 007-6 R3.1; CIP 010-2 R1.1

Reports: Windows Registry Changes
  • Registry Accessed
  • Registry Created
  • Registry Deleted
  • Registry Value Modified
Regulation requirements:
  • PCI-DSS: requirements 10.1; 10.2.3
  • GPG: Recording on Internal Workstation, Server or Device Status (PMC Rule 4)

Reports: Windows Firewall Auditing
  • Windows FireWall Rule Added
  • Windows FireWall Rule Modified
  • Windows FireWall Rule Deleted
  • Windows Firewall Settings Restored
  • Windows Firewall Settings Changed
  • Windows Firewall Group Policy Changes
Regulation requirements:
  • PCI-DSS: requirements 10.2.3
  • Cyber Essentials: Secure Configuration
  • COCO: 1.C. Physical Security
  • NERC: CIP 007-6 R1.1; CIP 009-6 R1.3
  • QCF: 5.7.3 Management module
  • TISAX: 4.2.1; 5.2.7
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.3.14 Cyber Security Event Management
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data
  • UAE-NESA: T3.2.1

Reports: Windows System Events
  • Audit Logs Cleared
  • System Startup
  • System Shutdown
  • Software Installed
  • Software Updated
  • Software Uninstalled
  • Failed software installations
  • Failed software installations due to privilege mismatches
  • New Service Installed
  • Error in EventLog Service
  • AD Backup Error
  • Event log automatic backup
  • Failed hotpatching
Regulation requirements:
  • PCI-DSS: requirements 10.2.6
  • SOX: SEC 302 (a) (4) (A)
  • HIPAA: 164.308 (a) (7) (i)
  • GLBA: Section 501B (1)
  • ISO 27001:2013: Control A 12.4.2
  • NRC: ACT B.1.17; ACT C.3.4
  • Cyber Essentials: Patch Management
  • COCO: 1.A. Vulnerability management; 1.B. Secure Configuration
  • NERC: CIP 007-6 R3.1; CIP 009-6 R1.4; CIP 010-2 R1.1
  • CMMC: C007 - AU.3.045, AU.3.046; C008 - AU.2.042, AU.3.048; C010 - AU.2.044, AU.3.052
  • POPIA: Chapter 3 - Section 22 (5) (a)
  • QCF: 5.2.1 Network Configuration Management Service; 5.2.3 Network Monitoring Management Service
  • TISAX: 5.2.4
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.5 Cyber Security Audits
  • ECC: 2-12 Cybersecurity Event Logs and Monitoring Management
  • UAE-NESA: T3.4.1; T7.5.2
  • SOC 2: 5.2.02; 6.1.07; 6.8.04; 6.8.05; 7.1.01; 7.2.01; 7.2.02; 7.3.02; 7.4.05; 8.1.01; A1.2.08; PI1.3.03; PI1.5.01

Reports: Windows Threat Detection
  • DoS Attacks
  • Event Logging Service Shutdown
  • Downgrade Attacks
  • Replay Attack
  • Defender Malware Detection
  • Defender Real Time Protection Detection
  • Terminal Server Attacks
  • IP Conflicts
  • User Account Locked Out Error
  • Security Logs Cleared
  • Event Logs Cleared
Regulation requirements:
  • GPG: Reporting on The Status of The Audit System (PMC Rule 10)
  • Cyber Essentials: Malware Protection
  • COCO: 3. Boundary Protection and Interfaces
  • POPIA: Chapter 3 - Section 19 (2) (a); Chapter 3 - Section 22 (5) (a)
  • QCF: 5.2.3 Network Monitoring Management Service; 5.8.6.2 Network domain security IP core
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.5 Cyber Security Audits; 3.3.14 Cyber Security Event Management
  • UAE-NESA: T3.4.1
  • SOC 2: 7.3.02; 7.4.05; A1.2.08; PI1.3.03

Reports: Windows Wireless Network Reports
  • Wireless Network Authentication
  • Wireless Network Connected
  • Wireless Network Disconnected
Regulation requirements:
  • NRC: ACT B.1.17
  • PDPA: RULE VI Section 25; RULE VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • QCF: 5.8.5.5 Wireless network security; 5.8.6.2 Network domain security IP core
  • TISAX: 5.2.7
  • SAMA: 3.2.1.3 Cyber Security Risk Response
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data

