Audit Classifications


The following tables provide Audit classification information. The first table lists a description and examples for each classification.

Startup and Shutdown
Description: Logs reporting on activity pertaining to the starting and stopping of a system, device, application, or other relevant object.
Critical Service: a service whose stopping can prevent network access, or one related to infrastructure services, security or auditing, authentication, or accessibility (most likely a shutdown caused by a failure).
Examples of: Server or provider Services, Daemons, Windows Services.
  • System Started
  • System Rebooted
  • Audit Process Started
  • IPSEC Agent Started
  • HTTPD Service Started
  • SQL Server Service Stopped Unexpectedly
  • Anti-Virus Stopped

Configuration
Description: Logs reporting on activity pertaining to the state or configuration of a system, where not related to a Policy.
Critical Service: changes to devices that can prevent network access, or that are related to infrastructure services, security or auditing, authentication, or accessibility.
Ensure the following have RR = 0: normal Registry and Active Directory modifications.
Examples:
  • Software installed
  • Configuration changed
  • Software removed
  • Anti-Virus Scheduled Scan deleted
  • Service Startup configuration changes
  • Active Directory Configuration changed (RR=3)
  • Active Directory Content changed (RR=0)
  • Enabling / Disabling Services and/or Protocols

Policy
Description: Logs reporting on activity pertaining to the policy of a network, system, device, or other relevant object. Includes configuration changes related to a Policy.
In general, most Policy changes will be set to RR=3 and forwarded, as it is difficult to know whether a change is at user level.
Examples:
  • Domain Policy changed
  • Audit Policy set
  • Access Control Policy changed
  • Content Management modified
  • User Level/Workstation Level Policy changed (Screensaver settings)

Account Created
Description: Logs reporting on activity related to user or system/computer account creation.
Examples:
  • User account/group created

Account Modified
Description: Logs reporting on the modification of a user or group outside of granting or revoking access; no group-level or access-level changes.
Examples:
  • User account properties (for example, name) changed
  • Password changed

Account Deleted
Description: Logs reporting on activity related to user or system/computer account deletion.
Examples:
  • User account/group deleted

Access Granted
Description: Logs reporting on activity related to the granting of access rights and privileges. A user account was modified to grant access on a permanent basis.
Examples:
  • User added to group
  • Access to file granted
  • Access to program granted
  • Administrator role granted
  • Backup role granted

Access Revoked
Description: Logs reporting on activity related to the revocation of access rights and privileges.
Examples:
  • User removed from group
  • Access to file revoked
  • Access to program revoked
  • Administrator role revoked
  • Backup role revoked

Authentication Success
Description: Logs reporting successful user and system authentication activity: a user or system gaining access through any method of authentication.
Examples:
  • User logged on locally
  • User logged on remotely
  • User VPNs in
  • Program or system authenticated locally/remotely

Authentication Failure
Description: Logs reporting failed user and system authentication activity, due to bad credentials or an unauthorized attempt (user not allowed to log in).
Examples:
  • User login failed
  • VPN login failed
  • Program or system authentication failed

Access Success
Description: Logs reporting successful read, write, or execute access on files, programs, and other relevant objects.
Examples of: Client Applications, Desktop Applications, Scripts.
  • File read
  • File modified
  • File deleted
  • Program executed

Access Failure
Description: Logs reporting failed read, write, or execute access on files, programs, and other relevant objects.
Examples of: Client Applications, Desktop Applications, Scripts.
  • Unauthorized file read attempt
  • Unauthorized file modification attempt
  • Unauthorized file deletion attempt
  • Unauthorized program execution attempt

Other Audit Success
Description: Logs reporting on successful audited activity not otherwise classifiable.
Examples:
  • Successful authentication/authorization
  • Kerberos ticket exchange messages
  • Successful Credential Passing

Other Audit Failure
Description: Logs reporting on failed audited activity not otherwise classifiable.
Examples:
  • Failed authentication/authorization Kerberos ticket exchange messages

Other Audit
Description: Logs reporting on audited activity not otherwise classifiable.

Audit Classification Defaults

This table gives Audit Classification defaults for Risk Rating (RR), Event Forwarding, and LogMart Forwarding.

Classification          Default Risk Rating *              Default Event Forwarding **   Default LogMart Forwarding
----------------------  ---------------------------------  ----------------------------  --------------------------
Startup and Shutdown    0 / 3 (Critical Service)           If RR > 0                     If RR > 0
Configuration           2                                  Yes                           Yes
Policy                  2                                  Yes                           Yes
Account Created         3                                  Yes                           Yes
Account Modified        1                                  Yes                           Yes
Account Deleted         0                                  Yes                           Yes
Access Granted          3 / 5 if admin privilege granted   Yes                           Yes
Access Revoked          0                                  No                            Yes
Authentication Success  0 / 1 if privileged user           If RR > 0                     Yes
Authentication Failure  0                                  Yes                           Yes
Access Success          0                                  No                            Yes
Access Failure          1                                  Yes                           Yes
Other Audit Success     0                                  No                            No
Other Audit Failure     1                                  Yes                           Yes
Other Audit             0                                  No                            No

* This is the usual Risk Rating assigned to a Common Event associated with this classification. However, Risk Ratings vary by Common Event within the same classification; this value is a general default, not strictly enforced.

** This is the default setting for forwarding the log to the Platform Manager, assigned to a Common Event associated with this classification.
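To make the defaults table above executable, here is an added example (not part of the original page, nor code from the product it documents): a Python resolver that encodes each row, including the conditional Critical Service, admin-privilege and privileged-user ratings and the "If RR > 0" forwarding rules. The AuditEvent fields, the "rr>0" marker and the resolve function are assumptions for illustration only.

```python
from dataclasses import dataclass

# Defaults table from this page as (risk rating, event forwarding, LogMart
# forwarding). "rr>0" stands for the table's "If RR > 0" rule; the conditional
# ratings (Critical Service, admin privilege, privileged user) are resolved below.
DEFAULTS = {
    "Startup and Shutdown":   (0, "rr>0", "rr>0"),
    "Configuration":          (2, True, True),
    "Policy":                 (2, True, True),
    "Account Created":        (3, True, True),
    "Account Modified":       (1, True, True),
    "Account Deleted":        (0, True, True),
    "Access Granted":         (3, True, True),
    "Access Revoked":         (0, False, True),
    "Authentication Success": (0, "rr>0", True),
    "Authentication Failure": (0, True, True),
    "Access Success":         (0, False, True),
    "Access Failure":         (1, True, True),
    "Other Audit Success":    (0, False, False),
    "Other Audit Failure":    (1, True, True),
    "Other Audit":            (0, False, False),
}

@dataclass
class AuditEvent:
    """Minimal event shape (assumed for this example, not the product's schema)."""
    classification: str
    critical_service: bool = False  # Startup/Shutdown of an infrastructure, security or auth service
    admin_privilege: bool = False   # Access Granted: administrator role granted
    privileged_user: bool = False   # Authentication Success by a privileged account

def default_risk_rating(ev):
    """Apply the table's conditional RR rows, otherwise the base default."""
    if ev.classification == "Startup and Shutdown" and ev.critical_service:
        return 3
    if ev.classification == "Access Granted" and ev.admin_privilege:
        return 5
    if ev.classification == "Authentication Success" and ev.privileged_user:
        return 1
    return DEFAULTS[ev.classification][0]

def resolve(ev):
    """Return (risk rating, forward to Platform Manager, forward to LogMart)."""
    rr = default_risk_rating(ev)
    _, event_rule, logmart_rule = DEFAULTS[ev.classification]
    # "If RR > 0" rules depend on the resolved rating; Yes/No rules are fixed.
    fwd = lambda rule: rr > 0 if rule == "rr>0" else rule
    return rr, fwd(event_rule), fwd(logmart_rule)
```

For instance, resolve(AuditEvent("Authentication Success")) yields (0, False, True): the event is not forwarded to the Platform Manager but is still forwarded to LogMart, whereas the same event for a privileged user yields (1, True, True).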