立即与支持人员聊天
与支持团队交流

Change Auditor 7.2 - Event Reference Guide

System Events

Table 7. System events

Application Event Log Cleared

Created whenever the Application Event log is cleared.

High

Application Event Log Rolled Over

Created when the application event log is rolled over. (Disabled by default)

Medium

Automatic Updates Day Setting Changed

Created when the Automatic Updates day setting is changed.

Medium

Automatic Updates Option Changed

Created when the Automatic Updates option is changed.

Medium

Automatic Updates Time Setting Changed

Created when the Automatic Updates time setting is changed.

Medium

Crash on Audit Fail Policy Changed

Created when the Crash on Audit Fail policy is changed.

Low

Disk Size Changed

Created when the size of the disk that stores the SySvol and DSA Working Directory on the domain controller has been changed.

Low

Global Catalog Lookup for Logon Requirement Changed

Created when the GC logon lookup requirement is changed.

Medium

Memory Amount Changed

Created when the physical memory of the DC is changed.

Low

Remote Assistance Invitation Time Unit Changed

Created when the Remote Assistance Invitation Time Unit setting has changed.

Medium

Remote Assistance Invitation Time Value Changed

Created when the Remote Assistance Invitation Time Value setting has changed.

Medium

Remote Assistance Option Changed

Created when the Remote Assistance option setting has changed.

Medium

Remote Assistance Remote Control Option Changed

Created when the Remote Assistance Remote Control option setting has changed.

Medium

Remote Desktop Create Invitations for Only Windows Vista or Later Option Changed

Created when the Remote Desktop Create Invitations for Only Windows Vista or Later option setting has changed.

Medium

Remote Desktop Option Changed

Created when the Remote Desktop option setting has changed.

Medium

Security Audit Log Rolled Over

Created when the security audit log is rolled over. (Disabled by default)

Medium

Security Event Log Cleared

Created when the security event log is cleared (event 517 is encountered).

High

System Event Log Cleared

Created when the system log is cleared using the Clear All Events command in the Event Viewer.

High

System Event Log Rolled Over

Created when the system event log is rolled over. (Disabled by default)

Medium

Threat Detection Events

The Threat Detection event details pane includes a link that opens the Threat Detection dashboard where you can gain more information on the potential threat.

For risky user events, the View risky user details link opens the dashboard on the Users page; for Threat Detection alert events, the View alert details link opens the dashboard on the Alerts page.

Events are written as they are detected on the Threat Detection server. The coordinator checks the Threat Detection server for new events every 20 mins.

For details about using the Threat Detection dashboard see the Change Auditor Threat Detection User Guide.

Risky user identified

Created when the Threat Detection server identifies a risky user.

Severity is based on the user severity identified by the Threat Detection server. (Critical, High, Med, Low)

Risky user severity increased

Created when a risky user severity is increased in the Threat Detection server.

Severity is based on the user severity identified by the Threat Detection server. (Critical, High, Med)

Risky user severity decreased

Created when a risky user severity is decreased in the Threat Detection server.

Severity is based on the user severity identified by the Threat Detection server. (High, Med, Low)

Threat Detection alert added

Created when an alert is generated by the Threat Detection server.

Severity is based on the alert severity identified by the Threat Detection server. (Critical, High, Med, Low)

Threat Detection alert marked as "actual risk"

Created when an alert generated by the Threat Detection server is marked as an actual risk.

High

Threat Detection alert marked as "not a risk"

Created when an alert generated by the Threat Detection server is marked as not a risk.

Low

The Threat Detection events includes the following additional information:

Table 9. Event details

Alert name

Name of the alert.

Start time

Date and time the Threat Detection server started processing the alert.

Alert score

The score for the alert as seen when hovering over the alert severity icon in the dashboard. See the Threat Detection User Guide for details on how the alert score is calculated.

Alert severity

The severity of the alert (Critical, High, Medium or Low). See the Threat Detection User Guide for details on how the alert severity is calculated.

Indicator name s

Names of indicators associated with the alert.

User risk score

The risk score for the user. The score is the total of the “contribution to user score” points for each alert assigned to the user.

User severity

The severity that is assigned to the user. See the Threat Detection User Guide for details on how the severity is calculated

Number of alerts

Number of alerts identified for the user.

