Windows Content Pack

Overview

Monitoring your Windows devices is a critical part of ensuring environment security. Windows events can be monitored to confirm expected behaviour, such as services functioning properly, and to detect threats such as suspicious activity involving high-value hosts, signs of data exfiltration, and even copyright infringement. The Windows content pack focuses on these specific events and highlights them for immediate investigation and timely resolution.

Content Pack Components

Alarms

Warn about external devices being connected to high-risk hosts.

  • Windows - High Value Host External Media Activity

Reports

Designed to give a general overview of specific Windows events.

  • Windows - System and Service Failure Report

Views

Provide more detail on service failures and expand on where they originate.

  • Windows System and Service Failures
  • Windows External Media Activity
  • Windows Application Failures
  • Applocker EXE and DLL Events
  • Applocker MSI and Script Events
  • Applocker Packaged App Events
  • Applocker Overview

Correlation Rules

Designed to fire when multiple failures occur or when malicious activity and failures have been detected in the same time frame.

  • Windows - System or Service Failures on a Single Host
  • Windows - System or Service Failure with Malicious Activity
  • Windows - Application Crashes or Hangs on a Single Host
  • Windows - Application Crashes or Hangs on Multiple Hosts
  • Windows - BSoD System Crashes on Multiple Hosts
  • Windows - BSoD System Crashes on a Single Host
  • Windows - Multiple Failed EXE or DLL Applocker Events - Multiple Hosts
  • Windows - Multiple Failed EXE or DLL Applocker Events - Single Host
  • Windows - Multiple Failed MSI or Script Applocker Events - Multiple Hosts
  • Windows - Multiple Failed MSI or Script Applocker Events - Single Host
  • Windows - Multiple Failed Packaged App Applocker Events - Multiple Hosts
  • Windows - Multiple Failed Packaged App Applocker Events - Single Host

Watchlists

Provide the capability to warn when high-risk hosts have external media connected to them.

  • High-Value Hosts

Required Products

  • McAfee Enterprise Security Manager (ESM) 10.0.x, 9.6.x, 9.5.x
  • McAfee Advanced Correlation Engine (ACE) 10.0.x, 9.6.x, 9.5.x
  • At least one Microsoft Windows Event Log - WMI data source added to the McAfee Enterprise Security Manager.
  • To use the AppLocker-specific components, AppLocker must be deployed in your environment.

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.