Change Auditor 7.3 - Event Reference Guide

Change Auditor Internal Auditing Custom Registry Monitoring Fault Tolerance Local Group Monitoring Local User Monitoring Service Monitoring System Events Threat Detection Events

Log Events

Change Auditor Coordinator Service event log Change Auditor Service event log

Registry events Local Groups events Service events

System Events

Table 7. System events
Event	Description	Severity
Application Event Log Cleared	Created whenever the Application Event log is cleared.	High
Application Event Log Rolled Over	Created when the application event log is rolled over. (Disabled by default)	Medium
Automatic Updates Day Setting Changed	Created when the Automatic Updates day setting is changed.	Medium
Automatic Updates Option Changed	Created when the Automatic Updates option is changed.	Medium
Automatic Updates Time Setting Changed	Created when the Automatic Updates time setting is changed.	Medium
Crash on Audit Fail Policy Changed	Created when the Crash on Audit Fail policy is changed.	Low
Disk Size Changed	Created when the size of the disk that stores the SySvol and DSA Working Directory on the domain controller has been changed. NOTE: This event is only generated when the agent is restarted on the domain controller.	Low
Global Catalog Lookup for Logon Requirement Changed	Created when the GC logon lookup requirement is changed.	Medium
Memory Amount Changed	Created when the physical memory of the DC is changed.	Low
Remote Assistance Invitation Time Unit Changed	Created when the Remote Assistance Invitation Time Unit setting has changed.	Medium
Remote Assistance Invitation Time Value Changed	Created when the Remote Assistance Invitation Time Value setting has changed.	Medium
Remote Assistance Option Changed	Created when the Remote Assistance option setting has changed.	Medium
Remote Assistance Remote Control Option Changed	Created when the Remote Assistance Remote Control option setting has changed.	Medium
Remote Desktop Create Invitations for Only Windows Vista or Later Option Changed	Created when the Remote Desktop Create Invitations for Only Windows Vista or Later option setting has changed.	Medium
Remote Desktop Option Changed	Created when the Remote Desktop option setting has changed.	Medium
Security Audit Log Rolled Over	Created when the security audit log is rolled over. (Disabled by default)	Medium
Security Event Log Cleared	Created when the security event log is cleared (event 517 is encountered).	High
System Event Log Cleared	Created when the system log is cleared using the Clear All Events command in the Event Viewer.	High
System Event Log Rolled Over	Created when the system event log is rolled over. (Disabled by default)	Medium

Threat Detection Events

The Threat Detection event details pane includes a link that opens the Threat Detection dashboard where you can gain more information on the potential threat.

For risky user events, the View risky user details link opens the dashboard on the Users page; for Threat Detection alert events, the View alert details link opens the dashboard on the Alerts page.

Events are written as they are detected on the Threat Detection server. The coordinator checks the Threat Detection server for new events every 20 mins.


	NOTE: For events generated prior to version 7.0.4, critical and high severity in Threat Detection map to High severity in Change Auditor.

For details about using the Threat Detection dashboard see the Change Auditor Threat Detection User Guide.

Table 8. Threat Detection events
Event	Description	Severity
Risky user identified	Created when the Threat Detection server identifies a risky user.	Severity is based on the user severity identified by the Threat Detection server. (Critical, High, Med, Low)
Risky user severity increased	Created when a risky user severity is increased in the Threat Detection server.	Severity is based on the user severity identified by the Threat Detection server. (Critical, High, Med)
Risky user severity decreased	Created when a risky user severity is decreased in the Threat Detection server.	Severity is based on the user severity identified by the Threat Detection server. (High, Med, Low)
Threat Detection alert added	Created when an alert is generated by the Threat Detection server.	Severity is based on the alert severity identified by the Threat Detection server. (Critical, High, Med, Low)
Threat Detection alert marked as "actual risk"	Created when an alert generated by the Threat Detection server is marked as an actual risk.	High
Threat Detection alert marked as "not a risk"	Created when an alert generated by the Threat Detection server is marked as not a risk.	Low

The Threat Detection events includes the following additional information:

Table 9. Event details


Property	Description
Alert name	Name of the alert.
Start time	Date and time the Threat Detection server started processing the alert.
Alert score	The score for the alert as seen when hovering over the alert severity icon in the dashboard. See the Threat Detection User Guide for details on how the alert score is calculated.
Alert severity	The severity of the alert (Critical, High, Medium or Low). See the Threat Detection User Guide for details on how the alert severity is calculated.
Indicator name s	Names of indicators associated with the alert.
User risk score	The risk score for the user. The score is the total of the “contribution to user score” points for each alert assigned to the user.
User severity	The severity that is assigned to the user. See the Threat Detection User Guide for details on how the severity is calculated
Number of alerts	Number of alerts identified for the user.
Contribution to user score	The number of points the alert adds to the user risk score.
Old severity	Value of the existing user severity.
New severity	Value of the new user severity.
Tags	Value that identifies whether the user is an administrator or a watched user.
Comments	Comment displays "NOT_RISK or RISK. This is added when an alert is set to 'not a risk’ or 'actual risk’.

