Text File | 1999-09-07 | 58.5 KB | 4,417 lines
#################################################################
# Signature Definitions
# Copyright (c) 1998 Centrax Corporation. All rights reserved.
# $Id: policy.def,v 1.32 1998/07/06 16:27:51 snapp Exp $
#################################################################
#
#Number of signatures
81
#================================================================
BEGIN SIGNATURE
#ID
1001
#Input Event ID
560
#Output Signature ID
2001
#Name
General Virus and Trojan Horse Activity
#Description
Detects the modification or attempted modification of any audited executable (Files that end with *.exe, *.bat, and *.com).
#Number of fields
7
#----------
#Field Type
Object Type
#Mask
File
#Export Flag
0
#----------
#Field Type
Access Types
#Mask
4417,4418
#Export Flag
0
#----------
#Field Type
Object Name
#Mask
*:\*.exe,*:\*.bat,*:\*.com
#Export Flag
1
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD
Object Name
#================================================================
BEGIN SIGNATURE
#ID
1002
#Input Event ID
560
#Output Signature ID
2002
#Name
General Object Browsing Activity
#Description
Detects the reading or attempted reading of any audited object on the system.
#Number of fields
7
#----------
#Field Type
Object Type
#Mask
File
#Export Flag
0
#----------
#Field Type
Access Types
#Mask
4416
#Export Flag
0
#----------
#Field Type
Object Name
#Mask
*:\*
#Export Flag
1
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD
Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1003
#Input Event ID
#560
#Output Signature ID
#2003
#Name
#Critical System Data File (Read)
#Description
#The reading of this critical system File or registry key has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4416
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1004
#Input Event ID
#560
#Output Signature ID
#2004
#Name
#Critical System Data File (Modification)
#Description
#The modification of this critical system File or registry key has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4417,4418,1537
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#*:\winnt\system.ini,*:\winnt\win.ini,*:\winnt\system32\ntdos.sys,*:\winnt\system32\drivers\ntfs.sys,*:\config.sys,*:\io.sys,*:\msdos.sys
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1005
#Input Event ID
#560
#Output Signature ID
#2005
#Name
#Critical System Data File (Any Access)
#Description
#The accessing of this critical system File or registry key has been designated as a security risk by the security officer.
#Number of fields
#6
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
Object Name
#Mask
#*:\boot.ini,*:\ntldr
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1006
#Input Event ID
#560
#Output Signature ID
#2006
#Name
#Critical System Executable Access (Read)
#Description
#The reading of this critical system executable has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4416
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1007
#Input Event ID
#560
#Output Signature ID
#2007
#Name
#Critical System Executable Access (Modification)
#Description
#The modification of this critical system executable has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4417,4418,1537
#Export Flag
#0
#----------
#Field Type
Object Name
#Mask
#*:\winnt\system32\smss.exe,*:\winnt\system32\csrss.exe,*:\winnt\system32\winlogon.exe,*:\winnt\system32\services.exe,*:\winnt\system32\lsass.exe,*:\winnt\system32\explorer.exe,*:\winnt\system32\spoolss.exe,*:\winnt\system32\taskmgr.exe,*:\winnt\system32\rpcss.exe,*:\winnt\system32\nddeagnt.exe,*:\winnt\system32\ntvdm.exe,*:\winnt\system32\inetsrv\inetinfo.exe,*:\winnt\system32\ntoskrnl.exe,*:\winnt\system32\ntdll.dll,*:\winnt\system32\wsock32.dll
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1008
#Input Event ID
#560
#Output Signature ID
#2008
#Name
#Critical System Executable Access (Any Access)
#Description
#The accessing of this critical system executable has been designated as a security risk by the security officer.
#Number of fields
#6
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#*:\autoexec.bat,*:\ntdetect.com
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1009
#Input Event ID
#560
#Output Signature ID
#2009
#Name
#Critical Project Data File (Read)
#Description
#The reading of this critical project File or registry key has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4416
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1010
#Input Event ID
#560
#Output Signature ID
#2010
#Name
#Critical Project Data File (Modification)
#Description
#The modification of this critical project File or registry key has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4417,4418,1537
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1011
#Input Event ID
#560
#Output Signature ID
#2011
#Name
#Critical Project Data File (Any Access)
#Description
#The accessing of this critical project File or registry key has been designated as a security risk by the security officer.
#Number of fields
#6
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1012
#Input Event ID
#560
#Output Signature ID
#2012
#Name
#Critical Project Executable Access (Read)
#Description
#The reading of this critical project executable has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4416
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1013
#Input Event ID
#560
#Output Signature ID
#2013
#Name
#Critical Project Executable Access (Modification)
#Description
#The modification of this critical project executable has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4417,4418,1537
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1014
#Input Event ID
#560
#Output Signature ID
#2014
#Name
#Critical Project Executable Access (Any Access)
#Description
#The accessing of this critical project executable has been designated as a security risk by the security officer.