Contribution to user score

The number of points the alert adds to the user risk score.

Old severity

Value of the existing user severity.

New severity

Value of the new user severity.

Tags

Value that identifies whether the user is an administrator or a watched user.

Comments

Comment displays "NOT_RISK or RISK. This is added when an alert is set to 'not a risk’ or 'actual risk’.

Log Events

When event logging for Change Auditor is enabled, internal Change Auditor events will be written to a Windows event log, named Change Auditor Coordinator Service event log. In addition, when event logging for Registry, Service and/or Local Account is enabled in Change Auditor, related events will be written to the Change Auditor Service event log. These log events can then be gathered by InTrust and Quest Knowledge Portal for further processing and reporting.

The tables in this chapter list the log events captured by the different event logs when the corresponding event logging is enabled. They are listed in numeric order by event ID based on the event log to which they are recorded:

Change Auditor Coordinator Service event log

The following internal Change Auditor events are recorded to the Change Auditor Coordinator Service event log when Change Auditor event logging is enabled.

101

Agent configuration assignment changed

102

Agent configuration added

103

Agent configuration removed

104

Agent configuration forwarding interval changed

105

Agent configuration retry interval changed

106

Agent configuration polling interval changed

107

Agent configuration max events per connection changed

108

Agent configuration connection days changed

109

Agent configuration connection from time changed

110

File system auditing template added to agent configuration

111

File system auditing template removed from agent configuration

112

Agent configuration renamed

113

Registry auditing template added to agent configuration

114

Registry auditing template removed from agent configuration

115

Excluded account template added to agent configuration

116

Excluded account template removed from agent configuration

127

Service auditing template added to agent configuration

128

Service auditing template removed from agent configuration

129

File system protection template added to agent configuration

130

File system protection template removed from agent configuration

131

Agent configuration file system auditing changed

132

Agent configuration file system auditing delay changed

133

Agent configuration connection to time changed

134

SQL auditing template added to agent configuration

135

SQL auditing template removed from agent configuration

136

Agent configuration AD Query auditing results changed

137

Agent configuration AD Query auditing elapsed changed

138

Agent configuration AD Query auditing delay changed

139

Event logging changed

140

Alert History purge changed

141

Agent configuration exchange auditing delay changed

143

Agent configuration agent load threshold changed

154

Communications port between coordinator and agent has changed

155

An Azure web application has been created on Azure tenant

156

The Azure web application in auditing template was modified

157

The Azure web application and the Change Auditor agent used in auditing template were modified or reset

