Windows Ruleset Compliance Matrix

Threat Stack provides the Base Rule Set to help you get started on your Windows server security journey. We recognize that the Base Rule Set may not meet your organization's specific needs and so we created alternate compliance rulesets based on:

  • HIPAA
  • ISO 27001
  • MPAA
  • PCI
  • SOC2

To help clarify how these other compliance rule sets compare to the Base Rule Set, we created comparison charts for each compliance rule set.

HIPAA

Windows Base Rule Set | Supports Criteria
Computer Account Management: Computer Account Changed | HIPAA 164.308(a)(3)(ii)(A)
Computer Account Management: Computer Account Created | HIPAA 164.308(a)(3)(ii)(A)
Computer Account Management: Computer Account Deleted | HIPAA 164.308(a)(3)(ii)(A)
File: Scheduled Tasks Modified | N/A
Host: Possible Lateral Movement Tools | HIPAA 164.308(a)(5)(ii)(B)
Host: Suspicious CScript Launch | HIPAA 164.308(a)(5)(ii)(B)
Host: System Time Changed | N/A
Logon: Failed Logon | HIPAA 164.308(a)(5)(ii)(C)
Logon: Successful Logon: Batch or Service | HIPAA 164.308(a)(5)(ii)(C)
Logon: Successful Logon: Elevated Batch or Service | HIPAA 164.308(a)(5)(ii)(C)
Logon: Successful Logon: Elevated Interactive | HIPAA 164.308(a)(5)(ii)(C)
Logon: Successful Logon: Elevated Network | HIPAA 164.308(a)(5)(ii)(C)
Logon: Successful Logon: Elevated Remote Interactive | HIPAA 164.308(a)(5)(ii)(C)
Logon: Successful Logon: Interactive | HIPAA 164.308(a)(5)(ii)(C)
Logon: Successful Logon: Network | HIPAA 164.308(a)(5)(ii)(C)
Logon: Successful Logon: Remote Interactive | HIPAA 164.308(a)(5)(ii)(C)
Network: Firewall Service Stopped | HIPAA 164.308(a)(5)(ii)(B)
Network: Outbound Connection to Non-Standard Port | HIPAA 164.312(b)
Network: Outbound DNS | HIPAA 164.312(b)
Network: Outbound HTTP | HIPAA 164.312(b)
Network: Outbound HTTPS | HIPAA 164.312(b)
Network: Outbound RDP | HIPAA 164.312(b)
Network: Outbound SMTP | HIPAA 164.312(b)
Network: Outbound SSH | HIPAA 164.312(b)
Network: Powershell Initiated Connection | HIPAA 164.312(b)
Registry Event: Modification of Registry Run Keys | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible Accessibility Features Abuse | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible Application Shim | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible Code Execution via Assistive Technology Helper | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible COM Hijacking | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible Default File Association Change | N/A
Registry Event: Possible DLL Loading via AppCert DLL Registry Key | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible DLL Loading via Authentication Packages Registry Key | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible DLL Loading via Netsh Helper DLL Registry Key | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible DLL Loading via Port Monitors Registry Key | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible DLL Loading via Time Providers Registry Key | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible DLL Loading via WinLogon Helper DLL Registry Keys | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible Image File Execution Options Injection | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible Service Modification | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible SIP and Trust Provider Hijacking | HIPAA 164.308(a)(5)(ii)(B)
Registry Event: Possible UAC Bypass | HIPAA 164.308(a)(5)(ii)(B)
Sysmon: Bash Spawned Process | N/A
Sysmon: Bitsadmin Usage | HIPAA 164.312(b)
Sysmon: Certutil Usage | N/A
Sysmon: Create Remote Thread | N/A
Sysmon: Creation of Hidden Folders or Files | HIPAA 164.308(a)(5)(ii)(B)
Sysmon: Driver Loaded with Invalid Signature | N/A
Sysmon: Driver Loaded with Valid Signature | N/A
Sysmon: Error Occurred | N/A
Sysmon: File Create in ProgramData Folder | N/A
Sysmon: File Create in Team Folder | N/A
Sysmon: File Create in Temp Folder | N/A
Sysmon: File Create Stream Hash | N/A
Sysmon: Image Loaded | N/A
Sysmon: Image Loaded Possible Mimikatz | HIPAA 164.308(a)(5)(ii)(B)
Sysmon: Network Connection | N/A
Sysmon: Network Connection to Cryptocurrency Mining Pool | N/A
Sysmon: Pipe Event: Pipe Connected | N/A
Sysmon: Pipe Event: Pipe Created | N/A
Sysmon: Possible Application Whitelisting Bypass | HIPAA 164.308(a)(5)(ii)(B)
Sysmon: Possible Signed Binary Proxy Execution | HIPAA 164.308(a)(5)(ii)(B)
Sysmon: Powershell Spawned from CMD | N/A
Sysmon: Process Access | N/A
Sysmon: Process Changed File Creation Time | HIPAA 164.308(a)(5)(ii)(B)
Sysmon: Process Creation | N/A
Sysmon: Process Terminated | N/A
Sysmon: Raw Access Read | N/A
Sysmon: Registry Event | N/A
Sysmon: Registry Key and Value Rename | N/A
Sysmon: Registry Value Modification | N/A
Sysmon: Sysmon Configuration Change | HIPAA 164.312(b)
Sysmon: Sysmon Service State Change | HIPAA 164.312(b)
Sysmon: Wmi Event Consumer Bound to Filter Detected | N/A
Sysmon: Wmi Event Consumer Detected | N/A
Sysmon: Wmi Event Filter Detected | N/A
User Account Management: User Account Created | HIPAA 164.308(a)(3)(ii)(A)
User Account Management: User Account Modified | HIPAA 164.308(a)(3)(ii)(A)
User Account Management: User Account Disabled | HIPAA 164.308(a)(3)(ii)(A)
User Account Management: User Account Name Changed | HIPAA 164.308(a)(3)(ii)(A)
Windows Audit: Audit Policy Change | HIPAA 164.312(b)
Windows Audit: System Integrity Issue | HIPAA 164.312(b)