Eventlog
Introduction
The Eventlog guest probe uses WMI to monitor Microsoft Windows event logs.
Features
- Specific event IDs
- Predefined security event IDs
Deployment
The eventlog probe can easily be deployed using our appliance manager.
Probe configuration
Configuring the eventlog probe is similar to configuring the WMI probe, as it is in essence an extension of the WMI probe.
- Address
  Address of the event log host you want to query; in most cases this is the same address as used for the WMI probe.
- Local configuration
  In most scenarios setting this to "wmi" is fine, as this is the default section for WMI credentials. See our credentials documentation for more advanced implementation scenarios.
Additional information
Security event log IDs monitored
ID | Description |
---|---|
4624 | Successful account logon |
4625 | Failed account logon |
4634 | An account was logged off |
4648 | A logon was attempted using explicit credentials |
4719 | System audit policy was changed |
4964 | Special groups have been assigned to a new logon |
1102 | The audit log was cleared; this can indicate an attacker covering their tracks |
4720 | A user account was created |
4722 | A user account was enabled |
4723 | An attempt was made to change the password of an account |
4725 | A user account was disabled |
4728 | A member was added to a security-enabled global group |
4732 | A member was added to a security-enabled local group |
4756 | A member was added to a security-enabled universal group |
4738 | A user account was changed |
4740 | A user account was locked out |
4767 | A user account was unlocked |
4735 | A security-enabled local group was changed |
4737 | A security-enabled global group was changed |
4755 | A security-enabled universal group was changed |
4772 | A Kerberos authentication ticket request failed |
4777 | The domain controller failed to validate the credentials of an account |
4782 | The password hash of an account was accessed |
4616 | The system time was changed |
4657 | A registry value was modified |
4697 | A service was installed in the system |
4698 | A scheduled task was created |
4699 | A scheduled task was deleted |
4700 | A scheduled task was enabled |
4701 | A scheduled task was disabled |
4702 | A scheduled task was updated |
4946 | A rule was added to the Windows Firewall exception list |
4947 | A rule was modified in the Windows Firewall exception list |
4950 | A Windows Firewall setting was changed |
4954 | Group Policy settings for Windows Firewall have changed |
5025 | The Windows Firewall service has been stopped |
5031 | Windows Firewall blocked an application from accepting incoming connections |
5152 | The Windows Filtering Platform blocked a packet |
5153 | A more restrictive Windows Filtering Platform filter blocked a packet |
5155 | The Windows Filtering Platform blocked an application or service from listening on a port |
5157 | The Windows Filtering Platform blocked a connection |
5447 | A Windows Filtering Platform filter was changed |
4663 | An attempt was made to access an object |
4688 | A new process has been created |
4670 | Permissions on an object were changed |
4672 | Special privileges were assigned to a new logon |
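The probe configuration above (a target address plus WMI credentials) and the ID table boil down to one WQL query against the Win32_NTLogEvent class of the remote host's Security log. The following PowerShell script is an added example of that query and is not the probe's own code: it pulls the listed IDs from a host over WMI (DCOM), labels each hit with the category it belongs to, and prints the first line of the message. The host name dc01.example.local, the 15-minute look-back window and the category names are assumptions made for the example.

```powershell
# Added example (not the probe's code): fetch the security event IDs listed in the
# table above from a remote host over WMI and label each hit by category.
param(
    [string]$ComputerName = 'dc01.example.local',   # assumed host name
    [int]$MinutesBack = 15                          # assumed look-back window
)

# Event IDs from the table, grouped into categories chosen for this example.
$Watched = @{
    Logon        = 4624, 4625, 4634, 4648, 4672, 4964, 4772, 4777
    Audit        = 1102, 4719, 4616
    Account      = 4720, 4722, 4723, 4725, 4738, 4740, 4767, 4782
    Group        = 4728, 4732, 4756, 4735, 4737, 4755
    Persistence  = 4657, 4697, 4698, 4699, 4700, 4701, 4702
    Firewall     = 4946, 4947, 4950, 4954, 5025, 5031, 5152, 5153, 5155, 5157, 5447
    ObjectAccess = 4663, 4670, 4688
}

# Reverse map: event ID -> category. EventCode comes back as UInt16, so lookups cast to [int].
$Label = @{}
foreach ($cat in $Watched.Keys) { foreach ($id in $Watched[$cat]) { $Label[$id] = $cat } }
$AllIds = $Watched.Values | ForEach-Object { $_ }

# Win32_NTLogEvent.TimeGenerated is compared as a DMTF date string inside WQL;
# restricting by time keeps the query from walking the entire Security log.
$Since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-$MinutesBack))
$IdFilter = ($AllIds | ForEach-Object { "EventCode = $_" }) -join ' OR '
$Query = "SELECT TimeGenerated, EventCode, ComputerName, Message " +
         "FROM Win32_NTLogEvent WHERE Logfile = 'Security' " +
         "AND TimeGenerated >= '$Since' AND ($IdFilter)"

# The probe takes these credentials from its configured section ("wmi" by default);
# here they are prompted for. The account needs remote WMI access plus the
# "Manage auditing and security log" right to read the Security log.
$Cred = Get-Credential -Message "Account with WMI and Security log read rights on $ComputerName"

# DCOM is what classic WMI uses; WSMan is the CIM default, so select DCOM explicitly.
$Opt = New-CimSessionOption -Protocol Dcom
$Session = New-CimSession -ComputerName $ComputerName -Credential $Cred -SessionOption $Opt
try {
    Get-CimInstance -CimSession $Session -Query $Query |
        Sort-Object TimeGenerated |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeGenerated
                Host     = $_.ComputerName
                EventId  = $_.EventCode
                Category = $Label[[int]$_.EventCode]
                Summary  = ($_.Message -split "`r?`n")[0]
            }
        } | Format-Table -AutoSize
}
finally {
    Remove-CimSession $Session
}
```

Two practical notes when using a list like this: 4624 and 4634 fire for every network and service logon and will dominate the output on a domain controller, so in production filter them by logon type or sample them rather than alerting on each one; and 1102, 4719, 5025 and 4616 are the events an attacker needs to suppress or tamper with in order to hide, so those are the ones to alert on unconditionally.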