Activity
1. Account Lockouts by User • Last 24 Hours, Last 7 Days, Last 30 Days
2. Account Lockouts by Endpoint • Last 30 Days
3. Used Endpoints • Last 7 Days, Last 30 Days
4. Unused Endpoints • Last 7 Days, Last 30 Days
5. Unused Servers • Last 7 Days, Last 30 Days
6. NTLM Usage by User
7. NTLM Usage by Endpoint
Incidents
1. Top 10 by Severity
2. Top 10 Users by Number of Incidents
3. Summary • Last 24 Hours, Last 7 Days, Last 30 Days
Insights
1. Accounts About to Expire within 7 Days
2. Added Computers - Last 7 Days
3. Admin Owned Endpoints
4. Administrative Logins • Last 24 Hours, Last 7 Days, Last 30 Days
5. All Accounts With Compromised Password
6. Departmental Risk by Severity • Last 7 Days, Last 30 Days
7. Detailed Failed Authentication • Last 24 Hours, Last 7 Days, Last 30 Days
8. Disabled Accounts
9. Discovered Accounts With Compromised Passwords • Last 24 Hours, Last 7 Days, Last 30 Days
10. Expired Accounts - Last 7 Days
11. Inactive Admins
12. Never Logged On Users
13. OU Risk by Severity • Last 7 Days, Last 30 Days
14. Removed Computers - Last 7 Days
15. Security Assessment
16. Removed Computers
17. Stealthy Admins
18. Top 10 Risky Users
Authentication
• Domain Login
• Failed Authentication
• Kerberos Authentication
• LDAP Authentication
• SSO Login
• VPN Authentication
Service
• LDAP
• Web
• File Share
• DB
• Remote Procedures (RPC)
• Remote Desktop (RDP)
• SCCM Remote Control
• SIP
• Computer Access
User Account Events
• Authorizer Modified
• Created
• Department Membership Modified
• Disabled
• Email Address Modified
• Enabled
• Locked
• Remote Task Management
• Netlogon Server Authenticate
• Remote Code Execution
• OU Membership Modified
• Password Changed
• Privilege Decreased
• Privilege Escalation
• Unlocked
• Username Modified
Service
• Cloud Service
• Uncategorized
• LDAP Operations
• LDAP Search
• RPC Operations
• Domain Replication
• SPN Modification
• Replication Server Registration
• Scheduled Task Creation
• Remote Service Configuration
• Net Session Enumeration
• User Management
• Remote SCM Activation (DCOM)
Alerts
• Access from Forbidden Country
• Anomalous RPC
• Credential Scanning
• Excessive Activity - Destination Endpoint
• Excessive Activity - Origin Endpoints
• Forged PAC Alert
• Geographic Anomaly
• Golden Ticket Attack
• Hidden Object Detected
• Identity Verification Approved
• Identity Verification Denied
• Identity Verification Timeout
• Password Brute Force
• Policy Rule Match
• Possible Exploitation Attempt
• Remote Code Execution
• Skeleton Key Alert
• Stale Endpoint Usage
• Stale Service Usage
• Stale User Account Usage
• Suspected NTLM Relay Activity
• Suspicious Domain Replication
• Suspicious LDAP Activity
• Suspicious Lateral Movement
• Suspicious Protocol Implementation
• Suspicious Ticket Reuse
• Unusual Access to Application
• Unusual Access to Server
• Unusual New Account Activity
• Unusual Use of Endpoint
• Unusual User Geolocation
• Usage of IP with Bad Reputation
• User Brute Force