Event Sets for Alerting
What is an Event Set?
In ConnectSecure, Event Sets are the predefined events that can trigger alerts in the supported integrations. They are organized into categories, which can be enabled with a simple checkbox.
Event Sets are hard-coded and cannot be modified or removed from the system.
Event Set - Details
Event Sets are listed under the integration tile(s). They are configured ‘globally’ and can be used across any integrations that support Event Set Alerting.
Not all supported integrations are shown, so make sure you check your specific integration for the Event Set and Integration Rules options.
Events by Category
Event Set categories include:
System Changes, Problems, Solutions, Entra ID Audit, Entra ID Error, AD Audit, Job Failed, and Certificate Expire in 30 Days.
Below is a breakdown of each category and the available 'events' you can monitor for each.
System Changes
Event | Description |
---|---|
New Company Created | A new company is created in the ConnectSecure portal, using local or PSA options. |
New Asset Added | A new asset is added to the All Asset section; this can happen when agents are installed or assets are detected by probe scanning. |
New Open Port Discovered (Probe Scan) | A new port is discovered on an internal asset during a probe scan; port discovery and scanning are only done by a Probe agent. |
New Open Port Discovered (External Scan) | A new open port is discovered during an external scan; it requires Company External Assets. |
Probe Went Down | The probe agent is offline and cannot be reached. |
Server Agent Went Down | Any agent (probe or lightweight) that is a ‘Server’ identified by its operating system is offline and cannot be reached. |
Problems
Event | Description |
---|---|
CISA Vulnerabilities Found | Vulnerabilities found that are listed in the CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog |
Critical Severity Vulnerabilities Found | Vulnerabilities found with a critical severity as found in the CVSS Base Score |
High Severity Vulnerabilities Found | Vulnerabilities found with a high severity as found in the CVSS Base Score |
Medium Severity Vulnerabilities Found | Vulnerabilities found with a medium severity as found in the CVSS Base Score |
Remote Login Vulnerabilities Found | Problems related to remote login or remote access; e.g., RDP-NTLM |
SMB Vulnerabilities Found | Problems related to the SMB protocol; e.g., SMB_Signing |
SSL/TLS Vulnerabilities Found | Problems related to SSL/TLS certificates and ciphers; e.g., TLSv1.1, Sweet32, SSL_Heartbleed |
Unquoted Service Path Found | Windows-based vulnerability for improperly formatted or unquoted file paths when defining the executable path; e.g., C:\Program Files\My Service\service.exe |
Vulnerabilities Found During External Scan | Vulnerabilities found during an external scan; refer to your Company External Assets for configuration and results. |
Vulnerabilities Found With EPSS Score > 95 | Vulnerability is found where the EPSS score is equal to or above 95% exploitability. |
Solutions
Application Baseline Plans Available
Remediation Available
Remediation Found with EPSS >=0.95
Remediation Found with EPSS 0.9 and 0.95
Remediation Found With EPSS between 0.85 and 0.9
Remediation Found with EPSS between 0 and 0.85
Pending Remediations Found with Critical Severity
Pending Remediations Found with High Severity
Pending Remediations Found with Medium Severity
Pending Remediations Found with Low Severity
Entra ID Audit
A member was added to a security-disabled universal group
A member was added to a security-enabled universal group (AzureAD)
A member was removed from a security-disabled universal group (AzureAD)
A member was removed from a security-enabled universal group (AzureAD)
Entra ID Error
Entra ID Sync Failure
Azure Token Expired Error
AD Audit
A directory service object was created (Success)
A directory service object was deleted (Success)
A directory service object was moved (Success)
A group service object was modified (Success)
A logon was attempted using explicit credentials (Success)
A member was added to a security-disabled global group
A member was added to a security-disabled local group
A member was added to a security-disabled universal group
A member was added to a security-enabled global group
A member was added to a security-enabled local group
A member was added to a security-enabled universal group
A member was removed from a security-disabled global group
A member was removed from a security-disabled local group
A member was removed from a security-disabled universal group
A member was removed from a security-enabled global group
A member was removed from a security-enabled local group
A member was removed from a security-enabled universal group
A network share object was accessed
A request was made to authenticate to a wired network (Success/Failure)
A request was made to authenticate to a wireless network (Success/Failure)
A risky sign-in attempt made (Success)
A security-disabled global group was created
A security-disabled global group was deleted
A security-disabled local group was created
A security-disabled local group was deleted
A security-disabled universal group was created
A security-disabled universal group was deleted
A security-enabled global group was created
A security-enabled global group was deleted
A security-enabled local group was created
A security-enabled local group was deleted
A security-enabled universal group was changed
A security-enabled universal group was created
A security-enabled universal group was deleted
A session was disconnected from a Windows Station (Success)
A session was reconnected to a Windows Station (Success)
A user Account was created
A user Account was deleted
A user Account was disabled
A user account was enabled
A user account was locked out
A user account was unlocked
A user-initiated logoff (Success)
An attempt was made to change an Account's password
An attempt was made to create a hard link
An attempt was made to reset an Account's password
Computer Account was created
Computer Account was deleted
Login Failure
Login Success
System security access was granted to an Account (Success)
The domain controller failed to validate the credentials for an Account
The name of an Account was changed
The requested credentials delegation was disallowed by policy (Failed)
The workstation was locked (Success)
The workstation was unlocked (Success)
Job Failed
Scheduler Patch Job Failed
Scheduler Report Job Failed
Certificate Expire in 30 Days
Certificate Expire In 30 Days
Events Group By Options
Event Set Category | Group By Options | Filter By Options |
---|---|---|
System Changes | ASSET, COMPANY | |
Problems | OS, PRODUCT, ASSET, COMPANY | OS, APPLICATION, NONE |
Solutions | PRODUCT, ASSET, COMPANY, FIX, ASSET AND PRODUCT | OS, APPLICATION, NONE |
Entra ID Audit | EVENT, COMPANY | |
Entra ID Error | COMPANY | |
AD Audit | EVENT, COMPANY, USER | |
Job Failed | COMPANY | |
Certificate Expire In 30 Days | ASSET, COMPANY | |
Need Support?
Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.
https://cybercns.freshdesk.com/en/support/login