DENSHI PRO

Security Operations Center Manual

A practical guide for running local Windows triage, reviewing evidence, applying precise containment, and building repeatable hardening workflows with DENSHI PRO.

Version 1.1.0 Offline Manual Windows Local-First Operations Updated 2026-07-15

1. Purpose

DENSHI PRO Security Operations Center is a local Windows security operations tool for triage, containment, hardening, rollback-aware changes, and evidence review. It is designed for operators who need to quickly answer:

  • Does this machine have signs of compromise or exposed attack surface?
  • Which evidence should be reviewed first?
  • Which controls can be applied precisely and safely?
  • What changed after containment or hardening?
Local-first design: DENSHI PRO reads local Windows evidence and applies local controls. It does not replace a SIEM, EDR, firewall appliance, legal review, or incident response procedure, but it helps organize the first operator pass on a Windows host.

2. Quick Start

  1. Run as Administrator.
    Administrative rights are required for the most complete audit and for remediation actions such as firewall blocks, session control, and system hardening.
  2. Set the lookback window.
    Use Hours to define how far back event logs and recent artifacts are reviewed. A smaller window is faster. A larger window may uncover older evidence.
  3. Select an event preset.
    Use Auth basics for fast logon/account triage, or enter specific event IDs manually.
  4. Click Run Audit.
    The audit collects event logs, startup persistence, terminal sessions, file-access clues, listeners, connections, software inventory, hardening posture, and security checks.
  5. Start in Dashboard or Action Center.
    Review risk, score, exposure, exact actions, and the highest-priority queue.
  6. Use Incident Control for precise containment.
    Prefer the smallest reversible control first, such as blocking one port or one executable path.
  7. Run Audit again.
    Verification matters. Confirm that exposure moved to contained or resolved before applying more controls.

3. Recommended Operator Flow

Normal Review

  1. Run Audit.
  2. Read Dashboard and Action Center.
  3. Review Network Control and Vulnerability Center.
  4. Apply hardening only after understanding expected services.
  5. Export a report for records.

Active Incident

  1. Run Audit.
  2. Save Snapshot before containment.
  3. Use Incident Control, not Break Glass, when one precise action is enough.
  4. Block first when possible, terminate only when necessary.
  5. Run Audit again and compare.
Important: Do not treat a high score or high-priority queue item as proof of compromise. It means "review sooner." Verification, business context, and operator judgment still matter.

4. Interface Map

Area What It Does Best Used For
Dashboard Summarizes readiness, risk, exposure, exact actions, and coverage. First view after each audit.
Action Center Operator queue with recommended next actions and evidence context. Deciding what to review or fix first.
Incident Control Precise controls generated from the audit, such as block port, block app, terminate PID, or log off session. Small, targeted containment.
Break Glass Broad emergency controls for active incidents. When precise controls are too slow or insufficient.
Vulnerability Center Correlates installed/running software with vulnerabilities and exposure. Patch and containment planning.
Network Control Connections, network-active processes, and trust scoring. Understanding live network activity and owners.
Listeners Listening sockets waiting for inbound connections, with block-port control. Reducing exposed attack surface.
System Hardening Baseline hardening controls with preview, apply, enforce, and rollback. Durable security posture improvements.

5. Audit Options

Hours

The lookback window for event logs and recent file-access clues. Shorter windows are faster and cleaner. Longer windows may capture older activity but can produce more noise.

Preset and Event IDs

The event preset controls which Windows event IDs are queried. The default authentication-focused preset commonly includes logon, failed logon, and account-creation events.

Session Whitelist

Approved users can be listed so terminal sessions are interpreted against your expected operators. Without a whitelist, session data is informational.

Raw XML

Includes raw event XML in exported JSON. This can be useful for forensic review, but increases output size and may contain sensitive data.

Enforce Sessions

Allows unauthorized/non-current session controls to be enforced when selected. Use with care and confirm the current operator session will not be affected.

6. Dashboard

The Dashboard is the executive summary after each audit. It is intended to answer: "What is the machine state, and where should I start?"

Metric Meaning
Risk High-level risk label based on observed exposure, findings, and available controls.
Score A readiness score. Higher generally means better posture, but always review details.
Exposure Live listeners, connections, and externally reachable surfaces worth reviewing.
Actions Exact controls DENSHI PRO can offer from the current audit state.

7. Action Center

The Action Center is the operator queue. It organizes findings by severity and gives a recommended destination and next step.

Use it when you want one prioritized list instead of reading every tab manually.

Good workflow: Start at the top of Action Center, verify the evidence, apply the smallest safe control, then run Audit again.

8. Incident Control

Incident Control is the precision containment surface. It shows exact controls generated from the latest audit. Each row says what action will happen before you press Enter or click Review / Apply Selected.

Action Meaning Typical Impact
BLOCK Adds a scoped Windows Firewall block rule for a port or executable. Usually reversible and preferred before killing a process.
TERMINATE Stops one selected PID. Immediate process interruption. Use only when blocking is not enough.
LOG OFF Signs out a selected non-current Windows session. Disconnects the session and may close user applications.
CHANGE Applies a configuration control, such as disabling RDP exposure. Changes system behavior until reversed or reconfigured.

Keyboard Behavior

When a row is selected, pressing Enter opens a confirmation dialog for that exact row. Nothing is applied unless the operator confirms with Yes.

