Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

The Snare application has a number of built in Audit Policies with both basic auditing and advanced auditing options. These Audit Policies have been designed to 'trap' certain Security Log event IDs and enable the user to create some of the more common audit policies without having to know which event IDs they require. The details are given below with respect to basic audit policy and advanced audit policy.

Basic Audit Policy

For each high level event, the Windows XP/2003 event IDs will be listed in blue and the Vista/2008/Windows7/Windows8/Windows10/Windows 2012 and above event IDs will be listed in green. As a rule of thumb, to find the equivalent Windows XP/2003 event ID on a newer Windows operating system, just add 4096.

The events will be generated by turning on selected audit categories, on the Windows audit sub-system.

Logon of Logoff.
528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 551, 552, 672, 673, 674, 675, 676, 677, 678, 680, 681, 682, 683
4624, 4625, 4626, 4627, 4628, 4629, 4630, 4631, 4632, 4633, 4634, 4647, 4648, 4768, 4769, 4770, 4771, 4772, 4773, 4774, 4776, 4777, 4778, 4779, 4800, 4801, 4802, 4803

Access a file or directory.
560, 561, 562, 563, 564, 565, 566, 567, 594, 595
4656, 4657, 4658, 4659, 4660, 4661, 4662, 4663, 4690, 4691

Start or stop a process.
592, 593, 594, 595
4688, 4689, 4690, 4691

Use of user rights.
576, 577, 578, 608, 609
4672, 4673, 4674, 4704, 4705

Account administration.
624, 625, 626, 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671
4720, 4721, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4763, 4764, 4765, 4766, 4767

Change the security policy.
516, 517, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618, 620, 643
104, 1102, 4612, 4613, 4704, 4705, 4706, 4707, 4708, 4709, 4710, 4711, 4712, 4713, 4714, 4716, 4719, 4739

Restart, shutdown and system.
512, 513
4608, 4609

USB Events.
1003,1004,1006,1008,2000,2001,2003,2004,2005,2006,2010,2100,2101,2102,2105,2106,2900,2901,4230,4231,7036
Note: Events 4230 (Device ARRIVED) and 4231 (Device REMOVAL) are Snare specfic IDs. They are not part of the Windows event system.

Filtering Events.
5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159, 5447

Other Object Access Events
4671,4691,5148,5149,4698,4699,4700,4701,4702,5888,5889,5890


The following paragraphs detail the Snare for Windows event IDs for XP/2003 and the categories which they belong to.

