Windows Log Monitoring
Best Practices for Security and Compliance
Table of Contents
Introduction
Overview
Major Security Events and Policy Changes
  Major Security Events and Policy Changes Active Directory and Member Server
Active Directory and Member Server Compliance Events of Interest
  Active Directory General Object Changes
  Active Directory and Local Server Group Member Additions
  Active Directory and Local Server Group Member Deletions
  Active Directory and Local Users New or Enabled
  Active Directory and Local Users Deleted or Disabled
  Active Directory Group Policy Change
  Active Directory Permission Changes
  Active Directory and Local User Account Lockouts and Password Resets
  Active Directory and Local Server Other Users, Groups and Computers Changes
Authentication and Logons Compliance Events of Interest
  Domain Account Authentication
  Domain Account Authentication Failure Analysis
  User Logons by Server Type
Introduction
This document and its companion document, SecureWorks Audit Policy Configuration, are designed to give you greater insight into the Windows logs that need to be collected for security and compliance purposes, and into how to configure your Windows systems to log this information. This document is the result of extensive research into the generally accepted best practices for Windows log monitoring, performed in conjunction with the SecureWorks team of audit experts and recognized Windows expert Randy Smith, founder of the Monterey Technology Group and author of Ultimate Windows Security.
The information throughout this document provides the event IDs and details necessary for optimum Windows security and compliance monitoring. In addition, SecureWorks has tuned its filters to capture the information outlined here and has created a suite of reports that let you easily view your Windows events. Reports designated as daily should be scheduled by your organization to run daily for your Windows servers and be reviewed by a member of your team. Reports designated as ad hoc should be run, or scheduled to run, by your organization for periodic review by your team. The Portal also allows you to store each report and digitally sign it for audit purposes. Each event grouping below is mapped to one of the following SecureWorks reports, which can be accessed, run and scheduled via the Monitoring section of the Report tab in the SecureWorks Client Portal:
  o Major Security Events and Policy Changes Daily
  o Active Directory and Member Server Compliance Events Daily
  o Active Directory and Member Server Compliance Events Ad Hoc
  o Authentication and Logons Compliance Events of Interest Ad Hoc
Overview
Columns: Windows Event Group | Event Codes | SecureWorks Report Name | Frequency of Review

Windows Event Group: Major Security Events and Policy Changes Active Directory and Member Server
  Event Codes: 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622, 643
  SecureWorks Report Name: Major Security Events and Policy Changes Daily
  Frequency of Review: Daily

Windows Event Group: Active Directory and Local Server General Object Changes
  Event Codes: 565, 566
  SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
  Frequency of Review: Daily

Windows Event Group: Active Directory and Local Server Group Member Additions
  Event Codes: 632, 636, 650, 655, 660, 665
  SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
  Frequency of Review: Daily

Windows Event Group: Active Directory and Local Server Group Member Deletions
  Event Codes: 633, 637, 651, 656, 661, 666
  SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
  Frequency of Review: Daily

Windows Event Group: Active Directory and Local Users New or Enabled
  Event Codes: 624, 642, 626
  SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
  Frequency of Review: Daily

Windows Event Group: Active Directory and Local Users Deleted or Disabled
  Event Codes: 629, 630, 642
  SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
  Frequency of Review: Daily

Windows Event Group: Active Directory Group Policy Change
  Event Codes: 565, 566
  SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
  Frequency of Review: Daily

Windows Event Group: Active Directory and Local Server Permission Changes
  Event Codes: 565, 566, 560
  SecureWorks Report Name: Active Directory and Member Server Compliance Events - Daily
  Frequency of Review: Daily

Windows Event Group: Active Directory and Local User Account Lockouts and Password Resets
  Event Codes: 642, 644, 671, 627, 628
  SecureWorks Report Name: Active Directory and Member Server Compliance Events of Interest Ad Hoc
  Frequency of Review: Ad Hoc

Windows Event Group: Active Directory and Local Server Other Users, Groups and Computers Changes
  Event Codes: 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664, 638, 634, 662, 652, 657, 667, 668, 645, 646, 647
  SecureWorks Report Name: Active Directory and Member Server Compliance Events Ad Hoc
  Frequency of Review: Ad Hoc

Windows Event Group: Domain Account Authentication
  Event Codes: 672
  SecureWorks Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
  Frequency of Review: Ad Hoc

Windows Event Group: Domain Account Authentication Failure Analysis
  Event Codes: 672, 675, 676, 681
  SecureWorks Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
  Frequency of Review: Ad Hoc

Windows Event Group: User Failed Logons by Server Type
  Event Codes: 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
  SecureWorks Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
  Frequency of Review: Ad Hoc
Major Security Events and Policy Changes
Major Security Events and Policy Changes Active Directory and Member Server
Audit Policy Requirements
Category: Account Management, System Events, Privilege Use, Policy Change
Type: Success
Role: Member Servers and Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Major Security Events and Policy Changes Daily
Log Information to Aggregate
Columns: Computer | Event\Change | Event ID | Event\Change Performed By

Event ID 517: Security log cleared
  Performed by: Client User Name:\Client User Domain:

Event ID 520: System time changed
  Previous Time: 7:09:19 PM 8/5/2004
  New Time: 7:10:18 PM 8/5/2004
  Performed by: Client User Name:\Client User Domain:

Event ID 601: Attempt to install service
  Name: SNMPTRAP
  Success/Failure
  Performed by: User Name: \ Domain:

Event ID 608: User Right Assigned
  User Right: SeUndockPrivilege
  Assigned To: Domain\User
  Performed by (Assigned By): User Name: \ Domain:

Event ID 609: User Right Removed
  User Right: SeUndockPrivilege
  Removed From: Domain\User
  Performed by (Assigned By): User Name: \ Domain:

Event ID 610: New Trusted Domain
  Domain:
  Established By: User
  Trust Type: (see translation guidance below)
  Performed by: User Name: \ Domain:
  Translation guidance for the Trust Type field:
    Field: type
    Value 1 displays as: 1 - Trusted (the domain where this event was logged accepts the identity of users of the new domain)
    Value 2 displays as: 2 - Trusting (the new domain accepts the identity of users of the domain where this event was logged)
    Value 3 displays as: 3 - 2-way (mutual trust)
    See: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/microsoft_domaintruststatus.asp
    And: http://msdn2.microsoft.com/en-us/library/system.directoryservices.activedirectory.trusttype.aspx

Event ID 611: Trusted Domain Removed
  Domain:
  Established By:
  Performed by: User Name: \ Domain:

Event ID 620: Trusted Domain Information Modified
  Domain:
  Modified By:
  Performed by: User Name: \ Domain:

Event ID 612: Audit Policy Changed
  Server: Name\Domain
  New Policy (Success / Failure columns):
    + + Logon/Logoff
    + + Object Access
    + + Privilege Use
    - - Account Management
    + + Policy Change
    + + System
    - - Detailed Tracking
    + + Directory Service Access
    + + Account Logon
  Performed by: n/a

Event ID 617: Kerberos Policy Changed
  Domain:
  Change: '--' means no changes; otherwise each change is shown as parameter: new value (old value), for example: KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9ef7800000000 (none);
  Performed by: n/a

Event ID 621: System Security Access Granted
  Account: Domain\User
  Access: SeRemoteInteractiveLogonRight
  Performed by: n/a

Event ID 622: System Security Access Removed
  Account: Domain\User
  Access: SeRemoteInteractiveLogonRight
  Performed by: n/a

Event ID 643: Domain Policy Changed
  Domain:
  Changed By: User Name: \ Domain:
Interpretation Entries in this group indicate major changes to the security configuration of the indicated server or a high security event such as the security log being cleared.
Recommended Usage and Response The Major Security Events and Policy Changes Daily report should be generated for each server administrator filtered on the servers under his/her care. Run daily for evidence of intrusions, misconfigurations or unauthorized changes and review with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Verify that all entries correspond to legitimate actions by authorized administrators.
Documentation This group contains Event IDs: 517, 520, 601, 608, 609, 610, 611, 612, 617, 620, 621, 622 and 643.
Active Directory and Member Server Compliance Events of Interest
Active Directory General Object Changes
Audit Policy Requirements
Category: Directory Service
Type: Success
Role: Domain Controllers (only DCs report 566 or 565)
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
  Type: Object Type:
    o domainDNS = Domain
    o organizationalUnit = OU
    o groupPolicyContainer = GPO
  Operation (by Object Type and the text present in the description):
    Any object type, WRITE_DAC in description: Changed permissions
    Any object type, Delete Tree in description: Deleted along with all child objects
    Any object type, DELETE in description: Deleted
    organizationalUnit, domainDNS or site, Write Property and gPList in description: GPO options or links modified
    organizationalUnit, domainDNS or site, Write Property and gPOptions in description: GPO options or links modified
    groupPolicyContainer, Write Property and version in description: modified
  Changed by: [Caller Domain:]\[Caller User Name:]
Interpretation This group documents changes made to AD objects.
Event Codes of Interest 565 and 566.
Recommended Report Review and Response Run the Active Directory and Member Server Compliance Events-Daily report daily and as needed for ad hoc research/analysis. Reports should be reviewed with signoff via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived.
Active Directory and Local Server Group Member Additions
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
  Group domain: Target Domain:
  Group name: Target Account Name:
  Type: Security if Security Enabled in description or if event ID is 636, 632, 660; Distribution if Security Disabled in description or if event ID is 650, 655, 665
  New Member: Member Name:
  Added by: Caller Domain:\Caller User Name:
Interpretation If the group's Type is Security, the New Member now has access to any objects where the Group is granted permissions and will receive email sent to the Group. If the group's Type is Distribution, the New Member will receive email sent to the Group.
These logs document new members added to security and distribution groups in Active Directory and on local servers. AD and local server groups are increasingly used as the basis for controlling access to privileged information and transactions in databases and applications, so AD and local group and user activity is usually significant even in the unlikely scenario that no significant information is stored on Windows file servers. Distribution groups are important to monitor since they are often used to deliver confidential email.
Recommended Usage and Response The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and signed off via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Check for inappropriate or unauthorized group membership changes.
Documentation There are 3 scopes of groups. A group's scope limits where the group can be granted access and who the group can have as members. These events are collected from domain controllers.
Columns: Scope | Explanation | Event ID (Security / Distribution)
Domain Local: As a Domain Local group, Group is limited to objects in the local domain. Membership in Group cannot result in access to objects in other domains.
  Security: 636; Distribution: 650
Global: As a Global group, Group may have access to objects in the local domain and any other trusting domain inside or outside the forest. Membership in Group may result in access to objects in other domains.
  Security: 632; Distribution: 655
Universal: As a Universal group, Group may have access to objects in the local domain and any other trusting domain inside or outside the forest. Membership in Group may result in access to objects in other domains.
  Security: 660; Distribution: 665
Active Directory and Local Server Group Member Deletions
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
  Group domain: Target Domain:
  Group name: Target Account Name:
  Type: Security if event ID is 637, 633, 661; Distribution if event ID is 651, 656, 666
  Scope: Domain Local, Global and Universal
  Member: Member Name:
  Deleted by: Caller Domain:\Caller User Name:
Interpretation If the group's Type is Security, the Member no longer has access to any objects where the Group is granted permissions and will no longer receive email sent to the Group. If the group's Type is Distribution, the Member will no longer receive email sent to the Group.
These logs document members removed from security and distribution groups in Active Directory and on local servers. AD groups are increasingly used as the basis for controlling access to privileged information and transactions in databases and applications, so AD and local server group and user activity is usually significant even in the unlikely scenario that no significant information is stored on Windows file servers. Distribution groups are important to monitor since they are often used to deliver confidential email.
Recommended Usage and Response The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and signed off via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. This report provides documentation that group membership was revoked in connection with job changes, etc.
Documentation There are 3 scopes of groups. A group's scope limits where the group can be granted access and who the group can have as members. These events are collected from domain controllers.
Columns: Scope | Explanation | Event ID (Security / Distribution)
Domain Local: As a Domain Local group, Group is limited to objects in the local domain. Membership in Group cannot result in access to objects in other domains.
  Security: 637; Distribution: 651
Global: As a Global group, Group may have access to objects in the local domain and any other trusting domain inside or outside the forest. Membership in Group may result in access to objects in other domains.
  Security: 633; Distribution: 656
Universal: As a Universal group, Group may have access to objects in the local domain and any other trusting domain inside or outside the forest. Membership in Group may result in access to objects in other domains.
  Security: 661; Distribution: 666
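As an added example (not part of the SecureWorks document), the following Python maps the twelve group membership event IDs from the two scope tables above to operation, scope and type, parses the event description into the report columns, and cross-checks the Security Enabled / Security Disabled wording against what the event ID implies. The sample description and the SENSITIVE_GROUPS watch list are constructed assumptions.

```python
import re

# Event IDs from the two scope tables above: (operation, group scope, group type).
GROUP_MEMBER_EVENTS = {
    636: ("added", "Domain Local", "Security"),
    650: ("added", "Domain Local", "Distribution"),
    632: ("added", "Global", "Security"),
    655: ("added", "Global", "Distribution"),
    660: ("added", "Universal", "Security"),
    665: ("added", "Universal", "Distribution"),
    637: ("removed", "Domain Local", "Security"),
    651: ("removed", "Domain Local", "Distribution"),
    633: ("removed", "Global", "Security"),
    656: ("removed", "Global", "Distribution"),
    661: ("removed", "Universal", "Security"),
    666: ("removed", "Universal", "Distribution"),
}

# Reach of each scope, as the document explains it.
SCOPE_REACH = {
    "Domain Local": "cannot result in access to objects in other domains",
    "Global": "may result in access to objects in other domains",
    "Universal": "may result in access to objects in other domains",
}

# Hypothetical watch list (an assumption, not from the document): additions to these
# groups should be investigated the same day rather than waiting for the report sign-off.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_fields(description):
    """Turn the 'Name:<TAB>value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def report_row(event_id, description):
    """Build the report columns the document lists (group domain, group name, type,
    scope, member, performed by) for one group membership event, or None if the
    event ID is not one of the twelve in this group."""
    if event_id not in GROUP_MEMBER_EVENTS:
        return None
    operation, scope, group_type = GROUP_MEMBER_EVENTS[event_id]
    # The description's first line also states Security Enabled / Security Disabled;
    # it must agree with the type the event ID implies, otherwise the mapping is wrong.
    head = description.strip().splitlines()[0]
    if "Security Enabled" in head or "Security Disabled" in head:
        if ("Security Enabled" in head) != (group_type == "Security"):
            raise ValueError("event %d does not match group type in text: %s" % (event_id, head))
    f = parse_fields(description)
    group = f.get("Target Account Name", "")
    member = f.get("Member Name", "")
    if group_type == "Security":
        effect = "has access to any objects where the group is granted permissions and receives email sent to the group"
    else:
        effect = "receives email sent to the group"
    return {
        "group_domain": f.get("Target Domain", ""),
        "group": group,
        "type": group_type,
        "scope": scope,
        "operation": operation,
        "member": member,
        "performed_by": "%s\\%s" % (f.get("Caller Domain", ""), f.get("Caller User Name", "")),
        "interpretation": "%s %s %s; membership %s" % (
            member, "now" if operation == "added" else "no longer", effect, SCOPE_REACH[scope]),
        "review_now": operation == "added" and group in SENSITIVE_GROUPS,
    }


# Constructed sample 632 (Security Enabled Global Group Member Added) description.
SAMPLE_632 = """Security Enabled Global Group Member Added:
\tMember Name:\tCN=gthomas,OU=Users,DC=acme,DC=com
\tMember ID:\tACME\\gthomas
\tTarget Account Name:\tDomain Admins
\tTarget Domain:\tACME
\tTarget Account ID:\tACME\\Domain Admins
\tCaller User Name:\tradmin
\tCaller Domain:\tACME
\tCaller Logon ID:\t(0x0,0x34495)
\tPrivileges:\t-
"""

if __name__ == "__main__":
    for key, value in report_row(632, SAMPLE_632).items():
        print("%-15s %s" % (key, value))
```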
Active Directory and Local Users New or Enabled
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
  Operation: New
    Criteria: event ID 624
    User Account: New Account Domain:\New Account Name:
  Operation: Enabled
    Criteria: event ID 642 (Windows 2000) or event ID 626 (Windows 2003)
    User Account: Target Domain\Target Account Name:
  Performed by: Caller Domain:\Caller User Name:
Interpretation This event group documents new AD and Local Member Server user accounts or users previously disabled that are now enabled.
Recommended Usage and Response The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and signed off via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. Verify that new user accounts correspond to new hires, and check for accounts of terminated employees that have been mistakenly enabled. Enabling of user accounts, except in connection with a return from sabbatical, should be fairly infrequent; investigate any other occurrence.
Documentation This group is based on event ID 626 and 624 in Windows 2003; 642 and 624 in Windows 2000.
Active Directory and Local Users Deleted or Disabled
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
  Operation: Deleted
    Criteria: event ID 630
  Operation: Disabled
    Criteria: event ID 642 where Account Disabled within description (Windows 2000) or event ID 629 (Windows 2003)
  User Account: Target Account Name:\Target Domain:
  Performed by: Caller Domain:\Caller User Name:
Interpretation This event group documents AD and Local Member Server user account deletions or accounts previously enabled that are now disabled.
Recommended Usage and Response The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and signed off via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived. This report provides documentation that account access was revoked in connection with terminations, etc.
Documentation This group is based on event ID 629 and 630 in Windows 2003; 642 and 630 in Windows 2000.
Active Directory Group Policy Change
Audit Policy Requirements
Category: Directory Service
Type: Success
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
  Type: Object Type:
    o domainDNS = Domain
    o organizationalUnit = OU
    o groupPolicyContainer = GPO
    o site = Site
  Name and Operation (by case):
    Case 1: (Object Type: is organizationalUnit or domainDNS or site) and (Properties: includes gPList or gPOptions) and (Accesses: includes Write Property)
      Name: Object Name:; Operation: Group Policy links or options changed
    Case 2: Object Type: is groupPolicyContainer and (Properties: includes version) and (Accesses: includes Write Property)
      Name: Object Name:; Operation: GPO modified
    Case 3: Object Type: is groupPolicyContainer and Accesses: includes WRITE_DAC
      Name: Object Name:; Operation: GPO permissions modified
    Case 4: Object Type: is groupPolicyContainer and (Accesses: includes DELETE)
      Name: Object Name:; Operation: GPO deleted
    Case 5: Object Type: is container and (Accesses: includes Create Child) and Properties: includes groupPolicyContainer
      Name: Object Name:; Operation: GPO created
  Changed by: Caller Domain:\Caller User Name:
Interpretation This event group documents all group policy related changes:
  o New, Changed and Deleted GPOs
  o Changes to the Group Policy properties tab of Sites, Domains and Organizational Units
Recommended Usage and Response The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and signed off via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived.
Check for inappropriate or unauthorized group policy changes. Mistaken modifications to group policy can affect thousands of users and computers. Change control and a change audit trail are crucial to limiting group policy risk. Changes to group policy objects can also adversely reconfigure security settings or policies, opening the organization to intrusion or system abuse.
Documentation This group is based on event IDs 566 and 565.
Active Directory Permission Changes
Audit Policy Requirements
Category: Directory Service
Type: Success
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events - Daily
Log Information to Aggregate
  Note: Enable auditing at the root of the domain for Everyone, All objects, Success, Change Permissions. This is already the default on Windows 2000 DCs but not on Windows 2003 DCs.
  Domain: Convert the DC= components of Object Name: to the DNS equivalent; DC=acme,DC=com becomes acme.com
  Type: Object Type:
    o domainDNS = Domain
    o organizationalUnit = OU
    o groupPolicyContainer = GPO
    o otherwise use the actual value
  Operation:
  Name: Object Name:
  Changed by: Caller Domain:\Caller User Name:
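The following Python is an added example, not code from the document or from SecureWorks. It applies the five Group Policy cases from the Active Directory Group Policy Change section, the general object change rules from the Active Directory General Object Changes section, and this section's DC= to DNS conversion to a 565/566 event description. The sample event, its field names and the placeholder GPO GUID are constructed assumptions.

```python
import re

# Display names for the Object Type: values the document translates; any other
# object type is shown with its actual value.
OBJECT_TYPE_DISPLAY = {"domainDNS": "Domain", "organizationalUnit": "OU",
                       "groupPolicyContainer": "GPO", "site": "Site"}

KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_fields(description):
    """Parse 'Name:<TAB>value' lines. The Accesses: and Properties: lists continue on
    indented lines without a key, so such lines are appended to the previous key."""
    fields, last = {}, None
    for line in description.splitlines():
        m = KEY_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last and line.strip():
            fields[last] += "\n" + line.strip()
    return fields


def dn_to_domain(dn):
    """Convert the DC= components of an Object Name: to DNS form: DC=acme,DC=com -> acme.com."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC="))


def classify_directory_change(fields):
    """Apply the document's rules to a 565/566 event: the five Group Policy cases first,
    then the general object change rules. Returns (display type, operation text)."""
    otype = fields.get("Object Type", "")
    accesses = fields.get("Accesses", "")
    props = fields.get("Properties", "")
    display = OBJECT_TYPE_DISPLAY.get(otype, otype)
    write = "Write Property" in accesses
    # The document writes gPList; the AD attribute is spelled gPLink, so accept both.
    links = "gPList" in props or "gPLink" in props or "gPOptions" in props
    if otype in ("organizationalUnit", "domainDNS", "site") and write and links:
        return display, "Group Policy links or options changed"   # case 1
    if otype == "groupPolicyContainer":
        if write and "version" in props:
            return display, "GPO modified"                        # case 2
        if "WRITE_DAC" in accesses:
            return display, "GPO permissions modified"            # case 3
        if "DELETE" in accesses:
            return display, "GPO deleted"                         # case 4
    if otype == "container" and "Create Child" in accesses and "groupPolicyContainer" in props:
        return display, "GPO created"                             # case 5
    # General object changes, any object type
    if "WRITE_DAC" in accesses:
        return display, "Changed permissions"
    if "Delete Tree" in accesses:
        return display, "Deleted along with all child objects"
    if "DELETE" in accesses:
        return display, "Deleted"
    return display, "Changed"


def change_row(description):
    """Report columns: Domain, Type, Name, Operation, Changed by."""
    f = parse_fields(description)
    display, operation = classify_directory_change(f)
    name = f.get("Object Name", "")
    return {"domain": dn_to_domain(name), "type": display, "name": name, "operation": operation,
            "changed_by": "%s\\%s" % (f.get("Caller Domain", ""), f.get("Caller User Name", ""))}


# Constructed sample 566 description (the GPO GUID is a placeholder) using the field
# names the document lists; a real event carries further fields that do not affect the rules.
SAMPLE_566 = """Object Operation:
\tObject Server:\tDS
\tOperation Type:\tObject Access
\tObject Type:\tgroupPolicyContainer
\tObject Name:\tCN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=acme,DC=com
\tHandle ID:\t-
\tCaller User Name:\tradmin
\tCaller Domain:\tACME
\tAccesses:\tWrite Property
\tProperties:\tWrite Property
\t\tDefault property set
\t\tversionNumber
"""

if __name__ == "__main__":
    print(change_row(SAMPLE_566))
```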
Interpretation This group documents changes to permissions on objects in Active Directory. Permission changes are usually the result of delegating administrative authority. Active Directory does not report the content of the changes only that the change occurred.
Recommended Usage and Response The Active Directory and Member Server Compliance Events-Daily report should be reviewed daily and signed off via digital signature through the portal, email acknowledgement or physical signature. Signed reports should be archived.
Check for inappropriate delegation of authority. Delegation of control is important in AD in order to follow least privilege, but it can result in inappropriate authority being granted if not executed properly. Since Active Directory reports only that a permission change occurred, not its content, you must review the ACLs of the affected objects.
Documentation This group is based on event ID 560, 565 and 566.
Active Directory and Local User Account Lockouts and Password Resets
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events Ad Hoc
Log Information to Aggregate
  Operation: Locked
    Windows 2000: event ID 644
    Windows 2003: event ID 644
  Operation: Unlocked
    Windows 2000: 642 where unlocked within description
    Windows 2003: 671
  Operation: Password Reset
    Windows 2000: 627 where Target different than Caller
    Windows 2003: 628
  User Account: Target Account ID:
  Performed by: Caller Domain:\Caller User Name: (n/a for 644)
Interpretation This group documents AD and Local Member Server account lockouts, subsequent unlocks and password resets by an administrator or someone delegated that authority.
Recommended Usage and Response Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. Verify that password resets correspond to authentic calls to the help desk by a user who has forgotten his password. Verify that account unlock and password reset requests are properly authenticated by the help desk.
Having authority to reset passwords allows the holder to impersonate other users. Periodically auditing password resets provides a deterrent control.
Documentation This group is based on event ID 642, 644, 671, 627 and 628.
Active Directory and Local Server Other Users, Groups and Computers Changes
Audit Policy Requirements
Category: Account Management
Type: Success
Role: Domain controllers. Recognize DCs where Target Name: does not equal Computer
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Active Directory and Member Server Compliance Events Ad Hoc
Log Information to Aggregate
Columns: Object Type | Operation | Column Definition | Selection Criteria

Object Type: User
  Operation: General change
    Column Definition:
      On Windows 2000: 642 - first insertion string from the description. Some account changes generate 642 with the first insertion string empty; in such cases display Not specified.
      On Windows 2003: MS removed the first insertion string and replaced it with Changed Attributes. Display the attribute name/value pairs for which there is a value. For the example event below you would display:
        Password Last Set: 8/1/2006 12:15:10 PM
      Some account changes generate 642 where no attributes are listed as changed. In such cases display Not specified.
      Example event:
        Event Type: Success Audit
        Event Source: Security
        Event Category: Account Management
        Event ID: 642
        Date: 8/1/2006
        Time: 12:15:10 PM
        User: S3DGROUP\radmin
        Computer: A4
        Description:
        User Account Changed:
          Target Account Name: gthomas
          Target Domain: S3DGROUP
          Target Account ID: S3DGROUP\gthomas
          Caller User Name: radmin
          Caller Domain: S3DGROUP
          Caller Logon ID: (0x0,0x34495)
          Privileges: -
          Changed Attributes:
          Sam Account Name: -
          Display Name: -
          User Principal Name: -
          Home Directory: -
          Home Drive: -
          Script Path: -
          Profile Path: -
          User Workstations: -
          Password Last Set: 8/1/2006 12:15:10 PM
          Account Expires: -
          Primary Group ID: -
          AllowedToDelegateTo: -
          Old UAC Value: -
          New UAC Value: -
          User Account Control: -
          User Parameters: -
          Sid History: -
          Logon Hours: -
    Selection Criteria: Event ID 642
      For user changes it is important to distinguish whether the 642 is from a Windows 2000 or a Windows 2003 computer, since many 642s in 2003 are redundant because of other, more specific event IDs. To determine the OS version:
        Windows 2000: Changed Attributes will not be present in the description
        Windows 2003: Changed Attributes is present in the description
      First check whether the 642 matches the criteria for one of the other operations in this table. If so, it is a specific change, not a general change.
      Windows sometimes logs multiple 642s in relation to one operation from the point of view of the administrator.
      Windows logs multiple 642s in conjunction with new user accounts (624).
      Windows also logs 642s that are redundant because of event IDs that document specific actions such as password resets, enabling/disabling accounts, etc.
  Operation: Renamed
    Column Definition: From: [Old Account Name:] To: [New Account Name:]
    Selection Criteria: 685

Object Type: Group
  Operation: Created
    Column Definition: Created
    Selection Criteria: 635, 631, 658, 648, 653, 663
  Operation: Changed
    Column Definition: Changed; Sam Account Name: - Sid History: -
    Selection Criteria: 641, 639, 659, 649, 654, 664
  Operation: Deleted
    Column Definition: Deleted
    Selection Criteria: 638, 634, 662, 652, 657, 667
  Operation: Group Type Changed
    Column Definition: Group Type Changed From: [Security/Distribution] To: [Local/Global/Universal]; Security if Security Enabled in description, Distribution if Security Disabled in description
    Selection Criteria: 668

Object Type: Computer
  Operation: Created
    Column Definition: Created
    Selection Criteria: 645
  Operation: Changed
    Column Definition: See the General change column definition for User
    Selection Criteria: 646
  Operation: Deleted
    Column Definition: Deleted
    Selection Criteria: 647

Other Information
  Domain: [Target Account Domain:]
  Object: [Target Account Domain:]\[Target Account Name:]
  Type: use the Object Type column in the table above
  Performed by: [Caller Domain:]\[Caller User Name:] (n/a for Account Locked operations, 644)
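An added example (not from the document): the following Python implements the 642 handling described above. It detects the OS version from the presence of Changed Attributes:, gives the specific operations precedence over General change, and displays only the attributes that carry a value, or Not specified. The Windows 2003 sample is the document's own example event laid out line by line; the Windows 2000 sample and its layout (the first insertion string on the line before Target Account Name:) are assumptions.

```python
import re

KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

# Operations that other report groups already cover; a 642 matching one of these is a
# specific change, not a general change (and on Windows 2003 it is redundant).
SPECIFIC_OPERATIONS = (("account disabled", "Disabled"), ("account enabled", "Enabled"),
                       ("unlocked", "Unlocked"))


def split_642(description):
    """Split a 'User Account Changed:' description into the header fields, the
    Changed Attributes: list (Windows 2003 only) and the free-text first insertion
    string that Windows 2000 writes before the first field (layout assumed)."""
    header, attrs, first_string, in_attrs = {}, {}, [], False
    for line in description.splitlines()[1:]:
        m = KEY_RE.match(line)
        if not m:
            if not header and line.strip():
                first_string.append(line.strip())
            continue
        key, value = m.group(1), m.group(2)
        if key == "Changed Attributes":
            in_attrs = True
            continue
        (attrs if in_attrs else header)[key] = value
    return header, attrs, " ".join(first_string)


def describe_642(description):
    """Produce the report row (OS version, operation, change detail, account, performed
    by) following the document's rules for Windows 2000 and Windows 2003."""
    header, attrs, first_string = split_642(description)
    os_version = "Windows 2003" if "Changed Attributes:" in description else "Windows 2000"
    row = {
        "os": os_version,
        "account": "%s\\%s" % (header.get("Target Domain", ""), header.get("Target Account Name", "")),
        "performed_by": "%s\\%s" % (header.get("Caller Domain", ""), header.get("Caller User Name", "")),
        "redundant": False,
    }
    for marker, operation in SPECIFIC_OPERATIONS:
        if marker in description.lower():
            row["operation"], row["detail"] = operation, operation
            row["redundant"] = os_version == "Windows 2003"   # 629/626/671 already report it
            return row
    row["operation"] = "General change"
    if os_version == "Windows 2003":
        changed = {k: v for k, v in attrs.items() if v and v != "-"}
        row["detail"] = changed if changed else "Not specified"
    else:
        row["detail"] = first_string if first_string and first_string != "-" else "Not specified"
    return row


# Event 642 example from the document, laid out as the multi-line description Windows writes.
DOC_EXAMPLE_2003 = """User Account Changed:
\tTarget Account Name:\tgthomas
\tTarget Domain:\tS3DGROUP
\tTarget Account ID:\tS3DGROUP\\gthomas
\tCaller User Name:\tradmin
\tCaller Domain:\tS3DGROUP
\tCaller Logon ID:\t(0x0,0x34495)
\tPrivileges:\t-
\tChanged Attributes:
\tSam Account Name:\t-
\tDisplay Name:\t-
\tUser Principal Name:\t-
\tHome Directory:\t-
\tHome Drive:\t-
\tScript Path:\t-
\tProfile Path:\t-
\tUser Workstations:\t-
\tPassword Last Set:\t8/1/2006 12:15:10 PM
\tAccount Expires:\t-
\tPrimary Group ID:\t-
\tAllowedToDelegateTo:\t-
\tOld UAC Value:\t-
\tNew UAC Value:\t-
\tUser Account Control:\t-
\tUser Parameters:\t-
\tSid History:\t-
\tLogon Hours:\t-
"""

# Constructed Windows 2000 sample: the first insertion string precedes the fields (assumption).
CONSTRUCTED_2000 = """User Account Changed:
\tAccount Disabled.
\tTarget Account Name:\tgthomas
\tTarget Domain:\tS3DGROUP
\tCaller User Name:\tradmin
\tCaller Domain:\tS3DGROUP
"""
```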
Interpretation
This group documents all other changes to users, groups and computers including new and deleted objects. Sometimes Windows fails to report exactly what was changed which is reflected by Not specified.
Recommended Usage and Response
Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed. Provide it as needed to IT Audit to demonstrate compliance with account management procedures.
Documentation
This group is based on event ID 642, 685, 635, 631, 658, 648, 653, 663, 641, 639, 659, 649, 654, 664, 638, 634, 662, 652, 657, 667, 668, 645,646 and 647.
Authentication and Logons Compliance Events of Interest
Domain Account Authentication
Audit Policy Requirements
Category: Account Logon
Type: Success
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
Log Information to Aggregate
  Authentication Type: Authentication Type: (success); 672 = Kerberos TGT
  Account: Domain:\User Name:
  Server: Event 672: Computer.
Interpretation This group documents all authentications to domain controllers by users. Note that whenever such a user logs onto their own workstation or member server, this will generate a Network logon to a DC, since the user's workstation must access the domain controller under the user's credentials to apply Group Policy\User Configuration.
Recommended Usage and Response Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed.
Documentation This group is based on event ID 672.
Domain Account Authentication Failure Analysis
Audit Policy Requirements
Category: Account Logon
Type: Failure
Role: Domain Controllers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
Log Information to Aggregate
  Account: Domain:\User Name:
  Reason: See http://ultimatewindowssecurity.com/kerberrors.html for Kerberos errors and http://ultimatewindowssecurity.com/ntlmerrors.html for NTLM errors
  Domain Controller: Computer name from event header
  Workstation: Event 681: Workstation: or Worktation Name:; Events 672, 675, 676: Client Address:
  Authentication Protocol: Event 681: NTLM; Events 672, 675, 676: Kerberos
Interpretation This group documents all authentication failures to domain controllers by users. Note that whenever such a user logs onto their own workstation or member server, this will generate a Network logon to a DC, since the user's workstation must access the domain controller under the user's credentials to apply Group Policy\User Configuration.
Recommended Usage and Response Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed.
Documentation This group is based on event ID 672, 675, 676 and 681.
User Logons by Server Type
Audit Policy Requirements
Category: Logon/Logoff
Type: Failure
Role: Servers
SecureWorks Report:
  o Pre-Built Report Section: Monitoring
  o Report Name: Authentication and Logons Compliance Events of Interest Ad Hoc
Log Information to Aggregate
  Logon Type: Logon Type: %4 (see http://ultimatewindowssecurity.com/logontypes.html for translation)
  Domain:\User Name: User Name: %1, Domain: %2
  Server: Computer.
  Process: Logon Process
  ID: Logon ID (optional)
  Success/Failure: EventType from header; if failure, fill in the failure reason based on the event ID
Interpretation This group documents all logons to monitored servers.
Recommended Usage and Response Run the Active Directory and Member Server Compliance Events Ad Hoc report periodically and as needed.
Documentation This group is based on event ID 529 through 540, excluding 538.