Audit Configuration
You can easily change default settings of following audit reports:
Windows Defender
Windows Firewall
Object Access
File Change Tracking
Best Practice Analyzer
User Authentication
In this section, you will see configuration settings for these audit reports.
Windows Defender
In order to enable Windows Defender reports, please make sure that Collector ID: 137 is enabled.
Windows Defender Collector (ID: 137)
If Windows Defender collector is enabled, VirtualMetric also tracks Windows Event Logs for Windows Defender activities. VirtualMetric collects following events of Windows Defender:
Windows Defender: Scan (ID: 82)
Group | Event ID | Message |
---|---|---|
Windows Defender: Scan | 1000 | An antimalware scan started. |
Windows Defender: Scan | 1001 | An antimalware scan finished. |
Windows Defender: Scan | 1002 | An antimalware scan was stopped before it finished. |
Windows Defender: Scan | 1003 | An antimalware scan was paused. |
Windows Defender: Scan | 1004 | An antimalware scan was resumed. |
Windows Defender: Scan | 1005 | An antimalware scan started. |
Windows Defender: Action (ID: 83)
Group | Event ID | Message |
---|---|---|
Windows Defender: Action | 1007 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. |
Windows Defender: Action | 1008 | The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. |
Windows Defender: Action | 1117 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. |
Windows Defender: Action | 1118 | The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. |
Windows Defender: Action | 1119 | The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message. |
Windows Defender: Detection (ID: 84)
Group | Event ID | Message |
---|---|---|
Windows Defender: Detection | 1006 | The antimalware engine found malware or other potentially unwanted software. |
Windows Defender: Detection | 1015 | The antimalware platform detected suspicious behavior. |
Windows Defender: Detection | 1116 | The antimalware platform detected malware or other potentially unwanted software. |
Windows Defender: Quarantine (ID: 86)
Group | Event ID | Message |
---|---|---|
Windows Defender: Quarantine | 1009 | The antimalware platform restored an item from quarantine. |
Windows Defender: Quarantine | 1010 | The antimalware platform could not restore an item from quarantine. |
Windows Defender: Quarantine | 1011 | The antimalware platform deleted an item from quarantine. |
Windows Defender: Quarantine | 1012 | The antimalware platform could not delete an item from quarantine. |
Please make sure that these Event Log definitions are also enabled. You can always customize these settings to filter Windows Defender events.
Windows Firewall
In order to enable Windows Firewall reports, please make sure that Collector ID: 54 is enabled.
Windows Firewall Log Collector (ID: 54)
If Windows Firewall Log collector is enabled, VirtualMetric uses Windows Firewall Log file or Security Audit events to collect Windows Firewall activities. VirtualMetric collects following events of Windows Defender:
Windows Firewall Settings
With default settings, VirtualMetric collects firewall logs via Windows Firewall log file.
If you want to enable file logging on Windows Firewall, go to Windows Firewall for configuration.
Right click on Windows Firewall title, and click Properties.
Click on Customize for logging properties.
Choose Yes for logging dropped packets. You can also enable logging of successful connections if you need it.
After these changes, VirtualMetric will start reading Windows Firewall log file via Inventory Collector. You can also switch collector mode to "Event" for real time collection. Go to collector definition settings and change mode to Event:
To activate event logging for Windows Firewall, you should make changes on Local Group Policy settings.
Open Local Group Policy and go to Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
Make sure that Success and Failure events are selected.
VirtualMetric collects following events of Windows Firewall:
Filtering Platform Connection - Permitted (ID: 88)
Group | Event ID | Message |
---|---|---|
Filtering Platform Connection: Permitted | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
Filtering Platform Connection: Permitted | 5156 | The Windows Filtering Platform has permitted a connection. |
Filtering Platform Connection: Permitted | 5158 | The Windows Filtering Platform has permitted a bind to a local port. |
Filtering Platform Packet Drop (ID: 92)
Group | Event ID | Message |
---|---|---|
Filtering Platform Packet Drop | 5152 | The Windows Filtering Platform blocked a packet. |
Filtering Platform Packet Drop | 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. |
DDoS Analyzer (ID: 94)
Group | Event ID | Message |
---|---|---|
DDoS Analyzer | 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. |
DDoS Analyzer | 5149 | The DoS attack has subsided and normal processing is being resumed. |
Please make sure that these Event Log definitions are also enabled. You can always customize these settings to filter Windows Firewall events.
