
Microsoft Windows RSA enVision Event Source Configuration Instructions and Release Notes

Last Modified: October 01, 2010

Event Source (Device) Product Information
Vendor: Microsoft
Event Source (Device): Windows
Supported Versions: NT, 2000, XP, 2003, Vista Business, Ultimate, and Enterprise (using SNARE), Server 2008 (Agentless or using SNARE), Windows Server 2008 Enterprise with Hyper-V, Server 2008 R2 Standard, Enterprise, and Datacenter (Agentless or using SNARE), Web Server 2008 R2 (Agentless or using SNARE), 7 Professional, Ultimate, and Enterprise (Agentless)

enVision Product Information
Version: 3.7 and later
Event Source (Device) Type:
- Agentless = winevent_nic, 30
- Using third-party collection agent - Adiscon Event Reporter = winevent_er, 15
- Using third-party collection agent - InterSect Alliance BackLog = winevent, 14
- Using third-party collection agent - InterSect Alliance SNARE = winevent_snare, 20
Collection method:
- agentless = Microsoft Event Logging API
- using third-party agent = syslog
Event Source (Device) Class.Subclass: Host.Windows
Service: NIC Windows Service, syslog (SNARE), NIC Windows Eventing Collector

This document contains the following information for the Microsoft Windows event source:
- Configuration Instructions
- Release Notes for Content 2.0
- Release Notes for Standard Content

Microsoft Windows Configuration Instructions


You must complete the following tasks to set up Microsoft Windows to send events to enVision:
I. Set up the remote and target systems
II. Set up Windows file or folder auditing
III. Set up collection

Copyright 2010 EMC Corporation. All Rights Reserved.

RSA enVision Event Source

Set Up the Remote and Target Systems


To set up the remote and target systems, you must set up the event logs and set up Windows auditing.

Set Up Event Logs


Note: To ensure that logs are continuously forwarded to enVision, set the log settings so that the log files never reach their maximum size.

To set up event logs:

1. Click Start > Settings > Control Panel > Administrative Tools > Event Viewer.
2. Right-click System, and select Properties.
3. Select Overwrite events as needed.
4. Click Apply, and click OK.
5. Repeat steps 2 to 4 for Application and Security.

Set Up Windows Auditing


Important: To set up auditing for your specific needs, consult your IS department and the OS documentation. There are several options for auditing Windows. The following example from Microsoft describes how to enable local Windows security auditing.
To set up auditing:

1. Log on to Windows with an account that has administrative credentials.
2. Click Start > Settings > Control Panel > Administrative Tools.
3. Double-click Local Security Policy to start the Local Security Settings MMC snap-in.
4. Double-click Local Policies to expand the folder, and double-click Audit Policy.
5. In the right pane, double-click the policy that you want to enable or disable.
6. Select Success (audited security access attempt that succeeds), Fail (audited security access attempt that fails), or both for logging on and logging off.

Set Up Windows File or Folder Auditing


Set up auditing to detect and record security-related events, such as when a user attempts to access a confidential file or folder. When you audit an object, an entry is written to the Windows Security log whenever the object is accessed in the specified way. You determine which objects to audit, whose actions to audit, and exactly which types of actions to audit. After you set up auditing, you can track users who access specified objects and analyze security breaches. The audit trail can show who performed the actions and who tried to perform actions that are not permitted.


Because the Security log is limited in size, select the files and folders to audit carefully. Also consider the amount of disk space that you are willing to allocate to the Security log. You define the maximum size in the Windows Event Viewer.

Important: For Active Directory 2008 auditing, see the Microsoft TechNet article AD DS Auditing Step-by-Step Guide at http://technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx.
To set up auditing:

1. Open Windows Explorer, and locate the file or folder that you want to audit.
2. Right-click the file or folder, and select Properties.
3. On the Security tab, click Advanced, and click the Auditing tab.
4. Do one of the following:
   - To set up auditing for a new group or user, click Add. In the Name field, enter the name of the user that you want to audit, and click OK.
   - To view or change auditing for an existing group or user, click the group or user, and click View/Edit.
   - To remove auditing for an existing group or user, click the group or user, and click Remove. Go to step 6.
5. If you are adding or editing a group or user, do the following:
   a. In the Access list box, for each type of access that you want to audit, select Successful, Failed, or both.
   b. To prevent files and subfolders in the tree from inheriting these audit entries, select Apply these auditing entries.
   c. Click OK.
6. Click OK.

Note: If the checkboxes in the Access list box in the Auditing Entry dialog box are unavailable, or if the Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from the parent folder.

Set Up Collection
You can set up either of two methods of collection for Windows logs:
- Set Up Agentless Collection
- Set Up Third-Party Collection Services

Note: If you cannot collect messages from a Windows Server 2003 or 2008 event source, set up the Remote Registry Service account to run as the LocalSystem, not LocalService.


Important: You must have administrator privileges to read the event logs and retrieve the Application and System messages. You can get security messages without administrator privileges if you set Manage auditing and security log policy for the user.

Set Up Agentless Collection


Windows Eventing Collector
Beginning with the August 2010 Event Source Update, a new agentless collector is available, the Windows Eventing Collector. For details, see the RSA enVision Windows Eventing Collector Service Deployment Overview Guide and the Microsoft Windows Eventing 6.0 Web Services API Configuration Guide and Release Notes.

Prerequisites
You must be running RSA enVision 4.0 Service Pack 3 or newer. Additionally, ensure that you have updated enVision by installing the following (available for download from SecurCare Online):
- v4.0SP3_WindowsEventing_SharedMemory.exe
- RSA_enVision_Windows_Eventing_Collector_Service.exe
- The June 2010 or later Event Source Update

Disable the Legacy Collector


If you are using the Windows Eventing Collector, RSA recommends that you disable the legacy Windows agentless collector. Otherwise, event collection is duplicated, and enVision stores duplicate message data in its database.

Note: If your environment contains both Windows Server 2008 and earlier Windows servers, make sure you disable the legacy collector only for your Windows Server 2008 servers. The Windows Eventing Collector Service cannot collect from servers earlier than Windows Server 2008.
To disable the legacy agentless Windows collector:

1. In enVision, click Overview > System Configuration.
2. Click Services > Device Services > Windows Service > Manage Windows Service.
3. Select the Windows Agentless Collector Service for each event source for which you will be using the Windows Eventing Collector Service.
4. Click Delete.

Enable Collection on the Hyper-V and Terminal Services Gateway Channels


Follow these instructions only if you want to collect events from the Hyper-V or Terminal Services (TS) Gateway channels.


To collect from the Hyper-V or TS Gateway channels:

1. Add or update the alias for the event source as follows:
   a. Open a new command shell, and change directories to the E:\nic\<enVision version>\<node_name>\collection-services\winevent directory.
   b. Run one of the following commands:
      - To add a new alias, type: wineventconfig.exe -a
      - To edit an existing alias, type: wineventconfig.exe -e
   c. Follow the prompts to provide your information. For details, see the enVision Help.
   d. Enter the list of channels to which to subscribe. Use a comma as the delimiter between channel names.
      Note: You must enter the names exactly as they appear in the list below. If you misspell any channel name, events from that channel will not be collected.
2. To test your configuration, type: wineventconfig.exe -t

Channel List for Hyper-V and TSGateway


The following channels are available for Hyper-V events:
- Channel Microsoft-Windows-Hyper-V-Config-Admin
- Channel Microsoft-Windows-Hyper-V-Config-Operational
- Channel Microsoft-Windows-Hyper-V-Hypervisor-Admin
- Channel Microsoft-Windows-Hyper-V-Hypervisor-Operational
- Channel Microsoft-Windows-Hyper-V-VMMS-Admin
- Channel Microsoft-Windows-Hyper-V-Worker-Admin
- Channel Microsoft-Windows-Hyper-V-Image-Management-Service-Admin
- Channel Microsoft-Windows-Hyper-V-Image-Management-Service-Operational
- Channel Microsoft-Windows-Hyper-V-SynthStor-Admin
- Channel Microsoft-Windows-Hyper-V-Integration-Admin
- Channel Microsoft-Windows-Hyper-V-SynthNic-Admin

The following channels are available for TS Gateway events:
- Channel Microsoft-Windows-TerminalServices-Gateway/Admin
- Channel Microsoft-Windows-TerminalServices-Gateway/Operational
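As an added pre-flight check, not part of this guide or of wineventconfig.exe, the following Python compares the comma-delimited channel list an operator is about to enter against the channels a host actually exposes and reports each unknown name with its closest real one. It treats the Microsoft-Windows-... names in the lists above as the channel names, and its channel inventory is constructed in place of the `wevtutil el` output you would take from the real host.

```python
"""Pre-flight check for the channel list given to wineventconfig.exe.

Added example; not part of the RSA enVision guide or the wineventconfig tool.
The guide warns that a misspelled channel name is simply not collected, so this
compares the operator's comma-delimited entry against the channels the target
host exposes. The inventory below is constructed for the example; on a real
host it would be the output of `wevtutil el` run on that server.
"""
import difflib

# Constructed `wevtutil el` output from a Hyper-V / TS Gateway host (subset).
AVAILABLE_CHANNELS = """\
Application
Security
System
Microsoft-Windows-Hyper-V-Config-Admin
Microsoft-Windows-Hyper-V-Config-Operational
Microsoft-Windows-Hyper-V-Hypervisor-Admin
Microsoft-Windows-Hyper-V-VMMS-Admin
Microsoft-Windows-Hyper-V-Worker-Admin
Microsoft-Windows-TerminalServices-Gateway/Admin
Microsoft-Windows-TerminalServices-Gateway/Operational
""".splitlines()

# Constructed operator entry: two correct names, one typo, one wrong separator.
REQUESTED_EXAMPLE = ("Microsoft-Windows-Hyper-V-Config-Admin, "
                     "Microsoft-Windows-Hyper-V-VMMS-Admin,"
                     "Microsoft-Windows-Hyper-V-Hypervisor-Adnin, "
                     "Microsoft-Windows-TerminalServices-Gateway-Admin")


def parse_channel_list(text):
    """Split the comma-delimited entry the way the prompt expects,
    ignoring surrounding whitespace and empty items."""
    return [item.strip() for item in text.split(",") if item.strip()]


def check_channels(requested, available):
    """Return (valid, unknown): valid lists the names that exist exactly as
    typed; unknown maps every other name to up to three close existing names
    (empty list when nothing is similar enough)."""
    known = set(available)
    valid, unknown = [], {}
    for name in requested:
        if name in known:
            valid.append(name)
        else:
            unknown[name] = difflib.get_close_matches(name, available, n=3, cutoff=0.8)
    return valid, unknown


if __name__ == "__main__":
    ok, bad = check_channels(parse_channel_list(REQUESTED_EXAMPLE), AVAILABLE_CHANNELS)
    for name in ok:
        print("ok        ", name)
    for name, hints in bad.items():
        print("NOT FOUND ", name, "-> did you mean:", ", ".join(hints) or "(no match)")
```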

Legacy Collector
The NIC Windows Service retrieves Windows logs from remote systems without installing any third-party software. This method is known as agentless Windows collection.

If you use agentless collection, the Remote Registry Service must be running on the remote server. This service allows a remote station to access the event logs. If you use a third-party collection application or an agent, you do not need to configure the NIC Windows Service.

Set Up Third-Party Collection Services


RSA enVision supports Windows logs collected by InterSect Alliance SNARE BackLog, InterSect Alliance SNARE for Windows, and Adiscon EventReporter and DNS Server. You can set up collection by any of the following:
- InterSect Alliance SNARE BackLog
- InterSect Alliance SNARE
- Adiscon EventReporter and DNS Server

Note: If you install the SNARE agent on a Windows Vista or Server 2008 system, you must use SNARE for Windows Vista version 1.1.1.

Set Up InterSect Alliance SNARE BackLog


To set up InterSect Alliance SNARE BackLog:

1. Set the Target Host to the hostname of the enVision appliance collecting the events.
2. Set the Syslog Category to Syslog - Debug.
3. Set the Delimiter to Comma.

If you set these incorrectly, you can run configurator.exe, located in the installation directory (the default installation directory is C:\Program Files\Backlog).

Set Up InterSect Alliance SNARE


RSA enVision supports SNARE for Windows 3.1.0 and earlier, and SNARE for Windows Vista 1.1.1.

Note: DNS server logs are not supported by SNARE for Windows Vista 1.1.1 on Windows Server 2008.

To set up InterSect Alliance SNARE:

1. Set the Destination Snare Server Address to the IP address of the enVision appliance collecting the events.
2. Set the Destination Port to 514.
3. Set the Syslog facility to Syslog.
4. Set the Syslog Priority to Debug.
5. Ensure that Enable Syslog Header is selected.
6. Copy the SNAREdelimiter.reg file from the \etc\devices\winevent_snare directory on the enVision appliance to the machine on which you installed SNARE.
7. To update the SNARE registry with the proper delimiter setting, right-click the SNAREdelimiter.reg file, and select Merge. When prompted to continue, click Yes.
8. On the Windows Start menu, click Settings > Control Panel > Administrative Tools > Services.
9. Restart the SNARE service.
To install and set up InterSect Alliance SNARE on Windows Server 2008 Server Core:

1. Click My Computer > Tools > Map Network Drive, and follow these steps to map a drive:
   a. From the Drive drop-down list, select the drive to be mapped to.
   b. In the Folder field, enter the IP address of the drive to be mapped. For example, if the IP address of the core server machine is 1.1.1.1 and the drive to be mapped is C:, enter \\1.1.1.1\c$ in the Folder field.
   c. Select Reconnect at logon.
   d. Select the Connect using a different user name option, and enter the logon credentials for the Server Core machine.
2. Create a new directory on Server Core, such as C:\files.
3. Copy the SNARE installation file (downloaded to the local machine from http://www.intersectalliance.com/projects/SnareWindows/index.html#Download) and the .reg file (from the \etc\devices\winevent_snare directory on the enVision appliance) to the directory that you created in step 2.
4. Follow these steps to install SNARE on the Server Core installation:
   a. Open a command shell, and change directories to the directory that you created in step 2.
   b. To install SNARE, type:
      C:\files\SnareSetupVista-1.1.1-MultiArch.exe
      Note: When installing the SNARE agent on a Server 2008 Server Core installation, you must set the Remote Control Interface setting to YES with password. If this option is not selected, the SNARE agent can only be configured through the registry.
   c. To update the SNARE registry with the proper delimiter setting, type:
      C:\files\SNAREdelimiter.reg
      When prompted to continue, click Yes.
5. To configure the settings through the web interface, connect to it with a web browser. For example, if the IP address of the Server Core host is 1.1.1.1, go to http://1.1.1.1:6161/
   Note: If a firewall prevents the connection, you can allow it by running the command:
      C:\> netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
   This command sets the default inbound and outbound policy of every firewall profile to allow, which is far broader than a rule for the port 6161 web interface alone.
6. To configure the settings, follow steps 1 to 5 of the preceding SNARE setup procedure.
7. Follow these steps to restart the service:
   a. To stop the service, at the command prompt, type:
      C:\> sc stop snare
   b. To start the service, type:
      C:\> sc start snare
   c. To verify that the SNARE service is running, type:
      C:\> sc query snare

Set Up Adiscon EventReporter and DNS Server


RSA enVision supports EventReporter 8.1.

Note: By default, DNS server logging is not selected.

Note: The Default EventLog Monitor Service is compatible only with Windows Server 2008 Enterprise Edition. It is not compatible with Windows Server 2008 Standard Edition and is therefore not supported by enVision.

You must complete the following tasks to set up Adiscon EventReporter and DNS Server:
I. Set up EventReporter
II. (Optional) Set up Hyper-V
III. Set up DNS server logging

Set Up EventReporter
To set up Adiscon EventReporter:

1. On the Windows Start menu, click Programs > EventReporter > EventReporter Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
   a. Click Default EventLog Monitor > Advanced Options.
   b. Select Use Legacy Format.
   c. Select only Add Facilitystring, Add Username, and Add Logtype.
   d. Click Save.
3. Follow these steps to configure syslog forwarding:
   a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog > Actions.
   b. Select Forward Syslog.
   c. In the Syslog Server field, enter the IP address of the enVision appliance collecting the events.
   d. Clear Add Syslog Source when forwarding to other Syslog servers.
   e. Leave all other options at the default settings.
4. Restart the EventReporter service.

Set Up Hyper-V
This procedure is optional. Follow these steps only if you are configuring Hyper-V.

Note: EventReporter 11.1 is required to configure Hyper-V support.

To configure Hyper-V:

1. On the Windows Start menu, click Programs > EventReporter > EventReporter Configuration.
2. To create a rule set, follow these steps:
   a. In the left-hand panel, right-click Rule Sets, and select Add Rule Set.
   b. Name the rule set, and click Next.
   c. Select Forward Syslog, and accept all other defaults to add the rule set.
   d. Select your rule set from RuleSets, and click Forward Syslog > Actions > Forward Syslog.
   e. Accept all defaults, and complete the fields as follows:
      - Syslog Server: The IP address of your enVision appliance
      - Message format: [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"
      Note: If you cut and paste the message format string, ensure it does not contain any line or paragraph breaks.
3. To configure a service to use the rule set, follow these steps:
   a. Right-click Configured Services, and click Add Service > Event Log Monitor V2.
   b. Accept all defaults, and click Next.
   c. Click Finish.
   d. Click the new service.
   e. By default, all items are selected. Clear all items except those that start with the string Microsoft-Windows-Hyper-V.
      Note: The Hyper-V items are under New EventLog - Serviced Channels > Microsoft > Windows.
   f. In the Rule Set to Use field, select your rule set.
   g. Click Save.
4. Restart the EventReporter service.
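As an added example, not part of this guide or of Adiscon EventReporter, the following Python parses messages emitted with the Message format string configured in step 2e and checks a pasted format string for the line or paragraph breaks the note warns about. It assumes the format is used exactly as shown above; the sample lines, their event IDs and texts are constructed.

```python
"""Parse EventReporter messages forwarded with the Hyper-V rule set's format string.

Added example; not part of the RSA enVision guide or Adiscon EventReporter.
It assumes the Forward Syslog action uses exactly the Message format from the
procedure, and it checks a pasted format string for the line-break problem the
procedure's note warns about. The sample lines are constructed.
"""
import re

# Message format string from the procedure (tokens are EventReporter properties).
MESSAGE_FORMAT = '[%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"'
REQUIRED_TOKENS = ("%level%", "%timegenerated%", "%user%", "%source%",
                   "%sourceproc%", "%id%", "%msg%")


def check_format_string(fmt):
    """Return a list of problems with a (possibly pasted) format string; an
    empty list means it is usable. Catches CR/LF and the Unicode line and
    paragraph separators a copy from a word processor can carry, plus any
    missing property token."""
    problems = []
    if any(ch in fmt for ch in "\r\n\u2028\u2029"):
        problems.append("contains a line or paragraph break")
    problems.extend("missing token " + tok for tok in REQUIRED_TOKENS if tok not in fmt)
    return problems


# Regex mirroring MESSAGE_FORMAT. search() rather than match() lets a syslog
# header in front of the message body (e.g. "<15>Sep 30 16:13:44 HV01 ") pass.
_LINE_RE = re.compile(
    r'\[(?P<level>[^\]]*)\] (?P<timegenerated>.*?): (?P<origin>.*?) '
    r'\((?P<id>\d+)\) - "(?P<msg>.*)"\s*$', re.S)


def parse_line(line):
    """Return the seven properties as a dict, or None if the line does not
    follow MESSAGE_FORMAT. %id% is returned as an int."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    # The %user% value may itself contain "/" (assumed here, e.g. "N/A" for an
    # event with no user), so split from the right: the Hyper-V source and
    # channel names collected by this rule set contain no "/".
    parts = m.group("origin").rsplit("/", 2)
    if len(parts) != 3:
        return None
    user, source, sourceproc = parts
    return {"level": m.group("level"), "timegenerated": m.group("timegenerated"),
            "user": user, "source": source, "sourceproc": sourceproc,
            "id": int(m.group("id")), "msg": m.group("msg")}


# Constructed samples: event IDs and texts are illustrative, not real Hyper-V events.
SAMPLE_LINES = [
    '<15>Sep 30 16:13:44 HV01 [INF] 2010-09-30 16:13:44: '
    'N/A/Microsoft-Windows-Hyper-V-VMMS/Microsoft-Windows-Hyper-V-VMMS-Admin '
    '(1001) - "The virtual machine TestVM was started"',
    '[ERR] 2010-09-30 16:14:02: CONTOSO\\hvadmin/Microsoft-Windows-Hyper-V-Worker/'
    'Microsoft-Windows-Hyper-V-Worker-Admin (2002) - '
    '"Failed to start \'TestVM\' (error 0x80070005)"',
    '<15>Sep 30 16:14:10 HV01 a line that is not in this format',
]

if __name__ == "__main__":
    print("format string problems:", check_format_string(MESSAGE_FORMAT) or "none")
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
```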

Set Up DNS Server Logging


To set up DNS server logging:

1. On the Windows Start menu, click All Programs > EventReporter > EventReporter Configuration.
2. In the left-hand panel, double-click Configured Services, and follow these steps:
   a. Click Default EventLog Monitor > Advanced Options.
   b. Select Use Legacy Format.
   c. Select only Add Facilitystring, Add Username, and Add Logtype.
   d. Click OK.
3. Follow these steps to configure syslog forwarding:
   a. In the left-hand panel, double-click Rule Sets > Default RuleSet > Forward Syslog > Actions.
   b. Select Forward Syslog.
   c. In the Syslog Server field, enter the IP address of the enVision appliance collecting the events.
   d. Clear Add Syslog Source when forwarding to other Syslog servers.
   e. Leave all other options at the default settings.
4. Restart the EventReporter service.

Content 2.0 Release Notes

Microsoft Windows Release Notes (20100930-161344)

What's New in This Release

RSA updated Microsoft Windows to Content 2.0.

Note: The September 2010 Event Source Update delivers a Content 2.0 update for the winevent_er, winevent_nic and winevent_snare event sources. Along with the updated Windows content is an update for 19 correlated rules. If you do not install the Content 2.0 update for a Windows event source, you receive the standard version of these rules. If, however, you install any of the three listed Windows event sources, you also receive the Content 2.0 versions of these rules.

Content 2.0, the new content schema, features substantial improvements to the parsing of event data into the various tables that are used for queries and reports. Content 2.0 is the future direction for all event sources within the supported event sources library.

Note: The Table ID for Windows Content 2.0 is 85.

Standard Content Release Notes

Microsoft Windows Release Notes (20100902-144020)


Agentless Support for Hyper-V and Terminal Services Gateway


RSA added support for Hyper-V and Terminal Services (TS) Gateway on Windows Server 2008 Enterprise, using the agentless collector.

Note: Support for the agentless collector requires the download and configuration of the Microsoft Windows Eventing 6.0 Web Services API. For details, see the RSA enVision Windows Eventing Collector Service Deployment Overview Guide and the Microsoft Windows Eventing 6.0 Web Services API Configuration Guide and Release Notes.

Microsoft Windows Release Notes (20100810-182943)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20100628-101107)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20100601-100037)

Support for Hyper-V


RSA added support for Hyper-V on Windows Server 2008 Enterprise, using the Event Reporter collection agent.

Reports
To get support for all Windows reports, you must select the Windows Events (BL) item from the Event Source list during installation.

New and Updated Event Messages in Microsoft Windows


For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20100504-112249)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20100330-154137)

What's New in This Release

RSA added support for Windows Server 2008 Enterprise without Hyper-V.

RSA qualified SNARE for the following versions of Windows Server 2008 R2:
- Standard
- Enterprise
- Webserver
- Datacenter

New and Updated Event Messages in Microsoft Windows


For complete details about new and updated messages, see the Event Source Update Help. Note: These message changes may appear in the February Event Source Update, rather than the March Event Source Update.

Microsoft Windows Release Notes (20100301-120755)

Windows Event ID Update


The following Windows Event IDs have been modified:
- 624
- 642
- 645
- 646

The modifications are summarized in the following table:

Attribute                  Old Variable     New Variable
New Account Name:          <username>       <username>
New Domain:                <domain>         <domain>
New Account ID:            <user_id>        <user_id>
Caller User Name:          <c_user_name>    <c_user_name>
Caller Domain:             <c_domain>       <c_domain>
Caller Logon ID:           <c_logon_id>     <c_logon_id>
{Privileges:|Privileges}   <privileges>     <privileges>
Attributes:                <space>          <space>
Sam Account Name:          <fld1>           <info1>
Display Name:              <fld2>           <info1>
User Principal Name:       <fld3>           <info1>
Home Directory:            <directory>      <directory>
Home Drive:                <fld4>           <directory>
Script Path:               <fld5>           <directory>
Profile Path:              <fld6>           <directory>
User Workstations:         <workstation>    <workstation>
Password Last Set:         <fld7>           <fld7>
Account Expires:           <fld8>           <expiration_time>
Primary Group ID:          <fld9>           <groupid>
AllowedToDelegateTo:       <fld10>          <fld10>
Old UAC Value:             <fld11>          <change_old>
New UAC Value:             <fld12>          <change_new>
User Account Control:      <acct_control>   <acct_control>
User Parameters:           <param>          <param>
Sid History:               <fld15>          <info2>
Logon Hours:               <fld16>          <info2>

Note: The variables <info1>, <directory>, and <info2> contain the values for all of their respective fields. The first attribute for each variable does not display its name in the field. For example, <info1> would hold the values "data8 Display Name: data9 User Principal Name: data10", where data8 is the value for Sam Account Name.
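The packing the note describes can be reversed in code. The following Python is an added example, not from this guide, and assumes that each bucketed variable holds its attribute values in table order, the later ones introduced by the attribute name and a colon, with "-" as the marker for an empty value; the Event ID 624 sample is constructed.

```python
"""Split the bucketed variables of the modified Windows 2003 account events.

Added example; not part of the RSA enVision guide. The table maps several
attributes of Event IDs 624/642/645/646 onto shared variables (<info1>,
<directory>, <info2>); the first attribute's value carries no label and each
later value is introduced by its attribute name and a colon. This reverses that
packing. Field lists come from the table; sample values and the "-" empty
marker are constructed assumptions.
"""
import re

# Attributes packed into each shared variable, in table order.
BUCKETS = {
    "info1": ["Sam Account Name", "Display Name", "User Principal Name"],
    "directory": ["Home Directory", "Home Drive", "Script Path", "Profile Path"],
    "info2": ["Sid History", "Logon Hours"],
}
EMPTY_MARKER = "-"   # assumed placeholder for an attribute with no value


def _bucket_pattern(fields):
    """Build a regex: unlabeled first value, then "<Label>: <value>" per later field."""
    parts = [r"^(?P<f0>.*?)"]
    for i, label in enumerate(fields[1:], start=1):
        parts.append(r"\s*" + re.escape(label + ":") + r"\s*(?P<f%d>.*?)" % i)
    parts.append(r"\s*$")
    return re.compile("".join(parts), re.S)


def split_bucket(value, fields):
    """Return {attribute: value} for one packed variable, or None when the labels
    are missing or out of order. Empty markers become None. A value that itself
    contains a later label (a display name reading "Script Path: x", say) is
    ambiguous and is split at the first occurrence of that label."""
    match = _bucket_pattern(fields).match(value)
    if not match:
        return None
    out = {}
    for i, field in enumerate(fields):
        text = match.group("f%d" % i).strip()
        out[field] = None if text in ("", EMPTY_MARKER) else text
    return out


def expand_event(variables):
    """Flatten a parsed event: keep ordinary variables, split the bucketed ones.
    An unparseable bucket is left intact under its variable name."""
    flat = {}
    for name, value in variables.items():
        split = split_bucket(value, BUCKETS[name]) if name in BUCKETS else None
        if split is None:
            flat[name] = value
        else:
            flat.update(split)
    return flat


# Constructed parse of a Windows 2003 Event ID 624 (user account created).
SAMPLE_624 = {
    "username": "jdoe",
    "domain": "CONTOSO",
    "info1": "jdoe Display Name: John Doe User Principal Name: jdoe@contoso.example",
    "directory": r"- Home Drive: - Script Path: logon.bat Profile Path: \\FILESRV\profiles\jdoe",
    "info2": "- Logon Hours: All",
}

if __name__ == "__main__":
    for attr, val in expand_event(SAMPLE_624).items():
        print("%-20s %s" % (attr, val))
```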

New and Updated Event Messages in Microsoft Windows


For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20100128-170125)

New and Updated Event Messages in Microsoft Windows
For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20100111-094859)

What's New in This Release

Microsoft Windows Server 2008, Windows 7, and Windows Vista

Note the following limitations for Windows Server 2008, Windows 7, and Windows Vista:

The enVision Windows Collector cannot retrieve messages from the new event channels of Windows Server 2008, Windows 7, and Windows Vista event sources; it can collect only from the "Legacy" event stores, such as Application, System, and Security.

Microsoft Windows Server 2008 R2


Microsoft Windows Server 2008 R2 requires the Event Source Update of December 2009 or later.

New and Updated Event Messages in Microsoft Windows


For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20091125-130024)

What's New in This Release

RSA added support for the following versions of Windows:
- Windows 7 Professional
- Windows 7 Ultimate
- Windows 7 Enterprise
- Windows Vista Business
- Windows Vista Ultimate

Updated Variables For Microsoft Windows Server 2003


RSA made the following changes to Windows 2003 XMLs:

Field          Old 2003 variable   Variable used for the copy   Number of messages affected   Event IDs
Result Code    reason              resultcode                   1                             672
Failure Code   reason              resultcode                   1                             673
Failure Code   reason              resultcode                   3                             675, 676, 677
Error Code     reason              resultcode                   1                             680
Error Code     reason              resultcode                   1                             681
Status Code    reason              resultcode                   1                             697

Notes:
- In Snare, instead of being parsed to an fld, this field is now parsed to resultcode.
- In EventReporter, instead of being parsed to an fld, it is now parsed to resultcode.
- In Snare, this field is now parsed to code and resultcode.
- In Snare, this field is now parsed to privileges and resultcode.

For the Windows Server 2003 messages, nothing changed except that the data in the "Old variable" now also appears in "Variable used for the copy" for forward compatibility with the Windows Server 2008 messages. The new variable can now also be used in future reports.

Updated Variables For Microsoft Windows Server 2008


RSA made the following changes to Windows Server 2008 XMLs.

Variables Replaced

Columns: Field; Old 2008 variable; New 2008 variable used instead; Number of messages affected; Event IDs; Notes. The values of each column:

Field: Failure Reason; Status; Sub Status; Status Code; Status Code; Error Code; Error Code; Result
Old 2008 variable: fld; status; reason; fld; result; reason
New 2008 variable used instead: reason; status; resultcode; resultcode; resultcode; resultcode; reason; resultcode; auth_result, package
Number of messages affected: 1; 1; 1; 1; 1; 1
Event IDs: 4625; 4695; 4768; 4776; 4777; 6272
Notes: Also, the same field is still parsed to reason using a variable copy.

INFO Buckets

Field               Variable
Failure Reason      reason
State               status
Exit Status         resultcode
Status Code         resultcode
Failure Code        resultcode
Audit Status Code   resultcode
Reason              reason
Return Code         resultcode

Number of messages affected: 18
Event IDs: 4652, 4653, 4689, 4692, 4693, 4694, 4769, 4771, 4772, 4935, 4936, 4957, 4958, 4983, 4984, 5057, 5060, 6273

New and Modified Reports


RSA created a new reports family under Host - Windows that is called Windows Filtering Platform. Three new reports have been added to this reports family:
- Windows - Detected DoS Attacks
- Windows - Packets Discarded Due To DoS Attack
- Windows - Packets Blocked By Windows Filtering Platform

RSA modified the following report under Host - Windows - Logon Logoff.

Report Name: Windows - Logons logoffs by User
Changes:
- Report Description was modified.
- Column User Name was renamed to Primary User Name.
- Column Primary Domain was added.
- Column Logon Account Name was added.
- Column Logon Account Domain was added.
- Column Primary Domain Name was added.
- Column Primary Logon ID was added.
- Column Domain Name was removed.

Event Changes
RSA added support to the following Security Event IDs for Agentless Collection.

Provider: Security
- Event ID 697

Provider: Microsoft-Windows-Security-Auditing
- Event IDs 4817, 5142, 5143, 5144, 5145, 5148, 5149, 5150, 5151, 5168, 6281, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408

Provider: Microsoft-Windows-EventLog
- Event IDs 1, 2, 3, 103, 107

RSA modified the event category for the following message IDs.

Message ID                                          Old Event Category                          New Event Category
Security_513_Security                               System.Startup                              System.Shutdown
Security_4776_Microsoft-Windows-Security-Auditing   User.Management.Permissions                 Auth.General
Security_4753_Microsoft-Windows-Security-Auditing   User.Activity.Logoff                        User.Management.Groups.Deletions
Security_4741_Microsoft-Windows-Security-Auditing   Policies.Rights.Successful.Privileged Use   User.Management.Users.Additions
Security_4742_Microsoft-Windows-Security-Auditing   Policies.Rights.Successful.Privileged Use   User.Management.Users.Modifications
Security_4743_Microsoft-Windows-Security-Auditing   Policies.Rights.Successful.Privileged Use   User.Management.Users.Deletions
(message ID not recovered)                          User.Activity.Logoff                        User.Management.Users.Deletions

Table Changes

RSA made the following table change.

Message ID             Old Table       New Table
System_6008_EventLog   Windows Level   Windows Accounting

New and Updated Event Messages in Microsoft Windows


For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20091030-104516)

What's New in This Release


Updated Variables For Microsoft Windows Server 2003
RSA made the following changes to Windows 2003 XMLs.

Field                 Old 2003 variable   Variable used for the copy   Number of messages affected   Event IDs
Process ID            operation_id        process_id                   1                             520
Process ID            misc_id             process_id                   4                             528, 540, 552, 565
Process ID            process             process_id                   10                            560, 562, 564, 565, 567, 578, 592-594, 600
Process ID            pid                 process_id                   1                             565
New Account ID        user_id             groupid                      3                             631, 635, 658
New Account Name      username            group                        3                             631, 635, 658
Target Account ID     user_id             groupid                      12                            632, 633, 634, 637, 638, 639, 641, 659, 660, 661, 662, 668
Target Account Name   username            group                        12                            632, 633, 634, 637, 638, 639, 641, 659, 660, 661, 662, 668

For the Windows Server 2003 messages, nothing changed except that the data in the "Old variable" now also appears in "Variable used for the copy" for forward compatibility with the Windows Server 2008 messages. The new variables can now also be used in future reports.

Updated Variables For Microsoft Windows Server 2008


RSA made the following changes to Windows 2008 XMLs.

Variables Replaced

Field                 Old 2008 variable   New 2008 variable used instead   Number of messages affected   Event IDs
Process ID            handle_id           process_id                       13                            4624, 4625, 4648, 4688, 4689
Object handle         misc_id             obj_handle                       1                             4674
Domain ID             misc_id             domain_id                        4                             4706, 4707, 4716, 4739
Supplied Realm Name   misc_name           domain                           1                             4768
Access Mask           peer_id             mask                             1                             4662
Group: Security ID    fld                 groupid                          13                            4764, 4758, 4759, 4760, 4761, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4792
Group: Security ID    handle_id           groupid                          1                             4735
Group Name            c_user_name         group                            6                             4783, 4784, 4789, 4790, 4791, 4792

The following fields, each previously parsed to a variable of the form 'fld', now use the variable shown (10 messages affected; Event IDs 4624, 4728, 4729, 4732, 4733, 4648, 4768, 4673, 4688):

Field                         New 2008 variable used instead
Home Directory                directory
Logon ID                      c_logon_id
Creator Process ID, service   misc_id, misc_name
Ticket Options                options
New Logon: Account Domain     c_domain
Pre-Authentication Type       auth_type
Service Name                  service

INFO Buckets

Field                                   Variable
Privileges/User Rights                  privileges
Accesses                                accesses
Access Mask                             mask
User Workstation/Caller Computer Name   workstation
Subject: Account Name                   username
Authentication Package                  auth_package
Group: Security ID                      groupid
Group Name                              group
Attributes                              info

Number of messages affected and Event IDs:
- 31 messages: 4624, 4625, 4656, 4661, 4704, 4705, 4713, 4714, 4726-4734, 4739-4741, 4743, 4754-4757, 4769-4772, 4780, 4729, 4730, 4733, 4734
- 3 messages (Attributes): 4720, 4738, 4742

Report Changes For Microsoft Windows Server 2008


RSA created the following Windows reports:
- FISMA - Personal Termination - Windows Server 2003
- HIPAA - Access Establishment and Modification - Windows Server 2003 Detail
- HIPAA - Password Changes and Expirations - Windows Server 2003
- Host - Windows - Account Management - Computer Account Changes - Windows Server 2003
- Host - Windows - Account Management - User Group Account Changes - Windows Server 2003
- Host - Windows - Policy Changes and Audit logs - Trusted Domain Changes - Windows Server 2003
- Host - Windows - Policy Changes and Audit logs - User Rights Changes - Windows Server 2003
- Host - Windows - User Activity - Applications by Users - Windows Server 2003

RSA made no changes to the following Windows reports:

- HIPAA - ePHI Access Report
- HIPAA - Automatic Workstation Logoff
- HIPAA - Login Attempts by Unauthorized Accounts - Windows
- HIPAA - Manual Workstation Logoffs - Windows
- HIPAA - ePHI Access Report - Windows Detail
- PCI - Initialization of all audit logs
- Host - Windows - Restarts/Shutdowns - System Restarts/Shutdowns
- Host - Windows - Policy Changes and Audit logs - Audit Log Cleared
- Host - Windows - Policy Changes and Audit logs - Audit Log Full
- Host - Windows - Policy Changes and Audit logs - Audit Policy Changes
- Host - Windows - Policy Changes and Audit logs - Policy Changes Summary

RSA updated the following Windows reports as described in the table.

Report Name | Changes
Host - Windows - Account Management - Global Group Account Changes | Replaced User Name by Group Name in result set
Host - Windows - Account Management - Local Group Account Changes | Replaced User Name by Group Name in result set
Host - Windows - Account Management - Universal Group Account Changes | Replaced User Name by Group Name in result set
Host - Windows - Files/Objects Access - Access to Files | The report description was modified:
- Column Domain has been renamed to Primary Domain Name
- Column User Name has been renamed to Primary User Name
Host - Windows - Files/Objects Access - Registry Access | The report description was modified:
- Column Domain has been renamed to Primary Domain Name
- Column User Name has been renamed to Primary User Name
Host - Windows - User Activity - Privileged Activities by User | The report description was modified:
- Column Domain has been renamed to Primary Domain Name
- Column User Name has been renamed to Primary User Name
- Column Client User Name has been added
- Column Client Domain Name has been added
FISMA - Collaborative Computing | The report description was modified:
- Column User Name has been renamed to Primary User Name
- Column Logon Account Name has been added
HIPAA - Access Authorization | The report description was modified:
- Column Username has been renamed to Primary Username
- Column Logon Account Name has been added
HIPAA - Access Authorization - Windows Details | The report description was modified:
- Column Username has been renamed to Primary Username
- Column Logon Account Name has been added
HIPAA - Failed Logon Attempts to ePHI Systems | The report description was modified:
- Column Username has been renamed to Primary Username
- Column Logon Account Name has been added
Host - Windows - Logon/Logoff - Local Logons/logoffs by User | The report description was modified:
- Column Username has been renamed to Primary Username
- Column Logon Account Name has been added
- Column Primary Logon ID has been added
Host - Windows - Logon/Logoff - Failed Logons | The report description was modified:
- Column User Name has been renamed to Primary User Name
- Column Domain Name has been renamed to Primary Domain Name
- Column Logon Account Name has been added
- Column Logon Domain has been added
HIPAA - ePHI Access Report By Administrative Users | The report description was modified
FISMA - Personal Termination - Windows |
- Removing the Windows Server 2003 events
- Column UserName has been renamed to Target UserName
HIPAA - Access Establishment and Modification - Windows Detail | Removing the Windows Server 2003 events, where we also introduced a Group Name
HIPAA - Password Changes and Expirations |
- Removing the Windows Server 2003 events
- Column UserName has been renamed to Target Username
- Column Domain Name has been renamed to Target Domain Name
Host - Windows - Account Management - Computer Account Changes |
- Removing the Windows Server 2003 events
- Column User Name has been renamed to Target User Name
Host - Windows - Account Management - User Group Account Changes |
- Removing the Windows Server 2003 events
- Column User Name has been renamed to Target User Name
Host - Windows - Policy Changes and Audit logs - Trusted Domain Changes |
- Removing the Windows Server 2003 events
- Column Domain Name has been renamed to Target Domain
- Column User Name has been renamed to Event User
- Column Client Domain has been renamed to User Domain
- Column Client User Name has been renamed to User Name
Host - Windows - Policy Changes and Audit logs - User Rights Changes |
- Removing the Windows Server 2003 events
- Column User Name has been renamed to Event User
- Column Client Domain has been renamed to Domain Name
- Column Client User Name has been renamed to User Name
- Column Target User Name has been added
Host - Windows - User Activity - Applications by Users |
- Removing the Windows Server 2003 events
- The Column Name has been removed
- The Column Process ID has been added

New and Updated Event Messages in Microsoft Windows


For complete details on new and updated messages, see the Event Source Update Help.

Microsoft Windows Release Notes (20091005-160143)

What's New in This Release


RSA updated the configuration instructions for Windows Server 2008. The update includes:

- For Adiscon EventReporter, configuration for DNS servers was added.
- For Active Directory Auditing, Active Directory 2008 messages were refined.
- For InterSect Alliance SNARE, DNS Server logs are not supported by Snare for Windows Vista 1.1.1 on Windows Server 2008.

New and Updated Event Messages in Microsoft Windows


RSA updated messages for the Windows Event Reporter and SNARE third-party collection agents, as well as for agentless collection. For complete details on new and updated messages, see the Event Source Update Help.
