/
Event Sets for Integration Alerting

Event Sets for Integration Alerting

Owned by Ryan Seymour, created
Last updated: Feb 26, 2025
7 min read

In ConnectSecure, Event Sets are the predefined events that can trigger alerts in the supported integrations. Categories organize them and can be enabled with a simple checkbox.

Event Sets are hard-coded and can not be modified or removed from the system.

Event Set - Table of Contents

Event Set - Details

You will find the Event Set options listed under the integration details.

Not all supported ones are shown, so check your specific integration for the Event Set and Integration Rules options.

image-20240607-190051.png

You will not see the Event Set options until you have provided the credentials for the selected integration.

image-20250226-141338.png

Events by Category

Event Set categories include:

System Changes, Problems, Solutions, Entra ID Audit, Entra ID Error, AD Audit, Job Failed, and Certificate Expire in 30 Days.

Below is a breakdown of each category and the available 'events' you can monitor for each.

System Changes

Event

Description

Event

Description

New Company Created

A new company is created in the ConnectSecure portal, using local or PSA options.

New Asset Added

A new asset is added to the All Asset section; this can happen when agents are installed or assets are detected by probe scanning.

New Open Port Discovered (Probe Scan)

A new port is discovered on an internal asset during a probe scan; port discovery and scanning are only done by a Probe agent.

New Open Port Discovered (External Scan)

A new open port is discovered during an external scan; it requires

Probe Went Down

The probe agent is offline and can not be reached

Server Agent Went Down

Any agent (probe or lightweight) that is a ‘Server’ identified by its operating system is offline and can not be reached.

Problems

Event

Description

Event

Description

CISA Vulnerabilities Found

Vulnerabilities found that are published by CISA

Known Exploited Vulnerabilities Catalog | CISA

Critical Severity Vulnerabilities Found

Vulnerabilities found with a critical severity as found in the CVSS Base Score

High Severity Vulnerabilities Found

Vulnerabilities found with a critical severity as found in the CVSS Base Score

Medium Severity Vulnerabilities Found

Vulnerabilities found with a critical severity as found in the CVSS Base Score

Remote Login Vulnerabilities Found

Problems related to remote login or remote access problems; IE: RDP-NTLM

SMB Vulnerabilities Found

Problems related to the SMB protocol; IE: SMB_Signing

SSL/TLS Vulnerabilities Found

Problems related to SSL/TLS certificates and ciphers; IE: TLSv1.1, Sweet32, SSL_Heartbleed

Unquoted Service Path Found

Windows-based vulnerability for improperly formatted or unquoted file paths when defining the executable path; IE: C:\Program Files\My Service\service.exe

Vulnerabilities Found During External Scan

Vulnerabilities found during an external scan; refer to your External Assets for configuration and results.

Vulnerabilities Found With EPSS Score > 95

Vulnerability is found where the EPSS score is equal to or above 95% exploitability.

Solutions

  • Application Baseline Plans Available

  • Remediation Available

  • Remediation Found with EPSS >=0.95

  • Remediation Found with EPSS 0.9 and 0.95

  • Remediation Found With EPSS between 0.85 and 0.9

  • Remediation Found with EPSS between 0 and 0.85

  • Pending Remediations Found with Critical Severity

  • Pending Remediations Found with High Severity

  • Pending Remediations Found with Medium Severity

  • Pending Remediations Found with Low Severity

Entra ID Audit

  • A member was added to a security-disabled universal group

  • A member was added to a security-enabled universal group (AzureAD)

  • A member was removed from a security-disabled universal group (AzureAD)

  • A member was removed from a security-enabled universal group (AzureAD)

Entra ID Error

  • Entra ID Sync Failure

  • Azure Token Expired Error

AD Audit

  • A directory service object was created (Success)

  • A directory service object was deleted (Success)

  • A directory service object was moved (Success)

  • A group service object was modified (Success)

  • A logon was attempted using explicit credentials (Success)

  • A member was added to a security-disabled global group

  • A member was added to a security-disabled local group

  • A member was added to a security-disabled universal group

  • A member was added to a security-enabled global group

  • A member was added to a security-enabled local group

  • A member was added to a security-enabled universal group

  • A member was removed from a security-disabled global group

  • A member was removed from a security-disabled local group

  • A member was removed from a security-disabled universal group

  • A member was removed from a security-enabled global group

  • A member was removed from a security-enabled local group

  • A member was removed from a security-enabled universal group

  • A network share object was accessed

  • A request was made to authenticate to a wired network (Success/Failure)

  • A request was made to authenticate to a wireless network (Success/Failure)

  • A risky sign-in attempt made (Success)

  • A security-disabled global group was created

  • A security-disabled global group was deleted

  • A security-disabled local group was created

  • A security-disabled local group was deleted

  • A security-disabled universal group was created

  • A security-disabled universal group was deleted

  • A security-enabled global group was created

  • A security-enabled global group was deleted

  • A security-enabled local group was created

  • A security-enabled local group was deleted

  • A security-enabled universal group was changed

  • A security-enabled universal group was created

  • A security-enabled universal group was deleted

  • A session was disconnected from a Windows Station (Success)

