1. Purpose
DENSHI PRO Security Operations Center is a local Windows security operations tool for triage, containment, hardening, rollback-aware changes, and evidence review. It is designed for operators who need to quickly answer:
- Does this machine have signs of compromise or exposed attack surface?
- Which evidence should be reviewed first?
- Which controls can be applied precisely and safely?
- What changed after containment or hardening?
2. Quick Start
- Run as Administrator.
Administrative rights are required for the most complete audit and for remediation actions such as firewall blocks, session control, and system hardening. - Set the lookback window.
UseHoursto define how far back event logs and recent artifacts are reviewed. A smaller window is faster. A larger window may uncover older evidence. - Select an event preset.
UseAuth basicsfor fast logon/account triage, or enter specific event IDs manually. - Click Run Audit.
The audit collects event logs, startup persistence, terminal sessions, file-access clues, listeners, connections, software inventory, hardening posture, and security checks. - Start in Dashboard or Action Center.
Review risk, score, exposure, exact actions, and the highest-priority queue. - Use Incident Control for precise containment.
Prefer the smallest reversible control first, such as blocking one port or one executable path. - Run Audit again.
Verification matters. Confirm that exposure moved to contained or resolved before applying more controls.
3. Recommended Operator Flow
Normal Review
- Run Audit.
- Read Dashboard and Action Center.
- Review Network Control and Vulnerability Center.
- Apply hardening only after understanding expected services.
- Export a report for records.
Active Incident
- Run Audit.
- Save Snapshot before containment.
- Use Incident Control, not Break Glass, when one precise action is enough.
- Block first when possible, terminate only when necessary.
- Run Audit again and compare.
4. Interface Map
| Area | What It Does | Best Used For |
|---|---|---|
| Dashboard | Summarizes readiness, risk, exposure, exact actions, and coverage. | First view after each audit. |
| Action Center | Operator queue with recommended next actions and evidence context. | Deciding what to review or fix first. |
| Incident Control | Precise controls generated from the audit, such as block port, block app, terminate PID, or log off session. | Small, targeted containment. |
| Break Glass | Broad emergency controls for active incidents. | When precise controls are too slow or insufficient. |
| Vulnerability Center | Correlates installed/running software with vulnerabilities and exposure. | Patch and containment planning. |
| Network Control | Connections, network-active processes, and trust scoring. | Understanding live network activity and owners. |
| Listeners | Listening sockets waiting for inbound connections, with block-port control. | Reducing exposed attack surface. |
| System Hardening | Baseline hardening controls with preview, apply, enforce, and rollback. | Durable security posture improvements. |
5. Audit Options
Hours
The lookback window for event logs and recent file-access clues. Shorter windows are faster and cleaner. Longer windows may capture older activity but can produce more noise.
Preset and Event IDs
The event preset controls which Windows event IDs are queried. The default authentication-focused preset commonly includes logon, failed logon, and account-creation events.
Session Whitelist
Approved users can be listed so terminal sessions are interpreted against your expected operators. Without a whitelist, session data is informational.
Raw XML
Includes raw event XML in exported JSON. This can be useful for forensic review, but increases output size and may contain sensitive data.
Enforce Sessions
Allows unauthorized/non-current session controls to be enforced when selected. Use with care and confirm the current operator session will not be affected.
6. Dashboard
The Dashboard is the executive summary after each audit. It is intended to answer: "What is the machine state, and where should I start?"
| Metric | Meaning |
|---|---|
| Risk | High-level risk label based on observed exposure, findings, and available controls. |
| Score | A readiness score. Higher generally means better posture, but always review details. |
| Exposure | Live listeners, connections, and externally reachable surfaces worth reviewing. |
| Actions | Exact controls DENSHI PRO can offer from the current audit state. |
7. Action Center
The Action Center is the operator queue. It organizes findings by severity and gives a recommended destination and next step.
Use it when you want one prioritized list instead of reading every tab manually.
8. Incident Control
Incident Control is the precision containment surface. It shows exact controls generated from the latest audit. Each row says what action will happen before you press Enter or click Review / Apply Selected.
| Action | Meaning | Typical Impact |
|---|---|---|
| BLOCK | Adds a scoped Windows Firewall block rule for a port or executable. | Usually reversible and preferred before killing a process. |
| TERMINATE | Stops one selected PID. | Immediate process interruption. Use only when blocking is not enough. |
| LOG OFF | Signs out a selected non-current Windows session. | Disconnects the session and may close user applications. |
| CHANGE | Applies a configuration control, such as disabling RDP exposure. | Changes system behavior until reversed or reconfigured. |
Keyboard Behavior
When a row is selected, pressing Enter opens a confirmation dialog for that exact row. Nothing is applied unless the operator confirms with Yes.
Snapshot First
For active incidents, click Save Snapshot First before applying containment. This preserves a point-in-time JSON and text report for later review.
