Appendix C - Audit Policies and Security Event IDs
The Snare application has a number of built-in Audit Policies, with both basic auditing and advanced auditing options. These Audit Policies are designed to 'trap' certain Security Log event IDs, so that users can create the more common audit policies without having to know which event IDs they require. The details are given below for the basic audit policy and the advanced audit policy.
Basic Audit Policy
For each high level event, the Windows XP/2003 event IDs will be listed in blue and the Vista/2008/Windows 7/Windows 8/Windows 10/Windows 2012 and above event IDs will be listed in green. As a rule of thumb, to find the equivalent of a Windows XP/2003 event ID on a newer Windows operating system, just add 4096.
The events will be generated by turning on selected audit categories, on the Windows audit sub-system.
Note: The high level event "Access a file or directory" is not in the agent GUI list. Users can use the "Any event(s)" option in the GUI to capture the events listed in that category, if required.
Logon or Logoff.
528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 551, 552, 672, 673, 674, 675, 676, 677, 678, 680, 681, 682, 683
4624, 4625, 4626, 4627, 4628, 4629, 4630, 4631, 4632, 4633, 4634, 4647, 4648, 4768, 4769, 4770, 4771, 4772, 4773, 4774, 4776, 4777, 4778, 4779, 4800, 4801, 4802, 4803
Access a file or directory.
560, 561, 562, 563, 564, 565, 566, 567, 594, 595
4656, 4657, 4658, 4659, 4660, 4661, 4662, 4663, 4690, 4691
Start or stop a process.
592, 593, 594, 595
4688, 4689, 4690, 4691
Use of user rights.
576, 577, 578, 608, 609
4672, 4673, 4674, 4704, 4705
Account administration.
624, 625, 626, 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671
4720, 4721, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4763, 4764, 4765, 4766, 4767
Change the security policy.
516, 517, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618, 620, 643
104, 1102, 4612, 4613, 4704, 4705, 4706, 4707, 4708, 4709, 4710, 4711, 4712, 4713, 4714, 4716, 4719, 4739
Restart, shutdown and system.
512, 513
4608, 4609
USB Events.
1003,1004,1006,1008,2000,2001,2003,2004,2005,2006,2010,2100,2101,2102,2105,2106,2900,2901,4230,4231,7036
Note: Events 4230 (Device ARRIVED) and 4231 (Device REMOVAL) are Snare specific IDs. They are not part of the Windows event system.
Filtering Events.
5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159, 5447
Other Object Access Events
4671,4691,5148,5149,4698,4699,4700,4701,4702,5888,5889,5890
The following paragraphs detail the Snare for Windows event IDs for XP/2003 and the categories to which they belong.
Audit Privilege Use (Success and Failure) will generate:
576;Special privileges assigned to new logon
577;Privileged Service Called
578;Privileged object operation
Audit Process Tracking (Success and Failure) will generate:
592;A new process has been created
593;A process has exited
594;A handle to an object has been duplicated
595;Indirect access to an object has been obtained
Audit System Events (Success and Failure) will generate:
514;An authentication package has been loaded
515;A trusted logon process has registered
516;Loss of some audits
517;The audit log was cleared
518;A notification package has been loaded
Audit Logon Events (Success and Failure) will generate:
528;A user successfully logged on to a computer
529;The logon attempt was made with an unknown user name or bad password
530;The user account tried to log on outside of the allowed time
531;A logon attempt was made using a disabled account
532;A logon attempt was made using an expired account
533;The user is not allowed to log on at this computer
534;The user attempted to log on with a logon type that is not allowed
535;The password for the specified account has expired
536;The Net Logon service is not active
537;The logon attempt failed for other reasons
538;A user logged off
539;The account was locked out at the time the logon attempt was made
540;Successful Network Logon
541;IPSec security association established
542;IPSec security association ended
543;IPSec security association ended
544;IPSec security association establishment failed
545;IPSec peer authentication failed
546;IPSec security association establishment failed
547;IPSec security association negotiation failed
682;A user has reconnected to a disconnected Terminal Services session
