Configuration Guide for Windows Event Native SmartConnector
Micro Focus Security ArcSight
ArcSight Software Version: 8.2.0
Configuration Guide for Windows Event Native SmartConnector
Document Release Date: May 2021
Software Release Date: May 2021
Legal Notices
Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://www.microfocus.com
Copyright Notice
© Copyright 2021 Micro Focus or one of its affiliates.
Confidential computer software. Valid license from Micro Focus required for possession, use or copying. The information contained herein is subject to change without notice.
The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.
No portion of this product's documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's internal use, without the express written permission of Micro Focus.
Notwithstanding anything to the contrary in your license agreement for Micro Focus ArcSight software, you may reverse engineer and modify certain open source components of the software in accordance with the license terms for those particular components. See below for the applicable terms.
U.S. Governmental Rights. For purposes of your license to Micro Focus ArcSight software, "commercial computer software" is defined at FAR 2.101. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement ("DFARS") and its successors. This U.S. Government Rights Section 18.11 is in lieu of, and supersedes, any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.
Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
https://www.microfocus.com/support-and-services/documentation
Configuration Guide for Windows Event Native SmartConnector
Micro Focus ArcSight (8.2.0) Page 2 of 349
Support
Contact Information
Phone: A list of phone numbers is available on the Technical Support Page: https://softwaresupport.softwaregrp.com/support-contact-information
Support Web Site: https://softwaresupport.softwaregrp.com
ArcSight Product Documentation: https://community.softwaregrp.com/t5/ArcSight-Product-Documentation/ct-p/productdocs
Contents
Configuration Guide for SmartConnector for Microsoft Windows OSs ... 30
Product Overview ... 31
  SmartConnector Features ... 31
    Custom Log Support ... 32
    Event Filtering ... 32
    Globally Unique Identifier (GUID) ... 32
    Host Browsing ... 32
    IPv6 ... 32
    Localization ... 32
  Collect Forwarded Events ... 33
Configuring Windows ... 34
  Enabling Microsoft Windows Event Log Audit Policies ... 34
    Enabling an Auditing Policy on a Local System ... 34
    Setting Up an Audit Policy Within a Domain ... 36
    Setting Up an Audit Policy for a Domain ... 37
  Setting Up Standard User Accounts ... 37
    Standard Domain User Account from Windows Server Domain Controllers ... 38
    Standard Domain User Account from Domain Members ... 38
    Standard Local User Account from Windows Workgroup Hosts ... 39
    Add Security Certifications when Using SSL ... 39
      Example: Windows Server 2012 ... 39
Installing the SmartConnector ... 42
  Installation Prerequisites ... 42
    Supported Operating Systems for Installation ... 42
    System Requirements ... 42
    .NET Requirements ... 42
    Supported Operating Systems for Event Collection ... 42
    Supported Log Parsers ... 42
    Supported Applications ... 43
    Supported System Events ... 43
    Supported Events ... 43
    Use of Active Directory Query for Hosts ... 44
  SmartConnector Setup Scenarios ... 45
  Before you Begin ... 45
    Installation Notes ... 45
    Enabling FIPS at the OS Level ... 46
  Installing and Configuring the SmartConnector ... 46
    Using SSL for Connection (optional) ... 52
  Installing and Configuring Multiple Connector Instances ... 52
Log Sources and Event Mappings ... 54
  Microsoft ADFS ... 54
    Supported Versions ... 54
    Configuring Microsoft ADFS Logs ... 54
    Event Mappings for Microsoft ADFS ... 55
      General ... 55
      Event 299 ... 55
      Event 300 ... 55
      Event 307 ... 56
      Event 403 ... 56
      Event 404 ... 57
      Event 405 ... 57
      Event 406 - Windows Server 2016 ... 58
      Event 406 - Windows Server 2019 ... 58
      Event 410 ... 59
      Event 411 ... 59
      Event 412 ... 60
      Event 413 ... 60
      Event 418 ... 61
      Event 420 ... 61
      Event 424 ... 61
      Event 431 ... 62
      Event 512 ... 62
      Event 513 ... 63
      Event 515 ... 63
      Event 516 ... 63
      Event 1102 ... 64
      Event 1200 ... 64
      Event 1201 ... 64
      Event 1202 ... 65
      Event 1203 ... 65
      Event 1204 ... 65
      Event 1205 ... 65
      Event 1206 ... 65
      Event 1210 ... 65
      Common Mappings for Events 1200, 1201, 1202, 1203, 1204, 1205, 1206 and 1210 ... 66
  Active Directory ... 68
    Audit Active Directory Objects in Windows ... 68
      Configure an Audit Policy Setting for a Domain Controller ... 68
      Configure Auditing for Specific Active Directory Objects ... 69
    Active Directory Event Mappings ... 71
      General Mappings ... 71
      NTDS Database Mappings ... 72
        Event 1000 ... 72
        Event 1394 ... 72
        Event 1404 ... 72
        Event 1844 ... 72
        Event 2064 ... 73
        Event 2065 ... 73
        Event 2886 ... 73
      Windows 2008 NTDS Database Mappings ... 74
        General ... 74
        Event 1000 ... 74
        Event 1394 ... 74
        Event 1404 ... 74
        Event 1844 ... 75
        Event 2064 ... 75
        Event 2065 ... 75
        Event 2886 ... 76
      General NTDS Mappings ... 76
        Event 1000 ... 76
        Event 1004 ... 76
        Event 1104 ... 77
        Event 1126 ... 77
        Event 1308 ... 77
        Event 1394 ... 78
        Event 1463 ... 78
        Event 1844 ... 78
        Event 1863 ... 79
        Event 1864 ... 79
        Event 1869 ... 79
        Event 1898 ... 80
        Event 1925 ... 80
        Event 1926 ... 80
        Event 2013 ... 81
        Event 2014 ... 81
        Event 2041 ... 81
        Event 2064 ... 81
        Event 2087 ... 82
        Event 2088 ... 82
        Event 2092 ... 83
        Event 2886 ... 83
      Windows 2008 General NTDS Mappings ... 84
        Event 1000 ... 84
        Event 1004 ... 84
        Event 1104 ... 84
        Event 1126 ... 85
        Event 1308 ... 85
        Event 1394 ... 85
        Event 1463 ... 86
        Event 1844 ... 86
        Event 1863 ... 86
        Event 1864 ... 87
        Event 1869 ... 87
        Event 1898 ... 87
        Event 1925 ... 88
        Event 1926 ... 88
        Event 2013 ... 88
        Event 2014 ... 89
        Event 2041 ... 89
        Event 2064 ... 89
        Event 2087 ... 90
        Event 2088 ... 90
        Event 2092 ... 91
        Event 2886 ... 91
      NTDS ISAM Mappings ... 92
        Event 102 ... 92
        Event 103 ... 92
        Event 300 ... 92
        Event 301 ... 92
        Event 302 ... 93
        Event 609 ... 93
        Event 611 ... 93
        Event 612 ... 93
        Event 614 ... 94
        Event 626 ... 94
        Event 700 ... 94
        Event 701 ... 94
        Event 702 ... 95
        Event 703 ... 95
        Event 704 ... 95
      Windows 2008 NTDS ISAM Mappings ... 95
        Event 102 ... 95
        Event 103 ... 96
        Event 300 ... 96
        Event 301 ... 96
        Event 302 ... 96
        Event 609 ... 97
        Event 611 ... 97
        Event 612 ... 97
        Event 614 ... 98
        Event 626 ... 98
        Event 700 ... 98
        Event 701 ... 98
        Event 702 ... 99
        Event 703 ... 99
        Event 704 ... 99
      NTDS KCC Mappings ... 99
        Event 1104 ... 99
        Event 1128 ... 100
        Event 1308 ... 100
        Event 1926 ... 101
      Windows 2008 NTDS KCC Mappings ... 101
        Event 1104 ... 101
        Event 1128 ... 101
        Event 1308 ... 102
        Event 1926 ... 102
      Windows 2008 NTDS LDAP Mappings ... 103
        Event 1000 ... 103
        Event 1004 ... 103
        Event 1126 ... 103
        Event 1220 ... 103
        Event 1308 ... 104
        Event 1394 ... 104
        Event 1869 ... 104
        Event 2087 ... 105
        Event 2088 ... 105
        Event 2886 ... 106
        Event 2887 ... 107
      NTDS Replication Mappings ... 107
        Event 1188 ... 107
        Event 1232 ... 108
        Event 1863 ... 108
        Event 2087 ... 109
        Event 2092 ... 109
        Event 2887 ... 110
      Windows 2008 NTDS Replication Mappings ... 110
        Event 1188 ... 110
        Event 1232 ... 111
        Event 1863 ... 111
        Event 2087 ... 112
        Event 2092 ... 112
        Event 2887 ... 113
      NTDS LDAP Mappings ... 113
        1000 ... 113
        1004 ... 113
        1126 ... 114
        1138 ... 114
        1139 ... 114
        1213 ... 114
        1215 ... 115
        1216 ... 115
        1220 ... 115
        1308 ... 115
        1317 ... 116
        1394 ... 116
        1535 ... 116
        1655 ... 117
        1869 ... 117
        2041 ... 117
        2087 ... 118
        2088 ... 118
        2089 ... 119
        2886 ... 120
        2887 ... 121
        2889 ... 121
      Windows 2012/Windows 8 NTDS LDAP Mappings ... 122
        General ... 122
        1000 ... 122
        1004 ... 122
        1126 ... 122
        1138 ... 123
        1139 ... 123
        1213 ... 123
        1215 ... 123
        1216 ... 124
        1220 ... 124
        1308 ... 124
        1317 ... 125
        1394 ... 125
        1535 ... 125
        1655 ... 125
        1869 ... 126
        2041 ... 126
        2087 ... 126
        2088 ... 127
        2089 ... 127
        2886 ... 128
        2887 ... 129
        2889 ... 129
  Local Administrator Password Solution ... 130
    Supported Versions ... 130
    Configuring MS Local Administrator Password Solution ... 130
    Mappings for Microsoft Local Administrator Password Solution ... 131
      Event 5 ... 131
      Event 10 ... 131
      Event 11 ... 131
      Event 12 ... 131
      Event 13 ... 132
      Event 14 ... 132
      Event 15 ... 132
      Event 16 ... 132
  Microsoft Antimalware Logs ... 133
    Supported Versions ... 133
    Mappings for Antimalware ... 133
      Event 1000 ... 133
      Event 1001 ... 134
      Event 1002 ... 134
      Event 1005 ... 135
      Event 1011 ... 135
      Event 1013 ... 136
      Event 1116 ... 136
      Event 1117 ... 137
      Event 1150 ... 139
      Event 2000 ... 139
      Event 2001 ... 140
      Event 2002 ... 140
      Event 2010 ... 141
      Event 2011 ... 141
      Event 3002 ... 142
      Event 5000 ... 142
      Event 5001 ... 142
      Event 5004 ... 142
      Event 5007 ... 143
      Event 5010 ... 143
      Event 5012 ... 143
  Microsoft Windows Defender AntiVirus ... 143
    Supported Versions ... 143
    Microsoft Windows Defender AntiVirus ... 144
    Mappings for Microsoft Windows Defender AntiVirus ... 144
      Event 1000 ... 144
      Event 1001 ... 145
      Event 1002 ... 145
      Event 1009 ... 146
      Event 1011 ... 147
      Event 1013 ... 147
      Event 1015 ... 148
      Event 1116 ... 149
      Event 1117 ... 150
      Event 1150 ... 152
      Event 1151 ... 152
      Event 2000 ... 153
      Event 2001 ... 154
      Event 2002 ... 154
      Event 2010 ... 155
      Event 2011 ... 155
      Event 2030 ... 156
      Event 3002 ... 156
      Event 5000 ... 157
      Event 5001 ... 157
      Event 5004 ... 157
      Event 5007 ... 157
      Event 5010 ... 157
      Event 5012 ... 157
  Microsoft DNS Server Analytics ... 158
    Supported Versions ... 158
    Configuring Microsoft DNS Server Analytic Logs ... 158
    Mappings for Windows 2008 R2 ... 158
      General ... 158
      Event 20088 ... 158
      Event 20106 ... 159
      Event 20184 ... 159
      Event 20249 ... 159
      Event 20252 ... 160
      Event 20255 ... 160
      Event 20258 ... 160
      Event 20266 ... 161
      Event 20271 ... 161
      Event 20272 ... 161
      Event 20274 ... 162
      Event 20275 ... 162
  Microsoft Exchange Mailbox Access Auditing ... 163
    Configuring Mailbox Access Auditing ... 163
      Enabling Mailbox Access Auditing ... 163
      Accessing the Audited Information ... 166
      Changing Default Log Storage Location ... 166
      Excluding Service Accounts ... 167
    Device Event Mapping to ArcSight Fields ... 167
      Exchange Events 10100, 10101 Mappings ... 167
      Exchange Event 10102 Mappings ... 168
      Exchange Events 10104, 10106 Mappings ... 169
  Exchange Online Message Tracking ... 170
    Device Event Mapping to ArcSight Fields ... 170
  Microsoft Exchange Mailbox Store ... 172
    Configuring Mailbox Store Auditing ... 173
      Enabling Mailbox Store ... 173
      Accessing the Audited Information ... 174
      Changing Default Log Storage Location ... 175
      Excluding Service Accounts ... 176
    Device Event Mapping to ArcSight Fields ... 177
      General Exchange Events Mappings ... 177
      Exchange Events 1016 Mappings ... 177
  Microsoft Forefront Protection 2010 ... 178
    Configuring Forefront Protection ... 178
    Device Event Mapping to ArcSight Fields ... 179
      Windows 2008 ... 179
        General ... 179
        Event ID 7000 ... 179
        Event ID 7001 ... 179
        Event ID 7002 ... 180
        Event ID 7003 ... 180
        Event ID 7004 ... 180
        Event ID 7005 ... 180
        Event ID 7006 ... 180
        Event ID 7007 ... 181
        Event ID 7008 ... 181
        Event ID 7010 ... 181
        Event ID 7012 ... 181
        Event ID 7015 ... 181
        Event ID 7018 ... 181
        Event ID 7021 ... 182
        Event ID 7024 ... 182
        Event ID 7025 ... 182
        Event ID 7026 ... 182
        Event ID 7028 ... 182
        Event ID 7033 ... 183
        Event ID 7035 ... 183
        Event ID 7040 ... 183
        Event ID 7044 ... 183
        Event ID 7046 ... 183
        Event ID 7048 ... 183
        Event ID 7051 ... 184
        Event ID 7064 ... 184
      FSC Controller ... 184
        Event ID 1000 ... 184
        Event ID 1001 ... 184
        Event ID 1020 ... 184
        Event ID 1021 ... 185
        Event ID 1022 ... 185
        Event ID 1023 ... 185
        Event ID 1024 ... 185
        Event ID 1025 ... 185
        Event ID 1026 ... 186
        Event ID 1028 ... 186
        Event ID 1037 ... 186
        Event ID 1041 ... 186
        Event ID 1043 ... 186
        Event ID 1044 ... 186
        Event ID 2102 ... 187
        Event ID 5167 ... 187
        Event ID 5183 ... 187
        Event ID 8046 ... 187
        Event ID 8055 ... 187
      FSC Eventing ... 187
        Event ID 1075 ... 187
        Event ID 1076 ... 188
      FSC Manual Scanner ... 188
        Event ID 1045 ... 188
        Event ID 1048 ... 188
        Event ID 1052 ... 188
      FSC Scheduled Scanner ... 188
        Event ID 2080 ... 188
        Event ID 2081 ... 189
        Event ID 3009 ... 189
      FSC Realtime Scanner ... 189
        Event ID 2000 ... 189
        Event ID 2001 ... 189
      FSC Transport Scanner ... 189
        Event ID 2007 ... 189
        Event ID 2008 ... 190
        Event ID 3002 ... 190
      FSC Monitor ... 190
        Event ID 1007 ... 190
        Event ID 1008 ... 190
        Event ID 1013 ... 190
        Event ID 1014 ... 191
      FSE On Demand Nav ... 191
        Event ID 1049 ... 191
        Event ID 1050 ... 191
      FSE Mail Pickup ... 191
        Event ID 1029 ... 191
        Event ID 1030 ... 191
      FSE IMC ... 192
        Event ID 1002 ... 192
        Event ID 1003 ... 192
      FSE VS API ... 192
        Event ID 5066 ... 192
      FSC VSS Writer ... 192
        Event ID 1094 ... 192
        Event ID 1095 ... 192
      Get Engine Files ... 193
        Event ID 2011 ... 193
        Event ID 2012 ... 193
        Event ID 2017 ... 193
        Event ID 2034 ... 193
        Event ID 2109 ... 194
        Event ID 6012 ... 194
        Event ID 6014 ... 194
        Event ID 6019 ... 195
        Event ID 6020 ... 195
  Microsoft Netlogon ... 196
    Supported Versions ... 196
    Configuring Microsoft Netlogon Logs ... 196
    Mappings for Microsoft Netlogon ... 196
      General ... 196
      Event 5827 ... 197
      Event 5828 ... 197
      Event 5829 ... 198
      Event 5830 ... 198
      Event 5831 ... 199
  Microsoft Network Policy Server ... 200
    Supported Versions ... 200
    Configuring NPS Logging ... 200
    Mappings for Network Policy Server ... 201
      Mappings for Windows 2016, 2012 and 8 ... 201
        General ... 201
        Event 13 ... 201
        Event 25 ... 202
        Event 4400 ... 202
        Event 4402 ... 202
        Event 4405 ... 202
      Mappings for Windows 2008 R2 ... 203
        General ... 203
        Event 13 ... 203
        Event 4400 ... 203
        Event 4402 ... 203
        Event 4405 ... 204
  Microsoft Service Control Manager ... 205
    Supported Versions ... 205
    Mappings for Windows 2016, 2012, 8 and 10 ... 205
      General ... 205
      7000 ... 205
      7001 ... 206
      7002 ... 206
      7003 ... 206
      7005 ... 207
      7006 ... 207
      7007 ... 207
      7008 ... 207
      7009 ... 207
      7010 ... 207
      7011 ... 208
      7012 ... 208
      7015 ... 208
      7016 ... 208
      7017 ... 208
      7018 ... 208
      7019 ... 209
      7020 ... 209
      7021 ... 209
      7022 ... 209
      7023 ... 209
      7024 ... 210
      7025 ... 210
      7026 ... 210
      7027 ... 210
      7028 ... 210
      7030 ... 211
      7031 ... 211
      7032 ... 211
      7033 ... 211
      7034 ... 212
      7035 ... 212
      7036 ... 212
      7037 ... 212
      7038 ... 213
      7039 ... 213
      7040 ... 213
      7041 ... 214
      7042 ... 214
      7043 ... 214
      7045 ... 215
  Microsoft SQL Server Audit ... 216
    Supported Versions ... 216
    Configuring SQL Server Audit ... 216
    Customizing Event Source Mapping ... 217
    Microsoft SQL Server Audit Application Event Log Mappings ... 217
      General ... 217
      Event 615 ... 217
      Event 849 ... 217
      Event 852 ... 217
      Event 919 ... 218
      Event 958 ... 218
      Event 1486 ... 218
      Event 1814 ... 218
      Event 1945 ... 219
      Event 2007 ... 219
      Event 2812 ... 219
      Event 3406 ... 220
      Event 3407 ... 220
      Event 3408 ... 220
      Event 3421 ... 220
      Event 3454 ... 221
      Event 5084 ... 221
      Event 5579 ... 221
      Event 5701 ... 222
      Event 5703 ... 222
      Event 6253 ... 222
      Event 6527 ... 222
      Event 8128 ... 223
      Event 9013 ... 223
      Event 9666 ... 223
      Event 9688 ... 223
      Event 9689 ... 223
      Event 10981 ... 224
      Event 12288 ... 224
      Event 12291 ... 224
      Event 15268 ... 224
      Event 15457 ... 224
      Event 15477 ... 225
      Event 17069 ... 225
      Event 17101 ... 225
      Event 17103 ... 225
      Event 17104 ... 225
      Event 17107 ... 226
      Event 17108 ... 226
      Event 17110 ... 226
      Event 17111 ... 226
      Event 17115 ... 226
      Event 17125 ... 227
      Event 17126 ... 227
      Event 17136 ... 227
      Event 17137 ... 227
      Event 17147 ... 228
      Event 17148 ... 228
      Event 17152 ... 228
      Event 17162 ... 228
      Event 17164 ... 229
      Event 17176 ... 229
      Event 17177 ... 229
      Event 17199 ... 230
      Event 17201 ... 230
      Event 17550 ... 230
      Event 17551 ... 230
      Event 17561 ... 231
      Event 17656 ... 231
      Event 17658 ... 231
      Event 17663 ... 231
      Event 17811 ... 231
      Event 18453 ... 232
      Event 18454 ... 232
      Event 18456 ... 232
      Event 18488 ... 233
      Event 18496 ... 233
      Event 19030 ... 233
      Event 19031 ... 233
      Event 19032 ... 234
      Event 26018 ... 234
      Event 26022 ... 234
      Event 26037 ... 234
      Event 26048 ... 235
      Event 26067 ... 235
      Event 26076 ... 235
      Event 30090 ... 236
      Event 33090 ... 236
      Event 33204 ... 236
      Event 33205 ... 236
      Event 33217 ... 237
      Event 33218 ... 238
      Event 49903 ... 238
      Event 49904 ... 238
      Event 49910 ... 238
      Event 49916 ... 238
      Event 49917 ... 239
  Microsoft Sysmon ... 240
    Supported Versions ... 240
    Configuring Microsoft Sysmon Logs ... 240
    Mappings for Microsoft Sysmon Logs ... 241
      General ... 241
      Event 1 ... 241
      Event 2 ... 242
      Event 3 ... 242
      Event 4 ... 243
      Event 5 ... 243
      Event 6 ... 244
      Event 7 ... 244
      Event 8 ... 245
      Event 9 ... 245
      Event 10 ... 245
      Event 11 ... 246
      Event 12 ... 246
      Event 13 ... 247
      Event 14 ... 247
      Event 15 ... 248
      Event 16 ... 248
      Event 17 ... 249
      Event 18 ... 249
      Event 19 ... 249
      Event 20 ... 250
      Event 21 ... 250
      Event 22 ... 251
      Event 23 ... 251
      Event 255 ... 252
  User 32 Service ... 253
    Supported Versions ... 253
    Configuring Remote Access ... 253
    Mappings for Windows 2008 R2 ... 253
      General ... 253
      Event 1074 ... 254
  Microsoft Windows AppLocker ... 255
    Supported Versions ... 255
    Configuring Microsoft Windows AppLocker ... 255
    Mappings for Microsoft Windows AppLocker ... 255
      Event 8001 ... 255
      Event 8002 ... 256
      Event 8003 ... 256
      Event 8004 ... 257
      Event 8005 ... 257
      Event 8006 ... 258
      Event 8007 ... 258
  Microsoft Windows ESENT ... 259
    Supported Versions ... 259
    Mappings for Microsoft Windows ESENT Logs ... 259
      General ... 259
      Event Id 102 ... 259
      Event Id 103 ... 260
      Event Id 105 ... 260
      Event Id 224 ... 260
      Event Id 225 ... 260
      Event Id 300 ... 261
      Event Id 301 ... 261
      Event Id 302 ... 261
      Event Id 325 ... 261
      Event Id 326 ... 262
      Event Id 327 ... 262
      Event Id 330 ... 262
      Event Id 335 ... 263
      Event Id 455 ... 263
      Event Id 641 ... 263
  Microsoft Windows BITS Client Logs ... 264
    Supported Versions ... 264
    Mappings for Microsoft Windows BITS Client ... 264
      General ... 264
      Event ID 3 ... 264
      Event ID 4 ... 265
      Event ID 59 ... 265
      Event ID 60 ... 266
      Event ID 61 ... 267
  Microsoft Windows Event ... 268
    Supported Versions ... 268
    Configuring Windows Update Client ... 268
  Windows Update Client ... 269
    Supported Versions ... 269
    Configuring Windows Update Client ... 269
    Mappings for Windows-WindowsUpdateClient ... 270
      General ... 270
      Event 16 ... 270
      Event 17 ... 270
      Event 18 ... 270
      Event 19 ... 271
      Event 20 ... 271
      Event 21 ... 271
      Event 22 ... 272
      Event 27 ... 272
      Event 28 ... 272
      Event 43 ... 272
      Event 44 ... 272
  Microsoft Windows WMI Activity Trace ... 274
    Supported Versions ... 274
    Mappings for Microsoft Windows WMI Activity Trace ... 274
      Event 11 ... 274
  Microsoft Windows WMI Analytic and Operational ... 276
    Supported Versions ... 276
    Mappings for WMI Analytics Operations ... 276
      Mappings for Microsoft Windows WinRM Analytic ... 276
        Event 788 ... 276
        Event 789 ... 277
        Event 1050 ... 277
        Event 1295 ... 277
      Mappings for Microsoft Windows WinRM Operational ... 277
        Event 6 ... 277
        Event 11 ... 278
        Event 15 ... 278
        Event 142 ... 278
        Event 161 ... 278
        Event 162 ... 279
        Event 169 ... 279
        Event 81 ... 279
        Event 82 ... 279
  Microsoft WINS Server ... 280
    Supported Versions ... 280
    Configuring WINS ... 280
    Windows 2016, 2012 and 8 ... 281
      General ... 281
      4097 ... 281
      4098 ... 281
      4119 ... 281
      4143 ... 282
      4178 ... 282
      4179 ... 282
      4180 ... 282
      4181 ... 282
      4224 ... 283
      4252 ... 283
      4253 ... 283
      4309 ... 283
      4318 ... 283
      4325 ... 283
      4326 ... 284
      4329 ... 284
      4330 ... 284
      4337 ... 284
      5001 ... 284
      5002 ... 284
  Oracle Audit ... 285
    Configuring Auditing ... 285
      Enabling Auditing ... 285
      Auditing Administrative Users ... 285
    Device Event Mapping to ArcSight Fields ... 286
      Oracle Windows Event Log Mappings to ArcSight ESM Fields ... 286
        Event ID 4 ... 286
        Event ID 5 ... 286
        Event ID 8 ... 286
        Event ID 12 ... 287
      Oracle Audit SYSDBA Event Mappings to ArcSight ESM Fields ... 287
        Event ID 34 ... 287
      Oracle Audit Trail Event Mappings to ArcSight ESM Fields ... 288
        Event ID 34 ... 288
      Oracle Unified Audit Trail Event Mappings to ArcSight ESM Fields ... 289
        Event ID 36 ... 289
  PowerShell ... 290
    Configuring Auditing for Specific PowerShell Objects ... 290
    Mappings for PowerShell Events ... 292
      General Mappings ... 292
      Windows PowerShell Mappings ... 292
        Event 400, 403 ... 292
        Event 500, 501 ... 293
        Event 600 ... 293
        Event 800 ... 294
      Windows Microsoft-Windows-PowerShell/Operational Mappings ... 295
        Event 4100 ... 295
        Event 4103 ... 295
        Event 4104 ... 296
        Event 4105 ... 296
        Event 8193 ... 297
        Event 8194 ... 297
        Event 8195 ... 297
        Event 8196, 12039 ... 297
        Event 8197 ... 298
        Event 24577 ... 298
        Event 24579 ... 298
        Event 24580 ... 298
        Event 24581 ... 298
        Event 24582 ... 299
        Event 24583 ... 299
        Event 24584 ... 299
        Event 24592 ... 299
        Event 24593 ... 299
        Event 24594 ... 299
        Event 24595 ... 300
        Event 24596 ... 300
        Event 24597 ... 300
        Event 24598 ... 300
        Event 24599 ... 301
        Event 40961 ... 301
        Event 40962 ... 301
        Event 53249 ... 301
        Event 53250 ... 301
        Event 53504 ... 302
  Remote Access ... 303
    Supported Versions ... 303
    Configuring Remote Access ... 303
    Mappings for Remote Access Events ... 303
      Mappings for Windows 2016, 2012, 2012 R2, 8 and 10 ... 304
        General ... 304
        20088 ... 304
        20106 ... 304
        20169 ... 304
        20184 ... 305
        20249 ... 305
        20252 ... 305
        20255 ... 306
        20258 ... 306
        20266 ... 306
        20271 ... 307
        20272 ... 307
        20274 ... 308
        20275 ... 308
      Mappings for Windows 2008 R2 ... 309
        General ... 309
        Event 20088 ... 309
        Event 20106 ... 309
        Event 20184 ... 309
        Event 20249 ... 310
        Event 20252 ... 310
        Event 20255 ... 310
        Event 20258 ... 311
        Event 20266 ... 311
        Event 20271 ... 311
        Event 20272 ... 312
        Event 20274 ... 312
        Event 20275 ... 313
Collecting Forwarded Events ... 314
  Event Collector for Windows Event Forwarding ... 314
  Source Hosts Windows OS Version ... 314
Additional Connector Configurations ... 317
  Configuring Custom Logs and Filtering ... 317
    Configuring Filter ... 318
    Specifying Custom Log Names ... 319
    Configuring the Host Browsing Thread Sleep Time ... 320
    Creating a Source Hosts File ... 321
    Collecting Events from the Event Log ... 321
  Configuring Advanced Options ... 323
    Accessing Advanced Parameters ... 323
    Advanced Container Configuration Properties ... 323
    Advanced Common Configuration Parameters ... 324
    Advanced Configuration Parameters per Host ... 325
    Advanced Configuration Parameters for SID and GUID Translation ... 325
  Customizing Event Source Mapping ... 325
    Creating an Override Map File ... 326
    Customizing Event Parsing in a Clustered Environment ... 326
  Creating Custom Parsers for System and Application Events ... 328
    Before Creating a Parser ... 328
    Creating and Deploying Your Own Parser ... 329
  Customizing Localization Support for the Native Connector ... 333
Troubleshooting ... 336
  Parameters not functioning as expected ... 336
  Log message for resource adjustment ... 336
  A Non-administrator User Is Unable to Run Windows Native Connector and the Log File Has Permission Error ... 336
Appendix A: Types of Internal Events ... 338
  Specific Windows Security Event Mappings ... 338
    General ... 338
    104 ... 338
    1100 ... 339
    1101 ... 339
    1102 ... 339
    1104 ... 339
    1105 ... 339
  Collector Connected ... 340
  Collector Disconnected ... 340
  Collector Down ... 341
  Collector Configuration Accepted ... 341
    Collector Status for "Collector Configuration Accepted" ... 341
    Host Status for "Collector Configuration Accepted" ... 342
    Event Log Status for "Collector Configuration Accepted" ... 342
  Collector Status Updated ... 343
    Collector Status for "Collector Status Updated" ... 343
    Host Status for "Collector Status Updated" ... 343
    Event Log Status for "Collector Status Updated" ... 344
  Collector Event Collection Started ... 344
    Collector Status for "Collector Collection Started" ... 344
    Host Status for "Collector Collection Started" ... 345
    Event Log Status for "Collector Collection Started" ... 345
  Collector Up ... 346
Appendix B: Microsoft Windows Event Log Native Connector and Unified Features Comparison ... 347
  Windows Event Log - Native and Unified Connector Features ... 347
  SmartConnector for Windows Event Log - Native Limitations ... 348
Send Documentation Feedback ... 349
Configuration Guide for SmartConnector for Microsoft Windows OSs
ArcSight SmartConnectors intelligently collect a large amount of heterogeneous raw event data from security devices in an enterprise network, process the data into ArcSight security events, and transport the data to destination devices.
To collect events from Microsoft Windows OSs, use the ArcSight SmartConnector for Windows Event Log - Native, which supports event collection from log sources such as Sysmon and PowerShell.
This guide provides a high-level overview of the ArcSight SmartConnector for Windows Event Log - Native.
Intended Audience
This guide provides information for IT administrators who are responsible for managing the ArcSight SmartConnectors.
Additional Documentation
The ArcSight SmartConnectors documentation library includes the following resources:
• Installation Guide for ArcSight SmartConnectors, which provides detailed information about installing SmartConnectors.
• Configuration Guides for ArcSight SmartConnectors, which provide information about configuring SmartConnectors to collect events from different sources.
• Release Notes for ArcSight SmartConnectors, which provide information about the latest release.
For the most recent version of this guide and other ArcSight SmartConnector documentation resources, visit the documentation site for ArcSight SmartConnectors.
Contact Information
We want to hear your comments and suggestions about this book and the other documentation included with this product. You can use the "comment on this topic" link at the bottom of each page of the online documentation, or send an email to Documentation-Feedback@microfocus.com.
For specific product issues, contact Micro Focus Customer Care.
Product Overview
The SmartConnector for Microsoft Windows Event Log - Native can connect to local or remote machines, inside a single domain or from multiple domains, to retrieve events from all types of event logs. It can collect events from
ArcSight SmartConnectors provide easy, scalable, audit-quality collection of all logs from all event-generating sources across the enterprise, for real-time and forensic analysis. The connector is optimized for a large number of hosts.
The infrastructure provided with the SmartConnector for Microsoft Windows Event Log - Native (Windows Event Log - Native) has been improved to deliver critical features such as Operational Windows Event Logs, and event collection and event filtering from IPv6 hosts. It leverages the native technology on the Microsoft platform and provides the best support for Windows event features and capabilities (including collection for all log types).
Security events are not audited by default. You must specify the type of security events to be audited.
The default Windows event logs are of the following types:
• Application log (tracks events that occur in a registered application)
• Security log (tracks security changes and possible breaches in security)
• System log (tracks system events)
The connector consists of the following major components:
• A SmartConnector framework-based event processor
• The Windows API application, which collects events from Microsoft Windows Event Logs
• A Message Queue that facilitates communication between the previous two components
The Windows API event collection and the Message Queue are started by the connector at the time of connector setup and at the start of the connector process.
For SmartConnector security event mappings to ArcSight data fields, see SmartConnector for Microsoft Windows Event Log - Native Windows Security Event Mappings.
SmartConnector Features
SmartConnector capabilities include real-time event collection and processing, as well as data enrichment (normalization, categorization, Common Event Format (CEF), aggregation and filtering) and efficiency (caching, batching, compression and bandwidth management). For more information about SmartConnector capabilities in general, see SmartConnector Features. Specific features of the Windows Event Log - Native connector are described in the following sections.
Custom Log Support
Event collection from non-administrative, operational, or custom logs is provided.
Event Filtering
Filters that apply at the time of event collection, from the event source to the connector, are supported. With this support, events in which you have no interest can be filtered out, making better use of resources.
Globally Unique Identifier (GUID)
Supports translation and mapping of the GUID (also known as UUID) within a forest. (A forest is a complete instance of Active Directory.) The connector can perform GUID translation for GUIDs within a forest by querying the Global Catalog Server; the Active Directory parameters are used for the Global Catalog Server. The connector is not configured to translate GUIDs by default. See "Advanced Configuration Parameters for SID and GUID Translation" for more information about enabling GUID translation. Global Catalog and Active Directory must be on the same machine.
Host Browsing
Host browsing is used when hosts are added during installation using Active Directory. A notification is sent to a destination when a new host is added to Active Directory.
IPv6
Supports event collection from IPv6 hosts and parsing of IPv6 events.
Localization
The Windows Event Log - Native connector supports security event localization for the following languages:
Language Locale Encoding
French fr_CA UTF-8
Japanese ja_JP Shift_JIS
Chinese Simplified zh_CN GB2312
Chinese Traditional zh_TW Big5
The locale and encoding can be specified for the eventname field during SmartConnector installation. See Configuring Multiple Host Parameters. For localization of other languages, see Customizing Localization Support for the Native Connector.
Collect Forwarded Events
The connector has the ability to read events forwarded to a Windows Event Collector host. Windows Event Collection is a Microsoft capability that lets a Windows host collect events from multiple sources. Collecting forwarded events is different from traditional event collection because the events are collected from multiple sources.
With Microsoft Windows Event Collector (WEC), you can subscribe to receive and store events on a local computer (event collector) that are forwarded from any number of remote computers (event sources). Before using this feature, refer to the Microsoft Windows documentation to learn more about Windows Event Collector functionality. To configure the connector to collect forwarded events, see Collecting Forwarded Events.
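Before pointing the connector at a collector host, it is worth confirming that the logs it will read actually exist and are enabled, and that the Windows Event Collector service is running. The following PowerShell script is an added example, not part of the ArcSight guide or the product; it reports on the three default logs named in the Product Overview and on the ForwardedEvents log that WEC writes to. The log names, the Wecsvc service name and the wecutil.exe tool are standard Windows names; the minimum log size used as a threshold is this example's own assumption.

```powershell
# Added example (not from the ArcSight guide). Run from an elevated PowerShell
# session on the host that will act as the Windows Event Collector.

$logsToCheck  = 'Application', 'Security', 'System', 'ForwardedEvents'
$minSizeBytes = 64MB   # assumption: smaller logs tend to roll over before a collector reads them

foreach ($name in $logsToCheck) {
    # Get-WinEvent -ListLog returns the log's configuration, not its events
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Log '$name' is not present on this host"
        continue
    }
    $state    = if ($log.IsEnabled) { 'enabled' } else { 'DISABLED' }
    $sizeNote = if ($log.MaximumSizeInBytes -lt $minSizeBytes) { 'size below threshold' } else { 'size ok' }
    '{0,-16} {1,-9} {2,9:N0} KB {3,10:N0} records  {4}' -f $name, $state, ($log.MaximumSizeInBytes / 1KB), $log.RecordCount, $sizeNote
}

# Forwarded events only arrive while the Windows Event Collector service (Wecsvc) runs.
$wec = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
if (-not $wec) {
    Write-Warning 'Wecsvc (Windows Event Collector) service not found on this host'
} elseif ($wec.Status -ne 'Running') {
    Write-Warning "Wecsvc is $($wec.Status); forwarded events will not be collected"
} else {
    'Wecsvc is running'
    # wecutil.exe is the built-in WEC management tool; "es" enumerates subscriptions.
    $subs = & wecutil.exe es 2>$null
    if ($subs) { "Subscriptions: $($subs -join ', ')" } else { 'No WEC subscriptions defined yet' }
}
```

A disabled ForwardedEvents log, or a stopped Wecsvc, means the source hosts may be forwarding correctly and the connector will still see nothing, so check both before troubleshooting the connector itself.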
Configuring Windows
You must enable the appropriate auditing policies on the Windows servers from which the connector collects information, and also set up standard user accounts. This section has the following information.
Enabling Microsoft Windows Event Log Audit Policies
Because the event information generated by Windows servers depends on the auditing policies that are enabled, make sure that the appropriate auditing policies are enabled on the Windows servers from which the connector collects information. By default, none of the Windows auditing features are enabled.
Auditing events consumes system resources such as memory, processing power and disk space. Auditing an excessive number of events can dramatically slow down your servers.
Note: You must be logged on as an administrator or a member of the Administrators group to set up audit policies. If your computer is connected to a network, network policy settings might also prevent you from setting up audit policies.
The method used to create an audit policy varies depending on whether the policy is being created on a member server, a domain controller or a stand-alone server.
- To configure a domain controller, member server or workstation, use Active Directory Users and Computers.
- To configure a system that does not participate in a domain, use Local Security Settings.
This section has the following information.
Enabling an Auditing Policy on a Local System
To establish an audit policy on a local system:
1. Select Start > Control Panel > Administrative Tools > Local Security Policy.
2. Double-click Local Policies in the Security Settings tree to expand it.
3. Select Audit Policy from the tree. Doing so reveals the auditing information for that system.
4. To enable auditing for any of the areas, double-click the type of audit. A dialog box is displayed that lets you choose to perform a Success or a Failure audit (or both) on that type of event.
Note: To audit objects such as the Registry, printers, files or folders, select the Object Access option. Otherwise, when you attempt to enable auditing for these objects, an error is displayed instructing you to make the necessary adjustments to the local audit policy (or, in a domain environment, to the domain audit policy).
After you have enabled auditing, go through the system and fine-tune the type of events that will be audited in each category.
Setting Up an Audit Policy Within a Domain
To set up an audit policy for a domain controller:
1. Choose Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. Navigate through the console tree to the domain you want to work with and expand the domain.
3. Beneath the domain you will see a Computers object and a Domain Controllers object. Select the appropriate object for your system and right-click Domain Controllers. The Domain Controllers properties sheet is displayed.
4. Select the Group Policy tab. Select the group policy to which you want to apply the audit policy and click Edit.
5. Navigate through the tree to Default Domain Controllers Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
6. When you select Audit Policy, a list of audit events is displayed in the right pane. To audit a group of events, double-click the group; a dialog box is displayed that lets you enable Success, Failure or both audits for that group of events.
After enabling auditing for a group of events, fine-tune the exact events you want to audit.
Setting Up an Audit Policy for a Domain
To set up auditing for all computers under a domain:
1. Click Start > Administrative Tools > Domain Security Policy.
2. Open Default Domain Security Settings.
3. Expand Security Settings if it is not already open.
4. Expand Local Policies and double-click Audit Policy. A list of audit events is displayed in the right pane.
5. To audit a group of events, double-click the group; a dialog box is displayed that lets you enable Success, Failure or both audits for that group of events.
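As an added example that is not part of the ArcSight guide, the same result as the three GUI procedures above on a local host, applied and verified from an elevated PowerShell with auditpol.exe. The subcategory list is an assumption: a starting point chosen for typical security monitoring, not something the guide prescribes. It also checks a caveat the GUI steps do not mention: advanced (subcategory) settings only take precedence over the legacy category policy when the "Audit: Force audit policy subcategory settings ... to override audit policy category settings" option is enabled, otherwise a category-level GPO can silently undo what you set here.

```powershell
# Added example (not from the ArcSight guide). Run in an elevated PowerShell.

# Assumed starting set of subcategories; tune to what the connector should collect.
$Subcategories = @(
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
    'User Account Management', 'Security Group Management',
    'Process Creation', 'Audit Policy Change', 'Sensitive Privilege Use'
)

function Set-MinimalAuditPolicy {
    param([string[]]$Names = $Subcategories)
    foreach ($name in $Names) {
        # Success and Failure for each subcategory; auditpol exits non-zero on an unknown name
        & auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$name'" }
    }
}

function Test-AuditPolicy {
    # "/get /category:* /r" prints CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    param([string[]]$Names = $Subcategories)
    $current = & auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $problems = foreach ($name in $Names) {
        $row = $current | Where-Object { $_.Subcategory -eq $name }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        if ($setting -ne 'Success and Failure') {
            [pscustomobject]@{ Subcategory = $name; InclusionSetting = $setting }
        }
    }
    return @($problems)   # empty when every requested subcategory audits Success and Failure
}

function Test-SubcategoryOverride {
    # The "force subcategory settings to override category settings" policy is stored as
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy = 1.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

Set-MinimalAuditPolicy
$bad = Test-AuditPolicy
if ($bad.Count) { $bad | Format-Table -AutoSize } else { 'audit policy verified' }
if (-not (Test-SubcategoryOverride)) {
    Write-Warning 'Subcategory override is not enforced; a conflicting legacy category policy (for example via GPO) can undo these settings.'
}
```

Test-AuditPolicy is worth re-running after the next Group Policy refresh on a domain member: if the settings have reverted, a domain GPO is managing audit policy and the change must be made there (the "Within a Domain" and "for a Domain" procedures above) rather than locally.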
Setting Up Standard User Accounts
The connector does not require domain administrator privileges to collect Security events from Windows hosts. Membership of the Event Log Readers group is required for System and custom Application event collection, including Forwarded Events collection.
To configure the SmartConnector for Microsoft Windows Event Log - Native to use a standard user account to collect Security events only from the target hosts, follow the steps provided in the following sections.
These steps describe how to configure and assign the privileges by creating a single user account, such as arcsight. You can also create a group of users instead and follow the same steps, assigning all the minimum privileges to the user group instead of the single user.
Note: Sometimes, although you have assigned the appropriate privileges to the standard user, other policies in your environment can prevent the account from reading the security event logs. Start by checking Settings > Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options. Many security policies there may need investigation, but one to check right away is Network access: Sharing and security model for local accounts. Make sure it is set to Classic - local users authenticate as themselves.
Standard Domain User Account from Windows Server Domain Controllers
On the Windows Server Domain Controller:
1. Go to Settings > Control Panel > Administrative Tools > Active Directory Users and Computers > <Domain of interest> > Users.
2. Create a new Domain User, such as arcsight.
3. Go to Settings > Control Panel > Administrative Tools > Active Directory Users and Computers > <Domain of interest> > Builtin.
4. Open the properties of the security principal Event Log Readers.
5. On the Members tab, add the new Domain User arcsight to this security principal.
6. This change can take some time to take effect. To apply Group Policy immediately, run this command at a command prompt on the Windows Server Domain Controller and on the Windows domain member:
gpupdate /force
This command applies any modifications you have made to any group policy, not just this one.
Standard Domain User Account from Domain Members
On the Windows Server Domain Controller:
1. Go to Settings > Control Panel > Administrative Tools > Active Directory Users and Computers > <Domain of interest> > Users.
2. Create a new Domain User, such as arcsight.
3. Go to Settings > Control Panel > Administrative Tools > Group Policy Management > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
4. Open the Manage auditing and security log policy.
5. Enable Define these policy settings and add the new Domain User arcsight to this policy.
6. This Group Policy can take some time to take effect. To apply it immediately, run this command at a command prompt on the Windows Server Domain Controller and on the Windows domain member:
gpupdate /force
Note: This command applies modifications to any group policy you have made, not just this one.
Standard Local User Account from Windows Workgroup Hosts
On the Windows workgroup host:
1. Go to Settings > Control Panel > Administrative Tools > Computer Management > System Tools > Local Users and Groups > Users.
2. Create a new Local User, such as arcsight.
3. Go to Settings > Control Panel > Administrative Tools > Computer Management > System Tools > Local Users and Groups > Groups.
4. Open the Event Log Readers group and add the new Local User arcsight to this group.
5. Go to Settings > Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options.
6. Open the Network access: Sharing and security model for local accounts policy.
7. Set this policy to the option Classic - local users authenticate as themselves.
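The account setup from the three procedures above, as an added example that is not part of the ArcSight guide: create the collection account with only Event Log Readers membership (locally on a workgroup host, or in the domain with the ActiveDirectory module), check the "Network access: Sharing and security model for local accounts" setting the note above calls out, and then prove the account can read the Security log over the network, which is the access path the connector actually uses. The account name arcsight follows the guide; the password prompt and the target host name are assumptions.

```powershell
# Added example (not from the ArcSight guide). Run in an elevated PowerShell.

function New-CollectorAccount {
    param(
        [string]$Name = 'arcsight',
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$Domain    # on a DC (or a host with the ActiveDirectory RSAT module): create a domain user instead
    )
    if ($Domain) {
        Import-Module ActiveDirectory -ErrorAction Stop
        if (-not (Get-ADUser -Filter "sAMAccountName -eq '$Name'")) {
            New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $Password -Enabled $true
        }
        # Builtin\Event Log Readers, as in the guide's domain controller steps; no admin rights involved
        Add-ADGroupMember -Identity 'Event Log Readers' -Members $Name
    } else {
        if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
            New-LocalUser -Name $Name -Password $Password | Out-Null
        }
        if (-not (Get-LocalGroupMember -Group 'Event Log Readers' -Member $Name -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group 'Event Log Readers' -Member $Name
        }
    }
}

function Test-ClassicLocalAccountModel {
    # "Network access: Sharing and security model for local accounts" is stored as
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest: 0 = Classic, 1 = Guest only.
    # Guest only maps remote local-account logons to Guest, which cannot read the Security log.
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').ForceGuest
    return ($v -eq 0)
}

function Test-SecurityLogRead {
    # Remote Security-log read as the collection account, the same thing the connector does.
    # The target needs the "Remote Event Log Management" firewall rule group enabled.
    param([string]$ComputerName, [pscredential]$Credential)
    try {
        $null = Get-WinEvent -LogName 'Security' -MaxEvents 1 -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "$ComputerName : $($_.Exception.Message)"
        return $false
    }
}

$pw = Read-Host -AsSecureString 'Password for arcsight'
New-CollectorAccount -Password $pw                      # add -Domain when run on a domain controller
if (-not (Test-ClassicLocalAccountModel)) { Write-Warning 'ForceGuest is not 0: set the policy to Classic' }
$cred = New-Object System.Management.Automation.PSCredential ('arcsight', $pw)   # 'DOMAIN\arcsight' for a domain user
Test-SecurityLogRead -ComputerName 'target-host.example.com' -Credential $cred   # assumed target host
```

Test-SecurityLogRead returning false with an "access denied" message after the group membership was added usually means the account's logon token predates the change; the connector service (or this test) must log on again. A "RPC server unavailable" message points at the firewall, not at privileges.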
Add Security Certifications when Using SSL
If you choose SSL as the connection protocol, security certificates for both the Windows Domain Controller service and the Active Directory server are required. Installing a valid certificate on a domain controller permits the LDAP service to listen for and automatically accept SSL connections for both LDAP and global catalog traffic.
The certificates are imported into the connector's certificate store during the connector installation process. See step 3 of the installation procedure for instructions.
Procedures for Windows Server 2012 are shown; the steps can vary with other Windows versions. For other Windows versions, see Microsoft's documentation for complete information.
Example: Windows Server 2012
The following steps assume Windows Server 2012 as the operating system.
To export the certificates:
1. From the Windows Start menu, select Administrative Tools.
2. Double-click Certification Authority; one or more Domain Certificate Authority servers are shown.
3. Select the Domain Certificate Authority server for the domain to which the Active Directory server belongs, right-click and select Properties to open the Properties window.
4. Click View Certificate.
5. Click the Details tab, then Copy to File...
6 Follow the steps in the Certificate Export Wizard to complete the export
Installing the SmartConnector
This section has the following information:
Installation Prerequisites
Supported Operating Systems for Installation
System Requirements
This connector can be installed only on one of the following supported Microsoft Windows 64-bit platforms:
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2 Standard
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows 10
.NET Requirements
- .NET 4.5.2, 4.6, 4.6.1 or 4.7.2
Supported Operating Systems for Event Collection
ArcSight supports Windows Event Log Security, System and Application event collection from hosts running the following Microsoft OS versions:
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows 10
It also supports events forwarded from source hosts to a Windows Event Collector (WEC).
Supported Log ParsersThe SmartConnector supports parsing for the following logs
- Security
- System
- Application (event header)
- Forwarded Events (forwarded Security, System and Application (event header) events)
Supported ApplicationsParser support for the following application events is provided
l Microsoft Active Directory
l Microsoft Exchange Access Auditing
l Microsoft SQL Server Audit
l Microsoft Local Administrator Password Solution (LAPS)
l Microsoft Windows Powershell
l Microsoft Windows BITS Client
l Microsoft Windows ESENT
l Oracle Audit
l Symantec Mail Security for Exchange
Supported System EventsParser support for the following system events is provided
l Microsoft Network Policy Server
l Microsoft Remote Access
l Microsoft Service Control Manager
l Microsoft WINS Server
l Microsoft Windows WindowsUpdateClient
Supported Events
Windows Event Log supports parsing for:

Event Type                                               | Event Header | Event Description
Security                                                 | yes          | yes
Application                                              | yes          | no
System (Service Control Manager and WINS event sources)  | yes          | yes
Other System events (including Remote Access and NPS)    | yes          | no
Support is provided for a FlexConnector-like framework that lets you create and deploy your own parsers to parse the event description for all system and application events. See "Create and Deploy Parsers for System and Application Events" for more information. See "Log Parser Support" for the application and system events already supported.
Use of Active Directory Query for Hosts
An Active Directory query can be used to populate or update collection end points, or to supply the Windows OS version of source hosts for forwarded events collected from a Windows Event Collector. The connector discovers and retrieves information about the hosts registered in Active Directory; the host information includes the DNS name along with its operating system version. When new hosts are registered in Active Directory while the connector is running, it sends an internal event notifying the user of the newly discovered host.
SmartConnector Setup Scenarios
The following examples describe some typical setup scenarios. For configuration details, see "Configure the Connector".
- Scenario 1 - Collect Application, Security and System Logs for the Local Host: select local host logs on the first configuration window, with no remote hosts, no custom logs or event filters, and no Windows Event Forwarding configuration. The locale and encoding of the local host are detected and configured automatically by the connector, so you do not need to configure these values for the local host.
- Scenario 2 - Collect Application, Security and System Logs from Remote Hosts in One Domain, Entering the Hosts Manually: collect logs from remote hosts and add the host entries manually. You can either add a table parameter in the entry window that is displayed or import a CSV file containing host information. When importing, make sure your local host is in the CSV file if you intend to collect events from the local host, because the content of the imported file replaces the existing host information.
- Scenario 3 - Collect Application, Security and System Logs from Hosts Recorded in Active Directory: collect logs from hosts recorded in Active Directory. The table parameter entry window is then displayed, where you can make configuration selections for each host.
- Scenario 4 - Collect Forwarded Events or Other WEC Logs from Local or Remote Hosts: with any of the previous scenarios, to collect Forwarded Events or other WEC logs from the local host (or remote hosts), a window is displayed after you make configuration selections on the table parameter entry window, where you specify the name of a CSV file containing the source host names and Windows OS versions.
Before you BeginThe following items are required when installing this SmartConnector
l Local access to the machine where the SmartConnector will be installed
l Administrator passwords to the machine
Installation Notes
- Install this SmartConnector only on 64-bit Windows platforms. See "Operating Systems Support for Event Collection".
- It is not possible to upgrade from the Microsoft Windows Event Log - Unified connector to the Microsoft Windows Event Log - Native connector.
- Parser overrides that exist for the Windows Event Log - Unified connector must be modified for use with the Windows Event Log - Native connector.
- If you use Forwarded Event Collection, the full computer name and OS version of the source hosts must be available, either through Active Directory or from a source hosts file in CSV format.
Enabling FIPS at the OS Level
1. From the Windows Start menu, select Run.
2. Enter gpedit.msc.
3. In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
4. In the right pane, locate and click the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting.
5. Set it to Enabled and click OK.
6. Restart the computer.
Installing and Configuring the SmartConnector
For additional information about installing SmartConnectors, see the ArcSight SmartConnector Installation and User Guide.
To install and configure the Windows Event Log - Native SmartConnector:
1. Start the installation process.
2. Follow the instructions to add the required details and complete the installation of the core software.
3. After the installation completes, to configure the connector either click Next or run the <ArcSightSmartConnectors_installDirectory>\current\bin\runagentsetup.bat file.
4. Select the relevant Global Parameters, then click Next.
5. From the Type drop-down, select Microsoft Windows Event Log - Native as the type of connector, then click Next.
6. In the Configure Parameters window, specify the following information:
a. Select logs for event collection.
- The Security log, System log and Application log options are selected by default. See "Log Parser Support" for a list of supported application and system events. For more information about the type of logs to select for different log sources, see Selecting the Type of Logs for Event Collection.
- Custom Log: Select this option to collect custom logs. For more information, see Configuring Custom Logs and Filtering.
- ForwardedEvents Log: If you select this option, you can collect events forwarded from a source host into any log on the collector machine to which the connector has access.
Note: Security events cannot be forwarded into the Security event log on a collector machine, but they can be forwarded into other logs (such as ForwardedEvents).
b. If you selected the ForwardedEvents Log option, the Windows OS version of the event source host is not populated automatically in the normalized events. To populate this value, you must either provide the Windows OS version in a file or configure Active Directory. If the Windows OS version is available from both Active Directory and the source host file, the value from Active Directory takes precedence. Select one of the following options to specify the Windows OS version for the hosts from which you want to collect events:
l Use file for OS version Select this option to supply the name of the source hosts ina file If you select this option you will be prompted to specify the file details
l Use Active Directory for OS version Select this option then the connectorretrieves the host details from the configured Active Directory to identify the eventsource host Windows version information Newly discovered hosts are added to thelookup automatically without having to reconfigure the connector itself
For the connector to be able to browse the Active Directory to retrieve source hostWindows version information it must be placed within the same forest as the ActiveDirectory
If you select this option you will be prompted to enter your domain credentials andActive Directory parameter information in the next screen
l Do not use any source for Windows OS version Select this option to not providean Active Directory query or a CSV file to list all hosts involved in events forwardingalong with their Windows OS version If you select this option no Windows OSversion will be displayed in the event headers from the forwarding host
c Select one or many of the following parameters to add hosts for event collection
l Use Common Domain Credentials Select this option to specify common domaincredentials
l Use Active Directory Select this option to use the host information (host name andversion) from the configured Active Directory to identify the event source hostWindows version information
l Enter Manually Select this option to manually specify all the host details
7 Click Next
8 One or more of the following screens will be displayed depending on your selections in theprevious window
a. WEF Source Hosts File Name: If you selected the ForwardedEvents log or Use file for OS version options in the previous window, you are prompted to enter the name of the file that contains the source host information. This window is also displayed if you selected Is WEC for any host in the table parameter window. For forwarded event collection, specify only the Event Collector hosts.
b. Device Details Collection: The first row displays the selections from the initial parameter entry window for the local host. Click Add to add a host manually, or click Import to select a CSV file of host information to import. Make sure there is exactly one line break (carriage return) after the last entry in the CSV file; otherwise the import fails.
If you have added hosts for which you decide not to collect events, use the checkbox in the leftmost column to deselect those rows in the table.
Parameter: Description
Host Name: Host name or IP address of the target Windows host.
Domain Name: Name of the domain to which the host belongs. If you are using a Domain User account for a target host, or using Active Directory, fill in the Domain Name field. This must be a name, not an IP address, for the OS version to be resolved.
User Name: Name of the user account with adequate privileges to collect Windows events from the target host. This is the user name only, without the domain.
Password: Password for the user specified in User Name.
Windows Version: Select the Microsoft operating system version this host is running.
Is WEC: Indicates that this host is a WEC server. If you selected this on the initial configuration page, it is already checked for the local host.
Security: Select to collect security events from this host. This log is selected automatically for all hosts.
System: Select to collect system events from this host.
Application: Select to collect application events from the common Application event log of this host.
ForwardedEvents: Select to collect events from the ForwardedEvents log of this host.
Custom Event Logs: Specify the custom application log names, separated by a comma (such as "Exchange Auditing, Directory Service"). For Windows Event Collector servers, use HardwareEvents. See "Installing and Configuring the SmartConnector" on page 46 for more information.
Filter: A filter you can copy from the Microsoft Event Viewer when you want to collect only particular events. Copy the filter text into this field. For more information, see "Configure a Filter".
Locale: Enter the value for your locale or accept the United States English default, en_US. Leave this field blank if you want the connector to determine the correct Locale value for the local host automatically. Values are:
- French Canadian: fr_CA
- Japanese: ja_JP
- Simplified Chinese: zh_CN
- Traditional Chinese: zh_TW
- United States English (the default): en_US
For localization of other languages, see "Customize Localization Support for the Native Connector" on page 39.
Encoding: Enter the encoding value for the language used to send localized log events, or accept the United States English default, UTF-8. This value cannot be determined automatically. Select from the following values:
- French Canadian: fr_CA
- Japanese: Shift_JIS
- Simplified Chinese: GB2312
- Traditional Chinese: zh_TW
- United States English (the default): UTF-8
For localization of other languages, see "Customize Localization Support for the Native Connector" on page 39.
c. Domain Credentials: If you selected the Use common domain credentials option in the previous window, you are prompted to specify the following details.
Note:
- A Domain User Name and Domain User Password are not required if you are performing local event collection.
- If the hosts' domain parameters are the same as those for Active Directory, you do not have to enter both; the information is taken from the Active Directory domain and credentials.
Parameter: Description
Domain Name: Enter the name of the domain to which the host belongs. Workgroup hosts and stand-alone hosts can be added manually on the table parameters entry window.
Domain User Name: Enter the name of the user account with adequate privileges to collect Windows events from the target host. It is assumed that the AD server is located on the domain server and can be accessed with the domain user and password.
Domain User Password: Enter the password for the user specified in the Domain User Name field.
d. Active Directory Parameters: If you selected the Use common domain credentials option in the previous window, you are prompted to specify the following details.
Note:
- A Domain User Name and Domain User Password are not required if you are performing local event collection.
- If the hosts' domain parameters are the same as those for Active Directory, you do not have to enter both; the information is taken from the Active Directory domain and credentials.
- If GUID translation is enabled, the Active Directory domain and credentials are used. You must provide the complete domain name, including any qualifiers such as .com.
Parameter: Description
Active Directory Domain: Enter the name of the Active Directory domain to which the host belongs.
Active Directory User Name: Enter the name of the user account with adequate privileges to collect Windows events from the target host. It is assumed that the AD server is located on the domain server and can be accessed with the domain user and password.
Active Directory User Password: Enter the password for the user specified in the Active Directory User Name field.
Active Directory Server: Enter the Active Directory host name or IP address used for authentication to Microsoft Active Directory for the host browsing feature.
Active Directory Filter: Enter the Active Directory filter required for automatic host browsing, to filter hosts by name, operating system and creation time.
The query can contain the attributes Common Name (cn), Operating System (operatingSystem) and Creation Time (whenCreated). whenCreated is stored by Active Directory as an LDAP GeneralizedTime value in the form YYYYMMDDHHmmSS.0Z, where YYYY = four-digit year, MM = month, DD = day, HH = hours (24-hour clock), mm = minutes and SS = seconds, all in UTC (the trailing Z).
The query can also contain the wildcard character (*) to match an attribute against any value.
Active Directory Filter examples:
To discover hosts created at or after a particular time point, set the filter to
(&(cn=*)(operatingSystem=*)(whenCreated>=YYYYMMDDHHmmSS.0Z))
To discover hosts created between two time points, inclusive, set the filter to
(&(cn=*)(operatingSystem=*)(whenCreated>=YYYYMMDDHHmmSS.0Z)(whenCreated<=YYYYMMDDHHmmSS.0Z))
Active Directory Protocol: Select whether the protocol to be used is non_ssl (the default value) or SSL. For the SSL protocol, be sure to import the Active Directory security certificate into the connector before starting the connector.
Use Active Directory host results for:
For WEF Only: If you selected "Use Active Directory for OS Version" on the initial configuration window, the list of hosts retrieved from Active Directory is used to determine the Windows OS version for the WEF source hosts. When For WEF Only is selected, the result of the query does not populate the table of hosts on the table parameter entry window.
For an initial installation, Merge Hosts and Replace Hosts act the same, because only the local host is present and it is preserved. If you selected Use Active Directory on the initial configuration screen under Parameters to add hosts for event collection, or you are modifying parameters to add hosts, the following applies:
When Merge Hosts is selected, Active Directory is used to retrieve the hosts for collection (and can also be used for Windows Event Forwarding if WEC servers are present and Use file for OS is not selected on the initial configuration screen). The original host is not replaced and all other preconfigured hosts are preserved. Hosts are added from the list retrieved from Active Directory with Security events selected by default. If duplicates are found, the existing host entry is not overwritten.
When Replace Hosts is chosen, Active Directory is used to retrieve the hosts for collection (and can also be used for Windows Event Forwarding under the same conditions). The local host is not replaced, but all other preconfigured hosts are replaced with those retrieved from Active Directory, with Security events selected by default.
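As an added example that is not part of the ArcSight guide, the following builds the kind of LDAP filter the Active Directory Filter parameter above takes and previews, with the ActiveDirectory PowerShell module, which computers that filter would discover. It goes a little beyond the two examples in the text: it escapes LDAP metacharacters in the name and OS patterns (RFC 4515) while leaving the intended * wildcard alone, and it formats whenCreated as the GeneralizedTime value AD expects (four-digit year, UTC, ".0Z"). The 30-day window and "Windows Server*" pattern are assumptions for the demonstration.

```powershell
# Added example (not from the ArcSight guide). Needs the ActiveDirectory RSAT module.

function New-HostDiscoveryFilter {
    param(
        [datetime]$CreatedAfter  = [datetime]::MinValue,   # MinValue = not set
        [datetime]$CreatedBefore = [datetime]::MinValue,
        [string]$NamePattern = '*',                         # cn=...
        [string]$OsPattern   = '*'                          # operatingSystem=..., e.g. 'Windows Server*'
    )
    # RFC 4515 escaping for \ ( ) so a pattern cannot break out of its clause; '*' is kept
    # on purpose because the guide's filters use it as a wildcard.
    $esc = { param($s) $s -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' }
    $parts = @("(cn=$(& $esc $NamePattern))", "(operatingSystem=$(& $esc $OsPattern))")
    # whenCreated is GeneralizedTime: YYYYMMDDHHmmSS.0Z, always in UTC
    if ($CreatedAfter -ne [datetime]::MinValue) {
        $parts += "(whenCreated>=$($CreatedAfter.ToUniversalTime().ToString('yyyyMMddHHmmss')).0Z)"
    }
    if ($CreatedBefore -ne [datetime]::MinValue) {
        $parts += "(whenCreated<=$($CreatedBefore.ToUniversalTime().ToString('yyyyMMddHHmmss')).0Z)"
    }
    return '(&' + ($parts -join '') + ')'
}

function Find-CollectionHosts {
    # Same attributes the connector's host browsing uses: DNS name plus operating system.
    param([Parameter(Mandatory)][string]$Filter, [string]$Server)
    Import-Module ActiveDirectory -ErrorAction Stop
    $args = @{
        LDAPFilter = $Filter
        Properties = 'operatingSystem', 'operatingSystemVersion', 'whenCreated', 'dNSHostName'
    }
    if ($Server) { $args.Server = $Server }
    Get-ADComputer @args |
        Select-Object Name, DNSHostName, OperatingSystem, OperatingSystemVersion, whenCreated
}

# Servers created in the last 30 days (assumed window), as the connector would see them
$filter = New-HostDiscoveryFilter -CreatedAfter (Get-Date).AddDays(-30) -OsPattern 'Windows Server*'
$filter   # e.g. (&(cn=*)(operatingSystem=Windows Server*)(whenCreated>=20210401000000.0Z))
Find-CollectionHosts -Filter $filter | Format-Table -AutoSize
```

Paste the string that New-HostDiscoveryFilter returns into the Active Directory Filter field. Computers with an empty operatingSystem attribute (stale or pre-staged accounts) are excluded by the (operatingSystem=*) clause, which is what you want, since the connector cannot resolve an OS version for them anyway.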
9 Select a destination then configure the destination parameters
10 Specify a name for the connector
11 Select whether you want to run the connector as a service or in the standalone mode
12 Complete the installation process
Using SSL for Connection (optional)
If you are using SSL for the connector connection, follow these steps to import the certificates into the connector's certificate store. Click Cancel to exit the wizard first.
1. From $ARCSIGHT_HOME\current\bin, run the keytool application to import the two certificates (see "Add Security Certifications when Using SSL" earlier in this guide):
arcsight agent keytoolgui
The graphical interface asks you to open a keystore.
2. Select jre\lib\security\cacerts, then select Import Cert to import your certificate. Verify that the correct certificate has been imported.
3. When prompted "Trust this certificate?", click Yes. Repeat this process for the second certificate.
4. Save the keystore.
5. Verify the imported certificates by entering this command from $ARCSIGHT_HOME\current\bin:
arcsight agent keytool -list -store clientcerts
The new certificates are listed.
6. Return to the configuration wizard by entering the following command from $ARCSIGHT_HOME\current\bin:
runagentsetup.bat
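The certificate export from "Add Security Certifications when Using SSL" and the import above, done from the command line as an added example that is not part of the ArcSight guide. The first function runs on the CA and uses certutil (which ships with Windows) to write the CA's own certificate; the second runs on the connector host and imports it into the same jre\lib\security\cacerts store the keytoolgui steps use, via the keytool.exe in the connector's bundled JRE. The connector home path and the cacerts store password (Java's default, changeit) are assumptions; check both against your installation.

```powershell
# Added example (not from the ArcSight guide).

# --- On the CA (domain controller): export the CA certificate in DER form ---
function Export-CaCertificate {
    param([string]$OutFile = "$env:TEMP\domain-ca.cer")
    & certutil.exe -ca.cert $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -ca.cert failed' }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
    # Sanity check: the trust anchor we are about to import must be a CA certificate, not a leaf
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw "$OutFile is not a CA certificate" }
    return $cert   # Subject, Thumbprint and NotAfter are worth recording before you ship the file
}

# --- On the connector host: import into the JRE trust store the wizard uses ---
function Import-ConnectorTrustedCert {
    param(
        [Parameter(Mandatory)][string]$CerFile,
        [Parameter(Mandatory)][string]$Alias,
        [string]$ArcSightHome = 'C:\Program Files\ArcSightSmartConnectors',   # assumption
        [string]$StorePass    = 'changeit'                                      # Java default; assumption
    )
    $keytool = Join-Path $ArcSightHome 'current\jre\bin\keytool.exe'
    $store   = Join-Path $ArcSightHome 'current\jre\lib\security\cacerts'
    & $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CerFile -keystore $store -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed for alias $Alias" }
    # Verify: listing a single alias exits non-zero when it is absent
    & $keytool -list -keystore $store -storepass $StorePass -alias $Alias
    return ($LASTEXITCODE -eq 0)
}

# On the CA:
# $ca = Export-CaCertificate -OutFile C:\temp\domain-ca.cer; $ca.Thumbprint
# On the connector host, after copying the file over:
# Import-ConnectorTrustedCert -CerFile C:\temp\domain-ca.cer -Alias 'domain-ca'
```

Compare the thumbprint printed on the CA with the fingerprint keytool prints on import before you answer the trust question; a certificate that arrived by an untrusted path is exactly what this step is meant to catch. Repeat the import for the second certificate, then run the guide's own "arcsight agent keytool -list -store clientcerts" to confirm both are present.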
Installing and Configuring Multiple Connector Instances
Follow these steps to install and run another instance of the connector on the same host:
1. Install the core connector software, then exit the wizard.
2. Go to the installation directory, for example $ARCSIGHT_HOME\ArcSightSmartConnectors\current.
3. From the $ARCSIGHT_HOME\current\user\agent directory, edit the agent.properties file.
4. Select a valid TCP port value for the mq.server.listener.port property. The value cannot be in use by another instance of the connector. The range is 1 to 65535; the default value is 61616.
5. Add the parameter and value for the mq.server.listener.port property.
6. In the $ARCSIGHT_HOME\current\user\agent\winc directory, create a config.ini file with the following contents:
mq.server.hostname=localhost
mq.protocol=tcp
mq.server.port=<valid tcp port>
The mq.server.port value in this file must match the one configured in agent.properties.
7. Launch the setup wizard by running runagentsetup.bat from the $ARCSIGHT_HOME\current\bin directory.
Notes:
- When running the configuration wizard, the following warning message might be logged, because the event listener starts sending heartbeats before it is assigned a RemoteAgentId:
[updateHeartbeat] RemoteAgentId unspecified. Ignoring the heartbeat.
- The connector will not run if the value of mq.server.port is not unique for each instance of the Native Windows Event Log connector installed on the same host. It will report that the port is already in use.
- Resource consumption increases as the number of connector instances increases, so this constraint may limit the number of instances you use in your enterprise.
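As an added example that is not part of the ArcSight guide, the port selection and file edits from steps 4 to 6 above, done in a way that avoids the "port already in use" failure the notes describe: the script collects the ports already claimed by other instances' config.ini files, skips anything a process is currently listening on, and then writes the same port to both agent.properties and winc\config.ini so the two cannot drift apart. The property names are the ones in the procedure above; the instance home paths are assumptions.

```powershell
# Added example (not from the ArcSight guide). Run on the connector host before step 7.

function Get-ClaimedConnectorPorts {
    # mq.server.port values already written by other instances on this host
    param([string[]]$InstanceHomes)
    foreach ($h in $InstanceHomes) {
        $ini = Join-Path $h 'current\user\agent\winc\config.ini'
        if (Test-Path $ini) {
            foreach ($line in Get-Content $ini) {
                if ($line -match '^\s*mq\.server\.port\s*=\s*(\d+)') { [int]$Matches[1] }
            }
        }
    }
}

function Select-FreeListenerPort {
    # first port in [Start, End] that is neither claimed by an instance nor in use right now
    param([int[]]$Taken, [int]$Start = 61616, [int]$End = 61700)   # 61616 is the guide's default
    for ($p = $Start; $p -le $End; $p++) {
        if ($Taken -contains $p) { continue }
        if (Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue) { continue }
        return $p
    }
    throw "no free listener port between $Start and $End"
}

function Set-ConnectorListenerPort {
    param([Parameter(Mandatory)][string]$InstanceHome, [Parameter(Mandatory)][int]$Port)
    $props = Join-Path $InstanceHome 'current\user\agent\agent.properties'
    $ini   = Join-Path $InstanceHome 'current\user\agent\winc\config.ini'
    # replace (or append) mq.server.listener.port, keeping every other line of agent.properties
    $lines = if (Test-Path $props) { @(Get-Content $props) } else { @() }
    $lines = @($lines | Where-Object { $_ -notmatch '^\s*mq\.server\.listener\.port\s*=' })
    $lines += "mq.server.listener.port=$Port"
    Set-Content -Path $props -Value $lines -Encoding Default
    # config.ini with the three keys from step 6, port matching agent.properties
    New-Item -ItemType Directory -Force -Path (Split-Path $ini) | Out-Null
    Set-Content -Path $ini -Encoding ASCII -Value @(
        'mq.server.hostname=localhost',
        'mq.protocol=tcp',
        "mq.server.port=$Port"
    )
    return $Port
}

# Assumed instance homes: the first is already running, the second is the new one
$homes = 'C:\ArcSightSmartConnectors\winc1', 'C:\ArcSightSmartConnectors\winc2'
$port  = Select-FreeListenerPort -Taken (Get-ClaimedConnectorPorts -InstanceHomes $homes)
Set-ConnectorListenerPort -InstanceHome $homes[1] -Port $port
```

Do this while the new instance's wizard is not running, since runagentsetup.bat rewrites agent.properties. If a later instance still reports the port as in use, Get-NetTCPConnection -LocalPort <port> -State Listen shows the owning process ID.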
Log Sources and Event Mappings
This section provides information about the supported log sources and the event mappings to ArcSight fields.
Microsoft ADFS
Active Directory Federation Services (ADFS) is a software component in Windows Server 2012, Windows Server 2016 and Windows Server 2019. It contains the Active Directory Federation Server, the Federation Server Proxy and the ADFS Web Server.
ADFS provides the following services:
- Single Sign-On (SSO): ADFS provides SSO access to users who need to reach applications in different networks or organizations, including internet-facing applications and services.
- Identity Federation (Identity Management): provides users with a digital identity and allows it to be centralized, which helps maintain security and rights across security and enterprise boundaries.
Supported Versions
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
The SmartConnector for Microsoft Windows Event Log - Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors. The field mappings listed here are specifically for Microsoft ADFS.
Configuring Microsoft ADFS Logs
For information about configuring Microsoft ADFS event logs, see https://adfshelp.microsoft.com/AdfsEventViewer/GetAdfsEventList in Microsoft's documentation.
Event Mappings for Microsoft ADFS
General
ArcSight Field | Vendor Field
Device Product | ADFS Auditing
Device Vendor | Microsoft
Event 299
ArcSight Field | Vendor Field
Destination DNS Domain | 3 (Relying Party)
Device Custom String 1 | 2 (Activity ID)
Device Custom String 1 Label | Activity ID
Device Custom String 4 | 1 (Instance ID)
Device Custom String 4 Label | Instance ID
Message | __concatenate(A token was successfully issued for the relying party 3)
Name | A token was successfully issued for relying party
Event 300
ArcSight Field | Vendor Field
Device Custom String 1 | 1 (Activity ID)
Device Custom String 1 Label | Activity ID
Device Custom String 5 | 2 (Request type)
Device Custom String 5 Label | Request Type
Device Custom String 6 | 3 (Exception details)
Device Custom String 6 Label | Exception details
Message | The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request
Name | Federation Service failed to issue a token as a result of an error
Source Nt Domain | __extractNTDomain(3)
Source User Name | __extractNTUser(3)
Event 307
ArcSight Field | Vendor Field
Device Custom String 4 | 1
Device Custom String 4 Label | Instance ID
Name | Federation service configuration was changed
Source Nt Domain | __extractNTDomain(3)
Source User Name | __extractNTUser(3)
Event 403
ArcSight Field | Vendor Field
Destination Address | 9 (Local IP)
Destination Dns Domain | 14
Destination Port | 8 (Local Port)
Device Custom Date 1 | 3
Device Custom Date 1 Label | Request Time
Device Custom Number 1 | 11
Device Custom Number 1 Label | Content Length
Device Custom String 1 | 2
Device Custom String 1 Label | Activity ID
Device Custom String 4 | 1
Device Custom String 4 Label | Instance ID
Device Custom String 6 | 16
Device Custom String 6 Label | Proxy DNS name
End Time | 3
Name | An HTTP request was received
Old File Hash | __concatenate(Through Proxy15)
Old File Id | __concatenate(Caller Identity12)
Old File Type | __concatenate(Certificate Identity13)
Request Client Application | 10 (User Agent)
Request Method | 5 (HTTP Method)
Request Url File Name | 6 (Url Absolute Path)
Request Url Query | 7 (Query string)
Source Address | 4
Start Time | 3
Event 404
ArcSight Field | Vendor Field
Device Custom Date 1 | 3
Device Custom Date 1 Label | Response Time
Device Custom String 1 | 2
Device Custom String 1 Label | Activity ID
Device Custom String 4 | 1
Device Custom String 4 Label | Instance ID
Device Custom String 5 | 5
Device Custom String 5 Label | Status Description
End Time | 3
Event Outcome | 4
Name | An HTTP response was dispatched
Event 405
ArcSight Field | Vendor Field
Destination Host Name | 3
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Message | __concatenate(Password change succeeded for following user2)
Name | Password change succeeded
Source Nt Domain | __extractNTDomain(2)
Source User Name | __extractNTUser(2)
Event 406 - Windows Server 2016
ArcSight Field | Vendor Field
Destination Host Name | 3
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Message | __concatenate(Password change failed for following user2)
Name | Password change failed
Reason | 4
Source Nt Domain | __extractNTDomain(2)
Source User Name | __extractNTUser(2)
Event 406 - Windows Server 2019
ArcSight Field | Vendor Field
Destination Host Name | 4
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Device Custom String 4 | 3
Device Custom String 4 Label | Device Certificate
Message | __concatenate(Password change failed for following user2)
Name | Password change failed
Reason | 5
Source Address | 6
Source Nt Domain | __extractNTDomain(2)
Source User Name | __extractNTUser(2)
Event 410
ArcSight Field | Vendor Field
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Device Custom String 4 | 3
Device Custom String 4 Label | Client Application
Device Custom String 5 | 13
Device Custom String 5 Label | Proxy
Device Custom String 6 | 11
Device Custom String 6 Label | Forwarded Client IP
Name | Following request context headers present
Old File Id | __concatenate(67)
Request Client Application | 5
Request Url File Name | 9
Source Address | 15
Source Translated Address | __regexToken(11)
Event 411
ArcSight Field | Vendor Field
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Device Custom String 4 | 2
Device Custom String 4 Label | Token Type
Device Custom String 5 | 3
Device Custom String 5 Label | Error message
Device Custom String 6 | 4
Device Custom String 6 Label | Exception details
Name | Token validation failed
Reason | __regexToken(3)
Request Url | 2
Source Address | 5
Source User Name | __regexToken(3)
Event 412
ArcSight Field | Vendor Field
Destination Dns Domain | 4
Device Custom String 1 | 2
Device Custom String 1 Label | Activity ID
Device Custom String 4 | 1
Device Custom String 4 Label | Instance ID
Device Custom String 6 | 3
Device Custom String 6 Label | Token type
Message | __concatenate(A token of type 3 for relying party 4 was successfully authenticated)
Name | A token for relying party was successfully authenticated
Event 413
ArcSight Field | Vendor Field
Destination Dns Domain | 5
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Name | An error occurred during processing of a token request
Old File Hash | __concatenate(Caller2)
Old File Id | __concatenate(Device identity6)
Old File Name | __concatenate(Act as User4)
Source Address | 7
Source User Name | __extractNTUser(3)
Event 418
ArcSight Field | Vendor Field
File Hash | 4
File Name | 2
Name | Trust between federation server proxy and service was successfully renewed
Old File Hash | 3
Source Address | 1
Event 420
ArcSight Field | Vendor Field
File Hash | 4
File Name | 3
Name | Trust between federation server proxy and service was successfully established
Source Address | 2
Source User Name | __extractNTUser(1)
Source Nt Domain | __extractNTDomain(1)
Event 424
ArcSight Field | Vendor Field
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Device Custom String 6 | 5
Device Custom String 6 Label | Inner exception
File Hash | 2
File Name | 3
Name | The federation server proxy was not able to authenticate the client certificate presented in the request
Source Address | 4
Event 431
ArcSight Field | Vendor Field
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Device Custom String 4 | 5
Device Custom String 4 Label | Token Type
Device Custom String 5 | 4
Device Custom String 5 Label | Request Type
Device Custom String 6 | 6
Device Custom String 6 Label | Signature Algorithm
File Size | 2
File Type | 3
Name | An active request was received at STS with RST
Event 512
ArcSight Field | Vendor Field
Device Custom Date 1 | __concatenate(5 6)
Device Custom Date 1 Label | Last Bad Password Attempt
Device Custom Number 1 | 4
Device Custom Number 1 Label | Bad Password Count
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Message | __concatenate(The account for the following user 2 is locked out A login attempt is being allowed due to the system configuration)
Name | The account for the following user is locked out
Source Address | 3
Source Nt Domain | __extractNTDomain(2)
Source User Name | __extractNTUser(2)
Event 513
ArcSight Field | Vendor Field
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Device Custom String 6 | 4
Device Custom String 6 Label | Exception details
Name | The Artifact REST service failed to return an artifact as a result of an error during processing
Request Url | 3
Source Address | 2
Event 515
ArcSight Field | Vendor Field
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Event Outcome | This account may be compromised
Message | __concatenate(The following user 2 account was in a locked out state and the correct password was just provided This account may be compromised)
Name | The following user account was in a locked out state and the correct password was just provided
Source Address | 3
Source Nt Domain | __extractNTDomain(2)
Source User Name | __extractNTUser(2)
Event 516
ArcSight Field | Vendor Field
Device Custom Date 1 | __concatenate(5 6)
Device Custom Date 1 Label | Last Bad Password Attempt
Device Custom Number 1 | 4
Device Custom Number 1 Label | Bad Password Count
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Name | The following user account has been locked out due to too many bad password attempts
Source Address | 3
Source Nt Domain | __extractNTDomain(2)
Source User Name | __extractNTUser(2)
Event 1102
ArcSight Field | Vendor Field
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Device Custom String 5 | 4
Device Custom String 5 Label | Additional details
Name | The Federation Service authorized a request to one of the REST endpoints
Request Url | 3
Source Address | 2
Event 1200
ArcSight Field | Vendor Field
Name | The Federation Service issued a valid token
Event 1201
ArcSight Field | Vendor Field
Name | The Federation Service failed to issue a valid token
Event 1202
ArcSight Field | Vendor Field
Name | The Federation Service validated a new credential
Event 1203
ArcSight Field | Vendor Field
Name | The Federation Service failed to validate a new credential
Event 1204
ArcSight Field | Vendor Field
Name | A password was changed
Event 1205
ArcSight Field | Vendor Field
Name | A password change was attempted but failed
Event 1206
ArcSight Field | Vendor Field
Name | A Sign Out request was successfully processed
Event 1210
ArcSight Field | Vendor Field
Name | An extranet lockout event has occurred
Common Mappings for Events - 1200, 1201, 1202, 1203, 1204, 1205, 1206 and 1210
ArcSight Field | Vendor Field
Application Protocol | AuthProtocol
Destination Dns Domain | RelyingParty
Destination Host Name | __regexToken(Server)
Destination Service Name | __regexToken(Server)
Device Custom Date 1 | LastBadAttempt
Device Custom Date 1 Label | Last Bad Attempt
Device Custom Number 1 | __oneOfLong(CurrentBadPasswordCount)
Device Custom Number 1 Label | Current Bad Password Count
Device Custom Number 2 | __oneOfLong(ConfigBadPasswordCount)
Device Custom Number 2 Label | Config Bad Password Count
Device Custom String 1 | 1
Device Custom String 1 Label | Activity ID
Device Custom String 5 | ForwardedIpAddress
Device Custom String 5 Label | Forwarded Ip Address
Device Custom String 6 | AuditType
Device Custom String 6 Label | Audit Type
Device Domain | NetworkLocation
Device External Id | DeviceId
Device Process Name | ClaimsProvider
Event Outcome | AuditResult
Old File Hash | __concatenate(SSO Binding Validation LevelSSOBindingValidationLevel)
Old File Name | __concatenate(Device AuthDeviceAuth)
Old File Path | __concatenate(Primary AuthPrimaryAuth)
Old File Type | __concatenate(Failure TypeFailureType)
Reason | ErrorCode
Request Client Application | UserAgentString
Source Address | IpAddress
Source Nt Domain | __extractNTDomain(UserId)
Source Translated Address | __regexToken(ForwardedIpAddress)
Source User Name | __extractNTUser(UserId)
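The common mappings for events 1200 through 1210 above, and the __extractNTDomain / __extractNTUser split used throughout the per-event ADFS tables, can be exercised on a sample payload. The following is an added Python example, not the connector's own mapping code: the XML sample is constructed using the vendor field names from the table, the helper functions are this example's interpretation of what __extractNTDomain, __extractNTUser, __oneOfLong and __regexToken do (the regex patterns are assumptions), and the activity ID (insertion string 1, which lives outside the XML) is passed in separately.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample of an ADFS 1200-series audit payload. Element names are
# the "Vendor Field" names from the table above; the values are made up.
SAMPLE_EVENT_1200 = """<AuditBase>
  <AuditType>AppToken</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>None</ErrorCode>
  <AuthProtocol>WSFederation</AuthProtocol>
  <RelyingParty>urn:federation:example-app</RelyingParty>
  <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
  <UserId>CONTOSO\\jdoe</UserId>
  <IpAddress>10.0.0.5</IpAddress>
  <ForwardedIpAddress>198.51.100.7, 10.0.0.9</ForwardedIpAddress>
  <Server>adfs01.contoso.example</Server>
  <NetworkLocation>Intranet</NetworkLocation>
  <PrimaryAuth>FormsAuthentication</PrimaryAuth>
  <DeviceAuth>false</DeviceAuth>
  <CurrentBadPasswordCount>0</CurrentBadPasswordCount>
  <ConfigBadPasswordCount>5</ConfigBadPasswordCount>
  <LastBadAttempt>1/1/0001 12:00:00 AM</LastBadAttempt>
</AuditBase>"""

# ArcSight field -> XML element whose text is copied verbatim (from the table).
DIRECT = {
    "applicationProtocol": "AuthProtocol",
    "destinationDnsDomain": "RelyingParty",
    "deviceCustomDate1": "LastBadAttempt",
    "deviceCustomString5": "ForwardedIpAddress",
    "deviceCustomString6": "AuditType",
    "deviceDomain": "NetworkLocation",
    "deviceExternalId": "DeviceId",
    "deviceProcessName": "ClaimsProvider",
    "eventOutcome": "AuditResult",
    "reason": "ErrorCode",
    "sourceAddress": "IpAddress",
}
# "Old File" fields carry a "<label>: <value>" concatenation (from the table).
CONCAT = {
    "oldFileName": ("Device Auth", "DeviceAuth"),
    "oldFilePath": ("Primary Auth", "PrimaryAuth"),
    "oldFileType": ("Failure Type", "FailureType"),
}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")           # assumed pattern
HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")    # assumed pattern


def extract_nt_domain(user_id: str) -> str:
    """Emulates __extractNTDomain: the DOMAIN part of DOMAIN\\user, else empty."""
    return user_id.split("\\", 1)[0] if "\\" in user_id else ""


def extract_nt_user(user_id: str) -> str:
    """Emulates __extractNTUser: the user part of DOMAIN\\user, else the value."""
    return user_id.split("\\", 1)[1] if "\\" in user_id else user_id


def one_of_long(value: Optional[str]) -> Optional[int]:
    """Emulates __oneOfLong: an int when the text parses as one, otherwise None."""
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def regex_token(value: Optional[str], pattern: "re.Pattern[str]") -> Optional[str]:
    """Stand-in for __regexToken (assumed): first substring matching pattern."""
    m = pattern.search(value or "")
    return m.group(0) if m else None


def map_adfs_audit(xml_text: str, activity_id: Optional[str] = None) -> Dict[str, object]:
    """Apply the common mappings to one payload; absent elements yield no field."""
    text = {child.tag: (child.text or "").strip() for child in ET.fromstring(xml_text)}
    ev: Dict[str, object] = {}
    for field, elem in DIRECT.items():
        if elem in text:
            ev[field] = text[elem]
    for field, (label, elem) in CONCAT.items():
        if elem in text:
            ev[field] = f"{label}: {text[elem]}"
    for field, elem in (("deviceCustomNumber1", "CurrentBadPasswordCount"),
                        ("deviceCustomNumber2", "ConfigBadPasswordCount")):
        n = one_of_long(text.get(elem))
        if n is not None:
            ev[field] = n
    if activity_id is not None:      # insertion string 1, not part of the XML
        ev["deviceCustomString1"] = activity_id
    host = regex_token(text.get("Server"), HOSTNAME)
    if host:
        ev["destinationHostName"] = ev["destinationServiceName"] = host
    fwd = regex_token(text.get("ForwardedIpAddress"), IPV4)
    if fwd:
        ev["sourceTranslatedAddress"] = fwd   # first hop of the forwarded chain
    if "UserId" in text:
        ev["sourceNtDomain"] = extract_nt_domain(text["UserId"])
        ev["sourceUserName"] = extract_nt_user(text["UserId"])
    return ev


if __name__ == "__main__":
    for k, v in sorted(map_adfs_audit(SAMPLE_EVENT_1200, "0000-constructed").items()):
        print(f"{k}: {v}")
```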
Active Directory
Active Directory, an essential component of the Windows architecture, presents organizations with a directory service designed for distributed computing environments. Active Directory lets organizations centrally manage and share information on network resources and users while acting as the central authority for network security.
The SmartConnector for Microsoft Windows Event Log – Native Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this section are specifically for the SmartConnector for Microsoft Active Directory Windows Event Log – Native Active Directory.
Audit Active Directory Objects in Windows
When you use Windows auditing, you can track both user activities and Windows activities. When you use auditing, you can specify which events are written to the Security log. For example, the Security log can maintain a record of both valid and invalid logon attempts and events that relate to creating, opening or deleting files or other objects.
When you audit Active Directory events, Windows writes an event to the Security log on the domain controller. For example, if a user attempts to log on to the domain using a domain user account and the logon attempt is unsuccessful, the event is recorded on the domain controller and not on the computer on which the logon attempt was made. This is because it is the domain controller that attempted to authenticate the logon attempt but could not do so.
To enable auditing of Active Directory objects:
1. Configure an audit policy setting for a domain controller. (When you configure an audit policy setting, you can audit objects, but you cannot specify which object you want to audit.)
2. Configure auditing for specific Active Directory objects. After you specify the events to audit for files, folders, printers and Active Directory objects, Windows tracks and logs these events.
Configure an Audit Policy Setting for a Domain Controller
Auditing is turned off by default. For domain controllers, an audit policy setting is configured for all domain controllers in the domain. To audit events that occur on domain controllers, configure an audit policy setting that applies to all domain controllers in a non-Local Group Policy object (GPO) for the domain. You can access this policy setting through the Domain Controllers organizational unit. To audit user access to Active Directory objects, configure the Audit Directory Service Access event category in the audit policy setting.
The computer on which you want to configure an audit policy setting must be granted the Manage Auditing and Security Log user right. By default, Windows grants these rights to the Administrators group.
The files and folders you want to audit must be on Microsoft Windows NT file system (NTFS) volumes.
To configure an audit policy setting for a domain controller (steps may vary for differing Windows operating systems):
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. From the View menu, click Advanced Features.
3. Right-click Domain Controllers, then click Properties.
4. Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit.
5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
6. In the right pane, right-click Audit Directory Services Access, and then click Security.
7. Click Define These Policy Settings, then click to select one or both of the following check boxes:
Success: Click to audit successful attempts for the event category.
Failure: Click to audit failed attempts for the event category.
8. Right-click any other event category that you want to audit, then click Security.
9. Click OK.
10. Because the changes you make to your computer's audit policy setting take effect only when the policy setting is propagated (or applied) to your computer, to initiate policy propagation either enter secedit /refreshpolicy machine_policy at the command prompt and then restart the computer, or wait for automatic policy propagation, which occurs at regular intervals you can configure. By default, policy propagation occurs every eight hours.
Configure Auditing for Specific Active Directory Objects
After you configure an audit policy setting, you can configure auditing for specific objects such as users, computers, organizational units or groups by specifying both the types of access and the users whose access you want to audit.
To configure auditing for specific Active Directory objects (steps may vary for differing Windows operating systems):
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Verify that Advanced Features is selected on the View menu (the command has a checkmark beside it).
3. Right-click the Active Directory object you want to audit (blackjack.com in the example) and select Properties.
4. Click the Security tab, then click the Advanced button. Advanced Security Settings for the object is displayed. Click the Auditing tab.
5. To add an object, click Add.
6. Either enter the name of the user or the group whose access you want to audit in the Enter the object name to select box, then click OK, or browse the list of names and then double-click the user or the group whose access you want to audit.
7. Click to select either the Successful check box or the Failed check box for the actions you want to audit, then click OK. Click OK on the next two windows to exit.
Active Directory Event Mappings
General Mappings
ArcSight Field | Vendor Field
Device Vendor | Microsoft
Device Product | Microsoft Windows
NTDS Database Mappings
Event 1000
ArcSight Field | Vendor Field
Name | Microsoft Active Directory Domain Services startup complete
Device Version | 1 (Microsoft Active Directory Domain services version)
Event 1394
ArcSight Field | Vendor Field
Name | All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
Event 1404
ArcSight Field | Vendor Field
Name | This directory service is now the intersite topology generator and has assumed responsibility for generating and maintaining intersite replication topologies for this site
Event 1844
ArcSight Field | Vendor Field
Name | The local domain controller could not connect with domain controller hosting directory partition to resolve distinguished names
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Event 2064
ArcSight Field | Vendor Field
Name | Active Directory has detected that the quota-tracking table is either missing or not completely built
Message | Active Directory has detected that the quota-tracking table is either missing or not completely built. The table will be rebuilt in the background (resuming the progress of any previous rebuild if possible). Until it has completed, quota enforcement will not be in effect.
Event 2065
ArcSight Field | Vendor Field
Name | Active Directory Domain Services has completed rebuilding the quota-tracking table. Quota enforcement is now in effect.
Event 2886
ArcSight Field | Vendor Field
Name | The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection
Message | Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the LDAP Interface Events event logging category to level 2 or higher.
Windows 2008 NTDS Database Mappings
General
ArcSight Field | Vendor Field
Name | Microsoft Active Directory Domain Services startup complete
Device Version | Microsoft Active Directory Domain services version
Event 1000
ArcSight Field | Vendor Field
Name | Microsoft Active Directory Domain Services startup complete
Device Version | 1 (Microsoft Active Directory Domain services version)
Event 1394
ArcSight Field | Vendor Field
Name | All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
Event 1404
ArcSight Field | Vendor Field
Name | This directory service is now the intersite topology generator and has assumed responsibility for generating and maintaining intersite replication topologies for this site
Event 1844
ArcSight Field | Vendor Field
Name | The local domain controller could not connect with domain controller hosting directory partition to resolve distinguished names
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Event 2064
ArcSight Field | Vendor Field
Name | Active Directory has detected that the quota-tracking table is either missing or not completely built
Message | Active Directory has detected that the quota-tracking table is either missing or not completely built. The table will be rebuilt in the background (resuming the progress of any previous rebuild if possible). Until it has completed, quota enforcement will not be in effect.
Event 2065
ArcSight Field | Vendor Field
Name | Active Directory Domain Services has completed rebuilding the quota-tracking table. Quota enforcement is now in effect.
Event 2886
ArcSight Field | Vendor Field
Name | The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection
Message | Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the LDAP Interface Events event logging category to level 2 or higher.
General NTDS Mappings
Event 1000
ArcSight Field | Vendor Field
Name | Microsoft Active Directory startup complete
Device Version | 1 (Microsoft Active Directory Domain Services version)
Event 1004
ArcSight Field | Vendor Field
Name | Active Directory Domain Services was shut down successfully
Event 1104
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) successfully terminated change notifications
Message | This event can occur if either this directory service or the destination directory service has been moved to another site
Destination Host Name | 2 (Destination network address)
Device Custom String 1 | Directory partition
Device Custom String 6 | Destination directory service
Source User Name | User
Event 1126
ArcSight Field | Vendor Field
Name | Active Directory was unable to establish a connection with the global catalog
Message | Make sure a global catalog is available in the forest and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
Device Custom String 4 | Reason or Error Code
Device Custom String 5 | Internal ID
Event 1308
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed
Message | The Connection object for this directory service will be ignored and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
Device Custom Number 2 | Period of time (minutes)
Device Custom Number 3 | Attempts
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Directory service
Event 1394
ArcSight Field | Vendor Field
Name | All problems preventing updates to the Active Directory Domain Services database have been cleared
Message | New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
Event 1463
ArcSight Field | Vendor Field
Name | Active Directory Domain Services has detected and deleted some possibly corrupted indices as part of initialization
Event 1844
ArcSight Field | Vendor Field
Name | The local domain controller could not connect with domain controller hosting directory partition to resolve distinguished names
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Device Custom String 5 | Internal ID
Destination Host Name | 5 (Source directory service address)
Event 1863
ArcSight Field | Vendor Field
Name | This directory server has not received replication information from a number of directory servers within the configured latency interval
Device Custom String 1 | Directory partition
Device Custom Number 1 | Number of directory servers in all sites
Device Custom Number 2 | Number of directory servers in this site
Device Custom Number 3 | Latency Interval (Hours)
File Type | Registry Key
File Name | 5 (Registry Key)
Event 1864
ArcSight Field | Vendor Field
Name | This is the replication status for directory partition on this directory server
Message | Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects and may be automatically blocked from future replication until it is reconciled.
Device Custom String 1 | Directory partition
Device Custom Number 1 | More than 24 hours
Device Custom Number 2 | More than a week
Device Custom Number 3 | More than one month
Event 1869
ArcSight Field | Vendor Field
Name | Active Directory has located a global catalog
Device Custom String 5 | Site
Destination Host Name | 1 (Global catalog)
Event 1898
ArcSight Field | Vendor Field
Name | Internal event: Schema object was modified
Device Custom String 5 | Schema object
File Name | 1 (Schema object name)
File Type | Schema object
Event 1925
ArcSight Field | Vendor Field
Name | The attempt to establish a replication link for writable directory partition failed
Message | This directory service will be unable to replicate with the source directory service until this problem is corrected
Destination Host Name | 2 (Source directory service address)
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source directory service
Source User Name | User
Event 1926
ArcSight Field | Vendor Field
Name | The attempt to establish a replication link to a read-only directory partition failed
Destination Host Name | 2 (Source domain controller address)
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
Source User Name | User
Event 2013
ArcSight Field | Vendor Field
Name | Active Directory Domain Services is rebuilding indices as part of the initialization process
Device Custom Number 3 | Indices
Event 2014
ArcSight Field | Vendor Field
Name | Active Directory Domain Services successfully completed rebuilding indices
Device Custom Number 3 | Indices
Event 2041
ArcSight Field | Vendor Field
Name | Duplicate event log entries were suppressed
Message | See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.
Device Custom String 1 | Event Code
Device Custom Number 3 | Number of duplicate entries
Event 2064
ArcSight Field | Vendor Field
Name | Active Directory Domain Services has detected that the quota-tracking table is either missing or not completely built
Message | The table will be rebuilt in the background (resuming the progress of any previous rebuild if possible). Until it has completed, quota enforcement will not be in effect.
Event 2087
ArcSight Field | Vendor Field
Name | Active Directory Domain Services could not resolve DNS host name of the source domain controller to an IP address
Message | This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
File Type | Registry key
File Name | All of (5 ’’ 6)
Destination Host Name | 2 (Failing DNS host name)
Event 2088
ArcSight Field | Vendor Field
Name | Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller
Message | To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
File Type | Registry key
File Name | All of (5,'',6)
Destination Host Name | 2 (Failing DNS host name)
Event 2092
ArcSight Field | Vendor Field
Name | This server is the owner of FSMO role but does not consider it valid
Message | For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. Operations which require contacting a FSMO operation master will fail until this condition is corrected.
Device Custom String 1 | 4 (FSMO Role)
Event 2886
ArcSight Field | Vendor Field
Name | The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection
Message | Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the LDAP Interface Events event logging category to level 2 or higher.
Windows 2008 General NTDS Mappings
Event 1000
ArcSight Field | Vendor Field
Name | Microsoft Active Directory startup complete
Device Version | 1 (Microsoft Active Directory Domain Services version)
Event 1004
ArcSight Field | Vendor Field
Name | Active Directory Domain Services was shut down successfully
Event 1104
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) successfully terminated change notifications
Message | This event can occur if either this directory service or the destination directory service has been moved to another site.
Destination Host Name | 2 (Destination network address)
Device Custom String 1 | Directory partition
Device Custom String 6 | Destination directory service
Source User Name | User
Event 1126
ArcSight Field | Vendor Field
Name | Active Directory was unable to establish a connection with the global catalog
Message | Make sure a global catalog is available in the forest and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
Device Custom String 4 | Reason or Error Code
Device Custom String 5 | Internal ID
Event 1308
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service have consistently failed
Message | The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
Device Custom Number 2 | Period of time (minutes)
Device Custom Number 3 | Attempts
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Directory service
Event 1394
ArcSight Field | Vendor Field
Name | All problems preventing updates to the Active Directory Domain Services database have been cleared
Message | New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
Event 1463
ArcSight Field | Vendor Field
Name | Active Directory Domain Services has detected and deleted some possibly corrupted indices as part of initialization
Event 1844
ArcSight Field | Vendor Field
Name | The local domain controller could not connect with domain controller hosting directory partition to resolve distinguished names
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Device Custom String 5 | Internal ID
Destination Host Name | 5 (Source directory service address)
Event 1863
ArcSight Field | Vendor Field
Name | This directory server has not received replication information from a number of directory servers within the configured latency interval
Device Custom String 1 | Directory partition
Device Custom Number 1 | Number of directory servers in all sites
Device Custom Number 2 | Number of directory servers in this site
Device Custom Number 3 | Latency Interval (Hours)
File Type | Registry Key
File Name | 5 (Registry Key)
Event 1864
ArcSight Field | Vendor Field
Name | This is the replication status for directory partition on this directory server
Message | Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
Device Custom String 1 | Directory partition
Device Custom Number 1 | More than 24 hours
Device Custom Number 2 | More than a week
Device Custom Number 3 | More than one month
Event 1869
ArcSight Field | Vendor Field
Name | Active Directory has located a global catalog
Device Custom String 5 | Site
Destination Host Name | 1 (Global catalog)
Event 1898
ArcSight Field | Vendor Field
Name | Internal event: Schema object was modified
Device Custom String 5 | Schema object
File Name | 1 (Schema object name)
File Type | Schema object
Event 1925
ArcSight Field | Vendor Field
Name | The attempt to establish a replication link for writable directory partition failed
Message | This directory service will be unable to replicate with the source directory service until this problem is corrected.
Destination Host Name | 2 (Source directory service address)
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source directory service
Source User Name | User
Event 1926
ArcSight Field | Vendor Field
Name | The attempt to establish a replication link to a read-only directory partition failed
Destination Host Name | 2 (Source domain controller address)
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
Source User Name | User
Event 2013
ArcSight Field | Vendor Field
Name | Active Directory Domain Services is rebuilding indices as part of the initialization process
Device Custom Number 3 | Indices
Event 2014
ArcSight Field | Vendor Field
Name | Active Directory Domain Services successfully completed rebuilding indices
Device Custom Number 3 | Indices
Event 2041
ArcSight Field | Vendor Field
Name | Duplicate event log entries were suppressed
Message | See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.
Device Custom String 1 | Event Code
Device Custom Number 3 | Number of duplicate entries
Event 2064
ArcSight Field | Vendor Field
Name | Active Directory Domain Services has detected that the quota-tracking table is either missing or not completely built
Message | The table will be rebuilt in the background (resuming the progress of any previous rebuild if possible). Until it has completed, quota enforcement will not be in effect.
Event 2087
ArcSight Field | Vendor Field
Name | Active Directory Domain Services could not resolve DNS host name of the source domain controller to an IP address
Message | This error prevents additions, deletions, and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
File Type | Registry key
File Name | All of (5,'',6)
Destination Host Name | 2 (Failing DNS host name)
Event 2088
ArcSight Field | Vendor Field
Name | Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller
Message | To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers, or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
File Type | Registry key
File Name | All of (5,'',6)
Destination Host Name | 2 (Failing DNS host name)
Event 2092
ArcSight Field | Vendor Field
Name | This server is the owner of FSMO role but does not consider it valid
Message | For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. Operations which require contacting a FSMO operation master will fail until this condition is corrected.
Device Custom String 1 | 4 (FSMO Role)
Event 2886
ArcSight Field | Vendor Field
Name | The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection
Message | Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the LDAP Interface Events event logging category to level 2 or higher.
NTDS ISAM Mappings
Event 102
ArcSight Field | Vendor Field
Name | The database engine started a new instance
Device Version | All of (5,'',6,'',7,'',8)
Device Custom String 5 | Instance ID
Event 103
ArcSight Field | Vendor Field
Name | The database engine stopped the instance
Device Custom String 5 | Instance ID
Event 300
ArcSight Field | Vendor Field
Name | The database engine is initiating recovery steps
Event 301
ArcSight Field | Vendor Field
Name | The database engine has begun replaying logfile
File Name | 4 (logfile)
Device Custom Number 1 | 7 (Time Seen)
Device Custom String 4 | 5 (Processing Stats)
Device Custom String 5 | 6 (Most Frequent Record Type)
Event 302
ArcSight Field | Vendor Field
Name | The database engine has successfully completed recovery steps
Event 609
ArcSight Field | Vendor Field
Name | The database engine is initiating index cleanup of database as a result of a Windows version upgrade
Message | This message is informational and does not indicate a problem in the database.
File Name | 4 (database)
Device Version | All of (5,'',6,'',7,'',8)
Device Custom String 5 | Old device version
Event 611
ArcSight Field | Vendor Field
Name | The secondary index of table will be rebuilt as a precautionary measure after the Windows version upgrade of this system
File Name | 4 (database)
Device Custom String 5 | Database Index
Device Custom String 6 | Database Table
Event 612
ArcSight Field | Vendor Field
Name | The database engine has successfully completed index cleanup on database
File Name | 4 (database)
Event 614
ArcSight Field | Vendor Field
Name | The secondary index of table may be corrupt
Message | If there is no later event showing the index being rebuilt, then please defragment the database to rebuild the index.
File Name | 4 (database)
Device Custom String 5 | Database Index
Device Custom String 6 | Database Table
Event 626
ArcSight Field | Vendor Field
Name | The database engine updated index entries in database because of a change in the NLS version
Message | This message is informational and does not indicate a problem in the database.
Device Custom Number 3 | Index entries
File Name | 5 (database)
Event 700
ArcSight Field | Vendor Field
Name | Online defragmentation is beginning a full pass on database
File Name | 4 (database)
Event 701
ArcSight Field | Vendor Field
Name | Online defragmentation has completed a full pass on database
File Name | 4 (database)
Event 702
ArcSight Field | Vendor Field
Name | Online defragmentation is resuming its pass on database
File Name | 4 (database)
Event 703
ArcSight Field | Vendor Field
Name | Online defragmentation has completed the resumed pass on database
File Name | 4 (database)
Event 704
ArcSight Field | Vendor Field
Name | Online defragmentation of database was interrupted and terminated
Message | The next time online defragmentation is started on this database, it will resume from the point of interruption.
File Name | 4 (database)
Windows 2008 NTDS ISAM Mappings
Event 102
ArcSight Field | Vendor Field
Name | The database engine started a new instance
Device Version | All of (5,'',6,'',7,'',8)
Device Custom String 5 | Instance ID
Event 103
ArcSight Field | Vendor Field
Name | The database engine stopped the instance
Device Custom String 5 | Instance ID
Event 300
ArcSight Field | Vendor Field
Name | The database engine is initiating recovery steps
Event 301
ArcSight Field | Vendor Field
Name | The database engine has begun replaying logfile
File Name | 4 (logfile)
Device Custom Number 1 | 7
Device Custom String 4 | 5
Device Custom String 5 | 6
Event 302
ArcSight Field | Vendor Field
Name | The database engine has successfully completed recovery steps
Event 609
ArcSight Field | Vendor Field
Name | The database engine is initiating index cleanup of database as a result of a Windows version upgrade
Message | This message is informational and does not indicate a problem in the database.
File Name | 4 (database)
Device Version | All of (5,'',6,'',7,'',8)
Device Custom String 5 | Old device version
Event 611
ArcSight Field | Vendor Field
Name | The secondary index of table will be rebuilt as a precautionary measure after the Windows version upgrade of this system
File Name | 4 (database)
Device Custom String 5 | Database Index
Device Custom String 6 | Database Table
Event 612
ArcSight Field | Vendor Field
Name | The database engine has successfully completed index cleanup on database
File Name | 4 (database)
Event 614
ArcSight Field | Vendor Field
Name | The secondary index of table may be corrupt
Message | If there is no later event showing the index being rebuilt, then please defragment the database to rebuild the index.
File Name | 4 (database)
Device Custom String 5 | Database Index
Device Custom String 6 | Database Table
Event 626
ArcSight Field | Vendor Field
Name | The database engine updated index entries in database because of a change in the NLS version
Message | This message is informational and does not indicate a problem in the database.
Device Custom Number 3 | Index entries
File Name | 5 (database)
Event 700
ArcSight Field | Vendor Field
Name | Online defragmentation is beginning a full pass on database
File Name | 4 (database)
Event 701
ArcSight Field | Vendor Field
Name | Online defragmentation has completed a full pass on database
File Name | 4 (database)
Event 702
ArcSight Field | Vendor Field
Name | Online defragmentation is resuming its pass on database
File Name | 4 (database)
Event 703
ArcSight Field | Vendor Field
Name | Online defragmentation has completed the resumed pass on database
File Name | 4 (database)
Event 704
ArcSight Field | Vendor Field
Name | Online defragmentation of database was interrupted and terminated
Message | The next time online defragmentation is started on this database, it will resume from the point of interruption.
File Name | 4 (database)
NTDS KCC Mappings
Event 1104
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) successfully terminated change notifications
Message | This event can occur if either this directory service or the destination directory service has been moved to another site.
Destination Host Name | 2 (Destination network address)
Destination User Name | User
Device Custom String 1 | Directory partition
Device Custom String 6 | Destination directory service
Event 1128
ArcSight Field | Vendor Field
Name | A replication connection was created from source directory service to the local directory service
Device Custom String 1 | Creation Point Internal ID
Device Custom String 4 | Reason or Error Code
Device Custom String 5 | Local directory service
Device Custom String 6 | Source directory service
Event 1308
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with directory service have consistently failed
Message | The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
Device Custom Number 2 | Period of time (minutes)
Device Custom Number 3 | Attempts
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Domain service
Event 1926
ArcSight Field | Vendor Field
Name | The attempt to establish a replication link to a read-only directory partition failed
Destination Host Name | 2 (Source domain controller address)
Destination User Name | User
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
Windows 2008 NTDS KCC Mappings
Event 1104
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) successfully terminated change notifications
Message | This event can occur if either this directory service or the destination directory service has been moved to another site.
Destination Host Name | 2 (Destination network address)
Destination User Name | User
Device Custom String 1 | Directory partition
Device Custom String 6 | Destination directory service
Event 1128
ArcSight Field | Vendor Field
Name | A replication connection was created from source directory service to the local directory service
Device Custom String 1 | Creation Point Internal ID
Device Custom String 4 | Reason or Error Code
Device Custom String 5 | Local directory service
Device Custom String 6 | Source directory service
Event 1308
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with directory service have consistently failed
Message | The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
Device Custom Number 2 | Period of time (minutes)
Device Custom Number 3 | Attempts
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Domain service
Event 1926
ArcSight Field | Vendor Field
Name | The attempt to establish a replication link to a read-only directory partition failed
Destination Host Name | 2 (Source domain controller address)
Destination User Name | User
Device Custom String 1 | Directory partition
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
Windows 2008 NTDS LDAP Mappings
Event 1000
ArcSight Field | Vendor Field
Name | Microsoft Active Directory Domain Services startup complete
Device Version | 1 (Version)
Event 1004
ArcSight Field | Vendor Field
Name | Active Directory Domain Services was shut down successfully
Event 1126
ArcSight Field | Vendor Field
Name | Active Directory Domain Services was unable to establish a connection with the global catalog
Device Custom String 4 | Reason or Error Code
Device Custom String 5 | Internal ID
Event 1220
ArcSight Field | Vendor Field
Name | LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate
Device Custom String 4 | Reason or Error Code
Event 1308
ArcSight Field | Vendor Field
Name | The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service have consistently failed
Message | The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.
Device Custom Number 2 | Period of time (minutes)
Device Custom Number 3 | Attempts
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Directory service
Event 1394
ArcSight Field | Vendor Field
Name | All problems preventing updates to the Active Directory Domain Services database have been cleared
Message | New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
Event 1869
ArcSight Field | Vendor Field
Name | Active Directory Domain Services has located a global catalog
Device Custom String 5 | Site
Destination Host Name | 1 (Global catalog)
Event 2087
ArcSight Field | Vendor Field
Name | Active Directory Domain Services could not resolve DNS host name of the source domain controller to an IP address
Message | This error prevents additions, deletions, and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
File Type | Registry key
File Name | All of (5,'',6)
Source Host Name | 2 (Failing DNS host name)
Event 2088
ArcSight Field | Vendor Field
Name | Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller
Message | To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers, or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
File Type | Registry key
File Name | All of (5,'',6)
Source Host Name | 2 (Failing DNS host name)
Event 2886
ArcSight Field | Vendor Field
Name | The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection
Message | Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the LDAP Interface Events event logging category to level 2 or higher.
Event 2887
ArcSight Field | Vendor Field
Name | During the previous 24 hour period, some clients attempted to perform LDAP binds
Message | During the previous 24 hour period, some clients attempted to perform LDAP binds that were either (1) a SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) an LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection. This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. Summary information on the number of these binds received within the past 24 hours is below. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the LDAP Interface Events event logging category to level 2 or higher.
Device Custom Number 1 | Number of simple binds performed without SSL/TLS
Device Custom Number 2 | Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing
NTDS Replication Mappings
Event 1188
ArcSight Field | Vendor Field
Name | A thread in Active Directory Domain Services is waiting for the completion of an RPC made to directory service
Message | Active Directory Domain Services has attempted to cancel the call and recover this thread. If this condition continues, restart the directory service.
Device Custom String 1 | Thread ID
Device Custom String 5 | Operation
Device Custom String 6 | Directory service
Device Custom Number 2 | Timeout period (minutes)
Event 1232
ArcSight Field | Vendor Field
Name | Active Directory Domain Services attempted to perform a remote procedure call (RPC) to server. The call timed out and was cancelled
Destination Host Name | 2 (Destination Host Name)
Device Custom Number 2 | Call Timeout (Mins)
Device Custom String 1 | Thread ID
Device Custom String 5 | Internal ID
Source User Name | User
Event 1863
ArcSight Field | Vendor Field
Name | This is the replication status for directory partition on this directory server
Message | This directory server has not received replication information from a number of directory servers within the configured latency interval. To identify the directory servers by name, use the dcdiag.exe tool. You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is: repadmin /showvector /latency <partition-dn>
Device Custom String 1 | Directory partition
Device Custom Number 1 | Number of domain controllers in all sites
Device Custom Number 3 | Number of domain controllers in this site
Device Custom Number 2 | Latency Interval (Hours)
File Type | Registry Key
File Name | Both (5,'Replicator latency error interval (hours)')
Event 2087
ArcSight Field | Vendor Field
Name | Active Directory Domain Services could not resolve DNS host name of the source domain controller to an IP address. This error prevents additions, deletions, and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Source Host Name | 2 (Failing DNS host name)
Device Custom String 4 | Reason or Error Code
Device Custom String 6 | Source domain controller
File Type | Registry key
File Name | All of (5,'',6)
Event 2092
ArcSight Field | Vendor Field
Name | This server is the owner of FSMO role but does not consider it valid
Message | For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. Operations which require contacting a FSMO operation master will fail until this condition is corrected.
Device Custom String 1 | FSMO Role
Configuration Guide for Windows Event Native Smart Connector
Event 2087 Page 109 of 349
Event 2887ArcSight Field Vendor Field
Name During the previous 24 hour period some clients attempted to performLDAP binds
Message During the previous 24 hour period some clients attempted to performLDAP binds that were either (1) A SASL (Negotiate Kerberos NTLM orDigest) LDAP bind that did not request signing (integrity validation) or (2) ALDAP simple bind that was performed on a cleartext (non-SSLTLS-encrypted)connection This directory server is not currently configured to reject suchbinds The security of this directory server can be significantly enhanced byconfiguring the server to reject such binds For more details and informationon how to make this configuration change to the server please seehttpgomicrosoftcomfwlinkLinkID=87923 Summary information on thenumber of these binds received within the past 24 hours is below You canenable additional logging to log an event each time a client makes such a bindincluding information on which client made the bind To do so please raisethe setting for the LDAP Interface Events event logging category to level 2or higher
Device Custom Number 1 Number of simple binds performed without SSLTLS
Device Custom Number 2 Number of NegotiateKerberosNTLMDigest binds performed withoutsigning
Windows 2008 NTDS Replication Mappings

Event 1188
ArcSight Field                Vendor Field
Name                          A thread in Active Directory Domain Services is waiting for the completion of a RPC made to directory service.
Message                       Active Directory Domain Services has attempted to cancel the call and recover this thread. If this condition continues, restart the directory service.
Device Custom String 1        Thread ID
Device Custom String 5        Operation
Device Custom String 6        Directory service
Device Custom Number 2        Timeout period (minutes)

Event 1232
ArcSight Field                Vendor Field
Name                          Active Directory Domain Services attempted to perform a remote procedure call (RPC) to server. The call timed out and was cancelled.
Destination Host Name         2 (Destination Host Name)
Device Custom Number 2        Call Timeout (Mins)
Device Custom String 1        Thread ID
Device Custom String 5        Internal ID
Source User Name              User

Event 1863
ArcSight Field                Vendor Field
Name                          This is the replication status for directory partition on this directory server.
Message                       This directory server has not received replication information from a number of directory servers within the configured latency interval. To identify the directory servers by name, use the dcdiag.exe tool. You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is: repadmin /showvector /latency <partition-dn>.
Device Custom String 1        Directory partition
Device Custom Number 1        Number of domain controllers in all sites
Device Custom Number 3        Number of domain controllers in this site
Device Custom Number 2        Latency Interval (Hours)
File Type                     Registry Key
File Name                     Both (5, 'Replicator latency error interval (hours)')

Event 2087
ArcSight Field                Vendor Field
Name                          Active Directory Domain Services could not resolve DNS host name of the source domain controller to an IP address. This error prevents additions, deletions, and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Source Host Name              2 (Failing DNS host name)
Device Custom String 4        Reason or Error Code
Device Custom String 6        Source domain controller
File Type                     Registry key
File Name                     All of (5, '', 6)

Event 2092
ArcSight Field                Vendor Field
Name                          This server is the owner of FSMO role but does not consider it valid.
Message                       For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. Operations which require contacting a FSMO operation master will fail until this condition is corrected.
Device Custom String 1        FSMO Role

Event 2887
ArcSight Field                Vendor Field
Name                          During the previous 24 hour period, some clients attempted to perform LDAP binds.
Message                       During the previous 24 hour period, some clients attempted to perform LDAP binds that were either (1) a SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) an LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection. This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. Summary information on the number of these binds received within the past 24 hours is below. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Device Custom Number 1        Number of simple binds performed without SSL/TLS
Device Custom Number 2        Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing
NTDS LDAP Mappings

Event 1000
ArcSight Field                Vendor Field
Name                          'Microsoft Active Directory Domain Services startup complete'
Device Version                1 (Version)

Event 1004
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services was shut down successfully'

Event 1126
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services was unable to establish a connection with the global catalog'
Device Custom String 5        Internal ID
Device Custom String 4        Reason or Error Code
Reason                        3 (Reason or Error Code)

Event 1138
ArcSight Field                Vendor Field
Name                          'Function entered'
Message                       Both ('Internal event: Function ', 1, ' entered')

Event 1139
ArcSight Field                Vendor Field
Name                          'Function exited'
Message                       Both ('Internal event: Function ', 1, ' exited')

Event 1213
ArcSight Field                Vendor Field
Name                          'An LDAP client connection was closed because it was disconnected on the client side'
Device Custom String 5        Internal ID

Event 1215
ArcSight Field                Vendor Field
Name                          'An LDAP client connection was closed because the client closed the connection'
Device Custom String 5        Internal ID

Event 1216
ArcSight Field                Vendor Field
Name                          'An LDAP client connection was closed because of an error'
Source Address                1 (Source address)
Reason                        3 (Reason or Error Code)
Device Custom String 5        Internal ID

Event 1220
ArcSight Field                Vendor Field
Name                          'LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate'
Device Custom String 4        Reason or Error Code

Event 1308
ArcSight Field                Vendor Field
Name                          'The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed'
Message                       'The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.'
Device Custom Number 3        Attempts
Device Custom String 6        Directory service
Device Custom Number 2        Period of time (minutes)
Device Custom String 4        Reason or Error Code

Event 1317
ArcSight Field                Vendor Field
Name                          'The directory service has disconnected the LDAP connection'
Message                       'The directory service has disconnected the LDAP connection from the following network address due to a time-out'
Source Address                1 (Source address)

Event 1394
ArcSight Field                Vendor Field
Name                          'All problems preventing updates to the Active Directory Domain Services database have been cleared'
Message                       'New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.'

Event 1535
ArcSight Field                Vendor Field
Name                          'The LDAP server returned an error'
Message                       Both ('The LDAP server returned an error value ', 1)
Reason                        1 (Reason or Error Code)

Event 1655
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful'
Device Host Name              1 (Host name)
Reason                        2 (Reason or Error Code)

Event 1869
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services has located a global catalog'
Destination Host Name         1 (Host name)
Device Custom String 5        Site

Event 2041
ArcSight Field                Vendor Field
Name                          'Duplicate event log entries were suppressed'
Message                       'See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.'
Device Custom Number 3        Number of duplicate entries

Event 2087
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services could not resolve DNS host name of the source domain controller to an IP address'
Message                       'This error prevents additions, deletions, and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.'
Device Custom String 6        Source domain controller
Source Host Name              2 (Host name)
Device Custom String 4        Reason or Error Code
File Type                     'Registry Key'
File Name                     All of (5, '', 6)

Event 2088
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller'
Message                       'To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.'
Device Custom String 6        Alternate server name
Source Host Name              2 (Host name)
Device Custom String 4        Reason or Error Code
File Type                     'Registry Key'
File Name                     All of (5, '', 6)

Event 2089
ArcSight Field                Vendor Field
Name                          'This directory partition has not been backed up'
Message                       'This directory partition has not been backed up since at least the following number of days'
Device Custom String 1        Directory partition
Device Custom Number 2        Latency interval (hours)
File Type                     'Registry Key'
File Name                     All of (3, '', 4)

Event 2886
ArcSight Field                Vendor Field
Name                          'The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection'
Message                       Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

Event 2887
ArcSight Field                Vendor Field
Name                          During the previous 24 hour period, some clients attempted to perform LDAP binds.
Message                       During the previous 24 hour period, some clients attempted to perform LDAP binds that were either (1) a SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) an LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection. This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. Summary information on the number of these binds received within the past 24 hours is below. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Device Custom Number 1        Number of simple binds performed without SSL/TLS
Device Custom Number 2        Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing

Event 2889
ArcSight Field                Vendor Field
Name                          'LDAP bind without requesting signing or performed a simple bind'
Message                       'The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection'
Source User Name              2 (User name)
Source Address                1 (Source address)
Windows 2012/Windows 8 NTDS LDAP Mappings

General
ArcSight Field                Vendor Field
Device Vendor                 'Microsoft'
Device Product                'Microsoft Windows'

Event 1000
ArcSight Field                Vendor Field
Name                          'Microsoft Active Directory Domain Services startup complete'
Device Version                1 (Version)

Event 1004
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services was shut down successfully'

Event 1126
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services was unable to establish a connection with the global catalog'
Device Custom String 5        Internal ID
Device Custom String 4        Reason or Error Code
Reason                        3 (Reason or Error Code)

Event 1138
ArcSight Field                Vendor Field
Name                          'Function entered'
Message                       Both ('Internal event: Function ', 1, ' entered')

Event 1139
ArcSight Field                Vendor Field
Name                          'Function exited'
Message                       Both ('Internal event: Function ', 1, ' exited')

Event 1213
ArcSight Field                Vendor Field
Name                          'An LDAP client connection was closed because it was disconnected on the client side'
Device Custom String 5        Internal ID

Event 1215
ArcSight Field                Vendor Field
Name                          'An LDAP client connection was closed because the client closed the connection'
Device Custom String 5        Internal ID

Event 1216
ArcSight Field                Vendor Field
Name                          'An LDAP client connection was closed because of an error'
Source Address                1 (Source address)
Reason                        3 (Reason or Error Code)
Device Custom String 5        Internal ID

Event 1220
ArcSight Field                Vendor Field
Name                          'LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate'
Device Custom String 4        Reason or Error Code

Event 1308
ArcSight Field                Vendor Field
Name                          'The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed'
Message                       'The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.'
Device Custom Number 3        Attempts
Device Custom String 6        Directory service
Device Custom Number 2        Period of time (minutes)
Device Custom String 4        Reason or Error Code

Event 1317
ArcSight Field                Vendor Field
Name                          'The directory service has disconnected the LDAP connection'
Message                       'The directory service has disconnected the LDAP connection from the following network address due to a time-out'
Source Address                1 (Source address)

Event 1394
ArcSight Field                Vendor Field
Name                          'All problems preventing updates to the Active Directory Domain Services database have been cleared'
Message                       'New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.'

Event 1535
ArcSight Field                Vendor Field
Name                          'The LDAP server returned an error'
Message                       Both ('The LDAP server returned an error value ', 1)
Reason                        1 (Reason or Error Code)

Event 1655
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful'
Device Host Name              1 (Host name)
Reason                        2 (Reason or Error Code)

Event 1869
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services has located a global catalog'
Destination Host Name         1 (Host name)
Device Custom String 5        Site

Event 2041
ArcSight Field                Vendor Field
Name                          'Duplicate event log entries were suppressed'
Message                       'See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.'
Device Custom Number 3        Number of duplicate entries

Event 2087
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services could not resolve DNS host name of the source domain controller to an IP address'
Message                       'This error prevents additions, deletions, and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.'
Device Custom String 6        Source domain controller
Source Host Name              2 (Host name)
Device Custom String 4        Reason or Error Code
File Type                     'Registry Key'
File Name                     All of (5, '', 6)

Event 2088
ArcSight Field                Vendor Field
Name                          'Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller'
Message                       'To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.'
Device Custom String 6        Alternate server name
Source Host Name              2 (Host name)
Device Custom String 4        Reason or Error Code
File Type                     'Registry Key'
File Name                     All of (5, '', 6)

Event 2089
ArcSight Field                Vendor Field
Name                          'This directory partition has not been backed up'
Message                       'This directory partition has not been backed up since at least the following number of days'
Device Custom String 1        Directory partition
Device Custom Number 2        Latency interval (hours)
File Type                     'Registry Key'
File Name                     All of (3, '', 4)

Event 2886
ArcSight Field                Vendor Field
Name                          'The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection'
Message                       Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

Event 2887
ArcSight Field                Vendor Field
Name                          During the previous 24 hour period, some clients attempted to perform LDAP binds.
Message                       During the previous 24 hour period, some clients attempted to perform LDAP binds that were either (1) a SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or (2) an LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection. This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. Summary information on the number of these binds received within the past 24 hours is below. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Device Custom Number 1        Number of simple binds performed without SSL/TLS
Device Custom Number 2        Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing

Event 2889
ArcSight Field                Vendor Field
Name                          'LDAP bind without requesting signing or performed a simple bind'
Message                       'The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection'
Source User Name              2 (User name)
Source Address                1 (Source address)
Local Administrator Password Solution

MS Local Administrator Password Solution is a network service in Windows Server 2012, Windows Server 2012 R2, Windows Server 2008, and Windows Server 2016 that provides the following services:
- Dial-up remote access server
- Virtual private network (VPN) remote access server
- Internet Protocol (IP) router for connecting subnets of a private network
- Network address translator (NAT) for connecting a private network to the Internet
- Dial-up and VPN site-to-site demand-dial router

Supported Versions
- Microsoft Windows 8
- Microsoft Windows 10
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016

The SmartConnector for Microsoft Windows Event Log – Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for Microsoft Local Administrator Password Solution.

Configuring MS Local Administrator Password Solution

For complete information about Microsoft's Reporting and MS Local Administrator Password Solution, see the "Remote Access (DirectAccess, Routing and Remote Access)" topic in the TechNet Library for Windows Server:
http://technet.microsoft.com/en-us/library/hh831416
Mappings for Microsoft Local Administrator Password Solution

Event 5
ArcSight Field                Vendor Field
Name                          __ifThenElse(1, "Validation passed for new local admin password", "Validation failed for new local admin password against local password policy")
Message                       __ifThenElse(1, "Validation passed for new local admin password", "Validation failed for new local admin password against local password policy")
Reason                        1

Event 10
ArcSight Field                Vendor Field
Name                          __stringConstant("Password expiration too long for computer")
Message                       __stringConstant("Password expiration too long for computer")
Device Action                 __stringConstant("Resetting password now")
Device Custom Number 1        __safeToLong(1)
Device Custom String 1 Label  Excessive Days
Device Custom String 2 Label  Days to change password

Event 11
ArcSight Field                Vendor Field
Name                          __stringConstant("It is not necessary to change password yet")
Message                       __stringConstant("It is not necessary to change password yet")
Device Custom Number 2        __safeToLong(1)

Event 12
ArcSight Field                Vendor Field
Name                          __stringConstant("Local Administrator password has been changed")
Message                       __stringConstant("Local Administrator password has been changed")

Event 13
ArcSight Field                Vendor Field
Name                          __stringConstant("Local Administrator password has been reported to AD")
Message                       __stringConstant("Local Administrator password has been reported to AD")

Event 14
ArcSight Field                Vendor Field
Name                          __stringConstant("Finished Successfully")
Message                       __stringConstant("Finished Successfully")

Event 15
ArcSight Field                Vendor Field
Name                          __stringConstant("Beginning Processing")
Message                       __stringConstant("Beginning Processing")

Event 16
ArcSight Field                Vendor Field
Name                          __stringConstant("Admin account management not enabled")
Message                       __stringConstant("Admin account management not enabled")
Device Action                 __stringConstant("Exiting")
Microsoft Antimalware Logs

Microsoft Antimalware is a network service in Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

Microsoft Antimalware is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system.

The antimalware events are collected from the Windows Event system logs to your storage account. You can configure the storage account for your virtual machine to collect the antimalware events by selecting the appropriate storage account.

This section provides information about the SmartConnector for Microsoft Windows Event Log – Native Microsoft Antimalware and its event mappings to ArcSight data fields.

Supported Versions
- Microsoft Windows 10
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016

The SmartConnector for Microsoft Windows Event Log – Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this section are specifically for Microsoft Antimalware.
Mappings for Antimalware
Event 1000
ArcSight Field Vendor Field
Device Version Product Version
Device Custom String 1 Scan ID
Scan Type Index Scan Type Index
Device Event Category Scan Type
Scan Parameter Index Scan Parameter Index
Device Action Scan Parameters
Source Nt Domain Domain
Microsoft Antimalware Logs Page 133 of 349
ArcSight Field Vendor Field
Source User Name User
Sid SID
File Path Scan resources
Event 1001
ArcSight Field Vendor Field
Device Version Product Version
Device Custom String 1 Scan ID
Scan Type Index Scan Type Index
Device Event Category Scan Type
Scan Parameter Index Scan Parameter Index
Device Action Scan Parameters
Source Nt Domain Domain
Source User Name User
Sid SID
Device Custom Number 1 Scan Time Hours
Device Custom Number 2 Scan Time Minutes
Device Custom Number 3 Scan Time Seconds
Event 1002
ArcSight Field Vendor Field
Device Version Product Version
Device Custom String 1 Scan ID
Scan Type Index Scan Type Index
Device Event Category Scan Type
Scan Parameter Index Scan Parameter Index
Device Action Scan Parameters
Source Nt Domain Domain
Source User Name User
Sid SID
Configuration Guide for Windows Event Native Smart Connector
Event 1001 Page 134 of 349
Event 1005
ArcSight Field Vendor Field
Device Custom String 1 Label Scan ID
Device Custom String 1 Scan ID
Device Custom String 5 Error Code
Device Custom String 5 Label Error Code
Device Event Category Scan Type
Device Action Scan Parameters
Source Nt Domain Domain
Source User Name User
Reason Error Code
Event 1011
ArcSight Field Vendor Field
Device Version Product Version
Source Nt Domain Domain
Source User Name User
Sid SID
Device Custom String 1 Threat Name
Device Custom Number 1 Threat ID
Device Custom Number 2 Severity ID
Device Custom Number 3 Category ID
FWLink FWLink
File Path Path
Device Severity Severity Name
Device Custom String 4 Category Name
Device Custom String2 Signature Version
(Concatenating both the fields) Engine Version
Event 1013
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom Date1 | Timestamp
Source Nt Domain | Domain
Source User Name | User
Sid | SID

Event 1116
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom String 5 | Detection ID
Device Custom Date 1 | Detection Time
Device Custom Number 1 | Threat ID
Device Custom String 1 | Threat Name
Device Custom Number 2 | Severity ID
Device Custom String 3 | Severity Name
Device Custom Number 3 | Category ID
Device Custom String 4 | Category Name
FWLink | FWLink
Status Code | Status Code
Status Description | Status Description
State | State
Source ID | Source ID
Source Name | Source Name
Source Process Name | Process Name
Source User Name | Detection User
File Path | Path
Origin ID | Origin ID
Origin Name | Origin Name
Execution ID | Execution ID
Execution Name | Execution Name
Type ID | Type ID
Old File Type | Type Name
Pre Execution Status | Pre Execution Status
Action ID | Action ID
Device Action | Action Name
Error Code | Error Code
Reason | Error Description
Post Clean Status | Post Clean Status
Additional Action ID | Additional Action ID
Additional Action String | Additional Action String
Remediation User | Remediation User
Device Custom String 2 (concatenating both Engine Version and Signature Version) | Signature Version
Device Custom String 2 (concatenating both Engine Version and Signature Version) | Engine Version
Event 1117
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom String 5 | Detection ID
Device Custom Date 1 | Detection Time
Device Custom Number 1 | Threat ID
Device Custom String 1 | Threat Name
Device Custom Number 2 | Severity ID
Device Custom String 3 | Severity Name
Device Custom Number 3 | Category ID
Device Custom String 4 | Category Name
FWLink | FWLink
Status Code | Status Code
Status Description | Status Description
State | State
Source ID | Source ID
Source Name | Source Name
Source Process Name | Process Name
Source User Name | Detection User
File Path | Path
Origin ID | Origin ID
Origin Name | Origin Name
Execution ID | Execution ID
Execution Name | Execution Name
Type ID | Type ID
Old File Type | Type Name
Pre Execution Status | Pre Execution Status
Action ID | Action ID
Device Action | Action Name
Error Code | Error Code
Reason | Error Description
Post Clean Status | Post Clean Status
Additional Action ID | Additional Action ID
Additional Action String | Additional Action String
Remediation User | Remediation User
Device Custom String 2 (concatenating both Engine Version and Signature Version) | Signature Version
Device Custom String 2 (concatenating both Engine Version and Signature Version) | Engine Version
Event 1150
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom String 2 (concatenating both Engine Version and Signature Version) | Signature Version
Device Custom String 2 (concatenating both Engine Version and Signature Version) | Engine Version

Event 2000
ArcSight Field | Vendor Field
Device Version | Product Version
File Id | Current Signature Version
Old File Id | Previous Signature Version
Source Nt Domain | Domain
Source User Name | User
Sid | SID
Signature Type Index | Signature Type Index
Device Event Category | Signature Type
Update Type Index | Update Type Index
Device Custom String 6 | Update Type
Device Custom String 2 (concatenating both Engine Version and Signature Version) | Current Engine Version
Device Custom String 2 (concatenating both Engine Version and Signature Version) | Previous Engine Version
Event 2001
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Sid | SID
Device Custom String 5 | Error Code
Reason | Error Description
File Path | FWLink

Event 2002
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom String 2 (concatenating both Previous Engine Version and Current Version) | Previous Engine Version
Device Custom String 2 (concatenating both Previous Engine Version and Current Version) | Current Engine Version
Source Nt Domain | Domain
Source User Name | User
Sid | SID
Feature Index | Feature Index
Feature Name | Feature Index Name
Event 2010
ArcSight Field | Vendor Field
Device Version | Product Version
File Id | Current Signature Version
Signature Type Index | Signature Type Index
Device Event Category | Signature Type
Device Custom String 2 | Current Engine Version
Dynamic Signature Type Index | Dynamic Signature Type Index
Dynamic Signature Type | Dynamic Signature Type
File Path | Persistence Path
Dynamic Signature Version | Dynamic Signature Version
Persistence Limit Type Index | Persistence Limit Type Index
Persistence Limit Type | Persistence Limit Type
Persistence Limit Value | Persistence Limit Value

Event 2011
ArcSight Field | Vendor Field
Device Version | Product Version
File Id | Current Signature Version
Signature Type Index | Signature Type Index
Device Event Category | Signature Type
Device Custom String 2 | Current Engine Version
Dynamic Signature Type Index | Dynamic Signature Type Index
Dynamic Signature Type | Dynamic Signature Type
File Path | Persistence Path
Dynamic Signature Version | Dynamic Signature Version
Persistence Limit Type Index | Persistence Limit Type Index
Persistence Limit Type | Persistence Limit Type
Persistence Limit Value | Persistence Limit Value
Removal Reason Index | Removal Reason Index
Reason | Removal Reason Value
Event 3002
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom String 5 | Error Code
Reason | Error Description

Event 5000
ArcSight Field | Vendor Field
Device Version | Product Version

Event 5001
ArcSight Field | Vendor Field
Device Version | Product Version

Event 5004
ArcSight Field | Vendor Field
Device Version | Product Version
File Hash | Feature Name
File Id | Feature ID
Device Custom Number 1 | Configuration
Device Custom Number 1 Label | Configuration

Event 5007
ArcSight Field | Vendor Field
Device Version | Product Version
Old File Name | Old Value
File Name | New Value

Event 5010
ArcSight Field | Vendor Field
Device Version | Product Version

Event 5012
ArcSight Field | Vendor Field
Device Version | Product Version
Microsoft Windows Defender AntiVirus
Microsoft Windows Defender AntiVirus is a network service in Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 and Windows Server 2016 that provides the following services:
• Dial-up remote access server
• Virtual private network (VPN) remote access server
• Internet Protocol (IP) router for connecting subnets of a private network
• Network address translator (NAT) for connecting a private network to the Internet
• Dial-up and VPN site-to-site demand-dial router
This section provides information about configuring Microsoft Windows Defender AntiVirus as a log source and its event mappings to ArcSight data fields.
Supported Versions
• Microsoft Windows 8
• Microsoft Windows 10
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016
The SmartConnector for Microsoft Windows Event Log – Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for Microsoft Remote Access.
Microsoft Windows Defender AntiVirus
For complete information about Microsoft's Reporting and Microsoft Windows Defender AntiVirus, see Microsoft's TechNet Library for Windows Server, "Remote Access (DirectAccess, Routing and Remote Access)":
http://technet.microsoft.com/en-us/library/hh831416
Mappings for Microsoft Windows Defender AntiVirus
Event 1000
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom String1 Label | Scan ID
Device Custom String1 | Scan ID
Scan Type Index | Scan Type Index
Device Event Category | Scan Type
Scan Parameter Index | Scan Parameter Index
Device Action | Scan Parameter
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
File Path | Scan Resources

Event 1001
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom String1 Label | Scan ID
Device Custom String1 | Scan ID
Scan Type Index | Scan Type Index
Device Event Category | Scan Type
Scan Parameter Index | Scan Parameter Index
Device Action | Scan Parameter
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Device Custom Number1 Label | Hours
Device Custom Number1 | Scan Time Hours
Device Custom Number2 Label | Minutes
Device Custom Number2 | Scan Time Minutes
Device Custom Number3 Label | Seconds
Device Custom Number3 | Scan Time Seconds

Event 1002
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom String1 Label | Scan ID
Device Custom String1 | Scan ID
Scan Type Index | Scan Type Index
Device Event Category | Scan Type
Scan Parameter Index | Scan Parameter Index
Device Action | Scan Parameter
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID

Event 1009
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Device Custom String1 Label | Threat Name
Device Custom String1 | Threat Name
Device Custom Number1 Label | Threat ID
Device Custom Number1 | Threat ID
Device Custom Number2 Label | Severity ID
Device Custom Number2 | Severity ID
Device Custom Number3 Label | Category ID
Device Custom Number3 | Category ID
FWLink | FWLink
File Path | Path
Old File ID | Severity Name
Device Custom String4 Label | Category Name
Device Custom String4 | Category Name
Device Custom String2 Label | Signature/Engine Version
Device Custom String2 | Signature Version, Engine Version
Event 1011
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Device Custom String1 Label | Threat Name
Device Custom String1 | Threat Name
Device Custom Number1 Label | Threat ID
Device Custom Number1 | Threat ID
Device Custom Number2 Label | Severity ID
Device Custom Number2 | Severity ID
Device Custom Number3 Label | Category ID
Device Custom Number3 | Category ID
FWLink | FWLink
File Path | Path
Old File ID | Severity Name
Device Custom String4 Label | Category Name
Device Custom String4 | Category Name
Device Custom String2 Label | Signature/Engine Version
Device Custom String2 | Signature Version, Engine Version

Event 1013
ArcSight Field | Vendor Field
Device Version | Product Version
Device Custom Date1 Label | Action Time
Device Custom Date1 | Timestamp
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID

Event 1015
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Device Custom Number1 Label | Threat ID
Device Custom Number1 | Threat ID
Device Custom Number2 Label | Severity ID
Device Custom Number2 | Severity ID
Device Custom Number3 Label | Category ID
Device Custom Number3 | Category ID
Device Custom String6 Label | Detection ID
Device Custom String6 | Detection ID
Device Custom String1 Label | Threat Name
Device Custom String1 | Threat Name
Device Custom String2 Label | Signature/Engine Version
Device Custom String2 | Signature Version, Engine Version
Device Custom String4 Label | Category Name
Device Custom String4 | Category Name
FWLink | FWLink
Source Process Name | Process Name
File Path | Path Found
Request Context | Detection Origin
Old File Type | Detection Type
Source Service Name | Detection Source
Event 1116
ArcSight Field | Vendor Field
Device Version | Product Version
Start Time | Detection Time
Device Custom Number1 Label | Threat ID
Device Custom Number1 | Threat ID
Device Custom Number2 Label | Severity ID
Device Custom Number2 | Severity ID
Device Custom Number3 Label | Category ID
Device Custom Number3 | Category ID
Device Custom String6 Label | Detection ID
Device Custom String6 | Detection ID
Device Custom String1 Label | Threat Name
Device Custom String1 | Threat Name
Device Custom String2 Label | Signature/Engine Version
Device Custom String2 | Signature Version, Engine Version
Device Custom String4 Label | Category Name
Device Custom String4 | Category Name
Old File ID | Severity Name
Status Code | Status Code
Status Description | Status Description
State | State
Source ID | Source ID
FWLink | FWLink
File Path | Path
Request Context | Detection Origin
Source Service Name | Source Name
Source Process Name | Process Name
Source User Name | Detection User
Origin ID | Origin ID
Request Context | Origin Name
Execution ID | Execution ID
Execution Name | Execution Name
Type ID | Type ID
Old File Type | Type Name
Pre Execution Status | Pre Execution Status
Action ID | Action ID
Device Action | Action Name
Reason | Error Code
Device Custom String5 Label | Error Description
Device Custom String5 | Error Description
Post Clean Status | Post Clean Status
Additional Actions ID | Additional Actions ID
Remediation User | Remediation User
Event 1117
ArcSight Field | Vendor Field
Device Version | Product Version
Start Time | Detection Time
Device Custom Number1 Label | Threat ID
Device Custom Number1 | Threat ID
Device Custom Number2 Label | Severity ID
Device Custom Number2 | Severity ID
Device Custom Number3 Label | Category ID
Device Custom Number3 | Category ID
Device Custom String6 Label | Detection ID
Device Custom String6 | Detection ID
Device Custom String1 Label | Threat Name
Device Custom String1 | Threat Name
Device Custom String2 Label | Signature/Engine Version
Device Custom String2 | Signature Version, Engine Version
Device Custom String4 Label | Category Name
Device Custom String4 | Category Name
Old File ID | Severity Name
Status Code | Status Code
Status Description | Status Description
State | State
Source ID | Source ID
FWLink | FWLink
File Path | Path
Request Context | Detection Origin
Source Service Name | Source Name
Source Process Name | Process Name
Source User Name | Detection User
Origin ID | Origin ID
Request Context | Origin Name
Execution ID | Execution ID
Execution Name | Execution Name
Type ID | Type ID
Old File Type | Type Name
Pre Execution Status | Pre Execution Status
Action ID | Action ID
Device Action | Action Name
Reason | Error Code
Device Custom String5 Label | Error Description
Device Custom String5 | Error Description
Post Clean Status | Post Clean Status
Additional Actions ID | Additional Actions ID
Remediation User | Remediation User

Event 1150
ArcSight Field | Vendor Field
Device Version | Platform Version
Device Custom String2 Label | Signature/Engine Version
Device Custom String2 | Signature Version, Engine Version

Event 1151
ArcSight Field | Vendor Field
Device Version | Platform Version
Device Custom String2 Label | Signature/Engine Version
Device Custom String2 | Signature Version, Engine Version
Device Custom String1 Label | RTP State, OA State, IOAV State, BM State
Device Custom String1 | RTP State, OA State, IOAV State, BM State
Device Custom Number1 | safeToLong(updateRevisionNumber)
Device Custom Number1 Label | Last AV Signature Age
Device Custom Number1 | AV signature age
Device Custom Number2 Label | Last AS Signature Age
Device Custom Number2 | AS signature age
Device Custom Number3 Label | Last quick scan age
Device Custom Number3 | Last quick scan age
Device Floating Point1 Label | Last full scan age
Device Floating Point1 | Last full scan age
File Create Time | AV signature creation time
Old File Create Time | AS signature creation time
Start Time | Last quick scan start time
End Time | Last quick scan end time
Device Custom String4 Label | Last Quick Scan Source
Device Custom String4 | Last quick scan source
Device Custom Date1 Label | Last full scan start time
Device Custom Date1 | Last full scan start time
Device Custom Date2 Label | Last full scan end time
Device Custom Date2 | Last full scan end time
Device Custom String6 Label | Last full scan source
Device Custom String6 | Last full scan source
Product status | Product status
Event 2000
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Signature Type Index | Signature Type Index
Device Event Category | Signature Type
Update Type Index | Update Type Index
Device Custom String6 Label | Update Type
Device Custom String6 | Update Type
Device Custom String2 Label | Current Engine Version, Previous Engine Version, Current Signature Version, Previous Signature Version
Device Custom String2 | Current Engine Version, Previous Engine Version, Current Signature Version, Previous Signature Version

Event 2001
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Signature Type Index | Signature Type Index
Device Event Category | Signature Type
Update Type Index | Update Type Index
Device Custom String6 Label | Update Type
Device Custom String6 | Update Type
Device Custom String2 Label | Current Engine Version, Previous Engine Version, Current Signature Version, Previous Signature Version
Device Custom String2 | Current Engine Version, Previous Engine Version, Current Signature Version, Previous Signature Version
Reason | Error Code
Device Custom String5 Label | Error Description
Device Custom String5 | Error Description
File Path | Source Path

Event 2002
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Device Custom String2 Label | Current/Previous Engine Version
Device Custom String2 | Current Engine Version, Previous Engine Version
Feature Index | Feature Index
Device Event Category | Feature Name
Event 2010
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Signature Type Index | Signature Type Index
Device Event Category | Signature Type
Device Custom String2 Label | Current Engine Version, Current Signature Version
Device Custom String2 | Current Engine Version, Current Signature Version
Dynamic Signature Type Index | Dynamic Signature Type Index
Dynamic Signature Type | Dynamic Signature Type
File Path | Persistence Path
Device Custom String1 Label | Dynamic Signature Version
Device Custom String1 | Dynamic Signature Version
Device Custom Date1 Label | Dynamic Signature Compilation Timestamp
Device Custom Date1 | Dynamic Signature Compilation Timestamp
Persistence Limit Type Index | Persistence Limit Type Index
Persistence Limit Type | Persistence Limit Type
Persistence Limit Value | Persistence Limit Value

Event 2011
ArcSight Field | Vendor Field
Device Version | Product Version
Source Nt Domain | Domain
Source User Name | User
Source User ID | SID
Signature Type Index | Signature Type Index
Device Event Category | Signature Type
Device Custom String2 Label | Current Engine Version, Current Signature Version
Device Custom String2 | Current Engine Version, Current Signature Version
Dynamic Signature Type Index | Dynamic Signature Type Index
Dynamic Signature Type | Dynamic Signature Type
File Path | Persistence Path
Device Custom String1 Label | Dynamic Signature Version
Device Custom String1 | Dynamic Signature Version
Device Custom Date1 Label | Dynamic Signature Compilation Timestamp
Device Custom Date1 | Dynamic Signature Compilation Timestamp
Persistence Limit Type Index | Persistence Limit Type Index
Persistence Limit Type | Persistence Limit Type
Persistence Limit Value | Persistence Limit Value
Removal Reason Index | Removal Reason Index
Reason | Removal Reason Value

Event 2030
ArcSight Field | Vendor Field
Device Version | Product Version

Event 3002
ArcSight Field | Vendor Field
Device Version | Product Version
File ID | Feature ID
File Hash | Feature Name
Reason | Error Code
Device Custom String5 Label | Error Description
Device Custom String5 | Error Description

Event 5000
ArcSight Field | Vendor Field
Device Version | Product Version

Event 5001
ArcSight Field | Vendor Field
Device Version | Product Version

Event 5004
ArcSight Field | Vendor Field
Device Version | Product Version
File Hash | Feature Name
Device Custom Number1 | Configuration
Device Custom Number1 Label | Configuration
File ID | Feature ID

Event 5007
ArcSight Field | Vendor Field
Device Version | Product Version
Old File Name | Old Value
File Name | New Value

Event 5010
ArcSight Field | Vendor Field
Device Version | Product Version

Event 5012
ArcSight Field | Vendor Field
Device Version | Product Version
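The tables above only say which Windows event field lands in which ArcSight field; when a detection does not show up in ESM the way you expect, the first check is what the endpoint itself logged. The following PowerShell script is an added example and is not part of this guide or of the connector: it reads recent Windows Defender detection events (1116, threat detected, and 1117, action taken) from the local Operational log and prints the vendor fields that the Event 1116 and Event 1117 tables map. The log name 'Microsoft-Windows-Windows Defender/Operational' and the Data element names are assumptions taken from the Vendor Field column; newer builds are assumed to name the signature field 'Security intelligence Version', so both that and 'Signature Version' are tried.

```powershell
# Added example; not part of the ArcSight guide or connector. Reads recent Windows Defender
# detection events (1116 = threat detected, 1117 = action taken) and shows the vendor fields
# that the mapping tables above place into ArcSight fields.
# Assumption: the Operational log name and the <Data Name="..."> element names below are those
# of the Windows event; they are taken from the Vendor Field column of the tables.
param(
    [int]$Hours = 24,
    [int[]]$EventId = @(1116, 1117)
)

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $EventId
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent reports "no events found" as an error; treat that as an empty result.
try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
}

foreach ($e in $events) {
    # Every <Data Name="..."> element in EventData is one vendor field; index them by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

    # Assumption: newer builds name the signature field 'Security intelligence Version';
    # the tables use the older 'Signature Version', so accept either.
    $sigVersion = if ($data.ContainsKey('Security intelligence Version')) {
        $data['Security intelligence Version'] } else { $data['Signature Version'] }

    [pscustomobject]@{
        TimeCreated      = $e.TimeCreated
        EventId          = $e.Id
        ThreatName       = $data['Threat Name']      # -> Device Custom String1
        SeverityName     = $data['Severity Name']    # -> Old File ID
        CategoryName     = $data['Category Name']    # -> Device Custom String4
        DetectionUser    = $data['Detection User']   # -> Source User Name
        ProcessName      = $data['Process Name']     # -> Source Process Name
        Path             = $data['Path']             # -> File Path
        ActionName       = $data['Action Name']      # -> Device Action (1117 only)
        EngineVersion    = $data['Engine Version']   # -> Device Custom String2 (with signature)
        SignatureVersion = $sigVersion               # -> Device Custom String2 (with engine)
    }
}
```

Run it on the endpoint (or with -ComputerName added to Get-WinEvent against a remote host) and pipe the output to Format-Table or Export-Csv; a field that is empty here will also be empty in the ArcSight field the table maps it to, which separates a connector parsing problem from an endpoint that simply did not log the value.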
Microsoft DNS Server Analytics
Microsoft DNS Server Analytic Logs is a Windows system service and device driver that enables the Microsoft Windows Event Log – Native (WiNC) SmartConnector to monitor and collect the analytic event logs from the DNS Server.
It provides information about operational events such as dynamic updates, zone transfers, and DNSSEC zone signing and unsigning.
This section provides information about the SmartConnector for Microsoft Windows Event Log – Native Microsoft DNS Server Analytic Logs and its event mappings to ArcSight data fields.
Supported Versions
• Microsoft Windows 8
• Microsoft Windows 10
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016
Configuring Microsoft DNS Server Analytic Logs
For information about configuring Microsoft DNS Logging and Microsoft DNS analytic event logs, see Microsoft's DNS Logging and Diagnostics.
Mappings for Windows 2008 R2
General
ArcSight Field | Vendor Field
Device Vendor | ‘Microsoft’
Device Product | ‘Microsoft Windows’
Event 20088
ArcSight Field | Vendor Field
Name | Remote Access Server acquired IP Address
Destination Address | 1 (Assigned Address)
Message | Both (‘The Remote Access Server acquired IP Address ‘1’ to be used on the Server Adapter’)

Event 20106
ArcSight Field | Vendor Field
Name | Unable to add interface
Device Outbound Interface | 1 (Interface)
Application Protocol | 2 (Protocol)
Message | 3 (Message Text)

Event 20184
ArcSight Field | Vendor Field
Name | Interface is unreachable
Device Inbound Interface | 1 (Interface)
Message | Both (‘Interface ‘1’ is unreachable because it is not currently connected to the network’)

Event 20249
ArcSight Field | Vendor Field
Name | Failed to authenticate
Device Custom String 4 | Correlation-ID
Source User Name | 2 (Connected User)
Source NT Domain | 2 (Domain of Connected User)
Application Protocol | 3 (Protocol)
Source Port | 3 (Port)
Message | Both (‘The user ‘2’ has connected and failed to authenticate on port ‘3’. The line has been disconnected’)

Event 20252
ArcSight Field | Vendor Field
Name | Authentication process did not complete
Device Custom String 4 | Correlation-ID
Application Protocol | 2 (Protocol)
Source Port | 2 (Port)
Message | Both (‘The user connected to port ‘2’ has been disconnected because the authentication process did not complete within the required amount of time’)

Event 20255
ArcSight Field | Vendor Field
Name | Connection was prevented
Device Custom String 4 | Correlation-ID
Source User Name | 3 (Connected User)
Source NT Domain | 3 (Domain of Connected User)
Application Protocol | 2 (Protocol)
Source Port | 2 (Port)
Message | 4 (Message Text)

Event 20258
ArcSight Field | Vendor Field
Name | Account does not have Remote Access privilege
Device Custom String 4 | Correlation-ID
Source User Name | 3 (Connected User)
Source NT Domain | 3 (Domain of Connected User)
Application Protocol | 4 (Protocol)
Source Port | 4 (Port)
Message | Both (‘The account for user ‘3’ connected on port ‘4’ does not have Remote Access privilege. The line has been disconnected’)
Event 20266
ArcSight Field | Vendor Field
Name | Successfully authenticated
Device Custom String 4 | Correlation-ID
Source User Name | 3 (Connected User)
Source NT Domain | 3 (Domain of Connected User)
Application Protocol | 4 (Protocol)
Source Port | 4 (Port)
Message | Both (‘The user ‘One of (2, 3)’ has connected and has been successfully authenticated on port ‘One of (3, 4)’. Data sent and received over this link is strongly encrypted’)

Event 20271
ArcSight Field | Vendor Field
Name | Failed an authentication attempt
Device Custom String 4 | Correlation-ID
Source User Name | 2 (Connected User)
Source NT Domain | 2 (Domain of Connected User)
Source Address | 3 (Address)
Reason | 5 (Reason)
Message | 4 (Message Text)

Event 20272
ArcSight Field | Vendor Field
Name | User connected and disconnected
Device Custom String 4 | Correlation-ID
Source User Name | 2 (Connected User)
Source NT Domain | 2 (Domain of Connected User)
Application Protocol | 3 (Protocol)
Source Port | 3 (Port)
Start Time | Both (4, 5)
End Time | Both (5, 6)
Device Custom Number 1 | User active minutes
Device Custom Number 2 | User active seconds
Bytes Out | 10 (Bytes Out)
Bytes In | 10 (Bytes In)
Additional data | 12
Additional data | 13
Additional data | 14
Message | Both (‘The user ‘2’ connected on port ‘3’ on ‘4’ at ‘5’ and disconnected on ‘6’ at ‘7’. The user was active for ‘8’ minutes ‘9’ seconds. ‘10’ bytes were sent and ‘11’ bytes were received. The reason for disconnecting was ‘12’. The tunnel used was ‘13’. The quarantine state was ‘14’’)

Event 20274
ArcSight Field | Vendor Field
Name | User connected and has been assigned address
Device Custom String 4 | Correlation-ID
Source User Name | 2 (Connected User)
Source NT Domain | 2 (Domain of Connected User)
Application Protocol | 3 (Protocol)
Source Port | 3 (Port)
Destination Address | 4 (Assigned Address)
Message | Both (‘The user ‘2’ connected on port ‘3’ has been assigned address ‘4’’)

Event 20275
ArcSight Field | Vendor Field
Name | User disconnected
Device Custom String 4 | Correlation-ID
Source Address | 2 (Address)
Message | Both (‘The user with ip address ‘2’ has disconnected’)
Microsoft Exchange Mailbox Access Auditing
Microsoft Exchange Server is the server side of a client-server collaborative application product developed by Microsoft. It is part of Microsoft's line of server products used by enterprises using Microsoft infrastructure solutions. Microsoft Exchange 2007 Service Pack 2 is supported by this SmartConnector.
This section provides information about the SmartConnector for Microsoft Exchange Access Auditing Windows Event Log Native and its event mappings to ArcSight data fields. This connector supports Microsoft Exchange Server 2007 and 2007 SP3 audit application events for Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 versions.
With Exchange Server 2010, Microsoft has added new native audit capabilities such that the audit logs are maintained in the mailboxes themselves. Retrieving those audit logs is very difficult due to the potential number of mailboxes and the vast amount of data they may contain, and Windows Event Log integration for this will not work.
Therefore, for Microsoft Exchange 2010 and later versions, use the SmartConnector for Microsoft Exchange PowerShell, which retrieves Microsoft Exchange Server 2010 SP2 and 2013 Mailbox Audit logs remotely and lets you specify the mailboxes to be audited.
The SmartConnector for Microsoft Windows Event Log – Native Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for the SmartConnector for Windows Event Log – Native Microsoft Exchange Audit.
Configuring Mailbox Access Auditing
Use the Exchange Management Console to access the configuration area for mailbox access auditing.
Enabling Mailbox Access Auditing
The following figure shows the new Manage Diagnostic Logging Properties menu option.
To configure mailbox access auditing on a particular mailbox server:
1. Select that server in the Exchange Management Console and then select the Manage Diagnostics Logging Properties menu option from the action pane; the Manage Diagnostics Logging Properties window is displayed.
2. Expand the MSExchangeIS category and then expand the 9000 Private category.
3. Under the MSExchangeIS\9000 Private category, configure auditing for any or all of the four possible actions:
• Folder Access, to log events that correspond to opening folders such as the Inbox, Outbox or Sent Items folders
• Message Access, to log events that correspond to explicitly opening messages
• Extended Send As, to log events that correspond to sending a message as a mailbox-enabled user
• Extended Send On Behalf Of, to log events that correspond to sending a message on behalf of a mailbox-enabled user
4. When you complete the auditing level configuration, click Configure.
For more information about Exchange mailbox access auditing, see http://www.msexchange.org/articles_tutorials/exchange-server-2007/compliance-policies-archiving/exchange-2007-mailbox-access-auditing-part1.html
For examples of configuring Exchange mailbox access auditing, see http://www.howexchangeworks.com/2009/09/mailbox-access-auditing-in-exchange.html
Accessing the Audited Information
To view the information logged, navigate to Event Viewer > Applications & Services Log > Exchange Auditing.
Changing Default Log Storage Location
By default, the logs are stored in the Exchange Server installation directory (<Drive>:\Program Files\Microsoft\Exchange Server\Logging\AuditLogs). The logs are archived by default when the location gets full. Therefore, make sure that the location of the logs is changed to a drive that has enough free space.
To modify the log storage location, select the properties for the Exchange Auditing log and change the options.
Excluding Service Accounts
Service accounts that have full access to the mailboxes might fill up your mailbox access log with events. To exclude service accounts from being audited, run the following command:
Get-MailboxDatabase -Identity "<server>\<sg>\<dbname>" | Add-ADPermission -User "<service account>" -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All
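The right granted by that command is a standing exclusion from mailbox access auditing, so any account holding it is a blind spot for the connector and should be reviewed regularly. The following Exchange Management Shell script is an added example and is not part of this guide: it lists every account that holds ms-Exch-Store-Bypass-Access-Auditing on a mailbox database and flags any that are not on an approved list. It assumes Get-MailboxDatabase and Get-ADPermission are the Exchange cmdlets shown above, that Get-ADPermission output exposes the ExtendedRights, User, Deny and IsInherited properties, and that the -ApprovedAccounts parameter is an invention of this example.

```powershell
# Added example; not part of the ArcSight guide. Lists every account that holds the
# ms-Exch-Store-Bypass-Access-Auditing right on a mailbox database (that is, whose mailbox
# access is not audited) and flags any that are not on an approved list.
# Assumptions: run in the Exchange Management Shell; Get-MailboxDatabase / Get-ADPermission
# are the Exchange cmdlets and Get-ADPermission exposes ExtendedRights, User, Deny and
# IsInherited; -ApprovedAccounts is a parameter invented for this example.
param(
    # Omit to review every database; otherwise use the <server>\<sg>\<dbname> form from above.
    [string]$Identity,
    # Service accounts that are allowed to bypass auditing, for example 'CONTOSO\svc-backup'.
    [string[]]$ApprovedAccounts = @()
)

$right = 'ms-Exch-Store-Bypass-Access-Auditing'

$databases = if ($Identity) { Get-MailboxDatabase -Identity $Identity } else { Get-MailboxDatabase }

foreach ($db in $databases) {
    $db | Get-ADPermission |
        Where-Object {
            # Only allow entries count; a Deny ACE does not grant the bypass.
            -not $_.Deny -and
            (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right)
        } |
        ForEach-Object {
            $user = "$($_.User)"
            [pscustomobject]@{
                Database    = $db.Name
                User        = $user
                IsInherited = $_.IsInherited
                # False means an exclusion nobody signed off on; investigate before removing it.
                Approved    = ($ApprovedAccounts -contains $user)
            }
        }
}
```

Run it periodically (or after any change to database permissions) and keep the output with the audit records; a row with Approved = False is an account whose mailbox access the Exchange Auditing log, and therefore this connector, will never record.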
Device Event Mapping to ArcSight Fields
The following section lists the mappings of ArcSight data fields to the device's specific event definitions. See ArcSight 101 for more information about the ArcSight data fields.
Exchange Events 10100, 10101 Mappings
ArcSight ESM Field | Device-Specific Field
Device Custom IPv6 Address 3 | Destination IPv6 Address
Device Custom Number 1 | Source Process ID
Device Custom String 4 | Mailbox Name
Device Custom String 5 | Relatively Unique Identifier
File Name | 2 (Message ID or Folder name, depending upon event)
File Path | 1 (Folder path)
Name | A folder in mailbox was opened by user
Source Host Name | 9 (Account Name)
Source Process Name | 11 (Process Name)
Source Service Name | 13 (Application ID)
Target Address | Address
Destination User ID | 5 (Accessing User (full Exchange ID))
Destination User Name | 4 (Account Name)
Destination User Privileges | One of ('Administrative rights were used', ' ')
Exchange Event 10102 Mappings
ArcSight ESM Field | Device-Specific Field
Device Custom IPv6 Address 3 | Destination IPv6 Address
Device Custom Number 1 | Source Process ID
Device Custom Number 3 | Administrative Rights
Device Custom String 4 | Mailbox Name
Device Custom String 5 | Identifier
Device Custom String 6 | Administrative Rights
File Name | Message ID or Folder name, depending upon event
File Path | Folder path (when relevant)
Name | A message in mailbox was opened by user
Source Host Name | Machine Name
Source Process Name | Process Name
Source Service Name | Application ID
Source User ID | Accessing User (full Exchange ID)
Source User Name | Account Name
Target Address | Address
Exchange Events 10104, 10106 Mappings
ArcSight ESM Field | Device-Specific Field
Device Custom IPv6 Address 3 | Destination IPv6 Address
Device Custom Number 1 | Source Process ID
Device Custom String 4 | Mailbox Name
Device Custom String 5 | Relatively Unique Identifier
Device Custom String 6 | Sent as user
File Name | 3 (Message ID or Folder name, depending upon event)
Name | User sent a message on behalf of another user
Source Host Name | 10 (Machine Name)
Source Process Name | 12 (Process Name)
Source Service Name | 14 (Application ID)
Destination User ID | 6 (Accessing User (full Exchange ID))
Destination User Name | 5 (Account Name)
Destination User Privileges | One of ('Administrative rights were used', ' ')
Destination Host Name | 11 (Address)
Destination Address | 11 (Address)
Exchange Online Message Tracking
Message tracking, or message tracing as it is called in Office 365, is one of the most basic tools used by administrators to monitor the email flow. As emails travel through Office 365, some information about them gets stored in logs and is available for administrative purposes. Even if users delete or purge messages, the administrator is still able to view basic information about sent and received emails.
This section provides information about configuring Exchange Online Message Tracking and its event mappings.
Message tracing does not allow you to peek into a message's contents. Still, it can provide quite a lot of important data about emails:
- Sender and recipient
- Send and receive dates
- Subject and size
- Status and details of events. There are seven possible values in the delivery status field: delivered, failed, pending, expanded, quarantined, filtered as spam, and unknown
- IP address used to send the message
- Message ID, a unique number identifying a message. If a message is sent to more than one recipient, it is displayed once for every recipient in the message trace search, but all those entries have the same Message-ID and a different Message Trace ID
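The following Exchange Online PowerShell script is an added example, not part of this guide, showing the message trace data described above being pulled and worked with outside the connector: it pages through Get-MessageTrace (whose columns are the ones the mapping in this section uses), isolates the non-delivered status values, collapses the one-row-per-recipient duplicates on MessageId to expose bulk sends, and drills into one failed message with Get-MessageTraceDetail. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role allowing message tracking, and the 50-recipient threshold is an arbitrary placeholder.

```powershell
# Added example (not from the guide): query Exchange Online message trace data.
# Assumes the ExchangeOnlineManagement module and a role that permits message tracking.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-2)
$end   = Get-Date

# Get-MessageTrace returns at most 5000 rows per page; walk the pages until one is short.
$rows = @()
$page = 1
do {
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $rows += $batch
    $page++
} while ($batch.Count -eq 5000)

# 1. Messages that never reached a mailbox, using the status values the guide lists.
$rows | Where-Object { $_.Status -in 'Failed', 'Quarantined', 'FilteredAsSpam' } |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status, Subject |
    Sort-Object Received -Descending | Format-Table -AutoSize

# 2. A message to N recipients appears N times with the same MessageId and different
#    MessageTraceId values. Group on MessageId to count real messages and spot bulk sends
#    from one sender/IP (50 is a placeholder threshold).
$rows | Group-Object MessageId | Where-Object Count -gt 50 | ForEach-Object {
    [pscustomobject]@{
        MessageId  = $_.Name
        Recipients = $_.Count
        Sender     = $_.Group[0].SenderAddress
        FromIP     = $_.Group[0].FromIP
        Subject    = $_.Group[0].Subject
    }
} | Sort-Object Recipients -Descending | Format-Table -AutoSize

# 3. Follow one failed message hop by hop; the detail cmdlet needs both keys.
$one = $rows | Where-Object Status -eq 'Failed' | Select-Object -First 1
if ($one) {
    Get-MessageTraceDetail -MessageTraceId $one.MessageTraceId -RecipientAddress $one.RecipientAddress |
        Format-Table Date, Event, Action, Detail -AutoSize
}
```

Get-MessageTrace only covers the most recent days of mail flow, so schedule the collection rather than relying on ad hoc searches if the data has to be retained for investigations.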
Device Event Mapping to ArcSight Fields
The following section lists the mappings of ArcSight data fields to the device's specific event definitions. See the ArcSight Console User's Guide for more information about the ArcSight data fields.
ArcSight ESM Field | Device-Specific Field
Device Vendor | Microsoft
Device Product | Exchange Online
Name | Both(Message, Status)
External Id | MessageTraceId
Device Receipt Time | Received
Device Event Class Id | Both(Message, Status)
Device Custom String 3 | Subject
Device Custom String 6 | Organization
Source Address | FromIP
Source User Name | SenderAddress
Destination Address | ToIP
Destination User Name | RecipientAddress
File Size | Size
File Id | MessageId
Microsoft Exchange Mailbox Store
Microsoft Exchange Server is the server side of a client-server collaborative application product developed by Microsoft. It is part of Microsoft's line of server products used by enterprises using Microsoft infrastructure solutions. Microsoft Exchange 2010 Service Pack 1 is supported by this SmartConnector.
This section provides information about configuring Microsoft Exchange Mailbox Store and understanding its event mappings to ArcSight data fields. This connector supports Windows Server 2008 R2.
With Exchange Server 2010, Microsoft added new native audit capabilities in which the audit logs are maintained in the mailboxes themselves. Those logs cannot be collected through Windows Event Log integration, and retrieving them directly is difficult because of the potential number of mailboxes and the vast amount of data they may contain.
Therefore, for Microsoft Exchange 2010 and later versions, use the SmartConnector for Microsoft Exchange PowerShell, which retrieves Microsoft Exchange Server 2010 SP1 and 2013 Mailbox Audit logs remotely and lets you specify the mailboxes to be audited.
The SmartConnector for Microsoft Windows Event Log - Native Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for the SmartConnector for Microsoft Exchange Mailbox Store Windows Event Log Native.
Configuring Mailbox Store Auditing
Use the Exchange Management Console to access the configuration area for mailbox store auditing.
Enabling Mailbox Store
To access the configuration area for mailbox store auditing, use the Exchange Management Console. The following figure shows the new Manage Diagnostic Logging Properties menu option.
To configure mailbox store auditing on a particular mailbox server:
1. Select that server in the Exchange Management Console and then select the Manage Diagnostics Logging Properties menu option from the action pane; the Manage Diagnostics Logging Properties window is displayed.
2. In this window, expand the MSExchangeIS category and then expand the 9000 Private category.
3. Under the MSExchangeIS\9000 Private category, configure the Mailbox Store for Event 1016 by selecting Logons.
4. When you have finished configuring the mailbox store levels, click Configure.
5. To view events, go to the Windows Event Viewer. 1016 events are saved in the Windows Application log.
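As an added example that is not part of this guide, the script below does the same thing from the Exchange Management Shell and then makes the resulting 1016 events useful: Set-EventLogLevel on the Logons category is the shell equivalent of step 3, and the rest reads the 1016 events from the Application log and ranks accounts by how many different mailboxes they have opened. The server name is a placeholder, and it assumes that insertion string 1 (the logging-on user) and insertion string 2 (the mailbox), as listed in the 1016 mapping in this section, are exposed as Properties[0] and Properties[1] of the event record.

```powershell
# Added example (not from the guide): enable 1016 logging and summarise non-owner logons.
# EX01 and CONTOSO\jdoe are placeholders.
Set-EventLogLevel -Identity 'MSExchangeIS\9000 Private\Logons' -Level Low

$since  = (Get-Date).AddDays(-7)
$logons = Get-WinEvent -ComputerName 'EX01' -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MSExchangeIS'; Id = 1016; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = $_.Properties[0].Value   # insertion string 1: Windows user (assumption)
        Mailbox = $_.Properties[1].Value   # insertion string 2: mailbox (assumption)
    }
}

# Every 1016 is by definition a logon by someone other than the mailbox owner, so the
# interesting measure is breadth: accounts touching many mailboxes are delegates with too
# much access, an administrator reading mail, or a service account that should have been
# given the bypass right instead of being audited.
$logons | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User      = $_.Name
        Mailboxes = @($_.Group.Mailbox | Sort-Object -Unique).Count
        Logons    = $_.Count
        LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Mailboxes -Descending | Format-Table -AutoSize

# Drill into one account: which mailboxes, and how often.
$logons | Where-Object User -eq 'CONTOSO\jdoe' |
    Group-Object Mailbox | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```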
Accessing the Audited Information
To view the information logged, navigate to Event Viewer > Applications and Services Logs > Exchange Auditing.
Changing Default Log Storage Location
By default, the logs are stored in the Exchange Server installation directory (<Drive>:\Program Files\Microsoft\Exchange Server\Logging\AuditLogs). The logs are archived by default when the location gets full, so make sure the log location is changed to a drive that has enough free space for both the active log and the archived copies.
To modify the log storage location, select the properties for the Exchange Auditing log and change the options.
Excluding Service Accounts
Service accounts that have full access to the mailboxes might fill up your mailbox access log with events. To exclude a service account from being audited, run the following command (the database identity has the form Server\StorageGroup\DatabaseName):
Get-MailboxDatabase -Identity "<Server>\<StorageGroup>\<DatabaseName>" | Add-ADPermission -User "<ServiceAccount>" -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All
Device Event Mapping to ArcSight Fields
The following section lists the mappings of ArcSight data fields to the device's specific event definitions. See ArcSight 101 for more information about the ArcSight data fields.
General Exchange Events Mappings
ArcSight ESM Field | Device-Specific Field
Device Vendor | Microsoft
Device Product | Exchange Server
Exchange Events 1016 Mappings
ArcSight ESM Field | Device-Specific Field
Device Custom String 3 | 2 (Mail Box)
Source Nt Domain | 1
Source User Name | 1
Microsoft Forefront Protection 2010
Microsoft Forefront Protection 2010 for Exchange Server (FPE) provides protection against malware and spam by including multiple scanning engines in a single solution. FPE provides customers with an administration console that includes customizable configuration settings, filtering options, monitoring features and reports, anti-spam protection, and integration with the Forefront Online Protection for Exchange (FOPE) product.
This section provides information about configuring Microsoft Forefront Protection and its event mappings to ArcSight data fields. This connector supports Microsoft Forefront Protection 2010 events for Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 Standard with Exchange 2010.
The SmartConnector for Microsoft Windows Event Log - Native Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for the SmartConnector for Windows Event Log - Native Microsoft Forefront Protection.
Configuring Forefront Protection
To enable writing events to the Windows Event Log from Forefront Protection:
1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management and, under Global Settings, click Advanced Options.
2. In the Global Settings - Advanced Options pane, under the Logging Options section, select the Enable event logging check box. When it is checked (the default), you can use the associated check boxes to individually enable or disable the following options (which are enabled by default):
- Incidents: enables or disables event logging for incidents
- Engines: enables or disables event logging for engines
- Operational: enables or disables logging for all other events, such as system information and health events
When the Enable event logging check box is cleared, event logging is suspended for incidents, engines, and operational events.
3. Click Save.
Note: The relevant Microsoft Exchange and Microsoft Forefront Server Protection services must be restarted for any changes to these settings to take effect. This typically includes the Microsoft Exchange Transport, Microsoft Exchange Information Store, and Microsoft Forefront Server Protection Controller services.
See Microsoft TechNet > Microsoft Forefront TechCenter Library > Forefront Protection 2010 for Exchange Server > Operations > Configuring logging options for more information.
Device Event Mapping to ArcSight Fields
The following sections list the mappings of ArcSight data fields to the device's specific event definitions. See ArcSight 101 for more information about the ArcSight data fields.
Windows 2008
General
ArcSight ESM Field | Device-Specific Field
Device Product | Forefront Protection
Device Vendor | Microsoft

Event ID 7000
ArcSight ESM Field | Device-Specific Field
Message | All the antimalware engines selected in the Forefront Administration Console for scanning have been enabled for updates
Name | 'All the antimalware engines selected in the Forefront Administration Console'

Event ID 7001
ArcSight ESM Field | Device-Specific Field
Message | Not all the antimalware engines selected in the Forefront Administration Console for scanning have been enabled for updates
Name | 'Not all the antimalware engines selected in the Forefront Administration Console'

Event ID 7002
ArcSight ESM Field | Device-Specific Field
Name | All the antimalware engines enabled for updates have been updated successfully at the last attempt

Event ID 7003
ArcSight ESM Field | Device-Specific Field
Name | Not all of the antimalware engines enabled for updates have successfully updated at the last attempt

Event ID 7004
ArcSight ESM Field | Device-Specific Field
Name | Less than half of the antimalware engines enabled for updates have updated successfully at the last attempt

Event ID 7005
ArcSight ESM Field | Device-Specific Field
Name | 'All the antimalware engines enabled for updates have updated successfully in the last five days'

Event ID 7006
ArcSight ESM Field | Device-Specific Field
Name | 'At least one of the antimalware engines enabled for updates has not been updated in the last five days'
Event ID 7007
ArcSight ESM Field | Device-Specific Field
Name | None of the antimalware engines enabled for updates have been updated in the last five days

Event ID 7008
ArcSight ESM Field | Device-Specific Field
Name | The antimalware engines selected for transport scanning have been initialized

Event ID 7010
ArcSight ESM Field | Device-Specific Field
Name | The antimalware engines selected for realtime scanning have been initialized

Event ID 7012
ArcSight ESM Field | Device-Specific Field
Name | The transport scan job is enabled

Event ID 7015
ArcSight ESM Field | Device-Specific Field
Name | The realtime scan job is enabled

Event ID 7018
ArcSight ESM Field | Device-Specific Field
Name | The realtime scanning processes are running normally with no issues
Event ID 7021
ArcSight ESM Field | Device-Specific Field
Name | The transport scanning processes are running normally with no issues

Event ID 7024
ArcSight ESM Field | Device-Specific Field
Name | The MS Exchange Transport Service is running and the Forefront Agent is registered
Destination Service Name | 'MS Exchange Transport Service'

Event ID 7025
ArcSight ESM Field | Device-Specific Field
Name | 'The MS Exchange Transport Service is running but the Forefront Agent is not registered'
Destination Service Name | 'MS Exchange Transport Service'

Event ID 7026
ArcSight ESM Field | Device-Specific Field
Name | The MS Information Store is running and the Forefront VSAPI Library is registered

Event ID 7028
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection Product is within the license period
Event ID 7033
ArcSight ESM Field | Device-Specific Field
Name | 'The Forefront Protection Product is within the license period'

Event ID 7035
ArcSight ESM Field | Device-Specific Field
Name | There is at least amount of disk space available

Event ID 7040
ArcSight ESM Field | Device-Specific Field
Name | The Eventing Service (FSCEventing) is functioning
Destination Service Name | 'FSC Eventing'

Event ID 7044
ArcSight ESM Field | Device-Specific Field
Name | The Mail Pickup Service (FSEMailPickup) is functioning
Destination Service Name | 'FSEMailPickup'

Event ID 7046
ArcSight ESM Field | Device-Specific Field
Name | 'Content Filter is enabled and definitions have been updated in the last one hour'

Event ID 7048
ArcSight ESM Field | Device-Specific Field
Name | Content Filter is enabled and the last definition update was over 12 hours ago
Event ID 7051
ArcSight ESM Field | Device-Specific Field
Name | The Monitor Service (FSCMonitor) is functioning
Destination Service Name | 'FSCMonitor'

Event ID 7064
ArcSight ESM Field | Device-Specific Field
Name | 'No archived undeliverable items exist'

FSC Controller

Event ID 1000
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection service is running
Destination Service Name | 'Forefront Protection'

Event ID 1001
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection service has stopped
Destination Service Name | 'Forefront Protection'

Event ID 1020
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection service is starting
Destination Service Name | 'Forefront Protection'
Event ID 1021
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection service is stopping
Destination Service Name | 'Forefront Protection'

Event ID 1022
ArcSight ESM Field | Device-Specific Field
Name | Forefront Protection Version
Device Version | 1 (version)
Additional data | 2 (Virus Protection Feature)

Event ID 1023
ArcSight ESM Field | Device-Specific Field
Name | Forefront Protection Service Pack
Additional data | 1 (ServicePack)
Message | Both ('Forefront Protection Service Pack', 1)

Event ID 1024
ArcSight ESM Field | Device-Specific Field
Name | Product ID
Additional data | 1 (ProductID)
Message | Both ('Product ID', 1)

Event ID 1025
ArcSight ESM Field | Device-Specific Field
Name | Licensed Components
Message | All of (Licensed Components, Component, License Type, Expiration Date)
Event ID 1026
ArcSight ESM Field | Device-Specific Field
Name | Licensed Engines
Additional data | 1 (LicensedEngines)
Message | Both ('Licensed Engines', 1)

Event ID 1028
ArcSight ESM Field | Device-Specific Field
Name | System Information
Additional data | 1 (System Information)
Message | Both ('System Information', 1)

Event ID 1037
ArcSight ESM Field | Device-Specific Field
Name | Event Tracing session has been started
Device Severity | 'Information'

Event ID 1041
ArcSight ESM Field | Device-Specific Field
Name | 'Scheduled Scan has been started'

Event ID 1043
ArcSight ESM Field | Device-Specific Field
Name | 'Scheduled Scan has stopped'

Event ID 1044
ArcSight ESM Field | Device-Specific Field
Name | 'Scheduled Scan has completed'
Event ID 2102
ArcSight ESM Field | Device-Specific Field
Name | 'The Forefront Protection application is still within the license period'

Event ID 5167
ArcSight ESM Field | Device-Specific Field
Name | 'Microsoft Forefront Protection Monitor detected abnormal process shutdown'
Source Process Name | 1 (process name)
Message | Both ('Microsoft Forefront Protection Monitor detected abnormal', 1, 'shutdown')

Event ID 5183
ArcSight ESM Field | Device-Specific Field
Name | 'Scheduled scan exceeded the allowed scan time limit'

Event ID 8046
ArcSight ESM Field | Device-Specific Field
Name | 'ADMark Created'

Event ID 8055
ArcSight ESM Field | Device-Specific Field
Name | 'Ad Mark Removed'
Message | 'Failed to Delete Reg Key'

FSC Eventing

Event ID 1075
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection Eventing Service has started
Destination Service Name | 'Forefront Protection Eventing'
Event ID 1076
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection Eventing Service has stopped
Destination Service Name | 'Forefront Protection Eventing'

FSC Manual Scanner

Event ID 1045
ArcSight ESM Field | Device-Specific Field
Name | On-Demand Scan started
Request Client Operation | 1 (Request Client Operation)

Event ID 1048
ArcSight ESM Field | Device-Specific Field
Name | On-Demand Scan stopped
Request Client Operation | 1 (Request Client Operation)

Event ID 1052
ArcSight ESM Field | Device-Specific Field
Name | On-Demand Scan has been completed
Request Client Operation | 1 (Request Client Operation)

FSC Scheduled Scanner

Event ID 2080
ArcSight ESM Field | Device-Specific Field
Name | Scheduled scan enabled
Event ID 2081
ArcSight ESM Field | Device-Specific Field
Name | Scheduled scan disabled

Event ID 3009
ArcSight ESM Field | Device-Specific Field
Name | Scheduled scan found virus
Device Custom String 4 | mailbox name
Message | 2 (Message)
Device Custom String 1 | virus name
Device Custom String 6 | incident
Additional data | 4 (scan engine)
Device Action | 5 (Device Action)
File Name | 3 (File Name)

FSC Realtime Scanner

Event ID 2000
ArcSight ESM Field | Device-Specific Field
Name | Realtime scan enabled

Event ID 2001
ArcSight ESM Field | Device-Specific Field
Name | Realtime scan disabled

FSC Transport Scanner

Event ID 2007
ArcSight ESM Field | Device-Specific Field
Name | Transport scan enabled
Event ID 2008
ArcSight ESM Field | Device-Specific Field
Name | Transport scan disabled

Event ID 3002
ArcSight ESM Field | Device-Specific Field
Name | Internet scan found virus
File Path | 1 (folder)
Message | 2 (Message)
File Name | 4 (file name)
Device Custom String 6 | Incident
Device Action | 6 (Device Action or State)
Device Custom String 1 | virus name
Additional data | 3 (message ID)
Additional data | 5 (scan engine)

FSC Monitor

Event ID 1007
ArcSight ESM Field | Device-Specific Field
Name | Forefront Protection Monitor detected Information Store process started
Destination Process Name | 'Information Store'

Event ID 1008
ArcSight ESM Field | Device-Specific Field
Name | Forefront Protection Monitor detected Information Store shutdown
Destination Process Name | 'Information Store'

Event ID 1013
ArcSight ESM Field | Device-Specific Field
Name | Forefront Protection Monitor is active
Event ID 1014
ArcSight ESM Field | Device-Specific Field
Name | Forefront Protection Monitor is inactive

FSE On Demand Nav

Event ID 1049
ArcSight ESM Field | Device-Specific Field
Name | The FseOnDemandNav service is running
Destination Process Name | 'FseOnDemandNav'

Event ID 1050
ArcSight ESM Field | Device-Specific Field
Name | The FseOnDemandNav service has stopped
Destination Process Name | 'FseOnDemandNav'

FSE Mail Pickup

Event ID 1029
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection Mail Pickup service is running
Destination Service Name | 'Forefront Protection Mail Pickup'

Event ID 1030
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection Mail Pickup service has stopped
Destination Service Name | 'Forefront Protection Mail Pickup'
FSE IMC

Event ID 1002
ArcSight ESM Field | Device-Specific Field
Name | FSEIMC service started
Destination Service Name | 'FSEIMC'

Event ID 1003
ArcSight ESM Field | Device-Specific Field
Name | FSEIMC service stopped
Destination Service Name | 'FSEIMC'

FSE VS API

Event ID 5066
ArcSight ESM Field | Device-Specific Field
Name | 'Realtime scan exceeded the allowed scan time limit'

FSC VSS Writer

Event ID 1094
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection VSS Writer Service has started
Destination Service Name | 'Forefront Protection VSS Writer Service'

Event ID 1095
ArcSight ESM Field | Device-Specific Field
Name | The Forefront Protection VSS Writer Service has stopped
Destination Service Name | 'Forefront Protection VSS Writer Service'
Get Engine Files

Event ID 2011
ArcSight ESM Field | Device-Specific Field
Name | 'Microsoft Forefront Protection did not detect any new scan engine updates'
Additional data | 1 (scan engine)
Request URL | 2 (request URL)

Event ID 2012
ArcSight ESM Field | Device-Specific Field
Name | 'Microsoft Forefront Protection performed a successful scan engine update'
Additional data | 1 (scan engine)
Request URL | 2 (request URL)

Event ID 2017
ArcSight ESM Field | Device-Specific Field
Name | 'Forefront Protection has rolled back a scan engine'
Additional data | 1 (scan engine)

Event ID 2034
ArcSight ESM Field | Device-Specific Field
Name | Microsoft Forefront Protection is attempting a scan engine update
Request URL | 2 (request URL)
Additional data | 1 (scan engine)
Event ID 2109
ArcSight ESM Field | Device-Specific Field
Name | 'The VBuster scan engine is no longer supported'
Message | 'Updates are no longer available for this engine and therefore the update check for this engine has been disabled. Please review the scan engine chosen for your scan jobs and make another selection to ensure up-to-date protection'
Additional data | 1 (scan engine)
Request URL | 2 (request URL)

Event ID 6012
ArcSight ESM Field | Device-Specific Field
Name | 'Microsoft Forefront Protection encountered an error while performing a scan engine update'
Additional data | 1 (scan engine)
Reason | 2 (Error Code)
Message | 3 (Error Detail)

Event ID 6014
ArcSight ESM Field | Device-Specific Field
Name | Microsoft Forefront Protection encountered an error while performing a scan engine update
Additional data | 1 (scan engine)
Request URL | 2 (request URL)
Additional data | 3 (proxy settings)
Reason | 4 (Error Code)
Message | 5 (Error Detail)
Event ID 6019
ArcSight ESM Field | Device-Specific Field
Name | 'Microsoft Forefront Protection encountered an error while performing a scan engine update'
Additional data | 1 (scan engine)
Message | 2 (Error Detail)

Event ID 6020
ArcSight ESM Field | Device-Specific Field
Name | 'Microsoft Forefront Protection encountered an error while performing a scan engine update'
Additional data | 1 (scan engine)
Request URL | 2 (request URL)
Message | 3 (Message)
Microsoft Netlogon
Netlogon is a Windows Server process in Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008. The process is responsible for communication between systems in response to a logon request, and handles authentication of users and other services within a domain.
This guide provides information about the SmartConnector for Microsoft Windows Event Log - Native Microsoft Netlogon Logs and its event mappings to ArcSight data fields.
Supported Versions
- Microsoft Windows 8
- Microsoft Windows 10
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
The SmartConnector for Microsoft Windows Event Log - Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors. The field mappings listed in this document are specifically for Microsoft Netlogon.
Configuring Microsoft Netlogon Logs
For information about configuring Microsoft's Netlogon event logging, see https://support.microsoft.com/en-in/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc in the Microsoft TechNet Library.
Mappings for Microsoft Netlogon
General
ArcSight Field | Vendor Field
Device Product | NETLOGON
Device Vendor | 'Microsoft'

Event 5827
ArcSight Field | Vendor Field
Device Custom String 1 | 3 (Account Type)
Device Custom String 1 Label | Account Type
Device Custom String 4 | 4 (Machine Operating System)
Device Custom String 4 Label | Machine Operating System
Device Custom String 5 | 5 (Machine Operating System Build)
Device Custom String 5 Label | Machine Operating System Build
Device Custom String 6 | 6 (Machine Operating System Service Pack)
Device Custom String 6 Label | Machine Operating System Service Pack
Event Outcome | Denied
Source Host Name | 1 (Machine SamAccountName)
Source Nt Domain | 2 (Domain)
Name | Netlogon service denied vulnerable Netlogon secure channel connection from a machine account

Event 5828
ArcSight Field | Vendor Field
Destination Nt Domain | 3 (Trust Target)
Device Custom String 1 | 1 (Account Type)
Device Custom String 1 Label | Account Type
Event Outcome | Denied
Source Address | 4 (Client IP Address)
Source Nt Domain | 2 (Trust Name)
Name | Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account
Event 5829
ArcSight Field | Vendor Field
Device Custom String 1 | 3
Device Custom String 1 Label | Account Type
Device Custom String 4 | 4
Device Custom String 4 Label | Machine Operating System
Device Custom String 5 | 5
Device Custom String 5 Label | Machine Operating System Build
Device Custom String 6 | 6
Device Custom String 6 Label | Machine Operating System Service Pack
Event Outcome | Allowed
Source Host Name | 1
Source Nt Domain | 2
Name | Netlogon service allowed a vulnerable Netlogon secure channel connection

Event 5830
ArcSight Field | Vendor Field
Device Custom String 1 | 3
Device Custom String 1 Label | Account Type
Device Custom String 4 | 4
Device Custom String 4 Label | Machine Operating System
Device Custom String 5 | 5
Device Custom String 5 Label | Machine Operating System Build
Device Custom String 6 | 6
Device Custom String 6 Label | Machine Operating System Service Pack
Event Outcome | Allowed
Source Host Name | 1
Source Nt Domain | 2
Name | Netlogon service allowed a vulnerable Netlogon secure channel connection because account is allowed in group policy
Event 5831
ArcSight Field | Vendor Field
Destination Nt Domain | 3
Device Custom String 1 | 1
Device Custom String 1 Label | Account Type
Event Outcome | Allowed
Source Address | 4
Source Nt Domain | 2
Name | Netlogon service allowed a vulnerable Netlogon secure channel connection because trust account is allowed in group policy
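As an added example that is not part of this guide, the script below reads the same 5827-5831 events directly from a domain controller's System log and turns them into the two lists an operator needs: how many connections were denied versus allowed, and which machine or trust accounts are behind them. The server name is a placeholder, and it assumes that insertion string n from the mappings above is available as Properties[n-1] of the event record (1 SamAccountName, 2 Domain, 3 Account Type, 4 OS, 5 Build, 6 Service Pack for the machine-account events; 1 Account Type, 2 Trust Name, 3 Trust Target, 4 Client IP for the trust-account events).

```powershell
# Added example (not from the guide): summarise Netlogon 5827-5831 from a DC. DC01 is a placeholder.
$dc    = 'DC01'
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828, 5829, 5830, 5831; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $p = $e.Properties
    switch ($e.Id) {
        # Machine-account events (insertion strings per the 5827/5829/5830 mappings; assumption)
        { $_ -in 5827, 5829, 5830 } {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Outcome = if ($e.Id -eq 5827) { 'Denied' } else { 'Allowed' }
                Kind    = 'Machine'
                Account = "$($p[1].Value)\$($p[0].Value)"
                Detail  = "$($p[3].Value) build $($p[4].Value)"
            }
        }
        # Trust-account events (insertion strings per the 5828/5831 mappings; assumption)
        { $_ -in 5828, 5831 } {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Outcome = if ($e.Id -eq 5828) { 'Denied' } else { 'Allowed' }
                Kind    = 'Trust'
                Account = "$($p[1].Value) -> $($p[2].Value)"
                Detail  = "client $($p[3].Value)"
            }
        }
    }
}

# Denied (5827/5828): the DC refused an insecure connection, so the peer still needs fixing.
# Allowed (5829): the DC is still permitting insecure connections from unlisted accounts.
# Allowed by policy (5830/5831): explicit exceptions that should match a documented allow list.
$rows | Group-Object Id, Outcome | Sort-Object Name |
    Select-Object @{ n = 'Id, Outcome'; e = { $_.Name } }, Count | Format-Table -AutoSize

# The work list: one line per distinct account, most recent sighting, denied first.
$rows | Sort-Object Account, Time -Descending | Group-Object Account |
    ForEach-Object { $_.Group[0] } |
    Sort-Object Id, Time -Descending |
    Format-Table Time, Id, Outcome, Kind, Account, Detail -AutoSize
```

Run it against every domain controller, not just one: each DC logs only the connections it handled, so an account missing from one DC's list may still appear on another.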
Microsoft Network Policy Server
Internet Authentication Service (IAS) was renamed Network Policy Server (NPS) starting with Windows Server 2008. The content of this guide applies to both IAS and NPS. Throughout the text, NPS is used to refer to all versions of the service, including the versions originally referred to as IAS.
Windows Server 2008 and Windows Server 2016 are supported.
The following sections provide information about configuring Microsoft Network Policy Server (NPS) and its event mappings to ArcSight data fields.
Supported Versions
- Microsoft Windows 8
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2016
The SmartConnector for Microsoft Windows Event Log - Native Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for the SmartConnector for Windows Event Log - Native Microsoft Network Policy Server.
Configuring NPS Logging
NPS logging is also called RADIUS accounting and should be configured to your requirements, whether NPS is used as a RADIUS server, a RADIUS proxy, a NAP policy server, or any combination of the three configurations.
To configure NPS logging, you must configure the events logged and viewed with Event Viewer and determine what other information you want to log. In addition, you must decide whether you want to log user authentication and accounting information to text log files stored on the local computer or to a SQL Server database on either the local computer or a remote computer.
Using the event logs in Event Viewer, you can monitor Network Policy Server (NPS) errors and other events that you configure NPS to record.
NPS records connection request failure events in the System and Security event logs by default. Connection request failure events consist of requests that are rejected or discarded by NPS. Other NPS authentication events are recorded in the Event Viewer system log on the basis of the settings that you specify in the NPS snap-in. Some events that might contain sensitive data are recorded in the Event Viewer security log.
Use this procedure to configure Network Policy Server (NPS) to record connection request failure and success events in the Event Viewer system log.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To configure NPS event logging using the Windows interface:
1. Open the Network Policy Server (NPS) snap-in.
2. Right-click NPS (Local), and then click Properties.
3. On the General tab, select each required option, and then click OK.
Mappings for Network Policy Server

Mappings for Windows 2016, 2012, and 8

General
ArcSight ESM Field | Device-Specific Field
Device Vendor | 'Microsoft'
Device Product | 'NPS'

Event 13
ArcSight ESM Field | Device-Specific Field
Name | A RADIUS message was received
Message | Both ('A RADIUS message was received from the invalid RADIUS client IP address', 1)
Source Address | 1 (client IP address)
Event 25
ArcSight ESM Field | Device-Specific Field
Name | 'The address of remote RADIUS server in remote RADIUS server group resolves to local address; will be ignored'
Message | Both ('The address of remote RADIUS server '1' in remote RADIUS server group '2' resolves to local address '3'. The address will be ignored')
Source Address | 3 (address)
Additional data | 2 (ServerGroup)
Destination Address | 1 (address)

Event 4400
ArcSight ESM Field | Device-Specific Field
Name | 'A LDAP connection with domain controller for domain is established'
Message | Both ('A LDAP connection with domain controller '1' for domain '2' is established')
Destination Host Name | 1 (host name)
Destination NT Domain | 2 (domain name)

Event 4402
ArcSight ESM Field | Device-Specific Field
Name | No Domain controller available for domain
Message | Both ('There is no domain controller available for domain '1'')
Destination NT Domain | 1 (domain name)

Event 4405
ArcSight ESM Field | Device-Specific Field
Name | NPS cannot log accounting information in the primary data store
Message | Both ('NPS cannot log accounting information in the primary data store ('1'). Due to this logging failure, NPS will discard all connection requests. Error information: '2'')
Destination NT Domain | 1 (domain name)
Reason | 2 (reason code)
Mappings for Windows 2008 R2

General
ArcSight ESM Field | Device-Specific Field
Device Vendor | 'Microsoft'
Device Product | 'NPS'

Event 13
ArcSight ESM Field | Device-Specific Field
Name | 'A RADIUS message was received'
Source Address | 1 (client IP address)
Message | Both ('A RADIUS message was received from the invalid RADIUS client IP address', '1')

Event 4400
ArcSight ESM Field | Device-Specific Field
Name | 'A LDAP connection with domain controller for domain is established'
Destination Host Name | 1 (host name)
Destination NT Domain | 2 (domain name)
Message | Both ('A LDAP connection with domain controller '1' for domain '2' is established')

Event 4402
ArcSight ESM Field | Device-Specific Field
Name | No Domain controller available for domain
Message | Both ('There is no domain controller available for domain', '1')
Destination NT Domain | 1 (domain name)
Event 4405
ArcSight ESM Field | Device-Specific Field
Name | NPS cannot log accounting information in the primary data store
Destination Host Name | 1 (host name)
Reason | 2 (reason code)
Message | Both ('NPS cannot log accounting information in the primary data store ('1'). Due to this logging failure, NPS will discard all connection requests. Error information: '2'')
Microsoft Service Control Manager

Service Control Manager (SCM) is a special system process under the Windows NT family of operating systems that starts, stops, and interacts with Windows service processes. It is located in the %SystemRoot%\System32\services.exe executable. Service processes interact with SCM through a well-defined API, and the same API interface is used internally by the interactive Windows service management tools, such as the MMC snap-in Services.msc and the command-line Service Control utility sc.exe.

The following sections provide information about configuring Service Control Manager and its event mappings to ArcSight data fields.

Supported versions
- Microsoft Windows 8
- Microsoft Windows 10
- Microsoft Windows Server 2012
- Microsoft Windows Server 2016

The SmartConnector for Microsoft Windows Event Log – Native Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for the SmartConnector for Windows Event Log – Native Microsoft Service Control Manager.
Mappings for Windows 2016, 2012, 8, and 10

General
ArcSight Field | Vendor Field
Device Vendor | 'Microsoft'
Device Product | 'Microsoft Windows'
Device Custom String 4 | Reason or Error Code

7000
ArcSight Field | Vendor Field
Name | 'Service failed to start'
Message | 'The 'param1' service failed to start due to error 'param2''
Destination Service Name | param1
Device Custom String 4 | param2 (Reason or Error Code)
Reason | param2

7001
ArcSight Field | Vendor Field
Name | 'A service depends on other service which failed to start'
Message | 'The 'param1' service depends on the 'param2' service which failed to start because of error 'param3''
Destination Service Name | param1
Source Service Name | param2
Device Custom String 4 | param3 (Reason or Error Code)
Reason | param3

7002
ArcSight Field | Vendor Field
Name | 'The 'param1' service depends on the 'param2' group and no member of this group started'
Destination Service Name | param1

7003
ArcSight Field | Vendor Field
Name | 'A service depends on a nonexistent service'
Message | 'The 'param1' service depends on a nonexistent service 'param2''
Destination Service Name | param1
Source Service Name | param2
7005
ArcSight Field | Vendor Field
Name | 'The 'param1' call failed with error 'param2''
Device Custom String 4 | param2 (Reason or Error Code)

7006
ArcSight Field | Vendor Field
Name | 'The 'param1' call failed for 'param2' with the following error: 'param3''
Device Action | param2 (action)
Device Custom String 4 | param3 (Reason or Error Code)

7007
ArcSight Field | Vendor Field
Name | 'The system reverted to its last known good configuration'
Message | 'The system is restarting'

7008
ArcSight Field | Vendor Field
Name | 'No backslash is in the account name'

7009
ArcSight Field | Vendor Field
Name | 'Timeout waiting for the service to connect'
Message | 'Timeout ('param1') waiting for the 'param2' service to connect'
Destination Service Name | param2

7010
ArcSight Field | Vendor Field
Name | 'Timeout waiting for ReadFile'
7011
ArcSight Field | Vendor Field
Name | 'Timeout waiting for a transaction response from the 'param2' service'
Destination Service Name | param2

7012
ArcSight Field | Vendor Field
Name | 'Message returned in transaction has incorrect size'

7015
ArcSight Field | Vendor Field
Name | 'Boot-start or system-start driver 'param1' must not depend on a service'

7016
ArcSight Field | Vendor Field
Name | 'The 'param1' service has reported an invalid current state'
Destination Service Name | param1

7017
ArcSight Field | Vendor Field
Name | 'Detected circular dependencies demand starting 'param1''
Destination Service Name | param1

7018
ArcSight Field | Vendor Field
Name | 'Detected circular dependencies auto-starting services'
7019
ArcSight Field | Vendor Field
Name | 'Circular dependency: The 'param1' service depends on a service in a group which starts later'
Destination Service Name | param1

7020
ArcSight Field | Vendor Field
Name | 'Circular dependency: The 'param1' service depends on a group which starts later'
Destination Service Name | param1

7021
ArcSight Field | Vendor Field
Name | 'About to revert to the last known good configuration because the 'param1' service failed to start'
Destination Service Name | param1

7022
ArcSight Field | Vendor Field
Name | 'The 'param1' service hung on starting'
Destination Service Name | param1

7023
ArcSight Field | Vendor Field
Name | 'A service terminated with error'
Message | 'The 'param1' service terminated with the following error: 'param2''
Destination Service Name | param1
Reason | param2
Device Custom String 4 | param2 (Reason or Error Code)
7024
ArcSight Field | Vendor Field
Name | 'The 'param1' service terminated with the following service-specific error'
Destination Service Name | param1
Device Custom String 4 | param2 (Reason or Error Code)

7025
ArcSight Field | Vendor Field
Name | 'At least one service or driver failed during system startup'
Message | 'Use Event Viewer to examine the event log for details'

7026
ArcSight Field | Vendor Field
Name | 'The boot-start or system-start driver(s) did not load'
Message | 'The following boot-start or system-start driver(s) did not load: 'param1''
Device Process Name | param1

7027
ArcSight Field | Vendor Field
Name | 'Windows could not be started as configured'
Message | 'A previous working configuration was used instead'

7028
ArcSight Field | Vendor Field
Name | 'The 'param1' Registry key denied access to SYSTEM account programs'
Message | 'The Service Control Manager took ownership of the Registry key'
File Name | param1
7030
ArcSight Field | Vendor Field
Name | 'The 'param1' service is marked as an interactive service'
Destination Service Name | param1
Message | 'The system is configured to not allow interactive services. This service may not function properly'

7031
ArcSight Field | Vendor Field
Name | Both ('The 'param1' service terminated unexpectedly')
Destination Service Name | param1 (service name)
Message | Both ('The 'param1' service terminated unexpectedly. It has done this 'param2' time(s). The following corrective action will be taken in 'param3' milliseconds: 'param5'')
Device Action | param5 (action)

7032
ArcSight Field | Vendor Field
Name | 'The Service Control Manager tried to take a corrective action 'param1' after the unexpected termination of the 'param2' service'
Device Action | param1
Message | 'This action failed with error'
Destination Service Name | param2
Device Custom String 4 | param3 (Reason or Error Code)

7033
ArcSight Field | Vendor Field
Name | 'The Service Control Manager did not initialize successfully'
Message | 'The security configuration server (scesrv.dll) failed to initialize with error 'param1'. The system is restarting'
Device Custom String 4 | param1 (Reason or Error Code)
7034
ArcSight Field | Vendor Field
Name | 'A service terminated unexpectedly'
Message | 'It has done this 'param2' times'
Destination Service Name | param1
Device Custom Number 3 | param2 (Count)

7035
ArcSight Field | Vendor Field
Name | 'The 'param1' service was successfully sent a 'param2' control'
Destination Service Name | param2

7036
ArcSight Field | Vendor Field
Name | 'Service entered the 'param2' state'
Message | 'The 'param1' service entered the 'param2' state'
Destination Service Name | param1
Device Action | param2

7037
ArcSight Field | Vendor Field
Name | 'The Service Control Manager encountered an error undoing a configuration change to the 'param1' service'
Message | 'The service's 'param2' is currently in an unpredictable state. If you do not correct this configuration, you may not be able to restart the 'param1' service or may encounter other errors. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC)'
Destination Service Name | param1
7038
ArcSight Field | Vendor Field
Name | 'A service was unable to log on with the currently configured password'
Message | 'The 'param1' service was unable to log on as 'param2' with the currently configured password due to the following error: 'param3'. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC)'
Destination Service Name | param1
Destination User Name | param2
Device Custom String 4 | param3 (Reason or Error Code)
Reason | param3

7039
ArcSight Field | Vendor Field
Name | 'A service process other than the one launched by the Service Control Manager connected when starting the 'param1' service'
Destination Service Name | param1
Message | 'The Service Control Manager launched process 'param2' and process 'param3' connected instead. Note that if this service is configured to start under a debugger, this behavior is expected'

7040
ArcSight Field | Vendor Field
Name | 'Start type of 'param1' service was changed from 'param2' to 'param3''
Message | 'Start type of 'param1' service was changed from 'param2' to 'param3''
Destination Service Name | param1
Device Action | param3
7041
ArcSight Field | Vendor Field
Name | 'A service was unable to log on with the currently configured password'
Destination Service Name | param1
Destination User Name | param2
Device Custom String 4 | 'Logon failure: the user has not been granted the requested logon type at this computer'
Message | 'The 'param1' service was unable to log on as 'param2' with the currently configured password due to error: This service account does not have the necessary user right 'Log on as a service''
Reason | 'Logon failure: the user has not been granted the requested logon type at this computer'

7042
ArcSight Field | Vendor Field
Name | 'A service was successfully sent a control'
Destination Service Name | param1 (service name)
Device Custom String 4 | Reason or Error Code
Message | 'The 'param1' service was successfully sent a 'param2' control. The reason specified was: 'param3' ['param4']. Comment: 'param5''
Reason | Both ('param3', 'param4')

7043
ArcSight Field | Vendor Field
Name | 'The 'param1' service did not shutdown properly after receiving a preshutdown control'
Destination Service Name | param1
7045
ArcSight Field | Vendor Field
Name | 'A service was installed in the system'
Destination Service Name | ServiceName
File Path | ImagePath
Device Custom String 5 | StartType
Device Custom String 6 | AccountName
Microsoft SQL Server Audit

With SQL Server 2008, Microsoft introduced an SQL Server Audit feature that provides a true auditing solution for enterprise customers. While SQL Trace can be used to satisfy many auditing needs, SQL Server Audit offers a number of advantages that can help DBAs more easily achieve their goals, such as meeting regulatory compliance requirements.

The SQL Server Audit feature is intended to replace SQL Trace as the preferred auditing solution. SQL Server Audit is meant to provide full auditing capabilities, and only auditing capabilities, unlike SQL Trace, which is also used for performance debugging.

The following sections provide information about configuring Microsoft SQL Server Audit and its event mappings to ArcSight data fields.

Supported Versions
Microsoft Windows Server Version | Microsoft SQL Server Version
2008, 2008 R2 | 2008, 2012
2012 | 2012 SP1, 2014, 2016

SmartConnector for Microsoft Windows Event Log – Native Windows Security Event Mappings provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for the SmartConnector for Windows Event Log – Native Microsoft SQL Server Audit.

Configuring SQL Server Audit

For complete information about auditing in SQL Server, see Microsoft's SQL Server documentation at https://msdn.microsoft.com/en-us/library/cc280525(v=sql.120).aspx. This link takes you to the SQL Server 2014 version. You can select another version from the Other Versions drop-down menu, but the basic steps are the same for sending audit events to an application log. From the left pane at this link, click Create a Server Audit and Server Audit Specification for detailed instructions.

Using SQL Server Management Studio, create a server audit as follows:
1. In Object Explorer, expand the Security folder.
2. Right-click the Audits folder and select New Audit to open a Create Audit window.
3. Enter a name for your audit (for example, LoginFailed). For Audit destination, select Application Log from the list.
4. Click OK to accept the default settings and save the new audit specification.
5. The new audit will appear in the Audits folder. To enable the audit, select the audit you created, right-click, and select Enable Audit.
Customizing Event Source Mapping

For information about customizing event source mapping, see Customizing Event Source Mapping.
Microsoft SQL Server Audit Application Event Log Mappings

General
ArcSight Field | Vendor Field
Device Vendor | 'Microsoft'
Device Product | 'SQL Server'
Destination User Name |

Event 615
ArcSight Field | Vendor Field
Name | 'Could not find database'
Message | 'Could not find database ID '1', name '2''

Event 849
ArcSight Field | Vendor Field
Name | 'Using locked pages for buffer pool'
Message | 'Using locked pages for buffer pool'

Event 852
ArcSight Field | Vendor Field
Name | 'Using conventional memory in the memory manager'
Message | 'Using conventional memory in the memory manager'
Event 919
ArcSight Field | Vendor Field
Name | 'User is changing database script level'
Message | 'User '1' is changing database script level entry '2' to a value of '3''
Source User Name | 1
Device Custom Number 1 | 2 (Level entry)
Device Custom Number 2 | 3 (Changed value)

Event 958
ArcSight Field | Vendor Field
Name | 'The resource database build version'
Message | 'The resource database build version is '1''
Device Custom String 4 | 1 (Database build version)

Event 1486
ArcSight Field | Vendor Field
Name | 'Database Mirroring Transport is disabled in the endpoint configuration'
Message | 'Database Mirroring Transport is disabled in the endpoint configuration'

Event 1814
ArcSight Field | Vendor Field
Name | 'Could not create tempdb'
Message | 'Could not create tempdb. You may not have enough disk space available'
Event 1945
ArcSight Field | Vendor Field
Name | 'Warning: The maximum key length'
Message | One of ('Warning: The maximum key length for a '1' index is '2' bytes. The index '3' has maximum length of '4' bytes. For some combination of large values, the insert/update operation will fail.', 'Warning: The maximum key length is '1' bytes. The index '2' has maximum length of '3' bytes. For some combination of large values, the insert/update operation will fail.')
Device Custom String 1 | Both (One of (2, 1), bytes) (Maximum key length)
Device Custom String 2 | One of (3, 2) (Index)
Device Custom String 3 | Both (One of (4, 3), bytes) (Maximum index)
Device Custom String 4 | 1 (Index Type)
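The notation used throughout these mapping tables (quoted literals, numbered or paramN insertion strings, Both for concatenation, One of for first-present selection) can be checked against sample events with a small interpreter. The block below is an added example, not code from this guide or the connector: it transcribes NPS event 13, Service Control Manager events 7036 and 7045, and SQL Server event 1945 from the tables above; the key names (deviceVendor, destinationServiceName, deviceCustomString1 and so on) are CEF-style names chosen for the example, the sample insertion strings are constructed, and the handling of a missing insertion string is an assumption.

```python
"""Added example, not code from the ArcSight guide or the connector: a small
interpreter for the mapping notation in the tables above ('text' literals,
1/param1/Name insertion-string references, Both(...) concatenation and
One of(...) first-present selection). Skipping a missing insertion string
inside Both, and falling through in One of, is this example's assumption."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union


@dataclass(frozen=True)
class Lit:    # quoted literal from the table, e.g. 'Microsoft'
    text: str

@dataclass(frozen=True)
class Ref:    # insertion string as the table names it: '1', 'param2', 'ServiceName'
    key: str

@dataclass(frozen=True)
class Both:   # Both (a, b, ...): concatenate every part that resolves
    parts: Tuple["Value", ...]

@dataclass(frozen=True)
class OneOf:  # One of (a, b, ...): the first part that resolves
    parts: Tuple["Value", ...]

Value = Union[Lit, Ref, Both, OneOf]


def resolve(value: Value, params: Dict[str, str]) -> Optional[str]:
    """Resolve one mapping value against the event's insertion strings."""
    if isinstance(value, Lit):
        return value.text
    if isinstance(value, Ref):
        return params.get(value.key)
    if isinstance(value, Both):
        found = [r for r in (resolve(p, params) for p in value.parts) if r is not None]
        return "".join(found) if found else None
    if isinstance(value, OneOf):
        return next((r for r in (resolve(p, params) for p in value.parts) if r is not None), None)
    raise TypeError(f"unsupported mapping value: {value!r}")


# 'General' tables: vendor and product per event source.
GENERAL: Dict[str, Dict[str, Value]] = {
    "NPS": {"deviceVendor": Lit("Microsoft"), "deviceProduct": Lit("NPS")},
    "SCM": {"deviceVendor": Lit("Microsoft"), "deviceProduct": Lit("Microsoft Windows")},
    "SQL": {"deviceVendor": Lit("Microsoft"), "deviceProduct": Lit("SQL Server")},
}

# Per-event tables transcribed from the guide: event ID -> (source, field -> value).
MAPPINGS: Dict[int, Tuple[str, Dict[str, Value]]] = {
    13: ("NPS", {    # RADIUS message from an unregistered client
        "name": Lit("A RADIUS message was received"),
        "message": Both((Lit("A RADIUS message was received from the invalid "
                             "RADIUS client IP address "), Ref("1"))),
        "sourceAddress": Ref("1"),
    }),
    7036: ("SCM", {  # service state change; the literal wraps the param in quotes
        "name": Both((Lit("Service entered the '"), Ref("param2"), Lit("' state"))),
        "message": Both((Lit("The '"), Ref("param1"), Lit("' service entered the '"),
                         Ref("param2"), Lit("' state"))),
        "destinationServiceName": Ref("param1"),
        "deviceAction": Ref("param2"),
    }),
    7045: ("SCM", {  # service installed; named EventData fields rather than paramN
        "name": Lit("A service was installed in the system"),
        "destinationServiceName": Ref("ServiceName"),
        "filePath": Ref("ImagePath"),
        "deviceCustomString5": Ref("StartType"),
        "deviceCustomString6": Ref("AccountName"),
    }),
    1945: ("SQL", {  # maximum key length warning, four-parameter message form
        "name": Lit("Warning: The maximum key length"),
        "deviceCustomString1": Both((OneOf((Ref("2"), Ref("1"))), Lit(" bytes"))),
        "deviceCustomString2": OneOf((Ref("3"), Ref("2"))),
        "deviceCustomString3": Both((OneOf((Ref("4"), Ref("3"))), Lit(" bytes"))),
        "deviceCustomString4": Ref("1"),
    }),
}


def map_event(event_id: int, params: Dict[str, str]) -> Dict[str, str]:
    """Return the ArcSight fields for one event; a field whose insertion
    string is absent is left out rather than emitted empty."""
    source, table = MAPPINGS[event_id]
    out: Dict[str, str] = {}
    for field, value in {**GENERAL[source], **table}.items():
        resolved = resolve(value, params)
        if resolved is not None:
            out[field] = resolved
    return out


if __name__ == "__main__":
    # Constructed sample insertion strings, not captured from a real host.
    for event_id, params in [
        (13, {"1": "192.0.2.10"}),
        (7036, {"param1": "Spooler", "param2": "running"}),
        (7045, {"ServiceName": "ExampleSvc", "ImagePath": r"C:\Example\svc.exe",
                "StartType": "auto start", "AccountName": "LocalSystem"}),
        (1945, {"1": "clustered", "2": "900", "3": "IX_Example", "4": "1200"}),
    ]:
        print(event_id, map_event(event_id, params))
```

Feeding the 7045 fields through this is a quick way to confirm that File Path and Device Custom String 6 carry the installed service's image path and account, which is what a service-install review in the SIEM relies on.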
Event 2007
ArcSight Field | Vendor Field
Name | 'The module depends on the missing object'
Message | 'The module '1' depends on the missing object '2'. The module will still be created; however, it cannot run successfully until the object exists'
Device Custom String 1 | 1 (Module)
Device Custom String 2 | 2 (Missing object)

Event 2812
ArcSight Field | Vendor Field
Name | 'Could not find stored procedure'
Message | 'Could not find stored procedure '1''
Device Custom String 2 | 1 (Stored procedure)
Event 3406
ArcSight Field | Vendor Field
Name | 'Transactions rolled forward in database'
Message | ''1' transactions rolled forward in database '2' ('3')'
Device Custom Number 2 | 1 (Transactions quantity)
Device Custom String 1 | 2 (Database name)
Device Custom Number 1 | 3 (Database ID)

Event 3407
ArcSight Field | Vendor Field
Name | 'Transactions rolled back in database'
Message | ''1' transactions rolled back in database '2' ('3')'
Device Custom Number 2 | 1 (Transactions quantity)
Device Custom String 1 | 2 (Database name)
Device Custom Number 1 | 3 (Database ID)

Event 3408
ArcSight Field | Vendor Field
Name | 'Recovery is complete'
Message | 'Recovery is complete. This is an informational message only. No user action is required'

Event 3421
ArcSight Field | Vendor Field
Name | 'Recovery completed for database'
Message | 'Recovery completed for database '1' (database ID '2') in '3' second(s) (analysis '4' ms, redo '5' ms, undo '6' ms)'
Device Custom String 1 | 1 (Database name)
Device Custom String 2 | 4 ms (Analysis time)
Device Custom String 3 | 5 ms (Redo time)
Device Custom String 4 | 6 ms (Undo time)
Device Custom String 5 | 3 s (Completed recovery time)
Device Custom String 6 | 2 (Database ID)

Event 3454
ArcSight Field | Vendor Field
Name | 'Recovery is writing a checkpoint in database'
Message | 'Recovery is writing a checkpoint in database '1' ('2')'
Device Custom String 1 | 1 (Database name)
Device Custom Number 1 | 2 (Database ID)

Event 5084
ArcSight Field | Vendor Field
Name | 'Setting database option'
Message | 'Setting database option '1' to '2' for database '3''
Device Custom String 1 | 3 (Database name)
Device Custom String 2 | 1 (Old option)
Device Custom String 3 | 2 (New option)

Event 5579
ArcSight Field | Vendor Field
Name | 'File system access'
Message | 'FILESTREAM: effective level = '1', configured level = '2', file system access share name = '3''
Event 5701
ArcSight Field | Vendor Field
Name | 'Changed database context'
Message | 'Changed database context to '1''
Device Custom String 1 | 1 (Database name)
Device Action | 'Changed'

Event 5703
ArcSight Field | Vendor Field
Name | 'Changed language setting'
Message | 'Changed language setting to '1''
Device Custom String 1 | 1 (Language setting)
Device Action | 'Changed'

Event 6253
ArcSight Field | Vendor Field
Name | 'Common language runtime (CLR) functionality initialized using CLR'
Message | 'Common language runtime (CLR) functionality initialized using CLR version '1' from '2''
File Path | 2
Device Custom String 4 | 1 (File version)

Event 6527
ArcSight Field | Vendor Field
Name | '.NET Framework runtime has been stopped'
Message | '.NET Framework runtime has been stopped'
Event 8128
ArcSight Field | Vendor Field
Name | 'Execute extended stored procedure'
Message | 'Using '1' version '2' to execute extended stored procedure '3'. This is an informational message only; no user action is required'
File Name | 1
Device Custom String 3 | 2 (File version)
Device Custom String 4 | 3 (Extended stored procedure)

Event 9013
ArcSight Field | Vendor Field
Name | 'Tail of the log for database is being rewritten'
Message | 'Tail of the log for database '1' is being rewritten to match the new sector size of '2' bytes. '3' bytes at offset '4' in file '5' will be written'

Event 9666
ArcSight Field | Vendor Field
Name | 'Service endpoint is in disabled or stopped state'
Message | 'The '1' endpoint is in disabled or stopped state'
Destination Service Name | 1

Event 9688
ArcSight Field | Vendor Field
Name | 'Service Broker manager has started'
Message | 'Service Broker manager has started'

Event 9689
ArcSight Field | Vendor Field
Name | 'Service Broker manager has shut down'
Message | 'Service Broker manager has shut down'
Event 10981
ArcSight Field | Vendor Field
Name | 'Resource governor reconfiguration succeeded'
Message | 'Resource governor reconfiguration succeeded'

Event 12288
ArcSight Field | Vendor Field
Name | 'Package started'
File Name | 1

Event 12291
ArcSight Field | Vendor Field
Name | 'Package failed'
File Name | 1

Event 15268
ArcSight Field | Vendor Field
Name | 'Authentication mode'
Message | 'Authentication mode is '1''
Device Custom String 3 | 1 (Authentication mode)

Event 15457
ArcSight Field | Vendor Field
Name | 'Configuration option changed'
Message | 'Configuration option '1' changed from '2' to '3'. Run the RECONFIGURE statement to install'
Device Custom String 3 | 1 (Configuration option)
Device Custom Number 1 | 2 (Old value)
Device Custom Number 2 | 3 (New value)
Event 15477
ArcSight Field | Vendor Field
Name | 'Caution: Changing any part of an object name could break scripts and stored procedures'
Message | 'Caution: Changing any part of an object name could break scripts and stored procedures'

Event 17069
ArcSight Field | Vendor Field
Name | 'Microsoft SQL Server 2012 (SP1)'
Message | 1

Event 17101
ArcSight Field | Vendor Field
Name | 'Microsoft Corporation'
Message | 'Microsoft Corporation'

Event 17103
ArcSight Field | Vendor Field
Name | 'All rights reserved'
Message | 'All rights reserved'

Event 17104
ArcSight Field | Vendor Field
Name | 'Server process ID'
Message | 'Server process ID is '1''
Destination Process ID | 1
Event 17107
ArcSight Field | Vendor Field
Name | 'Perfmon counters for resource governor pools and groups failed to initialize and are disabled'
Message | 'Perfmon counters for resource governor pools and groups failed to initialize and are disabled'

Event 17108
ArcSight Field | Vendor Field
Name | 'Password policy update was successful'
Message | 'Password policy update was successful'
Device Action | 'Update'

Event 17110
ArcSight Field | Vendor Field
Name | 'Registry startup parameters'
Message | 'Registry startup parameters: '1''
Device Custom String 1 | 1 (Parameters)

Event 17111
ArcSight Field | Vendor Field
Name | 'Logging SQL Server messages'
Message | 'Logging SQL Server messages in file '1''
File Name | 1

Event 17115
ArcSight Field | Vendor Field
Name | 'Command Line Startup'
Message | 'Command Line Startup Parameters: '1''
Device Action | 'Startup'
Device Custom String 1 | 1 (Parameters)

Event 17125
ArcSight Field | Vendor Field
Name | 'Using dynamic lock allocation'
Message | 'Using dynamic lock allocation. Initial allocation of '1' Lock blocks and '2' Lock Owner blocks per node'
Device Custom Number 1 | 1 (Lock blocks)
Device Custom Number 2 | 2 (Lock owner blocks)

Event 17126
ArcSight Field | Vendor Field
Name | 'SQL Server is now ready for client connections'
Message | 'SQL Server is now ready for client connections'

Event 17136
ArcSight Field | Vendor Field
Name | 'Clearing tempdb database'
Message | 'Clearing tempdb database'

Event 17137
ArcSight Field | Vendor Field
Name | 'Starting up database'
Message | 'Starting up database '1''
Device Custom String 1 | 1 (Database name)
Event 17147
ArcSight Field | Vendor Field
Name | 'SQL Server is terminating because of a system shutdown'
Message | 'SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required'

Event 17148
ArcSight Field | Vendor Field
Name | 'SQL Server is terminating'
Message | 'SQL Server is terminating in response to a 'stop' request from Service Control Manager'

Event 17152
ArcSight Field | Vendor Field
Name | 'Node configuration'
Message | 'Node configuration: node '1': CPU mask: '2' '3' Active CPU mask: '4' '5'. This message provides a description of the NUMA configuration for this computer. This is an informational message only. No user action is required'
Device Custom String 2 | 1 (Node)
Device Custom String 3 | 2 (CPU mask)
Device Custom String 4 | 4 (Active CPU mask)
Device Custom String 5 | 3 (Flag CPU mask)
Device Custom String 6 | 5 (Flag Active CPU mask)

Event 17162
ArcSight Field | Vendor Field
Name | 'SQL Server is starting'
Message | 'SQL Server is starting at normal priority base (=7)'
Event 17164
ArcSight Field | Vendor Field
Name | 'SQL Server detected sockets'
Message | 'SQL Server detected '1' sockets with '2' cores per socket and '3' logical processors per socket, '4' total logical processors; using '5' logical processors based on SQL Server licensing. This is an informational message; no user action is required'
Device Custom Number 1 | 1 (Detected sockets)
Device Custom Number 2 | 2 (Cores per socket)
Device Custom Number 3 | 3 (Processors per socket)
Device Custom String 3 | 4 (Total processors)
Device Custom String 4 | 5 (Using processors)

Event 17176
ArcSight Field | Vendor Field
Name | 'This instance of SQL Server last reported using a process ID'
Message | 'This instance of SQL Server last reported using a process ID of '1' at '2' (local) '3' (UTC). This is an informational message only; no user action is required'
Destination Process ID | 1
Device Custom Date 1 | 2 'MM/dd/yyyy hh:mm:ss aa' (Last Report Time (local))
Device Custom Date 2 | 3 'MM/dd/yyyy hh:mm:ss aa' (Last Report Time (UTC))

Event 17177
ArcSight Field | Vendor Field
Name | 'This instance of SQL Server has been using a process ID'
Message | 'This instance of SQL Server has been using a process ID of '1' since '2' (local) '3' (UTC)'
Event 17199
ArcSight Field | Vendor Field
Name | 'Restart SQL Server using the trace flag'
Message | 'Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag '1'. This is an informational message only. No user action is required.'
Device Custom Number 1 | 1 (Trace flag)
Event 17201
ArcSight Field | Vendor Field
Name | 'Dedicated admin connection support was established'
Message | 'Dedicated admin connection support was established for listening locally on port '1'.'
Destination Port | 1
Event 17550
ArcSight Field | Vendor Field
Name | 'DBCC TRACEON server process'
Message | 'DBCC TRACEON '1', server process ID (SPID) '2'. This is an informational message only; no user action is required.'
Destination Process Name | 'DBCC TRACEON' 1
Destination Process ID | 2
Event 17551
ArcSight Field | Vendor Field
Name | 'DBCC TRACEOFF server process'
Message | 'DBCC TRACEOFF '1', server process ID (SPID) '2'. This is an informational message only; no user action is required.'
Destination Process Name | 'DBCC TRACEON' 1
Destination Process ID | 2
Event 17561
ArcSight Field | Vendor Field
Name | 'index restored'
Message | 'index restored for '2'.'3''
Device Custom String 1 | 2 (Report server database)
Device Custom String 3 | 3 (Object name)
Event 17656
ArcSight Field | Vendor Field
Name | 'Warning'
Message | 'Warning'
Event 17658
ArcSight Field | Vendor Field
Name | 'SQL Server started in single-user mode'
Message | 'SQL Server started in single-user mode. This is an informational message only. No user action is required.'
Event 17663
ArcSight Field | Vendor Field
Name | 'Server name'
Message | 'Server name is '1''
Destination Host Name | 1
Event 17811
ArcSight Field | Vendor Field
Name | 'The maximum number of dedicated administrator connections for this instance'
Message | 'The maximum number of dedicated administrator connections for this instance is 1'
Device Custom Number 1 | 1 (Maximum administrator connections)
Event 18453
ArcSight Field | Vendor Field
Name | 'Login succeeded'
Message | 'Login succeeded for user. Connection made using Windows authentication.'
Destination User Name | 1
Destination NT Domain | 1
Device Custom String 1 | 2 (Windows authentication)
Event 18454
ArcSight Field | Vendor Field
Name | 'Login succeeded'
Message | 'Login succeeded for user. Connection made using SQL Server authentication.'
Source User Name | 1
Source Address | 2
Device Custom IPv6 Address 2 | 2 (Source IPv6 Address)
Event 18456
ArcSight Field | Vendor Field
Name | 'Login failed for user'
Message | 'Login failed for user '1'. '2' '3''
Device Custom String 3 | 2 (Login failed)
Source User Name | 1
Source Address | 3
Event 18488
ArcSight Field | Vendor Field
Name | 'Login failed for user'
Message | 'Login failed for user '1'. Reason: The password of the account must be changed. '2''
Source User Name | 1
Source Address | 2
Event 18496
ArcSight Field | Vendor Field
Name | 'System Manufacturer and System Model Information'
Message | 'System Manufacturer: '1', System Model: '2''
Device Custom String 1 | 1 (System Manufacturer)
Device Custom String 2 | 2 (System Model)
Event 19030
ArcSight Field | Vendor Field
Name | 'SQL Trace was started'
Message | 'SQL Trace ID '1' was started by login '2''
Device Custom String 1 | 1 (Trace ID)
Source User Name | 2
Event 19031
ArcSight Field | Vendor Field
Name | 'SQL Trace stopped'
Message | 'SQL Trace stopped. Trace ID = '1'. Login Name = '2''
Source User Name | 2
Event 19032
ArcSight Field | Vendor Field
Name | 'SQL Trace was stopped due to server shutdown'
Message | 'SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.'
Device Custom Number 1 | 1 (Trace ID)
Event 26018
ArcSight Field | Vendor Field
Name | 'A self-generated certificate was successfully loaded for encryption'
Message | 'A self-generated certificate was successfully loaded for encryption.'
Event 26022
ArcSight Field | Vendor Field
Name | 'Server is listening'
Message | 'Server is listening on ['1' <'2'> '3']'
Device Custom String 4 | 1 (Listening Address)
Application Protocol | 2
Destination Port | 3
Event 26037
ArcSight Field | Vendor Field
Name | 'SQL Server Network Interface library could not register the Server Principal Name'
Message | 'Error '1', state '2'. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos.'
Event 26048
ArcSight Field | Vendor Field
Name | 'Server local connection provider is ready to accept connection'
Message | 'Server local connection provider is ready to accept connection on ['1'].'
File Path | 1
Event 26067
ArcSight Field | Vendor Field
Name | 'SQL Server Network Interface library could not register the Service Principal Name (SPN)'
Message | 'The SQL Server Network Interface library could not register the Service Principal Name (SPN) '1' for the SQL Server service. Windows return code '2', state '3'. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.'
Source Service Name | 1
Reason | 2
Device Custom String 1 | 3 (State)
Event 26076
ArcSight Field | Vendor Field
Name | 'SQL Server is attempting to register a Service Principal Name (SPN)'
Message | 'SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.'
Event 30090
ArcSight Field | Vendor Field
Name | 'New instance of full-text filter daemon host process has been successfully started'
Message | 'A new instance of the full-text filter daemon host process has been successfully started.'
Event 33090
ArcSight Field | Vendor Field
Name | 'Attempting to load library into memory'
Message | 'Attempting to load library '1' into memory. This is an informational message only. No user action is required.'
File Name | 1
Event 33204
ArcSight Field | Vendor Field
Name | 'SQL Server Audit could not write to the security log'
Message | 'SQL Server Audit could not write to the security log.'
Event 33205
ArcSight Field | Vendor Field
Source Service Name | EventSource
Device Event Class ID | All of (class_type '|' action_id)
Device Action | action_id
Event Outcome | succeeded
File ID | object_id
File Type | class_type
File Name | object_name
File Size | sequence_number
File Hash | audit_schema_version
Old File ID | transaction_id
Message | statement
Source User ID | server_principal_id
Source User Name | server_principal_name
Source NT Domain | server_principal_name
Destination User ID | One of (server_principal_id, target_server_principal_id)
Destination NT Domain | One of (target_server_principal_name, server_principal_name)
Destination Host Name | server_instance_name
Device Custom Number 1 | session_id
Device Custom Number 2 | database_principal_id
Device Custom Number 3 | target_database_principal_id
Device Custom String 1 | object_name
Device Custom String 2 | statement
Device Custom String 3 | database_name
Device Custom String 4 | database_principal_name
Device Custom String 5 | One of (target_database_principal_name, database_principal_name)
Device Custom String 6 | schema_name
Old File Name | All of ('Additional Information', additional_information)
Source Address | One of (additional_information, device address (in case the address is the local machine))
Source Host Name | device host name (in case the address is the local machine)
Destination User Name | One of (target_server_principal_name, server_principal_name)
Device Custom IPv6 Address 2 | additional_information
Event 33217
ArcSight Field | Vendor Field
Name | 'SQL Server Audit is starting the audits'
Message | 'SQL Server Audit is starting the audits. This is an informational message. No user action is required.'
Event 33218
ArcSight Field | Vendor Field
Name | 'SQL Server Audit has started the audits'
Message | 'SQL Server Audit has started the audits. This is an informational message. No user action is required.'
Event 49903
ArcSight Field | Vendor Field
Name | 'Detected RAM'
Message | 'Detected '1' of RAM. This is an informational message; no user action is required.'
Device Custom Number 1 | 1 (Detected RAM)
Event 49904
ArcSight Field | Vendor Field
Name | 'Service account'
Message | 'The service account is '1'. This is an informational message; no user action is required.'
Source Service Name | 1
Event 49910
ArcSight Field | Vendor Field
Name | 'Software Usage Metrics is disabled'
Message | 'Software Usage Metrics is disabled.'
Event 49916
ArcSight Field | Vendor Field
Name | 'UTC adjustment'
Message | 'UTC adjustment'
Device Custom String 1 | All of (1, 2) (UTC Adjustment)
Event 49917
ArcSight Field | Vendor Field
Name | 'Default collation'
Message | All of 'Default collation '1' ('2' '3')'
Device Custom String 1 | 2 (Language)
Device Custom String 4 | 1 (SQL collation)
Device Custom Number 2 | 3 (Language ID)
Microsoft Sysmon
Microsoft Sysmon Logs is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, users can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
The following sections provide information about Microsoft Sysmon Logs and its event mappings to ArcSight data fields.
Supported Versions
• Microsoft Windows 8
• Microsoft Windows 10
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016
• Microsoft Windows Server 2019
This connector supports Microsoft Sysmon Operational version 11 events.
The SmartConnector for Microsoft Windows Event Log – Windows Security Event Mappings document provides the main mappings for the Windows Event Log SmartConnectors; the field mappings listed in this document are specifically for Microsoft Remote Access.
Configuring Microsoft Sysmon Logs
For complete information about Microsoft's Reporting and Microsoft Sysmon Logs, see Microsoft's TechNet Library for Windows Server, "Remote Access (DirectAccess, Routing and Remote Access)":
http://technet.microsoft.com/en-us/library/hh831416
Mappings for Microsoft Sysmon Logs
General
ArcSight Field | Vendor Field
Destination Process Id | ProcessId
Device Product | Sysmon
Device Vendor | 'Microsoft'
Device Version | Unknown
Event 1
ArcSight Field | Vendor Field
Destination Process Name | Image
Destination Service Name | CommandLine
Device Action | Process Create
Device Custom String 1 | IntegrityLevel
Device Custom String 4 | CommandLine
Device Custom String 6 | LogonGuid
Device Receipt Time | UtcTime
File Hash | Hashes
File Id | ProcessGuid
Message | Description
Name | Process Created
Old File Hash | MITRE ID
Old File Id | ParentProcessGuid
Old File Name | OriginalFileName
Old File Path | CurrentDirectory
Source Nt Domain | __extractNTDomain(User)
Source Process Id | ParentProcessId
Source Process Name | ParentImage
Source Service Name | ParentCommandLine
Source User Id | LogonId
Source User Name | __extractNTUser(User)
Event 2
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | File creation time changed
Device Receipt Time | UtcTime
File Create Time | CreationUtcTime
File Id | ProcessGuid
File Path | TargetFilename
Message | File creation time changed
Name | File creation time changed
Old File Create Time | PreviousCreationUtcTime
Old File Hash | MITRE ID
Event 3
ArcSight Field | Vendor Field
Destination Address | __oneOfAddress(DestinationIp) (for destination aware)
Device Custom IPv6 Address 2 | __stringToIPv6Address(SourceIp) (for non-destination aware)
Device Custom IPv6 Address 3 | __stringToIPv6Address(DestinationIp) (for non-destination aware)
Destination Host Name | DestinationHostname
Destination Port | __safeToInteger(DestinationPort)
Destination Process Name | Image
Device Action | __concatenate(Initiated Initiated)
Device Receipt Time | UtcTime
File Id | ProcessGuid
Message | Network connection detected
Name | Network connection detected
Old File Hash | MITRE ID
Source Address | __oneOfAddress(SourceIp) (for destination aware)
Source Host Name | SourceHostname
Source Nt Domain | __extractNTDomain(User)
Source Port | __safeToInteger(SourcePort)
Source Port Name | SourcePortName
Source User Name | __extractNTUser(User)
Transport Protocol | Protocol
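As an added example that is not part of this guide or the connector, the Python below applies the Event 3 mapping rows above (and the __extractNTDomain / __extractNTUser helpers shared with Event 1) to a constructed Sysmon network-connection record. The helper behaviour, the 'Initiated ' concatenation, and the IPv4/IPv6 split between destination-aware and non-destination-aware modes are assumptions made for the example.

```python
# Added example, not the connector's code: apply the Event 3 rows above to a Sysmon record.
# Helpers named after the table's __extractNTDomain/__extractNTUser/__safeToInteger/
# __oneOfAddress/__stringToIPv6Address entries implement an ASSUMED behaviour.
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not a real capture): IPv6 source to IPv4 destination, so both address paths run.
SAMPLE_EVENT_3 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-05-01 10:15:30.123</Data>
    <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
    <Data Name="User">CORP\\alice</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIp">2001:db8::10</Data>
    <Data Name="SourceHostname">ws01.corp.example</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="SourcePortName"></Data>
    <Data Name="DestinationIp">192.0.2.25</Data>
    <Data Name="DestinationHostname">files.corp.example</Data>
    <Data Name="DestinationPort">445</Data>
  </EventData>
</Event>"""

def extract_nt_domain(user):  # DOMAIN\user -> DOMAIN; a bare user name carries no domain
    return user.split("\\", 1)[0] if "\\" in user else None

def extract_nt_user(user):  # DOMAIN\user -> user; a bare user name is returned unchanged
    return user.split("\\", 1)[1] if "\\" in user else user

def safe_to_integer(value):  # ports arrive as text; a blank or garbage value must not drop the event
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def parse_event_data(xml_text):
    """Flatten <EventData><Data Name=...> pairs into a dict of vendor fields."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

def map_event3(xml_text, destination_aware=True):
    """Return the ArcSight field -> value mapping for one Sysmon Event 3 record."""
    d = parse_event_data(xml_text)
    out = {
        "Name": "Network connection detected",
        "Device Action": "Initiated " + d.get("Initiated", ""),  # __concatenate (assumed form)
        "Device Receipt Time": d.get("UtcTime"),
        "Destination Process Name": d.get("Image"),
        "Transport Protocol": d.get("Protocol"),
        "Source Host Name": d.get("SourceHostname"),
        "Destination Host Name": d.get("DestinationHostname"),
        "Source Port": safe_to_integer(d.get("SourcePort")),
        "Destination Port": safe_to_integer(d.get("DestinationPort")),
        "Source Port Name": d.get("SourcePortName") or None,
        "Source Nt Domain": extract_nt_domain(d.get("User", "")),
        "Source User Name": extract_nt_user(d.get("User", "")),
    }
    # Destination-aware connectors take either IP version in Source/Destination
    # Address; otherwise IPv6 goes to Device Custom IPv6 Address 2/3 (assumed split).
    for key, direct, v6 in (("SourceIp", "Source Address", "Device Custom IPv6 Address 2"),
                            ("DestinationIp", "Destination Address", "Device Custom IPv6 Address 3")):
        try:
            addr = ipaddress.ip_address(d.get(key, ""))
        except ValueError:
            continue  # unparseable address: leave both address fields unset
        out[v6 if addr.version == 6 and not destination_aware else direct] = str(addr)
    return out
```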
Event 4
ArcSight Field | Vendor Field
Additional Data: Schema Version | SchemaVersion
Device Action | State
Device Receipt Time | UtcTime
Message | Sysmon service state changed
Name | Sysmon service state changed
Event 5
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | Process Terminated
Device Receipt Time | UtcTime
File Id | ProcessGuid
Message | Process Terminated
Name | Process Terminated
Old File Hash | MITRE ID
Event 6
ArcSight Field | Vendor Field
Device Action | Driver Loaded
Device Receipt Time | UtcTime
File Hash | Hashes
File Name | ImageLoaded
File Permission | SignatureStatus
File Type | Signed
Message | Driver Loaded
Name | Driver Loaded
Old File Hash | MITRE ID
Event 7
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | Image Loaded
Device Receipt Time | UtcTime
File Hash | Hashes
File Id | ProcessGuid
File Name | ImageLoaded
File Permission | SignatureStatus
File Type | Signed
Message | Description
Name | Image Loaded
Old File Hash | MITRE ID
Old File Name | OriginalFileName
Event 8
ArcSight Field | Vendor Field
Destination Process Name | TargetImage
Device Action | CreateRemoteThread detected
Device Process Id | SourceProcessId
Device Receipt Time | UtcTime
File Id | TargetProcessGuid
Message | CreateRemoteThread detected
Name | CreateRemoteThread detected
Old File Hash | MITRE ID
Old File Id | SourceProcessGuid
Source Process Name | SourceImage
Event 9
ArcSight Field | Vendor Field
Device Action | RawAccessRead detected
Device Custom String 5 | Device
Device Receipt Time | UtcTime
Destination Process Name | Image
File Id | ProcessGuid
Message | RawAccessRead detected
Name | RawAccessRead detected
Old File Hash | MITRE ID
Event 10
ArcSight Field | Vendor Field
Additional Data: Source ThreadId | SourceThreadId
Destination Process Name | TargetImage
Device Action | Process accessed
Device Custom String 1 | GrantedAccess
Device Process Id | __safeToInteger(SourceProcessId)
Device Receipt Time | UtcTime
File Id | TargetProcessGUID
Message | Process accessed
Name | Process accessed
Old File Id | SourceProcessGUID
Old File Hash | MITRE ID
Old File Path | CallTrace
Source Process Name | SourceImage
Event 11
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | File Created
Device Receipt Time | UtcTime
File Create Time | CreationUtcTime
File Id | ProcessGuid
File Path | TargetFilename
Message | File created
Name | File created
Old File Hash | MITRE ID
Event 12
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | Registry object added or deleted
Device Custom String 1 | EventType
Device Receipt Time | UtcTime
File Id | ProcessGuid
File Path | TargetObject
Message | Registry object added or deleted
Name | Registry object added or deleted
Old File Hash | MITRE ID
Event 13
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | Registry value set
Device Custom String 1 | EventType
Device Custom String 4 | Details
Device Receipt Time | UtcTime
File Id | ProcessGuid
File Path | TargetObject
Message | Registry value set
Name | Registry value set
Old File Hash | MITRE ID
Event 14
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | Registry key and value rename
Device Custom String 1 | EventType
Device Receipt Time | UtcTime
File Id | ProcessGuid
File Path | NewName
Name | Registry key and value rename
Old File Hash | MITRE ID
Old File Path | TargetObject
Event 15
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | File stream created
Device Receipt Time | UtcTime
File Hash | Hash
File Id | ProcessGuid
File Create Time | CreationUtcTime
File Path | TargetFilename
Message | File stream created
Name | File stream created
Old File Hash | MITRE ID
Event 16
ArcSight Field | Vendor Field
Device Action | Sysmon config state changed
Device Receipt Time | UtcTime
File Hash | ConfigurationFileHash
Message | Sysmon config state changed
Name | Sysmon config state changed
Source Process Name | Configuration
Event 17
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | Pipe Created
Device Custom String 1 | EventType
Device Custom String 6 | PipeName
Device Receipt Time | UtcTime
File Id | ProcessGuid
Message | Create Pipe
Name | Create Pipe
Old File Hash | MITRE ID
Event 18
ArcSight Field | Vendor Field
Destination Process Name | Image
Device Action | Pipe Connected
Device Custom String 1 | EventType
Device Custom String 6 | PipeName
Device Receipt Time | UtcTime
File Id | ProcessGuid
Message | Pipe Connected
Name | Pipe Connected
Old File Hash | MITRE ID
Event 19
ArcSight Field | Vendor Field
Device Action | Operation
Device Custom String 1 | EventType
Device Custom String 4 | Name
Device Receipt Time | UtcTime
Name | WmiEventFilter activity detected
Old File Hash | MITRE ID
Old File Path | EventNamespace
Source Nt Domain | __extractNTDomain(User)
Source User Name | __extractNTUser(User)
Event 20
ArcSight Field | Vendor Field
Device Action | Operation
Device Custom String 1 | EventType
Device Custom String 4 | Name
Device Receipt Time | UtcTime
File Path | Destination
File Type | Type
Name | WmiEventConsumer activity detected
Old File Hash | MITRE ID
Source Nt Domain | __extractNTDomain(User)
Source User Name | __extractNTUser(User)
Event 21
ArcSight Field | Vendor Field
Device Action | Operation
Device Custom String 1 | EventType
Device Custom String 4 | Filter
Device Custom String 5 | Consumer
Device Receipt Time | UtcTime
Name | WmiEventConsumerToFilter activity detected