Active Directory

Default Brute Force Attack Successful
Description Is activated if more than 5 failed logins for a user are followed by a successful login from the same user within 5 minutes.
Log source Active Directory
Value An effective way to detect a potential security breach.
Rationale This alert detects a sequence of multiple failed login attempts followed by a successful one within a short window, which strongly suggests brute force activity. Detecting successful brute force login attempts is critical to prevent unauthorized access. It supports NIST 800-53 AC-7 (Login Attempts) and AU-6 (Audit Review), ISO 27001 Annex A.12.4.1 (Event logging), and aligns with CIS Control 16.12 (Account Monitoring and Control).
Query
[label=User label=Login label=Fail -target_user=*$
| rename target_user as user
| chart count() as cnt by user
| search cnt > 5 ] as s1 followed by
[label=User label=Login label=Successful
| rename target_user as user] as s2 on s1.user = s2.user
| rename s2.user as User
Comments -
Type Alert
MITRE ATT&CK T1110.001 – Brute Force: Password Guessing
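The correlation the query expresses (a burst of failures, then a success for the same account, computer accounts excluded) can be reproduced outside the SIEM. The following Python is an added example, not Logpoint code or part of the original catalogue: the event tuples, the `_fails` helper and the `detect_brute_force_success` function are constructed here to show how the "more than 5 failures, then success, within 5 minutes" window behaves on the edge cases that matter (a success arriving after the window, a machine account, a single mistyped password).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables mirroring the alert: more than THRESHOLD failures, then a success,
# within WINDOW for the same (non-computer) account.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def _fails(user, start, n, step_s=5):
    """Build n constructed failed-login events for `user`, `step_s` seconds apart."""
    base = datetime.fromisoformat(start)
    return [((base + timedelta(seconds=i * step_s)).isoformat(), user, "fail")
            for i in range(n)]


# Constructed sample events (not real logs): (timestamp, target_user, outcome).
SAMPLE_EVENTS = (
    _fails("jdoe", "2024-05-01T10:00:00", 6)
    + [("2024-05-01T10:01:00", "jdoe", "success")]        # 6 fails, then success within 1 min
    + _fails("asmith", "2024-05-01T10:02:00", 1)
    + [("2024-05-01T10:02:30", "asmith", "success")]      # a single typo, not an attack
    + _fails("bwayne", "2024-05-01T09:00:00", 6)
    + [("2024-05-01T09:10:00", "bwayne", "success")]      # success 10 min later: outside window
    + _fails("WS01$", "2024-05-01T11:00:00", 6)
    + [("2024-05-01T11:00:40", "WS01$", "success")]       # computer account: excluded like -target_user=*$
)


def detect_brute_force_success(events, threshold=THRESHOLD, window=WINDOW):
    """Return (user, success_time, failure_count) for every successful login
    preceded by more than `threshold` failures of the same user within `window`.

    Events are (ISO timestamp, user, "fail" | "success"); input order is not assumed.
    """
    ordered = sorted(
        ((datetime.fromisoformat(ts), user, outcome) for ts, user, outcome in events),
        key=lambda e: e[0],
    )
    failures = defaultdict(list)   # user -> timestamps of failures not yet followed by a success
    alerts = []
    for ts, user, outcome in ordered:
        if user.endswith("$"):      # skip machine accounts, as the query does
            continue
        if outcome == "fail":
            failures[user].append(ts)
        elif outcome == "success":
            in_window = [f for f in failures[user] if ts - f <= window]
            failures[user] = []     # a success ends the burst; alert at most once per burst
            if len(in_window) > threshold:
                alerts.append((user, ts, len(in_window)))
    return alerts


if __name__ == "__main__":
    for user, when, count in detect_brute_force_success(SAMPLE_EVENTS):
        print(f"ALERT {when.isoformat()} {user}: {count} failures then success")
```

Only jdoe alerts: bwayne's success falls outside the 5-minute window, asmith has a single failure, and the WS01$ machine account is filtered before counting. Raising the threshold to 6 silences the jdoe case as well, which is the knob to turn if legitimate users routinely exceed five failures.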

 

Detection of Remote Logon from Admin
Description Searches for successful logins with logon type '10', which indicates a remote login, and filters for admin users whose username starts with 'Admin'.
Log source Active Directory
Value Can detect remote admin logins, which can be an indicator of compromise (IOC).
Rationale This alert identifies successful remote logins using Logon Type 10 by admin accounts, which can indicate lateral movement or unauthorized access via RDP. Monitoring such activity is essential in public-sector environments to detect intrusions early. It supports NIST 800-53 AC-2 (Account Management) and AC-17 (Remote Access), ISO 27001 Annex A.9.2 (User Access Management), and CIS Control 12.6 (Remote Access Monitoring).
Query
norm_id=WinServer event_id=4624 logon_type="10"
(authentication_package="Negotiate" OR package="Negotiate")
user="Admin-*" -user IN EXCLUDED_USERS
| rename package as authentication_package
Comments This alert is based on the assumption that all admin users have the prefix 'Admin'. This is of course not always the case, and it is recommended that before using the alert you get an overview of which prefixes are used on admin accounts, or insert all admin users into a list and adjust the search accordingly.
Type Alert
MITRE ATT&CK T1021.001 – Remote Services: Remote Desktop Protocol

 

Windows User Removed from Domain Enterprise Admin
Description Activates if a user is removed from the 'Domain Admins' or 'Enterprise Admins' group.
Log source Active Directory
Value Critical users are often targets of attacks, which is why continuously monitoring these users provides value and insight.
Rationale Monitoring the removal of privileged accounts from critical groups like 'Domain Admins' and 'Enterprise Admins' can reveal lateral movement or privilege reduction activities by adversaries trying to hide tracks or weaken defenses. Aligns with NIST 800-53 AC-5 and AU-6, ISO 27001 A.12.4, and CIS Control 5.3.
Query
norm_id=WinServer* action="removed"
(group_name="Enterprise Admins" OR group_name="Domain Admins" OR group="Enterprise Admins" OR group="Domain Admins")
(member=* OR target_user=*)
-user IN EXCLUDED_USERS
| rename group_name as group, target_user as member
Comments It is possible to add multiple groups to this alert. It is important to keep the 'EXCLUDED_USERS' list updated with the users that should be excluded.
Type Alert
MITRE ATT&CK T1484.001 – Domain Policy Modification: Group Policy Modification

 

Windows User Added to Domain Enterprise Admin
Description Activates if a user is added to 'Domain Admins' or 'Enterprise Admins' user groups.
Log source Active Directory
Value Critical users are often targets of attacks, which is why continuously monitoring these users provides value and insight. In this case the infrastructure can be infiltrated.
Rationale This alert detects when users are added to privileged groups like "Domain Admins" or "Enterprise Admins," which is a high-risk activity commonly associated with privilege escalation or persistence techniques. Monitoring such events helps ensure administrative boundaries are enforced. It aligns with NIST 800-53 AC-5 (Separation of Duties), AC-6 (Least Privilege), ISO 27001 Annex A.9.2.3 (Management of privileged access rights), and CIS Control 5.1 (Establish and Maintain an Inventory of Accounts).
Query
norm_id=WinServer* action="added"
(group_name="Enterprise Admins" OR group_name="Domain Admins" OR group="Enterprise Admins" OR group="Domain Admins")
member=* -user IN EXCLUDED_USERS
| rename target_user as member, group_name as group
Comments It is possible to add multiple groups to this alert. It is important to keep the 'EXCLUDED_USERS' list updated with the users that should be excluded.
Type Alert
MITRE ATT&CK T1098.002 – Account Manipulation: Domain Accounts

 

Password never expires on Domain Admin account
Description Finds all Domain Admin accounts from the DADMINS list whose password has been changed to 'Never Expire'.
Log source Active Directory
Value This detection is valuable as regular password changes are essential, especially for critical users in the organization.
Rationale This alert detects when the "Password Never Expires" setting is enabled on privileged accounts like Domain Admins. This is a high-risk configuration change that weakens credential hygiene and can enable long-term persistence by adversaries. Enforcing password expiration policies is a core control in frameworks such as NIST 800-53 IA-5 (Authenticator Management), ISO 27001 Annex A.9.4.3 (Password Management), and CIS Control 5.2 (Use Unique Passwords).
Query
norm_id=WinServer label=Change label=Management label=Account label=User
(user_account_control=*2089* OR "'Don't Expire Password' - Enabled" OR "'Don't Expire Password' - Disabled") user="DADMIN*"
-user=*$ -target_user=*$ user=*
| chart count() by user, domain, log_ts, action, target_user, user_account_control
Comments Certain organisations already have security policies in place which make it impossible to set account passwords to 'Never Expire'.
Type Alert
MITRE ATT&CK T1098 – Account Manipulation

 

Failed login attempt from Domain Admin
Description Finds all failed logins from the Domain Admin accounts in the DADMINS list.
Log source Active Directory (can be expanded with standard Windows servers)
Value Monitoring failed logins on Domain Admin accounts is crucial for security, enabling early detection of potential attacks like brute force and insider threats. It ensures compliance and provides an audit trail for security assessments.
Rationale This alert tracks failed login attempts using Domain Admin accounts, which may indicate brute-force attempts, misconfigurations, or insider threat activity. Monitoring such events supports early detection of credential-based attacks and helps enforce authentication controls. It aligns with NIST 800-53 AC-7 (Unsuccessful Logon Attempts), AU-6 (Audit Review), ISO 27001 A.12.4.1 (Event logging), and CIS Control 16.13 (Detect Unsuccessful Logins).
Query
event_id=4625 (target_user="DADMIN*" OR user="DADMIN*")
| chart count() by user, target_user, displayName, logon_type, reason, host, workstation, log_ts
Comments To detect logins outside of Domain Controller servers, it is necessary to get logs from standard Windows servers.
Type Alert
MITRE ATT&CK T1110.001 – Brute Force: Password Guessing

 

Domain Admin login from an external IP address
Description Lists all successful logins from Domain Admin accounts in the DADMINS list with remote logon type '10'.
Log source Active Directory
Value Monitoring external/remote logins to Domain Admin accounts is imperative for protecting critical systems. It helps detect unauthorized access attempts, identify potential security breaches in real time, and ensure compliance with regulatory standards.
Rationale This alert detects successful remote logins (logon type 10) by Domain Admin accounts, which may indicate adversary use of compromised credentials for lateral movement or persistence. It is critical to monitor such activity in public-sector systems to mitigate high-impact breaches. This detection supports NIST 800-53 AC-17 (Remote Access), AU-2 (Audit Events), ISO 27001 A.9.2.3 (Privileged Access), and CIS Control 12.6 (Remote Access Monitoring).
Query
event_id=4624 logon_type="10" (target_user="DADMIN*" OR user="DADMIN*")
| chart count() by user, target_user, displayName, logon_type, reason, host, workstation, log_ts
Comments To detect logins outside of Domain Controller servers, it is necessary to get logs from standard Windows servers.
Type Alert
MITRE ATT&CK T1021.001 – Remote Services: Remote Desktop Protocol

 

User changes on a Domain Admin account
Description Lists all user changes on Domain accounts from the DADMINS list.
Log source Active Directory
Value Monitoring changes to Domain Admin accounts is essential to ensure security. It helps detect unauthorized changes, such as privilege escalations or account deletions, which may indicate malicious activity or insider threats. By tracking these changes, organizations can maintain compliance with regulatory requirements and ensure that access rights are appropriate and justified.
Rationale This alert identifies changes made to Domain Admin accounts, including modifications to permissions or properties. Such changes could indicate privilege escalation, insider threats, or unauthorized administrative actions. Continuous monitoring supports NIST 800-53 AC-2 (Account Management) and AU-12 (Audit Generation), ISO 27001 A.9.2.5 (Review of user access rights), and CIS Control 5.3 (Disable Dormant Accounts).
Query
norm_id=WinServer label=User label=Account label=Management -user="ANONYMOUS LOGON" target_user="DADMIN*" -domain="NT AUTHORITY" action=*
| chart count() by user, target_user, action, message, log_ts
Comments For this alarm to work, the usernames of the Domain Admin accounts must be inserted into the DADMINS list so that they are monitored.
Type Alert
MITRE ATT&CK T1098 – Account Manipulation

 

Windows Audit Logs Cleared
Description Is activated if the event log has been deleted/cleared.
Log source Active Directory
Value It clearly indicates an issue, as there should never be a reason to manually delete the Event Log.
Rationale This alert detects the clearing of Windows Event Logs, which is a strong indicator of adversary activity attempting to evade detection and hinder forensic analysis. Such behavior should trigger immediate investigation. This aligns with NIST 800-53 AU-9 (Protection of Audit Information), SI-4 (Information System Monitoring), ISO 27001 A.12.4.1 (Event logging), and CIS Control 8.7 (Audit Log Protection).
Query
norm_id=WinServer label=User label=Account label=Management -user="ANONYMOUS LOGON" target_user="DADMIN*" -domain="NT AUTHORITY" action=*
| chart count() by user, target_user, action, message, log_ts
Comments This alert should never be triggered, as there is no reason to delete the Windows Event Log manually. Consider replacing 'EXCLUDED_USERS' with another list when monitoring this alert.
Type Alert
MITRE ATT&CK T1070.001 – Indicator Removal on Host: Clear Windows Event Logs

 

LP_Windows User Password Never Expires
Description This is initiated if a user is assigned 'Password Never Expires' (Event ID: 4738)
Log source Active Directory
Value This detection is of value, as it is important to change passwords regularly - especially for the critical users in the organisation.
Rationale This alert identifies when a user account is configured with the "Password Never Expires" setting, which weakens credential lifecycle management and may support adversary persistence. Regular password changes are critical for maintaining a secure environment. This alert supports NIST 800-53 IA-5 (Authenticator Management), ISO 27001 A.9.4.3 (Password Management System), and CIS Control 5.2 (Use Unique Passwords).
Query
norm_id=WinServer* label=Change label=Management label=Account label=User user_account_control="*Don't Expire Password - Enabled"
-target_user=*$ -user IN EXCLUDED_USERS
| rename caller_user as user, caller_domain as domain
Comments This alarm cannot detect users who already have their password set to 'Never Expire'.
Type Alert
MITRE ATT&CK T1098 – Account Manipulation

 

LP_Windows Failed Login Attempt using an Expired Account
Description This alert searches for failed logins with the expired account status code 0xC0000193.
Log source Active Directory
Value There should be no login attempts from expired accounts, which is why it is important to be able to detect them.
Rationale This alert identifies failed login attempts using expired accounts (status code 0xC0000193), which may indicate misuse of dormant credentials by adversaries or automated systems. It helps detect unauthorized access attempts and supports cleanup of legacy accounts. This aligns with NIST 800-53 AC-2 (Account Management), AU-6 (Audit Review), ISO 27001 A.9.2.6 (Removal or adjustment of access rights), and CIS Control 5.4 (Remove Unnecessary Accounts).
Query
norm_id=WinServer* label=User label=Login label=Fail sub_status_code="0xC0000193" -target_user=*$ -user=*$ -user IN EXCLUDED_USERS
| rename user as target_user, domain as target_domain, reason as failure_reason
Comments An alert is issued on all failed login attempts for expired accounts. It is also possible to set up a list of specific accounts to reduce the risk of false positives.
Type Alert
MITRE ATT&CK T1078 – Valid Accounts

 

LP_Suspicious Kerberos RC4 Ticket Encryption
Description This alert is triggered whenever it detects suspicious service ticket requests using the RC4 encryption type.
Log source Active Directory
Value Can detect if a threat actor is attempting to exploit vulnerable Kerberos Service accounts in Active Directory.
Rationale This alert detects Kerberos service ticket requests using RC4 encryption (0x17), which is commonly targeted during Kerberoasting attacks due to its vulnerability to offline password cracking. Monitoring such activity helps detect lateral movement and credential compromise attempts. This supports NIST 800-53 IA-5 (Authenticator Management), SI-4 (System Monitoring), ISO 27001 A.12.4.1 (Event Logging), and CIS Control 6.7 (Central Log Management).
Query
norm_id=WinServer event_id=4769 (ticket_option="0x40810000" OR ticket_option="0x40800000")
Encryption_type="0x17" -service="$*" -user IN EXCLUDED_USERS
Comments To minimize kerberoasting in your environment, it is recommended to have long passwords on service accounts that change frequently. False positives are inevitable in this detection, so it is important to have a clear understanding of the "trends" in your environment.
Type Alert
MITRE ATT&CK T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting

 

LP_Password Spraying Attack Detected
Description This alarm is triggered if the same source address fails login from more than 5 different users.
Log source Active Directory
Value This is a clear indication that someone is trying to gain unauthorized access to your environment.
Rationale This alert detects multiple failed login attempts from a single IP against different accounts, a pattern typical of password spraying. This technique avoids lockouts by rotating usernames instead of passwords. Detecting it early supports NIST 800-53 AC-7 (Unsuccessful Login Attempts), SI-4 (System Monitoring), ISO 27001 A.12.4.1 (Logging), and CIS Control 16.11 (Brute Force Detection).
Query
norm_id=WinServer event_id=4625 -user IN EXCLUDED_USERS
| chart distinct_count(user) as UserCount, distinct_list(user) as Users by source_address
| search UserCount > 5
Comments The threshold of 5 users can be increased so that it fits your organization's limit value.
Type Alert
MITRE ATT&CK T1110.003 – Brute Force: Password Spraying
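The spraying query reduces to two operations: count distinct users per source address, then keep the sources above the threshold, with the exclusion list applied before counting. The Python below is an added example written for this page, not Logpoint code or part of the original catalogue: the `SAMPLE_FAILED_LOGONS` tuples, the `EXCLUDED_USERS` set and the `detect_password_spraying` function are constructed here to show that a single account hammered from one address (brute force) does not trip this rule, and that an excluded scanner account can pull a source back under the threshold.

```python
from collections import defaultdict

# Threshold from the alert: alert when one source fails against MORE than 5 distinct users.
THRESHOLD = 5
# Stands in for the EXCLUDED_USERS list (constructed; e.g. a vulnerability scanner account).
EXCLUDED_USERS = {"svc_scanner"}


def _spray(source, users):
    """Constructed failed logons from one source against each user in `users`."""
    return [(source, u) for u in users]


# Constructed sample of failed logons (event_id 4625 equivalents): (source_address, user).
SAMPLE_FAILED_LOGONS = (
    _spray("10.0.0.5", ["alice", "bob", "carol", "dave", "erin", "frank", "alice"])  # 6 distinct users: spray
    + _spray("10.0.0.9", ["alice"] * 8)                                             # one user, many tries: not a spray
    + _spray("10.0.0.7", ["svc_scanner", "gina", "hank", "ivan", "judy", "kim"])    # 6 distinct, scanner excluded -> 5
)


def detect_password_spraying(events, threshold=THRESHOLD, excluded=EXCLUDED_USERS):
    """Return {source_address: sorted distinct users} for every source that failed
    against more than `threshold` distinct, non-excluded users."""
    users_by_source = defaultdict(set)
    for source, user in events:
        if user in excluded:                  # -user IN EXCLUDED_USERS
            continue
        users_by_source[source].add(user)     # distinct_count(user) ... by source_address
    return {src: sorted(users) for src, users in users_by_source.items()
            if len(users) > threshold}        # search UserCount > 5


if __name__ == "__main__":
    for source, users in detect_password_spraying(SAMPLE_FAILED_LOGONS).items():
        print(f"ALERT {source} failed against {len(users)} users: {', '.join(users)}")
```

With the default threshold only 10.0.0.5 alerts; 10.0.0.7 sits at exactly five non-excluded users, which the `>` comparison does not flag. Lowering the threshold, or emptying the exclusion set, brings 10.0.0.7 in, which is the trade-off the Comments above describe.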

 

Potential Failed Lateral Movement By Using Pass the Hash
Description This alert is triggered if there are failed login attempts that use 'Pass the Hash' to move across the network. DOMAIN is the list of valid domains with expected authentication activity.
Log source Active Directory
Value This is a clear indication that someone is trying to move across your environment, often with the intention of reconnaissance, acquiring more rights and, in the worst case, stealing or encrypting data.
Rationale This alert identifies failed login attempts using logon type 9 (NewCredentials), often associated with Pass the Hash attacks. Such activity suggests attempts at lateral movement using stolen NTLM hashes. Detecting this behavior supports NIST 800-53 SI-4 (System Monitoring), AC-2 (Account Management), ISO 27001 A.12.4.1 (Logging), and CIS Control 16.1 (Monitor Authentication Activity).
Query
norm_id=WinServer* label=User label=Login label=Fail logon_type=9 -caller_domain IN DOMAIN -target_user="ANONYMOUS LOGON" -user="ANONYMOUS LOGON" -user IN EXCLUDED_USERS
| rename target_user as user, target_domain as domain
Comments Alerts on potentially failed attempts to use the 'Pass the Hash' technique can give an indication of how much your organization is being attacked.
Type Alert
MITRE ATT&CK T1550.002 – Use Alternate Authentication Material: Pass the Hash

 

LP_Windows Possible Successful Lateral Movement using Pass the Hash
Description This alert is triggered if there are successful login attempts that potentially use 'Pass the Hash' to move across the network. DOMAIN is the list of valid domains with expected authentication activity.
Log source Active Directory
Value This alert indicates potential successful lateral movement using the 'Pass the Hash' technique. This may be an indication that someone from outside is in your network.
Rationale This alert detects successful logins using logon type 3 (network logon) under conditions commonly associated with Pass the Hash activity. Successful lateral movement via NTLM hash reuse is a critical risk that may indicate a compromised asset. Detecting it supports NIST 800-53 SI-4 (System Monitoring), AC-17 (Remote Access), ISO 27001 A.12.4.1 (Event Logging), and CIS Control 16.1 (Monitor Authentication Activity).
Query
norm_id=WinServer* label=User label=Login label=Successful logon_type=3 -caller_domain IN DOMAIN -user="ANONYMOUS LOGON" -user=*$ caller_user=* caller_domain=* user=* domain=* source_address=* -user IN EXCLUDED_USERS
Comments This alert indicates potential successful lateral movement using the 'Pass the Hash' technique. This may be an indication that someone from outside is in your network.
Type Alert
MITRE ATT&CK T1550.002 – Use Alternate Authentication Material: Pass the Hash

 

Change in Kerberos Policy
Description This alert looks for changes made to the Kerberos Policy (Event ID: 4713)
Log source Active Directory
Value If there are no planned changes in relation to Kerberos Policy, then this should not take place and therefore it is important to monitor.
Rationale This alert monitors Event ID 4713, indicating changes to the Kerberos Policy. Unauthorized changes to Kerberos settings can weaken authentication security, potentially enabling ticket forgery or other credential abuse techniques. Monitoring this supports NIST 800-53 CM-3 (Configuration Change Control), IA-5 (Authenticator Management), ISO 27001 A.12.1.2 (Change Management), and CIS Control 4.3 (Security Configuration Management).
Query
norm_id=winserver* label=Kerberos label=Policy label=Change
| chart count() by log_ts, target_user, user, message, policy
Comments If there are no planned changes in relation to Kerberos Policy, then this should not take place and therefore it is important to monitor.
Type Alert
MITRE ATT&CK T1484.001 – Domain Policy Modification: Group Policy Modification

Active Directory Dashboards

LP_AD: User Account Management
Description This dashboard has widgets that can provide an overview of the management of user accounts in Active Directory and the related activity.
Log source Active Directory
Value Since users in an organization are often the ones exposed to targeted attacks, it is important to conduct continuous monitoring to detect potential compromise or suspicious behavior.
Rationale This dashboard tracks high-risk changes to critical user accounts, including admin group membership, account enabling/disabling, and persistence-related naming patterns (e.g., accounts ending with $). These activities are often precursors to privilege escalation or stealthy persistence by threat actors. Continuous visibility aligns with NIST 800-53 AC-2 (Account Management), CM-5 (Access Restrictions), ISO 27001 A.9.2.3 (Privileged Access Rights), and CIS Control 5.1/5.2.
Widgets / Use cases

1. Activities in User Account Management

2. Top 10 Actions in User Account Management

3. Activities in User Account Management

4. Top 10 Users in Account Creation

5. User Accounts Created

6. Top 10 Users in Account Deletion

7. User Accounts Deleted

8. Created Accounts

9. Deleted Accounts

10. Top 10 Users in Accounts Changed

11. Top 10 Accounts Changed

12. Changed Accounts

13. Top 10 User Accounts Locked

14. User Accounts Unlocked

15. Success vs Failure Password Change Attempts

16. Password Set or Reset Attempts

Comments Some widgets display Top 10 data, which gives an overview of what is happening in your environment. It is possible to adjust the number of views to suit your organization.
Type Dashboard

 

LP_AD: Critical User Activities
Description This dashboard has widgets that can provide an overview of the management of critical user accounts in Active Directory and the related activity.
Log source Active Directory
Value Since users in an organization are often the ones exposed to targeted attacks, it is important to conduct continuous monitoring to detect potential compromise or suspicious behavior.
Rationale This dashboard tracks high-risk changes to critical user accounts, including admin group membership, account enabling/disabling, and persistence-related naming patterns (e.g., accounts ending with $). These activities are often precursors to privilege escalation or stealthy persistence by threat actors. Continuous visibility aligns with NIST 800-53 AC-2 (Account Management), CM-5 (Access Restrictions), ISO 27001 A.9.2.3 (Privileged Access Rights), and CIS Control 5.1/5.2.
Widgets / Use cases

1. Users Added to Administrator Group

2. Users Removed from Administrator Group

3. Users Disabled

4. Users Enabled

5. Password Never Expires

6. Users Created with a $

7. Users Changed to End with $

8. User Added to a LogPoint Group in Active Directory

9. User Removed from a LogPoint Group in Active Directory

Comments For Logpoint Group widgets to work, a Logpoint Group must be configured in your Active Directory environment with the users who have access to Logpoint and update the 'LOGPOINT_GROUPS' list. The setting for the 'Users Added / Removed from Administrator Group' widget uses 'Admins' or 'Administrators'. If other names are used in your organization groups, these can be changed in Widget Settings.
Type Dashboard