Log Events

When event logging for Change Auditor is enabled, internal Change Auditor events will be written to a Windows event log, named Change Auditor Coordinator Service event log. In addition, when event logging for Registry, Service and/or Local Account is enabled in Change Auditor, related events will be written to the Change Auditor Service event log. These log events can then be gathered by InTrust for further processing and reporting.


	NOTE: To enable event logging, select Event Logging on the Agent Configuration page (Administration Tasks tab), and select the type of event logging to enable.

The tables in this chapter list the log events captured by the different event logs when the corresponding event logging is enabled. They are listed in numeric order by event ID based on the event log to which they are recorded:

•

Change Auditor Coordinator Service event log

•

Change Auditor Service event log

Change Auditor Coordinator Service event log

The following internal Change Auditor events are recorded to the Change Auditor Coordinator Service event log when Change Auditor event logging is enabled.

Table 10. Change Auditor Coordinator Service event log events
Event ID	Description
101	Agent configuration assignment changed
102	Agent configuration added
103	Agent configuration removed
104	Agent configuration forwarding interval changed
105	Agent configuration retry interval changed
106	Agent configuration polling interval changed
107	Agent configuration max events per connection changed
108	Agent configuration connection days changed
109	Agent configuration connection from time changed
110	File system auditing template added to agent configuration
111	File system auditing template removed from agent configuration
112	Agent configuration renamed
113	Registry auditing template added to agent configuration
114	Registry auditing template removed from agent configuration
115	Excluded account template added to agent configuration
116	Excluded account template removed from agent configuration
127	Service auditing template added to agent configuration
128	Service auditing template removed from agent configuration
129	File system protection template added to agent configuration
130	File system protection template removed from agent configuration
131	Agent configuration file system auditing changed
132	Agent configuration file system auditing delay changed
133	Agent configuration connection to time changed
134	SQL auditing template added to agent configuration
135	SQL auditing template removed from agent configuration
136	Agent configuration AD Query auditing results changed
137	Agent configuration AD Query auditing elapsed changed
138	Agent configuration AD Query auditing delay changed
139	Event logging changed
140	Alert History purge changed
141	Agent configuration exchange auditing delay changed
143	Agent configuration agent load threshold changed
154	Communications port between coordinator and agent has changed
155	An Azure web application has been created on Azure tenant
156	The Azure web application in auditing template was modified
157	The Azure web application and the Change Auditor agent used in auditing template were modified or reset
201	Audit event severity changed
202	Audit event description changed
203	Audit event enabled
204	Audit event disabled
205	Audit event results changed
301	Monitoring point added
302	Monitoring point removed
303	Attribute added to monitoring
304	Attribute removed from monitoring
305	Group added to ‘Member of Group’ monitoring
306	Group removed from ‘Member of Group’ monitoring
307	Attribute severity changed
308	Monitoring scope enabled
309	Monitoring scope disabled
310	Active Directory protection template added
311	Active Directory protection template removed
312	Active Directory protection template enabled
313	Active Directory protection template disabled
314	Object added to Active Directory protection template
315	Object removed from Active Directory protection template
316	Protection enabled for Active Directory object
317	Protection disabled for Active Directory object
318	Override account added to Active Directory protection template
319	Override account removed from Active Directory protection template
320	Attribute added to Active Directory protection
321	Attribute removed from Active Directory protection
322	Object changed in Active Directory protection template
323	Active Directory protection template changed
324	Administration account added to Active Directory protection template
325	Administration account removed from Active Directory protection template
326	Administration account added to Group Policy protection template
327	Administration account removed from Group Policy protection template
401	ADAM monitoring point added
402	ADAM monitoring point removed
403	Attribute added to ADAM monitoring
404	Attribute removed from ADAM monitoring
405	ADAM attribute severity changed
406	ADAM monitoring scope enabled
407	ADAM monitoring scope disabled
408	ADAM protection template added
409	ADAM protection template removed
410	ADAM protection template enabled
