Appendix C - Audit Policies and Security Event IDs


The Snare application has a number of built in Audit Policies with both basic auditing and advanced auditing options. These Audit Policies have been designed to 'trap' certain Security Log event IDs and enable the user to create some of the more common audit policies without having to know which event IDs they require. The details are given below with respect to basic audit policy and advanced audit policy.

Basic Audit Policy

For each high level event, the Windows XP/2003 event IDs will be listed in blue and the Vista/2008/Windows7/Windows8/Windows10/Windows 2012 and above event IDs will be listed in green. As a rule of thumb, to find the equivalent Windows XP/2003 event ID on a newer Windows operating system, just add 4096.

The events will be generated by turning on selected audit categories, on the Windows audit sub-system.

Note: The high level event "Access a file or directory" is not in the agent GUI list. User should/can use the "Any event(s)" option in the GUI to capture the events listed in that category, if required.

Logon of Logoff.
528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 551, 552, 672, 673, 674, 675, 676, 677, 678, 680, 681, 682, 683
4624, 4625, 4626, 4627, 4628, 4629, 4630, 4631, 4632, 4633, 4634, 4647, 4648, 4768, 4769, 4770, 4771, 4772, 4773, 4774, 4776, 4777, 4778, 4779, 4800, 4801, 4802, 4803

Access a file or directory.
560, 561, 562, 563, 564, 565, 566, 567, 594, 595
4656, 4657, 4658, 4659, 4660, 4661, 4662, 4663, 4690, 4691

Start or stop a process.
592, 593, 594, 595
4688, 4689, 4690, 4691

Use of user rights.
576, 577, 578, 608, 609
4672, 4673, 4674, 4704, 4705

Account administration.
624, 625, 626, 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671
4720, 4721, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4763, 4764, 4765, 4766, 4767

Change the security policy.
516, 517, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618, 620, 643
104, 1102, 4612, 4613, 4704, 4705, 4706, 4707, 4708, 4709, 4710, 4711, 4712, 4713, 4714, 4716, 4719, 4739

Restart, shutdown and system.
512, 513
4608, 4609

USB Events.
1003,1004,1006,1008,2000,2001,2003,2004,2005,2006,2010,2100,2101,2102,2105,2106,2900,2901,4230,4231,7036
Note: Events 4230 (Device ARRIVED) and 4231 (Device REMOVAL) are Snare specfic IDs. They are not part of the Windows event system.

Filtering Events.
5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159, 5447

Other Object Access Events
4671,4691,5148,5149,4698,4699,4700,4701,4702,5888,5889,5890


The following paragraphs detail the Snare for Windows event IDs for XP/2003 and the categories which they belong to.