Snapshot First

For active incidents, click Save Snapshot First before applying containment. This preserves a point-in-time JSON and text report for later review.

Terminate with care: A terminate action can stop services or processes immediately. Prefer blocking a port or executable when you only need to reduce exposure while preserving evidence.

9. Break Glass

Break Glass is for broad emergency controls. It is intentionally separate from Incident Control because it can affect many sessions, ports, processes, or settings at once.

Use Break Glass when the host is actively exposed, precision controls are not enough, or the operator needs to buy time quickly.

Recommended order: Snapshot, smallest Break Glass option, run Audit again, then follow up with precise cleanup.

10. Vulnerability Center

The Vulnerability Center connects local software inventory, running binaries, known vulnerable products, and live exposure. It helps separate patch work from containment work.

Findings

Shows vulnerabilities detected or inferred from installed/running software and known affected products.

Hardening Plan

Converts vulnerability context into durable hardening, patching, and containment recommendations.

Safe Contain Top Finding

Chooses a scoped firewall containment action where available. It does not broadly terminate processes or apply Break Glass controls.

11. Network Control

Network Control is the live network activity workspace. It combines connections, network-active processes, and process trust scoring.

Nested Tab What It Shows
Connections TCP/UDP endpoints in a netstat-style view, including local/remote addresses and states.
Processes Network-active process owners, signer status, PIDs, paths, and exact block/close controls.
Process Trust Ranks executables by exposure and trust signals. Higher score means review sooner, not automatic guilt.

Live Refresh

Refreshes sockets, active connections, process owners, signer status, and executable metadata without running the full audit.

12. Listeners

A listener is a socket waiting for inbound connections. DENSHI PRO prioritizes all-interface exposure, unsigned owners, unknown owners, and third-party processes.

Use the selectable listener list to block a port with confirmation. Blocking a listener port adds a Windows Firewall inbound rule. It does not terminate the owning process.

13. Evidence and Timeline

Host Evidence

Includes Event Logs, Registry startup persistence, and Terminal Sessions. These sections are meant to explain what Windows reported and what requires operator review.

Exfiltration

Shows USN journal availability, audited read indicators where available, and shell artifacts such as Recent Files and Jump Lists.

Evidence caveat: Recent Files and Jump Lists are breadcrumbs, not proof of exfiltration. High-confidence read detection depends on Security event 4663 being enabled for target directories.

Evidence Timeline

Merges logons, sessions, listeners, startup clues, connection activity, file-access indicators, and DENSHI actions into one review path.

14. System Hardening

System Hardening provides baseline controls with preview, apply, enforce, and rollback-aware behavior.

Mode Use Case
Preview Baseline Shows what would change before making changes.
Apply Applies selected hardening controls.
Enforce Level Applies the chosen level and restores managed controls that no longer belong to it.
Restore Uses a managed pre-change snapshot when available.

Common Controls

  • Enable Windows Firewall baseline.
  • Disable SMB1.
  • Disable AutoRun.
  • Disable Guest account.
  • Enable PowerShell script block logging.
  • Optionally enable PowerShell transcription.

15. Reports and Snapshots

Export Report

Exports the latest audit to text or JSON. Text reports are readable by operators. JSON reports are better for parsing or archiving structured evidence.

Save Snapshot

Creates a point-in-time incident package under the default export directory. Use snapshots before containment, before Break Glass, and before major hardening changes.

Recommended naming pattern:
DENSHI-Report-HOSTNAME-YYYYMMDD-HHMMSS.txt
DENSHI-Incident-HOSTNAME-YYYYMMDD-HHMMSS.json

16. Safety Model

DENSHI PRO separates precise controls from broad controls.

  • Precise controls target one port, executable path, PID, session, or setting.
  • Break Glass controls can affect many parts of the host at once.
  • Hardening controls are durable posture changes, not emergency response by themselves.
Preferred containment rule: Block first, terminate second, patch third, rescan always.

17. Troubleshooting

Symptom Likely Cause What To Do
Audit takes longer than expected Windows event log, security posture, or network inventory query is slow. Use a smaller Hours window, reduce event IDs, or use Live Refresh for network-only updates.
No vulnerability matches Database cache may be old or local product/version match is incomplete. Update Database, rerun Audit, then review local software inventory.
Incident Control has no rows The latest audit did not generate exact controls. Run Audit again, check Listeners and Network Control, or use System Hardening for durable posture.
Terminate is not offered The process is Microsoft-signed, protected, system-critical, or unsafe to one-click kill. Use Block Port or Block App if available, or investigate manually.
Text reports are large The audit found many events, connections, artifacts, or vulnerabilities. Use tabs for triage and export full reports for archival review.

18. Glossary

Term Definition
Listener A socket waiting for inbound connections, such as TCP/445 on all interfaces.
All interfaces A listener bound to 0.0.0.0 or ::, meaning it may accept traffic on multiple local addresses.
Incident Control The precise containment queue generated from the latest audit state.
Break Glass Broad emergency containment actions for active incidents.
USN Journal NTFS change journal metadata. It proves change tracking exists but does not prove file reads.
Event 4663 Windows Security event that can show object access when auditing is enabled.
Rollback snapshot Pre-change state captured so managed hardening can be restored where supported.