411	ADAM protection template disabled
412	Object added to ADAM protection template
413	Object removed from ADAM protection template
414	Protection enabled for ADAM object
415	Protection disabled for ADAM object
416	Override account added to ADAM protection template
417	Override account removed from ADAM protection template
418	Attribute added to ADAM protection
419	Attribute removed from ADAM protection
420	Object changed in ADAM protection template
421	ADAM protection template changed
422	Override accounts ADAM protection template Allow
423	Override accounts ADAM protection template Deny
501	SMTP alerting enabled
502	SMTP alerting disabled
503	SMTP alerting server changed
504	SMTP alerting from address changed
505	SMTP alerting email format changed
506	SMTP alerting server authentication enabled
507	SMTP alerting server authentication disabled
508	SMTP alerting server username changed
509	SMTP alerting server password changed
510	Email Subject changed
511	Email Reply To changed
512	Group membership expansion changed
513	Refresh frequency for group membership changed
514	Refresh frequency for the list of expanded groups changed
515	The number of groups to expand per cycle changed
516	Group added for group membership expansion
517	Group removed form group membership expansion
518	Agent Heartbeat Check Minutes changed
519	Agent Heartbeat Check enabled
520	Agent Heartbeat Check disabled
521	Smtp Ssl enabled
522	Smtp Ssl disabled
523	Exchange Host changed
524	Exchange Email changed
525	Exchange Authorization enabled
526	Exchange Account changed
527	Exchange Password changed
528	Exchange Authorization disabled
529	Exchange Version changed
604	Public user alert enabled
605	Public user alert disabled
606	Public user alert changed
607	Public user search changed
608	Public user search deleted
609	Public user search modified
610	Public report enabled
611	Public report disabled
613	Private user alert disabled
615	Private report disabled
640	Public user search moved
641	Public user search folder deleted
642	Public user search folder moved
643	Public user alert deleted
644	Public user alert moved
645	Public user search folder renamed
646	Public user alert created
701	File system auditing template added
702	File system auditing template removed
703	File system path changed in auditing template
704	File system path added to auditing template
705	File system path removed from auditing template
706	Process added to file system auditing
707	Process removed from file system auditing
709	File system auditing template enabled
710	File system auditing template disabled
711	Auditing enabled for file system path
712	Auditing disabled for file system path
713	File system protection template added
714	File system protection template removed
715	File system path changed in protection template
716	File system path added to protection template
717	File system path removed from protection template
718	Protection enabled for file system path
719	Protection disabled for file system path
720	File system protection template enabled
721	File system protection template disabled
722	Override account added to file system protection template
723	Override account removed from file system protection template
724	Override accounts file system protection template Allow
725	Override accounts file system protection template Deny
726	Override accounts Active Directory protection template Allow
727	Override accounts Active Directory protection template Deny
801	Registry auditing template added
802	Registry auditing template removed
803	Registry object changed in auditing template
804	Registry object added to auditing template
805	Registry object removed from auditing template
806	Auditing enabled for registry object
807	Auditing disabled for registry object
808	Registry auditing template enabled
809	Registry auditing template disabled
901	Group Policy protection template added
902	Group Policy protection template removed
903	Group Policy protection template enabled
904	Group Policy protection template disabled
905	Group Policy added to protection template
906	Group Policy removed from protection template
907	Protection for Group Policy enabled
908	Protection form Group Policy disabled
909	Override account added to Group Policy protection template
910	Override account removed from Group Policy protection template
911	Group Policy changed in protection template
912	Override accounts Group Policy protection template Allow
913	Override accounts Group Policy protection template Deny
1001	Excluded account template added
1002	Excluded account template removed
1003	Excluded account added to exclusion accounts list
1004	Excluded account removed from exclusion accounts list
1005	Excluded account event class added to monitoring
1006	Excluded account event class removed from monitoring
1007	Excluded account facility added to monitoring
1008	Excluded account facility removed from monitoring
1101	Service auditing template added
1102	Service auditing template removed
1103	Service added to auditing template
1104	Service removed from auditing template
