What is the Mezmo Windows Security Template?

The Windows Security Template allows you to quickly gain insights into excessive login attempts, audits on cleared logs, or anomalous access patterns. Set up alerts to monitor when unexpected events happen or use our dashboards to get constant visibility into the access patterns of your servers.

📘

Prerequisites

The Windows Security Template requires NXLog to be set up to collect security event logs. Simply uncomment the <Select Path='Security'>*</Select> line in your NXLog config file and restart NXLog to apply changes. See here for more information about our NXLog integration. The Windows Security Template will not work with other integrations such as FluentD.

Included in the Windows Security Template

Views

1. 1102 / Audit log cleared (Recommended to Alert On)
2. 4616 / System time was changed
3. 4624 / Successful account log on
4. 4625 / An account failed to log on
5. 4634 / An account logged off
6. 4720 / User account created
7. 4725 / Disabled account
8. 4740 / Locked account
9. 4946 / Firewall exception added
10. 5025 / Windows Firewall stopped (Recommended to Alert On)

Boards

1. Windows Server Activity
2. Events Count by Channel
3. Failed Logins
4. Successful Logins

Screens

1. Security log events daily and weekly trends
2. Distribution of log events by event id
3. Distribution of log on events by user name
4. Total successful and failed authentications per week
5. Total log events per week

Have any feedback or thoughts on our Template Library? Join our forum and let us know!