Requires: EventSentry NetFlow license, pfSense 2.4 or later, psexec, kittyportable. Starting with EventSentry v4.0.3, EventSentry can log events when a potentially malicious IP address has been detected via NetFlow. This event can subsequently be used to trigger a process that remotely logs into the pfSense firewall to block the IP addr...

KB-ID 402
Category: Network Services
Applies to: 4.0.3

The easiest way to get notified in real time whenever a user is created in Active Directory is by forwarding Microsoft-Windows-Security-Auditing event 4720 (https://system32.eventsentry.com/security/event/4720). This event is logged to the Security event log whenever an Active Directory user is created. More informa...

KB-ID 403
Category: Security

Recent CVE advisory CVE-2020-0796 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796) explains a remote code execution vulnerability that exists in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, affecting Windows 10 and Windows Server. Microsoft has released a patch for this vulnera...

KB-ID 415
Category: Security

Utilman.exe is the utility program that is launched when the Ease of Access button on the login screen is clicked. At the time of writing it can still be replaced with cmd.exe, allowing an attacker to simply reset any user password, since the tool is executed with admin rights. Info: https://4sysops.com/archives/resetawindows1...

KB-ID 433
Category: Security
Applies to: 3.5 and later

This guide illustrates how to completely disable WinRM and how to deploy that change over the network using the free tool EventSentry Admin Assistant (https://www.eventsentry.com/adminassistant). Sections: 1. Disabling WinRM; 2. Network deployment using EventSentry Admin Assistant. Disabling WinRM: The Windows Remote Management (WinRM) service is Micro...

KB-ID 436
Category: Security
Applies to: Admin Assistant

EventSentry can detect both successful and unsuccessful ZeroLogon attacks by examining various event patterns on domain computers. To use this package: (1) download the package using the link shown below; (2) open the EventSentry management console; (3) click on Packages; (4) click on Import; (5) select the ZeroLogon package (resource 15).

KB-ID 440
Category: Security
Applies to: 4.2.3

Starting with EventSentry v4.2.3, web attacks can be detected with a set of regular expression rules that can be applied to any monitored log file, including IIS log files. New EventSentry installations (not upgrades from pre-4.2.x versions) automatically have these rules activated in all IIS Windows log file packages, except for 2008 users who upgra...

KB-ID 443
Category: Security
Applies to: 4.2.3

The EventSentry dashboard includes the generic Search tile, which can be used to display data from any page in the web reports, e.g. event log data. The Search tile also offers the ability to extract select data strings from events and display them in custom columns. This method can be applied to any type of event logged to the event log. ...

KB-ID 464
Category: Web Reports
Applies to: 4.2 and later

The Security Foundation dashboard identifies insufficiently configured Windows audit settings across all monitored hosts. Properly configured audit settings are the prerequisite for more advanced security initiatives, and it is recommended that all tiles in the dashboard show OK. Numbers shown in the tiles reflect the number of audit pol...

KB-ID 514
Category: Dashboard
Applies to: 5.1.1.102 and higher

The Attack Surface dashboard utilizes various validation scripts to ensure the monitored hosts meet basic security and best-practice guidelines. To make it easier to prioritize resolving issues identified by the validation checks, the scripts are grouped into Workstation, Server & Domain Controllers. Numbers shown in the tiles reflect th...

KB-ID 515
Category: Dashboard
Applies to: 5.1.1.102 and higher

The Critical Changes & Activity dashboard utilizes a variety of EventSentry features to identify & review changes made to the network infrastructure and Active Directory. The ADMonitor-based tiles (indicated with ADMonitor in the title) can be removed if ADMonitor is not activated. This dashboard offers the following benefits: Ident...

KB-ID 516
Category: Dashboard
Applies to: 5.1.1.102 and higher