Reports: Windows Removable Disk Auditing
  • USB Plugged In
  • USB Plugged Out
  • Removable Disk Reads
  • Removable Disk Failed Reads
  • Removable Disk Failed Creates
  • Removable Disk Modifications
  • Removable Disk Failed Modifications
  • Removable Disk Deletes
  • Removable Disk Failed Deletes
  • Device Based Removable Disk Changes
  • Removable Disk Creates
Regulation requirements:
  • NRC: ACT B.1.19
  • Cyber Essentials: Malware Protection
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • PDPA: RULE VI Section 25; RULE VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.1.3 Cyber Security Risk Response; 3.3.7 Change Management; 3.3.9 Cryptography
  • ECC: 2-8 Cryptography
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data
  • UAE-NESA: T3.2.3; T3.4.1
  • LGPD: Art 14

Reports: Windows Threat Detection from Antivirus
  • Threats Detections by ESET Endpoint Antivirus
  • Threats Detections by Kaspersky
  • Threats Detection by Microsoft Antimalware
  • Threats Detection by Sophos Anti-Virus
  • Threats Detection by Norton AntiVirus
  • Threat Detections by McAfee
Regulation requirements:
  • Cyber Essentials: Malware Protection
  • COCO: 1.D. Protective monitoring and intrusion detection
  • NERC: CIP 007-6 R3.1
  • NIST CSF: Risk Assessment (ID.RA)
  • POPIA: Chapter 3 - Section 19 (2) (a)
  • QCF: 3.2 Endpoint Security Service; 5.7.3 Management module
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data

Reports: Windows Application Whitelisting
  • Exe/Dll File Allowed to Run
  • Exe/Dll Files Not Allowed to Run due to Enforced rules
  • Exe/Dll File Not Allowed to Run
  • MSI/Script File Allowed to Run
  • MSI/Script Files Not Allowed to Run due to Enforced rules
  • Software Restricted to Access Program
Regulation requirements:
  • Cyber Essentials: Malware Protection
  • NERC: CIP 007-6 R3.1; CIP 010-2 R1.1
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data
  • UAE-NESA: T3.4.1

Reports: Windows Firewall Threats
  • Firewall Spoof Attack
  • Firewall Internet Protocol half-scan attack
  • Firewall Flood Attack
  • Firewall Ping of Death Attack
  • Firewall SYN Attack
Regulation requirements:
  • Cyber Essentials: Boundary firewalls and internet gateways

Reports: Windows Application Crashes
  • Application Errors
  • Application Hanged
Regulation requirements:
  • COCO: 1.B. Secure Configuration
  • TISAX: 5.2.4; 5.2.7

Reports: Windows Program Inventory
  • New application installations
  • Removed Applications
  • Updated Applications
Regulation requirements:
  • COCO: 1.B. Secure Configuration

Reports: Windows Software Updates
  • Installed
  • Downloaded
  • Detected
  • Connectivity
  • Availability
Regulation requirements:
  • NERC: CIP 007-6 R3.1; CIP 010-2 R1.1
  • UAE-NESA: T3.4.1

Reports: Detailed Windows Logon Reports
  • Windows Successful User Logons
  • Interactive Logon
  • Remote Interactive Logon
  • Network Logon
  • Logon Attempt Using explicit Credentials
  • Privilege Assigned to New Logon
Regulation requirements:
  • CMMC: C001 - AC.1.001; C007 - AU.2.041; C015 - IA.1.076
  • QCF: 5.8.6.2 Network domain security IP core
  • TISAX: 4.1.2; 4.2.1; 5.2.7
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.1.3 Cyber Security Risk Response; 3.2.5 Cyber Security Audits; 3.3.5 Identity and Access Management; 3.3.8 Infrastructure Security; 3.3.9 Cryptography; 3.3.11 Secure Disposal of Information Assets; 3.3.14 Cyber Security Event Management; 3.3.15 Cyber Security Incident Management
  • ECC: 2-2 Identity and Access Management
  • CJDN: Logging
  • UAE-NESA: T5.2.2; T7.5.3
  • SOC 2: 4.1.01; 4.2.02; 5.1.06; 5.2.03; 6.1.04; 6.1.08; 6.3.03; 6.8.02; 7.2.02
  • LGPD: Art 6 VII; Art 7 II; Art 7 VIII; Art 11; Art 16; Art 46

Reports: Windows Logoff Reports
  • Windows Successful User Logoffs
  • User Initiated Logoffs
  • Interactive Logoffs
  • Remote Interactive Logoffs
  • Network Logoff
Regulation requirements:
  • CMMC: C001 - AC.1.001
  • POPIA: Chapter 3 - Section 19 (1) (a); Chapter 3 - Section 19 (2) (a)
  • QCF: 5.8.6.2 Network domain security IP core
  • TISAX: 4.1.2; 5.2.4
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.3.9 Cryptography; 3.3.11 Secure Disposal of Information Assets
  • ECC: 2-8 Cryptography; 2-12 Cybersecurity Event Logs and Monitoring Management
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data
  • CJDN: Logging
  • UAE-NESA: T7.5.3
  • SOC 2: 4.1.01; 4.2.02
  • LGPD: Art 16