201

Audit event severity changed

202

Audit event description changed

203

Audit event enabled

204

Audit event disabled

205

Audit event results changed

301

Monitoring point added

302

Monitoring point removed

303

Attribute added to monitoring

304

Attribute removed from monitoring

305

Group added to ‘Member of Group’ monitoring

306

Group removed from ‘Member of Group’ monitoring

307

Attribute severity changed

308

Monitoring scope enabled

309

Monitoring scope disabled

310

Active Directory protection template added

311

Active Directory protection template removed

312

Active Directory protection template enabled

313

Active Directory protection template disabled

314

Object added to Active Directory protection template

315

Object removed from Active Directory protection template

316

Protection enabled for Active Directory object

317

Protection disabled for Active Directory object

318

Override account added to Active Directory protection template

319

Override account removed from Active Directory protection template

320

Attribute added to Active Directory protection

321

Attribute removed from Active Directory protection

322

Object changed in Active Directory protection template

323

Active Directory protection template changed

324

Administration account added to Active Directory protection template

325

Administration account removed from Active Directory protection template

326

Administration account added to Group Policy protection template

327

Administration account removed from Group Policy protection template

401

ADAM monitoring point added

402

ADAM monitoring point removed

403

Attribute added to ADAM monitoring

404

Attribute removed from ADAM monitoring

405

ADAM attribute severity changed

406

ADAM monitoring scope enabled

407

ADAM monitoring scope disabled

408

ADAM protection template added

409

ADAM protection template removed

410

ADAM protection template enabled

411

ADAM protection template disabled

412

Object added to ADAM protection template

413

Object removed from ADAM protection template

414

Protection enabled for ADAM object

415

Protection disabled for ADAM object

416

Override account added to ADAM protection template

417

Override account removed from ADAM protection template

418

Attribute added to ADAM protection

419

Attribute removed from ADAM protection

420

Object changed in ADAM protection template

421

ADAM protection template changed

422

Override accounts ADAM protection template Allow

423

Override accounts ADAM protection template Deny

501

SMTP alerting enabled

502

SMTP alerting disabled

503

SMTP alerting server changed

504

SMTP alerting from address changed

505

SMTP alerting email format changed

506

SMTP alerting server authentication enabled

507

SMTP alerting server authentication disabled

508

SMTP alerting server username changed

509

SMTP alerting server password changed

510

Email Subject changed

511

Email Reply To changed

512

Group membership expansion changed

513

Refresh frequency for group membership changed

514

Refresh frequency for the list of expanded groups changed

515

The number of groups to expand per cycle changed

516

Group added for group membership expansion

517

Group removed form group membership expansion

518

Agent Heartbeat Check Minutes changed

519

Agent Heartbeat Check enabled

520

Agent Heartbeat Check disabled

521

Smtp Ssl enabled

522

Smtp Ssl disabled

523

Exchange Host changed

524

Exchange Email changed

525

Exchange Authorization enabled

526

Exchange Account changed

527

Exchange Password changed

528

Exchange Authorization disabled

529

Exchange Version changed

604

Public user alert enabled

605

Public user alert disabled

606

Public user alert changed

607

Public user search changed

608

Public user search deleted

609

Public user search modified

610

Public report enabled

611

Public report disabled

613

Private user alert disabled

615

Private report disabled

640

Public user search moved

641

Public user search folder deleted

642

Public user search folder moved

643

Public user alert deleted

644

Public user alert moved

645

Public user search folder renamed

646

Public user alert created

701

File system auditing template added

702

File system auditing template removed

703

File system path changed in auditing template

704

File system path added to auditing template

705

File system path removed from auditing template

706

Process added to file system auditing

707

Process removed from file system auditing

709

File system auditing template enabled

710

File system auditing template disabled

711

Auditing enabled for file system path

712

Auditing disabled for file system path

713

File system protection template added

714

File system protection template removed

715

File system path changed in protection template

716

File system path added to protection template

717

File system path removed from protection template

718

Protection enabled for file system path

719

Protection disabled for file system path

720

File system protection template enabled

721

File system protection template disabled

722

Override account added to file system protection template

723

Override account removed from file system protection template

724

Override accounts file system protection template Allow

725

Override accounts file system protection template Deny

726

Override accounts Active Directory protection template Allow

727

Override accounts Active Directory protection template Deny

801

Registry auditing template added

802

Registry auditing template removed

803

Registry object changed in auditing template

804

Registry object added to auditing template

805

Registry object removed from auditing template

806

Auditing enabled for registry object

807

Auditing disabled for registry object

808

Registry auditing template enabled

809

Registry auditing template disabled

901

Group Policy protection template added

902

Group Policy protection template removed

903

Group Policy protection template enabled

904

Group Policy protection template disabled

905

Group Policy added to protection template

906

Group Policy removed from protection template

907

Protection for Group Policy enabled

908

Protection form Group Policy disabled

909

Override account added to Group Policy protection template

910

Override account removed from Group Policy protection template

911

Group Policy changed in protection template

912

Override accounts Group Policy protection template Allow

913

Override accounts Group Policy protection template Deny

1001

Excluded account template added

1002

Excluded account template removed

1003

Excluded account added to exclusion accounts list

1004

Excluded account removed from exclusion accounts list

1005

Excluded account event class added to monitoring

1006

Excluded account event class removed from monitoring

1007

Excluded account facility added to monitoring

1008

Excluded account facility removed from monitoring

1101

Service auditing template added

1102

Service auditing template removed

1103

Service added to auditing template

1104

Service removed from auditing template

1105

Auditing enabled for service

1106

Auditing disabled for service

1107

Service auditing template enabled

1108

Service auditing template disabled

1109

Service auditing template changed

1110

Auditing enabled for SQL instance

1111

Auditing disabled for SQL instance

1112

SQL auditing template enabled

1113

SQL auditing template disabled

1115

SQL auditing template added

1116

SQL auditing template removed

1118

SQL instance added

1119

SQL instance removed

1120

SQL event added

1121

SQL event removed

1122

SQL filter added

1123

SQL filter removed

1124

Active Directory Federation Services auditing template added

1125

Active Directory Federation Services auditing template removed

1126

Active Directory Federation Services auditing template enabled

1127

Active Directory Federation Services auditing template disabled

1128

Active Directory Federation Services sign-in auditing enabled

1129

Active Directory Federation Services sign-in auditing disabled

1130

Active Directory Federation Services auditing template added to agent configuration

