Detecting suspicious windows behavior

[OlexTratisky]

Hello community,

Is there any specific plugin or feature that analyses windows event log and tries to correlate if there is any suspicious activity? For example, try to detect priviledge escalation, brute force attempts, file deletion of critical files, exfiltration etc.

I am currently adding the winlogbeat to SO but cant see any alarms for windows events that might be attacks

Thank you
Olex

[dougburks]

You can use Playbook to enable Sigma rules or write your own detections.