9. Break Glass
Break Glass is for broad emergency controls. It is intentionally separate from Incident Control because it can affect many sessions, ports, processes, or settings at once.
Use Break Glass when the host is actively exposed, precision controls are not enough, or the operator needs to buy time quickly.
10. Vulnerability Center
The Vulnerability Center connects local software inventory, running binaries, known vulnerable products, and live exposure. It helps separate patch work from containment work.
Findings
Shows vulnerabilities detected or inferred from installed/running software and known affected products.
Hardening Plan
Converts vulnerability context into durable hardening, patching, and containment recommendations.
Safe Contain Top Finding
Chooses a scoped firewall containment action where available. It does not broadly terminate processes or apply Break Glass controls.
11. Network Control
Network Control is the live network activity workspace. It combines connections, network-active processes, and process trust scoring.
| Nested Tab | What It Shows |
|---|---|
| Connections | TCP/UDP endpoints in a netstat-style view, including local/remote addresses and states. |
| Processes | Network-active process owners, signer status, PIDs, paths, and exact block/close controls. |
| Process Trust | Ranks executables by exposure and trust signals. Higher score means review sooner, not automatic guilt. |
Live Refresh
Refreshes sockets, active connections, process owners, signer status, and executable metadata without running the full audit.
12. Listeners
A listener is a socket waiting for inbound connections. DENSHI PRO prioritizes all-interface exposure, unsigned owners, unknown owners, and third-party processes.
Use the selectable listener list to block a port with confirmation. Blocking a listener port adds a Windows Firewall inbound rule. It does not terminate the owning process.
13. Evidence and Timeline
Host Evidence
Includes Event Logs, Registry startup persistence, and Terminal Sessions. These sections are meant to explain what Windows reported and what requires operator review.
Exfiltration
Shows USN journal availability, audited read indicators where available, and shell artifacts such as Recent Files and Jump Lists.
Evidence Timeline
Merges logons, sessions, listeners, startup clues, connection activity, file-access indicators, and DENSHI actions into one review path.
14. System Hardening
System Hardening provides baseline controls with preview, apply, enforce, and rollback-aware behavior.
| Mode | Use Case |
|---|---|
| Preview Baseline | Shows what would change before making changes. |
| Apply | Applies selected hardening controls. |
| Enforce Level | Applies the chosen level and restores managed controls that no longer belong to it. |
| Restore | Uses a managed pre-change snapshot when available. |
Common Controls
- Enable Windows Firewall baseline.
- Disable SMB1.
- Disable AutoRun.
- Disable Guest account.
- Enable PowerShell script block logging.
- Optionally enable PowerShell transcription.
15. Reports and Snapshots
Export Report
Exports the latest audit to text or JSON. Text reports are readable by operators. JSON reports are better for parsing or archiving structured evidence.
Save Snapshot
Creates a point-in-time incident package under the default export directory. Use snapshots before containment, before Break Glass, and before major hardening changes.
Recommended naming pattern: DENSHI-Report-HOSTNAME-YYYYMMDD-HHMMSS.txt DENSHI-Incident-HOSTNAME-YYYYMMDD-HHMMSS.json
16. Safety Model
DENSHI PRO separates precise controls from broad controls.
- Precise controls target one port, executable path, PID, session, or setting.
- Break Glass controls can affect many parts of the host at once.
- Hardening controls are durable posture changes, not emergency response by themselves.
17. Troubleshooting
| Symptom | Likely Cause | What To Do |
|---|---|---|
| Audit takes longer than expected | Windows event log, security posture, or network inventory query is slow. | Use a smaller Hours window, reduce event IDs, or use Live Refresh for network-only updates. |
| No vulnerability matches | Database cache may be old or local product/version match is incomplete. | Update Database, rerun Audit, then review local software inventory. |
| Incident Control has no rows | The latest audit did not generate exact controls. | Run Audit again, check Listeners and Network Control, or use System Hardening for durable posture. |
| Terminate is not offered | The process is Microsoft-signed, protected, system-critical, or unsafe to one-click kill. | Use Block Port or Block App if available, or investigate manually. |
| Text reports are large | The audit found many events, connections, artifacts, or vulnerabilities. | Use tabs for triage and export full reports for archival review. |
18. Glossary
| Term | Definition |
|---|---|
| Listener | A socket waiting for inbound connections, such as TCP/445 on all interfaces. |
| All interfaces | A listener bound to 0.0.0.0 or ::, meaning it may accept traffic on multiple local addresses. |
| Incident Control | The precise containment queue generated from the latest audit state. |
| Break Glass | Broad emergency containment actions for active incidents. |
| USN Journal | NTFS change journal metadata. It proves change tracking exists but does not prove file reads. |
| Event 4663 | Windows Security event that can show object access when auditing is enabled. |
| Rollback snapshot | Pre-change state captured so managed hardening can be restored where supported. |