//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 2000
//
// File: A U D I T E V T . M O F
//
// Contents: Audit event schema definitions
//
//
// History:
// 06-January-2000 kumarp created
//
//------------------------------------------------------------------------

/*
issues:

- best way to represent cred info?

- some events were separately defined for the success and failure cases.
  I merged them into one. For example:
      SE_AUDITID_ADD_SID_HISTORY_SUCCESS/SE_AUDITID_ADD_SID_HISTORY_FAILURE
      SE_AUDITID_ACCOUNT_MAPPED/SE_AUDITID_ACCOUNT_NOT_MAPPED
      SE_AUDITID_ACCOUNT_LOGON_SUCCESS/SE_AUDITID_ACCOUNT_LOGON_FAILURE

- category: logon and account logon

- need to define how the audit-format string is to be specified for new
  (non-legacy) audit events

- need to have a link between SE_AUDITID_PROCESS_CREATED/EXIT

- why is it that some events have both primary/client user info while some
  others have only primary (e.g. AuditEvent_ProcessExit)?

- should PID be 32 or 64 bit?

- type of UserRight?

- tdo ops: DomainId type?

- confirm that account-id (rid) is uint32

- ask shaohua about SE_AUDITID_DOMAIN_POLICY_CHANGE

- for events that are specifically success or failure type, need to set
  Success to TRUE/FALSE

- how to handle delegated client contexts in n-tier apps

- when a process opens an object on a remote machine, which pid gets logged?
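- make sure that all corresponding properties have identical name across
  different classes
*/

//
// Base class for all audit events.
//
// Every concrete event class below overrides AuditId with its SE_AUDITID_*
// value.  CategoryId presumably carries the SE_CATEGID_* of the category the
// event belongs to (the category is only named in comments here).  Success
// defaults to TRUE; failure-type events have to set it to FALSE (open issue
// in the file header).  The "// ...%n" comments that follow each class
// appear to be the legacy audit message text for that event id.
//
[abstractevent]
class AuditEvent : __ExtrinsicEvent
{
    uint16  CategoryId;
    uint32  AuditId;
    uint64  CreationTime;
    Boolean Success = TRUE;
};

/////////////////////////////////////////////////////////////////////////////
//
//  Messages for Category: SE_CATEGID_SYSTEM
//
/////////////////////////////////////////////////////////////////////////////

//
// Abstract base for every event in SE_CATEGID_SYSTEM.
//
// NOTE(review): the original file declared AuditEvent_SystemShutdown,
// AuditEvent_AuditsDiscarded, AuditEvent_AuditLogCleared and
// AuditEvent_NotifyPackageLoad without a base class, so they would have been
// root classes carrying none of the AuditEvent fields (CategoryId,
// CreationTime, Success) although their headers place them in this
// category.  They now derive from AuditEvent_System like their siblings.
//
[abstractevent]
class AuditEvent_System : AuditEvent
{
};

//
// SE_AUDITID_SYSTEM_RESTART
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_SystemRestart : AuditEvent_System
{
    uint32 AuditId = 0x0200;
};

//
// SE_AUDITID_SYSTEM_SHUTDOWN
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_SystemShutdown : AuditEvent_System
{
    uint32 AuditId = 0x0201;
};

//
// SE_AUDITID_SYSTEM_AUTH_PACKAGE_LOAD
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_AuthPackageLoad : AuditEvent_System
{
    uint32 AuditId = 0x0202;
    string AuthenticationPackageName;
};

//
// SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_SystemLogonProcRegister : AuditEvent_System
{
    uint32 AuditId = 0x0203;
    string LogonProcessName;
};

//
// SE_AUDITID_AUDITS_DISCARDED
//
// Category: SE_CATEGID_SYSTEM
//
// NOTE(review): this event records a gap in the audit trail
// (NumberOfAuditMessagesDiscarded events were never written); consumers
// will likely want to surface it regardless of Success.
//
class AuditEvent_AuditsDiscarded : AuditEvent_System
{
    uint32 AuditId = 0x0204;
    uint32 NumberOfAuditMessagesDiscarded;
};

//
// SE_AUDITID_AUDIT_LOG_CLEARED
//
// Category: SE_CATEGID_SYSTEM
//
// Identifies the account that cleared the log (Primary*) and, where a
// server acted on behalf of a client, that client (Client*).  As with
// discarded audits, this marks a break in the audit trail.
//
class AuditEvent_AuditLogCleared : AuditEvent_System
{
    uint32 AuditId = 0x0205;
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
};

//
// SE_AUDITID_SYSTEM_NOTIFY_PACKAGE_LOAD
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_NotifyPackageLoad : AuditEvent_System
{
    uint32 AuditId = 0x0206;
    string NotificationPackageName;
};

/////////////////////////////////////////////////////////////////////////////
//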
// // // // Messages for Category: SE_CATEGID_LOGON // // // // // ///////////////////////////////////////////////////////////////////////////// // // represents SE_CATEGID_LOGON // [abstractevent] class AuditEvent_Logon : AuditEvent { }; // // abstract class that stores fields common to all user-logon events // [abstractevent] class AuditEvent_UserLogon : AuditEvent_Logon { string UserName; string Domain; uint16 LogonType; string LogonProcess; string AuthenticationPackage; string WorkstationName; }; // // // SE_AUDITID_SUCCESSFUL_LOGON // // Category: SE_CATEGID_LOGON // // class AuditEvent_SuccessfulLogon : AuditEvent_UserLogon { uint32 AuditId = 0x0210; uint64 LogonId; }; // // // SE_AUDITID_UNKNOWN_USER_OR_PWD // // Category: SE_CATEGID_LOGON // class AuditEvent_UnknownUserOrPwd : AuditEvent_UserLogon { uint32 AuditId = 0x0211; }; // // // SE_AUDITID_ACCOUNT_TIME_RESTR // // Category: SE_CATEGID_LOGON // class AuditEvent_AccountTimeRestr : AuditEvent_UserLogon { uint32 AuditId = 0x0212; }; // // // SE_AUDITID_ACCOUNT_DISABLED // // Category: SE_CATEGID_LOGON // class AuditEvent_AccountDisabled : AuditEvent_UserLogon { uint32 AuditId = 0x0213; }; // // // SE_AUDITID_ACCOUNT_EXPIRED // // Category: SE_CATEGID_LOGON // class AuditEvent_AccountExpired : AuditEvent_UserLogon { uint32 AuditId = 0x0214; }; // Logon Failure:%n // %tReason:%t%tThe specified user account has expired%n // // // SE_AUDITID_WORKSTATION_RESTR // // Category: SE_CATEGID_LOGON // class AuditEvent_WorkstationRestr : AuditEvent_UserLogon { uint32 AuditId = 0x0215; }; // Logon Failure:%n // %tReason:%t%tUser not allowed to logon at this computer%n // // // SE_AUDITID_LOGON_TYPE_RESTR // // Category: SE_CATEGID_LOGON // class AuditEvent_LogonTypeRestr : AuditEvent_UserLogon { uint32 AuditId = 0x0216; }; // Logon Failure:%n // %tReason:%tThe user has not been granted the requested%n // %t%tlogon type at this machine%n // // // SE_AUDITID_PASSWORD_EXPIRED // // Category: SE_CATEGID_LOGON // class 
AuditEvent_PasswordExpired : AuditEvent_UserLogon { uint32 AuditId = 0x0217; }; // Logon Failure:%n // %tReason:%t%tThe specified accounts password has expired%n // // // SE_AUDITID_NETLOGON_NOT_STARTED // // Category: SE_CATEGID_LOGON // class AuditEvent_NetlogonNotStarted : AuditEvent_UserLogon { uint32 AuditId = 0x0218; }; // Logon Failure:%n // %tReason:%t%tThe NetLogon component is not active%n // // // SE_AUDITID_UNSUCCESSFUL_LOGON // // Category: SE_CATEGID_LOGON // class AuditEvent_UnsuccessfulLogon : AuditEvent_UserLogon { uint32 AuditId = 0x0219; }; // Logon Failure:%n // %tReason:%t%tAn unexpected error occurred during logon%n // // // SE_AUDITID_LOGOFF // // Category: SE_CATEGID_LOGON // class AuditEvent_Logoff : AuditEvent_Logon { uint32 AuditId = 0x021A; string UserName; string Domain; uint64 LogonId; uint16 LogonType; }; // User Logoff:%n // // // SE_AUDITID_ACCOUNT_LOCKED // // Category: SE_CATEGID_LOGON // class AuditEvent_Accountlocked : AuditEvent_UserLogon { uint32 AuditId = 0x021B; }; // Logon Failure:%n // %tReason:%t%tAccount locked out%n // // // SE_AUDITID_SUCCESSFUL_LOGON // // Category: SE_CATEGID_LOGON // class AuditEvent_NetworkLogon : AuditEvent_UserLogon { uint32 AuditId = 0x021c; uint64 LogonId; }; // Successful Network Logon:%n // // abstract base class to represent IPSEC logon events // class AuditEvent_IpsecLogon : AuditEvent_Logon { }; // // // SE_AUDITID_IPSEC_LOGON_SUCCESS // // Category: SE_CATEGID_LOGON // class AuditEvent_IpsecLogonSuccess : AuditEvent_IpsecLogon { uint32 AuditId = 0x021d; string Mode; string PeerIdentity; string Filter; string Parameters; }; //IKE security association established.%n // // // SE_AUDITID_IPSEC_LOGOFF_QM // // Category: SE_CATEGID_LOGON // class AuditEvent_IpsecLogoffQm : AuditEvent_IpsecLogon { uint32 AuditId = 0x021e; string Filter; string InboundSpi; string OutboundSpi; }; // IKE security association ended.%n // Mode: Data Protection (Quick mode) // // // SE_AUDITID_IPSEC_LOGOFF_MM // // 
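// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecLogoffMm : AuditEvent_IpsecLogon
{
    uint32 AuditId = 0x021f;
    string Filter;
};
// IKE security association ended.%n
// Mode: Key Exchange (Main mode)%n

//
// SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecAuthFailCertTrust : AuditEvent_IpsecLogon
{
    uint32 AuditId = 0x0220;
    string PeerIdentity;
    string Filter;
};
// IKE security association establishment failed because peer could not authenticate.
// The certificate trust could not be established.%n

//
// SE_AUDITID_IPSEC_AUTH_FAIL
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecAuthFail : AuditEvent_IpsecLogon
{
    uint32 AuditId = 0x0221;
    string PeerIdentity;
    string Filter;
};
// IKE peer authentication failed.%n

//
// SE_AUDITID_IPSEC_ATTRIB_FAIL
//
// Category: SE_CATEGID_LOGON
//
// ExpectedValue/ReceivedValue describe the mismatched proposal attribute.
//
class AuditEvent_IpsecAttribFail : AuditEvent_IpsecLogon
{
    uint32 AuditId = 0x0222;
    string Mode;
    string Filter;
    string Attribute;
    string ExpectedValue;
    string ReceivedValue;
};
// IKE security association establishment failed because peer
// sent invalid proposal.%n

//
// SE_AUDITID_IPSEC_NEGOTIATION_FAIL
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecNegotiationFail : AuditEvent_IpsecLogon
{
    uint32 AuditId = 0x0223;
    string Mode;
    string Filter;
    string FailurePoint;
    string FailureReason;
};
// IKE security association negotiation failed.%n

/////////////////////////////////////////////////////////////////////////////
//
//  Messages for Category: SE_CATEGID_OBJECT_ACCESS
//
/////////////////////////////////////////////////////////////////////////////

//
// Abstract class that represents SE_CATEGID_OBJECT_ACCESS.
//
// ObjectServer names the subsystem that owns the object; ProcessId is the
// process performing the access (32-bit here; see the PID width question
// in the file header).
//
[abstractevent]
class AuditEvent_ObjectAccess : AuditEvent
{
    string ObjectServer;
    uint32 ProcessId;
};

//
// Generic access-check event.
//
// NOTE(review): this class derives from AuditEvent rather than
// AuditEvent_ObjectAccess and re-declares ObjectServer/ProcessId; it carries
// no AuditId override and no header naming an SE_AUDITID_* value, so it is
// unclear whether it is meant to be a peer of the 0x023x events or a
// separate schema.  Confirm with the owner before consumers depend on it.
// The property was renamed from "Objecttype" to "ObjectType" to match the
// spelling used by every other class in this category (MOF property names
// are case-insensitive, so existing references still resolve).
//
class AuditEvent_AuthzAccess : AuditEvent
{
    string ObjectServer;
    uint32 ProcessId;
    string OperationType;
    string ObjectType;
    string ObjectName;
//    uint64 HandleId;
//    uint64 OperationId;
    uint8  PrimaryUserSid[];
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    uint8  ClientUserSid[];
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
    uint32 AccessMask;
    string AdditionalInfo;
};

//
// SE_AUDITID_OPEN_HANDLE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
// NewHandleId/OperationId tie this open to the later
// AuditEvent_CloseHandle / AuditEvent_DeleteObject for the same handle.
//
class AuditEvent_OpenHandle : AuditEvent_ObjectAccess
{
    uint32 AuditId = 0x0230;
    string ObjectType;
    string ObjectName;
    uint64 NewHandleId;
    uint64 OperationId;
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
    string Privileges[];
};
// Object Open:%n

//
// SE_AUDITID_CREATE_HANDLE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_CreateHandle : AuditEvent_ObjectAccess
{
    uint32 AuditId = 0x0231;
    uint64 HandleId;
    uint64 OperationId;
};
//Handle Allocated:%n

//
// SE_AUDITID_CLOSE_HANDLE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_CloseHandle : AuditEvent_ObjectAccess
{
    uint32 AuditId = 0x0232;
    uint64 HandleId;
};
//Handle Closed:%n

//
// SE_AUDITID_OPEN_OBJECT_FOR_DELETE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
// Same shape as AuditEvent_OpenHandle; distinguished only by AuditId.
//
class AuditEvent_OpenObjectForDelete : AuditEvent_ObjectAccess
{
    uint32 AuditId = 0x0233;
    string ObjectType;
    string ObjectName;
    uint64 NewHandleId;
    uint64 OperationId;
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
    string Privileges[];
};
//Object Open for Delete:%n

//
// SE_AUDITID_DELETE_OBJECT
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_DeleteObject : AuditEvent_ObjectAccess
{
    uint32 AuditId = 0x0234;
    uint64 HandleId;
};
//Object Deleted:%n

//
// SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
// AuditEvent_OpenHandle plus a Properties string (contents not defined here).
//
class AuditEvent_OpenHandleObjectType : AuditEvent_ObjectAccess
{
    uint32 AuditId = 0x0235;
    string ObjectType;
    string ObjectName;
    uint64 NewHandleId;
    uint64 OperationId;
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
    string Properties;
    string Privileges[];
};
//Object Open:%n

//
// SE_AUDITID_OBJECT_OPERATION
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
// "Objecttype" renamed to "ObjectType" for consistency with the other
// classes in this category (case-insensitive in MOF, so compatible).
//
class AuditEvent_ObjectOperation : AuditEvent_ObjectAccess
{
    uint32 AuditId = 0x0236;
    string OperationType;
    string ObjectType;
    string ObjectName;
    uint64 HandleId;
    uint64 OperationId;
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
    uint32 RequestedAccesses;
};
//Object Operation:%n

/////////////////////////////////////////////////////////////////////////////
//
//  Messages for Category: SE_CATEGID_PRIVILEGE_USE
//
/////////////////////////////////////////////////////////////////////////////

//
// Abstract base for every event in SE_CATEGID_PRIVILEGE_USE.
// Privileges lists the privilege names involved in the event.
//
[abstractevent]
class AuditEvent_PrivilegeUse : AuditEvent
{
    string Privileges[];
};

//
// SE_AUDITID_ASSIGN_SPECIAL_PRIV
//
// Category: SE_CATEGID_PRIVILEGE_USE
//
// Emitted when a new logon session receives the listed privileges.
//
class AuditEvent_AssignSpecialPriv : AuditEvent_PrivilegeUse
{
    uint32 AuditId = 0x0240;
    string UserName;
    string Domain;
    uint64 LogonId;
};
//Special privileges assigned to new logon:%n

//
// SE_AUDITID_PRIVILEGED_SERVICE
//
// Category: SE_CATEGID_PRIVILEGE_USE
//
class AuditEvent_PrivilegedService : AuditEvent_PrivilegeUse
{
    uint32 AuditId = 0x0241;
    string Server;
    string Service;
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
};
//Privileged Service Called:%n
//.

//
// SE_AUDITID_PRIVILEGED_OBJECT
//
// Category: SE_CATEGID_PRIVILEGE_USE
//
// NOTE(review): ObjectHandle is a string here while every other handle in
// this file is a uint64 (HandleId/NewHandleId) — confirm whether that is
// intentional.
//
class AuditEvent_PrivilegedObject : AuditEvent_PrivilegeUse
{
    uint32 AuditId = 0x0242;
    string ObjectHandle;
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
};
//Privileged object operation:%n
//.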
/////////////////////////////////////////////////////////////////////////////
//
//  Messages for Category: SE_CATEGID_DETAILED_TRACKING
//
//  Event IDs:
//      SE_AUDITID_PROCESS_CREATED
//      SE_AUDITID_PROCESS_EXIT
//      SE_AUDITID_DUPLICATE_HANDLE
//      SE_AUDITID_INDIRECT_REFERENCE
//
/////////////////////////////////////////////////////////////////////////////

//
// Abstract base for every event in SE_CATEGID_DETAILED_TRACKING.
//
[abstractevent]
class AuditEvent_DetailedTracking : AuditEvent
{
};

//
// SE_AUDITID_PROCESS_CREATED
//
// Category: SE_CATEGID_DETAILED_TRACKING
//
// CreatorProcessId is presumably the parent process; ProcessId is the new
// one.  Nothing beyond ProcessId links this event to the matching
// AuditEvent_ProcessExit (open issue in the file header).
//
class AuditEvent_ProcessCreated : AuditEvent_DetailedTracking
{
    uint32 AuditId = 0x0250;
    uint32 ProcessId;
    string ImageFileName;
    uint32 CreatorProcessId;
    string UserName;
    string Domain;
    uint64 LogonId;
};
//A new process has been created:%n
//.

//
// SE_AUDITID_PROCESS_EXIT
//
// Category: SE_CATEGID_DETAILED_TRACKING
//
// Carries only the primary identity, not the client identity (open issue in
// the file header).
//
class AuditEvent_ProcessExit : AuditEvent_DetailedTracking
{
    uint32 AuditId = 0x0251;
    uint32 ProcessId;
    string UserName;
    string Domain;
    uint64 LogonId;
};
//A process has exited:%n
//.

//
// SE_AUDITID_DUPLICATE_HANDLE
//
// Category: SE_CATEGID_DETAILED_TRACKING
//
// Source* identify the handle/process being duplicated from, Target* the
// handle/process it was duplicated into.
//
class AuditEvent_DuplicateHandle : AuditEvent_DetailedTracking
{
    uint32 AuditId = 0x0252;
    uint64 SourceHandleId;
    uint32 SourceProcessId;
    uint64 TargetHandleId;
    uint32 TargetProcessId;
};
//A handle to an object has been duplicated:%n
//.

//
// SE_AUDITID_INDIRECT_REFERENCE
//
// Category: SE_CATEGID_DETAILED_TRACKING
//
// GrantedAccess is the access mask obtained on the object without a direct
// open (bit layout not defined in this file).
//
class AuditEvent_IndirectReference : AuditEvent_DetailedTracking
{
    uint32 AuditId = 0x0253;
    string ObjectType;
    string ObjectName;
    uint32 ProcessId;
    string PrimaryUserName;
    string PrimaryDomain;
    uint64 PrimaryLogonId;
    string ClientUserName;
    string ClientDomain;
    uint64 ClientLogonId;
    uint32 GrantedAccess;
};
//Indirect access to an object has been obtained:%n
//.
/////////////////////////////////////////////////////////////////////////////
//
//  Messages for Category: SE_CATEGID_POLICY_CHANGE
//
//  Event IDs:
//      SE_AUDITID_USER_RIGHT_ASSIGNED
//      SE_AUDITID_USER_RIGHT_REMOVED
//      SE_AUDITID_TRUSTED_DOMAIN_ADD
//      SE_AUDITID_TRUSTED_DOMAIN_REM
//      SE_AUDITID_POLICY_CHANGE
//      SE_AUDITID_IPSEC_POLICY_START
//      SE_AUDITID_IPSEC_POLICY_DISABLED
//      SE_AUDITID_IPSEC_POLICY_CHANGED
//      SE_AUDITID_IPSEC_POLICY_FAILURE
//
/////////////////////////////////////////////////////////////////////////////

//
// Abstract class that represents SE_CATEGID_POLICY_CHANGE.
//
[abstractevent]
class AuditEvent_PolicyChange : AuditEvent
{
};

//
// Abstract class that represents user-rights operations.
//
// UserRight names the right being granted/removed (its representation is an
// open question in the file header); TargetUser is the account receiving or
// losing it, as a byte array (presumably a SID — TODO confirm).
// UserName/Domain/LogonId identify the caller who made the change.
//
[abstractevent]
class AuditEvent_UserRightsOperation : AuditEvent_PolicyChange
{
    string UserRight;
    uint8  TargetUser[];

    // caller
    string UserName;
    string Domain;
    uint64 LogonId;
};

//
// SE_AUDITID_USER_RIGHT_ASSIGNED
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_UserRightAssigned : AuditEvent_UserRightsOperation
{
    uint32 AuditId = 0x0260;
};
//User Right Assigned:%n
//.

//
// SE_AUDITID_USER_RIGHT_REMOVED
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_UserRightRemoved : AuditEvent_UserRightsOperation
{
    uint32 AuditId = 0x0261;
};
//User Right Removed:%n
//.

//
// Abstract class that represents TDO (trusted domain object) operations.
//
// DomainName/DomainId describe the trusted domain (the DomainId type is an
// open question in the file header); UserName/Domain/LogonId identify the
// caller.
//
[abstractevent]
class AuditEvent_TrustedDomainOperation : AuditEvent_PolicyChange
{
    string DomainName;
    string DomainId;
    string UserName;
    string Domain;
    uint64 LogonId;
};

//
// SE_AUDITID_TRUSTED_DOMAIN_ADD
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_TrustedDomainAdd : AuditEvent_TrustedDomainOperation
{
    uint32 AuditId = 0x0262;
};
//New Trusted Domain:%n
//.
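//
// SE_AUDITID_TRUSTED_DOMAIN_REM
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_TrustedDomainRem : AuditEvent_TrustedDomainOperation
{
    uint32 AuditId = 0x0263;
};
//Removing Trusted Domain:%n
//.

//
// SE_AUDITID_TRUSTED_DOMAIN_MOD
//
// Category: SE_CATEGID_POLICY_CHANGE
//
// Not listed in the category banner above; id 0x026C sits after the IPSec
// policy ids rather than next to ADD/REM.
//
class AuditEvent_TrustedDomainMod : AuditEvent_TrustedDomainOperation
{
    uint32 AuditId = 0x026C;
};
//Trusted Domain Information Modified:%n
//.

//
// SE_AUDITID_POLICY_CHANGE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
// NOTE(review): the original declared this concrete class as
// "AuditEvent_PolicyChange : AuditEvent_PolicyChange", i.e. with the same
// name as the abstract category base class it (and every sibling) derives
// from, which makes the class both a duplicate definition and its own
// parent.  It is renamed here after its message text ("Audit Policy
// Change") so the category base class keeps its name; any consumer that
// referenced the old name for the concrete event must be updated.
// The properties describing the new policy itself are still to be defined.
//
class AuditEvent_AuditPolicyChange : AuditEvent_PolicyChange
{
    uint32 AuditId = 0x0264;

    // ... new policy here...

    string UserName;
    string DomainName;
    uint64 LogonId;
};
//Audit Policy Change:%n
//New Policy:%n
//...
//Changed By:%n
//.

//
// Abstract class that represents Ipsec policy operations.
//
[abstractevent]
class AuditEvent_IpsecPolicy : AuditEvent_PolicyChange
{
};

//
// SE_AUDITID_IPSEC_POLICY_START
//
// Category: SE_CATEGID_POLICY_CHANGE
//
// The legacy message has two inserts (%1 agent, %2 policy source) but no
// properties are declared for them yet.
//
class AuditEvent_IpsecPolicyStart : AuditEvent_IpsecPolicy
{
    uint32 AuditId = 0x0265;
};
//IPSec policy agent started: %t%1%n
//Policy Source: %t%2%n
//.

//
// SE_AUDITID_IPSEC_POLICY_DISABLED
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_IpsecPolicyDisabled : AuditEvent_IpsecPolicy
{
    uint32 AuditId = 0x0266;
};
//IPSec policy agent disabled: %t%1%n
//.

//
// SE_AUDITID_IPSEC_POLICY_CHANGED
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_IpsecPolicyChanged : AuditEvent_IpsecPolicy
{
    uint32 AuditId = 0x0267;
};
//IPSEC PolicyAgent Service: %t%1%n
//.

//
// SE_AUDITID_IPSEC_POLICY_FAILURE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_IpsecPolicyFailure : AuditEvent_IpsecPolicy
{
    uint32 AuditId = 0x0268;
};
//IPSec policy agent encountered a potentially serious failure.%n
//.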
//
// Abstract class that represents kerberos policy operations.
//
[abstractevent]
class AuditEvent_KerberosPolicy : AuditEvent_PolicyChange
{
};

//
// SE_AUDITID_KERBEROS_POLICY_CHANGE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
// Only the "changed by" identity is modelled; no properties yet describe
// the changes themselves (the "changes made" slot is empty).
//
class AuditEvent_KerberosPolicyChange : AuditEvent_KerberosPolicy
{
    uint32 AuditId = 0x0269;

    // changed by
    string UserName;
    string DomainName;
    uint64 LogonId;

    // changes made
};
//Kerberos Policy Changed:%n
//Changed By:%n
//Changes made:%n
//.

//
// Abstract class that represents EFS policy operations.
//
[abstractevent]
class AuditEvent_EfsPolicy : AuditEvent_PolicyChange
{
};

//
// SE_AUDITID_EFS_POLICY_CHANGE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
// Same shape as AuditEvent_KerberosPolicyChange: caller identity only, the
// change details are still to be defined.
//
class AuditEvent_EfsPolicyChange : AuditEvent_EfsPolicy
{
    uint32 AuditId = 0x026a;

    // changed by
    string UserName;
    string DomainName;
    uint64 LogonId;

    // changes made
};
//Encrypted Data Recovery Policy Changed:%n
//Changed By:%n
//Changes made:%n
//.

//
// Abstract class that represents QoS policy operations.
//
[abstractevent]
class AuditEvent_QosPolicy : AuditEvent_PolicyChange
{
};

//
// SE_AUDITID_QOS_POLICY_CHANGE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
// Same shape as the Kerberos/EFS policy-change events above.
//
class AuditEvent_QosPolicyChange : AuditEvent_QosPolicy
{
    uint32 AuditId = 0x026b;

    // changed by
    string UserName;
    string DomainName;
    uint64 LogonId;

    // changes made
};
//Quality of Service Policy Changed:%n
//Changes made:%n
//Changed By:%n
//.
///////////////////////////////////////////////////////////////////////////// // // // // // Messages for Category: SE_CATEGID_ACCOUNT_MANAGEMENT // // // // Event IDs: // // SE_AUDITID_USER_CREATED // // SE_AUDITID_USER_CHANGE // // SE_AUDITID_ACCOUNT_TYPE_CHANGE // // SE_AUDITID_USER_ENABLED // // SE_AUDITID_USER_PWD_CHANGED // // SE_AUDITID_USER_PWD_SET // // SE_AUDITID_USER_DISABLED // // SE_AUDITID_USER_DELETED // // // // SE_AUDITID_COMPUTER_CREATED // // SE_AUDITID_COMPUTER_CHANGE // // SE_AUDITID_COMPUTER_DELETED // // // // SE_AUDITID_GLOBAL_GROUP_CREATED // // SE_AUDITID_GLOBAL_GROUP_ADD // // SE_AUDITID_GLOBAL_GROUP_REM // // SE_AUDITID_GLOBAL_GROUP_DELETED // // SE_AUDITID_LOCAL_GROUP_CREATED // // SE_AUDITID_LOCAL_GROUP_ADD // // SE_AUDITID_LOCAL_GROUP_REM // // SE_AUDITID_LOCAL_GROUP_DELETED // // // // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED // // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE // // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD // // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM // // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED // // // // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED // // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE // // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD // // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM // // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED // // // // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED // // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE // // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD // // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM // // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED // // // // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED // // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE // // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD // // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM // // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED // // // // SE_AUDITID_GROUP_TYPE_CHANGE // // // // 
//      SE_AUDITID_ADD_SID_HISTORY_SUCCESS
//      SE_AUDITID_ADD_SID_HISTORY_FAILURE
//
//      SE_AUDITID_OTHER_ACCT_CHANGE
//      SE_AUDITID_DOMAIN_POLICY_CHANGE
//      SE_AUDITID_ACCOUNT_AUTO_LOCKED
//
/////////////////////////////////////////////////////////////////////////////

//
// Abstract class that represents SE_CATEGID_ACCOUNT_MANAGEMENT.
//
[abstractevent]
class AuditEvent_AccountManagement : AuditEvent
{
};

//
// Abstract class that groups the common fields for account change operations.
//
// Target* identify the account being changed (TargetAccountId is the RID as
// a uint32 — still to be confirmed per the file header); Caller* identify
// the account that made the change.
//
[abstractevent]
class AuditEvent_AccountChange : AuditEvent_AccountManagement
{
    string TargetAccountName;
    string TargetDomain;
    uint32 TargetAccountId;
    string CallerUserName;
    string CallerDomain;
    uint64 CallerLogonId;
};

//
// SE_AUDITID_USER_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserCreated : AuditEvent_AccountChange
{
    uint32 AuditId = 0x0270;
    string Privileges[];
};
//User Account Created:%n
//.

//
// SE_AUDITID_ACCOUNT_TYPE_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// NewType is a string here but a uint8 on AuditEvent_GroupTypeChange —
// presumably different encodings; confirm before consumers compare them.
//
class AuditEvent_AccountTypeChange : AuditEvent_AccountChange
{
    uint32 AuditId = 0x0271;
    string NewType;
};
//User Account Type Change:%n
//.

//
// SE_AUDITID_USER_ENABLED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserEnabled : AuditEvent_AccountChange
{
    uint32 AuditId = 0x0272;
};
//User Account Enabled:%n
//.

//
// SE_AUDITID_USER_PWD_CHANGED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// The legacy text is "Change Password Attempt", so the inherited Success
// flag is presumably what distinguishes a completed change from a failed
// attempt — TODO confirm.
//
class AuditEvent_UserPwdChanged : AuditEvent_AccountChange
{
    uint32 AuditId = 0x0273;
    string Privileges[];
};
//Change Password Attempt:%n
//.

//
// SE_AUDITID_USER_PWD_SET
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// A password set by the caller (administrative reset) as opposed to a change
// by the account owner above — no extra fields beyond the caller/target
// identities.
//
class AuditEvent_UserPwdSet : AuditEvent_AccountChange
{
    uint32 AuditId = 0x0274;
};
//User Account password set:%n
//.

//
// SE_AUDITID_USER_DISABLED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserDisabled : AuditEvent_AccountChange
{
    uint32 AuditId = 0x0275;
};
//User Account Disabled:%n
//.
//
// SE_AUDITID_USER_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserDeleted : AuditEvent_AccountChange
{
    uint32 AuditId = 0x0276;
    string Privileges[];
};
//User Account Deleted:%n
//.

//
// SE_AUDITID_USER_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// TypeOfChange is free text describing which attribute changed.
// Id 0x0282 is out of sequence with the other user events (0x0270-0x0276).
//
class AuditEvent_UserChange : AuditEvent_AccountChange
{
    uint32 AuditId = 0x0282;
    string TypeOfChange;
    string Privileges[];
};
//User Account Changed:%n
//.

// ======================================================================

//
// Abstract class that groups the common fields for group change operations.
//
// Same Target*/Caller* layout as AuditEvent_AccountChange, plus the
// Privileges used for the operation.
//
[abstractevent]
class AuditEvent_GroupChange : AuditEvent_AccountManagement
{
    string TargetAccountName;
    string TargetDomain;
    uint32 TargetAccountId;
    string CallerUserName;
    string CallerDomain;
    uint64 CallerLogonId;
    string Privileges[];
};

//
// Abstract class that groups the common fields for group membership operations.
//
// MemberName/MemberId describe the member added to or removed from the
// target group (MemberId presumably a RID, like TargetAccountId).
//
[abstractevent]
class AuditEvent_GroupMembershipChange : AuditEvent_GroupChange
{
    string MemberName;
    uint32 MemberId;
};

//
// SE_AUDITID_GLOBAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupCreated : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0277;
};
//Security Enabled Global Group Created:%n
//.

//
// SE_AUDITID_GLOBAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupDeleted : AuditEvent_GroupChange
{
    uint32 AuditId = 0x027A;
};
//Security Enabled Global Group Deleted:%n
//.

//
// SE_AUDITID_GLOBAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupChange : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0281;
};
//Security Enabled Global Group Changed:%n
//.

//
// SE_AUDITID_GLOBAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupAdd : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x0278;
};
//Security Enabled Global Group Member Added:%n
//.
//
// SE_AUDITID_GLOBAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupRem : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x0279;
};
//Security Enabled Global Group Member Removed:%n
//.

//
// SE_AUDITID_LOCAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupCreated : AuditEvent_GroupChange
{
    uint32 AuditId = 0x027B;
};
//Security Enabled Local Group Created:%n
//.

//
// SE_AUDITID_LOCAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupDeleted : AuditEvent_GroupChange
{
    uint32 AuditId = 0x027E;
};
//Security Enabled Local Group Deleted:%n
//.

//
// SE_AUDITID_LOCAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupChange : AuditEvent_GroupChange
{
    uint32 AuditId = 0x027F;
};
//Security Enabled Local Group Changed:%n
//.

//
// SE_AUDITID_LOCAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// Membership events (ADD/REM) derive from AuditEvent_GroupMembershipChange
// and therefore also carry MemberName/MemberId.
//
class AuditEvent_LocalGroupAdd : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x027C;
};
//Security Enabled Local Group Member Added:%n
//.

//
// SE_AUDITID_LOCAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupRem : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x027D;
};
//Security Enabled Local Group Member Removed:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// "Security disabled" groups (distribution groups) get their own id range
// starting at 0x0288; the layout matches the security-enabled events.
//
class AuditEvent_SecurityDisabledLocalGroupCreated : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0288;
};
//Security Disabled Local Group Created:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupChange : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0289;
};
//Security Disabled Local Group Changed:%n
//.
//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupAdd : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x028A;
};
//Security Disabled Local Group Member Added:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupRem : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x028B;
};
//Security Disabled Local Group Member Removed:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupDeleted : AuditEvent_GroupChange
{
    uint32 AuditId = 0x028C;
};
//Security Disabled Local Group Deleted:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// Global distribution-group events occupy 0x028D-0x0291, in the same
// CREATED/CHANGE/ADD/REM/DELETED order as the local ones.
//
class AuditEvent_SecurityDisabledGlobalGroupCreated : AuditEvent_GroupChange
{
    uint32 AuditId = 0x028D;
};
//Security Disabled Global Group Created:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupChange : AuditEvent_GroupChange
{
    uint32 AuditId = 0x028E;
};
//Security Disabled Global Group Changed:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupAdd : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x028F;
};
//Security Disabled Global Group Member Added:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupRem : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x0290;
};
//Security Disabled Global Group Member Removed:%n
//.
//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupDeleted : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0291;
};
//Security Disabled Global Group Deleted:%n
//.

//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// Security-enabled universal-group events occupy 0x0292-0x0296, in the
// same CREATED/CHANGE/ADD/REM/DELETED order as the global and local ones.
//
class AuditEvent_SecurityEnabledUniversalGroupCreated : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0292;
};
//Security Enabled Universal Group Created:%n
//.

//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupChange : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0293;
};
//Security Enabled Universal Group Changed:%n
//.

//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupAdd : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x0294;
};
//Security Enabled Universal Group Member Added:%n
//.

//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupRem : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x0295;
};
//Security Enabled Universal Group Member Removed:%n
//.

//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupDeleted : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0296;
};
//Security Enabled Universal Group Deleted:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupCreated : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0297;
};
//Security Disabled Universal Group Created:%n
//.
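//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupChange : AuditEvent_GroupChange
{
    uint32 AuditId = 0x0298;
};
//Security Disabled Universal Group Changed:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupAdd : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x0299;
};
//Security Disabled Universal Group Member Added:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupRem : AuditEvent_GroupMembershipChange
{
    uint32 AuditId = 0x029A;
};
//Security Disabled Universal Group Member Removed:%n
//.

//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// NOTE(review): the original declared this class with no base class, so
// unlike every other *GroupDeleted event it carried neither the AuditEvent
// fields nor the Target*/Caller*/Privileges fields.  It now derives from
// AuditEvent_GroupChange like its siblings.
//
class AuditEvent_SecurityDisabledUniversalGroupDeleted : AuditEvent_GroupChange
{
    uint32 AuditId = 0x029B;
};
//Security Disabled Universal Group Deleted:%n
//.

//
// SE_AUDITID_OTHER_ACCOUNT_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// Note: not used
//
// Catch-all change record; the ObjectId type is still undecided (see the
// inline comment).
//
class AuditEvent_OtherAccountChange : AuditEvent_AccountManagement
{
    uint32 AuditId = 0x0280;
    string TypeOfChange;
    string ObjectType;
    string ObjectName;
    string ObjectId;       // type?
    string CallerUserName;
    string CallerDomain;
    uint64 CallerLogonId;
};
//General Account Database Change:%n
//.

//
// SE_AUDITID_GROUP_TYPE_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// NewType is a uint8 here but a string on AuditEvent_AccountTypeChange;
// presumably a different encoding — confirm before consumers compare them.
//
class AuditEvent_GroupTypeChange : AuditEvent_GroupChange
{
    uint32 AuditId = 0x029C;
    uint8  NewType;
};
//Group Type Changed:%n
//.

//
// SE_AUDITID_DOMAIN_POLICY_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
//$ BUGBUG kumarp 23-February-2000
// which class to derive from?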
// class AuditEvent_DomainPolicyChange { uint32 AuditId = 0x0283; string TypeOfChange; string Domain; string DomainId; string CallerUserName; string CallerDomain; string CallerLogonId; string Privileges[]; }; //Domain Policy Changed: %1 modified%n //. // // // SE_AUDITID_ACCOUNT_AUTO_LOCKED // // Category: SE_CATEGID_ACCOUNT_MANAGEMENT // class AuditEvent_AccountAutoLocked : AuditEvent_AccountChange { uint32 AuditId = 0x0284; string CallerMachineName; }; //User Account Locked Out:%n //. // // abstract class that groups common fields for computer account change opns // [abstractevent] class AuditEvent_ComputerAccountChange : AuditEvent_AccountChange { }; // // // SE_AUDITID_COMPUTER_CREATED // // Category: SE_CATEGID_ACCOUNT_MANAGEMENT // class AuditEvent_ComputerCreated : AuditEvent_ComputerAccountChange { uint32 AuditId = 0x0285; string Privileges[]; }; //Computer Account Created:%n //. // // // SE_AUDITID_COMPUTER_CHANGE // // Category: SE_CATEGID_ACCOUNT_MANAGEMENT // class AuditEvent_ComputerChange : AuditEvent_ComputerAccountChange { uint32 AuditId = 0x0286; string TypeOfChange; string Privileges[]; }; //Computer Account Changed:%n //. // // // SE_AUDITID_COMPUTER_DELETED // // Category: SE_CATEGID_ACCOUNT_MANAGEMENT // class AuditEvent_ComputerDeleted : AuditEvent_ComputerAccountChange { uint32 AuditId = 0x0287; string Privileges[]; }; //Computer Account Deleted:%n //. // // // SE_AUDITID_ADD_SID_HISTORY_SUCCESS+SE_AUDITID_ADD_SID_HISTORY_FAILURE // // Category: SE_CATEGID_ACCOUNT_MANAGEMENT // class AuditEvent_AddSidHistory : AuditEvent_AccountChange { uint32 AuditId = 0x029D; string SourceAccountName; string SourceAccountId; string Privileges[]; }; //Add SID History:%n //. 
/////////////////////////////////////////////////////////////////////////////
//
// Messages for Category: SE_CATEGID_ACCOUNT_LOGON
//
// Event IDs:
//   SE_AUDITID_AS_TICKET_SUCCESS
//   SE_AUDITID_TGS_TICKET_SUCCESS
//   SE_AUDITID_TICKET_RENEW_SUCCESS
//   SE_AUDITID_PREAUTH_FAILURE
//   SE_AUDITID_AS_TICKET_FAILURE
//   SE_AUDITID_TGS_TICKET_FAILURE
//   SE_AUDITID_ACCOUNT_MAPPED
//   SE_AUDITID_ACCOUNT_NOT_MAPPED
//   SE_AUDITID_ACCOUNT_LOGON_SUCCESS
//   SE_AUDITID_ACCOUNT_LOGON_FAILURE
//
/////////////////////////////////////////////////////////////////////////////

//
// Abstract class representing the SE_CATEGID_ACCOUNT_LOGON category.
// Adds no fields of its own; it exists so the category can be queried
// as a whole.
//
[abstractevent]
class AuditEvent_AccountLogon : AuditEvent
{
};

//
// Abstract class grouping the Kerberos logon events. Currently adds no
// fields beyond AuditEvent_AccountLogon.
//
[abstractevent]
class AuditEvent_KerberosLogon : AuditEvent_AccountLogon
{
};

//
// SE_AUDITID_AS_TICKET_SUCCESS+SE_AUDITID_AS_TICKET_FAILURE
// Category: SE_CATEGID_ACCOUNT_LOGON
//
// Authentication-service (AS) ticket request. Success and failure share
// this class; StatusCode defaults to 0 and presumably carries the
// failure status otherwise (TODO confirm against the KDC audit code).
//
class AuditEvent_AsTicket : AuditEvent_KerberosLogon
{
    uint32 AuditId = 0x02a0;
    string UserName;
    string SuppliedRealmName;
    string UserId;
    string ServiceName;
    string ServiceId;
    string TicketOptions;
    string TicketEncryptionType;
    string PreAuthenticationType;
    string ClientAddress;
    uint32 StatusCode = 0;
};
//Authentication Ticket Granted:%n
//.

//
// SE_AUDITID_TGS_TICKET_SUCCESS+SE_AUDITID_TGS_TICKET_FAILURE
// Category: SE_CATEGID_ACCOUNT_LOGON
//
// Ticket-granting-service (TGS) ticket request; same success/failure
// convention as AuditEvent_AsTicket. Note this class names the realm
// field UserDomain whereas AuditEvent_AsTicket uses SuppliedRealmName.
//
class AuditEvent_TgsTicket : AuditEvent_KerberosLogon
{
    uint32 AuditId = 0x02a1;
    string UserName;
    string UserDomain;
    string ServiceName;
    string ServiceId;
    string TicketOptions;
    string TicketEncryptionType;
    string ClientAddress;
    uint32 StatusCode = 0;
};
//Service Ticket Granted:%n
//.
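//
// SE_AUDITID_TICKET_RENEW_SUCCESS
// Category: SE_CATEGID_ACCOUNT_LOGON
//
// Successful renewal of a Kerberos ticket. Success-only event, so there
// is no StatusCode.
//
class AuditEvent_TicketRenewSuccess : AuditEvent_KerberosLogon
{
    uint32 AuditId = 0x02a2;
    string UserName;
    string UserDomain;
    string ServiceName;
    string ServiceId;
    string TicketOptions;
    string TicketEncryptionType;
    string ClientAddress;
};
//Ticket Granted Renewed:%n
//.

//
// SE_AUDITID_PREAUTH_FAILURE
// Category: SE_CATEGID_ACCOUNT_LOGON
//
// Kerberos pre-authentication failed. Failure-only event; FailureCode
// is a string here whereas the ticket events use a uint32 StatusCode.
//
class AuditEvent_PreauthFailure : AuditEvent_KerberosLogon
{
    uint32 AuditId = 0x02a3;
    string UserName;
    string UserId;
    string ServiceName;
    string PreAuthenticationType;
    string FailureCode;
    string ClientAddress;
};
//Pre-authentication failed:%n
//.

//
// SE_AUDITID_ACCOUNT_MAPPED+SE_AUDITID_ACCOUNT_NOT_MAPPED
// Category: SE_CATEGID_ACCOUNT_LOGON
//
// Mapping of an external (ClientName from SourceName) identity to a
// local account (MappedName). Mapped/not-mapped are merged; the
// inherited Success flag distinguishes them.
//
class AuditEvent_AccountMapping : AuditEvent_KerberosLogon
{
    uint32 AuditId = 0x02a6;
    string SourceName;
    string ClientName;
    string MappedName;
};
//Account Mapped for Logon by: %1%n
//.

//
// SE_AUDITID_ACCOUNT_LOGON_SUCCESS+SE_AUDITID_ACCOUNT_LOGON_FAILURE
// Category: SE_CATEGID_ACCOUNT_LOGON
//
// Account-logon attempt (non-Kerberos path). Success and failure are
// merged; the inherited Success flag and StatusCode carry the outcome.
//
// Fix: the original declaration had no base class, so the event was
// detached from the AuditEvent hierarchy (no CategoryId/CreationTime/
// Success) and invisible to any query on AuditEvent_AccountLogon. It is
// now derived from the category's abstract class; it is deliberately not
// placed under AuditEvent_KerberosLogon.
//
class AuditEvent_AccountLogonAttempt : AuditEvent_AccountLogon
{
    uint32 AuditId = 0x02a8;
    string ClientName;
    string AccountName;
    string Workstation;
    uint32 StatusCode = 0;
};
//Account Used for Logon by: %1%n
//.

//
// Abstract class grouping the common fields for session connection
// events (reconnect/disconnect of a session to a winstation).
//
// NOTE(review): the two concrete events below are documented as
// Category: SE_CATEGID_LOGON, yet this base derives from
// AuditEvent_AccountLogon (SE_CATEGID_ACCOUNT_LOGON). One of the two is
// wrong; the logon-category abstract class is not declared in this part
// of the file, so the derivation is left unchanged here.
//
[abstractevent]
class AuditEvent_SessionConnection : AuditEvent_AccountLogon
{
    string UserName;
    string Domain;
    uint64 LogonId;
    string SessionName;
    string ClientName;
    string ClientAddress;
    string Winstation;
};

//
// SE_AUDITID_SESSION_RECONNECTED
// Category: SE_CATEGID_LOGON
//
// A session was reconnected to a winstation.
//
class AuditEvent_SessionReconnected : AuditEvent_SessionConnection
{
    uint32 AuditId = 0x02aa;
};
//Session reconnected to winstation:%n
//.

//
// SE_AUDITID_SESSION_DISCONNECTED
// Category: SE_CATEGID_LOGON
//
// A session was disconnected from a winstation.
//
class AuditEvent_SessionDisconnected : AuditEvent_SessionConnection
{
    uint32 AuditId = 0x02ab;
};
//Session disconnected from winstation:%n
//.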