
Audit Configuration

Last updated 6 months ago

You can easily change the default settings for the following audit reports:

  • Windows Defender

  • Windows Firewall

  • Object Access

  • File Change Tracking

  • Best Practice Analyzer

  • User Authentication

In this section, we will discuss the configuration for these audit reports.

Windows Defender

In order to enable Windows Defender reports, make sure that Collector ID: 137 is enabled.

Windows Defender Collector (ID: 137)

If the Windows Defender collector is enabled, VirtualMetric also tracks Windows Event Logs for Windows Defender activities. VirtualMetric collects the following events:

Windows Defender: Scan (ID: 82)

| Group | Event ID | Message |
|---|---|---|
| Windows Defender: Scan | 1000 | An antimalware scan started. |
| Windows Defender: Scan | 1001 | An antimalware scan finished. |
| Windows Defender: Scan | 1002 | An antimalware scan was stopped before it finished. |
| Windows Defender: Scan | 1003 | An antimalware scan was paused. |
| Windows Defender: Scan | 1004 | An antimalware scan was resumed. |
| Windows Defender: Scan | 1005 | An antimalware scan started. |

Windows Defender: Action (ID: 83)

| Group | Event ID | Message |
|---|---|---|
| Windows Defender: Action | 1007 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. |
| Windows Defender: Action | 1008 | The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. |
| Windows Defender: Action | 1117 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. |
| Windows Defender: Action | 1118 | The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. |
| Windows Defender: Action | 1119 | The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message. |

Windows Defender: Detection (ID: 84)

| Group | Event ID | Message |
|---|---|---|
| Windows Defender: Detection | 1006 | The antimalware engine found malware or other potentially unwanted software. |
| Windows Defender: Detection | 1015 | The antimalware platform detected suspicious behavior. |
| Windows Defender: Detection | 1116 | The antimalware platform detected malware or other potentially unwanted software. |

Windows Defender: Quarantine (ID: 86)

| Group | Event ID | Message |
|---|---|---|
| Windows Defender: Quarantine | 1009 | The antimalware platform restored an item from quarantine. |
| Windows Defender: Quarantine | 1010 | The antimalware platform could not restore an item from quarantine. |
| Windows Defender: Quarantine | 1011 | The antimalware platform deleted an item from quarantine. |
| Windows Defender: Quarantine | 1012 | The antimalware platform could not delete an item from quarantine. |

Make sure that these Event Log definitions are also enabled. You can always customize these settings to filter Windows Defender events.

Windows Firewall

In order to enable Windows Firewall reports, make sure that Collector ID: 54 is enabled.

Windows Firewall Log Collector (ID: 54)

If the Windows Firewall Log collector is enabled, VirtualMetric uses either the Windows Firewall log file or Security Audit events to collect Windows Firewall activities. The collected events are listed after the settings below.

Windows Firewall Settings

With the default settings, VirtualMetric collects firewall logs via the Windows Firewall log file.

mode=file

If you want to enable file logging on Windows Firewall, open Windows Firewall, right-click the Windows Firewall node, and click Properties.

Click Customize for the logging properties.

Choose Yes for logging dropped packets. You can also enable logging of successful connections if they are needed.

After making these changes, VirtualMetric will start reading the Windows Firewall log file via the Inventory Collector. You can also switch the collector mode to Event for real-time collection. Go to the collector definition settings and change the mode to Event:

mode=event

To activate event logging for Windows Firewall, you must make some changes in the Local Group Policy settings. Open Local Group Policy and go to Windows Settings -> Security Settings -> Local Policies -> Audit Policy.

Make sure that both Success and Failure events are selected.
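The same two log sources enabled from an elevated PowerShell prompt instead of the dialogs above; this is an added example, not VirtualMetric's code, and the log file path is the Windows default rather than anything the page specifies.

```powershell
# Added example, not VirtualMetric's own code. Run from an elevated PowerShell session
# on the monitored Windows host.

# --- mode=file: write dropped packets (and, optionally, allowed connections) to the log file
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True `
    -LogAllowed True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767
Get-NetFirewallProfile | Select-Object Name, LogBlocked, LogAllowed, LogFileName
# The Inventory Collector reads this file; confirm it is being written
Get-Content -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 5

# --- mode=event: Success and Failure auditing for the two Filtering Platform subcategories
# (the same switches the page sets via Local Group Policy -> Audit Policy)
auditpol /set /subcategory:"Filtering Platform Connection"  /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /get /category:"Object Access" | Select-String 'Filtering Platform'

# Check that the Security log now carries the event IDs the collector reads
$ids = 5148, 5149, 5152, 5153, 5154, 5156, 5158
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddMinutes(-10) } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count
```

Filtering Platform Connection auditing produces one 5156 event per permitted connection and is high-volume; size the Security log accordingly or start with Packet Drop only.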

VirtualMetric collects the following events of Windows Firewall:

Filtering Platform Connection - Permitted (ID: 88)

| Group | Event ID | Message |
|---|---|---|
| Filtering Platform Connection: Permitted | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| Filtering Platform Connection: Permitted | 5156 | The Windows Filtering Platform has permitted a connection. |
| Filtering Platform Connection: Permitted | 5158 | The Windows Filtering Platform has permitted a bind to a local port. |

Filtering Platform Packet Drop (ID: 92)

| Group | Event ID | Message |
|---|---|---|
| Filtering Platform Packet Drop | 5152 | The Windows Filtering Platform blocked a packet. |
| Filtering Platform Packet Drop | 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. |

DDoS Analyzer (ID: 94)

| Group | Event ID | Message |
|---|---|---|
| DDoS Analyzer | 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. |
| DDoS Analyzer | 5149 | The DoS attack has subsided and normal processing is being resumed. |

Make sure that these Event Log definitions are also enabled. You can always customize these settings to filter Windows Firewall events.

Object Access

In order to enable Object Access Auditing reports, make sure that Collector ID: 144 is enabled.

Windows Object Access Audit Collector (ID: 144)

To activate event logging for Object Access Auditing, you must make some changes in the Local Group Policy settings. Open Local Group Policy and go to Windows Settings -> Security Settings -> Local Policies -> Audit Policy.

Make sure that both Success and Failure events are selected.

For test purposes, open the Properties of a sensitive file.

Switch to the Security tab and click the Advanced button.

Switch to the Auditing tab and click the Add button.

Click on Select a principal, type Everyone, and click the OK button.

Select All for type, and switch to Advanced Mode. Select the events for logging, and click the OK button.

Click Apply and then the OK button to save the changes.

VirtualMetric collects the following events of Object Access Auditing:

Object Access Auditing (ID: 95)

Object Access Auditing (ID: 96)

| Group | Event ID | Message |
|---|---|---|
| Object Access Auditing | 4656 / 560 | A handle to an object was requested. |
| Object Access Auditing | 4658 / 562 | The handle to an object was closed. |
| Object Access Auditing | 4659 / 563 | A handle to an object was requested with intent to delete. |
| Object Access Auditing | 4660 / 564 | An object was deleted. |
| Object Access Auditing | 4661 / 565 | A handle to an object was requested. |
| Object Access Auditing | 4662 / 566 | An operation was performed on an object. |
| Object Access Auditing | 4663 / 567 | An attempt was made to access an object. |
| Object Access Auditing | 4664 / 568 | An attempt was made to create a hard link. |

Make sure that these Event Log definitions are also enabled. You can always customize these settings to filter Object Access events. You can log the following audit types via VirtualMetric:

| Access Type | Enabled? | Description |
|---|---|---|
| ReadData | ✓ | The right to read the corresponding file data. |
| ListDirectory | ✓ | The right to list the contents of the directory. |
| WriteData | ✓ | The right to write data to the file. |
| AddFile | ✓ | The right to create a file in the directory. |
| AppendData | ✓ | The right to append data to the file. |
| AddSubdirectory | ✓ | The right to create a subdirectory. |
| ReadEA | ✖ | The right to read extended file attributes. |
| WriteEA | ✖ | The right to write extended file attributes. |
| Execute | ✓ | The right to execute the file. |
| Traverse | ✓ | The right to traverse the directory. |
| DeleteChild | ✓ | The right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | ✖ | The right to read file attributes. |
| WriteAttributes | ✖ | The right to write file attributes. |
| ReadMemory | ✖ | The right to read process memory. |
| DELETE | ✓ | The right to delete the object. |
| READ_CONTROL | ✖ | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). |
| WRITE_DAC | ✓ | The right to modify the discretionary access control list (DACL) in the object's security descriptor. |
| WRITE_OWNER | ✓ | The right to change the owner in the object's security descriptor. |
| SYNCHRONIZE | ✖ | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. |
| ACCESS_SYS_SEC | ✖ | The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor. |

With the default settings, VirtualMetric uses the following audit types in the collector settings:

accessmode=ReadData,ListDirectory,WriteData,WRITE_DAC,WRITE_OWNER,AddFile,AppendData,AddSubdirectory,Execute,Traverse,DeleteChild,DELETE

If you want to enable other access types, you can modify the collector settings. After modifying the accessmode options, click the Submit button to apply the changes.
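An added example, not VirtualMetric's own code, that performs the test-file setup from the steps above in PowerShell and then shows which of the access types in the table a 4663 event carries, keeping only the ones the default accessmode would collect. The bit values are the standard Windows file/directory access-mask bits; that the collector's accessmode names map onto those bits, and the test file path, are assumptions.

```powershell
# Added example, not VirtualMetric's own code. Run elevated on the monitored host.
# 1) Enable File System auditing and put a Success/Failure SACL for Everyone on a
#    test file, as the page does through the file's Properties dialog.
$TestFile = 'C:\Sensitive\secret.txt'   # placeholder path; point it at a real test file
auditpol /set /subcategory:"File System" /success:enable /failure:enable
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'FullControl', 'Success,Failure')
$acl  = Get-Acl -Path $TestFile -Audit      # -Audit needs SeSecurityPrivilege (elevated)
$acl.AddAuditRule($rule)
Set-Acl -Path $TestFile -AclObject $acl

# 2) Standard Windows file/directory access-mask bits for the access types in the table
#    above (assumption: the collector's accessmode names map onto these bits). ReadMemory
#    is a process-object right and has no file bit, so it is left out.
$AccessBits = [ordered]@{
    ReadData = 0x1;  WriteData = 0x2;   AppendData = 0x4;  ReadEA = 0x8;  WriteEA = 0x10
    Execute = 0x20;  DeleteChild = 0x40; ReadAttributes = 0x80; WriteAttributes = 0x100
    DELETE = 0x10000; READ_CONTROL = 0x20000; WRITE_DAC = 0x40000; WRITE_OWNER = 0x80000
    SYNCHRONIZE = 0x100000; ACCESS_SYS_SEC = 0x1000000
}
# Directory-flavoured names share the bit of their file counterpart
$Alias = @{ ListDirectory = 'ReadData'; AddFile = 'WriteData'; AddSubdirectory = 'AppendData'; Traverse = 'Execute' }

# Default accessmode value copied from the collector settings above
$AccessMode = 'ReadData,ListDirectory,WriteData,WRITE_DAC,WRITE_OWNER,AddFile,AppendData,AddSubdirectory,Execute,Traverse,DeleteChild,DELETE'
$WantedMask = 0
foreach ($name in $AccessMode -split ',') {
    $key = if ($Alias.ContainsKey($name)) { $Alias[$name] } else { $name }
    $WantedMask = $WantedMask -bor $AccessBits[$key]
}

function Get-AccessNames([int]$Mask) {
    # Names of every access-type bit set in a 4663 AccessMask
    $AccessBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

# 3) Read recent 4663 events for the test file; keep only those the default accessmode collects
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = ([xml]$evt.ToXml()).Event.EventData.Data
        $mask = [int](($data | Where-Object { $_.Name -eq 'AccessMask' }).'#text')   # e.g. "0x2"
        $obj  = ($data | Where-Object { $_.Name -eq 'ObjectName' }).'#text'
        if ($obj -eq $TestFile -and ($mask -band $WantedMask)) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Subject = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
                Access  = (Get-AccessNames $mask) -join ','
            }
        }
    } | Format-Table -AutoSize
```

Opening the test file in an editor and saving it should produce rows whose Access column shows ReadData and WriteData; an attribute-only change (ReadAttributes, WriteAttributes) is dropped because those types are not in the default accessmode.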

File Change Tracking

In order to enable Windows File Change Tracking reports, make sure that Collector ID: 139 is enabled.

Windows File Change Tracking Collector (ID: 139)

By default, VirtualMetric uses the following whitelist and blacklist to filter file changes:

extensionWhiteList=.ps1,.vbs,.exe&extensionBlackList=.log,.evtx

If you clear these settings, VirtualMetric logs all file changes. You can use extensionBlackList to filter out file extensions such as .log or .evtx, and you can add file extensions that should always be logged via the extensionWhiteList setting. To set these lists, modify the collector settings.

After modifying the options, click the Submit button to apply the changes.
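An added example, not VirtualMetric's code, that parses the setting string in the collector's key=value&key=value form and applies the whitelist/blacklist rule to sample paths so a value can be sanity-checked before it is submitted. The precedence (a blacklisted extension is never logged; a non-empty whitelist restricts logging to its extensions; with both lists empty everything is logged) and the case-insensitive comparison are assumptions, since the page does not spell them out; the sample paths are constructed.

```powershell
# Added example, not VirtualMetric's own code. Assumptions: blacklist wins over whitelist,
# a non-empty whitelist restricts logging to its extensions, empty lists log everything,
# and extensions are compared case-insensitively including the leading dot.

function ConvertFrom-CollectorSetting([string]$Setting) {
    # Parse "key=a,b&key2=c" into a hashtable of string arrays (empty value -> empty array)
    $result = @{}
    foreach ($pair in $Setting -split '&') {
        if (-not $pair) { continue }
        $key, $value = $pair -split '=', 2
        $result[$key] = @($value -split ',' | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLowerInvariant() })
    }
    return $result
}

function Test-FileChangeLogged([string]$Path, [hashtable]$Setting) {
    $ext   = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()   # '' for extension-less files
    $white = @($Setting['extensionWhiteList'] | Where-Object { $_ })     # missing key -> empty array
    $black = @($Setting['extensionBlackList'] | Where-Object { $_ })
    if ($black -contains $ext) { return $false }            # blacklisted: never logged
    if ($white.Count -gt 0)    { return $white -contains $ext }
    return $true                                            # nothing configured: log everything
}

# Default value copied from the page, and a cleared value for comparison
$default = ConvertFrom-CollectorSetting 'extensionWhiteList=.ps1,.vbs,.exe&extensionBlackList=.log,.evtx'
$cleared = ConvertFrom-CollectorSetting 'extensionWhiteList=&extensionBlackList='

# Constructed sample paths: mixed-case extension, blacklisted, unlisted, and extension-less
foreach ($file in 'C:\Scripts\deploy.PS1', 'C:\Logs\app.log', 'C:\Data\report.docx', 'C:\Temp\README') {
    [pscustomobject]@{
        File    = $file
        Default = Test-FileChangeLogged $file $default   # .ps1 logged; .log, .docx and no-extension dropped
        Cleared = Test-FileChangeLogged $file $cleared   # everything logged
    }
}
```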