1131

Active Directory Federation Services auditing template removed from agent configuration

1132

Active Directory Federation Services configuration changes auditing enabled

1133

Active Directory Federation Services configuration changes auditing disabled

1302

Agent service has reached a critical load

1303

Agent service has more than 100 events waiting

1304

Agent service has returned to normal operations

1401

Exchange mailbox added to monitoring

1402

Exchange mailbox removed from monitoring

1403

Exchange mailbox attribute changed

1404

Exchange protection template added

1405

Exchange protection template removed

1406

Exchange protection template enabled

1407

Exchange protection template disabled

1408

Exchange container added to protection template

1409

Exchange container removed from protection template

1410

Protection for Exchange container enabled

1411

Protection for Exchange container disabled

1412

Override account added to Exchange protection template

1413

Override account removed from Exchange protection template

1414

AD query container added

1415

AD query container removed

1416

AD query container enabled

1417

AD query container disabled

1419

Exchange mailbox enabled

1420

Exchange mailbox disabled

1430

Change Auditor Agent started

1431

Change Auditor Agent stopped

1432

Change Auditor Agent restarted

1433

Change Auditor Agent set uninstalled

1434

Change Auditor Coordinator set uninstalled

1435

Override accounts Exchange protection template Allow

1436

Override accounts Exchange protection template Deny

1440

Exchange user defined shared mailbox added

1441

Exchange user defined shared mailbox removed

1442

Exchange user defined shared mailbox attribute changed

1443

Exchange user defined shared mailbox enabled

1444

Exchange user defined shared mailbox disabled

1445

Exchange shared mailbox auto detection enabled

1446

Exchange shared mailbox auto detection disabled

1600

User added

1601

User deleted

1602

User restored

1603

License properties set

1604

User password reset

1605

User password changed

1606

User license changed

1607

User updated

1608

Force change user password property set

1609

User AccountEnabled property changed

1610

User AssignedLicense property changed

1611

User AssignedPlan property changed

1612

User Mobile property changed

1613

User OtherMail property changed

1614

User StrongAuthenticationMethod property changed

1615

User StrongAuthenticationUserDetails property changed

1616

User TelephoneNumber property changed

1617

User LicenseAssignmentDetail property changed

1618

User OtherMobile property changed

1619

User StrongAuthenticationRequirement property changed

1620

User StrongAuthenticationPhoneApp detail property changed

1621

User AlternativeSecurityId property changed

1622

User PreferredDataLocation property changed

1623

User ProxyAddresses property changed

1624

User UserPrincipalName property changed

1625

User UserState property changed

1626

User UserStateChangedOn property changed

1627

User UserType property changed

1628

User StsRefreshTokensValidFrom property changed

1629

User MSExchRemoteRecipientType property changed

1630

Update user credentials

1631

Azure Active Directory - User event

1632

Group added

1633

Group updated

1634

Group deleted

1635

Group member added

1636

Member added to group

1637

Group member removed

1638

Member removed from group

1639

Group owner added

1640

Owner added to group

1641

Group owner removed

1642

Owner removed from group

1643

Set group to be managed by user

1644

Set group license

1645

Azure Active Directory - Group event

1646

Group Description property changed

1647

Group DisplayName property changed

1648

Group GroupType property changed

1649

Group IsPublic property changed

1650

Group MailNickName property changed

1651

Group SecurityEnabled property changed

1652

Group MembershipRule property changed

1653

Group MembershipRuleProcessingState property changed

1654

Service principal added

1655

Service principal removed

1656

Service principal credentials added

1657

Service principal credentials removed

1658

Delegation entry added

1659

Delegation entry updated

1660

Delegation entry removed

1661

Add owner to application

1662

Azure Active Directory - Application event

1663

Role member added

1664

Role assigned to member

1665

Role member removed

1666

Role removed from member

1667

Eligible member added to role

1668

Role assigned to eligible member

1669

Eligible member removed from role

1670

Role removed from eligible member