1105	Auditing enabled for service
1106	Auditing disabled for service
1107	Service auditing template enabled
1108	Service auditing template disabled
1109	Service auditing template changed
1110	Auditing enabled for SQL instance
1111	Auditing disabled for SQL instance
1112	SQL auditing template enabled
1113	SQL auditing template disabled
1115	SQL auditing template added
1116	SQL auditing template removed
1118	SQL instance added
1119	SQL instance removed
1120	SQL event added
1121	SQL event removed
1122	SQL filter added
1123	SQL filter removed
1124	Active Directory Federation Services auditing template added
1125	Active Directory Federation Services auditing template removed
1126	Active Directory Federation Services auditing template enabled
1127	Active Directory Federation Services auditing template disabled
1128	Active Directory Federation Services sign-in auditing enabled
1129	Active Directory Federation Services sign-in auditing disabled
1130	Active Directory Federation Services auditing template added to agent configuration
1131	Active Directory Federation Services auditing template removed from agent configuration
1132	Active Directory Federation Services configuration changes auditing enabled
1133	Active Directory Federation Services configuration changes auditing disabled
1302	Agent service has reached a critical load
1303	Agent service has more than 100 events waiting
1304	Agent service has returned to normal operations
1401	Exchange mailbox added to monitoring
1402	Exchange mailbox removed from monitoring
1403	Exchange mailbox attribute changed
1404	Exchange protection template added
1405	Exchange protection template removed
1406	Exchange protection template enabled
1407	Exchange protection template disabled
1408	Exchange container added to protection template
1409	Exchange container removed from protection template
1410	Protection for Exchange container enabled
1411	Protection for Exchange container disabled
1412	Override account added to Exchange protection template
1413	Override account removed from Exchange protection template
1414	AD query container added
1415	AD query container removed
1416	AD query container enabled
1417	AD query container disabled
1419	Exchange mailbox enabled
1420	Exchange mailbox disabled
1430	Change Auditor Agent started
1431	Change Auditor Agent stopped
1432	Change Auditor Agent restarted
1433	Change Auditor Agent set uninstalled
1434	Change Auditor Coordinator set uninstalled
1435	Override accounts Exchange protection template Allow
1436	Override accounts Exchange protection template Deny
1440	Exchange user defined shared mailbox added
1441	Exchange user defined shared mailbox removed
1442	Exchange user defined shared mailbox attribute changed
1443	Exchange user defined shared mailbox enabled
1444	Exchange user defined shared mailbox disabled
1445	Exchange shared mailbox auto detection enabled
1446	Exchange shared mailbox auto detection disabled
1600	User added
1601	User deleted
1602	User restored
1603	License properties set
1604	User password reset
1605	User password changed
1606	User license changed
1607	User updated
1608	Force change user password property set
1609	User AccountEnabled property changed
1610	User AssignedLicense property changed
1611	User AssignedPlan property changed
1612	User Mobile property changed
1613	User OtherMail property changed
1614	User StrongAuthenticationMethod property changed
1615	User StrongAuthenticationUserDetails property changed
1616	User TelephoneNumber property changed
1617	User LicenseAssignmentDetail property changed
1618	User OtherMobile property changed
1619	User StrongAuthenticationRequirement property changed
1620	User StrongAuthenticationPhoneApp detail property changed
1621	User AlternativeSecurityId property changed
1622	User PreferredDataLocation property changed
1623	User ProxyAddresses property changed
1624	User UserPrincipalName property changed
1625	User UserState property changed
1626	User UserStateChangedOn property changed
1627	User UserType property changed
1628	User StsRefreshTokensValidFrom property changed
1629	User MSExchRemoteRecipientType property changed
1630	Update user credentials
1631	Azure Active Directory - User event
1632	Group added
1633	Group updated
1634	Group deleted
1635	Group member added
1636	Member added to group
1637	Group member removed
1638	Member removed from group
1639	Group owner added
1640	Owner added to group
1641	Group owner removed
1642	Owner removed from group
1643	Set group to be managed by user
1644	Set group license
1645	Azure Active Directory - Group event
1646	Group Description property changed
1647	Group DisplayName property changed
1648	Group GroupType property changed
1649	Group IsPublic property changed
1650	Group MailNickName property changed
1651	Group SecurityEnabled property changed
1652	Group MembershipRule property changed
1653	Group MembershipRuleProcessingState property changed
1654	Service principal added
1655	Service principal removed
1656	Service principal credentials added
1657	Service principal credentials removed
1658	Delegation entry added
1659	Delegation entry updated
