ACS Noise Filter Guide
PREPARED FOR:
Microsoft Global Foundation Services
- Online Services Security
and Compliance
PREPARED BY:
Secure Vantage Technologies, Inc.
Confidential & Proprietary Information Copyright © 2010 All Rights Reserved
Use or Disclosure of this data is subject to the restriction on the cover of this document. Copyright © 2010 Secure Vantage Technologies (SVT)
2450 Louisiana Suite 400-166 Houston, TX 77006.
CONFIDENTIAL & PROPRIETARY
The Secure Vantage ® Technologies (“SVT ®”) ACS Noise Filter Guide which follows contains information and data which is privileged, confidential, and/or proprietary to SVT. This information and data is commercially sensitive and/or financial in nature, is not made available for public review, and is submitted on a confidential basis only in response to a specific customer request. The information contained herein is protected, among other things by the Trade Secrets Act, as codified, and any improper use, distribution, or reproduction is specifically prohibited. No license or right of any kind whatsoever is granted to any third party to use the information contained herein unless a written agreement exists between SVT and the third party which desires access to the information. The information contained herein is submitted for purposes of review and evaluation in connection with SVT’s response to the specific request denoted herein. No other use of this document or any portion of the information and data contained herein is permitted without the express written permission of SVT. Under no condition should the information contained herein be provided in any manner whatsoever to any third party without first receiving the express written permission of SVT.
1 EXECUTIVE SUMMARY
2 APPROACH
  General Approach to Creating an ACS Noise Filter
3 DIFFERENCE BETWEEN SECURITY EVENT LOG AND ACS FORMATS
4 IDENTIFY EVENTS TO BE EXCLUDED
  Identify Audit and Corporate Policies
  Identifying High Volume Events
5 NOISE FILTER SYNTAX FORMAT
6 APPLYING AN ACS FILTER
  Command Syntax
  Sample: Loading Filter
7 COMMON NOISE FILTER LISTS
  Common Security Identifiers
  Common Event Conditions List
  Logon Types
  AdtsEvent Details
  Audit Record Flags
  Example of Adding Common Security Groups to Filters
8 FILTER CREATION BEST PRACTICE
  Exclusive Filters
  Review Filter Performance
  Record the Filter in a Secondary Location
  Include Relevant Events
9 FILTER LIMITATIONS
  Character Limit
  Object Limitation
  WQL is not SQL
  Complexity Limitations
10 SAMPLE NOISE FILTERS
  FS1001: Windows Server Essential Filter
    Filter Scope
    Filter Syntax
  FS1002: Windows Server Reasonable Filter
    Filter Scope
    Filter Syntax
  FS1003: Windows Server Rational Filter
    Filter Scope
    Filter Syntax
  FS1004: Windows Server Authentication Computer$ Filter
    Filter Scope
    Filter Syntax
  FS1005: Service Account Authentication Success Filter
    Filter Scope
    Filter Syntax
  FS1006: Base Reporting Filter
    Filter Syntax
  FS1007: Base Reporting (File Auditing) Filter
    Filter Syntax
  FS1008: Base Reporting (File Auditing & Directory Services)
    Filter Syntax
  FS1009: Base Reporting (File Auditing, Directory Services, All Non-System Logons) Filter
    Filter Syntax
11 REFERENCES
1 EXECUTIVE SUMMARY
The Microsoft Audit Collection Services (ACS) collects and stores the Security Event Log from
the Microsoft Windows operating systems. These events provide an audit trail of security related
and system activities for system administrators, security administrators, and internal auditors.
The ACS system can manage a collection rate approaching 6000 transactions per second
(trans/sec), but some information is deemed to have little value from a security standpoint.
If all auditing is enabled on all systems in an Active Directory domain there would be a
tremendous volume of data to sift through to track specific events and sequences. To improve
audit value and reduce the load on the servers and on the network involved, only the necessary
audit settings should be enabled. Additionally, only those events of specific interest should be
forwarded on to Microsoft's Audit Collection Service database.
This document provides suggested guidelines for developing a WMI Query Language (WQL) query
that removes extraneous data from the ACS stream. The following sections include common
sample queries, guidelines and a general process for creating the ACS noise filter.
2 APPROACH
General Approach to Creating an ACS Noise Filter
Creating an ACS noise filter involves the following steps:
1. Identify audit policies and affected systems
   - This data may be found in the Baseline to Support Audit Requirements
2. Identify events to be filtered
   - Audit policies
   - High volume events
3. Determine event specific criteria
4. Create the ACS noise filter
5. Apply the filter to the ACS system
3 DIFFERENCE BETWEEN SECURITY EVENT LOG AND ACS FORMATS
Audit Collection Service stores data in a different format than the Windows Security Event Log.
The Security Event Log stores values in series of incrementing parameters named Parameter1,
Parameter2, Parameter3, etc. As the data is stored in ACS, the information is transformed by
ACS into fields in the dvAll view.
During this data transformation process, the ACS system stores some of the parameter values in
String fields and some in the Header fields. String fields are named String01, String02, etc. The
header values are prefixed with Header, Primary, Client, and Target.
Although all Security Event Log data is captured and stored in ACS, there is no direct correlation
between the position of Parameters in the Security Event Log and their stored location in the
ACS database. The best process for identifying the parameters in ACS is to generate the event in
the Security Event Log and then find the corresponding event in the ACS system.
Figure 1 shows a sample of how the event viewer and string details have been mapped to an ACS
event. Please note how String01 in the ACS event was originally Parameter09 from the Event
Details as shown in the Event Viewer. The EventSchema.xml provides the mappings and
conversions for all Events.
Figure 1: ACS to Security Event Log Mapping
Note that when comparing events in a local Security Event Viewer with those in ACS, it is important to
understand that both sources contain the same raw data but store and display the information slightly
differently. The Event Details from the Event Viewer and the ACS Strings will rarely match in
ordering, i.e. Param01 will not equal String01 in ACS.
4 IDENTIFY EVENTS TO BE EXCLUDED
A key aspect of noise filter creation is identifying the events to exclude from the system. This section provides a guideline for identifying events to exclude. The two primary steps in this process are:
1. Identify audit and corporate policies
2. Identify high volume events
Identify Audit and Corporate Policies
The creation of any filter must support the objectives of any regulatory or corporate policies. The exclusion of any events may impact the ability to meet these policies. Before creating any filters, it is necessary to understand how removing the specific events will affect the ability to meet these requirements.
Identifying High Volume Events
High volume events can be identified through two processes. The first is through the Secure Vantage Integrity Manager product. Customers may use the following query to identify high volume events:
SELECT [EventId], [S/F], count(*) FROM AdtServer.dvHeader GROUP BY [EventId], [S/F]
5 NOISE FILTER SYNTAX FORMAT
The ACS noise filter syntax uses the following format:
SELECT * FROM AdtsEvent WHERE conditionals
The default filter query is:
SELECT * FROM AdtsEvent
When writing the conditions for the query, string values must be enclosed within single
quotes (') and not double quotes (").
6 APPLYING AN ACS FILTER
To apply a filter to ACS, the user must sign on to the server containing the ACS
Collector. The following steps will allow the user to access the collector:
1. Open a Command Prompt*
2. Navigate to the following directory within the command prompt:
   C:\Windows\System32\Security\AdtServer
3. Execute the following command:
   AdtAdmin.exe -setquery -query:"Select * from AdtsEvent"
*On Windows 2008 Servers the user will require the command console to run with elevated privileges.
The query portion of the AdtAdmin command must be placed within double quotes. Samples of
valid queries are included at the end of this document.
Command Syntax
AdtAdmin.exe /SetQuery [/Collector:CollectorName] /Query:QuerySyntax
Sample: Loading Filter
adtadmin /setquery /collector:"Collector Name" /query:"SELECT *
FROM AdtsEvent WHERE NOT(EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR
EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND
EventId<=771) OR (EventId>=832 AND EventId<=841))"
7 COMMON NOISE FILTER LISTS
Common Security Identifiers
Multiple ways exist for accounts to sign on to Microsoft Windows. Some events will record
the account in one format, while another event will record the account in a different format.
Between the events, however, there is one unique field which remains identical: the Security
Identifier. It is recommended that filters reference accounts by Security Identifier when feasible.
Security identifiers for common accounts are included below:
Account         | Security Identifier
Local System    | S-1-5-18
Local Service   | S-1-5-19
Network Service | S-1-5-20
Table 1: Common Security Identifier Values
Common Event Conditions List
The following list of events is commonly generated by the Microsoft Windows Operating
System. The list presented here is not a complete list of events generated, only those most
commonly found.
Event Id (1) | Name | Common Condition | Description
538, 4634 | User Logoff | Logon Type = 3 and User Name contains $ | This event only indicates the time a user or system account logs off. This does not mean the user actually stopped using the system, only that a connection to the system was closed.
528, 540, 4624 | User Logon | Where User Name contains $ or = X | Some Service and System accounts generate excessive activity while doing normal approved activities. Filtering these accounts can greatly reduce load when collecting successful logon events. Consider adding Event 538/4634 and 680/4776 if not already filtering those events.
551, 4647 | User logoff initiated | n/a | The event indicates the user initiated a logoff, but does not indicate the user successfully logged off the system. To record successful logoffs, review event 538/4634.
560, 4656 | Object Open | Various | This event tracks both successful and failure object events. Object Open events may create many events and activating this audit policy may require careful filtering.
562, 4658 | Object Handle Closed | n/a | Handle close events record when an object is closed. This can identify how long an object was opened, but contains no other information of use.
565, 4661 | Object Open (Active Directory) | Various | Event 565/4661 identifies accesses to Active Directory monitored objects similar to event 560/4656.
571 | Client Context deleted by Authorization Manager | n/a | Event 571 is normally found when Authorization Manager (AzMan) is active and in use. Windows 2008 event
573 | Process generates nonsystem audit | n/a | Event 573 is normally found when Authorization Manager (AzMan) is active and in use.
577, 578, 4673, 4674 | Privilege Use Events | n/a | Privilege Use events may generate large quantities of activity. When activated, filtering on this object may require special consideration.
594, 595, 4690 | Process Tracking events | n/a | Process tracking events allow users to track which applications are accessed by user and the system accounts. However, these events generate large quantities of activity and turning the Detailed Tracking audit policy on should be reviewed.
596, 597, 4692, 4693, 4694, 4695 | Indirect access to an object was obtained | DPAPI Backup and recovery operations | Normally these operations do not need to be tracked.
624, 4720 | User Account Created | where New Account Name ends with '$' | A domain user has created or connected a new computer account to the domain. This may be normal activity if users have this right.
627, 4723 | Change Password Attempt | where User equals 'System' and Target Account Name equals 'TsInternetUser' and Caller User Name ends with '$' | This is normal behavior of a computer that runs Terminal Services.
672, 673, 674, 675, 676, 4768, 4769, 4770, 4771, 4772 | Kerberos AS Ticket Events | Where User Name contains $ | Windows Computers generate many Kerberos events as the system checks for group policy updates and other information in the Active Directory.
Table 2: Common Events
(1) Windows 2003 Security Events generally have values between 500 and 700. Windows 2008 Security Events generally have values greater than 4000.
Logon Types
The logon events use various logon types which can be useful in filtering out undesirable events.
These types are summarized below:
Logon Value | Logon Type | Description
2 | Interactive | User logged onto the computer directly.
3 | Network | An account or computer logged on to this computer through the network.
4 | Batch | When a process executes on behalf of a user without their direct intervention the server will use the Batch logon type.
5 | Service | Created when the Service Control Manager starts a service.
7 | Unlock | This workstation was unlocked.
8 | NetworkCleartext | An account logged on through the network, but the password was not hashed before passing to the authentication package.
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 | RemoteInteractive | Occurs when a user logs on to the computer using Terminal Services or Remote Desktop.
11 | CachedInteractive | A network account logged on to the computer, but the computer used previously cached credentials to verify the account. A domain controller was not contacted during this log on process.
Table 3: Logon Type Values
AdtsEvent Details
The table below describes the available fields in the AdtsEvent object.
Field Name | Type | Description | Sample
EventID | uint32 | Event Id is the Windows Security Log Event Number | 528
SequenceNo | uint32 | Dynamic value, do not filter on this field | 1056403
Flags | uint32 | See AuditRecordFlags enumeration below | 0x01
Type | uint32 | 8=success, 16=failure, all ACS Events 4=info | 8
Category | uint32 | Category ID | 7
CreationTime | uint64 | FILETIME, UTC, time audit was created | 8/5/2008 9:14:56 PM
CollectionTime | uint64 | FILETIME, UTC, time audit arrived at AdtServer | 8/5/2008 9:14:58 PM
AgentMachine | String | Name of machine that sent the event | MMS2008\SQL2005$
EventMachine | String | Name of machine in event header | SQL2005
Log | String | Log where Event originated | Security
Source | String | Log Source where Event originated | Security
HeaderSid | String | User SID in Header of Event | S-1-5-21-3936682612-297840751-2861477581-500
HeaderUser | String | User Name in Header of Event | Administrator
HeaderDomain | String | User Domain in Header of Event | MMS2008
PrimarySid | String | Primary User SID in Event Details | S-1-5-21-1468679-3930941156-3931375250-1020
PrimaryUser | String | Primary User Name in Header of Event | test41
PrimaryDomain | String | Primary User Domain in Header of Event | SQL2005
PrimaryLogonId | uint64 | Primary User LogonID in Event Details | 0
ClientSid | String | Client User SID in Event Details | S-1-5-21-3936682612-297840751-2861477581-500
ClientUser | String | Client User Name in Header of Event | Administrator
ClientDomain | String | Client User Domain in Header of Event | MMS2008
ClientLogonId | uint64 | Client User LogonID in Event Details | 541879972
TargetSid | String | Target SID in details of Event | S-1-5-32-547
TargetUser | String | Target Name in details of Event | Power User
TargetDomain | String | Target Domain in details of Event | Builtin
String01 through String22 | String | Event detail attributes | Varies
Table 4: AdtsEvent Object Field Description
Audit Record Flags
The ACS system generates various events during its collection process. These audit record flags
are not stored with the ACS records, but may assist in identifying any issues with the event
collection system.
Flag | Name | Description
0x00 | arfNone | No description
0x01 | arfRealTime | Event was collected in real time, not from backlog at forwarder connect
0x02 | arfTruncated | Event strings truncated
0x04 | arfPseudo | Event is an ACS intrinsic event (e.g. gap detected), not an event log event
0x08 | arfUnknown | No transformation information available for this event
0x10 | arfCorrupt | Event is corrupt
Table 5: ACS Error Codes
Example of Adding Common Security Groups to Filters
The following example adds a common security group condition to an ACS filter.
Event 560/4656
These events record file and folder access attempts, which can result in system accounts
generating additional activity that is not desirable. The following filter conditions exclude
the object-open events raised by the Local System and Local Service accounts (see Table 1).
SELECT * FROM AdtsEvent WHERE NOT ((EventId=560 AND (HeaderSid = 'S-1-5-18' OR HeaderSid = 'S-1-5-19')) OR (EventId=4656 AND (PrimarySid = 'S-1-5-18' OR PrimarySid = 'S-1-5-19')))
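Before a filter of this shape is loaded with AdtAdmin, it can be dry-run against a few sample records. The Python below is an added example, not code from this guide or from ACS: it parses the WQL subset these filters use (the grammar and the case-insensitive comparison are assumptions) and applies a filter like the one above, using event 560 and its Windows 2008 counterpart 4656 from Table 2, to constructed AdtsEvent records.

```python
import operator
import re

# Added example, not ACS or SVT code: dry-runs an ACS noise filter over constructed
# AdtsEvent records by evaluating the WQL subset such filters use: SELECT * FROM AdtsEvent
# [WHERE ...] with =, <>, <, <=, >, >=, AND, OR, NOT, parentheses, numbers and 'strings'.
TOKEN_RE = re.compile(r"\s*(?:(?P<NUM>\d+)|'(?P<STR>[^']*)'|(?P<OP><=|>=|<>|!=|=|<|>)"
                      r"|(?P<ID>[A-Za-z_]\w*)|(?P<PUNCT>[()])|(?P<BAD>\S))")
HEAD_RE = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+AdtsEvent\s*(?:WHERE\b(.*))?$", re.I | re.S)
OPS = {"=": operator.eq, "<>": operator.ne, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def tokenize(text):
    """Split a WHERE clause into (kind, value) tokens; a double quote is an error."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind = m.lastgroup
        if kind == "BAD":
            raise ValueError(f"unexpected {m.group(kind)!r}: strings need single quotes")
        value = m.group(kind)
        if kind == "NUM":
            value = int(value)
        elif kind == "ID" and value.upper() in ("AND", "OR", "NOT"):
            kind, value = "KW", value.upper()
        tokens.append((kind, value))
    return tokens

class Parser:  # recursive descent; precedence NOT > AND > OR (assumed, as in WQL)
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("EOF", None)
    def take(self, kind=None, value=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise ValueError(f"expected {kind} {value!r}, got {tok}")
        self.i += 1
        return tok
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("KW", "OR"):
            self.take(); node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("KW", "AND"):
            self.take(); node = ("and", node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() == ("KW", "NOT"):
            self.take(); return ("not", self.parse_not())
        if self.peek() == ("PUNCT", "("):
            self.take(); node = self.parse_or(); self.take("PUNCT", ")")
            return node
        field, op = self.take("ID")[1], self.take("OP")[1]
        kind, value = self.take()
        if kind not in ("NUM", "STR"):
            raise ValueError(f"{field}: compare against a number or a 'string'")
        return ("cmp", field, op, value)

def parse_filter(query):
    """Return the WHERE-clause AST, or None for the default SELECT * FROM AdtsEvent."""
    m = HEAD_RE.match(query)
    if not m: raise ValueError("filter must be SELECT * FROM AdtsEvent [WHERE ...]")
    if m.group(1) is None:
        return None
    parser = Parser(tokenize(m.group(1)))
    node = parser.parse_or()
    parser.take("EOF")                      # no trailing junk allowed
    return node

def evaluate(node, event):
    """Names and string values compare case-insensitively; a missing property never matches."""
    if node[0] == "not":
        return not evaluate(node[1], event)
    if node[0] in ("and", "or"):            # short-circuits like the operators
        left = evaluate(node[1], event)
        return evaluate(node[2], event) if left == (node[0] == "and") else left
    _, field, op, wanted = node
    actual = {k.lower(): v for k, v in event.items()}.get(field.lower())
    if isinstance(wanted, str):
        return actual is not None and OPS[op](str(actual).lower(), wanted.lower())
    return actual is not None and OPS[op](actual, wanted)  # numeric fields hold ints

def apply_filter(query, events):
    """Return the records an ACS noise filter would let through to the collector."""
    ast = parse_filter(query)
    return [e for e in events if ast is None or evaluate(ast, e)]

# Filter in the style of the guide's security-group example (560 plus its 2008 counterpart 4656)
GROUP_FILTER = ("SELECT * FROM AdtsEvent WHERE NOT ((EventId=560 AND (HeaderSid='S-1-5-18' OR "
                "HeaderSid='S-1-5-19')) OR (EventId=4656 AND (PrimarySid='S-1-5-18' OR PrimarySid='S-1-5-19')))")
SAMPLE_EVENTS = [  # constructed records, not real ACS data
    {"EventId": 560, "HeaderSid": "S-1-5-18", "HeaderUser": "SYSTEM"},
    {"EventId": 560, "HeaderSid": "S-1-5-21-1468679-3930941156-3931375250-1020", "HeaderUser": "test41"},
    {"EventId": 4656, "PrimarySid": "S-1-5-19", "PrimaryUser": "LOCAL SERVICE"},
    {"EventId": 4624, "PrimarySid": "S-1-5-18", "PrimaryUser": "SYSTEM"},
]
```

Running apply_filter(GROUP_FILTER, SAMPLE_EVENTS) keeps only the user's 560 event and the 4624 logon, which is the behaviour to confirm in the ACS database after the real filter is loaded.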
8 FILTER CREATION BEST PRACTICE
Creating a filter requires an investment in time and effort. In general, however, a well-designed
filter will follow the guidelines below; each is given together with the reason it is considered best practice:
Exclusive Filters
Exclusive filters include the NOT operator immediately after the WHERE clause. Exclusive filters
identify the specific items the system is not to collect, allowing all other items to pass into ACS.
Inclusive filters allow only data which passes the select criteria into the ACS system.
Given the volume of events in ACS and the style of security data collected, it is recommended to
use exclusive filters.
Review Filter Performance
After applying a filter, it is vital the data in the ACS database be reviewed to ensure the filter is
functioning properly. In production systems this may be problematic as the creation of events
may not be under the control of the person implementing the filter, but normally a review after a
single day of activity is gathered is sufficient to determine the filter is functioning properly or
not.
Record the Filter in a Secondary Location
Once created, the filter should be archived to a controlled and backed up data repository to
ensure disaster recovery should the ACS system or network cause unplanned outages.
Additionally, keeping a second copy of the query allows for a quick restore to a previous known
configuration should a recently applied query not behave as anticipated.
Include Relevant Events
It is inefficient, and unnecessary, to filter out events which are not being generated. A Noise
filter performs a line by line comparison of the incoming data stream. This comparison could
negatively impact the performance of the system if it is checking for events which are not being
collected by audit policy.
Ideally, proper analysis of the ACS data will group the events into three categories:
- High volume events which must be filtered
- Events which must not be filtered
- Low volume events which may be filtered
Focusing on filtering high volume events will keep the machines tuned and ACS running
optimally while providing sufficient audit criteria.
9 FILTER LIMITATIONS
WMI and ACS have limitations related to them which may affect filter creation. This section
identifies some limitations and the specifics of them where they are known:
Character Limit
The system may accept a query 4800 characters in length. This is the maximum potential
character limit. Due to required characters, command prompt executable length, and system
limitations, the actual limit may be shorter than 4800 characters.
Object Limitation
WQL accepts close to 500 objects. An "object" may be loosely defined as a single
occurrence of a 'field' in the WHERE clause. However, as the complexity of the query increases,
it has been observed that the object limit tends to decrease.
WQL is not SQL
WQL provides many similar functions and structurally the syntax resembles a SQL or T-SQL
command. However, WQL does not provide full SQL functionality. In particular, WQL does
not provide:
- Advanced text manipulation (Left, Right, Substring, etc.)
- 'Joining' of objects
- 'Subselect' statements
Complexity Limitations
WQL has limits on the complexity of the 'WHERE clause' allowed. These limits are undefined,
but it is known that too many "AND" and "OR" keywords may cause the filter to not function.
Fortunately, this simply results in the system accepting all data as if the filter was not present.
Unfortunately, no outward indication that the system has reached this limit is provided when the filter
is applied. The only true test is to review the data after filter creation and ensure it behaves as
expected.
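Because an over-complex filter silently admits everything, it helps to generate filters mechanically and measure them against these limits before loading them. The Python below is an added example, not tooling from this guide, SVT or Microsoft: it builds an exclusive filter from a list of event ids, collapsing consecutive ids into ranges the way the guide's samples do, and reports the character count and an approximate object count against the 4800-character and 500-object figures above (the object count is a simple "field followed by operator" tally, an assumption).

```python
import re

# Added example, not ACS or SVT code: builds an exclusive noise filter from a list
# of event ids, collapsing consecutive ids into (EventId>=lo AND EventId<=hi) ranges
# as the guide's samples do, and checks the result against the two limits the guide
# states: 4800 characters and roughly 500 objects (field occurrences in WHERE).
MAX_QUERY_CHARS = 4800
MAX_OBJECTS = 500
FIELD_USE_RE = re.compile(r"\b[A-Za-z_]\w*\s*(?:<=|>=|<>|!=|=|<|>)")

def collapse_ranges(event_ids):
    """[551, 594, 595, 596, 597] -> [(551, 551), (594, 597)]"""
    ids = sorted(set(event_ids))
    if not ids:
        return []
    ranges, start, prev = [], ids[0], ids[0]
    for i in ids[1:]:
        if i != prev + 1:
            ranges.append((start, prev))
            start = i
        prev = i
    ranges.append((start, prev))
    return ranges

def range_term(lo, hi):
    """One term per range. A pair costs two objects either way, so it stays as two
    equalities, matching the guide's samples (EventId=577 OR EventId=578)."""
    if lo == hi:
        return f"EventId={lo}"
    if hi == lo + 1:
        return f"EventId={lo} OR EventId={hi}"
    return f"(EventId>={lo} AND EventId<={hi})"

def build_exclusive_filter(event_ids, extra_terms=()):
    """Exclusive filter (NOT right after WHERE): only the named events are dropped.
    extra_terms are ready-made conditions, e.g. "(EventId=560 AND HeaderSid='S-1-5-18')",
    OR-ed in unchanged."""
    terms = [range_term(lo, hi) for lo, hi in collapse_ranges(event_ids)]
    terms.extend(extra_terms)
    if not terms:
        return "SELECT * FROM AdtsEvent"          # the default filter
    return "SELECT * FROM AdtsEvent WHERE NOT (" + " OR ".join(terms) + ")"

def count_objects(query):
    """Approximate object count: every 'Field <op>' occurrence in the WHERE clause."""
    _, _, where = query.partition("WHERE")
    return len(FIELD_USE_RE.findall(where))

def check_limits(query):
    """The figures the guide says to watch before loading a filter with AdtAdmin."""
    chars, objects = len(query), count_objects(query)
    return {"chars": chars, "objects": objects,
            "within_char_limit": chars <= MAX_QUERY_CHARS,
            "within_object_limit": objects <= MAX_OBJECTS}

# Windows 2003 event ids from the guide's FS1001 Windows Server Essential filter, in any order
ESSENTIAL_IDS = [551, 562, 573, 577, 578, 697, *range(594, 598), *range(768, 772), *range(832, 842)]

if __name__ == "__main__":
    query = build_exclusive_filter(ESSENTIAL_IDS)
    print(query)
    print(check_limits(query))
```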
10 SAMPLE NOISE FILTERS
This section provides some sample filters for commonly used objectives. Before applying any of
these filters it is necessary to ensure these filters will meet specific corporate goals.
FS1001: Windows Server Essential Filter
The Windows Server Essential filter provides a basic filter set that should be considered in any
ACS environment if applicable based on audit policy. Additionally, the filters may require some
modification based on the specific objectives.
Filter Scope
Event (1) | Description | Filter Rationale
551, 4647 | User initiates logoff | Event 538/4634 confirms logoff, use instead if you want to collect logoffs.
562, 4658 | A handle to an object closed | Always records a success
573 (2) | Process generates nonsystem audit event with Authorization Application Programming Interface (AuthZ API) | MS defined Typical Behavior
577, 578, 4673, 4674 | Privilege service called, privileged object operation | Very high volume events that provide little information to act upon or understand in most cases.
594, 4690 | A handle to an object was duplicated | An object already successfully opened (event id 560/4656) was duplicated with no change to access.
595 | Indirect access to an object was obtained | MS Reported Event similar to event 594/4690
596 | Backup of data protection master key | Occurs every 90 days automatically with default settings
597 | Recovery of data protection master key | This message is logged for informational purposes only per MS.
697 | Password policy checking API called | Generated when "enforced password policy" is checked on SQL Server 2005 running on Windows 2003
768 (2) | Forest namespace collision | MS defined Not Security Related
769, 770, 771 | Trusted forest information added, deleted or modified | Normal operations of inter-forest trusts. Not to be confused with addition, deletion, or modification of the trust itself.
832 - 841 (2) | Various Active Directory replication issues | MS defined no security implications
21
Confidential & Proprietary Information Copyright © 2010 All Rights Reserved
Use or Disclosure of this data is subject to the restriction on the cover of this document. Copyright © 2010 Secure Vantage Technologies (SVT)
2450 Louisiana Suite 400-166 Houston, TX 77006.
1Not all Windows 2003 events were identified to have a Windows 2008 equivalent
2 http://technet.microsoft.com/en-us/library/cc875806.aspx
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=4647 OR EventId=562 OR EventId=4658 OR EventId=573 OR EventId=577 OR EventId=4673 OR EventId=578 OR EventId=4674 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR EventId=4690 OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841))
FS1002: Windows Server Reasonable Filter
The Windows Server Reasonable filter extends the Essential filter with exclusions that are acceptable in most environments and remove considerable noise.
Filter Scope

Event | Condition | Filter Rationale
538, 4634 | User initiates logoff | This event only indicates the time at which the user or the system initiated logoff. It does not mean the user actually stopped using the system.
672, 4772, 4768 | Kerberos AS Ticket Request | If you collect logon events 528, 540 and 4624 from all computers, this event only adds that a Kerberos Ticket Granting Ticket was granted. As a service ticket (event 673, 4769, 4773) must still be granted for any access to occur, this event may be redundant. Note that this event can be associated with smart card logons, if applicable.
680, 4776 | Account Logon | If you collect logon events 528, 540 and 4624 from all computers, this event only records validation of the account credentials. Separate logon events record what the user accessed; this event may be redundant.
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT (EventId=538 OR EventId=4634 OR EventId=672 OR EventId=4772 OR EventId=4768 OR EventId=680 OR EventId=4776)
FS1003: Windows Server Rational Filter
The Windows Server Rational filters go beyond raw event ID filtering to filter on the target of the event as well. Use them where applicable. Note that Account Management events, and the 637 event in particular, do not occur as frequently as other event types such as Logon/Logoff. Filtering event 637 may therefore add complexity to your filter without removing much 'noise' overall (depending on your audit policy).
Filter Scope

Event (1) | Condition | Filter Rationale
571 | Client context deleted by Authorization Manager | Normal activity where Authorization Manager is active and in use.
624, 4720 | User account created where the new account name ends with '$' | A domain user has created or connected a new computer account to the domain. This may be normal activity if users have this right.
627, 4723 | Change password attempt where User equals 'System', Target Account Name equals 'TsInternetUser' and Caller User Name ends with '$' | This is normal behavior of a computer that runs Terminal Services.

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT (EventId=571 OR (TargetUser LIKE '%$' AND (EventId=624 OR EventId=4720)) OR (HeaderUser='System' AND ClientUser LIKE '%$' AND TargetUser='TsInternetUser' AND (EventId=627 OR EventId=4723)))
FS1004: Windows Server Authentication Computer$ Filter
The Windows Server Authentication Computer$ filter excludes common computer account logon traffic.
Filter Scope

Event (1) | Condition | Filter Rationale
538, 540, 4624, 4634 | Where Logon Type = 3 and User Name contains $ | Windows computers generate many logon/logoff events on DCs as they frequently check for Group Policy updates and query other information in AD. Note that Filter Set 1002 already excludes events 538/4634.
672, 673, 674, 675, 676, 4768, 4769, 4770, 4771, 4772 | Where User Name contains $ | Windows computers generate many Kerberos events as they frequently check for Group Policy updates and query other information in AD. Note that Filter Set 1002 already excludes events 672, 4768 and 4772.

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT (((EventId=538 OR EventId=540 OR EventId=4624 OR EventId=4634) AND String01='3' AND HeaderUser LIKE '%$%') OR (ClientUser LIKE '%$%' AND (EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772)))
FS1005: Service Account Authentication Success Filter
The Service Account Authentication Success filter shows how to filter logons for specific user accounts, or for patterns within an account name such as admin or sys. Such filters are commonly used for service and system accounts that run frequently on all systems, such as antivirus or backup programs. Note that this filter covers 'Success' activity only; all logon failure activity should be collected.
Filter Scope

Event | Condition | Filter Rationale
528, 540, 4624 | Where User Name contains $ or = X | Some service and system accounts generate excessive activity while doing normal approved work. Filtering these accounts can greatly reduce load when collecting successful logon events. Consider adding events 538/4634 and 680/4776 if those events are not already filtered.
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser LIKE '%ADM_%' OR HeaderUser LIKE '%SYS_%') AND (EventId=528 OR EventId=540 OR EventId=4624))
FS1006: Base Reporting Filter
The Base Reporting Filter excludes event categories on which some organizations do not need to report. It is useful for removing entire categories of events when, for whatever reason, it is desirable to keep the audit policies in place but not report on the events.
The Base Reporting Filter removes the following items:

Event (1) | Condition | Filter Rationale
All Object Access events (560, 561, 562, 563, 564, 567, 4656, 4657, 4658, 4659, 4660, 4661, 4663, 4664, 4665, 4666, 4667, 4668, 4670, 4671, 4685, 4690, 4691, 4698, 4699, 4700, 4701, 4702, 4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898, 4899, 4900, 4985, 5031, 5120, 5140, 5142, 5143, 5144, 5145, 5148, 5149, 5150, 5151, 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159, 5168, 5888, 5889) | None | Removal of all events of the Object Access category.
All Detailed Tracking events (592, 593, 594, 595, 600, 601, 602, 861, 4688, 4689, 4692, 4693, 4694, 4695, 4696, 4816, 5712) | None | Removal of all events of the Detailed Tracking category.
All Directory Services Access events (565, 566, 4661, 4662, 4928, 4929, 4930, 4931, 4932, 4933, 4934, 4935, 4936, 4937, 5136, 5137, 5138, 5139, 5141) | None | Removal of all events of the Directory Services Access category.
Logon/Logoff events (528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 551, 552, 682, 683, 4624, 4625, 4634, 4647, 4648, 4650, 4651, 4652, 4653, 4654, 4655, 4672, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 4976, 4977, 4978, 4979, 4980, 4981, 4982, 4983, 4984, 5451, 5452, 5453, 5632, 5633, 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280) | All successful logon events and logon/logoff events for system accounts | Removal of all successful logon events and of logon/logoff events for system accounts.

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT (((Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$%')) AND (EventId=528 OR EventId=529 OR EventId=530 OR EventId=531 OR EventId=532 OR EventId=533 OR EventId=534 OR EventId=535 OR EventId=536 OR EventId=537 OR EventId=538 OR EventId=539 OR EventId=540 OR EventId=551 OR EventId=552 OR EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=677 OR EventId=678 OR EventId=679 OR EventId=680 OR EventId=681 OR EventId=682 OR EventId=683 OR EventId=4624 OR EventId=4625 OR EventId=4634 OR EventId=4647 OR EventId=4648 OR EventId=4650 OR EventId=4651 OR EventId=4652 OR EventId=4653 OR EventId=4654 OR EventId=4655 OR EventId=4672 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4773 OR EventId=4774 OR EventId=4775 OR EventId=4776 OR EventId=4777 OR EventId=4778 OR EventId=4779 OR EventId=4800 OR EventId=4801 OR EventId=4802 OR EventId=4803 OR EventId=4964 OR EventId=4976 OR EventId=4977 OR EventId=4978 OR EventId=4979 OR EventId=4980 OR EventId=4981 OR EventId=4982 OR EventId=4983 OR EventId=4984 OR EventId=5451 OR EventId=5452 OR EventId=5453 OR EventId=5632 OR EventId=5633 OR EventId=6272 OR EventId=6273 OR EventId=6274 OR EventId=6275 OR EventId=6276 OR EventId=6277 OR EventId=6278 OR EventId=6279 OR EventId=6280)) OR EventId=560 OR EventId=561 OR EventId=562 OR EventId=563 OR EventId=564 OR EventId=567 OR EventId=4656 OR EventId=4657 OR EventId=4658 OR EventId=4659 OR EventId=4660 OR EventId=4661 OR EventId=4663 OR EventId=4664 OR EventId=4665 OR EventId=4666 OR EventId=4667 OR EventId=4668 OR EventId=4670 OR EventId=4671 OR EventId=4685 OR EventId=4690 OR EventId=4691 OR EventId=4698 OR EventId=4699 OR EventId=4700 OR EventId=4701 OR EventId=4702 OR EventId=4868 OR EventId=4869 OR EventId=4870 OR EventId=4871 OR EventId=4872 OR EventId=4873 OR EventId=4874 OR EventId=4875 OR EventId=4876 OR EventId=4877 OR EventId=4878 OR EventId=4879 OR EventId=4880 OR EventId=4881 OR EventId=4882 OR EventId=4883 OR EventId=4884 OR EventId=4885 OR EventId=4886 OR EventId=4887 OR EventId=4888 OR EventId=4889 OR EventId=4890 OR EventId=4891 OR EventId=4892 OR EventId=4893 OR EventId=4894 OR EventId=4895 OR EventId=4896 OR EventId=4897 OR EventId=4898 OR EventId=4899 OR EventId=4900 OR EventId=4985 OR EventId=5031 OR EventId=5120 OR EventId=5140 OR EventId=5142 OR EventId=5143 OR EventId=5144 OR EventId=5145 OR EventId=5148 OR EventId=5149 OR EventId=5150 OR EventId=5151 OR EventId=5152 OR EventId=5153 OR EventId=5154 OR EventId=5155 OR EventId=5156 OR EventId=5157 OR EventId=5158 OR EventId=5159 OR EventId=5168 OR EventId=5888 OR EventId=5889 OR EventId=592 OR EventId=593 OR EventId=594 OR EventId=595 OR EventId=600 OR EventId=601 OR EventId=602 OR EventId=861 OR EventId=4688 OR EventId=4689 OR EventId=4692 OR EventId=4693 OR EventId=4694 OR EventId=4695 OR EventId=4696 OR EventId=4816 OR EventId=5712 OR EventId=565 OR EventId=566 OR EventId=4661 OR EventId=4662 OR EventId=4928 OR EventId=4929 OR EventId=4930 OR EventId=4931 OR EventId=4932 OR EventId=4933 OR EventId=4934 OR EventId=4935 OR EventId=4936 OR EventId=4937 OR EventId=5136 OR EventId=5137 OR EventId=5138 OR EventId=5139 OR EventId=5141)
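The filters in FS1003 to FS1006 above, and the near-identical FS1007 to FS1009 that follow, depend on LIKE patterns and on where each parenthesis closes, and the guide's own advice is that the only true test is to review the data after the filter is created. The Python evaluator below is an added example, not part of ACS or of this guide: it implements the WQL subset these filters use (=, <>, <, >, <=, >=, LIKE, AND, OR, NOT and parentheses) and applies a filter to a few constructed AdtsEvent-like rows, so a filter can be checked against known inputs before it is deployed. The sample rows, account names and SIDs are constructed; the column names are taken from the filters on this page, while the assumption that WMI string comparison is case-insensitive and the use of Windows event type 16 for failure audits are the example's own. It shows two things the tables do not spell out: in WQL LIKE, '_' is a single-character wildcard, so the '%ADM_%' pattern in FS1005 also matches names such as ADMIN (write '[_]' for a literal underscore), and a pattern with no wildcard at all, such as LIKE '$', matches only a user literally named $ rather than computer accounts whose names end in $.

```python
import operator
import re

# Token classes: quoted string, identifier or keyword, number, comparison operator, parenthesis.
_TOK = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|\d+|<=|>=|<>|[=<>()]")
_OPS = {"=": operator.eq, "<>": operator.ne, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}
_PREFIX = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+AdtsEvent\s+WHERE\s+", re.I)

def tokenize(where: str) -> list:
    """Split a WHERE clause into tokens; leftover text (e.g. typographic quotes) is an error."""
    leftover = _TOK.sub("", where).strip()
    if leftover:
        raise ValueError(f"unrecognised text in WHERE clause: {leftover!r}")
    return _TOK.findall(where)

def like_match(pattern: str, text: str) -> bool:
    """WQL LIKE: '%' is any run of characters, '_' exactly one character and '[...]'
    a character set, so '[_]' is a literal underscore. Matching is case-insensitive."""
    parts = re.split(r"(\[[^\]]*\]|%|_)", pattern)          # wildcards become separate parts
    regex = "".join({"%": ".*", "_": "."}.get(p, p if p.startswith("[") and p.endswith("]")
                                            else re.escape(p)) for p in parts)
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

class WqlWhere:
    """Recursive-descent parser with SQL precedence: NOT binds tightest, then AND, then OR."""
    def __init__(self, where: str):
        self.toks, self.pos = tokenize(where), 0
        self.tree = self._expr()
        if self.pos != len(self.toks):                     # e.g. a stray ')' after NOT (...)
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")

    def _expr(self):
        return self._binary("OR", lambda: self._binary("AND", self._unary))

    def _peek(self):
        return self.toks[self.pos].upper() if self.pos < len(self.toks) else None

    def _binary(self, keyword, operand):
        node = operand()
        while self._peek() == keyword:
            self.pos += 1
            node = (keyword, node, operand())
        return node

    def _unary(self):
        if self._peek() == "NOT":
            self.pos += 1
            return ("NOT", self._unary())
        if self._peek() == "(":
            self.pos += 1
            node = self._expr()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return node
        field, op, raw = self.toks[self.pos:self.pos + 3]    # ValueError if the clause is truncated
        self.pos += 3
        value = raw[1:-1].replace("''", "'") if raw.startswith("'") else int(raw)
        return ("CMP", field.lower(), op.upper(), value)

def evaluate(node, row: dict) -> bool:
    kind = node[0]
    if kind == "NOT":
        return not evaluate(node[1], row)
    if kind in ("AND", "OR"):
        results = (evaluate(child, row) for child in node[1:])
        return all(results) if kind == "AND" else any(results)
    _, field, op, value = node
    actual = row[field]                                    # KeyError flags a misspelt field name
    if op == "LIKE":
        return like_match(str(value), str(actual))
    if isinstance(value, int):
        return _OPS[op](int(actual), value)
    return _OPS[op](str(actual).lower(), value.lower())    # WMI string compare is case-insensitive

def apply_filter(query: str, rows: list) -> list:
    """Rows an ACS collector would forward under 'SELECT * FROM AdtsEvent WHERE ...'."""
    tree = WqlWhere(_PREFIX.sub("", query, count=1)).tree
    return [r for r in rows if evaluate(tree, {k.lower(): v for k, v in r.items()})]

# Constructed sample AdtsEvent rows (not real audit data); Type 8 = success audit, 16 = failure audit.
SAMPLE_ROWS = [
    {"EventId": 4624, "Type": 8, "HeaderUser": "WKS01$", "HeaderSid": "S-1-5-21-9-8-7-1001"},
    {"EventId": 4624, "Type": 8, "HeaderUser": "SYSTEM", "HeaderSid": "S-1-5-18"},
    {"EventId": 4625, "Type": 16, "HeaderUser": "SYSTEM", "HeaderSid": "S-1-5-18"},
    {"EventId": 4624, "Type": 8, "HeaderUser": "jdoe", "HeaderSid": "S-1-5-21-9-8-7-1105"},
    {"EventId": 4624, "Type": 8, "HeaderUser": "ADM_backup", "HeaderSid": "S-1-5-21-9-8-7-1200"},
    {"EventId": 4624, "Type": 8, "HeaderUser": "ADMIN", "HeaderSid": "S-1-5-21-9-8-7-500"},
]

# FS1005 as printed: '_' is a one-character wildcard, so '%ADM_%' also drops ADMIN; '[_]' is a literal '_'.
FS1005 = ("SELECT * FROM AdtsEvent WHERE NOT ((HeaderUser LIKE '%ADM_%' OR HeaderUser LIKE '%SYS_%')"
          " AND (EventId=528 OR EventId=540 OR EventId=4624))")
FS1005_LITERAL_UNDERSCORE = FS1005.replace("_%'", "[_]%'")

# The FS1006 to FS1009 system-account clause, trimmed; LIKE '$' alone would match only a user named "$".
SYSTEM_ACCOUNTS = ("SELECT * FROM AdtsEvent WHERE NOT ((Type=8 AND (HeaderSid='S-1-5-18' OR"
                   " HeaderUser LIKE '%$%')) AND (EventId=4624 OR EventId=4625))")
```

apply_filter() returns the rows the collector would forward; compare its output for a filter against what you expect before and after each change to the WHERE clause. A parse error raised by WqlWhere, for example on an unbalanced parenthesis or a typographic quote, is exactly the condition the guide warns the collector will not report on its own.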
FS1007: Base Reporting (File Auditing) Filter
The Base Reporting (File Auditing) filter builds on the Base Reporting Filter. This version is useful where the user wants to track file auditing events in addition to the base reporting logon failure events.
This filter removes the following items:

Event (1) | Condition | Filter Rationale
All Detailed Tracking events (592, 593, 594, 595, 600, 601, 602, 861, 4688, 4689, 4692, 4693, 4694, 4695, 4696, 4816, 5712) | None | Removal of all events of the Detailed Tracking category.
All Directory Services Access events (565, 566, 4661, 4662, 4928, 4929, 4930, 4931, 4932, 4933, 4934, 4935, 4936, 4937, 5136, 5137, 5138, 5139, 5141) | None | Removal of all events of the Directory Services Access category.
Logon/Logoff events (528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 551, 552, 682, 683, 4624, 4625, 4634, 4647, 4648, 4650, 4651, 4652, 4653, 4654, 4655, 4672, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 4976, 4977, 4978, 4979, 4980, 4981, 4982, 4983, 4984, 5451, 5452, 5453, 5632, 5633, 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280) | Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$%') | All successful logon events and logon/logoff events for system accounts. Type=8 indicates successful events.

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT (((Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$%')) AND (EventId=528 OR EventId=529 OR EventId=530 OR EventId=531 OR EventId=532 OR EventId=533 OR EventId=534 OR EventId=535 OR EventId=536 OR EventId=537 OR EventId=538 OR EventId=539 OR EventId=540 OR EventId=551 OR EventId=552 OR EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=677 OR EventId=678 OR EventId=679 OR EventId=680 OR EventId=681 OR EventId=682 OR EventId=683 OR EventId=4624 OR EventId=4625 OR EventId=4634 OR EventId=4647 OR EventId=4648 OR EventId=4650 OR EventId=4651 OR EventId=4652 OR EventId=4653 OR EventId=4654 OR EventId=4655 OR EventId=4672 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4773 OR EventId=4774 OR EventId=4775 OR EventId=4776 OR EventId=4777 OR EventId=4778 OR EventId=4779 OR EventId=4800 OR EventId=4801 OR EventId=4802 OR EventId=4803 OR EventId=4964 OR EventId=4976 OR EventId=4977 OR EventId=4978 OR EventId=4979 OR EventId=4980 OR EventId=4981 OR EventId=4982 OR EventId=4983 OR EventId=4984 OR EventId=5451 OR EventId=5452 OR EventId=5453 OR EventId=5632 OR EventId=5633 OR EventId=6272 OR EventId=6273 OR EventId=6274 OR EventId=6275 OR EventId=6276 OR EventId=6277 OR EventId=6278 OR EventId=6279 OR EventId=6280)) OR EventId=592 OR EventId=593 OR EventId=594 OR EventId=595 OR EventId=600 OR EventId=601 OR EventId=602 OR EventId=861 OR EventId=4688 OR EventId=4689 OR EventId=4692 OR EventId=4693 OR EventId=4694 OR EventId=4695 OR EventId=4696 OR EventId=4816 OR EventId=5712 OR EventId=565 OR EventId=566 OR EventId=4661 OR EventId=4662 OR EventId=4928 OR EventId=4929 OR EventId=4930 OR EventId=4931 OR EventId=4932 OR EventId=4933 OR EventId=4934 OR EventId=4935 OR EventId=4936 OR EventId=4937 OR EventId=5136 OR EventId=5137 OR EventId=5138 OR EventId=5139 OR EventId=5141)
FS1008: Base Reporting (File Auditing & Directory Services)
This extension of the Base Reporting filter includes File Auditing and Directory Service level events. Directory Service events are useful for tracking Active Directory and Group Policy Objects.
Event (1) | Condition | Filter Rationale
All Detailed Tracking events (592, 593, 594, 595, 600, 601, 602, 861, 4688, 4689, 4692, 4693, 4694, 4695, 4696, 4816, 5712) | None | Removal of all events of the Detailed Tracking category.
Logon/Logoff events (528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 551, 552, 682, 683, 4624, 4625, 4634, 4647, 4648, 4650, 4651, 4652, 4653, 4654, 4655, 4672, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 4976, 4977, 4978, 4979, 4980, 4981, 4982, 4983, 4984, 5451, 5452, 5453, 5632, 5633, 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280) | Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$%') | All successful logon events and logon/logoff events for system accounts. Type=8 indicates successful events.

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT (((Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$%')) AND (EventId=528 OR EventId=529 OR EventId=530 OR EventId=531 OR EventId=532 OR EventId=533 OR EventId=534 OR EventId=535 OR EventId=536 OR EventId=537 OR EventId=538 OR EventId=539 OR EventId=540 OR EventId=551 OR EventId=552 OR EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=677 OR EventId=678 OR EventId=679 OR EventId=680 OR EventId=681 OR EventId=682 OR EventId=683 OR EventId=4624 OR EventId=4625 OR EventId=4634 OR EventId=4647 OR EventId=4648 OR EventId=4650 OR EventId=4651 OR EventId=4652 OR EventId=4653 OR EventId=4654 OR EventId=4655 OR EventId=4672 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4773 OR EventId=4774 OR EventId=4775 OR EventId=4776 OR EventId=4777 OR EventId=4778 OR EventId=4779 OR EventId=4800 OR EventId=4801 OR EventId=4802 OR EventId=4803 OR EventId=4964 OR EventId=4976 OR EventId=4977 OR EventId=4978 OR EventId=4979 OR EventId=4980 OR EventId=4981 OR EventId=4982 OR EventId=4983 OR EventId=4984 OR EventId=5451 OR EventId=5452 OR EventId=5453 OR EventId=5632 OR EventId=5633 OR EventId=6272 OR EventId=6273 OR EventId=6274 OR EventId=6275 OR EventId=6276 OR EventId=6277 OR EventId=6278 OR EventId=6279 OR EventId=6280)) OR EventId=565 OR EventId=566 OR EventId=4661 OR EventId=4662 OR EventId=4928 OR EventId=4929 OR EventId=4930 OR EventId=4931 OR EventId=4932 OR EventId=4933 OR EventId=4934 OR EventId=4935 OR EventId=4936 OR EventId=4937 OR EventId=5136 OR EventId=5137 OR EventId=5138 OR EventId=5139 OR EventId=5141)
FS1009: Base Reporting (File Auditing, Directory Services, All Non-System Logons) Filter
A common request is to include successful logon/logoff events. Although this is not recommended because of the volume of logon activity generated, the FS1009 filter excludes the largest-volume events (Detailed Tracking events) and system-generated logon/logoff events.
Event (1) | Condition | Filter Rationale
All Detailed Tracking events (592, 593, 594, 595, 600, 601, 602, 861, 4688, 4689, 4692, 4693, 4694, 4695, 4696, 4816, 5712) | None | Removal of all events of the Detailed Tracking category.
Logon/Logoff events (528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 551, 552, 682, 683, 4624, 4625, 4634, 4647, 4648, 4650, 4651, 4652, 4653, 4654, 4655, 4672, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 4976, 4977, 4978, 4979, 4980, 4981, 4982, 4983, 4984, 5451, 5452, 5453, 5632, 5633, 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280) | HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$%' | All successful logon events and logon/logoff events for system accounts.

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.
Filter Syntax
SELECT * FROM AdtsEvent WHERE NOT (((HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$%') AND (EventId=528 OR EventId=529 OR EventId=530 OR EventId=531 OR EventId=532 OR EventId=533 OR EventId=534 OR EventId=535 OR EventId=536 OR EventId=537 OR EventId=538 OR EventId=539 OR EventId=540 OR EventId=551 OR EventId=552 OR EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=677 OR EventId=678 OR EventId=679 OR EventId=680 OR EventId=681 OR EventId=682 OR EventId=683 OR EventId=4624 OR EventId=4625 OR EventId=4634 OR EventId=4647 OR EventId=4648 OR EventId=4650 OR EventId=4651 OR EventId=4652 OR EventId=4653 OR EventId=4654 OR EventId=4655 OR EventId=4672 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4773 OR EventId=4774 OR EventId=4775 OR EventId=4776 OR EventId=4777 OR EventId=4778 OR EventId=4779 OR EventId=4800 OR EventId=4801 OR EventId=4802 OR EventId=4803 OR EventId=4964 OR EventId=4976 OR EventId=4977 OR EventId=4978 OR EventId=4979 OR EventId=4980 OR EventId=4981 OR EventId=4982 OR EventId=4983 OR EventId=4984 OR EventId=5451 OR EventId=5452 OR EventId=5453 OR EventId=5632 OR EventId=5633 OR EventId=6272 OR EventId=6273 OR EventId=6274 OR EventId=6275 OR EventId=6276 OR EventId=6277 OR EventId=6278 OR EventId=6279 OR EventId=6280)) OR EventId=565 OR EventId=566 OR EventId=4661 OR EventId=4662 OR EventId=4928 OR EventId=4929 OR EventId=4930 OR EventId=4931 OR EventId=4932 OR EventId=4933 OR EventId=4934 OR EventId=4935 OR EventId=4936 OR EventId=4937 OR EventId=5136 OR EventId=5137 OR EventId=5138 OR EventId=5139 OR EventId=5141)
11 REFERENCES
Microsoft Windows Events
http://support.microsoft.com/kb/947226
ACS Administration
http://technet.microsoft.com/en-us/library/bb309436.aspx
Well-known security identifiers
http://support.microsoft.com/kb/243330
WMI and SQL (WQL)
http://msdn.microsoft.com/en-us/library/aa394552(v=VS.85).aspx
Auditing Security Events
http://msdn.microsoft.com/en-us/library/ms731669.aspx
Description of Security Events in Windows Vista and in Windows 2008
http://support.microsoft.com/kb/947226
http://technet.microsoft.com/en-us/library/cc875806.aspx
EventId List
http://www.eventid.net