Object Access
In order to enable Object Access Auditing reports, please make sure that Collector ID: 144 is enabled.
Windows Object Access Audit Collector (ID: 144)
To activate event logging for Object Access Auditing, you should make changes on Local Group Policy settings.
Open Local Group Policy and go to Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
Make sure that Success and Failure events are selected.
For test purposes, go to Properties of the sensitive file.
Switch to Security tab and click on Advanced button.
Switch to Auditing tab and click on Add button.
Click on Select a principal and type Everyone and click OK button.
Select All for type, and switch Advanced Mode. Select the events for logging and click OK button.
Click Apply and click OK button to save changes.
VirtualMetric collects following events of Object Access Auditing:
Object Access Auditing (ID: 95)
Object Access Auditing (ID: 96)
Group | Event ID | Message |
---|---|---|
Object Access Auditing | 4656 / 560 | A handle to an object was requested. |
Object Access Auditing | 4658 / 562 | The handle to an object was closed. |
Object Access Auditing | 4659 / 563 | A handle to an object was requested with intent to delete. |
Object Access Auditing | 4660 / 564 | An object was deleted. |
Object Access Auditing | 4661 / 565 | A handle to an object was requested. |
Object Access Auditing | 4662 / 566 | An operation was performed on an object. |
Object Access Auditing | 4663 / 567 | An attempt was made to access an object. |
Object Access Auditing | 4664 / 568 | An attempt was made to create a hard link. |
Please make sure that these Event Log definitions are also enabled. You can always customize these settings to filter Object Access events. You can log following audit types via VirtualMetric:
Access Type | Enabled? | Description |
---|---|---|
ReadData | ✓ | The right to read the corresponding file data. |
ListDirectory | ✓ | The right to list the contents of the directory. |
WriteData | ✓ | The right to write data to the file. |
AddFile | ✓ | The right to create a file in the directory. |
AppendData | ✓ | The right to append data to the file. |
AddSubdirectory | ✓ | The right to create a subdirectory. |
ReadEA | ✖︎ | The right to read extended file attributes. |
WriteEA | ✖︎ | The right to write extended file attributes. |
Execute | ✓ | The right to execute the file. |
Traverse | ✓ | The right to traverse the directory. |
DeleteChild | ✓ | The right to delete a directory and all the files it contains, including read-only files. |
ReadAttributes | ✖︎ | The right to read file attributes. |
WriteAttributes | ✖︎ | The right to write file attributes. |
ReadMemory | ✖︎ | The right to read process memory. |
DELETE | ✓ | The right to delete the object. |
READ_CONTROL | ✖︎ | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). |
WRITE_DAC | ✓ | The right to modify the discretionary access control list (DACL) in the object's security descriptor. |
WRITE_OWNER | ✓ | The right to change the owner in the object's security descriptor. |
SYNCHRONIZE | ✖︎ | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. |
ACCESS_SYS_SEC | ✖︎ | The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor. |
With default settings, VirtualMetric uses following audit types in collector settings:
If you want to enable extra access types, you can modify collector settings.
After modifying accessmode
options, you can click Submit button to apply changes.
File Change Tracking
In order to enable Windows File Change Tracking reports, please make sure that Collector ID: 139 is enabled. Windows File Change Tracking Collector (ID: 139)
By default, VirtualMetric uses following white list and black list to filter file changes:
If you clear these settings, VirtualMetric logs all file changes. You can use extensionBlackList
to filter some file extensions like .log or .evtx etc. You can also add some file type extensions to always log via extensionWhiteList
setting. If you want to set these lists, you can modify collector settings.
After modifying options, you can click Submit button to apply changes.
Last updated