683;A user disconnected a Terminal Services session without logging off
Audit Account Logon Events (Success and Failure) will generate:
672;An authentication service (AS) ticket was successfully issued and validated
673;A ticket granting service (TGS) ticket was granted
674;A security principal renewed an AS ticket or TGS ticket
675;Pre-authentication failed
676;Authentication Ticket Request Failed
677;A TGS ticket was not granted
678;An account was successfully mapped to a domain account
680;Identifies the account used for the successful logon attempt
681;A domain account log on was attempted
682;A user has reconnected to a disconnected Terminal Services session
683;A user disconnected a Terminal Services session without logging off
Audit Object Access (Success and Failure) will generate:
560;Access was granted to an already existing object
561;A handle to an object was allocated
562;A handle to an object was closed
563;An attempt was made to open an object with the intent to delete it
564;A protected object was deleted
565;Access was granted to an already existing object type
566;Object Operation
Audit Policy Change (Success and Failure) will generate:
608;A user right was assigned
609;A user right was removed
610;A trust relationship with another domain was created
611;A trust relationship with another domain was removed
612;An audit policy was changed
613;IPSec policy agent started
614;IPSec policy agent disabled
615;IPSec policy changed
616;IPSec policy agent encountered a potentially serious failure
617;Kerberos policy changed
618;Encrypted data recovery policy changed
620;Trusted domain information modified
768;A collision was detected between a namespace element in two forests
Audit Directory Service Access (Success and Failure) will generate:
565;Information about accessed objects in AD
Audit Account Management Events (Success and Failure) will generate:
624;User Account Created
625;User Account Type Change
626;User Account Enabled
627;Password Change Attempted
628;User Account Password Set
629;User Account Disabled
630;User Account Deleted
631;Security Enabled Global Group Created
632;Security Enabled Global Group Member Added
633;Security Enabled Global Group Member Removed
634;Security Enabled Global Group Deleted
635;Security Disabled Local Group Created
636;Security Enabled Local Group Member Added
637;Security Enabled Local Group Member Removed
638;Security Enabled Local Group Deleted
639;Security Enabled Local Group Changed
640;General Account Database Change
641;Security Enabled Global Group Changed
642;User Account Changed
643;Domain Policy Changed
644;User Account Locked Out
645;Computer object added
646;Computer object changed
647;Computer object deleted
648;Security Disabled Local Group Created
649;Security Disabled Local Group Changed
650;Security Disabled Local Group Member Added
651;Security Disabled Local Group Member Removed
652;Security Disabled Local Group Deleted
653;Security Disabled Global Group Created
654;Security Disabled Global Group Changed
655;Security Disabled Global Group Member Added
656;Security Disabled Global Group Member Removed
657;Security Disabled Global Group Deleted
658;Security Enabled Universal Group Created
659;Security Enabled Universal Group Changed
660;Security Enabled Universal Group Member Added
661;Security Enabled Universal Group Member Removed
662;Security Enabled Universal Group Deleted
663;Security Disabled Universal Group Created
664;Security Disabled Universal Group Changed
665;Security Disabled Universal Group Member Added
666;Security Disabled Universal Group Member Removed
667;Security Disabled Universal Group Deleted
668;Group Type Changed
669;Add SID History (Success)
670;Add SID History (Failure)
Advanced Audit Policy (Licence Feature)
Administrators can use this advanced audit policy setting to select only the behaviours that they want to monitor. Different events are generated by turning on different sub-categories. The list of event IDs and their details can be found at https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings. Additional details on other events that Microsoft recommends monitoring are available at https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor. The built-in default audit policies, and the event IDs they capture with the advanced auditing options, are given below.
