Newbie - where to start?

Hi.  The base install of SEM is in place (maybe 2-3 machines deployed).  We hired a contractor (40 hours) to complete the deploy for our small network (200 Windows PCs, 20 servers - no routers/switches/firewalls).  We have a vuln scanner and Symantec AV.  We are focusing on NIST 800-53 standard monitoring requirements.

Any critical milestones/steps I should ensure he does?  I know we need a connector for the Greenbone vuln scanner.  I can make up arbitrary steps like roll out 20 clients a day / 2 alerts per day, but I want to be efficient with his time and ours.  I tried to do some research on the best alerts.  I attached the whitepaper (summary below).  I think we will end up around 10-12 alerts, but I may be WAY off.

Registry Run keys exploited for persistence
New/changed services
Local account changes
Local group changes
Rights assignments
Scheduled Task changes
WMI Event Subscription
DLL and EXE file system modifications

Please let me know if you need more info.  I appreciate your feedback.  Thank you,
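Added example (not from the post or from SEM): a small Python script that maps the eight alert categories in the whitepaper summary above to the standard Windows event IDs that produce them, runs constructed sample records through those rules, and reports which categories the sample produces no hits for. Useful for checking that a rollout actually covers the list, not only that rules exist; the record layout (plain dicts with channel/id/host/subject/object) and the host and account names are assumptions for illustration.

```python
from collections import defaultdict

# Category (names as in the whitepaper summary) -> (log channel, event IDs).
ALERT_RULES = {
    "Registry Run keys exploited for persistence": ("Security", {4657}),  # needs object-access auditing on the Run keys
    "New/changed services": ("System", {7045}),                          # Service Control Manager: service installed
    "Local account changes": ("Security", {4720, 4722, 4724, 4725, 4726, 4738}),
    "Local group changes": ("Security", {4728, 4729, 4732, 4733, 4756, 4757}),
    "Rights assignments": ("Security", {4704, 4705, 4717, 4718}),
    "Scheduled Task changes": ("Security", {4698, 4699, 4700, 4701, 4702}),
    "WMI Event Subscription": ("Microsoft-Windows-WMI-Activity/Operational", {5861}),
    "DLL and EXE file system modifications": ("Security", {4663}),     # filtered on extension below
}
RUN_KEY = r"\Microsoft\Windows\CurrentVersion\Run"

def classify(events):
    """Return {category: [matching events]} for the records given."""
    hits = defaultdict(list)
    for ev in events:
        for cat, (channel, ids) in ALERT_RULES.items():
            if ev["channel"] != channel or ev["id"] not in ids:
                continue
            obj = ev.get("object", "")
            # 4657 fires for any audited registry value; keep only Run/RunOnce keys
            if cat.startswith("Registry") and RUN_KEY not in obj:
                continue
            # 4663 fires for any audited file; keep only executable images
            if cat.startswith("DLL") and not obj.lower().endswith((".dll", ".exe")):
                continue
            hits[cat].append(ev)
    return dict(hits)

def coverage_gaps(events):
    """Categories from the list that no record matched (alerts still unproven)."""
    return sorted(set(ALERT_RULES) - set(classify(events)))

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4720, "host": "PC-042", "subject": "jdoe", "object": "svc_backup"},
    {"channel": "Security", "id": 4732, "host": "PC-042", "subject": "jdoe", "object": "Administrators"},
    {"channel": "System", "id": 7045, "host": "SRV-03", "subject": "SYSTEM", "object": "UpdaterSvc"},
    {"channel": "Security", "id": 4657, "host": "PC-017", "subject": "asmith",
     "object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"channel": "Security", "id": 4657, "host": "PC-017", "subject": "asmith",
     "object": r"HKLM\SOFTWARE\Contoso\Settings"},   # audited, but not a Run key: ignored
    {"channel": "Security", "id": 4663, "host": "PC-017", "subject": "asmith", "object": r"C:\Temp\notes.txt"},
    {"channel": "Security", "id": 4698, "host": "SRV-03", "subject": "jdoe", "object": r"\Maint\Cleanup"},
]

if __name__ == "__main__":
    for cat, evs in classify(SAMPLE_EVENTS).items():
        print(f"{cat}: {len(evs)} event(s)")
    print("no coverage in sample:", coverage_gaps(SAMPLE_EVENTS))
```

Feed it an export of real events in the same dict shape and the gap list tells you which of the planned alerts still has nothing to trigger it.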


  •  probably has some tips. He is well versed in this product. 

  • A couple others we use are:

    Detect USB - Send an email if a file is copied to USB.  (Works with Windows machines that have the USB-Defender loaded.)

    We also have a tool we made for when people do any DTA data transfers.  It logs to a custom log we created, and we created a rule that alerts on the tool's use.

    We alert when a workstation that isn't in the DTA-approved-workstation AD group tries to transfer data.

    We created an alert that reminds users to use the logging tool if they launch Roxio Secure Burn software.

    We have some custom AD groups that we alert on when anyone is added or removed from one of the privileged user groups.