1671

Role enabled

1672

Batch invites uploaded

1673

Batch invites proceeded

1674

External user invited

1675

External user invite redeemed

1676

External user added to group

1677

External user assigned to application

1678

Viral tenant created

1679

Viral user created

1680

Azure Active Directory - B2B event

1681

Partner added to company

1682

Partner removed from company

1683

Domain added to company

1684

Domain removed from company

1685

Domain updated

1686

Domain authentication set

1687

Domain federation settings set

1688

Domain verified

1689

Domain verified by email

1690

DirSyncEnabled flag set on company

1691

Password policy set

1692

Company information set

1693

Company contact information set

1694

Azure Active Directory - Directory event

1695

Azure Active Directory - Policy event

1696

Azure Active Directory - Resource event

1697

Azure Active Directory - Administrative Units event

1698

Azure Active Directory - Role event

1699

Azure Active Directory audit event

1700

Successful Azure Active Directory sign-in

1701

Failed Azure Active Directory sign-in

1702

Azure Active Directory sign-in event

1703

Active risk event detected

1704

Closed risk event detected

1705

Active risk event status changed to closed

1706

Closed risk event status changed to active

2001

NetApp auditing template added

2002

NetApp auditing template removed

2003

NetApp path changed in auditing template

2004

NetApp path added to auditing template

2005

NetApp path removed from auditing template

2006

Agent added to NetApp auditing template

2007

Agent removed from NetApp auditing template

2009

NetApp auditing template enabled

2010

NetApp auditing template disabled

2011

Auditing enabled for NetApp path

2012

Auditing disabled for NetApp path

2101

EMC auditing template added

2102

EMC auditing template removed

2103

EMC path changed in auditing template

2104

EMC path added to auditing template

2105

EMC path removed from auditing template

2106

Agent added to EMC auditing template

2107

Agent removed from EMC auditing template

2108

EMC auditing cepp.conf changed

2109

EMC auditing template enabled

2110

EMC auditing template disabled

2111

Auditing enabled for EMC path

2112

Auditing disabled for EMC path

2301

SharePoint auditing template added

2302

SharePoint auditing template removed

2303

Agent added to SharePoint auditing template

2304

Agent removed from SharePoint auditing template

2305

SharePoint auditing template enabled

2306

SharePoint auditing template disabled

2307

Auditing enabled for SharePoint path

2308

Auditing disabled for SharePoint path

2309

SharePoint path changed in auditing template

2310

SharePoint path added to auditing template

2311

SharePoint path removed from auditing template

2312

SharePoint event added

2313

SharePoint event removed

2314

SharePoint facility added

2315

SharePoint facility removed

2316

SQL facility added

2317

SQL facility removed

2601

Office 365 Exchange Online auditing template added

2602

Office 365 Exchange Online auditing template removed

2609

Office 365 Exchange Online auditing template enabled

2610

Office 365 Exchange Online auditing template disabled

2611

Office 365 Exchange Online auditing template was modified

2801

FluidFS auditing template added

2802

FluidFS auditing template removed

2803

FluidFS volume changed in auditing template

2804

FluidFS volume added to auditing template

2805

FluidFS volume removed from auditing template

2806

Agent added to FluidFS auditing template

2807

Agent removed for FluidFS auditing template

2809

FluidFS auditing template enabled

2810

FluidFS auditing template disabled

2811

Auditing enabled for FluidFS volume

2812

Auditing disabled for FluidFS volume

2901

Skype for Business auditing template added

2902

Skype for Business auditing template modified

2903

Skype for Business auditing template removed

2904

Skype for Business auditing template enabled

2905

Skype for Business auditing template disabled

3101

Azure Active Directory auditing template was added

3102

Azure Active Directory auditing template was modified

3103

Azure Active Directory auditing template was removed

3104

Azure Active Directory auditing template was enabled

3105

Azure Active Directory auditing template was disabled

9901

SDK Facility added

9902

SDK Facility removed

9903

SDK Facility modified

9904

SDK Event Class added

9905

SDK Event Class removed

9906

SDK Event Class modified

9907

SDK Agent added

9908

SDK Machine added

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级