Default advanced audit policies
Meaning of the different colour codes for event IDs
Black = only in default advanced audit policy
Green =both in basic and advanced default audit policies
Red = high volume event both in basic and advanced default audit policies
Blue = high volume event only in default advanced audit policies
Advanced Default Audit Policies | Enabled Categories | Enabled Sub-categories | Captured Event id / Filtered Event ids | Event Type(s) | Log Source(s) | Criticality | Recommended Alert Level | Comments |
---|---|---|---|---|---|---|---|---|
AdvObjective1 | System Logon/Logoff Policy Change Account Management Object Access | System Integrity.Success, Other Logon/Logoff Events.Success, Certification Services.Success, Audit Policy Change.Success, User Account Management.Success, User Account Management.Failure, Special Logon.Success | 104, 1102, 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124 | Success Failure Error Information Warning Critical | Security | High | Snare = Critical Syslog = Critical CEF = 10 LEEF = 10 | Event Volume = Low |
AdvObjective2 | System | IPSec Driver.Success IPSec Driver.Failure Other System Events.Success Other System Events.Failure System Integrity.Failure | 4960, 4961, 4962, 4963, 4965, 5480, 5483, 5484, 8485, 5027, 5028, 5029, 5030, 5035, 5037, 5038 | Success Failure Error Information Warning Critical | Security | Medium | Snare = Warning Syslog = Warning CEF = 8 LEEF = 8 | Event Volume = Low |
AdvObjective3 | Policy Change | Authentication Policy Change.Success Authorization Policy Change.Success Audit Policy Change.Success Other Policy Change Events.Success | 4706, 4713, 4714, 4715, 4716, 4739, 4865, 4866, 4867, 4906, 4907, 4908, 4912, 6145 | Success Failure Error Information Warning Critical | Security | Medium | Snare = Warning Syslog = Warning CEF = 8 LEEF = 8 | Event Volume = Low |
AdvObjective4 | Account Management | User Account Management.Success User Account Management.Failure Security Group Management.Success | 4724, 4727, 4731, 4735, 4737, 4754, 4755, 4764, 4780, 5376, 5377 | Success Failure Error Information Warning Critical | Security | Medium | Snare = Warning Syslog = Warning CEF = 8 LEEF = 8 | Event Volume = Low |
AdvObjective5 | Logon/Logoff | Logon.Success IPSec Main Mode.Success IPSec Quick Mode.Success IPSec Extended Mode.Success Network Policy Server.Success | 4675, 4976, 4977, 4978, 4983, 4984, 5453, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280 | Success Failure Error Information Warning Critical | Security | Medium | Snare = Warning Syslog = Warning CEF = 8 LEEF = 8 | Event Volume = Low |
AdvObjective6 | Object Access | Certification Services.Success | 4868, 4870, 4882, 4885, 4890, 4892, 4896, 5120, 5121, 5122, 5123 | Success Failure Error Information Warning ActivityTracing Critical Verbose | Security | Medium | Snare = Information Syslog = Info CEF = 3 LEEF = 3 | Event volume: Low to medium on servers that provide AD CS role services. |
AdvObjective7 | Detail Tracking | Process Creation.Success Process Termination.Success DPAPI Activity.Success DPAPI Activity.Failure | 4688, 4689, 4692, 4693, 4696 | Success Failure Error Information Warning Critical | Security | Medium | Snare = Clear Syslog = Debug CEF = 0 LEEF = 1 | Event Volume = Low |
AdvObjective8 | Account Logon | Credential Validation.Success Credential Validation.Failure Kerberos Authentication Service.Success Kerberos Authentication Service.Failure Kerberos Service Ticket Operations.Success Kerberos Service Ticket Operations.Failure | 4768, 4769, 4770, 4771, 4772, 4773, 4774, 4775, 4776, 4777 | Success Failure Error Information Warning Critical | Security | Low/information | Snare = Information Syslog = Info CEF = 3 LEEF = 3 | Event Volume = Low |
AdvObjective9 | Account Management | User Account Management.Success User Account Management.Failure Computer Account Management.Success Computer Account Management.Failure Security Group Management.Success Security Group Management.Failure Distribution Group Management.Success Application Group Management.Success Other Account Management Events.Success Other Account Management Events.Failure | 4720, 4722, 4723, 4725, 4726, 4728, 4729, 4730, 4732, 4733, 4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4763, 4767, 4781, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4792, 4793, 4798, 4799 | Success Failure Error Information Warning Critical | Security | Low/information | Snare = Information Syslog = Info CEF = 3 LEEF = 3 | Event Volume = Low |
