Windows Event Logs

Windows Event Log Rules allow customers to choose and filter on specific Event Log criteria for monitoring, archiving, or both

When archiving data, the SQL Table Prefix should be left at {default} (which is ARGSOFT_COMPLIANCE_); with this prefix, all Security Log records are archived into the various audit tables

All other Event Logs are archived into the ARGSOFT_COMPLIANCE_LOG_ARCHIVE table

Argent for Compliance comes with General Best Practice Rules that can be modified or copied:

EVT_APPLICATION_LOG_CONTAINS_ERROR

Windows Application Log Contains ‘Error’

Description:

This Rule automates alerting when an Application Log contains records marked “Error”, regardless of case

This Rule is an essential compliance Rule, as third-party applications may be reporting security- or compliance-related errors

EVT_APPLICATION_LOG_CONTAINS_CRITICAL

Windows Application Log Contains ‘Critical’

Description:

This Rule automates alerting when an Application Log contains records marked “Critical”, regardless of case

This Rule is an essential compliance Rule, as third-party applications may be reporting security- or compliance-related errors

EVT_SECURITY_LOG_HAS_BEEN_CLEARED

Windows Security Log Has Been Cleared

Description:

This Rule automates alerting when a Windows Security Log has been cleared on a production server

Clearing the Windows Security Log is one of the most common ways hackers and other unauthorized users cover their tracks

Because this technique is so common, the Windows Security Log on ALL production Windows servers must be monitored, with alerts sent automatically by Argent

A common trick used by hackers is to do this unauthorized clearing at midnight Saturday to try to blend in with legitimate weekly housekeeping

Internal Codes:

W2003: 517

W2008: 1102

EVT_SECURITY_LOG_STOPPED_LOGGING

Windows Security Log Stopped Logging

Description:

This Rule automates alerting when a Windows Security Log stops logging

There are a number of reasons logging to a Windows Security Log may stop; human intervention is required to determine the appropriate corrective action

It can sometimes be as simple as an incorrectly set maximum log size (disk space limit)

Or the internal resources allocated for queuing audit messages may have been exhausted, leading to the loss of some records

Flooding a Windows Security Log is one of the most common ways hackers and other unauthorized users cover their tracks: if the log is full and its retention setting is "Do not overwrite events", no further records can be written, and if it is set to overwrite as needed, the flood pushes the older, incriminating records out of the log instead

Because this technique is so common, the Windows Security Log on ALL production Windows servers must be monitored, with alerts sent automatically by Argent

Internal Codes:

W2003: 516, 521

W2008: 4612
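The following PowerShell is an added example of how to check for both of these conditions (log cleared, audit records lost) directly from the Security log on Windows 2008 and later; it is not Argent code and not part of the Rules above. It assumes the account running it can read the Security log (Administrators or Event Log Readers), that $Since is the time of the previous check, and that the Windows 2003 IDs appear only for reference, since Get-WinEvent requires Vista/2008 or later. The 1102 record itself names the account that cleared the log, which is the first thing to pull into the alert.

```powershell
# Added example (not Argent code): look for a cleared Security log (1102) or lost
# audit records (4612) since the previous check. Assumed: $Since is the last check
# time, and the caller can read the Security log. The Windows 2003 IDs in $watch
# are for reference only; Get-WinEvent needs Vista/2008 or later.
param(
    [datetime]$Since = (Get-Date).AddMinutes(-15),
    [string]$ComputerName = $env:COMPUTERNAME
)

$watch = @{
    1102 = 'Security log cleared (2003: 517)'
    4612 = 'Audit queue exhausted, records lost (2003: 516, 521)'
}

# Flatten an event's XML payload into name/value pairs. Most Security events put
# their fields under EventData/Data; 1102 puts them under UserData/LogFileCleared.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $f = @{}
    foreach ($d in $x.Event.EventData.Data) { $f[[string]$d.Name] = $d.'#text' }
    foreach ($n in $x.Event.UserData.ChildNodes) {
        foreach ($c in $n.ChildNodes) { $f[$c.LocalName] = $c.InnerText }
    }
    return $f
}

$filter = @{ LogName = 'Security'; Id = @($watch.Keys); StartTime = $Since }
# Get-WinEvent reports "no events found" as an error; for a monitor that is the clean case
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

foreach ($e in $events) {
    $f = Get-EventFields $e
    # 1102 names the account that cleared the log; 4612 has no subject, only a count
    $who = if ($f.SubjectUserName) { "$($f.SubjectDomainName)\$($f.SubjectUserName)" } else { 'n/a' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Meaning = $watch[$e.Id]
        Subject = $who
        Lost    = $f.AuditsDiscarded
    }
}
if ($events.Count -eq 0) { "No clear or audit-loss events in the Security log since $Since" }
```

Run it from an elevated prompt, or from an account in the Event Log Readers group, and pass -Since with the timestamp of the previous run so consecutive checks do not overlap or leave a gap. A 1102 record written by an account that is not on the list of people allowed to clear logs is the alert; a 4612 with a non-zero Lost count means the log has already missed records, so the alert should trigger a review of what else happened in that window.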

EVT_SECURITY_LOG_HACKER_ATTACK

Possible Hacker Attack

Description:

This Rule automates alerting if a Windows Security Log contains more than 10 occurrences of ‘Logon Failure – Unknown user name or bad password’ since the last check

The presence of a few 529 or 4625 records is completely normal – users sometimes have fat fingers

But if there are six 4625 records on Monday, nine on Tuesday, and six million on Wednesday, that indicates a hacker attack, most likely a brute-force or dictionary attack

Tip: The filter should be set to monitor only specific user accounts for failures — those with powerful system privileges such as Domain Admin accounts

Internal Codes:

W2003: 529

W2008: 4625
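An added example, not Argent code, of this check with the tip applied: it counts 4625 records since the last check, but only for a supplied list of privileged account names, and only for the two sub-status codes that correspond to the old 529 meaning (4625 also covers other failure reasons, such as expired passwords and locked-out accounts, which should be tracked separately rather than folded into this count). The account list, the 15-minute window and the per-account breakdown are assumptions for illustration; the threshold of 10 is the Rule's.

```powershell
# Added example (not Argent code): count 'unknown user name or bad password' failures
# (4625) against a watch-list of privileged accounts since the previous check.
# Assumed: $Since is the last check time; $WatchAccounts is maintained by the operator.
param(
    [datetime]$Since = (Get-Date).AddMinutes(-15),
    [string[]]$WatchAccounts = @('Administrator', 'svc-backup'),   # assumed list
    [int]$Threshold = 10
)

# 4625 covers every logon failure; these two NTSTATUS sub-status codes are the
# ones that correspond to the old 529 "unknown user name or bad password"
$subStatus = @{
    '0xc0000064' = 'unknown user name'
    '0xc000006a' = 'bad password'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$hits = @(foreach ($e in $events) {
    $x = [xml]$e.ToXml(); $f = @{}
    foreach ($d in $x.Event.EventData.Data) { $f[[string]$d.Name] = $d.'#text' }
    $reason = $subStatus["$($f.SubStatus)".ToLower()]
    # Keep only the two failure reasons the rule names, and only for watched accounts
    if ($reason -and ($WatchAccounts -contains $f.TargetUserName)) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($f.TargetDomainName)\$($f.TargetUserName)"
            Source  = $f.IpAddress          # '-' for local or console failures
            Reason  = $reason
        }
    }
})

if ($hits.Count -gt $Threshold) {
    Write-Warning ("{0} failed logons against watched accounts since {1} (threshold {2})" -f $hits.Count, $Since, $Threshold)
    # Per-account and per-source breakdown: one source hammering one account is the brute-force signature
    $hits | Group-Object Account | Sort-Object Count -Descending | ForEach-Object {
        $sources = ($_.Group.Source | Sort-Object -Unique) -join ', '
        "  {0}: {1} failure(s) from {2}" -f $_.Name, $_.Count, $sources
    }
} else {
    "{0} failed logon(s) against watched accounts since {1}; under threshold" -f $hits.Count, $Since
}
```

Pass -WatchAccounts with the members of Domain Admins and any other high-privilege accounts, and feed the previous run's timestamp to -Since. The breakdown matters as much as the count: six million failures from one IP against one account is a brute-force attempt, while the same number spread across many accounts from one source is a password spray, and the response differs.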

EVT_SECURITY_LOG_ACCESS_GRANTED

System Security Access Granted

Description:

This Rule automates alerting if a Security Log contains more than 10 occurrences of this event since the last check

The event records that System Security Access was granted to an account, i.e. one of the Logon Rights such as “Access this computer from the network” or “Log on as a service”

The presence of a few of these records is completely normal – granting or removing security rights is routine administration

But if there are six records on Monday, nine on Tuesday, and six million on Wednesday, that indicates a hacker attack

Most servers are set up to allow only a limited number of accounts to run service tasks

Any change to this setup may affect the health and stability of the server itself

Internal Codes:

W2003: 621

W2008: 4717

EVT_SECURITY_LOG_ACCESS_REMOVED

System Security Access Removed

Description:

This Rule automates alerting if a Security Log contains more than 10 occurrences of this event since the last check

The event records that System Security Access was removed from an account, i.e. one of the Logon Rights such as “Access this computer from the network” or “Log on as a service”

The presence of a few of these records is completely normal – granting or removing security rights is routine administration

But if there are six records on Monday, nine on Tuesday, and six million on Wednesday, that indicates a hacker attack

Most servers are set up to allow only a limited number of accounts to run service tasks

Any change to this setup may affect the health and stability of the server itself

Internal Codes:

W2003: 622

W2008: 4718

EVT_SECURITY_LOG_RIGHTS_GRANTED

User Rights Granted

Description:

This Rule automates alerting if a Windows Security Log contains more than 10 occurrences of this event since the last check

This event is generated when a user right is granted

A “User Right” refers to privileges such as “Act as part of the operating system”, “Create a pagefile”, “Manage auditing and security log”, etc.

The presence of a few of these records is completely normal – granting or removing security rights is routine administration

But if there are six records on Monday, nine on Tuesday, and six million on Wednesday, that indicates a hacker attack

Internal Codes:

W2003: 608

W2008: 4704

EVT_SECURITY_LOG_RIGHTS_REMOVED

User Rights Removed

Description:

This Rule automates alerting if a Windows Security Log contains more than 10 occurrences of this event since the last check

This event is generated when a user right is removed

A “User Right” refers to privileges such as “Act as part of the operating system”, “Create a pagefile”, “Manage auditing and security log”, etc.

The presence of a few of these records is completely normal – granting or removing security rights is routine administration

But if there are six records on Monday, nine on Tuesday, and six million on Wednesday, that indicates a hacker attack

Internal Codes:

W2003: 609

W2008: 4705
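One check that covers all four threshold Rules above (EVT_SECURITY_LOG_ACCESS_GRANTED, EVT_SECURITY_LOG_ACCESS_REMOVED, EVT_SECURITY_LOG_RIGHTS_GRANTED and EVT_SECURITY_LOG_RIGHTS_REMOVED), added here as an example and not Argent code. It keeps the previous run's timestamp in a state file so that consecutive checks cover contiguous windows, pulls out who made the change, which account it affected and which right or logon access was involved, and alerts when any one event ID exceeds the threshold. The state file path, the one-hour window on the first run and the SID-to-name translation are assumptions.

```powershell
# Added example (not Argent code): one threshold check for 4717/4718 (system security
# access granted/removed) and 4704/4705 (user right granted/removed). "Since the last
# check" is implemented with a state file holding the previous run's timestamp.
# Assumed: the state file path, the one-hour window on first run, and that SID-to-name
# translation may fail (the raw SID is kept when it does).
param(
    [string]$StateFile = "$env:ProgramData\evt-rights-check.txt",
    [int]$Threshold = 10
)

$ids = @{
    4717 = 'System security access granted (2003: 621)'
    4718 = 'System security access removed (2003: 622)'
    4704 = 'User right granted (2003: 608)'
    4705 = 'User right removed (2003: 609)'
}

# Window: from the previous run's timestamp (or one hour back on first run) to now
$since = if (Test-Path $StateFile) { [datetime]((Get-Content $StateFile -Raw).Trim()) } else { (Get-Date).AddHours(-1) }
$now = Get-Date

$filter = @{ LogName = 'Security'; Id = @($ids.Keys); StartTime = $since; EndTime = $now }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

function Resolve-Sid {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

$rows = @(foreach ($e in $events) {
    $x = [xml]$e.ToXml(); $f = @{}
    foreach ($d in $x.Event.EventData.Data) { $f[[string]$d.Name] = $d.'#text' }
    # 4704/4705 carry a PrivilegeList; 4717/4718 name the logon right in AccessGranted/AccessRemoved
    $right = if ($f.PrivilegeList) { $f.PrivilegeList } elseif ($f.AccessGranted) { $f.AccessGranted } else { $f.AccessRemoved }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Change = $ids[$e.Id]
        By     = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
        Target = Resolve-Sid $f.TargetSid
        Right  = "$right".Trim()
    }
})

foreach ($g in ($rows | Group-Object Id)) {
    $level = if ($g.Count -gt $Threshold) { 'ALERT' } else { 'info' }
    "[{0}] {1}: {2} event(s) between {3} and {4}" -f $level, $ids[[int]$g.Name], $g.Count, $since, $now
}
# Show the detail even under threshold: each of these is a privilege change worth a look
$rows | Sort-Object Time | Format-Table Time, Change, By, Target, Right -AutoSize

# Record this run's end time so the next run starts where this one stopped
Set-Content -Path $StateFile -Value $now.ToString('o')
```

Schedule it at the same interval Argent uses for the Rule so the two agree on what "since the last check" means. The detail table is worth keeping in the alert body: a single 4704 granting “Act as part of the operating system” or “Manage auditing and security log” to an unfamiliar SID deserves attention even though it never comes close to the threshold of 10.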

EVT_SECURITY_LOG_CONTAINS_ERROR

Windows System Log Contains ‘Error’

Description:

This Rule automates alerting if the Windows System Log contains ANY records marked “Error”, regardless of case

Trying to break or forcibly disable the Windows System Log is generally one of the first steps a hacker takes when breaking into a production server – if there is no evidence trail it is far more difficult to detect and diagnose a hacker attack

EVT_SECURITY_LOG_CONTAINS_CRITICAL

Windows System Log Contains ‘Critical’

Description:

This Rule automates alerting if the Windows System Log contains ANY records marked “Critical”, regardless of case

Trying to break or forcibly disable the Windows System Log is generally one of the first steps a hacker takes when breaking into a production server – if there is no evidence trail it is far more difficult to detect and diagnose a hacker attack
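An added example, not Argent code, covering the four Application and System log Rules on this page (Error and Critical in each log). It filters on the numeric level Windows assigns to a record (1 = Critical, 2 = Error) rather than on the level text, so the comparison is case-insensitive and locale-independent, and it tolerates the "no events found" error Get-WinEvent raises when the window is clean. The check window and the optional provider ignore list are assumptions.

```powershell
# Added example (not Argent code): report Critical (level 1) and Error (level 2)
# records in the Application and System logs since the previous check. Filtering on
# the numeric level rather than the text makes the check case- and locale-independent.
# Assumed: $Since is the last check time; $IgnoreProviders is an operator choice.
param(
    [datetime]$Since = (Get-Date).AddMinutes(-15),
    [string[]]$Logs = @('Application', 'System'),
    [string[]]$IgnoreProviders = @()    # e.g. a chatty provider already tracked by another rule
)

$levelName = @{ 1 = 'Critical'; 2 = 'Error' }

$found = @(foreach ($log in $Logs) {
    $filter = @{ LogName = $log; Level = 1, 2; StartTime = $Since }
    # A clean window makes Get-WinEvent raise "no events found"; treat it as zero results
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        if ($IgnoreProviders -contains $e.ProviderName) { continue }
        [pscustomobject]@{
            Log      = $log
            Time     = $e.TimeCreated
            Level    = $levelName[[int]$e.Level]
            Provider = $e.ProviderName
            Id       = $e.Id
            # First line only; the full text stays in the log. Message is null when the
            # provider's message resources are not installed on the reading machine.
            Message  = ("$($e.Message)" -split "`r?`n")[0]
        }
    }
})

$found | Sort-Object Time | Format-Table Log, Time, Level, Provider, Id, Message -AutoSize

# Per-log, per-level counts: this is the number an alert rule keys on
$found | Group-Object Log, Level | ForEach-Object { "{0}: {1}" -f $_.Name, $_.Count }
if ($found.Count -eq 0) { "No Error or Critical records in $($Logs -join ', ') since $Since" }
```

Matching on the level number rather than on the word "Error" also avoids a false match on records whose message text happens to contain the word. When a provider is known to be noisy, add it to -IgnoreProviders and give it its own Rule with a threshold instead of letting it drown the rest of the report.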