Windows Ruleset Compliance Matrix
F5 Distributed Cloud App Infrastructure Protection (AIP) provides a Base Rule Set as a starting point for monitoring Windows servers. Because the Base Rule Set may not meet your organization's specific requirements, alternate compliance rulesets are also available, based on:
- HIPAA
- ISO 27001
- MPAA
- PCI
- SOC2
To clarify how each compliance ruleset relates to the Base Rule Set, the comparison charts below list, for every base rule, the criteria of that framework the rule supports (Supports Criteria). Distributed Cloud AIP also uses the base rules to detect and alert on activity mapped to the MITRE ATT&CK Matrices; the MITRE Criteria column gives the ATT&CK Enterprise technique IDs associated with each rule. N/A in either column means the rule carries no mapping for that column. Treat the framework mappings as an aid to evidence collection, not as a certification of compliance on their own.
HIPAA

Windows Base Rule Set | Supports Criteria (HIPAA) | MITRE Criteria |
---|---|---|
Computer Account Management: Computer Account Changed | HIPAA 164.308(a)(3)(ii)(A) | N/A |
Computer Account Management: Computer Account Created | HIPAA 164.308(a)(3)(ii)(A) | N/A |
Computer Account Management: Computer Account Deleted | HIPAA 164.308(a)(3)(ii)(A) | N/A |
File: Possible Accessibility Features Abuse | N/A | T1546, T1485 |
File: Scheduled Tasks Modified | N/A | T1053 |
Host: Possible Lateral Movement Tools | HIPAA 164.308(a)(5)(ii)(B) | T1570, T1021 |
Host: Possible Domain Trust Policy Modification | N/A | T1484 |
Host: Suspicious CScript Launch | HIPAA 164.308(a)(5)(ii)(B) | N/A |
Host: System Time Changed | N/A | N/A |
Logon: Failed Logon | HIPAA 164.308(a)(5)(ii)(C) | T1595, T1110 |
Logon: Successful Logon: Batch or Service | HIPAA 164.308(a)(5)(ii)(C) | T1078 |
Logon: Successful Logon: Elevated Batch or Service | HIPAA 164.308(a)(5)(ii)(C) | T1078 |
Logon: Successful Logon: Elevated Interactive | HIPAA 164.308(a)(5)(ii)(C) | T1078 |
Logon: Successful Logon: Elevated Network | HIPAA 164.308(a)(5)(ii)(C) | T1078 |
Logon: Successful Logon: Elevated Remote Interactive | HIPAA 164.308(a)(5)(ii)(C) | T1078, T1021 |
Logon: Successful Logon: Interactive | HIPAA 164.308(a)(5)(ii)(C) | T1078, T1021 |
Logon: Successful Logon: Network | HIPAA 164.308(a)(5)(ii)(C) | T1078 |
Logon: Successful Logon: Remote Interactive | HIPAA 164.308(a)(5)(ii)(C) | T1078, T1021 |
Network: Firewall Service Stopped | HIPAA 164.308(a)(5)(ii)(B) | T1562 |
Network: Outbound Connection to Non-Standard Port | HIPAA 164.312(b) | T1048 |
Network: Outbound HTTP | HIPAA 164.312(b) | N/A |
Network: Outbound HTTPS | HIPAA 164.312(b) | N/A |
Network: Outbound RDP | HIPAA 164.312(b) | T1041, T1021 |
Network: Outbound SMTP | HIPAA 164.312(b) | N/A |
Network: Outbound SSH | HIPAA 164.312(b) | T1041, T1021 |
Network: Powershell Initiated Connection | HIPAA 164.312(b) | T1059 |
Registry Event: Modification of Registry Run Keys | HIPAA 164.308(a)(5)(ii)(B) | T1547, T1112 |
Registry Event: Possible Application Shim | HIPAA 164.308(a)(5)(ii)(B) | T1574, T1546, T1112 |
Registry Event: Possible Code Execution via Assistive Technology Helper | HIPAA 164.308(a)(5)(ii)(B) | T1112 |
Registry Event: Possible COM Hijacking | HIPAA 164.308(a)(5)(ii)(B) | T1574, T1546, T1112 |
Registry Event: Possible Default File Association Change | N/A | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via AppCert DLL Registry Key | HIPAA 164.308(a)(5)(ii)(B) | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Authentication Packages Registry Key | HIPAA 164.308(a)(5)(ii)(B) | T1556, T1547, T1112 |
Registry Event: Possible DLL Loading via Netsh Helper DLL Registry Key | HIPAA 164.308(a)(5)(ii)(B) | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Port Monitors Registry Key | HIPAA 164.308(a)(5)(ii)(B) | T1547, T1112 |
Registry Event: Possible DLL Loading via Time Providers Registry Key | HIPAA 164.308(a)(5)(ii)(B) | T1547, T1112 |
Registry Event: Possible DLL Loading via WinLogon Helper DLL Registry Keys | HIPAA 164.308(a)(5)(ii)(B) | T1574, T1547, T1112 |
Registry Event: Possible Image File Execution Options Injection | HIPAA 164.308(a)(5)(ii)(B) | T1574, T1546, T1112 |
Registry Event: Possible Service Modification | HIPAA 164.308(a)(5)(ii)(B) | T1112 |
Registry Event: Possible SIP and Trust Provider Hijacking | HIPAA 164.308(a)(5)(ii)(B) | T1553, T1112 |
Registry Event: Possible UAC Bypass | HIPAA 164.308(a)(5)(ii)(B) | T1548, T1112 |
Security Group Management: Global Group Modified | N/A | N/A |
Security Group Management: Local Group Modified | N/A | N/A |
Security Group Management: Members Modified in Global Group | N/A | N/A |
Security Group Management: Members Modified in Local Group | N/A | N/A |
Security Group Management: Members Modified in Universal Group | N/A | N/A |
Security Group Management: Universal Group Modified | N/A | N/A |
Sysmon: Bash Spawned Process | N/A | T1190 |
Sysmon: Bitsadmin Usage | HIPAA 164.312(b) | T1197 |
Sysmon: Certutil Usage | N/A | T1140 |
Sysmon: Create Remote Thread | N/A | N/A |
Sysmon: Creation of Hidden Folders or Files | HIPAA 164.308(a)(5)(ii)(B) | T1564 |
Sysmon: Driver Loaded with Invalid Signature | N/A | N/A |
Sysmon: Driver Loaded with Valid Signature | N/A | N/A |
Sysmon: Error Occurred | N/A | N/A |
Sysmon: File Create in ProgramData Folder | N/A | N/A |
Sysmon: File Create in Team Folder | N/A | N/A |
Sysmon: File Create in Temp Folder | N/A | N/A |
Sysmon: File Create Stream Hash | N/A | N/A |
Sysmon: Image Loaded | N/A | N/A |
Sysmon: Image Loaded Possible Mimikatz | HIPAA 164.308(a)(5)(ii)(B) | T1036 |
Sysmon: Network Connection | N/A | N/A |
Sysmon: Network Connection to Cryptocurrency Mining Pool | N/A | T1496, T1041 |
Sysmon: Pipe Event: Pipe Connected | N/A | N/A |
Sysmon: Pipe Event: Pipe Created | N/A | N/A |
Sysmon: Possible Application Whitelisting Bypass | HIPAA 164.308(a)(5)(ii)(B) | N/A |
Sysmon: Possible Signed Binary Proxy Execution | HIPAA 164.308(a)(5)(ii)(B) | N/A |
Sysmon: Powershell Spawned from CMD | N/A | T1059 |
Sysmon: Process Access | N/A | N/A |
Sysmon: Process Changed File Creation Time | HIPAA 164.308(a)(5)(ii)(B) | N/A |
Sysmon: Process Creation | N/A | N/A |
Sysmon: Process Terminated | N/A | N/A |
Sysmon: Raw Access Read | N/A | N/A |
Sysmon: Registry Event | N/A | N/A |
Sysmon: Registry Key and Value Rename | N/A | N/A |
Sysmon: Registry Value Modification | N/A | N/A |
Sysmon: Shadow Volume Activity | N/A | N/A |
Sysmon: Sysmon Configuration Change | HIPAA 164.312(b) | N/A |
Sysmon: Sysmon Service State Change | HIPAA 164.312(b) | N/A |
Sysmon: Wmi Event Consumer Bound to Filter Detected | N/A | N/A |
Sysmon: Wmi Event Consumer Detected | N/A | N/A |
Sysmon: Wmi Event Filter Detected | N/A | N/A |
User Account Management: User Account Created | HIPAA 164.308(a)(3)(ii)(A) | T1136 |
User Account Management: User Account Disabled | HIPAA 164.308(a)(3)(ii)(A) | T1531 |
User Account Management: User Account Modified | HIPAA 164.308(a)(3)(ii)(A) | T1531 |
User Account Management: User Account Name Changed | HIPAA 164.308(a)(3)(ii)(A) | N/A |
User: Account was Locked | N/A | T1531, T1562 |
User: Account was Unlocked | N/A | N/A |
Windows Audit: Audit Policy Change | HIPAA 164.312(b) | T1562 |
Windows Audit: System Integrity Issue | HIPAA 164.312(b) | N/A |
ISO 27001

Windows Base Rule Set | Supports Criteria (ISO 27001) | MITRE Criteria |
---|---|---|
Computer Account Management: Computer Account Changed | N/A | N/A |
Computer Account Management: Computer Account Created | N/A | N/A |
Computer Account Management: Computer Account Deleted | N/A | N/A |
File: Possible Accessibility Features Abuse | N/A | T1546, T1485 |
File: Scheduled Tasks Modified | ISO 27001 A.12.2.1 | T1053 |
Host: Possible Lateral Movement Tools | N/A | T1570, T1021 |
Host: Possible Domain Trust Policy Modification | N/A | T1484 |
Host: Suspicious CScript Launch | ISO 27001 A.12.2.1 | N/A |
Host: System Time Changed | ISO 27001 A.12.4.4 | N/A |
Logon: Failed Logon | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1595, T1110 |
Logon: Successful Logon: Batch or Service | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1078 |
Logon: Successful Logon: Elevated Batch or Service | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1078 |
Logon: Successful Logon: Elevated Interactive | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1078 |
Logon: Successful Logon: Elevated Network | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1078 |
Logon: Successful Logon: Elevated Remote Interactive | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1078, T1021 |
Logon: Successful Logon: Interactive | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1078, T1021 |
Logon: Successful Logon: Network | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1078 |
Logon: Successful Logon: Remote Interactive | ISO 27001 A.9.2.5, A.12.2.1, A.12.4.1 | T1078, T1021 |
Network: Firewall Service Stopped | ISO 27001 A.18.2 and A.18.1.4 | T1562 |
Network: Outbound Connection to Non-Standard Port | ISO 27001 A.13.1, A.13.2 | T1048 |
Network: Outbound HTTP | ISO 27001 A.13.1, A.13.2 | N/A |
Network: Outbound HTTPS | ISO 27001 A.13.1, A.13.2 | N/A |
Network: Outbound RDP | ISO 27001 A.13.1, A.13.2 | T1041, T1021 |
Network: Outbound SMTP | ISO 27001 A.13.1, A.13.2 | N/A |
Network: Outbound SSH | ISO 27001 A.13.1, A.13.2 | T1041, T1021 |
Network: Powershell Initiated Connection | ISO 27001 A.13.1.1 | T1059 |
Registry Event: Modification of Registry Run Keys | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1547, T1112 |
Registry Event: Possible Application Shim | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1574, T1546, T1112 |
Registry Event: Possible Code Execution via Assistive Technology Helper | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1112 |
Registry Event: Possible COM Hijacking | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1574, T1546, T1112 |
Registry Event: Possible Default File Association Change | N/A | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via AppCert DLL Registry Key | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Authentication Packages Registry Key | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1556, T1547, T1112 |
Registry Event: Possible DLL Loading via Netsh Helper DLL Registry Key | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Port Monitors Registry Key | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1547, T1112 |
Registry Event: Possible DLL Loading via Time Providers Registry Key | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1547, T1112 |
Registry Event: Possible DLL Loading via WinLogon Helper DLL Registry Keys | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1574, T1547, T1112 |
Registry Event: Possible Image File Execution Options Injection | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1574, T1546, T1112 |
Registry Event: Possible Service Modification | ISO 27001 A.18.2 and A.18.1.4 | T1112 |
Registry Event: Possible SIP and Trust Provider Hijacking | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1553, T1112 |
Registry Event: Possible UAC Bypass | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1548, T1112 |
Security Group Management: Global Group Modified | N/A | N/A |
Security Group Management: Local Group Modified | N/A | N/A |
Security Group Management: Members Modified in Global Group | N/A | N/A |
Security Group Management: Members Modified in Local Group | N/A | N/A |
Security Group Management: Members Modified in Universal Group | N/A | N/A |
Security Group Management: Universal Group Modified | N/A | N/A |
Sysmon: Bash Spawned Process | N/A | T1190 |
Sysmon: Bitsadmin Usage | ISO 27001 A.9.4.4 | T1197 |
Sysmon: Certutil Usage | ISO 27001 A.9.4.4 | T1140 |
Sysmon: Create Remote Thread | N/A | N/A |
Sysmon: Creation of Hidden Folders or Files | ISO 27001 A.12.2.1 | T1564 |
Sysmon: Driver Loaded with Invalid Signature | N/A | N/A |
Sysmon: Driver Loaded with Valid Signature | N/A | N/A |
Sysmon: Error Occurred | N/A | N/A |
Sysmon: File Create in ProgramData Folder | N/A | N/A |
Sysmon: File Create in Team Folder | N/A | N/A |
Sysmon: File Create in Temp Folder | N/A | N/A |
Sysmon: File Create Stream Hash | N/A | N/A |
Sysmon: Image Loaded | N/A | N/A |
Sysmon: Image Loaded Possible Mimikatz | ISO 27001 A.12.2.1 | T1036 |
Sysmon: Network Connection | N/A | N/A |
Sysmon: Network Connection to Cryptocurrency Mining Pool | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | T1496, T1041 |
Sysmon: Pipe Event: Pipe Connected | N/A | N/A |
Sysmon: Pipe Event: Pipe Created | N/A | N/A |
Sysmon: Possible Application Whitelisting Bypass | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | N/A |
Sysmon: Possible Signed Binary Proxy Execution | ISO 27001 A.12.1.2, A.12.2.1 and A.12.5.1 | N/A |
Sysmon: Powershell Spawned from CMD | N/A | T1059 |
Sysmon: Process Access | N/A | N/A |
Sysmon: Process Changed File Creation Time | N/A | N/A |
Sysmon: Process Creation | N/A | N/A |
Sysmon: Process Terminated | N/A | N/A |
Sysmon: Raw Access Read | N/A | N/A |
Sysmon: Registry Event | N/A | N/A |
Sysmon: Registry Key and Value Rename | N/A | N/A |
Sysmon: Registry Value Modification | N/A | N/A |
Sysmon: Shadow Volume Activity | N/A | N/A |
Sysmon: Sysmon Configuration Change | ISO 27001 A.18.2 and A.18.1.4 | N/A |
Sysmon: Sysmon Service State Change | ISO 27001 A.18.2 and A.18.1.4 | N/A |
Sysmon: Wmi Event Consumer Bound to Filter Detected | N/A | N/A |
Sysmon: Wmi Event Consumer Detected | N/A | N/A |
Sysmon: Wmi Event Filter Detected | N/A | N/A |
User Account Management: User Account Created | ISO 27001 A.9.2 | T1136 |
User Account Management: User Account Disabled | ISO 27001 A.9.2 | T1531 |
User Account Management: User Account Modified | ISO 27001 A.9.2 | T1531 |
User Account Management: User Account Name Changed | ISO 27001 A.9.2 | N/A |
User: Account was Locked | N/A | T1531, T1562 |
User: Account was Unlocked | N/A | N/A |
Windows Audit: Audit Policy Change | ISO 27001 A.18.2 and A.18.1.4 | T1562 |
Windows Audit: System Integrity Issue | ISO 27001 A.18.2 and A.18.1.4 | N/A |
MPAA

Windows Base Rule Set | Supports Criteria (MPAA) | MITRE Criteria |
---|---|---|
Computer Account Management: Computer Account Changed | N/A | N/A |
Computer Account Management: Computer Account Created | N/A | N/A |
Computer Account Management: Computer Account Deleted | N/A | N/A |
File: Possible Accessibility Features Abuse | N/A | T1546, T1485 |
File: Scheduled Tasks Modified | MPAA DS-9.3 | T1053 |
Host: Possible Lateral Movement Tools | N/A | T1570, T1021 |
Host: Possible Domain Trust Policy Modification | N/A | T1484 |
Host: Suspicious CScript Launch | MPAA DS-9.3 | N/A |
Host: System Time Changed | N/A | N/A |
Logon: Failed Logon | MPAA DS-3.1 and MPAA DS-3.2 | T1595, T1110 |
Logon: Successful Logon: Batch or Service | MPAA DS-3.1 and MPAA DS-3.2 | T1078 |
Logon: Successful Logon: Elevated Batch or Service | MPAA DS-3.1 and MPAA DS-3.2 | T1078 |
Logon: Successful Logon: Elevated Interactive | MPAA DS-3.1 and MPAA DS-3.2 | T1078 |
Logon: Successful Logon: Elevated Network | MPAA DS-3.1 and MPAA DS-3.2 | T1078 |
Logon: Successful Logon: Elevated Remote Interactive | MPAA DS-3.1 and MPAA DS-3.2 | T1078, T1021 |
Logon: Successful Logon: Interactive | MPAA DS-3.1 and MPAA DS-3.2 | T1078, T1021 |
Logon: Successful Logon: Network | MPAA DS-3.1 and MPAA DS-3.2 | T1078 |
Logon: Successful Logon: Remote Interactive | MPAA DS-3.1 and MPAA DS-3.2 | T1078, T1021 |
Network: Firewall Service Stopped | N/A | T1562 |
Network: Outbound Connection to Non-Standard Port | N/A | T1048 |
Network: Outbound HTTP | N/A | N/A |
Network: Outbound HTTPS | N/A | N/A |
Network: Outbound RDP | N/A | T1041, T1021 |
Network: Outbound SMTP | N/A | N/A |
Network: Outbound SSH | N/A | T1041, T1021 |
Network: Powershell Initiated Connection | N/A | T1059 |
Registry Event: Modification of Registry Run Keys | MPAA DS-9.3 | T1547, T1112 |
Registry Event: Possible Application Shim | MPAA DS-9.3 | T1574, T1546, T1112 |
Registry Event: Possible Code Execution via Assistive Technology Helper | MPAA DS-9.3 | T1112 |
Registry Event: Possible COM Hijacking | MPAA DS-9.3 | T1574, T1546, T1112 |
Registry Event: Possible Default File Association Change | N/A | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via AppCert DLL Registry Key | MPAA DS-9.3 | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Authentication Packages Registry Key | MPAA DS-9.3 | T1556, T1547, T1112 |
Registry Event: Possible DLL Loading via Netsh Helper DLL Registry Key | MPAA DS-9.3 | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Port Monitors Registry Key | MPAA DS-9.3 | T1547, T1112 |
Registry Event: Possible DLL Loading via Time Providers Registry Key | MPAA DS-9.3 | T1547, T1112 |
Registry Event: Possible DLL Loading via WinLogon Helper DLL Registry Keys | MPAA DS-9.3 | T1574, T1547, T1112 |
Registry Event: Possible Image File Execution Options Injection | MPAA DS-9.3 | T1574, T1546, T1112 |
Registry Event: Possible Service Modification | N/A | T1112 |
Registry Event: Possible SIP and Trust Provider Hijacking | MPAA DS-9.3 | T1553, T1112 |
Registry Event: Possible UAC Bypass | MPAA DS-9.3 | T1548, T1112 |
Security Group Management: Global Group Modified | N/A | N/A |
Security Group Management: Local Group Modified | N/A | N/A |
Security Group Management: Members Modified in Global Group | N/A | N/A |
Security Group Management: Members Modified in Local Group | N/A | N/A |
Security Group Management: Members Modified in Universal Group | N/A | N/A |
Security Group Management: Universal Group Modified | N/A | N/A |
Sysmon: Bash Spawned Process | N/A | T1190 |
Sysmon: Bitsadmin Usage | N/A | T1197 |
Sysmon: Certutil Usage | N/A | T1140 |
Sysmon: Create Remote Thread | N/A | N/A |
Sysmon: Creation of Hidden Folders or Files | MPAA DS-9.3 | T1564 |
Sysmon: Driver Loaded with Invalid Signature | N/A | N/A |
Sysmon: Driver Loaded with Valid Signature | N/A | N/A |
Sysmon: Error Occurred | N/A | N/A |
Sysmon: File Create in ProgramData Folder | N/A | N/A |
Sysmon: File Create in Team Folder | N/A | N/A |
Sysmon: File Create in Temp Folder | N/A | N/A |
Sysmon: File Create Stream Hash | N/A | N/A |
Sysmon: Image Loaded | N/A | N/A |
Sysmon: Image Loaded Possible Mimikatz | MPAA DS-9.3 | T1036 |
Sysmon: Network Connection | N/A | N/A |
Sysmon: Network Connection to Cryptocurrency Mining Pool | MPAA DS-9.3 | T1496, T1041 |
Sysmon: Pipe Event: Pipe Connected | N/A | N/A |
Sysmon: Pipe Event: Pipe Created | N/A | N/A |
Sysmon: Possible Application Whitelisting Bypass | MPAA DS-9.3 | N/A |
Sysmon: Possible Signed Binary Proxy Execution | MPAA DS-9.3 | N/A |
Sysmon: Powershell Spawned from CMD | N/A | T1059 |
Sysmon: Process Access | N/A | N/A |
Sysmon: Process Changed File Creation Time | N/A | N/A |
Sysmon: Process Creation | N/A | N/A |
Sysmon: Process Terminated | N/A | N/A |
Sysmon: Raw Access Read | N/A | N/A |
Sysmon: Registry Event | N/A | N/A |
Sysmon: Registry Key and Value Rename | N/A | N/A |
Sysmon: Registry Value Modification | N/A | N/A |
Sysmon: Shadow Volume Activity | N/A | N/A |
Sysmon: Sysmon Configuration Change | N/A | N/A |
Sysmon: Sysmon Service State Change | N/A | N/A |
Sysmon: Wmi Event Consumer Bound to Filter Detected | N/A | N/A |
Sysmon: Wmi Event Consumer Detected | N/A | N/A |
Sysmon: Wmi Event Filter Detected | N/A | N/A |
User Account Management: User Account Created | MPAA DS-3.1 | T1136 |
User Account Management: User Account Disabled | MPAA DS-3.1 | T1531 |
User Account Management: User Account Modified | MPAA DS-3.1 | T1531 |
User Account Management: User Account Name Changed | MPAA DS-3.1 | N/A |
User: Account was Locked | N/A | T1531, T1562 |
User: Account was Unlocked | N/A | N/A |
Windows Audit: Audit Policy Change | N/A | T1562 |
Windows Audit: System Integrity Issue | N/A | N/A |
PCI

Windows Base Rule Set | Supports Criteria (PCI) | MITRE Criteria |
---|---|---|
Computer Account Management: Computer Account Changed | PCI 10.2, 10.3 | N/A |
Computer Account Management: Computer Account Created | PCI 10.2, 10.3 | N/A |
Computer Account Management: Computer Account Deleted | PCI 10.2, 10.3 | N/A |
File: Possible Accessibility Features Abuse | N/A | T1546, T1485 |
File: Scheduled Tasks Modified | PCI 11.5 | T1053 |
Host: Possible Lateral Movement Tools | PCI 11.5 | T1570, T1021 |
Host: Possible Domain Trust Policy Modification | N/A | T1484 |
Host: Suspicious CScript Launch | PCI 11.5 | N/A |
Host: System Time Changed | PCI 10.4 | N/A |
Logon: Failed Logon | PCI 10.2, 10.3, and 11.4 | T1595, T1110 |
Logon: Successful Logon: Batch or Service | PCI 10.2, 10.3, and 11.4 | T1078 |
Logon: Successful Logon: Elevated Batch or Service | PCI 10.2, 10.3, and 11.4 | T1078 |
Logon: Successful Logon: Elevated Interactive | PCI 10.2, 10.3, and 11.4 | T1078 |
Logon: Successful Logon: Elevated Network | PCI 10.2, 10.3, and 11.4 | T1078 |
Logon: Successful Logon: Elevated Remote Interactive | PCI 10.2, 10.3, and 11.4 | T1078, T1021 |
Logon: Successful Logon: Interactive | PCI 10.2, 10.3, and 11.4 | T1078, T1021 |
Logon: Successful Logon: Network | PCI 10.2, 10.3, and 11.4 | T1078 |
Logon: Successful Logon: Remote Interactive | PCI 10.2, 10.3, and 11.4 | T1078, T1021 |
Network: Firewall Service Stopped | PCI 10.2, 10.3 | T1562 |
Network: Outbound Connection to Non-Standard Port | PCI 11.4 | T1048 |
Network: Outbound HTTP | PCI 11.4 | N/A |
Network: Outbound HTTPS | PCI 11.4 | N/A |
Network: Outbound RDP | PCI 11.4 | T1041, T1021 |
Network: Outbound SMTP | PCI 11.4 | N/A |
Network: Outbound SSH | PCI 11.4 | T1041, T1021 |
Network: Powershell Initiated Connection | PCI 11.4 | T1059 |
Registry Event: Modification of Registry Run Keys | PCI 11.5 | T1547, T1112 |
Registry Event: Possible Application Shim | PCI 11.5 | T1574, T1546, T1112 |
Registry Event: Possible Code Execution via Assistive Technology Helper | PCI 11.5 | T1112 |
Registry Event: Possible COM Hijacking | PCI 11.5 | T1574, T1546, T1112 |
Registry Event: Possible Default File Association Change | PCI 10.2, 10.3 | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via AppCert DLL Registry Key | PCI 11.5 | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Authentication Packages Registry Key | PCI 11.5 | T1556, T1547, T1112 |
Registry Event: Possible DLL Loading via Netsh Helper DLL Registry Key | PCI 11.5 | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Port Monitors Registry Key | PCI 11.5 | T1547, T1112 |
Registry Event: Possible DLL Loading via Time Providers Registry Key | PCI 11.5 | T1547, T1112 |
Registry Event: Possible DLL Loading via WinLogon Helper DLL Registry Keys | PCI 11.5 | T1574, T1547, T1112 |
Registry Event: Possible Image File Execution Options Injection | PCI 11.5 | T1574, T1546, T1112 |
Registry Event: Possible Service Modification | PCI 11.5 | T1112 |
Registry Event: Possible SIP and Trust Provider Hijacking | PCI 11.5 | T1553, T1112 |
Registry Event: Possible UAC Bypass | PCI 11.5 | T1548, T1112 |
Security Group Management: Global Group Modified | N/A | N/A |
Security Group Management: Local Group Modified | N/A | N/A |
Security Group Management: Members Modified in Global Group | N/A | N/A |
Security Group Management: Members Modified in Local Group | N/A | N/A |
Security Group Management: Members Modified in Universal Group | N/A | N/A |
Security Group Management: Universal Group Modified | N/A | N/A |
Sysmon: Bash Spawned Process | PCI 10.2, 10.3 | T1190 |
Sysmon: Bitsadmin Usage | PCI 10.6 | T1197 |
Sysmon: Certutil Usage | PCI 10.6 | T1140 |
Sysmon: Create Remote Thread | PCI 10.2, 10.3 | N/A |
Sysmon: Creation of Hidden Folders or Files | N/A | T1564 |
Sysmon: Driver Loaded with Invalid Signature | PCI 10.6 | N/A |
Sysmon: Driver Loaded with Valid Signature | N/A | N/A |
Sysmon: Error Occurred | N/A | N/A |
Sysmon: File Create in ProgramData Folder | PCI 11.5 | N/A |
Sysmon: File Create in Team Folder | PCI 11.5 | N/A |
Sysmon: File Create in Temp Folder | PCI 11.5 | N/A |
Sysmon: File Create Stream Hash | PCI 11.5 | N/A |
Sysmon: Image Loaded | N/A | N/A |
Sysmon: Image Loaded Possible Mimikatz | PCI 10.6 | T1036 |
Sysmon: Network Connection | PCI 11.4 | N/A |
Sysmon: Network Connection to Cryptocurrency Mining Pool | PCI 11.4 | T1496, T1041 |
Sysmon: Pipe Event: Pipe Connected | N/A | N/A |
Sysmon: Pipe Event: Pipe Created | N/A | N/A |
Sysmon: Possible Application Whitelisting Bypass | PCI 11.5 | N/A |
Sysmon: Possible Signed Binary Proxy Execution | PCI 11.5 | N/A |
Sysmon: Powershell Spawned from CMD | N/A | T1059 |
Sysmon: Process Access | N/A | N/A |
Sysmon: Process Changed File Creation Time | N/A | N/A |
Sysmon: Process Creation | N/A | N/A |
Sysmon: Process Terminated | N/A | N/A |
Sysmon: Raw Access Read | N/A | N/A |
Sysmon: Registry Event | N/A | N/A |
Sysmon: Registry Key and Value Rename | N/A | N/A |
Sysmon: Registry Value Modification | N/A | N/A |
Sysmon: Shadow Volume Activity | N/A | N/A |
Sysmon: Sysmon Configuration Change | N/A | N/A |
Sysmon: Sysmon Service State Change | N/A | N/A |
Sysmon: Wmi Event Consumer Bound to Filter Detected | N/A | N/A |
Sysmon: Wmi Event Consumer Detected | N/A | N/A |
Sysmon: Wmi Event Filter Detected | N/A | N/A |
User Account Management: User Account Created | PCI 10.2, 10.3 | T1136 |
User Account Management: User Account Disabled | PCI 10.2, 10.3 | T1531 |
User Account Management: User Account Modified | PCI 10.2, 10.3 | T1531 |
User Account Management: User Account Name Changed | PCI 10.2, 10.3 | N/A |
User: Account was Locked | N/A | T1531, T1562 |
User: Account was Unlocked | N/A | N/A |
Windows Audit: Audit Policy Change | PCI 10.2, 10.3 | T1562 |
Windows Audit: System Integrity Issue | PCI 10.2, 10.3 | N/A |
SOC2 2018

Windows Base Rule Set | Supports Criteria (SOC2 2018) | MITRE Criteria |
---|---|---|
Computer Account Management: Computer Account Changed | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
Computer Account Management: Computer Account Created | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
Computer Account Management: Computer Account Deleted | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
File: Possible Accessibility Features Abuse | N/A | T1546, T1485 |
File: Scheduled Tasks Modified | N/A | T1053 |
Host: Possible Lateral Movement Tools | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1570, T1021 |
Host: Possible Domain Trust Policy Modification | N/A | T1484 |
Host: Suspicious CScript Launch | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
Host: System Time Changed | SOC-2 (CC 3.4) | N/A |
Logon: Failed Logon | SOC-2 (CC 4.1, 6.1, 6.3, and 6.6) | T1595, T1110 |
Logon: Successful Logon: Batch or Service | SOC-2 (CC 6.1) | T1078 |
Logon: Successful Logon: Elevated Batch or Service | SOC-2 (CC 4.1, 6.1, 6.3, and 6.6) | T1078 |
Logon: Successful Logon: Elevated Interactive | SOC-2 (CC 4.1, 6.1, 6.3, and 6.6) | T1078 |
Logon: Successful Logon: Elevated Network | SOC-2 (CC 4.1, 6.1, 6.3, and 6.6) | T1078 |
Logon: Successful Logon: Elevated Remote Interactive | SOC-2 (CC 4.1, 6.1, 6.3, and 6.6) | T1078, T1021 |
Logon: Successful Logon: Interactive | SOC-2 (CC 6.1) | T1078, T1021 |
Logon: Successful Logon: Network | SOC-2 (CC 6.1) | T1078 |
Logon: Successful Logon: Remote Interactive | SOC-2 (CC 6.1) | T1078, T1021 |
Network: Firewall Service Stopped | N/A | T1562 |
Network: Outbound Connection to Non-Standard Port | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) | T1048 |
Network: Outbound HTTP | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) | N/A |
Network: Outbound HTTPS | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) | N/A |
Network: Outbound RDP | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) | T1041, T1021 |
Network: Outbound SMTP | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) | N/A |
Network: Outbound SSH | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) | T1041, T1021 |
Network: Powershell Initiated Connection | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) | T1059 |
Registry Event: Modification of Registry Run Keys | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1547, T1112 |
Registry Event: Possible Application Shim | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1574, T1546, T1112 |
Registry Event: Possible Code Execution via Assistive Technology Helper | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1112 |
Registry Event: Possible COM Hijacking | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1574, T1546, T1112 |
Registry Event: Possible Default File Association Change | N/A | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via AppCert DLL Registry Key | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Authentication Packages Registry Key | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1556, T1547, T1112 |
Registry Event: Possible DLL Loading via Netsh Helper DLL Registry Key | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1574, T1546, T1112 |
Registry Event: Possible DLL Loading via Port Monitors Registry Key | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1547, T1112 |
Registry Event: Possible DLL Loading via Time Providers Registry Key | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1547, T1112 |
Registry Event: Possible DLL Loading via WinLogon Helper DLL Registry Keys | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1574, T1547, T1112 |
Registry Event: Possible Image File Execution Options Injection | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1574, T1546, T1112 |
Registry Event: Possible Service Modification | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1112 |
Registry Event: Possible SIP and Trust Provider Hijacking | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1553, T1112 |
Registry Event: Possible UAC Bypass | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1548, T1112 |
Security Group Management: Global Group Modified | N/A | N/A |
Security Group Management: Local Group Modified | N/A | N/A |
Security Group Management: Members Modified in Global Group | N/A | N/A |
Security Group Management: Members Modified in Local Group | N/A | N/A |
Security Group Management: Members Modified in Universal Group | N/A | N/A |
Security Group Management: Universal Group Modified | N/A | N/A |
Sysmon: Bash Spawned Process | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) | T1190 |
Sysmon: Bitsadmin Usage | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) | T1197 |
Sysmon: Certutil Usage | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) | T1140 |
Sysmon: Create Remote Thread | N/A | N/A |
Sysmon: Creation of Hidden Folders or Files | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1564 |
Sysmon: Driver Loaded with Invalid Signature | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) | N/A |
Sysmon: Driver Loaded with Valid Signature | N/A | N/A |
Sysmon: Error Occurred | N/A | N/A |
Sysmon: File Create in ProgramData Folder | N/A | N/A |
Sysmon: File Create in Team Folder | N/A | N/A |
Sysmon: File Create in Temp Folder | N/A | N/A |
Sysmon: File Create Stream Hash | N/A | N/A |
Sysmon: Image Loaded | N/A | N/A |
Sysmon: Image Loaded Possible Mimikatz | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1036 |
Sysmon: Network Connection | N/A | N/A |
Sysmon: Network Connection to Cryptocurrency Mining Pool | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) | T1496, T1041 |
Sysmon: Pipe Event: Pipe Connected | N/A | N/A |
Sysmon: Pipe Event: Pipe Created | N/A | N/A |
Sysmon: Possible Application Whitelisting Bypass | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
Sysmon: Possible Signed Binary Proxy Execution | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
Sysmon: Powershell Spawned from CMD | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) | T1059 |
Sysmon: Process Access | N/A | N/A |
Sysmon: Process Changed File Creation Time | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
Sysmon: Process Creation | N/A | N/A |
Sysmon: Process Terminated | N/A | N/A |
Sysmon: Raw Access Read | N/A | N/A |
Sysmon: Registry Event | N/A | N/A |
Sysmon: Registry Key and Value Rename | N/A | N/A |
Sysmon: Registry Value Modification | N/A | N/A |
Sysmon: Shadow Volume Activity | N/A | N/A |
Sysmon: Sysmon Configuration Change | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
Sysmon: Sysmon Service State Change | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
Sysmon: Wmi Event Consumer Bound to Filter Detected | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) | N/A |
Sysmon: Wmi Event Consumer Detected | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) | N/A |
Sysmon: Wmi Event Filter Detected | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) | N/A |
User Account Management: User Account Created | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1136 |
User Account Management: User Account Disabled | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1531 |
User Account Management: User Account Modified | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1531 |
User Account Management: User Account Name Changed | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
User: Account was Locked | N/A | T1531, T1562 |
User: Account was Unlocked | N/A | N/A |
Windows Audit: Audit Policy Change | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1562 |
Windows Audit: System Integrity Issue | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
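The five tables above share one layout, which makes it straightforward to turn them into a lookup the other way round. The following Python script is an added example, not F5's code and not part of this documentation: it parses rows in the page's pipe-delimited format, indexes rules by ATT&CK technique and by criteria cell, and lists rules that carry no mapping in either column. The sample rows embedded in it are copied from the HIPAA table; paste a complete table into SAMPLE_MATRIX to run it over a whole ruleset.

```python
"""Invert a Distributed Cloud AIP compliance matrix table.

Added example, not part of the F5 documentation: it parses the pipe-delimited
rows in the format used on this page and answers three questions a reviewer
of a ruleset asks: which rules detect a given ATT&CK technique, which rules
support a given criteria cell, and which rules carry no mapping at all.
"""
import re
from collections import defaultdict

# Constructed sample input: a handful of rows copied from the HIPAA table, in
# the same layout the page uses. Paste a whole table here to run it for real.
SAMPLE_MATRIX = """\
Windows Base Rule Set | Supports Criteria | MITRE Criteria |
---|---|---|
Logon: Failed Logon | HIPAA 164.308(a)(5)(ii)(C) | T1595, T1110 |
Network: Outbound SSH | HIPAA 164.312(b) | T1041, T1021 |
Registry Event: Possible UAC Bypass | HIPAA 164.308(a)(5)(ii)(B) | T1548, T1112 |
Sysmon: Create Remote Thread | N/A | N/A |
Windows Audit: Audit Policy Change | HIPAA 164.312(b) | T1562 |
"""

# ATT&CK technique IDs, with an optional sub-technique suffix (e.g. T1546.008).
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def parse_matrix(text):
    """Return a list of (rule, criteria, techniques) tuples.

    criteria is the raw 'Supports Criteria' cell, or '' for N/A; techniques is
    a sorted list of technique IDs found in the MITRE cell, or [] for N/A.
    The header row and the ---|---|--- separator row are skipped.
    """
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue  # blank line or not a table row
        rule, criteria, mitre = cells[0], cells[1], cells[2]
        if rule == "Windows Base Rule Set" or set(rule) <= {"-"}:
            continue  # header or separator row
        crit = "" if criteria.upper() == "N/A" else criteria
        techs = sorted(set(TECHNIQUE_RE.findall(mitre)))
        rows.append((rule, crit, techs))
    return rows


def rules_by_technique(rows):
    """Map each ATT&CK technique ID to the rules that reference it."""
    index = defaultdict(list)
    for rule, _, techs in rows:
        for tech in techs:
            index[tech].append(rule)
    return dict(index)


def rules_by_criteria(rows):
    """Map each distinct criteria cell to the rules that support it.

    The cell is kept verbatim because the page mixes formats
    ('HIPAA 164.312(b)', 'PCI 10.2, 10.3, and 11.4', 'SOC-2 (CC 6.1)').
    """
    index = defaultdict(list)
    for rule, crit, _ in rows:
        if crit:
            index[crit].append(rule)
    return dict(index)


def unmapped_rules(rows):
    """Rules that support no criterion and map to no technique: review these
    before relying on the ruleset as compliance evidence."""
    return [rule for rule, crit, techs in rows if not crit and not techs]


def coverage_summary(rows):
    """Counts used to compare one compliance ruleset against another."""
    return {
        "rules": len(rows),
        "with_criteria": sum(1 for _, crit, _ in rows if crit),
        "with_technique": sum(1 for _, _, techs in rows if techs),
        "unmapped": len(unmapped_rules(rows)),
    }


if __name__ == "__main__":
    parsed = parse_matrix(SAMPLE_MATRIX)
    print(coverage_summary(parsed))
    for tech, rules in sorted(rules_by_technique(parsed).items()):
        print(f"{tech}: {', '.join(rules)}")
    print("unmapped:", unmapped_rules(parsed))
```

Rules that come out as unmapped (in the tables above, mostly the raw Sysmon event rules such as Process Creation or Registry Event) are still useful telemetry, but they will not appear as evidence for any framework, which is worth knowing before you decide which ruleset to enable and which alerts to route to an auditor-facing report.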