Audit Privilege Use (Success and Failure) will generate:
576;Special privileges assigned to new logo
577;Privileged Service Called
578;Privileged object operation
Audit Process Tracking (Success and Failure) will generate:
592;A new process has been created
593;A process has exited
594;A handle to an object has been duplicated
595;Indirect access to an object has been obtained
Audit System Events (Success and Failure) will generate:
514;An authentication package has been loaded
515;A trusted logon process has registered
516;Loss of some audits;
517;The audit log was cleared
518;A notification package has been loaded
Audit Logon Events (Success and Failure) will generate:
528;A user successfully logged on to a computer
529;The logon attempt was made with an unknown user name or bad password
530;The user account tried to log on outside of the allowed time
531;A logon attempt was made using a disabled account
532;A logon attempt was made using an expired account
533;The user is not allowed to log on at this computer
534;The user attempted to log on with a logon type that is not allowed
535;The password for the specified account has expired
536;The Net Logon service is not active
537;The logon attempt failed for other reasons
538;A user logged off
539;The account was locked out at the time the logon attempt was made
540;Successful Network Logon
541;IPSec security association established
542;IPSec security association ended
543;IPSec security association ended
544;IPSec security association establishment failed
545;IPSec peer authentication failed
546;IPSec security association establishment failed
547;IPSec security association negotiation failed
682;A user has reconnected to a disconnected Terminal Services session
683;A user disconnected a Terminal Services session without logging off
Audit Account Logon Events (Success and Failure) will generate:
672;An authentication service (AS) ticket was successfully issued and validated
673;A ticket granting service (TGS) ticket was granted
674;A security principal renewed an AS ticket or TGS ticket
675;Pre-authentication failed
676;Authentication Ticket Request Failed
677;A TGS ticket was not granted
678;An account was successfully mapped to a domain account
680;Identifies the account used for the successful logon attempt
681;A domain account log on was attempted
682;A user has reconnected to a disconnected Terminal Services session
683;A user disconnected a Terminal Services session without logging off
Audit Object Access (Success and Failure) will generate:
560;Access was granted to an already existing object
561;A handle to an object was allocated
562;A handle to an object was closed
563;An attempt was made to open an object with the intent to delete it
564;A protected object was deleted
565;Access was granted to an already existing object type
566;Object Operation
608;A user right was assigned
Audit Policy Change (Success and Failure) will generate:
609;A user right was removed
610;A trust relationship with another domain was created
611;A trust relationship with another domain was removed
612;An audit policy was changed
613;IPSec policy agent started
614;IPSec policy agent disabled
615;IPSec policy changed
616;IPSec policy agent encountered a potentially serious failure
617;Kerberos policy changed618;Encrypted data recovery policy changed
620;Trusted domain information modified
615;IPSec policy changed
616;IPSec policy agent encountered a potentially serious failure
617;Kerberos policy changed618;Encrypted data recovery policy changed
620;Trusted domain information modified
768;A collision was detected between a namespace element in two forests
Audit Directory Service Access (Success and Failure) will generate:
565;Information about accessed objects in AD
Audit Account Management Events (Success and Failure) will generate:
624;User Account Created
625;User Account Type Change
626;User Account Enabled
627;Password Change Attempted
628;User Account Password Set
629;User Account Disabled
630;User Account Deleted
631;Security Enabled Global Group Created
632;Security Enabled Global Group Member Added
633;Security Enabled Global Group Member Removed
634;Security Enabled Global Group Deleted
635;Security Disabled Local Group Created
636;Security Enabled Local Group Member Added
637;Security Enabled Local Group Member Removed
638;Security Enabled Local Group Deleted
639;Security Enabled Local Group Changed
640;General Account Database Change
641;Security Enabled Global Group Changed
642;User Account Changed
643;Domain Policy Changed
644;User Account Locked Out
645;Computer object added
646;Computer object changed
647;Computer object deleted
648;Security Disabled Local Group Created
649;Security Disabled Local Group Changed
650;Security Disabled Local Group Member Added
651;Security Disabled Local Group Member Removed
652;Security Disabled Local Group Deleted
653;Security Disabled Global Group Created
654;Security Disabled Global Group Changed
655;Security Disabled Global Group Member Added
656;Security Disabled Global Group Member Removed
657;Security Disabled Global Group Deleted
658;Security Enabled Universal Group Created
659;Security Enabled Universal Group Changed
660;Security Enabled Universal Group Member Added
661;Security Enabled Universal Group Member Removed
662;Security Enabled Universal Group Deleted
663;Security Disabled Universal Group Created
664;Security Disabled Universal Group Changed
665;Security Disabled Universal Group Member Added
666;Security Disabled Universal Group Member Removed
667;Security Disabled Universal Group Deleted
668;Group Type Changed
669;Add SID History (Success)
670;Add SID History (Failure)
768;A collision was detected between a namespace element in two forests
Audit Directory Service Access (Success and Failure) will generate:
565;Information about accessed objects in AD
Audit Account Management Events (Success and Failure) will generate:
624;User Account Created
625;User Account Type Change
626;User Account Enabled
627;Password Change Attempted
628;User Account Password Set
629;User Account Disabled
630;User Account Deleted
631;Security Enabled Global Group Created
632;Security Enabled Global Group Member Added
633;Security Enabled Global Group Member Removed
634;Security Enabled Global Group Deleted
635;Security Disabled Local Group Created
636;Security Enabled Local Group Member Added
637;Security Enabled Local Group Member Removed
638;Security Enabled Local Group Deleted
639;Security Enabled Local Group Changed
640;General Account Database Change
641;Security Enabled Global Group Changed
642;User Account Changed
643;Domain Policy Changed
644;User Account Locked Out
645;Computer object added
646;Computer object changed
647;Computer object deleted
648;Security Disabled Local Group Created
649;Security Disabled Local Group Changed
650;Security Disabled Local Group Member Added
651;Security Disabled Local Group Member Removed
652;Security Disabled Local Group Deleted
653;Security Disabled Global Group Created
654;Security Disabled Global Group Changed
655;Security Disabled Global Group Member Added
656;Security Disabled Global Group Member Removed
657;Security Disabled Global Group Deleted
658;Security Enabled Universal Group Created
659;Security Enabled Universal Group Changed
660;Security Enabled Universal Group Member Added
661;Security Enabled Universal Group Member Removed
662;Security Enabled Universal Group Deleted
663;Security Disabled Universal Group Created
664;Security Disabled Universal Group Changed
665;Security Disabled Universal Group Member Added
666;Security Disabled Universal Group Member Removed
667;Security Disabled Universal Group Deleted
668;Group Type Changed
669;Add SID History (Success)
670;Add SID History (Failure)

