
Audit Classifications

The following tables provide Audit classification information. The first table lists each classification with its description and examples.

Classification | Description | Examples Of

Startup and Shutdown

Logs reporting on activity pertaining to the starting and stopping of a system, device, application, or other relevant object.

Server or provider Services, Daemons, Windows Services.

Critical Service: a service whose stopping can prevent network access, or that relates to infrastructure service, security or auditing, authentication, or accessibility (most likely a shutdown caused by a failure).

  • System Started
  • System Rebooted
  • Audit Process Started
  • IPSEC Agent Started
  • HTTPD Service Started
  • SQL Server Service Stopped Unexpectedly
  • Anti Virus Stopped

Configuration

Logs reporting on activity pertaining to the state or configuration of a system where not related to a Policy.

Critical Service: changes to devices that can prevent network access, or that are related to infrastructure service, security or auditing, authentication, or accessibility.

Ensure the following have RR = 0 -- Normal Registry and Active Directory modifications

  • Software installed
  • Configuration changed
  • Software removed
  • Anti Virus Scheduled Scan deleted
  • Service Startup configuration changes
  • Active Directory Configuration changed (rr=3)
  • Active Directory Content changed (rr=0)
  • Enabling / Disabling Services and or Protocols

Policy

Logs reporting on activity pertaining to the policy of a network, system, device, or other relevant object. Includes configuration changes related to a Policy.

In general, most Policy changes will be set to RR=3 and forwarded, as it will be difficult to know whether a change is at the user level.

  • Domain Policy changed
  • Audit Policy set
  • Access Control Policy changed
  • Content Management modified
  • User Level/Workstation Level Policy changed (Screensaver settings)

Account Created

Logs reporting on activity related to user or system/computer account creation.

  • User account/group created

Account Modified

Logs reporting on the modification of a user or group outside granting/revoking access. No group level or access level changes.

  • User account properties (for example, name) changed
  • Password changed

Account Deleted

Logs reporting on activity related to user or system/computer account deletion.

  • User account/group deleted

Access Granted

Logs reporting on activity related to granting of access rights and privileges.

A user account was modified to grant access on a permanent basis.

  • User added to group
  • Access to file granted
  • Access to program granted
  • Administrator role granted
  • Backup role granted

Access Revoked

Logs reporting on activity related to revocation of access rights and privileges.

  • User removed from group
  • Access to file revoked
  • Access to program revoked
  • Administrator role revoked
  • Backup role revoked

Authentication Success

Logs reporting successful user and system authentication activity: a user or system gaining access through any method of authentication.

  • User logged on locally
  • User logged on remotely
  • User VPN’s in
  • Program or system authenticated locally/remotely

Authentication Failure

Logs reporting failed user and system authentication activity, due to bad credentials or an unauthorized attempt (user not allowed to log in).

  • User login failed
  • VPN login failed
  • Program or system authentication failed

Access Success

Logs reporting successful read, write, or execute access on files, programs, and other relevant objects.

Client Applications, Desktop Applications, Scripts

  • File read
  • File modified
  • File deleted
  • Program executed

Access Failure

Logs reporting failed read, write, or execute access on files, programs, and other relevant objects.

Client Applications, Desktop Applications, Scripts

  • Unauthorized file read attempt
  • Unauthorized file modification attempt
  • Unauthorized file deletion attempt
  • Unauthorized program execution attempt

Other Audit Success

Logs reporting on successful audited activity not otherwise classifiable.

  • Successful authentication/authorization
  • Kerberos ticket exchange messages
  • Successful Credential Passing

Other Audit Failure

Logs reporting on failed audited activity not otherwise classifiable.

  • Failed authentication/authorization
  • Kerberos ticket exchange messages

Other Audit

Logs reporting on audited activity not otherwise classifiable.

Audit Classification Defaults

This table gives Audit Classification defaults for Risk Rating (RR), Event Forwarding, and LogMart Forwarding.

| Classification | Default Risk Rating * | Default Event Forwarding ** | Default LogMart Forwarding |
|---|---|---|---|
| Startup and Shutdown | 0 / 3 (Critical Service) | If RR > 0 | If RR > 0 |
| Configuration | 2 | Yes | Yes |
| Policy | 2 | Yes | Yes |
| Account Created | 3 | Yes | Yes |
| Account Modified | 1 | Yes | Yes |
| Account Deleted | 0 | Yes | Yes |
| Access Granted | 3 / 5 if admin privilege granted | Yes | Yes |
| Access Revoked | 0 | No | Yes |
| Authentication Success | 0 / 1 if privileged user | If RR > 0 | Yes |
| Authentication Failure | 0 | Yes | Yes |
| Access Success | 0 | No | Yes |
| Access Failure | 1 | Yes | Yes |
| Other Audit Success | 0 | No | No |
| Other Audit Failure | 1 | Yes | Yes |
| Other Audit | 0 | No | No |

* This is the usual Risk Rating assigned to a Common Event associated with this classification. However, Risk Ratings vary by Common Event within the same classification. This value is a general default, not strictly enforced.

** This is the default setting for forwarding the log to the Platform Manager assigned to a Common Event associated with this classification.
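As an added illustration (not LogRhythm's code; the page does not show how the product evaluates these defaults), the following Python encodes the defaults table above, including its three conditional rows, and applies it to a few constructed events so that the effect of the "If RR > 0" forwarding rule is visible. The AuditEvent flags critical_service, admin_privilege and privileged_user are assumed names standing in for whatever the Common Event records; the code applies only the general defaults and not the per-Common-Event Risk Ratings the footnote mentions.

```python
"""Apply the Audit Classification default Risk Rating and forwarding rules.

Added illustration, not LogRhythm's own code. Encodes the defaults table
(Risk Rating, Event Forwarding, LogMart Forwarding) and its three conditional
rows, then evaluates constructed sample events against it.
"""
from __future__ import annotations

from dataclasses import dataclass

# Forwarding rules as they appear in the table: Yes, No, or "If RR > 0".
YES, NO, IF_RR_GT_0 = "yes", "no", "if_rr_gt_0"

# classification -> (base default RR, Event Forwarding rule, LogMart Forwarding rule)
DEFAULTS = {
    "Startup and Shutdown":   (0, IF_RR_GT_0, IF_RR_GT_0),  # 3 for a Critical Service
    "Configuration":          (2, YES, YES),
    "Policy":                 (2, YES, YES),
    "Account Created":        (3, YES, YES),
    "Account Modified":       (1, YES, YES),
    "Account Deleted":        (0, YES, YES),
    "Access Granted":         (3, YES, YES),  # 5 if admin privilege granted
    "Access Revoked":         (0, NO, YES),
    "Authentication Success": (0, IF_RR_GT_0, YES),  # 1 if privileged user
    "Authentication Failure": (0, YES, YES),
    "Access Success":         (0, NO, YES),
    "Access Failure":         (1, YES, YES),
    "Other Audit Success":    (0, NO, NO),
    "Other Audit Failure":    (1, YES, YES),
    "Other Audit":            (0, NO, NO),
}


@dataclass(frozen=True)
class AuditEvent:
    """A log already mapped to a classification. The three flags are
    hypothetical field names standing in for what the Common Event knows."""
    classification: str
    critical_service: bool = False   # Startup and Shutdown of a critical service
    admin_privilege: bool = False    # Access Granted that confers admin privilege
    privileged_user: bool = False    # Authentication Success by a privileged user


def default_risk_rating(event: AuditEvent) -> int:
    """Base RR from the table, raised where the table's conditional rows apply."""
    base, _, _ = DEFAULTS[event.classification]
    if event.classification == "Startup and Shutdown" and event.critical_service:
        return 3
    if event.classification == "Access Granted" and event.admin_privilege:
        return 5
    if event.classification == "Authentication Success" and event.privileged_user:
        return 1
    return base


def _rule_applies(rule: str, rr: int) -> bool:
    """Evaluate one forwarding cell of the table against the computed RR."""
    if rule == YES:
        return True
    if rule == NO:
        return False
    if rule == IF_RR_GT_0:
        return rr > 0
    raise ValueError(f"unknown forwarding rule {rule!r}")


def forwarding_decision(event: AuditEvent) -> tuple[int, bool, bool]:
    """Return (risk rating, forward to Platform Manager?, forward to LogMart?)."""
    rr = default_risk_rating(event)
    _, event_rule, logmart_rule = DEFAULTS[event.classification]
    return rr, _rule_applies(event_rule, rr), _rule_applies(logmart_rule, rr)


# Constructed sample events (not taken from any real log source).
SAMPLE_EVENTS = [
    AuditEvent("Startup and Shutdown"),                          # e.g. HTTPD service started
    AuditEvent("Startup and Shutdown", critical_service=True),   # e.g. Anti Virus stopped
    AuditEvent("Access Granted"),                                # e.g. user added to group
    AuditEvent("Access Granted", admin_privilege=True),          # e.g. Administrator role granted
    AuditEvent("Authentication Success"),                        # e.g. user logged on locally
    AuditEvent("Authentication Success", privileged_user=True),
    AuditEvent("Access Revoked"),                                # kept in LogMart, not forwarded
    AuditEvent("Other Audit"),                                   # forwarded nowhere by default
]


def summarize(events: list[AuditEvent]) -> list[tuple[str, int, bool, bool]]:
    """One row per event: classification, RR, event forwarding, LogMart forwarding."""
    return [(e.classification, *forwarding_decision(e)) for e in events]


if __name__ == "__main__":
    for name, rr, to_pm, to_logmart in summarize(SAMPLE_EVENTS):
        print(f"{name:<24} RR={rr}  PlatformManager={to_pm!s:<5} LogMart={to_logmart}")
```

Running the block shows the two rows where the "If RR > 0" rule matters: a non-critical service start (RR 0) is forwarded to neither destination, while the same classification for a critical service (RR 3) is forwarded to both; a non-privileged Authentication Success reaches LogMart but not the Platform Manager.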
