diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index 5763a4dba1..f21b182de2 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5070(S, F): A cryptographic function property modification was attempted. -This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when named property for a cryptographic function in an existing CNG context was updated. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index 2d8d45b93a..26b6d241f5 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md 
@@ -27,7 +27,7 @@ This event generates every time an Active Directory object is modified. To generate this event, the modified object must have an appropriate entry in [SACL](/windows/win32/secauthz/access-control-lists): the “**Write”** action auditing for specific attributes. -For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value. +For a change operation, you'll typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. 
@@ -82,13 +82,13 @@ For a change operation you will typically see two 5136 events for one action, wi **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO 
@@ -142,13 +142,13 @@ For a change operation you will typically see two 5136 events for one action, wi - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 
@@ -180,7 +180,7 @@ For a change operation you will typically see two 5136 events for one action, wi > **Note**  [LDAP Display Name](/windows/win32/adschema/a-ldapdisplayname) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol. -- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes are not represented as objects in the schema, but they are programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined. +- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes aren't represented as objects in the schema, but they're programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined. | OID | Syntax Name | Description | |----------|--------------------------------------------|----------------------------------------------------------| 
@@ -189,7 +189,7 @@ For a change operation you will typically see two 5136 events for one action, wi | 2.5.5.2 | String(Object-Identifier) | The object identifier. | | 2.5.5.3 | Case-Sensitive String | General String. | | 2.5.5.4 | CaseIgnoreString(Teletex) | Differentiates uppercase and lowercase. | -| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Does not differentiate uppercase and lowercase. | +| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Doesn't differentiate uppercase and lowercase. | | 2.5.5.6 | String(Numeric) | Printable string or IA5-String. | | 2.5.5.7 | Object(DN-Binary) | Both character sets are case-sensitive. | | 2.5.5.8 | Boolean | A sequence of digits. | @@ -205,7 +205,7 @@ For a change operation you will typically see two 5136 events for one action, wi > Table 10. LDAP Attribute Syntax OIDs. -- **Value** \[Type = UnicodeString\]: the value which was added or deleted, depending on the **Operation\\Type** field. +- **Value** \[Type = UnicodeString\]: the value that was added or deleted, depending on the **Operation\\Type** field. **Operation:** @@ -235,4 +235,4 @@ For 5136(S): A directory service object was modified. - If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name. -- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. \ No newline at end of file +- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. \ No newline at end of file 
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index f5b8f335af..0a90a9f3a9 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md 
@@ -76,13 +76,13 @@ This event only generates if the parent object has a particular entry in its [SA **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO 
@@ -136,13 +136,13 @@ This event only generates if the parent object has a particular entry in its [SA - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 
@@ -182,4 +182,4 @@ For 5137(S): A directory service object was created. - If you need to monitor creation of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all new group policy objects creations: **groupPolicyContainer** class. -- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There is no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.). \ No newline at end of file +- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There's no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.). \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 93dac293aa..0757dcd92c 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md 
@@ -77,13 +77,13 @@ This event only generates if the container to which the Active Directory object **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** name of account that requested that the object be undeleted or restored. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO 
@@ -105,7 +105,7 @@ This event only generates if the container to which the Active Directory object **Object:** -- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it. +- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will point to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. > @@ -139,13 +139,13 @@ This event only generates if the container to which the Active Directory object - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 
@@ -185,4 +185,4 @@ For 5138(S): A directory service object was undeleted. - If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor for **Class** field with specific class name. -- It may be a good idea to monitor all undelete events, because the operation is not performed very often. Confirm that there is a reason for the object to be undeleted. \ No newline at end of file +- It may be a good idea to monitor all undelete events, because the operation isn't performed often. Confirm that there's a reason for the object to be undeleted. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index 00145f3a61..eabd06efdf 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md 
@@ -77,13 +77,13 @@ This event only generates if the destination object has a particular entry in it **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “move object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO 
@@ -139,13 +139,13 @@ This event only generates if the destination object has a particular entry in it - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 @@ -185,4 +185,4 @@ For 5139(S): A directory service object was moved. - If you need to monitor movement of Active Directory objects with specific classes, monitor for **Class** field with specific class name. -- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There is no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.). \ No newline at end of file +- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There's no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.). \ No newline at end of file 
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index 067637aa9b..b5ae516ec7 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md 
@@ -78,13 +78,13 @@ This event generates once per session, when first access attempt was made. **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO 
@@ -120,7 +120,7 @@ This event generates once per session, when first access attempt was made. - ::1 or 127.0.0.1 means localhost. -- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access. +- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access. - 0 for local access attempts. @@ -134,7 +134,7 @@ This event generates once per session, when first access attempt was made. - **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event. -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event. +- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event. ## Security Monitoring Recommendations 
@@ -144,9 +144,9 @@ For 5140(S, F): A network share object was accessed. - If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. -- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. +- Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range. -- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**). +- Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**). - If you need to monitor access attempts to local shares from a specific IP address (“**Network Information\\Source Address”)**, use this event. diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index f69e095286..e63227b1ad 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md 
@@ -77,13 +77,13 @@ This event only generates if the deleted object has a particular entry in its [S **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO 
@@ -137,13 +137,13 @@ This event only generates if the deleted object has a particular entry in its [S - We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672 - - Take first 3 sections a6b34ab5-551b-4626. + - Take first three sections a6b34ab5-551b-4626. - - For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 + - For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646 - - Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 + - Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672 - - Delete - : b54ab3a61b552646b8ee2b36b3ee6672 + - Delete: b54ab3a61b552646b8ee2b36b3ee6672 - Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72 @@ -193,4 +193,4 @@ For 5141(S): A directory service object was deleted. - If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class. -- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion. \ No newline at end of file +- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects that shouldn't be deleted, monitor for their deletion. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index 636a19a1bd..e533127f2a 100644 --- a/windows/security/threat-protection/auditing/event-5143.md 
+++ b/windows/security/threat-protection/auditing/event-5143.md @@ -78,13 +78,13 @@ This event generates every time network share object was modified. **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify network share object” operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO 
@@ -120,9 +120,9 @@ This event generates every time network share object was modified. Advanced Sharing illustration -- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it is not set. +- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set. -- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it is not set. +- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set. - **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited. @@ -155,7 +155,7 @@ This event generates every time network share object was modified. | "AU" | Authenticated users | "LG" | Local guest | | "BA" | Built-in administrators | "LS" | Local service account | | "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | +| "BO" | Backup operators | "NU" | Network sign-in user | | "BU" | Built-in users | "NO" | Network configuration operators | | "CA" | Certificate server administrators | "NS" | Network service account | | "CG" | Creator group | "PO" | Printer operators | @@ -167,7 +167,7 @@ This event generates every time network share object was modified. | "DU" | Domain users | "RC" | Restricted code | | "EA" | Enterprise administrators | "SA" | Schema administrators | | "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | +| "WD" | Everyone | "SU" | Service sign-in user | - *G*: = Primary Group. - *D*: = DACL Entries. 
@@ -187,7 +187,7 @@ Example: D:(A;;FA;;;WD) "P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set. "AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. @@ -213,7 +213,7 @@ Example: D:(A;;FA;;;WD) "CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. +"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE. "NP" - NO PROPAGATE: only immediate children inherit this ace. @@ -224,7 +224,7 @@ Example: D:(A;;FA;;;WD) "SA" - SUCCESSFUL ACCESS AUDIT "FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. +- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. | Value | Description | Value | Description | |----------------------------|---------------------------------|----------------------|--------------------------| @@ -246,7 +246,7 @@ Example: D:(A;;FA;;;WD) - object\_guid: N/A - inherit\_object\_guid: N/A -- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above. For more information about SDDL syntax, see these articles: , .
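Review bot: In the event-5070 hunk at @@ -17, "This function is a Cryptographic Next Generation (CNG) function." repeats "function" and reads worse than the line it replaces, and the awkward "This event generates in ... function" survives; suggest "This event is generated by the [BCryptSetContextFunctionProperty](...)() function, which is part of Cryptographic Next Generation (CNG)." In the @@ -27 hunk of the same file, dropping "mainly" from "This event is mainly used for ... troubleshooting" changes the claim rather than its wording; keep "mainly" unless the intent is to state that troubleshooting is the only use.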
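Review bot: In the GUID-search steps of the event-5136 hunk at @@ -142, rewriting "- Delete - : b54ab3a61b552646b8ee2b36b3ee6672" as "- Delete: b54ab3a61b552646b8ee2b36b3ee6672" loses the instruction: the original tells the reader to delete the "-" characters to obtain the concatenated hex string, while the new line reads as if that string itself should be deleted. Suggest "- Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672". The identical change appears in the matching hunks of event-5137 (@@ -136), event-5138 (@@ -139), event-5139 (@@ -139) and event-5141 (@@ -137) and needs the same correction in each.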
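Review bot: "Formats vary, and include the following ones:" in the Account Domain bullets (event-5136 @@ -82, event-5137 @@ -76, event-5138 @@ -77, event-5139 @@ -77, event-5140 @@ -78, event-5141 @@ -77, event-5143 @@ -78) is less idiomatic than the "include the following:" it replaces, since the colon already introduces the list of formats; suggest reverting to "Formats vary, and include the following:" or using "Formats vary; examples include:".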
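Review bot: The event-5136 hunk at @@ -189 only rewords the 2.5.5.5 row, but the surrounding context shows the Description column out of step with Syntax Name: "CaseIgnoreString(Teletex)" is described as "Differentiates uppercase and lowercase", "String(Printable), String(IA5)" as "Teletex. Doesn't differentiate uppercase and lowercase.", "String(Numeric)" as "Printable string or IA5-String.", and "Boolean" as "A sequence of digits." Since this row is being edited anyway, re-align each description with its syntax name (and check the rows outside the hunk) rather than only changing the contraction.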
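Review bot: In the event-5138 hunk at @@ -105, "It will point to ... folder, in case if it was restored from it." fixes the verb but keeps the ungrammatical "in case if"; suggest "It points to the [Active Directory Recycle Bin](...) folder if the object was restored from there."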
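Review bot: The last hunk of event-5139 (@@ -185) keeps the comma splice "There's no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations"; the parallel sentence in event-5137 (@@ -182) uses a semicolon, so suggest "...Active Directory objects; find the most important locations..." here as well. In both of those hunks, "auditing access lists (SACLs)" misexpands the acronym: SACL is system access control list, so suggest "You must set correct system access control lists (SACLs) for specific classes within the Active Directory container".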
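Review bot: In the event-5143 hunks at @@ -155 and @@ -167, "Network logon user" and "Service logon user" are the documented names of the well-known SDDL SID strings "NU" and "SU" (the NETWORK and SERVICE logon SIDs), not user-facing UI text, so applying the logon-to-sign-in style rule here mislabels them; keep "Network logon user" and "Service logon user". In the @@ -187 hunk of the same file, "assuming that "P" Isn't also set" should be lowercased to "isn't", since it sits mid-sentence.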