Audit Privilege Use (Success and Failure) will generate:
576;Special privileges assigned to new logo
577;Privileged Service Called
578;Privileged object operation
Audit Process Tracking (Success and Failure) will generate:
592;A new process has been created
593;A process has exited
594;A handle to an object has been duplicated
595;Indirect access to an object has been obtained
Audit System Events (Success and Failure) will generate:
514;An authentication package has been loaded
515;A trusted logon process has registered
516;Loss of some audits;
517;The audit log was cleared
518;A notification package has been loaded
Audit Logon Events (Success and Failure) will generate:
528;A user successfully logged on to a computer
529;The logon attempt was made with an unknown user name or bad password
530;The user account tried to log on outside of the allowed time
531;A logon attempt was made using a disabled account
532;A logon attempt was made using an expired account
533;The user is not allowed to log on at this computer
534;The user attempted to log on with a logon type that is not allowed
535;The password for the specified account has expired
536;The Net Logon service is not active
537;The logon attempt failed for other reasons
538;A user logged off
539;The account was locked out at the time the logon attempt was made
540;Successful Network Logon
541;IPSec security association established
542;IPSec security association ended
543;IPSec security association ended
544;IPSec security association establishment failed
545;IPSec peer authentication failed
546;IPSec security association establishment failed
547;IPSec security association negotiation failed
682;A user has reconnected to a disconnected Terminal Services session
683;A user disconnected a Terminal Services session without logging off
Audit Account Logon Events (Success and Failure) will generate:
672;An authentication service (AS) ticket was successfully issued and validated
673;A ticket granting service (TGS) ticket was granted
674;A security principal renewed an AS ticket or TGS ticket
675;Pre-authentication failed
676;Authentication Ticket Request Failed
677;A TGS ticket was not granted
678;An account was successfully mapped to a domain account
680;Identifies the account used for the successful logon attempt
681;A domain account log on was attempted
682;A user has reconnected to a disconnected Terminal Services session
683;A user disconnected a Terminal Services session without logging off
Audit Object Access (Success and Failure) will generate:
560;Access was granted to an already existing object
561;A handle to an object was allocated
562;A handle to an object was closed
563;An attempt was made to open an object with the intent to delete it
564;A protected object was deleted
565;Access was granted to an already existing object type
566;Object Operation
608;A user right was assigned
Audit Policy Change (Success and Failure) will generate:
609;A user right was removed
610;A trust relationship with another domain was created
611;A trust relationship with another domain was removed
612;An audit policy was changed
613;IPSec policy agent started
614;IPSec policy agent disabled
615;IPSec policy changed
616;IPSec policy agent encountered a potentially serious failure
617;Kerberos policy changed618;Encrypted data recovery policy changed
620;Trusted domain information modified
615;IPSec policy changed
616;IPSec policy agent encountered a potentially serious failure
617;Kerberos policy changed618;Encrypted data recovery policy changed
620;Trusted domain information modified
768;A collision was detected between a namespace element in two forests
Audit Directory Service Access (Success and Failure) will generate:
565;Information about accessed objects in AD
Audit Account Management Events (Success and Failure) will generate:
624;User Account Created
625;User Account Type Change
626;User Account Enabled
627;Password Change Attempted
628;User Account Password Set
629;User Account Disabled
630;User Account Deleted
631;Security Enabled Global Group Created
632;Security Enabled Global Group Member Added
633;Security Enabled Global Group Member Removed
634;Security Enabled Global Group Deleted
635;Security Disabled Local Group Created
636;Security Enabled Local Group Member Added
637;Security Enabled Local Group Member Removed
638;Security Enabled Local Group Deleted
639;Security Enabled Local Group Changed
640;General Account Database Change
641;Security Enabled Global Group Changed
642;User Account Changed
643;Domain Policy Changed
644;User Account Locked Out
645;Computer object added
646;Computer object changed
647;Computer object deleted
648;Security Disabled Local Group Created
649;Security Disabled Local Group Changed
650;Security Disabled Local Group Member Added
651;Security Disabled Local Group Member Removed
652;Security Disabled Local Group Deleted
653;Security Disabled Global Group Created
654;Security Disabled Global Group Changed
655;Security Disabled Global Group Member Added
656;Security Disabled Global Group Member Removed
657;Security Disabled Global Group Deleted
658;Security Enabled Universal Group Created
659;Security Enabled Universal Group Changed
660;Security Enabled Universal Group Member Added
661;Security Enabled Universal Group Member Removed
662;Security Enabled Universal Group Deleted
663;Security Disabled Universal Group Created
664;Security Disabled Universal Group Changed
665;Security Disabled Universal Group Member Added
666;Security Disabled Universal Group Member Removed
667;Security Disabled Universal Group Deleted
668;Group Type Changed
669;Add SID History (Success)
670;Add SID History (Failure)
768;A collision was detected between a namespace element in two forests
Audit Directory Service Access (Success and Failure) will generate:
565;Information about accessed objects in AD
Audit Account Management Events (Success and Failure) will generate:
624;User Account Created
625;User Account Type Change
626;User Account Enabled
627;Password Change Attempted
628;User Account Password Set
629;User Account Disabled
630;User Account Deleted
631;Security Enabled Global Group Created
632;Security Enabled Global Group Member Added
633;Security Enabled Global Group Member Removed
634;Security Enabled Global Group Deleted
635;Security Disabled Local Group Created
636;Security Enabled Local Group Member Added
637;Security Enabled Local Group Member Removed
638;Security Enabled Local Group Deleted
639;Security Enabled Local Group Changed
640;General Account Database Change
641;Security Enabled Global Group Changed
642;User Account Changed
643;Domain Policy Changed
644;User Account Locked Out
645;Computer object added
646;Computer object changed
647;Computer object deleted
648;Security Disabled Local Group Created
649;Security Disabled Local Group Changed
650;Security Disabled Local Group Member Added
651;Security Disabled Local Group Member Removed
652;Security Disabled Local Group Deleted
653;Security Disabled Global Group Created
654;Security Disabled Global Group Changed
655;Security Disabled Global Group Member Added
656;Security Disabled Global Group Member Removed
657;Security Disabled Global Group Deleted
658;Security Enabled Universal Group Created
659;Security Enabled Universal Group Changed
660;Security Enabled Universal Group Member Added
661;Security Enabled Universal Group Member Removed
662;Security Enabled Universal Group Deleted
663;Security Disabled Universal Group Created
664;Security Disabled Universal Group Changed
665;Security Disabled Universal Group Member Added
666;Security Disabled Universal Group Member Removed
667;Security Disabled Universal Group Deleted
668;Group Type Changed
669;Add SID History (Success)
670;Add SID History (Failure)

Advanced Audit Policy


  • No labels