
What you don’t watch for could be exactly what attackers exploit.

Most orgs watch for malware, phishing, account compromise and a whole host of other attacks.

But so often I see what I would consider low-hanging-fruit detections missed by security teams.

Here are a few high-value alerts that not enough orgs have implemented:

Active Directory enumeration - especially when privileged (tier 0) resources are touched, like Domain Admins. Looking at the volume of LDAP traffic from a single host can also be a great indicator of recon activity. By the way, according to a recent CrowdStrike report, 50% of TTPs they see are recon activities.
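Both signals in that paragraph (a single host firing an unusual volume of LDAP queries, and any query that names a tier-0 group) can be turned into a rule over whatever LDAP query telemetry you have. The following is an added example, not code from the original post: it parses a constructed, simplified query-log format (timestamp, source host, bind user, search base, filter), which is an assumption standing in for your real source (Active Directory diagnostic logging, a network sensor, or your EDR's LDAP telemetry), and emits one alert per privileged-group query plus one per host that exceeds a sliding-window query threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default Windows tier-0 groups; extend with your own (PAW admin groups, custom DA-equivalents).
TIER0_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# Regex for the constructed log format used in this example (assumed, not a product format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) base=(?P<base>\S+) filter=(?P<filter>.+)$"
)


def parse_ldap_line(line):
    """Parse one constructed LDAP query log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def touches_tier0(rec):
    """True if the search base or filter names a tier-0 group (case-insensitive)."""
    haystack = (rec["base"] + " " + rec["filter"]).lower()
    return any(g in haystack for g in TIER0_GROUPS)


def detect_ldap_recon(lines, window=timedelta(minutes=5), threshold=50):
    """Return alerts: one 'tier0_query' per query touching a privileged group, and one
    'ldap_volume' per source host whose queries inside any sliding window exceed threshold."""
    alerts = []
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_ldap_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the pipeline
        if touches_tier0(rec):
            alerts.append({"type": "tier0_query", "src": rec["src"],
                           "user": rec["user"], "detail": rec["filter"]})
        per_src[rec["src"]].append(rec["ts"])
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                alerts.append({"type": "ldap_volume", "src": src, "count": end - start + 1,
                               "window_start": stamps[start].isoformat()})
                break  # one alert per host; don't flood the queue
    return alerts


def constructed_sample():
    """Constructed sample: one host doing a scanner-style burst, one host doing a couple of
    normal lookups, one of which targets Domain Admins, plus one junk line."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(120):  # 120 queries in two minutes from one workstation
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} src=WS-0423 user=jdoe "
                     "base=DC=corp,DC=local filter=(objectClass=computer)")
    lines.append(f"{(t0 + timedelta(minutes=10)).isoformat()} src=WS-0100 user=asmith "
                 "base=DC=corp,DC=local filter=(sAMAccountName=asmith)")
    lines.append(f"{(t0 + timedelta(minutes=11)).isoformat()} src=WS-0100 user=asmith "
                 "base=CN=Users,DC=corp,DC=local "
                 "filter=(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect_ldap_recon(constructed_sample()):
        print(alert)
```

The threshold and window are the part you tune per environment: baseline normal hosts for a week first, then set the threshold above the noisiest legitimate source (management servers and inventory tools will top the list), or exclude those hosts explicitly rather than raising the threshold for everyone.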

Adding users to local admins on workstations - this one should be obvious, but in reality I’ve almost never seen orgs alerting on this. The telemetry is there in your EDR waiting for you to use it.

Lateral movement with RDP, PSRemoting, SMB - if you’ve done the work to understand your environment, then writing rules to detect when an admin is attempting to RDP to a domain controller from Susie’s workstation should be easy. But most don’t do the upfront work to get to this point.
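The "admin RDPs to a domain controller from Susie's workstation" rule is only easy once the upfront work exists as data: a list of tier-0 hosts and a list of the workstations admins are allowed to come from. The example below is added here and is not from the original post. It evaluates Windows Security event 4624 records (LogonType 10 is RemoteInteractive, i.e. RDP) that have already been normalized into dicts with the event's own field names, against two assumed allowlists, `TIER0_HOSTS` and `APPROVED_ADMIN_SOURCES`; the host names are constructed.

```python
# Hosts where interactive admin logons must only come from approved sources (assumed names).
TIER0_HOSTS = {"DC01", "DC02"}
# Privileged access workstations admins are allowed to RDP from (assumed names).
APPROVED_ADMIN_SOURCES = {"PAW-01", "PAW-02"}
RDP_LOGON_TYPE = 10  # 4624 LogonType 10 = RemoteInteractive (RDP / Terminal Services)


def rdp_to_tier0_alerts(events):
    """Flag successful RDP logons (4624, type 10) to a tier-0 host whose source is not an
    approved admin workstation. Returns a list of alert dicts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4624 or int(ev.get("LogonType", 0)) != RDP_LOGON_TYPE:
            continue
        # 'Computer' is the host that logged the event, i.e. the RDP destination.
        target = ev.get("Computer", "").split(".")[0].upper()
        if target not in TIER0_HOSTS:
            continue
        # WorkstationName can be empty on some logon paths; fall back to the IP so the
        # alert still fires and can be resolved against DHCP/inventory later.
        source = ev.get("WorkstationName", "").upper() or ev.get("IpAddress", "")
        if source in APPROVED_ADMIN_SOURCES:
            continue
        alerts.append({
            "rule": "rdp_to_tier0_from_unapproved_source",
            "target": target,
            "source": source,
            "user": f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}",
        })
    return alerts


def constructed_events():
    """Constructed 4624 records: one approved RDP to a DC, one RDP to a DC from a user
    workstation, one ordinary network logon to a DC, and one RDP to a non-tier-0 server."""
    return [
        {"EventID": 4624, "LogonType": 10, "Computer": "DC01.corp.local",
         "TargetDomainName": "CORP", "TargetUserName": "admin-jdoe",
         "WorkstationName": "PAW-01", "IpAddress": "10.10.1.5"},
        {"EventID": 4624, "LogonType": 10, "Computer": "DC01.corp.local",
         "TargetDomainName": "CORP", "TargetUserName": "admin-jdoe",
         "WorkstationName": "WS-SUSIE", "IpAddress": "10.20.3.17"},
        {"EventID": 4624, "LogonType": 3, "Computer": "DC01.corp.local",
         "TargetDomainName": "CORP", "TargetUserName": "asmith",
         "WorkstationName": "WS-0100", "IpAddress": "10.20.3.40"},
        {"EventID": 4624, "LogonType": 10, "Computer": "FS01.corp.local",
         "TargetDomainName": "CORP", "TargetUserName": "admin-jdoe",
         "WorkstationName": "WS-SUSIE", "IpAddress": "10.20.3.17"},
    ]


if __name__ == "__main__":
    for alert in rdp_to_tier0_alerts(constructed_events()):
        print(alert)
```

Logon type 3 (network: SMB, WinRM/PSRemoting) is deliberately left out of this rule because it fires constantly for ordinary users and computer accounts; a workable version of the same check for those protocols keys on the account being a privileged one and the source not being approved, which is the same allowlist work done once more.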

Hosts without EDR installed - I suspect this should be fairly easy for most orgs. If there are hosts in your network that you control, that support EDR, and it isn’t installed, you should know immediately.
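The check is a set difference between "hosts we control that can run the agent" and "hosts the EDR console has heard from recently", with the obvious exclusions so the report is not full of decommissioned machines and appliances. Added example, not from the original post: the inventory records, the EDR check-in export and the supported-platform list are constructed assumptions standing in for your CMDB/AD computer objects and your EDR console's host export.

```python
from datetime import datetime, timedelta

# Platforms the assumed EDR agent supports; anything else is tracked as a separate gap.
EDR_SUPPORTED_OS = {"windows", "linux", "macos"}
# A host is considered missing if the agent has not checked in for this long.
STALE_AFTER = timedelta(days=3)


def edr_coverage_gaps(inventory, edr_checkins, now):
    """inventory: iterable of dicts {hostname, os, managed, last_seen (ISO timestamp)}.
    edr_checkins: dict hostname -> last agent check-in (ISO timestamp).
    Returns a list of {hostname, reason[, last_checkin]} for hosts that should have EDR
    but do not, or whose agent has gone quiet."""
    edr = {h.upper(): datetime.fromisoformat(ts) for h, ts in edr_checkins.items()}
    gaps = []
    for asset in inventory:
        name = asset["hostname"].upper()
        if not asset.get("managed", False):
            continue  # not ours to control (vendor appliance, contractor device)
        if asset["os"].lower() not in EDR_SUPPORTED_OS:
            continue  # the agent cannot run here; report under a different control
        if datetime.fromisoformat(asset["last_seen"]) < now - STALE_AFTER:
            continue  # host itself is stale/decommissioned; that is an inventory alert
        checkin = edr.get(name)
        if checkin is None:
            gaps.append({"hostname": name, "reason": "no_edr_agent"})
        elif now - checkin > STALE_AFTER:
            gaps.append({"hostname": name, "reason": "stale_checkin",
                         "last_checkin": checkin.isoformat()})
    return gaps


def constructed_inputs():
    """Constructed inventory and EDR export with one healthy host, one host without an
    agent, one with a silent agent, and three hosts that should be excluded."""
    now = datetime(2024, 5, 1, 12, 0, 0)
    inventory = [
        {"hostname": "WS-0001", "os": "Windows", "managed": True, "last_seen": "2024-05-01T08:00:00"},
        {"hostname": "WS-0002", "os": "Windows", "managed": True, "last_seen": "2024-05-01T09:30:00"},
        {"hostname": "SRV-DB01", "os": "Linux", "managed": True, "last_seen": "2024-05-01T11:00:00"},
        {"hostname": "PRINTER-01", "os": "Embedded", "managed": True, "last_seen": "2024-05-01T11:00:00"},
        {"hostname": "WS-OLD", "os": "Windows", "managed": True, "last_seen": "2024-03-15T10:00:00"},
        {"hostname": "VENDOR-APP", "os": "Windows", "managed": False, "last_seen": "2024-05-01T10:00:00"},
    ]
    edr_checkins = {
        "ws-0001": "2024-05-01T11:45:00",
        "SRV-DB01": "2024-04-20T02:00:00",  # agent stopped reporting weeks ago
    }
    return inventory, edr_checkins, now


if __name__ == "__main__":
    inv, edr, now = constructed_inputs()
    for gap in edr_coverage_gaps(inv, edr, now):
        print(gap)
```

Run it on a schedule and alert on any new entry; the "stale_checkin" case matters as much as the missing-agent case, because a stopped or tampered agent looks identical to a healthy host from the console's asset count alone.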

Here are a few other ideas for alerts that not enough folks have turned on:

  • Service Account Logins (outside expected systems/times)

  • New Domain Admins being added

  • Disabling Security Tools (AV, EDR, logging)

  • Mass File Access (precursor to data theft or ransomware)
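Two of the items in this post, local admin additions on workstations and new Domain Admins, come from the same family of Windows Security events: 4732 (member added to a security-enabled local group), 4728 (security-enabled global group) and 4756 (security-enabled universal group). The example below is added here and is not from the original post; it scores those events against a small set of watched groups, treating local "Administrators" on any host as high and the built-in domain tier-0 groups as critical. The event records are constructed, and the field names are the event's own (TargetUserName is the group, MemberName the added principal, SubjectUserName the actor).

```python
# Event IDs for "a member was added to a security-enabled ... group".
LOCAL_GROUP_ADD = 4732
GLOBAL_GROUP_ADD = 4728
UNIVERSAL_GROUP_ADD = 4756

# Domain groups whose membership changes are always critical (extend with your own).
TIER0_DOMAIN_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Local groups that grant admin on the host where the event was logged.
WATCHED_LOCAL_GROUPS = {"administrators"}
# Service/automation accounts allowed to change membership (assumed empty; fill deliberately).
APPROVED_ACTORS = set()


def privileged_group_alerts(events):
    """Return alerts for membership additions to watched local or domain groups."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        group = ev.get("TargetUserName", "").lower()
        actor = ev.get("SubjectUserName", "")
        if eid == LOCAL_GROUP_ADD and group in WATCHED_LOCAL_GROUPS:
            severity = "high"
        elif eid in (GLOBAL_GROUP_ADD, UNIVERSAL_GROUP_ADD) and group in TIER0_DOMAIN_GROUPS:
            severity = "critical"
        else:
            continue  # other group changes are audit data, not an alert
        if actor.lower() in {a.lower() for a in APPROVED_ACTORS}:
            continue  # change-control automation; still logged upstream
        alerts.append({
            "severity": severity,
            "event_id": eid,
            "host": ev.get("Computer", "").split(".")[0].upper(),
            "group": ev.get("TargetUserName", ""),
            "member": ev.get("MemberName", ""),
            "actor": actor,
        })
    return alerts


def constructed_events():
    """Constructed records: a user adding themselves to local Administrators on a
    workstation, a Domain Admins addition on a DC, and two benign group changes."""
    return [
        {"EventID": 4732, "Computer": "WS-0423.corp.local", "TargetUserName": "Administrators",
         "MemberName": "CORP\\jdoe", "SubjectUserName": "jdoe"},
        {"EventID": 4728, "Computer": "DC01.corp.local", "TargetUserName": "Domain Admins",
         "MemberName": "CN=bsmith,CN=Users,DC=corp,DC=local", "SubjectUserName": "admin-jdoe"},
        {"EventID": 4728, "Computer": "DC01.corp.local", "TargetUserName": "Marketing",
         "MemberName": "CN=bsmith,CN=Users,DC=corp,DC=local", "SubjectUserName": "admin-jdoe"},
        {"EventID": 4732, "Computer": "WS-0100.corp.local", "TargetUserName": "Remote Desktop Users",
         "MemberName": "CORP\\asmith", "SubjectUserName": "helpdesk-1"},
    ]


if __name__ == "__main__":
    for alert in privileged_group_alerts(constructed_events()):
        print(alert)
```

Local admin additions need one more piece of context to be actionable at scale: whether the actor is the same person as the member (self-elevation on a workstation is a different conversation from the helpdesk granting it), which is why both fields are kept in the alert rather than collapsed.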

Too many organizations rely on the out-of-the-box configurations of their security tools.

It’s especially evident with EDR.

There are few tools that are truly set-it-and-forget-it.

If you don’t create any custom alerts and you don’t review your existing alerts for effectiveness and completeness, you’re leaving room for attackers.

And by the way, one of the best things you can do from a security monitoring perspective is to set up deception assets.

Whether you’re trying to better detect enumeration/recon, lateral movement, privilege escalation or even credential access…

Deception can be used very effectively for all those use cases.

If you want to see how deception can be used at various stages of an attack, watch the recording of my deception webinar.

All the best
Spencer Alessi
