Windows Event Logs
Windows Event Log Rules allow customers to choose and filter on specific Event Log criteria for monitoring, archiving, or BOTH
When archiving data, the SQL Table Prefix should be left at {default} (which is ARGSOFT_COMPLIANCE_); with this prefix all Security Log records are archived into the various audit tables
All other Event Logs are archived into the ARGSOFT_COMPLIANCE_LOG_ARCHIVE table
Argent for Compliance comes with General Best Practice Rules that can be modified or copied:
EVT_APPLICATION_LOG_CONTAINS_ERROR
Windows Application Log Contains ‘Error’
Description:
This Rule automates alerting when an Application Log contains records marked “Error”, regardless of case
This Rule is an essential compliance Rule as third-party applications may be suffering security- or compliance-related errors
EVT_APPLICATION_LOG_CONTAINS_CRITICAL
Windows Application Log Contains ‘Critical’
Description:
This Rule automates alerting when an Application Log contains records marked “Critical”, regardless of case
This Rule is an essential compliance Rule as third-party applications may be suffering security- or compliance-related errors
EVT_SECURITY_LOG_HAS_BEEN_CLEARED
Windows Security Log Has Been Cleared
Description:
This Rule automates alerting when a Windows Security Log has been cleared on a production server
Clearing the Windows Security Log is one of the most common ways hackers and other unauthorized users cover their tracks
Because this technique is so common, the Windows Security Log on ALL production Windows servers must be monitored, with alerts sent automatically by Argent
A common trick is to do the unauthorized clearing at midnight on Saturday so that it blends in with legitimate weekly housekeeping; the Rule should therefore fire at any hour, including that window
Internal Codes:
W2003: 517
W2008: 1102
EVT_SECURITY_LOG_STOPPED_LOGGING
Windows Security Log Stopped Logging
Description:
This Rule automates alerting when a Windows Security Log stops logging
There are a number of reasons that logging to a Windows Security Log may stop – human intervention is required to determine the appropriate corrective action
It can sometimes be as simple as an incorrectly set disk space limit
Or it may be that the internal resources allocated for queuing audit messages have been exhausted, leading to the loss of some records
Flooding a Windows Security Log is one of the most common ways hackers and other unauthorized users cover their tracks: once the log is full no additional logging can occur, so the events of the attack itself are never recorded
Because this technique is so common, the Windows Security Log on ALL production Windows servers must be monitored, with alerts sent automatically by Argent
Internal Codes:
W2003: 516, 521
W2008: 4612
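Both Rules above fire on a single matching record rather than on a count. The following Python is an added example, not Argent code: it maps the W2003 and W2008 internal codes listed above onto the two Rule names, never suppresses a hit, and annotates whether the record fell in the Saturday-midnight housekeeping window the cleared-log Rule warns about. The event records, host names, account names and the window boundaries (Saturday 23:00 to Sunday 00:59) are constructed assumptions; field names follow the 2008+ Security Log schema.

```python
"""Single-event Security Log rules: log cleared, logging stopped.

Added example, not Argent code.  Event records are constructed dicts with the
fields a Windows Security Log record exposes; the 'os' field is an assumption
standing in for knowing which event ID set the host uses.
"""
from datetime import datetime
from typing import Dict, List

# Internal codes listed in the two rule descriptions above
LOG_CLEARED = {"W2003": {517}, "W2008": {1102}}
LOG_STOPPED = {"W2003": {516, 521}, "W2008": {4612}}


def in_weekend_housekeeping_window(ts: datetime) -> bool:
    """Saturday 23:00 through Sunday 00:59 (assumed housekeeping window)."""
    return (ts.weekday() == 5 and ts.hour == 23) or (ts.weekday() == 6 and ts.hour == 0)


def evaluate_single_event_rules(events: List[Dict]) -> List[Dict]:
    """Return one alert per matching record; nothing is rate-limited or suppressed."""
    alerts = []
    for ev in events:
        os_key, eid = ev["os"], ev["EventID"]
        if eid in LOG_CLEARED[os_key]:
            rule = "EVT_SECURITY_LOG_HAS_BEEN_CLEARED"
        elif eid in LOG_STOPPED[os_key]:
            rule = "EVT_SECURITY_LOG_STOPPED_LOGGING"
        else:
            continue
        alerts.append({
            "rule": rule,
            "host": ev["Computer"],
            "event_id": eid,
            "when": ev["TimeCreated"].isoformat(),
            # 1102 records the account that cleared the log; 4612 has no subject
            "subject": ev.get("SubjectUserName", "n/a"),
            # Annotate rather than suppress: the quiet weekend window is exactly
            # when a clearing is timed to blend in with housekeeping
            "in_housekeeping_window": in_weekend_housekeeping_window(ev["TimeCreated"]),
        })
    return alerts


# Constructed sample records (2024-06-08 is a Saturday)
SAMPLE_EVENTS = [
    {"os": "W2008", "EventID": 4624, "Computer": "FS01",
     "TimeCreated": datetime(2024, 6, 8, 22, 15), "SubjectUserName": "svc_backup"},
    {"os": "W2008", "EventID": 1102, "Computer": "FS01",
     "TimeCreated": datetime(2024, 6, 8, 23, 59), "SubjectUserName": "svc_backup"},
    {"os": "W2008", "EventID": 4612, "Computer": "DC01",
     "TimeCreated": datetime(2024, 6, 10, 3, 2)},
    {"os": "W2003", "EventID": 517, "Computer": "LEGACY01",
     "TimeCreated": datetime(2024, 6, 10, 14, 30), "SubjectUserName": "Administrator"},
]

if __name__ == "__main__":
    for alert in evaluate_single_event_rules(SAMPLE_EVENTS):
        print(alert)
```

The 4624 logon is ignored; the 1102 at 23:59 on Saturday is reported with the clearing account and the housekeeping flag set, so an operator sees both that it happened and that it was timed for the quiet window.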
EVT_SECURITY_LOG_HACKER_ATTACK
Possible Hacker Attack
Description:
This Rule automates alerting if a Windows Security Log contains more than 10 occurrences of ‘Logon Failure – Unknown user name or bad password’ since the last check
The presence of a few 529 or 4625 records is completely normal – users sometimes have fat fingers
But if there are six 4625 records on Monday, nine on Tuesday and six million on Wednesday, this indicates a hacker attack, most likely a brute-force or dictionary attack
Tip: The filter should be set to monitor only specific user accounts for failures — those with powerful system privileges such as Domain Admin accounts
Internal Codes:
W2003: 529
W2008: 4625
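The following Python is an added example, not Argent code, of the ‘more than 10 since the last check’ logic this Rule describes, with the account filter the Tip recommends. The same class, instantiated with event IDs 621/4717, 622/4718, 608/4704 or 609/4705, implements the System Security Access and User Rights Rules that follow. The 4625 records, the privileged account list and the timestamps are constructed assumptions; the two SubStatus values are the documented Windows codes behind ‘unknown user name’ and ‘bad password’.

```python
"""Threshold rule: alert when more than N matching Security Log events arrive
since the last check, optionally restricted to named accounts.

Added example, not Argent code.  Events are constructed dicts carrying the
4625 fields used here (TargetUserName, SubStatus, IpAddress); the account
list and timestamps are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Documented 4625 SubStatus values behind "unknown user name or bad password"
SUBSTATUS = {"0xc0000064": "unknown user name", "0xc000006a": "bad password"}

# Assumed: the privileged accounts the Tip above says the filter should target
PRIVILEGED = {"administrator", "da_jsmith"}


@dataclass
class ThresholdRule:
    name: str
    event_ids: Set[int]
    threshold: int = 10
    account_filter: Optional[Set[str]] = None  # None = every account
    last_check: datetime = datetime.min        # watermark for "since the last check"

    def matches(self, ev: Dict) -> bool:
        if ev["EventID"] not in self.event_ids:
            return False
        if self.account_filter is None:
            return True
        return ev.get("TargetUserName", "").lower() in self.account_filter

    def check(self, events: List[Dict], now: datetime) -> Optional[Dict]:
        """Count matches in (last_check, now], advance the watermark, alert if > threshold."""
        window = [e for e in events
                  if self.last_check < e["TimeCreated"] <= now and self.matches(e)]
        self.last_check = now
        if len(window) <= self.threshold:
            return None
        return {
            "rule": self.name,
            "count": len(window),
            "by_account": dict(Counter(e["TargetUserName"] for e in window)),
            "by_reason": dict(Counter(
                SUBSTATUS.get(str(e.get("SubStatus", "")).lower(), "other") for e in window)),
            "sources": sorted({e.get("IpAddress", "-") for e in window}),
        }


def failures(user: str, n: int, substatus: str, ip: str, start: datetime) -> List[Dict]:
    """Constructed 4625 records, one per second."""
    return [{"EventID": 4625, "TargetUserName": user, "SubStatus": substatus,
             "IpAddress": ip, "TimeCreated": start + timedelta(seconds=i)} for i in range(n)]


T0 = datetime(2024, 6, 12, 8, 0)
SAMPLE_EVENTS = (
    failures("jdoe", 3, "0xc000006a", "10.0.0.21", T0)                                     # fat fingers
    + failures("da_jsmith", 12, "0xc000006a", "203.0.113.5", T0 + timedelta(minutes=5))   # guessing an admin password
    + failures("admin", 15, "0xc0000064", "203.0.113.5", T0 + timedelta(minutes=6))       # guessing account names
    + [{"EventID": 4704, "TargetUserName": "svc_sql", "TimeCreated": T0 + timedelta(minutes=7)}]
)


def run_demo() -> Dict[str, Optional[Dict]]:
    privileged = ThresholdRule("EVT_SECURITY_LOG_HACKER_ATTACK", {529, 4625}, account_filter=PRIVILEGED)
    everyone = ThresholdRule("EVT_SECURITY_LOG_HACKER_ATTACK (all accounts)", {529, 4625})
    rights = ThresholdRule("EVT_SECURITY_LOG_RIGHTS_GRANTED", {608, 4704})
    now = T0 + timedelta(minutes=10)
    results = {
        "privileged": privileged.check(SAMPLE_EVENTS, now),
        "all_accounts": everyone.check(SAMPLE_EVENTS, now),
        "rights": rights.check(SAMPLE_EVENTS, now),
    }
    # Nothing arrived after the watermark: the same records must not re-alert
    results["second_check"] = privileged.check(SAMPLE_EVENTS, now + timedelta(minutes=10))
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

Running the filtered Rule alone would have missed the fifteen failures against the non-existent account ‘admin’ (SubStatus 0xC0000064, an attacker guessing account names), so the filtered Rule should run alongside an unfiltered count; the single 4704 stays below the threshold and correctly produces no alert.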
EVT_SECURITY_LOG_ACCESS_GRANTED
System Security Access Granted
Description:
This Rule automates alerting if a Security Log contains more than 10 occurrences of this event since the last check
The event is generated when System Security Access is granted, that is, when an account is given a Logon Right such as “Access this computer from the network” or “Log on as a service”
The presence of a few of these records is completely normal – granting or removing security rights is normal
But if there are six records on Monday, nine on Tuesday and six million on Wednesday, this indicates a hacker attack
Most servers are setup to allow only a limited number of accounts for service tasks
Any changes to this setup may affect the health and stability of the server itself
Internal Codes:
W2003: 621
W2008: 4717
EVT_SECURITY_LOG_ACCESS_REMOVED
System Security Access Removed
Description:
This Rule automates alerting if a Security Log contains more than 10 occurrences of this event since the last check
The event is generated when System Security Access is removed, that is, when a Logon Right such as “Access this computer from the network” or “Log on as a service” is taken away from an account
The presence of a few of these records is completely normal – granting or removing security rights is normal
But if there are six records on Monday, nine on Tuesday and six million on Wednesday, this indicates a hacker attack
Most servers are setup to allow only a limited number of accounts for service tasks
Any changes to this setup may affect the health and stability of the server itself
Internal Codes:
W2003: 622
W2008: 4718
EVT_SECURITY_LOG_RIGHTS_GRANTED
User Rights Granted
Description:
This Rule automates alerting if a Windows Security Log contains more than 10 occurrences since the last check
This event is generated when a user right is granted
A “User Right” refers to items such as “Act As Part of the Operating System”, “Create a pagefile”, “Manage Auditing and Security Log”, etc
The presence of a few of these records is completely normal – granting or removing security rights is normal
But if there are six records on Monday, nine on Tuesday and six million on Wednesday, this indicates a hacker attack
Internal Codes:
W2003: 608
W2008: 4704
EVT_SECURITY_LOG_RIGHTS_REMOVED
User Rights Removed
Description:
This Rule automates alerting if a Windows Security Log contains more than 10 occurrences since the last check
This event is generated when a user right is removed
A “User Right” refers to items such as “Act As Part of the Operating System”, “Create a pagefile”, “Manage Auditing and Security Log”, etc
The presence of a few of these records is completely normal – granting or removing security rights is normal
But if there are six records on Monday, nine on Tuesday and six million on Wednesday, this indicates a hacker attack
Internal Codes:
W2003: 609
W2008: 4705
EVT_SECURITY_LOG_CONTAINS_ERROR
Windows System Log Contains ‘Error’
Description:
This Rule automates alerting if the Windows System Log contains ANY record marked “Error”, regardless of case
Trying to break or forcibly disable the Windows System Log is generally one of the first steps a hacker takes when breaking into a production server – if there is no evidence trail it is far more difficult to detect and diagnose the attack
EVT_SECURITY_LOG_CONTAINS_CRITICAL
Windows System Log Contains ‘Critical’
Description:
This Rule automates alerting if the Windows System Log contains ANY record marked “Critical”, regardless of case
Trying to break or forcibly disable the Windows System Log is generally one of the first steps a hacker takes when breaking into a production server – if there is no evidence trail it is far more difficult to detect and diagnose the attack