Network threat detection¶

SMB/NetBIOS auditing¶

Logs lateral movement via:

• NetSessionEnum (detects BloodHound reconnaissance)

• DsGetDCName (flags Golden Ticket attacks)

Critical for Active Directory environments.

Enable:

auditpol /set /subcategory:"Network Share" /success:enable /failure:enable

RDP/Suspicious Port Monitoring¶

Alerts on:

• Unexpected RDP connections (Event ID 4624)

• High-volume SMB traffic (potential ransomware)

Tools:

• Azure Sentinel (cloud-native SIEM)

• Zeek (for network metadata)