  • A session was reconnected to a Windows Station (Success)

  • A user Account was created

  • A user Account was deleted

  • A user Account was disabled

  • A user account was enabled

  • A user account was locked out

  • A user account was unlocked

  • A user-initiated logoff (Success)

  • An attempt was made to change an Account's password

  • An attempt was made to create a hard link

  • An attempt was made to reset an Account's password

  • Computer Account was created

  • Computer Account was deleted

  • Login Failure

  • Login Success

  • System security access was granted to an Account (Success)

  • The domain controller failed to validate the credentials for an Account

  • The name of an Account was changed

  • The requested credentials delegation was disallowed by policy (Failed)

  • The workstation was locked (Success)

  • The workstation was unlocked (Success)

Job Failed

  • Scheduler Patch Job Failed

  • Scheduler Report Job Failed

Certificate Expires in 30 Days

  • Certificate expires in 30 Days

Microsoft 365 Assessment

  • Administrative Users with No Multi-Factor Authentication Enforced

  • Applications Registered to Tenant with Certificate Credentials

  • Applications Registered to Tenant with Client Secret (Password) Credentials

  • Azure PowerShell Service Principal Assignment Not Enforced

  • Azure PowerShell Service Principal Configuration Missing

  • Basic Authentication is Enabled

  • Common Malicious Attachment Extensions are Not Filtered

  • Conditional Access Policies

  • Conditional Access Policies - Device Platforms

  • Dangerous Application Permissions Found

  • Dangerous Attachment Extensions are Not Filtered

  • Dangerous Default Permissions

  • Directory Synced Users Found in Admin Roles

  • Do Not Bypass the Safe Attachments Filter

  • Do Not Bypass the Safe Links Feature

  • Exchange Mailboxes with IMAP Enabled

  • Exchange Mailboxes with POP Enabled

  • Exchange Online Mailboxes with SMTP Authentication Enabled

  • Exchange Modern Authentication is Not Enabled

  • External Sender Message Tagging Not Enabled

  • Highly Privileged Hidden Role Assignment Found

  • Mailboxes without Mailbox Auditing Enabled

  • Mailbox Auditing Should be Enabled at Tenant Level

  • Malware Filter Policies Don't Alert for Internal Users Sending Malware

  • MFA Not Required for Device Registration

  • MFA Not Required for Security Information Registration

  • Microsoft Secure Defaults

  • No Conditional Access Policies Block Risky Sign-in

  • No Conditional Access Policies Mitigate User Risk

  • No Transport Rules to Block Exchange Auto-Forwarding

  • No Transport Rules to Block Executable Attachments

  • No Transport Rules to Block Large Attachments

  • Phish ZAP (Zero-Hour Auto Purge) Not Enabled

  • Safe Attachments Not Enabled

  • Safe Links Click-Through is Allowed

  • Safe Links Does Not Flag Links in Real Time

  • Safe Links for Teams is Not Enabled

  • Safe Links Not Enabled

  • Service Principals Found on Tenant with Certificate Credentials

  • Service Principals Found on Tenant with Client Secret (Password) Credentials

  • SharePoint 'Anyone' Shared Links Never Expire

  • SharePoint External Sharing Enabled (Global)

  • SharePoint External User Resharing Permitted

  • SharePoint Legacy Authentication is Enabled

  • SharePoint Online Modern Authentication is Not Enabled

  • SMTP Authentication not Globally Disabled

  • Spam ZAP (Zero-Hour Auto Purge) Not Enabled

  • Third-Party Applications Allowed

  • Unified Audit Log Search is Not Enabled

  • User consent to OAUTH applications not restricted

  • Users with No MFA Configured

Events Group By Options

When creating an Event Set alert using one of the options above, you can set the ‘Group By’ field to organize the alerts into groups instead of individual alerts. Each category has its own ‘Group By’ options, as shown in the table below.

image-20240607-191449.png

Event Set Category

Group By Options

Filter By Options

Event Set Category

Group By Options

Filter By Options

System Changes

ASSET, COMPANY

 

Problems

OS, PRODUCT, ASSET, COMPANY

OS, APPLICATION, NONE

Solutions

PRODUCT, ASSET, COMPANY, FIX, ASSET AND PRODUCT

OS, APPLICATION, NONE

Entra ID Audit

EVENT, COMPANY

 

Entra ID Error

COMPANY

 

AD Audit

EVENT, COMPANY, USER

 

Job Failed

COMPANY

 

Certificate Expire In 30 Days

ASSET, COMPANY

 

Microsoft 365 Assessment

COMPANY

 

image-20241115-191709.png
Filter By Options

Example Scenarios

Group By OS vs. Filter By OS:

Group By OS: Groups all entries with the same operating system (e.g., Windows 10, Ubuntu 22.04), providing a summarized view per OS.

Filter By OS: Displays only the data matching the selected OS, excluding all others from the results.

Group By Product vs. Filter By Application:

Group By Product: Group data by product category (e.g., Microsoft Office, Adobe Suite), showing all related applications under each product.

Filter By Application: Displays only records related to a specific application only (e.g., Microsoft Word), regardless of the product it belongs to.

Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login

image-20240206-144508.png

 

Related content