AdvObjective10 | Logon/Logoff | Account Lockout.Success Account Lockout.Failure Logon.Success Logon.Failure Logoff.Success Other Logon/Logoff Events.Success Other Logon/Logoff Events.Failure Special Logon.Success Special Logon.Failure Group Membership.Success | 4624, 4625, 4627, 4634, 4647, 4648, 4672, 4675, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632 | Success Failure Error Information Warning Critical | Security | Low/information | Snare = Information Syslog = Info CEF = 3 LEEF = 3 | Event Volume : 4672: |
AdvObjective11 | Policy Change | Authentication Policy Change.Success Audit Policy Change.Success Audit Policy Change.Failure Filtering Platform Policy Change.Success Filtering Platform Policy Change.Failure Other Policy Change Events.Success Other Policy Change Events.Failure Authorization Policy Change.Success MPSSVC Rule-Level Policy Change.Success MPSSVC Rule-Level Policy Change.Failure | 4707, 4709, 4710, 4711, 4712, 4714, 4717, 4718, 4817, 4864, 4902, 4904, 4905, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048, 5440, 5441, 5442, 5443, 5444, 5446, 5448, 5449, 5450, 5456, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477 | Success Failure Error Information Warning Critical | Security | Low/information | Snare = Priority Syslog = Warning CEF = 5 LEEF = 5 | Event Volume = Low |
AdvObjective12 | Policy Change | Authentication Policy Change.Success Audit Policy Change.Success Audit Policy Change.Failure Filtering Platform Policy Change.Success Filtering Platform Policy Change.Failure Other Policy Change Events.Success Other Policy Change Events.Failure Authorization Policy Change.Success MPSSVC Rule-Level Policy Change.Success MPSSVC Rule-Level Policy Change.Failure | 4670, 4703, 4704, 4705, 4819, 4826, 4909, 4910, 4911, 4913, 4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144 | Success Failure Error Information Warning Critical | Security | Low/information | Snare = Priority Syslog = Warning CEF = 5 LEEF = 5 | Event Volume = Low *5447 is high volume in different testing |
AdvObjective13 | Privilege Use | Non-Sensitive Privilege Use.Success Non-Sensitive Privilege Use.Failure | 4673, 4674 | Success Failure Information Warning Critical | Security | Low/information | Snare = Information Syslog = Info CEF = 3 LEEF = 3 | Event volume: Very High. Both sub-categories log the same events |
AdvObjective14 | System | IPsec Driver.Success IPsec Driver.Failure Other System Events.Success Other System Events.Failure Security State Change.Success Security State Change.Failure Security System Extension.Success Security System Extension.Failure System Integrity.Success System Integrity.Failure | 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4621, 4622, 4697, 4816, 5024, 5025, 5032, 5033, 5034, 5056, 5057, 5058, 5059, 5060, 5061, 5062, 5478, 5479, 6281, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409, 6410 | Success Failure Error Information Warning Critical | System Application Active Directory Service Domain Name Server DFS-Replication Custom | Low/information | Snare = Information Syslog = Info CEF = 3 LEEF = 3 | Event Volume = Low |
AdvObjective15 | Object Access | Other Object Access Events.Success Other Object Access Events.Failure Handle Manipulation.Success File Share.Success File Share.Failure Kernel Object.Success Kernel Object.Failure Registry.Success Registry.Failure | 4656, 4657, 4658, 4659, 4660, 4661, 4663, 4671, 4690, 4691, 4698, 4699, 4700, 4701, 4702, 5140, 5142, 5143, 5144, 5148, 5149, 5168, 5888, 5889, 5890 | Success Failure Error Information Warning ActivityTracing Critical Verbose | Security | Low/information | Snare = Warning Syslog = Warning CEF = 5 LEEF = 5 | Event Volume: Medium (4657); Others: *4671 is generated regardless of the settings |
AdvObjective16 | None | None | Any Events | Success Failure Error Information Warning Critical | System Application Active Directory Service Domain Name Server DFS-Replication Custom Windows Forwarded Events (WECAgent Only) | | Snare = Information Syslog = Info CEF = 3 LEEF = 3 | |
Tuning notes:
- On some systems Objective 15 might create additional noise, because the object access and registry events 4663 and 4658 are very chatty. If these events pose a significant load and you need to reduce your EPS, you can disable these object event types, but this comes at the expense of losing some forensic detail on registry accesses.