ACS Noise Filter Guide

PREPARED FOR: Microsoft Global Foundation Services - Online Services Security and Compliance

PREPARED BY: Secure Vantage Technologies, Inc.

Confidential & Proprietary Information Copyright © 2010 All Rights Reserved

Use or Disclosure of this data is subject to the restriction on the cover of this document. Copyright © 2010 Secure Vantage Technologies (SVT)

2450 Louisiana Suite 400-166 Houston, TX 77006.

CONFIDENTIAL & PROPRIETARY

The Secure Vantage ® Technologies (“SVT ®”) ACS Noise Filter Guide which follows contains information and data which is privileged, confidential, and/or proprietary to SVT. This information and data is commercially sensitive and/or financial in nature, is not made available for public review, and is submitted on a confidential basis only in response to a specific customer request. The information contained herein is protected, among other things by the Trade Secrets Act, as codified, and any improper use, distribution, or reproduction is specifically prohibited. No license or right of any kind whatsoever is granted to any third party to use the information contained herein unless a written agreement exists between SVT and the third party which desires access to the information. The information contained herein is submitted for purposes of review and evaluation in connection with SVT’s response to the specific request denoted herein. No other use of this document or any portion of the information and data contained herein is permitted without the express written permission of SVT. Under no condition should the information contained herein be provided in any manner whatsoever to any third party without first receiving the express written permission of SVT.

1 EXECUTIVE SUMMARY
2 APPROACH
   General Approach to Creating an ACS Noise Filter
3 DIFFERENCE BETWEEN SECURITY EVENT LOG AND ACS FORMATS
4 IDENTIFY EVENTS TO BE EXCLUDED
   Identify Audit and Corporate Policies
   Identifying High Volume Events
5 NOISE FILTER SYNTAX FORMAT
6 APPLYING AN ACS FILTER
   Command Syntax
   Sample: Loading Filter
7 COMMON NOISE FILTER LISTS
   Common Security Identifiers
   Common Event Conditions List
   Logon Types
   AdtsEvent Details
   Audit Record Flags
   Example of Adding Common Security Groups to Filters
8 FILTER CREATION BEST PRACTICE
   Exclusive Filters
   Review Filter Performance
   Record the Filter in a Secondary Location
   Include Relevant Events
9 FILTER LIMITATIONS
   Character Limit
   Object Limitation
   WQL is not SQL
   Complexity Limitations
10 SAMPLE NOISE FILTERS
   FS1001: Windows Server Essential Filter
      Filter Scope
      Filter Syntax
   FS1002: Windows Server Reasonable Filter
      Filter Scope
      Filter Syntax
   FS1003: Windows Server Rational Filter
      Filter Scope
      Filter Syntax
   FS1004: Windows Server Authentication Computer$ Filter
      Filter Scope
      Filter Syntax
   FS1005: Service Account Authentication Success Filter
      Filter Scope
      Filter Syntax
   FS1006: Base Reporting Filter
      Filter Syntax
   FS1007: Base Reporting (File Auditing) Filter
      Filter Syntax
   FS1008: Base Reporting (File Auditing & Directory Services)
      Filter Syntax
   FS1009: Base Reporting (File Auditing, Directory Services, All Non-System Logons) Filter
      Filter Syntax
11 REFERENCES

1 EXECUTIVE SUMMARY

Microsoft Audit Collection Services (ACS) collects and stores the Security Event Log from Microsoft Windows operating systems. These events provide an audit trail of security-related and system activities for system administrators, security administrators, and internal auditors. The ACS system can manage a collection rate approaching 6000 transactions per second (trans/sec), but some of that information has little value from a security standpoint.

If all auditing were enabled on all systems in an Active Directory domain, there would be a tremendous volume of data to sift through to track specific events and sequences. To improve audit value and reduce the load on the servers and network involved, only the necessary audit settings should be enabled. Additionally, only those events of specific interest should be forwarded to the ACS database.

This document provides suggested guidelines for developing a WMI Query Language (WQL) filter that removes extraneous data from the ACS stream. The following sections include common sample queries, guidelines and a general process for creating the ACS noise filter.

2 APPROACH

General Approach to Creating an ACS Noise Filter

Creating an ACS noise filter involves the following steps:

- Identify audit policies and affected systems
   - This data may be found in the Baseline to Support Audit Requirements
- Identify events to be filtered
   - Audit policies
   - High volume events
- Determine event-specific criteria
- Create the ACS noise filter
- Apply the filter to the ACS system

3 DIFFERENCE BETWEEN SECURITY EVENT LOG AND ACS FORMATS

Audit Collection Services stores data in a different format than the Windows Security Event Log. The Security Event Log stores values in a series of incrementing parameters named Parameter1, Parameter2, Parameter3, etc. As the data is stored in ACS, the information is transformed by ACS into fields in the dvAll view.

During this data transformation, ACS stores some of the parameter values in String fields and some in the Header fields. String fields are named String01, String02, etc. The header values are prefixed with Header, Primary, Client, and Target.

Although all Security Event Log data is captured and stored in ACS, there is no direct correlation between the position of a parameter in the Security Event Log and its stored location in the ACS database. The most reliable way to identify where a parameter lands in ACS is to generate the event in the Security Event Log and then find the corresponding event in the ACS system.

Figure 1 shows a sample of how the Event Viewer details have been mapped to an ACS event. Note how String01 in the ACS event was originally Parameter09 in the Event Details shown in the Event Viewer. EventSchema.xml provides the mappings and conversions for all events.

Figure 1: ACS to Security Event Log Mapping

Note that when comparing events in a local Security Event Viewer with those in ACS, both sources contain the same raw data but store and display it slightly differently. The Event Details from the Event Viewer and the ACS String fields will rarely match in ordering; i.e. Parameter01 will not, in general, equal String01 in ACS.

4 IDENTIFY EVENTS TO BE EXCLUDED

A key aspect of noise filter creation is identifying the events to exclude from the system. This section provides a guideline for doing so. The two primary steps are:

- Identify audit and corporate policies
- Identify high volume events

Identify Audit and Corporate Policies

Any filter must support the objectives of the applicable regulatory and corporate policies, and excluding events may impair the ability to meet them. Before creating any filter, understand how removing the specific events will affect the ability to meet these requirements.

Identifying High Volume Events

High volume events can be identified in two ways. The first is the Secure Vantage Integrity Manager product. The second is to query the ACS database directly; the following query counts events by Event ID and success/failure so that the heaviest contributors can be ranked:

SELECT EventId, [S/F], COUNT(*) AS EventCount
FROM AdtServer.dvHeader
GROUP BY EventId, [S/F]
ORDER BY EventCount DESC
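The query above returns raw counts. The following PowerShell script, added here as an example and not part of the original guide, runs the same query through Invoke-Sqlcmd (SqlServer module), adds each event's share of the total over a time window, and then breaks the noisiest events down by HeaderSid, so that a noisy service account can be excluded by SID as recommended in Section 7. The server and database names, and the HeaderSid, HeaderDomain, HeaderUser and CollectionTime columns of dvHeader, are assumptions.

```powershell
# Added example: profile ACS event volume to choose noise-filter candidates.
# Requires the SqlServer module (Invoke-Sqlcmd) and read access to the ACS database.
# Instance and database names are placeholders; the HeaderSid/HeaderDomain/HeaderUser
# and CollectionTime columns of dvHeader are assumed to mirror the AdtsEvent fields.
param(
    [string]$ServerInstance = 'ACSDB01\ACS',          # assumption
    [string]$Database       = 'OperationsManagerAC',  # assumption
    [int]$Top               = 20,
    [datetime]$Since        = (Get-Date).AddDays(-1)  # one day is normally enough (Section 8)
)

# Date literal for T-SQL; ACS records CollectionTime in UTC.
$sinceSql = $Since.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')

# 1. Volume per EventId and success/failure, with each row's share of the total.
$byEvent = @"
SELECT TOP ($Top) EventId, [S/F] AS SF, COUNT(*) AS Cnt,
       CAST(100.0 * COUNT(*) / SUM(COUNT(*)) OVER () AS decimal(5,2)) AS Pct
FROM AdtServer.dvHeader
WHERE CollectionTime >= '$sinceSql'
GROUP BY EventId, [S/F]
ORDER BY Cnt DESC;
"@
$events = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $byEvent)
$events | Format-Table EventId, SF, Cnt, Pct -AutoSize

# 2. For the five noisiest events, which accounts generate them? Section 7 recommends
#    filtering by SID (e.g. S-1-5-18 Local System) rather than by account name.
$topIds = ($events | Select-Object -First 5 | ForEach-Object { $_.EventId }) -join ','
if (-not $topIds) { Write-Warning "No events collected since $sinceSql UTC"; return }
$bySid = @"
SELECT TOP (20) EventId, HeaderSid, HeaderDomain, HeaderUser, COUNT(*) AS Cnt
FROM AdtServer.dvHeader
WHERE CollectionTime >= '$sinceSql' AND EventId IN ($topIds)
GROUP BY EventId, HeaderSid, HeaderDomain, HeaderUser
ORDER BY Cnt DESC;
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $bySid |
    Format-Table EventId, HeaderSid, HeaderDomain, HeaderUser, Cnt -AutoSize
```

The first table is the ranked list of candidates for an exclusive filter; the second shows whether a handful of accounts are responsible for them, in which case a SID condition on that event (as in the example at the end of Section 7) is more precise than dropping the event outright.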

5 NOISE FILTER SYNTAX FORMAT

The ACS noise filter syntax follows this format:

SELECT * FROM AdtsEvent WHERE conditionals

The default filter query, which collects every event, is:

SELECT * FROM AdtsEvent

When writing the conditionals, string values must be enclosed in single quotes (') and not double quotes ("). Double quotes delimit the whole query on the AdtAdmin command line (see Section 6), so a double quote inside the query would terminate it early.

6 APPLYING AN ACS FILTER

To apply a filter, the user must sign on to the server hosting the ACS Collector. The following steps apply a query to the collector:

1. Open a Command Prompt.*
2. Navigate to the following directory within the command prompt: C:\Windows\System32\Security\AdtServer
3. Execute the following command:

AdtAdmin.exe /SetQuery /Query:"SELECT * FROM AdtsEvent"

* On Windows Server 2008 the command console must be run with elevated privileges.

The query portion of the AdtAdmin command must be placed within double quotes. Samples of valid queries are included at the end of this document.

Command Syntax

AdtAdmin.exe /SetQuery [/Collector:CollectorName] /Query:QuerySyntax

Sample: Loading Filter

adtadmin /setquery /collector:"Collector Name" /query:"SELECT * FROM AdtsEvent WHERE NOT(EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841))"

7 COMMON NOISE FILTER LISTS

Common Security Identifiers

Multiple ways exist for accounts to sign on to Microsoft Windows. Some events record the account in one format, while other events record the same account in a different format. Across these events, however, one field remains identical: the Security Identifier (SID). It is recommended that filters reference accounts by SID when feasible. Security identifiers for common accounts are listed below:

Account         | Security Identifier
Local System    | S-1-5-18
Local Service   | S-1-5-19
Network Service | S-1-5-20

Table 1: Common Security Identifier Values

Common Event Conditions List

The following events are commonly generated by the Microsoft Windows operating system. The list is not a complete list of events generated, only those most commonly found.

Event Id [1] | Name | Common Condition | Description
538, 4634 | User Logoff | Logon Type = 3 and User Name contains $ | This event only indicates the time a user or system account logged off. It does not mean the user actually stopped using the system, only that a connection to the system was closed.
528, 540, 4624 | User Logon | User Name contains $ or = X | Some service and system accounts generate excessive activity while doing normal approved work. Filtering these accounts can greatly reduce load when collecting successful logon events. Consider adding events 538/4634 and 680/4776 if not already filtering them.
551, 4647 | User logoff initiated | n/a | Indicates the user initiated a logoff, but not that the user successfully logged off the system. To record successful logoffs, review event 538/4634.
560, 4656 | Object Open | Various | Tracks both successful and failed object access. Object Open events can be numerous, and activating this audit policy may require careful filtering.
562, 4658 | Object Handle Closed | n/a | Records when a handle to an object is closed. This can show how long an object was open, but contains no other information of use.
565, 4661 | Object Open (Active Directory) | Various | Identifies access to audited Active Directory objects, similar to event 560/4656.
571 | Client Context deleted by Authorization Manager | n/a | Normally found when Authorization Manager (AzMan) is active and in use. Windows 2008 event
573 | Process generates nonsystem audit | n/a | Normally found when Authorization Manager (AzMan) is active and in use.
577, 578, 4673, 4674 | Privilege Use Events | n/a | Privilege Use events may generate large quantities of activity. When this audit category is active, filtering it may require special consideration.
594, 595, 4690 | Process Tracking events | n/a | Process tracking events allow users to track which applications are accessed by user and system accounts. However, these events generate large quantities of activity, and turning on the Detailed Tracking audit policy should be reviewed.
596, 597, 4692, 4693, 4694, 4695 | Data protection (DPAPI) master key backup and recovery | n/a | DPAPI backup and recovery operations. Normally these operations do not need to be tracked.
624, 4720 | User Account Created | New Account Name ends with '$' | A domain user has created or joined a new computer account to the domain. This may be normal activity if users have this right.
627, 4723 | Change Password Attempt | User equals 'System' and Target Account Name equals 'TsInternetUser' and Caller User Name ends with '$' | This is normal behavior of a computer that runs Terminal Services.
672, 673, 674, 675, 676, 4768, 4769, 4770, 4771, 4772 | Kerberos ticket events | User Name contains $ | Windows computers generate many Kerberos events as the system checks for Group Policy updates and other information in Active Directory.

[1] Windows 2003 Security Events generally have values between 500 and 700. Windows 2008 Security Events generally have values greater than 4000.

Table 2: Common Events

Logon Types

The logon events carry a logon type, which can be useful in filtering out unwanted events. The types are summarized below:

Logon Type Value | Logon Type | Description
2  | Interactive | User logged on to the computer directly.
3  | Network | An account or computer logged on to this computer through the network.
4  | Batch | When a process executes on behalf of a user without their direct intervention, the server uses the Batch logon type.
5  | Service | Created when the Service Control Manager starts a service.
7  | Unlock | This workstation was unlocked.
8  | NetworkCleartext | An account logged on through the network, but the password was not hashed before being passed to the authentication package.
9  | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 | RemoteInteractive | Occurs when a user logs on to the computer using Terminal Services or Remote Desktop.
11 | CachedInteractive | A network account logged on to the computer, but the computer used previously cached credentials to verify the account. A domain controller was not contacted during this logon.

Table 3: Logon Type Values

AdtsEvent Details

The table below describes the available fields of the AdtsEvent object.

Field Name | Type | Description | Sample
EventID | uint32 | Windows Security Log event number | 528
SequenceNo | uint32 | Dynamic value; do not filter on this field | 1056403
Flags | uint32 | See the audit record flags enumeration below | 0x01
Type | uint32 | 8 = success audit, 16 = failure audit; ACS-generated events are 4 = informational | 8
Category | uint32 | Category ID | 7
CreationTime | uint64 | FILETIME, UTC; time the audit was created | 8/5/2008 9:14:56 PM
CollectionTime | uint64 | FILETIME, UTC; time the audit arrived at AdtServer | 8/5/2008 9:14:58 PM
AgentMachine | String | Name of the machine that sent the event | MMS2008\SQL2005$
EventMachine | String | Name of the machine in the event header | SQL2005
Log | String | Log where the event originated | Security
Source | String | Log source where the event originated | Security
HeaderSid | String | User SID in the event header | S-1-5-21-3936682612-297840751-2861477581-500
HeaderUser | String | User name in the event header | Administrator
HeaderDomain | String | User domain in the event header | MMS2008
PrimarySid | String | Primary user SID in the event details | S-1-5-21-1468679-3930941156-3931375250-1020
PrimaryUser | String | Primary user name in the event header | test41
PrimaryDomain | String | Primary user domain in the event header | SQL2005
PrimaryLogonId | uint64 | Primary user logon ID in the event details | 0
ClientSid | String | Client user SID in the event details | S-1-5-21-3936682612-297840751-2861477581-500
ClientUser | String | Client user name in the event header | Administrator
ClientDomain | String | Client user domain in the event header | MMS2008
ClientLogonId | uint64 | Client user logon ID in the event details | 541879972
TargetSid | String | Target SID in the event details | S-1-5-32-547
TargetUser | String | Target name in the event details | Power Users
TargetDomain | String | Target domain in the event details | Builtin
String01 through String22 | String | Event detail attributes | Varies

Table 4: AdtsEvent Object Field Description

Audit Record Flags

The ACS system itself generates various events during its collection process. These audit record flags are not stored with the ACS records, but may assist in identifying issues with the event collection system.

Flag | Name | Description
0x00 | arfNone | No flags set
0x01 | arfRealTime | Event was collected in real time, not from the backlog at forwarder connect
0x02 | arfTruncated | Event strings were truncated
0x04 | arfPseudo | Event is an ACS intrinsic event (e.g. gap detected), not an event log event
0x08 | arfUnknown | No transformation information available for this event
0x10 | arfCorrupt | Event is corrupt

Table 5: Audit Record Flags

Example of Adding Common Security Groups to Filters

The following example adds a condition on common system accounts to an ACS filter.

Event 560/4656

These events record file and folder access attempts. System accounts can generate a great deal of this activity, which is rarely of interest. The following filter drops object-open events where the acting account is Local System or Local Service, matched on SID (Table 1):

SELECT * FROM AdtsEvent WHERE NOT ((EventId=560 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19')) OR (EventId=4656 AND (PrimarySid='S-1-5-18' OR PrimarySid='S-1-5-19')))

8 FILTER CREATION BEST PRACTICE

Creating a filter requires an investment in time and effort. A well-designed filter will generally follow the guidelines below; each is given with the reason it is considered best practice.

Exclusive Filters

Exclusive filters place the NOT operator immediately after the WHERE keyword. They identify the specific items the system is not to collect and allow everything else to pass into ACS. Inclusive filters, by contrast, allow only data which matches the select criteria into the ACS system. Given the volume of events in ACS and the nature of the security data collected, exclusive filters are recommended: an event the filter author did not anticipate is collected rather than silently lost.

Review Filter Performance

After applying a filter, it is vital that the data in the ACS database be reviewed to ensure the filter is functioning properly. In production systems this may be difficult, as the generation of events may not be under the control of the person implementing the filter, but a review after a single day of activity has been gathered is normally sufficient to determine whether the filter is functioning properly.
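The review described above can be scripted. The following PowerShell, an added example rather than part of the original guide, queries the ACS database for two things: whether any of the event IDs the filter is supposed to exclude have arrived since the filter was applied (which would indicate that the collector rejected the query silently, as described under Complexity Limitations in Section 9, or that a condition does not match as intended), and how the collection rate before the change compares with the rate after it. The instance and database names, and the CollectionTime column of dvHeader, are assumptions; the default excluded IDs are those of the Section 6 sample filter.

```powershell
# Added example: confirm an applied exclusive filter is actually dropping what it should.
# Events in $ExcludedEventIds that still arrive after $AppliedAt mean the collector
# rejected the query silently (Section 9) or the conditions do not match as intended.
# Instance/database names are placeholders; CollectionTime in dvHeader is assumed to be
# the UTC arrival time described for AdtsEvent in Section 7.
param(
    [string]$ServerInstance  = 'ACSDB01\ACS',            # assumption
    [string]$Database        = 'OperationsManagerAC',    # assumption
    [int[]]$ExcludedEventIds = @(551, 562, 573, 577, 578, 697) + (594..597) + (768..771) + (832..841),
    [datetime]$AppliedAt     = (Get-Date).AddDays(-1)    # when AdtAdmin /SetQuery was run
)

$appliedSql = $AppliedAt.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
$idList     = $ExcludedEventIds -join ','

# 1. Leak check: excluded IDs should not appear at all after the filter was applied.
$leakQuery = @"
SELECT EventId, COUNT(*) AS Leaked, MIN(CollectionTime) AS FirstSeen, MAX(CollectionTime) AS LastSeen
FROM AdtServer.dvHeader
WHERE CollectionTime >= '$appliedSql' AND EventId IN ($idList)
GROUP BY EventId
ORDER BY Leaked DESC;
"@
$leaks = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $leakQuery)
if ($leaks.Count -gt 0) {
    Write-Warning "Filter is not effective: $($leaks.Count) excluded event IDs still collected"
    $leaks | Format-Table EventId, Leaked, FirstSeen, LastSeen -AutoSize
} else {
    Write-Host "No excluded event IDs collected since $appliedSql UTC"
}

# 2. Load check: events per hour in the day before the change versus after it.
$rateQuery = @"
SELECT CASE WHEN CollectionTime >= '$appliedSql' THEN 'after' ELSE 'before' END AS Period,
       COUNT(*) AS Events,
       COUNT(*) * 60.0 / NULLIF(DATEDIFF(minute, MIN(CollectionTime), MAX(CollectionTime)), 0) AS PerHour
FROM AdtServer.dvHeader
WHERE CollectionTime >= DATEADD(day, -1, '$appliedSql')
GROUP BY CASE WHEN CollectionTime >= '$appliedSql' THEN 'after' ELSE 'before' END
ORDER BY Period;
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $rateQuery |
    Format-Table Period, Events, PerHour -AutoSize
```

A non-empty leak table after a full day is the clearest sign that the collector fell back to the default query; an unchanged rate with an empty leak table usually means the excluded events were not being generated in the first place, which is the case the Include Relevant Events guideline below warns against.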

Record the Filter in a Secondary Location

Once created, the filter should be archived to a controlled and backed-up repository so that it can be restored should the ACS system or network suffer an unplanned outage. Keeping a second copy of the query also allows a quick return to a previous known configuration should a recently applied query not behave as anticipated.

Include Relevant Events

It is inefficient, and unnecessary, to filter out events which are not being generated. A noise filter performs a line-by-line comparison of the incoming data stream, and this comparison can degrade performance if it is checking for events which audit policy does not produce.

Ideally, analysis of the ACS data will group events into three categories:

- High volume events which must be filtered
- Events which must not be filtered
- Low volume events which may be filtered

Focusing on the high volume events keeps the machines tuned and ACS running optimally while still providing sufficient audit data.

9 FILTER LIMITATIONS

WMI and ACS have limitations which may affect filter creation. This section identifies some of them, with specifics where they are known:

Character Limit

The system may accept a query up to 4800 characters in length. This is the maximum potential limit; because of required characters, the length of the command line itself, and other system limitations, the actual limit may be shorter than 4800 characters.

Object Limitation

WQL will accept close to 500 objects. An "object" may be loosely defined as a single occurrence of a field in the WHERE clause. However, as the complexity of the query increases, it has been observed that the object limit tends to decrease.

WQL is not SQL

WQL provides many similar functions and structurally the syntax resembles a SQL or T-SQL statement. However, WQL does not provide full SQL functionality. In particular, WQL does not provide:

- Advanced text manipulation (Left, Right, Substring, etc.)
- Joining of objects
- Subselect statements

Complexity Limitations

WQL has limits on the complexity of the WHERE clause allowed. These limits are undefined, but it is known that too many AND and OR keywords may cause the filter to not function. When this happens the system simply accepts all data as if the filter were not present, so no events are lost; unfortunately, no outward indication that the limit has been reached is given when the filter is applied. The only true test is to review the data after filter creation and confirm the filter behaves as expected.
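The procedure in Sections 5, 6 and 8, together with the checks implied by the limits above, can be combined into one script. The following PowerShell is an added example, not code from the original guide or from the ACS product: it builds an exclusive WQL filter from a rule list, rejects a query that exceeds the character limit or the (approximate) object limit or that contains double quotes, archives a dated copy, and hands the query to AdtAdmin.exe /SetQuery. The collector name, the archive share, the rule set and the regular expression used to count "objects" are assumptions; the AdtAdmin.exe path follows Section 6.

```powershell
# Added example (not from the original guide): build an exclusive ACS noise filter from a
# rule list, check it against the limits in Section 9, archive a copy (Section 8) and apply
# it with AdtAdmin.exe (Section 6). Collector name, archive share and rule set are placeholders.

function New-AcsExclusionQuery {
    # Returns "SELECT * FROM AdtsEvent WHERE NOT(...)"; with no rules, the default query.
    param(
        [int[]]$EventIds  = @(),     # single event IDs to drop outright
        [string[]]$Ranges = @(),     # inclusive ranges as 'low-high', e.g. '594-597'
        [hashtable]$BySid = @{}      # EventId -> SIDs whose events are dropped (matched on HeaderSid)
    )
    $terms = @()
    foreach ($id in $EventIds) { $terms += "EventId=$id" }
    foreach ($r in $Ranges) {
        $lo, $hi = $r -split '-' | ForEach-Object { [int]$_ }
        $terms += "(EventId>=$lo AND EventId<=$hi)"
    }
    foreach ($id in $BySid.Keys) {
        # String literals must be single-quoted (Section 5); SIDs are stable across event formats (Section 7).
        $sids = ($BySid[$id] | ForEach-Object { "HeaderSid='$_'" }) -join ' OR '
        $terms += "(EventId=$id AND ($sids))"
    }
    if ($terms.Count -eq 0) { return 'SELECT * FROM AdtsEvent' }
    return "SELECT * FROM AdtsEvent WHERE NOT($($terms -join ' OR '))"
}

function Test-AcsQueryLimits {
    # Returns a list of problems; nothing returned means the query passed every check.
    param([Parameter(Mandatory)][string]$Query, [int]$MaxLength = 4800, [int]$MaxObjects = 500)
    $problems = @()
    if ($Query.Length -gt $MaxLength) { $problems += "length $($Query.Length) exceeds $MaxLength characters" }
    # Approximation of Section 9's 'object' count: one per field reference in the WHERE clause (assumption).
    $fields = [regex]::Matches($Query, '\b(EventId|HeaderSid|PrimarySid|ClientSid|TargetSid)\b').Count
    if ($fields -gt $MaxObjects) { $problems += "$fields field references exceed the ~$MaxObjects object limit" }
    if ($Query.Contains('"')) { $problems += 'double quotes present; WQL string literals must use single quotes' }
    if ($Query -notmatch '^SELECT \* FROM AdtsEvent( WHERE NOT\(.*\))?$') { $problems += 'not of the exclusive SELECT * FROM AdtsEvent WHERE NOT(...) form' }
    return $problems
}

function Save-AcsQuery {
    # Section 8: keep a dated copy outside the collector so the last known-good filter can be restored.
    param([Parameter(Mandatory)][string]$Query, [string]$ArchiveDir = '\\fileserver\acs-filters')  # assumption
    $path = Join-Path $ArchiveDir ("acs-filter-{0:yyyyMMdd-HHmmss}.wql" -f (Get-Date))
    Set-Content -Path $path -Value $Query -Encoding ASCII
    return $path
}

function Set-AcsQuery {
    # Section 6: AdtAdmin.exe /SetQuery [/Collector:Name] /Query:... ; run from an elevated prompt.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Query, [string]$Collector)
    $adtAdmin = Join-Path $env:windir 'System32\Security\AdtServer\AdtAdmin.exe'
    $argList  = @('/SetQuery')
    if ($Collector) { $argList += "/Collector:$Collector" }
    $argList += "/Query:$Query"   # one token; PowerShell adds the surrounding double quotes for the exe
    if ($PSCmdlet.ShouldProcess($adtAdmin, ($argList -join ' '))) {
        & $adtAdmin @argList
        if ($LASTEXITCODE -ne 0) { throw "AdtAdmin.exe exited with code $LASTEXITCODE" }
    }
}

# Example use: the exclusions from the Section 6 sample plus SID-based drops for object-open
# events from Local System and Local Service (Table 1).
$query = New-AcsExclusionQuery -EventIds 551, 562, 573, 577, 578, 697 `
                               -Ranges '594-597', '768-771', '832-841' `
                               -BySid @{ 560 = 'S-1-5-18', 'S-1-5-19'; 4656 = 'S-1-5-18', 'S-1-5-19' }
$problems = @(Test-AcsQueryLimits -Query $query)
if ($problems.Count -gt 0) { throw "Filter rejected: $($problems -join '; ')" }
Write-Host "Archived to $(Save-AcsQuery -Query $query)"
Set-AcsQuery -Query $query -Collector 'ACS-COLLECTOR01' -WhatIf   # remove -WhatIf to apply
```

With -WhatIf the script prints the exact AdtAdmin.exe command line without running it, which is a convenient way to check the quoting. Because the collector gives no indication when a query is rejected for complexity, the length and object checks only cover the limits that are known; the review in Section 8 is still required after every change.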

10 SAMPLE NOISE FILTERS

This section provides some sample filters for commonly used objectives. Before applying any of these filters it is necessary to ensure these filters will meet specific corporate goals.

FS1001: Windows Server Essential Filter

The Windows Server Essential filter provides a basic filter set that should be considered in any ACS environment if applicable based on audit policy. Additionally, the filters may require some modification based on the specific objectives.

Filter Scope

| Event (1) | Description | Filter Rationale |
|---|---|---|
| 551, 4647 | User initiates logoff | Event 538/4647 confirms logoff; use it instead if you want to collect logoffs. |
| 562, 4658 | A handle to an object closed | Always records a success. |
| 573 (2) | Process generates non-system audit event with Authorization Application Programming Interface (AuthZ API) | MS defined typical behavior. |
| 577, 578, 4673, 4674 | Privilege service called, privileged object operation | Very high volume events that provide little information to act upon or understand in most cases. |
| 594, 4690 | A handle to an object was duplicated | An object already successfully opened (event id 560/4565) was duplicated with no change to access. |
| 595 | Indirect access to an object was obtained | MS reported event similar to event 594/4690. |
| 596 | Backup of data protection master key | Occurs every 90 days automatically with default settings. |
| 597 | Recovery of data protection master key | This message is logged for informational purposes only per MS. |
| 697 | Password policy checking API called | Generated when "enforced password policy" is checked on SQL Server 2005 running on Windows 2003. |
| 768 (2) | Forest namespace collision | MS defined, not security related. |
| 769, 770, 771 | Trusted forest information added, deleted or modified | Normal operations of inter-forest trusts. Not to be confused with addition, deletion, or modification of the trust itself. |
| 832-841 (2) | Various Active Directory replication issues | MS defined, no security implications. |


(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.

(2) http://technet.microsoft.com/en-us/library/cc875806.aspx

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=4647 OR EventId=562 OR EventId=4658 OR EventId=573 OR EventId=577 OR EventId=4673 OR EventId=578 OR EventId=4674 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR EventId=4690 OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841))


FS1002: Windows Server Reasonable Filter

The Windows Server Reasonable filters provide an extension to the essentials that is acceptable to most environments and reduces considerable noise.

Filter Scope

| Event | Condition | Filter Rationale |
|---|---|---|
| 538, 4634 | User initiates logoff | This event only indicates the time a user initiates logoff or the time when the system initiates logoff. It does not mean the user actually stopped using the system. |
| 672, 4772, 4768 | Kerberos AS Ticket Request | If you collect logon events 528, 540 and 4624 from all computers, this event only adds that a Kerberos Ticket Granting Ticket was granted. As a service ticket must still be granted (event 673, 4769, 4773) for any access to occur, this event may be redundant. Please note this event can be associated with smart card logons if applicable. |
| 680, 4776 | Account Logon | If you collect logon events 528, 540 and 4624 from all computers, this event only records validation of the account credentials. Separate logon events record what the user accessed, so this event may be redundant. |

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT (EventId=538 OR EventId=4634 OR EventId=672 OR EventId=4772 OR EventId=4768 OR EventId=680 OR EventId=4776)


FS1003: Windows Server Rational Filter

The Windows Server Rational filters go beyond raw event ID filtering to provide targeted filtering. These can be used when applicable. Note that the Account Management events, and more specifically the 637 event, do not occur as frequently as other event types like Logon/Logoff. Therefore, filtering event 637 may simply add complexity to your filter without reducing much 'noise' in the scheme of things (depending on your audit policy).

Filter Scope

| Event (1) | Condition | Filter Rationale |
|---|---|---|
| 571 | Client Context deleted by Authorization Manager | Normal activity where Authorization Manager is active and in use. |
| 624, 4720 | User Account Created where New Account Name ends with '$' | A domain user has created or connected a new computer account to the domain. This may be normal activity if users have this right. |
| 627, 4723 | Change Password Attempt where User equals 'System' and Target Account Name equals 'TsInternetUser' and Caller User Name ends with '$' | This is normal behavior of a computer that runs Terminal Services. |

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT (EventId=571 OR ((TargetUser LIKE '%$') AND (EventId=624 OR EventId=4720)) OR ((HeaderUser='System' AND ClientUser LIKE '%$' AND TargetUser='TsInternetUser') AND (EventId=627 OR EventId=4723)))


FS1004: Windows Server Authentication Computer$ Filter

The Windows Server Authentication Computer$ filter is for common computer account logon traffic.

Filter Scope

| Event (1) | Condition | Filter Rationale |
|---|---|---|
| 538, 540, 4624, 4634 | Where Logon Type = 3 and User Name contains $ | Windows computers generate many logon/logoff events on DCs as they frequently check for group policy updates and query other information in AD. Please note Filter Set 1002 already excludes event 538/4634. |
| 672, 673, 674, 675, 676, 4768, 4769, 4770, 4771, 4772 | Where User Name contains $ | Windows computers generate many Kerberos events as they frequently check for group policy updates and query other information in AD. Please note Filter Set 1002 already excludes events 672, 4768 and 4772. |

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT (((EventId=538 OR EventId=540 OR EventId=4624 OR EventId=4634) AND (String01='3') AND HeaderUser LIKE '%$%') OR (ClientUser LIKE '%$%' AND (EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772)))


FS1005: Service Account Authentication Success Filter

The Service Account Authentication Success filter provides an example of how to filter specific user accounts, or patterns within a user account name like admin or sys, on logon. These are commonly used to filter service and system accounts that run on all systems frequently, such as antivirus or backup programs. Please note this is for 'Success' activity only; all logon failure activity should be collected.

Filter Scope

| Event | Condition | Filter Rationale |
|---|---|---|
| 528, 540, 4624 | Where User Name contains $ or = X | Some service and system accounts generate excessive activity while doing normal approved activities. Filtering these accounts can greatly reduce load when collecting successful logon events. Consider adding events 538/4634 and 680/4776 if not already filtering those events. |

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 4624))
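Section 9 says the only real test of a filter is to look at what it collects afterwards; as an added example (not the guide's or ACS's code), the evaluator below lets you check a filter's logic on constructed events first. It covers the WQL subset these filters use, runs FS1004 (with balanced parentheses and ASCII quotes, and a shortened Kerberos list) over sample events, and its like() shows that the '_' in FS1005's '%ADM_%' matches any single character and that a bare '$' pattern matches only the literal string '$'. It assumes WMI-style case-insensitive string comparison.

```python
"""Preview which events an ACS noise filter keeps or drops. Added example, not code
from the guide or from ACS; covers the WQL subset the sample filters use (=, <>, <,
<=, >, >=, LIKE with % and _, AND, OR, NOT, parentheses). Assumes WMI's
case-insensitive string comparison."""
import operator
import re

# number | 'string' | operator | identifier (field or keyword) | any other character
TOKEN = re.compile(r"(\d+)|'([^']*)'|(<=|>=|<>|!=|[=<>()])|([A-Za-z_]\w*)|(\S)")
OPS = {"=": operator.eq, "<>": operator.ne, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def tokenize(text):
    toks = []
    for m in TOKEN.finditer(text):
        if m.group(5):  # e.g. a typographic quote pasted in from a document
            raise ValueError(f"unexpected character {m.group(5)!r}")
        toks.append((("num", "str", "op", "id")[m.lastindex - 1], m.group(m.lastindex)))
    return [(k, int(v) if k == "num" else v) for k, v in toks]

def accept(toks, kind, value=None):
    """Consume and return the next token if it has the given kind (and keyword value)."""
    if toks and toks[0][0] == kind and (value is None or str(toks[0][1]).upper() == value):
        return toks.pop(0)
    return None

def parse_chain(toks, keyword, sub):  # sub (keyword sub)*, left-associative
    node = sub(toks)
    while accept(toks, "id", keyword):
        node = (keyword.lower(), node, sub(toks))
    return node

def parse_factor(toks):  # NOT factor | ( expr ) | field op value
    if accept(toks, "id", "NOT"):
        return ("not", parse_factor(toks))
    if accept(toks, "op", "("):
        node = parse_expr(toks)
        if not accept(toks, "op", ")"):
            raise ValueError("missing ')'")
        return node
    field, op = accept(toks, "id"), accept(toks, "op") or accept(toks, "id", "LIKE")
    value = accept(toks, "num") or accept(toks, "str")
    if not (field and op and value):
        raise ValueError("malformed comparison")
    return ("cmp", field[1].lower(), op[1].upper(), value[1])

def parse_expr(toks):  # precedence: NOT binds tightest, then AND, then OR
    return parse_chain(toks, "OR", lambda t: parse_chain(t, "AND", parse_factor))

def like(value, pattern):  # WQL LIKE: % matches any run of characters, _ exactly one
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, str(value), re.I) is not None

def evaluate(node, ev):
    if node[0] in ("or", "and"):
        return (any if node[0] == "or" else all)(evaluate(c, ev) for c in node[1:])
    if node[0] == "not":
        return not evaluate(node[1], ev)
    _, field, op, want = node
    have = ev.get(field)
    if have is None:  # field absent from this event: no comparison matches
        return False
    if op == "LIKE":
        return like(have, want)
    pair = (int(have), want) if isinstance(want, int) else (str(have).lower(), want.lower())
    return OPS[op](*pair)

def apply_filter(query, events):
    """Return (kept, dropped) for a 'SELECT * FROM AdtsEvent WHERE ...' filter."""
    toks = tokenize(re.split(r"\bWHERE\b", query, maxsplit=1, flags=re.I)[1])
    tree = parse_expr(toks)
    if toks:  # leftovers, e.g. an unbalanced closing parenthesis
        raise ValueError(f"unexpected trailing tokens: {toks[:3]}")
    keep = [evaluate(tree, {k.lower(): v for k, v in ev.items()}) for ev in events]
    return [e for e, k in zip(events, keep) if k], [e for e, k in zip(events, keep) if not k]

# FS1004 as in the guide (balanced parentheses, ASCII quotes, Kerberos list shortened to 3 IDs).
FS1004 = ("SELECT * FROM AdtsEvent WHERE NOT (((EventId = 538 OR EventId = 540 OR EventId=4624 "
          "OR EventId=4634) AND (String01 = '3') AND HeaderUser like '%$%') OR (ClientUser "
          "LIKE '%$%' AND (EventId = 672 OR EventId=4769 OR EventId=4771)))")
EVENTS = [  # constructed sample events, not real log data (String01 carries the logon type)
    {"EventId": 540, "String01": "3", "HeaderUser": "WS01$"},   # computer network logon
    {"EventId": 540, "String01": "10", "HeaderUser": "WS01$"},  # computer, other logon type
    {"EventId": 4624, "String01": "3", "HeaderUser": "alice"},  # user network logon
    {"EventId": 4769, "ClientUser": "DC02$"},                    # computer service ticket
]
```

apply_filter(FS1004, EVENTS) keeps the second and third events and drops the computer logon and the computer service ticket; feeding it a filter with an extra ')' or a typographic quote raises ValueError instead of silently passing everything through.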


FS1006: Base Reporting Filter

The Base Reporting Filter excludes items on which some organizations do not require reporting. This filter is useful for removing entire categories of events when, for some reason or other, it is desirable to keep the audit policies but not report on the events.

The Base Reporting Filter removes the following items:

| Event (1) | Condition | Filter Rationale |
|---|---|---|
| All Object Access Events (560, 561, 562, 563, 564, 567, 4656, 4657, 4658, 4659, 4660, 4661, 4663, 4664, 4665, 4666, 4667, 4668, 4670, 4671, 4685, 4690, 4691, 4698, 4699, 4700, 4701, 4702, 4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898, 4899, 4900, 4985, 5031, 5120, 5140, 5142, 5143, 5144, 5145, 5148, 5149, 5150, 5151, 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159, 5168, 5888, 5889) | None | Removal of all events of the Object Access category |
| All Detailed Tracking Events (592, 593, 594, 595, 600, 601, 602, 861, 4688, 4689, 4692, 4693, 4694, 4695, 4696, 4816, 5712) | None | Removal of all events of the Detailed Tracking Access category |
| All Directory Services Access Events (565, 566, 4661, 4662, 4928, 4929, 4930, 4931, 4932, 4933, 4934, 4935, 4936, 4937, 5136, 5137, 5138, 5139, 5141) | None | Removal of all events of the Directory Services Access category |
| Logon/Logoff Events (528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 551, 552, 682, 683, 4624, 4625, 4634, 4647, 4648, 4650, 4651, 4652, 4653, 4654, 4655, 4672, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 4976, 4977, 4978, 4979, 4980, 4981, 4982, 4983, 4984, 5451, 5452, 5453, 5632, 5633, 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280) | Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$') | All successful logon events and logon/logoff by system accounts |

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT (((Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$')) AND (EventId=528 OR EventId=529 OR EventId=530 OR EventId=531 OR EventId=532 OR EventId=533 OR EventId=534 OR EventId=535 OR EventId=536 OR EventId=537 OR EventId=538 OR EventId=539 OR EventId=540 OR EventId=551 OR EventId=552 OR EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=677 OR EventId=678 OR EventId=679 OR EventId=680 OR EventId=681 OR EventId=682 OR EventId=683 OR EventId=4624 OR EventId=4625 OR EventId=4634 OR EventId=4647 OR EventId=4648 OR EventId=4650 OR EventId=4651 OR EventId=4652 OR EventId=4653 OR EventId=4654 OR EventId=4655 OR EventId=4672 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4773 OR EventId=4774 OR EventId=4775 OR EventId=4776 OR EventId=4777 OR EventId=4778 OR EventId=4779 OR EventId=4800 OR EventId=4801 OR EventId=4802 OR EventId=4803 OR EventId=4964 OR EventId=4976 OR EventId=4977 OR EventId=4978 OR EventId=4979 OR EventId=4980 OR EventId=4981 OR EventId=4982 OR EventId=4983 OR EventId=4984 OR EventId=5451 OR EventId=5452 OR EventId=5453 OR EventId=5632 OR EventId=5633 OR EventId=6272 OR EventId=6273 OR EventId=6274 OR EventId=6275 OR EventId=6276 OR EventId=6277 OR EventId=6278 OR EventId=6279 OR EventId=6280)) OR EventId=560 OR EventId=561 OR EventId=562 OR EventId=563 OR EventId=564 OR EventId=565 OR EventId=567 OR EventId=4656 OR EventId=4657 OR EventId=4658 OR EventId=4659 OR EventId=4660 OR EventId=4661 OR EventId=4663 OR EventId=4664 OR EventId=4665 OR EventId=4666 OR EventId=4667 OR EventId=4668 OR EventId=4670 OR EventId=4671 OR EventId=4685 OR EventId=4690 OR EventId=4691 OR EventId=4698 OR EventId=4699 OR EventId=4700 OR EventId=4701 OR EventId=4702 OR EventId=4868 OR EventId=4869 OR EventId=4870 OR EventId=4871 OR EventId=4872 OR EventId=4873 OR EventId=4874 OR EventId=4875 OR EventId=4876 OR EventId=4877 OR EventId=4878 OR EventId=4879 OR EventId=4880 OR EventId=4881 OR EventId=4882 OR EventId=4883 OR EventId=4884 OR EventId=4885 OR EventId=4886 OR EventId=4887 OR EventId=4888 OR EventId=4889 OR EventId=4890 OR EventId=4891 OR EventId=4892 OR EventId=4893 OR EventId=4894 OR EventId=4895 OR EventId=4896 OR EventId=4897 OR EventId=4898 OR EventId=4899 OR EventId=4900 OR EventId=4985 OR EventId=5031 OR EventId=5120 OR EventId=5140 OR EventId=5142 OR EventId=5143 OR EventId=5144 OR EventId=5145 OR EventId=5148 OR EventId=5149 OR EventId=5150 OR EventId=5151 OR EventId=5152 OR EventId=5153 OR EventId=5154 OR EventId=5155 OR EventId=5156 OR EventId=5157 OR EventId=5158 OR EventId=5159 OR EventId=5168 OR EventId=5888 OR EventId=5889 OR EventId=592 OR EventId=593 OR EventId=594 OR EventId=595 OR EventId=600 OR EventId=601 OR EventId=602 OR EventId=861 OR EventId=4688 OR EventId=4689 OR EventId=4692 OR EventId=4693 OR EventId=4694 OR EventId=4695 OR EventId=4696 OR EventId=4816 OR EventId=5712 OR EventId=565 OR EventId=566 OR EventId=4661 OR EventId=4662 OR EventId=4928 OR EventId=4929 OR EventId=4930 OR EventId=4931 OR EventId=4932 OR EventId=4933 OR EventId=4934 OR EventId=4935 OR EventId=4936 OR EventId=4937 OR EventId=5136 OR EventId=5137 OR EventId=5138 OR EventId=5139 OR EventId=5141)


FS1007: Base Reporting (File Auditing) Filter

The Base Reporting Filter with File Auditing builds on the Base Reporting Filter. This version is useful in situations where the user wants to track file auditing events in addition to the base reporting logon failure events.

This filter removes the following items:

| Event (1) | Condition | Filter Rationale |
|---|---|---|
| All Detailed Tracking Events (592, 593, 594, 595, 600, 601, 602, 861, 4688, 4689, 4692, 4693, 4694, 4695, 4696, 4816, 5712) | None | Removal of all events of the Detailed Tracking Access category |
| All Directory Services Access Events (565, 566, 4661, 4662, 4928, 4929, 4930, 4931, 4932, 4933, 4934, 4935, 4936, 4937, 5136, 5137, 5138, 5139, 5141) | None | Removal of all events of the Directory Services Access category |
| Logon/Logoff Events (528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 551, 552, 682, 683, 4624, 4625, 4634, 4647, 4648, 4650, 4651, 4652, 4653, 4654, 4655, 4672, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 4976, 4977, 4978, 4979, 4980, 4981, 4982, 4983, 4984, 5451, 5452, 5453, 5632, 5633, 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280) | Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$') | All successful logon events and logon/logoff by system accounts. Type=8 indicates successful events. |

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT (((Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$')) AND (EventId=528 OR EventId=529 OR EventId=530 OR EventId=531 OR EventId=532 OR EventId=533 OR EventId=534 OR EventId=535 OR EventId=536 OR EventId=537 OR EventId=538 OR EventId=539 OR EventId=540 OR EventId=551 OR EventId=552 OR EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=677 OR EventId=678 OR EventId=679 OR EventId=680 OR EventId=681 OR EventId=682 OR EventId=683 OR EventId=4624 OR EventId=4625 OR EventId=4634 OR EventId=4647 OR EventId=4648 OR EventId=4650 OR EventId=4651 OR EventId=4652 OR EventId=4653 OR EventId=4654 OR EventId=4655 OR EventId=4672 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4773 OR EventId=4774 OR EventId=4775 OR EventId=4776 OR EventId=4777 OR EventId=4778 OR EventId=4779 OR EventId=4800 OR EventId=4801 OR EventId=4802 OR EventId=4803 OR EventId=4964 OR EventId=4976 OR EventId=4977 OR EventId=4978 OR EventId=4979 OR EventId=4980 OR EventId=4981 OR EventId=4982 OR EventId=4983 OR EventId=4984 OR EventId=5451 OR EventId=5452 OR EventId=5453 OR EventId=5632 OR EventId=5633 OR EventId=6272 OR EventId=6273 OR EventId=6274 OR EventId=6275 OR EventId=6276 OR EventId=6277 OR EventId=6278 OR EventId=6279 OR EventId=6280)) OR EventId=592 OR EventId=593 OR EventId=594 OR EventId=595 OR EventId=600 OR EventId=601 OR EventId=602 OR EventId=861 OR EventId=4688 OR EventId=4689 OR EventId=4692 OR EventId=4693 OR EventId=4694 OR EventId=4695 OR EventId=4696 OR EventId=4816 OR EventId=5712 OR EventId=565 OR EventId=566 OR EventId=4661 OR EventId=4662 OR EventId=4928 OR EventId=4929 OR EventId=4930 OR EventId=4931 OR EventId=4932 OR EventId=4933 OR EventId=4934 OR EventId=4935 OR EventId=4936 OR EventId=4937 OR EventId=5136 OR EventId=5137 OR EventId=5138 OR EventId=5139 OR EventId=5141)


FS1008: Base Reporting (File Auditing & Directory Services)

This extension of the Base Reporting filter includes File Auditing and Directory Service level events. Directory Service events are useful for tracking Active Directory and Group Policy Objects.

| Event (1) | Condition | Filter Rationale |
|---|---|---|
| All Detailed Tracking Events (592, 593, 594, 595, 600, 601, 602, 861, 4688, 4689, 4692, 4693, 4694, 4695, 4696, 4816, 5712) | None | Removal of all events of the Detailed Tracking Access category |
| Logon/Logoff Events (528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 551, 552, 682, 683, 4624, 4625, 4634, 4647, 4648, 4650, 4651, 4652, 4653, 4654, 4655, 4672, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 4976, 4977, 4978, 4979, 4980, 4981, 4982, 4983, 4984, 5451, 5452, 5453, 5632, 5633, 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280) | Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$') | All successful logon events and logon/logoff by system accounts. Type=8 indicates successful events. |

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT (((Type=8 AND (HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$')) AND (EventId=528 OR EventId=529 OR EventId=530 OR EventId=531 OR EventId=532 OR EventId=533 OR EventId=534 OR EventId=535 OR EventId=536 OR EventId=537 OR EventId=538 OR EventId=539 OR EventId=540 OR EventId=551 OR EventId=552 OR EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=677 OR EventId=678 OR EventId=679 OR EventId=680 OR EventId=681 OR EventId=682 OR EventId=683 OR EventId=4624 OR EventId=4625 OR EventId=4634 OR EventId=4647 OR EventId=4648 OR EventId=4650 OR EventId=4651 OR EventId=4652 OR EventId=4653 OR EventId=4654 OR EventId=4655 OR EventId=4672 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4773 OR EventId=4774 OR EventId=4775 OR EventId=4776 OR EventId=4777 OR EventId=4778 OR EventId=4779 OR EventId=4800 OR EventId=4801 OR EventId=4802 OR EventId=4803 OR EventId=4964 OR EventId=4976 OR EventId=4977 OR EventId=4978 OR EventId=4979 OR EventId=4980 OR EventId=4981 OR EventId=4982 OR EventId=4983 OR EventId=4984 OR EventId=5451 OR EventId=5452 OR EventId=5453 OR EventId=5632 OR EventId=5633 OR EventId=6272 OR EventId=6273 OR EventId=6274 OR EventId=6275 OR EventId=6276 OR EventId=6277 OR EventId=6278 OR EventId=6279 OR EventId=6280)) OR EventId=565 OR EventId=566 OR EventId=4661 OR EventId=4662 OR EventId=4928 OR EventId=4929 OR EventId=4930 OR EventId=4931 OR EventId=4932 OR EventId=4933 OR EventId=4934 OR EventId=4935 OR EventId=4936 OR EventId=4937 OR EventId=5136 OR EventId=5137 OR EventId=5138 OR EventId=5139 OR EventId=5141)


FS1009: Base Reporting (File Auditing, Directory Services, All Non-System Logons) Filter

A common request is to include successful Logon/Logoff events. Although not recommended due to the volume of logon activity generated, the FS1009 filter will exclude the largest volume events (Detailed Tracking events) and system generated Logon/Logoff events.

| Event (1) | Condition | Filter Rationale |
|---|---|---|
| All Detailed Tracking Events (592, 593, 594, 595, 600, 601, 602, 861, 4688, 4689, 4692, 4693, 4694, 4695, 4696, 4816, 5712) | None | Removal of all events of the Detailed Tracking Access category |
| Logon/Logoff Events (528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 551, 552, 682, 683, 4624, 4625, 4634, 4647, 4648, 4650, 4651, 4652, 4653, 4654, 4655, 4672, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 4976, 4977, 4978, 4979, 4980, 4981, 4982, 4983, 4984, 5451, 5452, 5453, 5632, 5633, 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280) | HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$' | All successful logon events and logon/logoff by system accounts |

(1) Not all Windows 2003 events were identified to have a Windows 2008 equivalent.

Filter Syntax

SELECT * FROM AdtsEvent WHERE NOT (((HeaderSid='S-1-5-18' OR HeaderSid='S-1-5-19' OR HeaderSid='S-1-5-20' OR HeaderUser LIKE '%$') AND (EventId=528 OR EventId=529 OR EventId=530 OR EventId=531 OR EventId=532 OR EventId=533 OR EventId=534 OR EventId=535 OR EventId=536 OR EventId=537 OR EventId=538 OR EventId=539 OR EventId=540 OR EventId=551 OR EventId=552 OR EventId=672 OR EventId=673 OR EventId=674 OR EventId=675 OR EventId=676 OR EventId=677 OR EventId=678 OR EventId=679 OR EventId=680 OR EventId=681 OR EventId=682 OR EventId=683 OR EventId=4624 OR EventId=4625 OR EventId=4634 OR EventId=4647 OR EventId=4648 OR EventId=4650 OR EventId=4651 OR EventId=4652 OR EventId=4653 OR EventId=4654 OR EventId=4655 OR EventId=4672 OR EventId=4768 OR EventId=4769 OR EventId=4770 OR EventId=4771 OR EventId=4772 OR EventId=4773 OR EventId=4774 OR EventId=4775 OR EventId=4776 OR EventId=4777 OR EventId=4778 OR EventId=4779 OR EventId=4800 OR EventId=4801 OR EventId=4802 OR EventId=4803 OR EventId=4964 OR EventId=4976 OR EventId=4977 OR EventId=4978 OR EventId=4979 OR EventId=4980 OR EventId=4981 OR EventId=4982 OR EventId=4983 OR EventId=4984 OR EventId=5451 OR EventId=5452 OR EventId=5453 OR EventId=5632 OR EventId=5633 OR EventId=6272 OR EventId=6273 OR EventId=6274 OR EventId=6275 OR EventId=6276 OR EventId=6277 OR EventId=6278 OR EventId=6279 OR EventId=6280)) OR EventId=565 OR EventId=566 OR EventId=4661 OR EventId=4662 OR EventId=4928 OR EventId=4929 OR EventId=4930 OR EventId=4931 OR EventId=4932 OR EventId=4933 OR EventId=4934 OR EventId=4935 OR EventId=4936 OR EventId=4937 OR EventId=5136 OR EventId=5137 OR EventId=5138 OR EventId=5139 OR EventId=5141)


11 REFERENCES

Microsoft Windows Events: http://support.microsoft.com/kb/947226

ACS Administration: http://technet.microsoft.com/en-us/library/bb309436.aspx

Well-known security identifiers: http://support.microsoft.com/kb/243330

WMI and SQL (WQL): http://msdn.microsoft.com/en-us/library/aa394552(v=VS.85).aspx

Auditing Security Events: http://msdn.microsoft.com/en-us/library/ms731669.aspx

Description of Security Events in Windows Vista and in Windows 2008: http://support.microsoft.com/kb/947226 and http://technet.microsoft.com/en-us/library/cc875806.aspx

EventId List: http://www.eventid.net