Reports: Windows Failed Logon Reports
  • Windows UnSuccessful User Logons
  • Failed Interactive Logons
  • Failed Remote Interactive Logons
  • Failed Network Logons
  • Failed logons due to password expiry
  • Failed logons due to account expiry
  • Failed logons due to account lock outs
  • Failed logons due to disabled accounts
  • Failed logons during non-working hours
  • Failed Logons due to Bad Password
  • Failed Logons due to Bad UserName
Regulation requirements:
  • CMMC: C001 - AC.1.001
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.5 Cyber Security Audits; 3.3.8 Infrastructure Security; 3.3.9 Cryptography; 3.3.15 Cyber Security Incident Management
  • POPIA: Chapter 3 - Section 19 (1) (a); Chapter 3 - Section 19 (2) (a)
  • QCF: 5.8.6.2 Network domain security IP core
  • TISAX: 4.1.2; 5.2.4
  • ECC: 2-8 Cryptography; 2-12 Cybersecurity Event Logs and Monitoring Management
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data
  • CJDN: Logging
  • UAE-NESA: T7.5.3
  • SOC 2: 4.1.01; 4.2.02; 5.1.06; 6.1.07; 6.1.08; 6.2.01
  • LGPD: Art 16

Reports: Windows Events
  • User Based Activity
Regulation requirements:
  • CMMC: C001 - AC.1.001; C007 - AU.2.041; C015 - IA.1.076
  • POPIA: Chapter 2 - Section 4; Chapter 3 - Section 19 (1) (a)
  • TISAX: 5.2.4
  • SAMA: 3.3.9 Cryptography; 3.3.11 Secure Disposal of Information Assets
  • ECC: 2-8 Cryptography
  • LGPD: Art 16

Reports: Detailed Windows Software Update Reports
  • Installed
  • Downloaded
  • Detected
  • Connectivity
  • Availability
  • Windows update process failed
  • Update Packages Installed
Regulation requirements:
  • CMMC: C007 - AU.3.045, AU.3.046; C008 - AU.2.042, AU.3.048; C010 - AU.2.044, AU.3.052; C013 - CM.2.063; C041 - SI.5.222
  • TISAX: 5.2.4
  • SOC 2: 5.2.02; 6.8.02; 6.8.04; 6.8.05; 7.1.01; 7.2.01; 7.2.02; 8.1.01

Reports: Windows Threat Detection
  • Audit Events Dropped
  • Security Log Full
Regulation requirements:
  • CMMC: C007 - AU.3.045, AU.3.046; C008 - AU.2.042, AU.3.048; C010 - AU.2.044, AU.3.052
  • TISAX: 5.2.4

Reports: Windows and software reports
  • Software Installed
  • Software Updated
  • Failed software installations
  • Failed software installations due to privilege mismatches
  • Non valid Windows license
  • Failed Windows license activations
  • Non activated Windows products
  • New Kernel Filter Driver
Regulation requirements:
  • CMMC: C013 - CM.2.063; C041 - SI.5.222
  • TISAX: 5.2.4
  • SOC 2: 5.2.02; 6.8.02; 6.8.04; 6.8.05; 7.1.01; 7.2.01; 7.2.02; 8.1.01

Reports: Windows Services - Detailed Reports
  • Service Started
  • Service Stopped
  • Service Failed
  • New Service Installed
Regulation requirements:
  • CMMC: C041 - SI.5.222
  • QCF: 5.2.1 Network Configuration Management Service
  • TISAX: 5.2.4

Reports: Windows Threat Detection from Antivirus Detailed Reports
  • Threats Detections by ESET Endpoint Antivirus
  • Threats Detections by Kaspersky
  • Threats Detection by Microsoft Antimalware
  • Threats Detection by Sophos Anti-Virus
  • Threats Detection by Norton AntiVirus
  • Threat Detections by McAfee
  • Infected files detected by Symantec Endpoint Protection
Regulation requirements:
  • CMMC: C041 - SI.5.222
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.1.2 Cyber Security Risk Analysis; 3.2.1.3 Cyber Security Risk Response; 3.2.1.4 Cyber Risk Monitoring and Review
  • UAE-NESA: T3.4.1