Advanced Audit Policy (Licence Feature)

Administrators can use this advanced audit policy setting to select only the behaviors that they want to monitor. Different events will be generated by turning on different sub-categories.  The list of event ids and their details can be found here https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings. Some additional details on other events that Microsoft recommend to monitor is as follows https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor.  However, the built-in default audit policies and the captured event ids that come with advanced auditing options are given below.

Default advanced audit policies

Meaning of different color ids   (Editing continuing ........)

Black = only in default advanced audit policy

Green =both in basic and advanced default audit policies

Red =  high volume event both in basic and advanced default audit policies

Blue = high volume event only in default advanced audit policies

Advanced Default 

Audit Policies

Enabled

Categories

Enabled Sub-categoriesCaptured Event id / Filtered Event idsEvent Type(s)Log Source(s)Criticality

Recommended

Alert Level 

Comments
AdvObjective1

System

Logon/Logoff

Policy Change

Account Management

Object Access

System Integrity.Success,

Other LogonLogoff Events.Success,

Certification Services.Success,

Audit Policy Change.Success,

User Account Management.Success,

User Account Management.Failure,

Special Logon.Success

104, 1102 , 4618, 4649, 4719, 4765,  4766, 4794,  4897, 4964, 5124,


 

Success
Failure
Error
Information
Warning
Critical
SecurityHigh

Snare = Critical

Syslog = Critical

CEF = 10

LEEF = 10

Event Volume = Low
AdvObjective2System

IPSec Driver.Success

IPSec Driver.Failure

Other System Events.Success

Other System Events.Failure

System Integrity.Failure

4960, 4961, 4962, 4963, 4965, 5480, 5483, 5484, 8485, 5027, 5028, 5029, 5030, 5035, 5037, 5038



Success
Failure
Error
Information
Warning
Critical

Security

Medium

Snare = Warning

Syslog = Warning

CEF = 8

LEEF = 8

Event Volume = Low
AdvObjective3Policy Change

Authentication Policy Change.Success

Authorization Policy Change.Success

Audit Policy Change.Success

Other Policy Change Events.Success

4706, 4713, 4714, 4715, 4716, 4739, 4865, 4866, 4867, 4906, 4907, 4908, 4912, 6145


