mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 22:37:22 +00:00
Merge pull request #6737 from MicrosoftDocs/v-smandalika-5694287-B14
windows - v-smandalika - 5694287
This commit is contained in: commit e17c77ef08
@ -17,7 +17,7 @@ ms.technology: windows-sec
|
||||
# 5070(S, F): A cryptographic function property modification was attempted.
|
||||
|
||||
|
||||
This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function.
|
||||
This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function.
|
||||
|
||||
This event generates when named property for a cryptographic function in an existing CNG context was updated.
|
||||
|
||||
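Review bot: the rewritten sentence "This event generates in BCryptSetContextFunctionProperty() function. This function is a Cryptographic Next Generation (CNG) function." now says "function" three times and still leaves "generates in ... function" ungrammatical; suggest "This event generates when the BCryptSetContextFunctionProperty() function is called. BCryptSetContextFunctionProperty() is a Cryptographic Next Generation (CNG) function."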
@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
|
||||
|
||||
- <https://www.microsoft.com/download/details.aspx?id=30688>
|
||||
|
||||
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
|
||||
This event is used for Cryptographic Next Generation (CNG) troubleshooting.
|
||||
|
||||
There is no example of this event in this document.
|
||||
There's no example of this event in this document.
|
||||
|
||||
***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
|
||||
|
||||
|
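Review bot: replacing "This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting." with "This event is used for ..." drops a hedge rather than fixing wording, turning a statement of primary purpose into an absolute one; if this PR is only a contractions pass, keep "mainly" (or "primarily"). The other change in this hunk, "There's no example of this event in this document.", is fine.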
@ -27,7 +27,7 @@ This event generates every time an Active Directory object is modified.
|
||||
|
||||
To generate this event, the modified object must have an appropriate entry in [SACL](/windows/win32/secauthz/access-control-lists): the “**Write”** action auditing for specific attributes.
|
||||
|
||||
For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.
|
||||
For a change operation, you'll typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.
|
||||
|
||||
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
|
||||
|
||||
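Review bot: the rewritten line still lacks its articles in "“Value Deleted” event typically contains previous value and “Value Added” event contains new value."; suggest "The “Value Deleted” event typically contains the previous value, and the “Value Added” event contains the new value." It would also help to say here that the two events share a Correlation ID, since the Security Monitoring Recommendations later in this file tell the reader to correlate on it.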
@ -82,13 +82,13 @@ For a change operation you will typically see two 5136 events for one action, wi
|
||||
|
||||
**Subject:**
|
||||
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
|
||||
|
||||
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify object” operation.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
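Review bot: "Formats vary, and include the following ones:" reads worse than the original "Formats vary, and include the following:"; "ones" is redundant before a list and should be dropped. The contraction changes in "If the SID can't be resolved, you'll see the source data in the event." are fine.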
@ -142,13 +142,13 @@ For a change operation you will typically see two 5136 events for one action, wi
|
||||
|
||||
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
|
||||
|
||||
- Take first 3 sections a6b34ab5-551b-4626.
|
||||
- Take first three sections a6b34ab5-551b-4626.
|
||||
|
||||
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
|
||||
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
|
||||
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
|
||||
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
|
||||
|
||||
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
|
||||
|
||||
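Review bot: changing "Delete - : b54ab3a61b552646b8ee2b36b3ee6672" to "Delete: b54ab3a61b552646b8ee2b36b3ee6672" removes the thing the step deletes; the "-" was the hyphen to strip from b54ab3a6-1b55-2646-b8ee-2b36b3ee6672, not stray punctuation. Suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672" so the step reads like the next one, "Divide bytes with backslashes". The byte-reversal example in the step above (a6b34ab5 becomes b54ab3a6) is consistent with the input GUID, so that step is fine; only "(Invert)" should be lowercase mid-sentence.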
@ -180,7 +180,7 @@ For a change operation you will typically see two 5136 events for one action, wi
|
||||
|
||||
> **Note** [LDAP Display Name](/windows/win32/adschema/a-ldapdisplayname) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol.
|
||||
|
||||
- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes are not represented as objects in the schema, but they are programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined.
|
||||
- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes aren't represented as objects in the schema, but they're programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined.
|
||||
|
||||
| OID | Syntax Name | Description |
|
||||
|----------|--------------------------------------------|----------------------------------------------------------|
|
||||
@ -189,7 +189,7 @@ For a change operation you will typically see two 5136 events for one action, wi
|
||||
| 2.5.5.2 | String(Object-Identifier) | The object identifier. |
|
||||
| 2.5.5.3 | Case-Sensitive String | General String. |
|
||||
| 2.5.5.4 | CaseIgnoreString(Teletex) | Differentiates uppercase and lowercase. |
|
||||
| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Does not differentiate uppercase and lowercase. |
|
||||
| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Doesn't differentiate uppercase and lowercase. |
|
||||
| 2.5.5.6 | String(Numeric) | Printable string or IA5-String. |
|
||||
| 2.5.5.7 | Object(DN-Binary) | Both character sets are case-sensitive. |
|
||||
| 2.5.5.8 | Boolean | A sequence of digits. |
|
||||
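Review bot: the Description column of this table is offset one row from the Syntax Name column, and the hunk only changes "Does not" to "Doesn't" inside it. "2.5.5.8 | Boolean | A sequence of digits." and "2.5.5.6 | String(Numeric) | Printable string or IA5-String." each carry the description that belongs to the row above them: "A sequence of digits" describes String(Numeric), "Printable string or IA5-String" describes 2.5.5.5 String(Printable), String(IA5), and "Teletex. Doesn't differentiate uppercase and lowercase." describes 2.5.5.4 CaseIgnoreString(Teletex). Suggest shifting the descriptions up one row for 2.5.5.4 through 2.5.5.8 while this table is being edited.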
@ -205,7 +205,7 @@ For a change operation you will typically see two 5136 events for one action, wi
|
||||
|
||||
> Table 10. LDAP Attribute Syntax OIDs.
|
||||
|
||||
- **Value** \[Type = UnicodeString\]: the value which was added or deleted, depending on the **Operation\\Type** field.
|
||||
- **Value** \[Type = UnicodeString\]: the value that was added or deleted, depending on the **Operation\\Type** field.
|
||||
|
||||
**Operation:**
|
||||
|
||||
@ -235,4 +235,4 @@ For 5136(S): A directory service object was modified.
|
||||
|
||||
- If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name.
|
||||
|
||||
- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
|
||||
- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
|
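Review bot: "you'll see the new value of attribute" still needs "the attribute", and "correlate to previous ... event" should be "correlate it with the previous ... event". Suggest: "It's better to monitor Operation\Type = Value Added events, because you'll see the new value of the attribute. You can then correlate each one with the preceding Operation\Type = Value Deleted event that has the same Correlation ID to see the previous value."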
@ -76,13 +76,13 @@ This event only generates if the parent object has a particular entry in its [SA
|
||||
|
||||
**Subject:**
|
||||
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
|
||||
|
||||
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create object” operation.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
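Review bot: same redundant "include the following ones:" as in the 5136 Subject hunk; suggest restoring "include the following:".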
@ -136,13 +136,13 @@ This event only generates if the parent object has a particular entry in its [SA
|
||||
|
||||
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
|
||||
|
||||
- Take first 3 sections a6b34ab5-551b-4626.
|
||||
- Take first three sections a6b34ab5-551b-4626.
|
||||
|
||||
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
|
||||
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
|
||||
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
|
||||
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
|
||||
|
||||
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
|
||||
|
||||
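Review bot: same problem as in the 5136 GUID hunk: "Delete - :" named the hyphen that the step removes, and "Delete:" leaves the step without an object; suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672".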
@ -182,4 +182,4 @@ For 5137(S): A directory service object was created.
|
||||
|
||||
- If you need to monitor creation of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all new group policy objects creations: **groupPolicyContainer** class.
|
||||
|
||||
- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There is no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.).
|
||||
- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There's no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.).
|
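Review bot: "auditing access lists (SACLs)" expands the acronym wrongly; SACL is system access control list, so suggest "system access control lists (SACLs)", and "within Active Directory container" needs "an" or "the". The change to "There's no reason" is fine.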
@ -77,13 +77,13 @@ This event only generates if the container to which the Active Directory object
|
||||
|
||||
**Subject:**
|
||||
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
|
||||
|
||||
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** name of account that requested that the object be undeleted or restored.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
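Review bot: same redundant "include the following ones:" as in the 5136 Subject hunk; suggest restoring "include the following:".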
@ -105,7 +105,7 @@ This event only generates if the container to which the Active Directory object
|
||||
|
||||
**Object:**
|
||||
|
||||
- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it.
|
||||
- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will point to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it.
|
||||
|
||||
> **Note** The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
|
||||
>
|
||||
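Review bot: the rewritten line fixes "will points" but keeps the doubled conjunction in "folder, in case if it was restored from it."; suggest "It points to the Active Directory Recycle Bin if the object was restored from there."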
@ -139,13 +139,13 @@ This event only generates if the container to which the Active Directory object
|
||||
|
||||
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
|
||||
|
||||
- Take first 3 sections a6b34ab5-551b-4626.
|
||||
- Take first three sections a6b34ab5-551b-4626.
|
||||
|
||||
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
|
||||
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
|
||||
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
|
||||
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
|
||||
|
||||
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
|
||||
|
||||
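Review bot: same problem as in the 5136 GUID hunk: "Delete - :" named the hyphen that the step removes, and "Delete:" leaves the step without an object; suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672".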
@ -185,4 +185,4 @@ For 5138(S): A directory service object was undeleted.
|
||||
|
||||
- If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor for **Class** field with specific class name.
|
||||
|
||||
- It may be a good idea to monitor all undelete events, because the operation is not performed very often. Confirm that there is a reason for the object to be undeleted.
|
||||
- It may be a good idea to monitor all undelete events, because the operation isn't performed often. Confirm that there's a reason for the object to be undeleted.
|
@ -77,13 +77,13 @@ This event only generates if the destination object has a particular entry in it
|
||||
|
||||
**Subject:**
|
||||
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
|
||||
|
||||
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “move object” operation.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
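Review bot: same redundant "include the following ones:" as in the 5136 Subject hunk; suggest restoring "include the following:".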
@ -139,13 +139,13 @@ This event only generates if the destination object has a particular entry in it
|
||||
|
||||
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
|
||||
|
||||
- Take first 3 sections a6b34ab5-551b-4626.
|
||||
- Take first three sections a6b34ab5-551b-4626.
|
||||
|
||||
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
|
||||
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
|
||||
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
|
||||
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
|
||||
|
||||
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
|
||||
|
||||
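Review bot: same problem as in the 5136 GUID hunk: "Delete - :" named the hyphen that the step removes, and "Delete:" leaves the step without an object; suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672".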
@ -185,4 +185,4 @@ For 5139(S): A directory service object was moved.
|
||||
|
||||
- If you need to monitor movement of Active Directory objects with specific classes, monitor for **Class** field with specific class name.
|
||||
|
||||
- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There is no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.).
|
||||
- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There's no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.).
|
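Review bot: the rewritten line keeps a comma splice in "...all types of Active Directory objects, you need to find the most important locations..."; the 5137 counterpart in this same PR uses a semicolon, so match it: "...objects; find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations...". As in 5137, "auditing access lists (SACLs)" should be "system access control lists (SACLs)".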
@ -78,13 +78,13 @@ This event generates once per session, when first access attempt was made.
|
||||
|
||||
**Subject:**
|
||||
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
|
||||
|
||||
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
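Review bot: same redundant "include the following ones:" as in the 5136 Subject hunk; suggest restoring "include the following:".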
@ -120,7 +120,7 @@ This event generates once per session, when first access attempt was made.
|
||||
|
||||
- ::1 or 127.0.0.1 means localhost.
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access.
|
||||
- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access.
|
||||
|
||||
- 0 for local access attempts.
|
||||
|
||||
@ -134,7 +134,7 @@ This event generates once per session, when first access attempt was made.
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
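Review bot: the word order in "Has always “ReadData (or ListDirectory)” value for this event." (and in the context line "Has always “0x1” value for this event.") was left untouched by the pass; suggest "Always has the value “ReadData (or ListDirectory)” for this event." and "Always has the value “0x1” for this event."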
@ -144,9 +144,9 @@ For 5140(S, F): A network share object was accessed.
|
||||
|
||||
- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event<b>.</b> For example, you could monitor share **C$** on domain controllers.
|
||||
|
||||
- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range.
|
||||
- Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range.
|
||||
|
||||
- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**).
|
||||
- Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**).
|
||||
|
||||
- If you need to monitor access attempts to local shares from a specific IP address (“**Network Information\\Source Address”)**, use this event.
|
||||
|
||||
|
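Review bot: the context line "monitor this event<b>.</b> For example, you could monitor share C$ on domain controllers." carries a stray HTML bold tag around the period; remove it while these lines are being touched. The "isn't" and "shouldn't" changes are fine.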
@ -77,13 +77,13 @@ This event only generates if the deleted object has a particular entry in its [S
|
||||
|
||||
**Subject:**
|
||||
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
|
||||
|
||||
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
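Review bot: same redundant "include the following ones:" as in the 5136 Subject hunk; suggest restoring "include the following:".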
@ -137,13 +137,13 @@ This event only generates if the deleted object has a particular entry in its [S
|
||||
|
||||
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
|
||||
|
||||
- Take first 3 sections a6b34ab5-551b-4626.
|
||||
- Take first three sections a6b34ab5-551b-4626.
|
||||
|
||||
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
|
||||
|
||||
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
|
||||
|
||||
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
|
||||
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
|
||||
|
||||
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
|
||||
|
||||
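Review bot: same problem as in the 5136 GUID hunk: "Delete - :" named the hyphen that the step removes, and "Delete:" leaves the step without an object; suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672".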
@ -193,4 +193,4 @@ For 5141(S): A directory service object was deleted.
|
||||
|
||||
- If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class.
|
||||
|
||||
- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion.
|
||||
- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects that shouldn't be deleted, monitor for their deletion.
|
@ -78,13 +78,13 @@ This event generates every time network share object was modified.
|
||||
|
||||
**Subject:**
|
||||
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
|
||||
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
|
||||
|
||||
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify network share object” operation.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
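Review bot: same redundant "include the following ones:" as in the 5136 Subject hunk; suggest restoring "include the following:".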
@ -120,9 +120,9 @@ This event generates every time network share object was modified.
|
||||
|
||||
<img src="images/advanced-sharing.png" alt="Advanced Sharing illustration" width="300" height="319" />
|
||||
|
||||
- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
|
||||
- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set.
|
||||
|
||||
- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set.
- **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
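Review bot: while the "isn't" edits are being made in this hunk, the unchanged Old MaxUsers line still reads "Limit the number of simultaneous user to:"; the Advanced Sharing dialog label is "Limit the number of simultaneous users to:", so fix the singular in the same pass.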
@ -155,7 +155,7 @@ This event generates every time network share object was modified.
| "AU" | Authenticated users | "LG" | Local guest |
| "BA" | Built-in administrators | "LS" | Local service account |
| "BG" | Built-in guests | "SY" | Local system |
| "BO" | Backup operators | "NU" | Network logon user |
| "BO" | Backup operators | "NU" | Network sign-in user |
| "BU" | Built-in users | "NO" | Network configuration operators |
| "CA" | Certificate server administrators | "NS" | Network service account |
| "CG" | Creator group | "PO" | Printer operators |
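Review bot: the "NU" row in this table lists SDDL reserved SID strings, and the meaning of "NU" (SDDL_NETWORK) in the SDDL reference is "Network logon user"; changing it to "Network sign-in user" breaks the match with the reference this page links to and with the term an analyst will see in other SDDL documentation. The "sign-in" style rule is meant for UI text and prose, not for the documented names of well-known SIDs, so keep "Network logon user" here.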
@ -167,7 +167,7 @@ This event generates every time network share object was modified.
| "DU" | Domain users | "RC" | Restricted code |
| "EA" | Enterprise administrators | "SA" | Schema administrators |
| "ED" | Enterprise domain controllers | "SO" | Server operators |
| "WD" | Everyone | "SU" | Service logon user |
| "WD" | Everyone | "SU" | Service sign-in user |
- *G*: = Primary Group.
- *D*: = DACL Entries.
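Review bot: the "SU" row has the same problem as "NU": "SU" (SDDL_SERVICE) is documented as "Service logon user", and this table exists to map the two-letter SDDL strings to their documented meanings, so "Service sign-in user" should not replace it. Leave the documented name in place.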
@ -187,7 +187,7 @@ Example: D:(A;;FA;;;WD)
"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set.
"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
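Review bot: the rewritten "AI" line, "assuming that "P" Isn't also set", keeps the stray capital I from the original "Is not"; lower-case it to "isn't". The SDDL_PROTECTED line two rows up also has a mismatched quote pair ("P” with a straight opening and a curly closing quote); make both straight so the flag name renders like the others in this list.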
@ -213,7 +213,7 @@ Example: D:(A;;FA;;;WD)
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
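Review bot: the unchanged NP line in this hunk, "only immediate children inherit this ace", lower-cases ACE while the CI and OI descriptions right above it write "the ACE"; capitalize it while the surrounding lines are being touched.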
@ -224,7 +224,7 @@ Example: D:(A;;FA;;;WD)
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
| Value | Description | Value | Description |
|----------------------------|---------------------------------|----------------------|--------------------------|
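Review bot: the reworded rights bullet still says "A hexadecimal string that denotes the access mask or reserved value" and then gives only reserved values (FA, FX, FW) as examples, which misdescribes the field. In SDDL the rights token is either a hexadecimal access mask or one of the reserved two-letter rights strings, so say that directly: "rights: a hexadecimal access mask, or a reserved value such as FA (File All Access), FX (File Execute), or FW (File Write)".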
@ -246,7 +246,7 @@ Example: D:(A;;FA;;;WD)
- object\_guid: N/A
- inherit\_object\_guid: N/A
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
@ -78,13 +78,13 @@ This event generates every time network share object (file or folder) was access
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
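Review bot: "Formats vary, and include the following ones:" on the Account Domain line is an awkward substitute for the original "include the following:"; a list introduced by "the following ones" is not idiomatic. Restore "include the following:" or use "include the following formats:".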
@ -120,7 +120,7 @@ This event generates every time network share object (file or folder) was access
- ::1 or 127.0.0.1 means localhost.
- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access.
- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access.
- 0 for local access attempts.
@ -136,7 +136,7 @@ This event generates every time network share object (file or folder) was access
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
## Table of file access codes
@ -144,10 +144,10 @@ This event generates every time network share object (file or folder) was access
|-----------------------------------------------------------|----------------------------|---------------|
| ReadData (or ListDirectory) | 0x1,<br>%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory. |
| WriteData (or AddFile) | 0x2,<br>%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory. |
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,<br>%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,<br>%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations won't overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA | 0x8,<br>%%4419 | The right to read extended file attributes. |
| WriteEA | 0x10,<br>%%4420 | The right to write extended file attributes. |
| Execute/Traverse | 0x20,<br>%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**  [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
| Execute/Traverse | 0x20,<br>%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**  [access right](/windows/win32/secauthz/access-rights-and-access-masks). For more information, see the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights). |
| DeleteChild | 0x40,<br>%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80,<br>%%4423 | The right to read file attributes. |
| WriteAttributes | 0x100,<br>%%4424 | The right to write file attributes. |
@ -155,7 +155,7 @@ This event generates every time network share object (file or folder) was access
| READ\_CONTROL | 0x20000,<br>%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). |
| WRITE\_DAC | 0x40000,<br>%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. |
| WRITE\_OWNER | 0x80000,<br>%%1540 | The right to change the owner in the object's security descriptor |
| SYNCHRONIZE | 0x100000,<br>%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. |
| SYNCHRONIZE | 0x100000,<br>%%1541 | The right to use the object for synchronization. This right enables a thread to wait until the object is in the signaled state. Some object types don't support this access right. |
| ACCESS\_SYS\_SEC | 0x1000000,<br>%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. |
> <span id="_Ref433878809" class="anchor"></span>Table 13. File access codes.
@ -193,7 +193,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
| "AU" | Authenticated users | "LG" | Local guest |
| "BA" | Built-in administrators | "LS" | Local service account |
| "BG" | Built-in guests | "SY" | Local system |
| "BO" | Backup operators | "NU" | Network logon user |
| "BO" | Backup operators | "NU" | Network sign-in user |
| "BU" | Built-in users | "NO" | Network configuration operators |
| "CA" | Certificate server administrators | "NS" | Network service account |
| "CG" | Creator group | "PO" | Printer operators |
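Review bot: "NU" in this SDDL reserved-string table is SDDL_NETWORK, documented as "Network logon user"; renaming it "Network sign-in user" makes the row disagree with the SDDL reference the page cites and with every other SDDL table a reader will consult. Keep the documented name for well-known SID strings and apply the "sign-in" wording only to ordinary prose.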
@ -205,7 +205,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
| "DU" | Domain users | "RC" | Restricted code |
| "EA" | Enterprise administrators | "SA" | Schema administrators |
| "ED" | Enterprise domain controllers | "SO" | Server operators |
| "WD" | Everyone | "SU" | Service logon user |
| "WD" | Everyone | "SU" | Service sign-in user |
- *G*: = Primary Group.
- *D*: = DACL Entries.
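Review bot: "SU" is SDDL_SERVICE, documented as "Service logon user"; the "Service sign-in user" rewording should be reverted for the same reason as the "NU" row, since this table maps SDDL tokens to their documented meanings rather than describing a UI action.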
@ -225,7 +225,7 @@ Example: D:(A;;FA;;;WD)
"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set.
"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
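Review bot: "assuming that "P" Isn't also set" in the rewritten "AI" line carries over the capital I from "Is not"; it should be "isn't". The "P” token on the SDDL_PROTECTED line above mixes a straight and a curly quote; make them match the straight quotes used for the other flag names.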
@ -251,7 +251,7 @@ Example: D:(A;;FA;;;WD)
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
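Review bot: the unchanged NP line, "only immediate children inherit this ace", should say "ACE" in capitals to match the CI and OI lines immediately above it in this hunk.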
@ -262,7 +262,7 @@ Example: D:(A;;FA;;;WD)
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
| Value | Description | Value | Description |
|----------------------------|---------------------------------|----------------------|--------------------------|
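Review bot: the rights bullet as rewritten still calls the field "A hexadecimal string that denotes the access mask or reserved value" and then lists only reserved values as examples; the SDDL rights token is either a hexadecimal access mask or a reserved two-letter string, and the sentence should say so: "rights: a hexadecimal access mask, or a reserved value such as FA (File All Access), FX (File Execute), or FW (File Write)".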
@ -284,7 +284,7 @@ Example: D:(A;;FA;;;WD)
- object\_guid: N/A
- inherit\_object\_guid: N/A
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
@ -294,9 +294,9 @@ For 5145(S, F): A network share object was checked to see whether client can be
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range.
- Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range.
- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**).
- Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**).
- If you have critical files or folders on specific network shares, for which you need to monitor access attempts (Success and Failure), monitor for specific **Share Information\\Share Name** and **Share Information\\Relative Target Name**.
@ -17,9 +17,9 @@ ms.technology: windows-sec
# 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected.
In most circumstances, this event occurs rarely. It's designed to be generated when an ICMP DoS attack starts or was detected.
There is no example of this event in this document.
There's no example of this event in this document.
***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
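Review bot: "It's designed to be generated when an ICMP DoS attack starts or was detected." mixes present and past tense in the rewritten sentence; write "starts or is detected" so it parallels the 5149 wording in this same commit, "when an ICMP DoS attack ends".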
@ -17,9 +17,9 @@ ms.technology: windows-sec
# 5149(F): The DoS attack has subsided and normal processing is being resumed.
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended.
In most circumstances, this event occurs rarely. It's designed to be generated when an ICMP DoS attack ends.
There is no example of this event in this document.
There's no example of this event in this document.
***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
@ -109,7 +109,7 @@ This event is generated for every received network packet.
- 0.0.0.0 - all IP addresses in IPv4 format
- 127.0.0.1 , ::1 - localhost
- 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the packet.
@ -123,7 +123,7 @@ This event is generated for every received network packet.
- 0.0.0.0 - all IP addresses in IPv4 format
- 127.0.0.1 , ::1 - localhost
- 127.0.0.1, ::1 - localhost
- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to send the packet.
@ -167,20 +167,20 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
- If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
- Check that **Source Address** is one of the addresses assigned to the computer.
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
- If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**.
- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that aren't in the allowlist.
- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
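Review bot: "If you've an allowlist of IP addresses" in the rewritten bullet is not idiomatic; the "you've" contraction works only as an auxiliary ("you've got"), not as the main verb before a noun. Use "If you have an allowlist of IP addresses ...". The other change on that line ("aren't in the allowlist") is fine.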
@ -95,10 +95,10 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
- IPv6 Address
- :: - all IP addresses in IPv6 format
s
- 0.0.0.0 - all IP addresses in IPv4 format
- 127.0.0.1 , ::1 - localhost
- 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application.
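Review bot: the unchanged context line in this hunk that consists only of "s", between ":: - all IP addresses in IPv6 format" and "0.0.0.0 - all IP addresses in IPv4 format", is a stray character in the Source Address list; delete that line here rather than leaving it for another pass.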
@ -112,7 +112,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
**Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you'll get value **0** in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
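Review bot: the rewritten Filter Run-Time ID sentence still says Windows firewall "won't prevent a port from being listened by an application", which reverses subject and object; it is the application that listens on the port. Split the run-on while fixing it: "By default, Windows Firewall doesn't prevent an application from listening on a port. If the application doesn't match any filter, this field has the value 0."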
@ -128,7 +128,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- If you have an “allow list” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
- If you've an “allowlist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
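Review bot: "If you've an “allowlist” of applications" has the same contraction problem as the other monitoring bullets in this commit: "you've" cannot stand as the main verb before a noun. Use "If you have an allowlist of applications ..."; the quotation marks around allowlist can go as well, since the 5152 bullet changed in the same commit uses the word unquoted.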
@ -138,7 +138,7 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
@ -17,7 +17,7 @@ ms.technology: windows-sec
# 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself.
By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system won't generate Event 5155 by itself.
You can add your own filters using the WFP APIs to block listen to reproduce this event: <https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx>.
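Review bot: "In the other word, Windows system won't generate Event 5155 by itself" in the rewritten line should read "In other words, Windows won't generate event 5155 by itself", and the first sentence keeps the inverted phrasing "won't prevent a port from being listened by an application"; it should be "won't prevent an application from listening on a port". Both are on the line being edited, so fix them in this change rather than only the contraction.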
@ -72,7 +72,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
**Application Information**:
- **Process ID** \[Type = Pointer\]: Hexadecimal Process ID (PID) of the process which was permitted to bind to the local port. The PID is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
- **Process ID** \[Type = Pointer\]: Hexadecimal Process ID (PID) of the process that was permitted to bind to the local port. The PID is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
@ -100,7 +100,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
- 0.0.0.0 - all IP addresses in IPv4 format
- 127.0.0.1 , ::1 - localhost
- 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** The port number used by the application.
@ -126,7 +126,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
**Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you will get a 0 value in this field.
- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you'll get a 0 value in this field.
To find a specific Windows Filtering Platform filter by ID, you need to execute the following command: **netsh wfp show filters**. As a result of this command, a **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**), for example:
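Review bot: "Windows firewall won't prevent a port from binding to an application" in the rewritten Filter Run-Time ID line is reversed; applications bind to ports, not the other way round. Write "won't prevent an application from binding to a port", and finish the sentence as "and if the application doesn't match any filter, this field has the value 0".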
@ -134,7 +134,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example:
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As a result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example:
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
@ -109,7 +109,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
- 0.0.0.0 - all IP addresses in IPv4 format
- 127.0.0.1 , ::1 - localhost
- 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** port number from which the connection was initiated.
@ -123,7 +123,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
- 0.0.0.0 - all IP addresses in IPv4 format
- 127.0.0.1 , ::1 - localhost
- 127.0.0.1, ::1 - localhost
- **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
@ -167,20 +167,20 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
- Check that “**Source Address”** is one of the addresses assigned to the computer.
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
- If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist.
- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
|
||||
|
||||
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
|
||||
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
|
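Review bot: the contraction at L1856, "If you've an allowlist of IP addresses", is not idiomatic when "have" is the main verb; keep "If you have an allowlist of IP addresses" (the same pattern is fine in "you'll get value 0" where "have" is an auxiliary). While in this list, the protocol check at L1869 ("anything other than 1, 6, or 17") will flag ordinary ICMPv6 traffic (protocol 58) on IPv6-enabled hosts, which the field descriptions treat as in scope via "::1 - localhost"; consider "anything other than 1, 6, 17, or 58 on IPv6 hosts".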
@ -109,7 +109,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection.
|
||||
|
||||
@ -123,7 +123,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
|
||||
|
||||
@ -167,20 +167,20 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
|
||||
|
||||
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
|
||||
|
||||
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
|
||||
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
|
||||
|
||||
- Check that “**Source Address”** is one of the addresses assigned to the computer.
|
||||
|
||||
- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
|
||||
- If the\` computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
|
||||
|
||||
- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
|
||||
|
||||
- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
|
||||
- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist.
|
||||
|
||||
- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
|
||||
|
||||
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
|
||||
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
|
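Review bot: the stray backtick in "If the\` computer or device shouldn't have access to the Internet" at L1953 survives this edit; since the line is already being rewritten, drop it so the rendered page doesn't show "the`". Same comment as in the 5156 file for L1966: "If you've an allowlist" should be "If you have an allowlist".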
@ -90,7 +90,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
|
||||
**Network Information:**
|
||||
|
||||
- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bind the port.
|
||||
- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bound the port.
|
||||
|
||||
- IPv4 Address
|
||||
|
||||
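Review bot: the new wording at L1999, "local IP address on which application was bound the port", is still ungrammatical; suggest "local IP address to which the application bound the port" (5158 is a bind event, so the application is the actor and the port is the object).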
@ -100,7 +100,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
|
||||
|
||||
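Review bot: the unchanged context line at L2027, "**Source Port** [Type = UnicodeString]: port number which application was bind.", has the same grammar problem as the Source Address field fixed in the previous hunk; since this file is being touched, change it to "port number that the application bound".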
@ -126,7 +126,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
|
||||
**Filter Information:**
|
||||
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you will get value 0 in this field.
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you'll get value 0 in this field.
|
||||
|
||||
To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
|
||||
|
||||
@ -144,7 +144,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
|
||||
|
||||
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
|
||||
|
||||
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
|
||||
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
|
||||
|
||||
@ -152,6 +152,6 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
|
||||
|
||||
- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
|
||||
|
||||
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
|
||||
- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 6 or 17.
|
||||
|
||||
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
|
@ -98,7 +98,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application.
|
||||
|
||||
@ -124,7 +124,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
|
||||
|
||||
**Filter Information:**
|
||||
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you'll get value 0 in this field.
|
||||
|
||||
To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
|
||||
|
||||
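Review bot: "Windows firewall won't prevent a port from binding by an application" at L2134 keeps an awkward passive from the original; suggest "Windows firewall won't prevent an application from binding a port, and if the application doesn't match any filters, you'll get value 0 in this field", which also matches the phrasing used in the 5158 description.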
@ -138,4 +138,4 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
- There is no recommendation for this event in this document.
|
||||
- There's no recommendation for this event in this document.
|
@ -85,7 +85,7 @@ It typically generates when network adapter connects to new wireless network.
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
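Review bot: "Formats vary, and include the following ones:" at L2172 reads worse than the original "include the following:" and is not what the style guide asks for; revert that part of the line and keep only the other edits in this file.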
@ -125,16 +125,16 @@ You can see interface’s GUID using the following commands:
|
||||
|
||||
- **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: <https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx>, <https://technet.microsoft.com/library/cc727747(v=ws.10).aspx>.
|
||||
|
||||
- **Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document.
|
||||
- **Error Code** \[Type = HexInt32\]**:** there's no information about this field in this document.
|
||||
|
||||
- **EAP Reason Code** \[Type = HexInt32\]**:** there is no information about this field in this document. See additional information here: <https://technet.microsoft.com/library/dd197570(v=ws.10).aspx>.
|
||||
- **EAP Reason Code** \[Type = HexInt32\]**:** there's no information about this field in this document. See additional information here: <https://technet.microsoft.com/library/dd197570(v=ws.10).aspx>.
|
||||
|
||||
- **EAP Root Cause String** \[Type = UnicodeString\]**:** there is no information about this field in this document.
|
||||
- **EAP Root Cause String** \[Type = UnicodeString\]**:** there's no information about this field in this document.
|
||||
|
||||
- **EAP Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document.
|
||||
- **EAP Error Code** \[Type = HexInt32\]**:** there's no information about this field in this document.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
For 5632(S, F): A request was made to authenticate to a wireless network.
|
||||
|
||||
- There is no recommendation for this event in this document.
|
||||
- There's no recommendation for this event in this document.
|
@ -25,7 +25,7 @@ ms.technology: windows-sec
|
||||
|
||||
This event generates every time settings from the “Security Settings” section in the group policy object are applied successfully to a computer, without any errors. This event generates on the target computer itself.
|
||||
|
||||
It is a routine event which shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer.
|
||||
It's a routine event that shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer.
|
||||
|
||||
This event generates every time Group Policy is applied to the computer.
|
||||
|
||||
@ -82,7 +82,7 @@ You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet wi
|
||||
|
||||
For 6144(S): Security policy in the group policy objects has been applied successfully.
|
||||
|
||||
- If you have a pre-defined list of Group Policy Objects which contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and in case of any difference trigger an alert.
|
||||
- If you have a pre-defined list of Group Policy Objects that contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and if there's any difference, you must trigger an alert.
|
||||
|
||||
- This event is mostly an informational event.
|
||||
|
||||
|
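Review bot: the rewrite at L2275 changes the meaning of the recommendation: "in case of any difference trigger an alert" was a suggestion, while "if there's any difference, you must trigger an alert" turns it into a requirement. Suggest "then you can compare the list from this event with your list and trigger an alert on any difference".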
@ -25,7 +25,7 @@ ms.technology: windows-sec
|
||||
|
||||
This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself.
|
||||
|
||||
This event generates, for example, if the [SID](/windows/win32/secauthz/security-identifiers) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name.
|
||||
This event generates, for example, if the [SID](/windows/win32/secauthz/security-identifiers) of a security principal which was included in one of the Group Policy settings can't be resolved or translated to the real account name.
|
||||
|
||||
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
|
||||
|
||||
@ -66,7 +66,7 @@ This event generates, for example, if the [SID](/windows/win32/secauthz/security
|
||||
|
||||
***Field Descriptions:***
|
||||
|
||||
**Error Code** \[Type = UInt32\]: specific error code which shows the error which happened during Group Policy processing. You can find the meaning of specific error code here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>. For example, error code 1332 means that “no mapping between account names and security IDs was done”.
|
||||
**Error Code** \[Type = UInt32\]: specific error code that shows the error that happened during Group Policy processing. You can find the meaning of specific error code here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>. For example, error code 1332 means that “no mapping between account names and security IDs was done”.
|
||||
|
||||
**GPO List** \[Type = UnicodeString\]: the list of Group Policy Objects that include “Security Settings” policies, and that were applied with errors to the computer. The format of the list item is: “GROUP\_POLICY\_GUID GROUP\_POLICY\_NAME”.
|
||||
|
||||
@ -80,7 +80,7 @@ You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet wi
|
||||
|
||||
For 6145(F): One or more errors occurred while processing security policy in the group policy objects.
|
||||
|
||||
- This event indicates that Group Policy Objects which were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors.
|
||||
- This event indicates that Group Policy Objects that were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors.
|
||||
|
||||
- If you have a pre-defined list of Group Policy Objects that contain Security Settings and that must be applied to specific computers, check this event to see if errors occurred when the Security Settings were applied. If so, you can review the error codes and investigate the cause of the failure.
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10)
|
||||
description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid.
|
||||
title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. (Windows 10)
|
||||
description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file aren't valid.
|
||||
ms.pagetype: security
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
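Review bot: the title and description at L2368 and L2371 now read "aren't valid", but "Code Integrity determined that the page hashes of an image file are not valid" is the literal message text of event 6281 as logged; contracting it breaks search on the exact event string and no longer matches the Event Viewer text. Keep the event name verbatim in title, description and heading, and apply contractions only to the surrounding prose.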
@ -14,16 +14,16 @@ ms.author: dansimp
|
||||
ms.technology: windows-sec
|
||||
---
|
||||
|
||||
# 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
|
||||
# 6281(F): Code Integrity determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
|
||||
|
||||
|
||||
The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
|
||||
|
||||
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
|
||||
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
|
||||
|
||||
This event generates when [code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
|
||||
This event generates when [code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
|
||||
|
||||
There is no example of this event in this document.
|
||||
There's no example of this event in this document.
|
||||
|
||||
***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
|
||||
|
||||
|
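Review bot: same issue as the front matter: the H1 at L2397 and the body sentence at L2420 contract the logged event text to "aren't valid"; keep "are not valid" wherever the page quotes the event message. Separately, L2420 is missing an article in "This event also generates when signing certificate was revoked"; suggest "when the signing certificate was revoked".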
@ -19,7 +19,7 @@ ms.technology: windows-sec
|
||||
|
||||
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
|
||||
|
||||
There is no example of this event in this document.
|
||||
There's no example of this event in this document.
|
||||
|
||||
***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
|
||||
|
||||
@ -35,4 +35,4 @@ There is no example of this event in this document.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
- There is no recommendation for this event in this document.
|
||||
- There's no recommendation for this event in this document.
|
@ -19,7 +19,7 @@ ms.technology: windows-sec
|
||||
|
||||
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
|
||||
|
||||
There is no example of this event in this document.
|
||||
There's no example of this event in this document.
|
||||
|
||||
***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
|
||||
|
||||
@ -37,4 +37,4 @@ There is no example of this event in this document.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
- There is no recommendation for this event in this document.
|
||||
- There's no recommendation for this event in this document.
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 6407(-) 1%. (Windows 10)
|
||||
description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document.
|
||||
description: Describes security event 6407(-) 1%. This event is a BranchCache event, which is outside the scope of this document.
|
||||
ms.pagetype: security
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
@ -19,7 +19,7 @@ ms.technology: windows-sec
|
||||
|
||||
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
|
||||
|
||||
There is no example of this event in this document.
|
||||
There's no example of this event in this document.
|
||||
|
||||
***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
|
||||
|
||||
@ -35,4 +35,4 @@ There is no example of this event in this document.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
- There is no recommendation for this event in this document.
|
||||
- There's no recommendation for this event in this document.
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10)
|
||||
description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process.
|
||||
title: 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process. (Windows 10)
|
||||
description: Describes security event 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process.
|
||||
ms.pagetype: security
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
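Review bot: the title and description at L2589 and L2592 now say "doesn't meet", but the H1 at L2607 in the same file still reads "Code integrity determined that a file does not meet the security requirements to load into a process", which is the event's logged text. Keep the verbatim message in the title and description as well so the three stay consistent and remain searchable.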
@ -17,11 +17,11 @@ ms.technology: windows-sec
|
||||
# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
|
||||
|
||||
|
||||
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
|
||||
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
|
||||
|
||||
This event generates due to writable [shared sections](/previous-versions/windows/desktop/cc307397(v=msdn.10)) being present in a file image.
|
||||
|
||||
There is no example of this event in this document.
|
||||
There's no example of this event in this document.
|
||||
|
||||
***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
|
||||
|
||||
|
@ -23,9 +23,9 @@ ms.technology: windows-sec
|
||||
|
||||
This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer.
|
||||
|
||||
If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type.
|
||||
If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This user/group addition enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type.
|
||||
|
||||
If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL.
|
||||
If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This SACL (of such a constitution) means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL.
|
||||
This policy setting must be used in combination with the **File System** security policy setting under Object Access. For more information, see [Audit File System](audit-file-system.md).
|
||||
|
||||
## Related topics
|
||||
|
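Review bot: the rewrite at L2662, "This SACL (of such a constitution) means that an audit event is generated", is harder to read than the sentence it replaces; suggest "The combined SACL means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL." Likewise "This user/group addition enables you to define" at L2654 should be "Adding that entry lets you define".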
@ -23,7 +23,7 @@ ms.technology: windows-sec
|
||||
|
||||
This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
|
||||
|
||||
Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced.
|
||||
Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They're stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced.
|
||||
|
||||
Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Monitor claim types (Windows 10)
|
||||
description: Learn how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
|
||||
description: Learn how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.
|
||||
ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
@ -21,11 +21,11 @@ ms.technology: windows-sec
|
||||
# Monitor claim types
|
||||
|
||||
|
||||
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
|
||||
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.
|
||||
|
||||
Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted.
|
||||
|
||||
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic
|
||||
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic
|
||||
Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
|
||||
|
||||
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
|
||||
@ -36,7 +36,7 @@ Access Control in your network, see [Deploy a Central Access Policy (Demonstrati
|
||||
2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
|
||||
3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**.
|
||||
4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**.
5. Select the **Configure the following audit events** check box, select the **Success** check box (andthe **Failure** check box, if desired), and then click **OK**.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
After you configure settings to monitor changes to claim types in AD DS, verify that the changes are being monitored.
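Review bot: the "(and the" typo fix is right, but the navigation path in the unchanged step 4 context, "Double-click **Computer Configuration**, click **Security Settings**", skips the **Policies** > **Windows Settings** nodes that sit between those two when a domain GPO is opened in the Group Policy Management Editor; while this step list is being edited, correct it to "**Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **System Audit Policies** > **DS Access**". In the same list, step 3's "the default domain controller Group Policy Object" would be clearer as the GPO's actual display name, **Default Domain Controllers Policy**, so the reader can find it in the console tree.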
@ -1,6 +1,6 @@
---
title: Monitor resource attribute definitions (Windows 10)
description: Learn how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
description: Learn how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.
ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de
ms.reviewer:
ms.author: dansimp
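Review bot: `ms.reviewer:` in the unchanged front-matter context carries no value; either supply a reviewer alias or drop the empty key rather than shipping a blank metadata field. The `description` edit is fine and matches the "you're" wording used in the page body.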
@ -21,12 +21,12 @@ ms.technology: windows-sec
# Monitor resource attribute definitions
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.
Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md).
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
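Review bot: this hunk contracts "you are" and "have not" but leaves "the operating system that is installed" in the unchanged **Note** line untouched; if the purpose of the pass is consistent contractions, change that to "that's installed" as well (the identical Note appears in the claim-types page earlier in this commit, so both should move together). Otherwise the two rewritten sentences read correctly and the link target is unchanged.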