1660	Delegation entry removed
1661	Add owner to application
1662	Azure Active Directory - Application event
1663	Role member added
1664	Role assigned to member
1665	Role member removed
1666	Role removed from member
1667	Eligible member added to role
1668	Role assigned to eligible member
1669	Eligible member removed from role
1670	Role removed from eligible member
1671	Role enabled
1672	Batch invites uploaded
1673	Batch invites proceeded
1674	External user invited
1675	External user invite redeemed
1676	External user added to group
1677	External user assigned to application
1678	Viral tenant created
1679	Viral user created
1680	Azure Active Directory - B2B event
1681	Partner added to company
1682	Partner removed from company
1683	Domain added to company
1684	Domain removed from company
1685	Domain updated
1686	Domain authentication set
1687	Domain federation settings set
1688	Domain verified
1689	Domain verified by email
1690	DirSyncEnabled flag set on company
1691	Password policy set
1692	Company information set
1693	Company contact information set
1694	Azure Active Directory - Directory event
1695	Azure Active Directory - Policy event
1696	Azure Active Directory - Resource event
1697	Azure Active Directory - Administrative Units event
1698	Azure Active Directory - Role event
1699	Azure Active Directory audit event
1700	Successful Azure Active Directory sign-in
1701	Failed Azure Active Directory sign-in
1702	Azure Active Directory sign-in event
1703	Active risk event detected
1704	Closed risk event detected
1705	Active risk event status changed to closed
1706	Closed risk event status changed to active
2001	NetApp auditing template added
2002	NetApp auditing template removed
2003	NetApp path changed in auditing template
2004	NetApp path added to auditing template
2005	NetApp path removed from auditing template
2006	Agent added to NetApp auditing template
2007	Agent removed from NetApp auditing template
2009	NetApp auditing template enabled
2010	NetApp auditing template disabled
2011	Auditing enabled for NetApp path
2012	Auditing disabled for NetApp path
2101	EMC auditing template added
2102	EMC auditing template removed
2103	EMC path changed in auditing template
2104	EMC path added to auditing template
2105	EMC path removed from auditing template
2106	Agent added to EMC auditing template
2107	Agent removed from EMC auditing template
2108	EMC auditing cepp.conf changed
2109	EMC auditing template enabled
2110	EMC auditing template disabled
2111	Auditing enabled for EMC path
2112	Auditing disabled for EMC path
2301	SharePoint auditing template added
2302	SharePoint auditing template removed
2303	Agent added to SharePoint auditing template
2304	Agent removed from SharePoint auditing template
2305	SharePoint auditing template enabled
2306	SharePoint auditing template disabled
2307	Auditing enabled for SharePoint path
2308	Auditing disabled for SharePoint path
2309	SharePoint path changed in auditing template
2310	SharePoint path added to auditing template
2311	SharePoint path removed from auditing template
2312	SharePoint event added
2313	SharePoint event removed
2314	SharePoint facility added
2315	SharePoint facility removed
2316	SQL facility added
2317	SQL facility removed
2601	Office 365 Exchange Online auditing template added
2602	Office 365 Exchange Online auditing template removed
2609	Office 365 Exchange Online auditing template enabled
2610	Office 365 Exchange Online auditing template disabled
2611	Office 365 Exchange Online auditing template was modified
2801	FluidFS auditing template added
2802	FluidFS auditing template removed
2803	FluidFS volume changed in auditing template
2804	FluidFS volume added to auditing template
2805	FluidFS volume removed from auditing template
2806	Agent added to FluidFS auditing template
2807	Agent removed for FluidFS auditing template
2809	FluidFS auditing template enabled
2810	FluidFS auditing template disabled
2811	Auditing enabled for FluidFS volume
2812	Auditing disabled for FluidFS volume
2901	Skype for Business auditing template added
2902	Skype for Business auditing template modified
2903	Skype for Business auditing template removed
2904	Skype for Business auditing template enabled
2905	Skype for Business auditing template disabled
3101	Azure Active Directory auditing template was added
3102	Azure Active Directory auditing template was modified
3103	Azure Active Directory auditing template was removed
3104	Azure Active Directory auditing template was enabled
3105	Azure Active Directory auditing template was disabled
9901	SDK Facility added
9902	SDK Facility removed
9903	SDK Facility modified
9904	SDK Event Class added
9905	SDK Event Class removed
9906	SDK Event Class modified
9907	SDK Agent added
9908	SDK Machine added

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación

Seleccione su producto:

Con el fin de ofrecerle un mejor servicio, complete el campo Motivo del chat:

Soluciones recomendadas para su problema

Change Auditor 7.3 - Event Reference Guide

System Events

Threat Detection Events

Log Events

Change Auditor Coordinator Service event log