Success
Failure
Error
Information
Warning
Critical
SecurityMedium

Snare = Warning

Syslog = Warning

CEF = 8

LEEF = 8

Event Volume = Low
AdvObjective4Account Management

User Account Management.Success

User Account Management.Failure

Security Group Management.Success

4724, 4727, 4731, 4735, 4737, 4754, 4755, 4764,  4780, 5376, 5377 


Success
Failure
Error
Information
Warning
Critical
SecurityMedium

Snare = Warning

Syslog = Warning

CEF = 8

LEEF = 8

Event Volume = Low
AdvObjective5Logon/Logoff

Logon.Success

IPSec Main Mode.Success

IPSec Quick Mode.Success

IPSec Extended Mode.Success

Network Policy Server.Success

4675, 4976, 4977, 4978, 4983, 4984, 5453, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280


Success
Failure
Error
Information
Warning
Critical
SecurityMedium

Snare = Warning

Syslog = Warning

CEF = 8

LEEF = 8

Event Volume = Low
AdvObjective6

Object Access


Certification Services.Success

4868, 4870, 4882, 4885, 4890, 4892, 4896, 5120, 5121, 5122, 5123 

Success
Failure
Error
Information
Warning
ActivityTracing
Critical
Verbose
SecurityMedium

Snare = Information

Syslog = Info

CEF = 3

LEEF = 3

Event volume: Low to medium on servers that provide AD CS role services.
AdvObjective7Detail Tracking

Process Creation.Success

Process Termination.Success

DPAPI Activity.Success

DPAPI Activity.Failure

4688, 4689, 4692, 4693, 4696

Success
Failure
Error
Information
Warning
Critical
SecurityMedium

Snare = Clear

Syslog = Debug

CEF = 0

LEEF = 1

Event Volume = Low
AdvObjective8Account Logon

Credential Validation.Success

Credential Validation.Failure

Kerberos Authentication Service.Success

Kerberos Authentication Service.Failure

Kerberos Service Ticket Operations.Success

Kerberos Service Ticket Operations.Failure

4768, 4769, 4770, 4771, 4772, 4773, 4774, 4775, 4776, 4777

Success
Failure
Error
Information
Warning
Critical
SecurityLow/information

Snare = Information

Syslog = Info

CEF = 3

LEEF = 3

Event Volume = Low
AdvObjective9Account Management

User Account Management.Success

User Account Management.Failure

Computer Account Management.Success

Computer Account Management.Failure

Security Group Management.Success

Security Group Management.Failure

Distribution Group Management.Success

Application Group Management.Success

Other Account Management Events.Success

Other Account Management Events.Failure

4720, 4722, 4723, 4725, 4726, 4728, 4729, 4730, 4732, 4733, 4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4763, 4767, 4781, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4792, 4793, 4798, 4799


Success
Failure
Error
Information
Warning
Critical
SecurityLow/information

Snare = Information

Syslog = Info

CEF = 3

LEEF = 3

Event Volume = Low
AdvObjective10Logon/Logoff

Account Lockout.Success

Account Lockout.Failure

Logon.Success

Logon.Failure

Logoff.Success

Other Logon/Logoff Events.Success

Other Logon/Logoff Events.Failure

Special Logon.Success

Special Logon.Failure

Group Membership.Success

4624, 4625, 4627, 4634, 4647, 4648, 4672, 4675, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632

Success
Failure
Error
Information
Warning
Critical
SecurityLow/information

Snare = Information

Syslog = Info

CEF = 3

LEEF = 3



Event Volume :

4672:

  • Low on a client computer.

  • Medium on a domain controllers or network servers.

AdvObjective11Policy Change

Authentication Policy Change.Success

Audit Policy Change.Success

Audit Policy Change.Failure

Filtering Platform Policy Change.Success

Filtering Platform Policy Change.Failure

Other Policy Change Events.Success

Other Policy Change Events.Failure

Authorization Policy Change.Success

MPSSVC Rule-Level Policy Change.Success

MPSSVC Rule-Level Policy Change.Failure

4707, 4709, 4710, 4711, 4712, 4714, 4717, 4718, 4817, 4864, 4902, 4904, 4905, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048, 5440, 5441, 5442, 5443, 5444, 5446, 5448, 5449, 5450, 5456, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477


Success
Failure
Error
Information
Warning
Critical
SecurityLow/information

Snare = Priority

Syslog = Warning

CEF = 5

LEEF = 5

Event Volume = Low





AdvObjective12Policy Change

Authentication Policy Change.Success

Audit Policy Change.Success

Audit Policy Change.Failure

Filtering Platform Policy Change.Success

Filtering Platform Policy Change.Failure

Other Policy Change Events.Success

Other Policy Change Events.Failure

Authorization Policy Change.Success

MPSSVC Rule-Level Policy Change.Success

MPSSVC Rule-Level Policy Change.Failure

4670, 4703, 4704, 4705, 4819, 4826, 4909, 4910, 4911, 4913, 4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144


Success
Failure
Error
Information
Warning
Critical
SecurityLow/information

Snare = Priority

Syslog = Warning

CEF = 5

LEEF = 5

Event Volume = Low


*5447 is high volume in different testing 



AdvObjective13Privilege Use

Non-Sensitive Privilege Use.,Success

Non-Sensitive Privilege Use.Failure

4673, 4674


Success
Failure
Information
Warning
Critical
SecurityLow/information

Snare = Information

Syslog = Info

CEF = 3

LEEF = 3

Event volume: Very High.

Both sub-categories log the same events


AdvObjective14System

IPsec Driver.Success

IPsec Driver.Failure

Other System Events.Success

Other System Events .Failure

Security State Change.Success

Security State Change.Failure

Security System Extension.Success

Security System Extension.Failure

System Integrity.Success

System Integrity.Failure

4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4621, 4622, 4697, 4816, 5024, 5025, 5032, 5033, 5034, 5056, 5057, 5058, 5059, 5060, 5061, 5062, 5478, 5479, 6281, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409, 6410




Success
Failure
Error
Information
Warning
Critical
System
Application
Active Directory Service
Domain Name Server
DFS-Replication
Custom
Low/information

Snare = Information

Syslog = Info

CEF = 3

LEEF = 3

Event Volume = Low
AdvObjective15

Object Access


Other Object Access Events.Success

Other Object Access Events.Failure

Handle Manipulation.Success

File Share.Success

File Share.Failure

Kernel Object.Success

Kernel Object.Failure

Registry.Success

Registry.Failure

4656, 4657, 4658, 4659, 4660, 4661, 4663, 4671, 4690, 4691, 4698, 4699, 4700, 4701, 4702, 5140, 5142, 5143, 5144, 5148, 5149, 5168, 5888, 5889, 5890

     





Success
Failure
Error
Information
Warning
ActivityTracing
Critical
Verbose
SecurityLow/information

Snare = Warning

Syslog = Warning

CEF = 5

LEEF = 5

Event Volume:

 Medium(4657)

Others:

  • High on file servers.

  • High on domain controllers because of SYSVOL network access required by Group Policy.

  • Low on member servers and workstations.

*4671 generate regardless of the settings

AdvObjective16


NoneNoneAny EventsSuccess

Failure

Error

Information

Warning

Critical
System

Application

Active Directory Service

Domain Name Server

DFS-Replication

Custom

Windows Forwarded Events (WECAgent Only)

Snare = Information

Syslog = Info

CEF = 3

LEEF = 3


24Tu

Tuning notes:

  • For some systems Objective 15 might create some additional noise with the object registry events 4663 and 4658 being very chatty. If these events pose a significant load and you need to reduce your EPS then you can disable these object event types, but this will come at the expense of some lost forensics of registry accesses.