#Number of fields
#6
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1015
#Input Event ID
#560
#Output Signature ID
#2015
#Name
#Decoy Data File (Read)
#Description
#This data File or registry key has been designated as a decoy by the security officer. The reading of this File or key indicates a browsing user.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4416
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1016
#Input Event ID
#560
#Output Signature ID
#2016
#Name
#Decoy Data File (Modification)
#Description
#This date File or registry key has been designated as a decoy by the security officer. Modification of this File or key may indicate the activity of a less knowledgeable user.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4417,4418,1537
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1017
#Input Event ID
#560
#Output Signature ID
#2017
#Name
#Decoy Data File (Any Access)
#Description
#This date File or registry key has been designated as a decoy by the security officer. Accessing of this File or key may indicate the activity of a less knowledgeable user.
#Number of fields
#6
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1018
#Input Event ID
#560
#Output Signature ID
#2018
#Name
#Decoy Executable Access (Read)
#Description
#This executable has been designated as a decoy by the security officer. The reading of this executable indicates a browsing user.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4416
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1019
#Input Event ID
#560
#Output Signature ID
#2019
#Name
#Decoy Executable Access (Modification)
#Description
#This executable has been designated as a decoy by the security officer. The modification of this decoy executable may indicate the activity of a less knowledgeable user.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4417,4418,1537
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1020
#Input Event ID
#560
#Output Signature ID
#2020
#Name
#Decoy Executable Access (Any Access)
#Description
#This executable has been designated as a decoy by the security officer. The accessing of this decoy executable may indicate the activity of a less knowledgeable user.
#Number of fields
#6
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1021
#Input Event ID
#560
#Output Signature ID
#2021
#Name
#Centrax Data File (Read)
#Description
#The reading of this Centrax File or registry key has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4416
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1022
#Input Event ID
#560
#Output Signature ID
#2022
#Name
#Centrax Data File (Modification)
#Description
#The modification of this Centrax File or registry key has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Access Types
#Mask
#4417,4418,1537
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1023
#Input Event ID
#560
#Output Signature ID
#2023
#Name
#Centrax Data File (Any Access)
#Description
#The accessing of this Centrax File or registry key has been designated as a security risk by the security officer.
#Number of fields
#6
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
#Object Name
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Username
#Mask
#
#Export Flag
#1
#----------
#Field Type
#User Domain
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Computer
#Mask
#
#Export Flag
#1
#----------
#Field Type
#Time
#Mask
#
#Export Flag
#1
#---------
#Key field for reporting
#KEY FIELD
#Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1024
#Input Event ID
#560
#Output Signature ID
#2024
#Name
#Centrax Executable Access (Read)
#Description
#The reading of this Centrax executable has been designated as a security risk by the security officer.
#Number of fields
#7
#----------
#Field Type
#Object Type
#Mask
#File
#Export Flag
#0
#----------
#Field Type
Access Types
#Mask
4416
#Export Flag
0
#----------
#Field Type
Object Name
#Mask

#Export Flag
1
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD
Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1025
#Input Event ID
#560
#Output Signature ID
#2025
#Name
#Centrax Executable Access (Modification)
#Description
The modification of this Centrax executable has been designated as a security risk by the security officer.
#Number of fields
7
#----------
#Field Type
Object Type
#Mask
File
#Export Flag
0
#----------
#Field Type
Access Types
#Mask
4417,4418,1537
#Export Flag
0
#----------
#Field Type
Object Name
#Mask
*:\program Files\Centrax\bin\detect.exe,*:\program Files\Centrax\bin\Centrax.exe,*:\program Files\Centrax\bin\record.exe,*:\program Files\Centrax\bin\recvlog.exe,*:\program Files\Centrax\bin\setbrows.exe
#Export Flag
1
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD
Object Name
#================================================================
#BEGIN SIGNATURE
#ID
#1026
#Input Event ID
#560
#Output Signature ID
#2026
#Name
#eNTrax Executable Access (Any Access)
#Description
The accessing of this eNTrax executable has been designated as a security risk by the security officer.
#Number of fields
6
#----------
#Field Type
Object Type
#Mask
File
#Export Flag
0
#----------
#Field Type
Object Name
#Mask

#Export Flag
1
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD
Object Name
#================================================================
BEGIN SIGNATURE
#ID
1037
#Input Event ID
529
#Output Signature ID
2037
#Name
Failed Logon: Unknown user name or bad password.
#Description
Logon failed due to an unknown user name or bad password.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1038
#Input Event ID
530
#Output Signature ID
2038
#Name
Failed Logon: Account logon time restriction violation.
#Description
Logon failed due to account logon time restrictions.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1039
#Input Event ID
531
#Output Signature ID
2039
#Name
Failed Logon: Account currently disabled.
#Description
Logon failed because the account is currently disabled.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1040
#Input Event ID
532
#Output Signature ID
2040
#Name
Failed Logon: Account has expired.
#Description
Logon failed because the account has expired.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1041
#Input Event ID
533
#Output Signature ID
2041
#Name
Failed Logon: User not allowed to logon at this computer.
#Description
Logon failed because the computer has restricted access.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1042
#Input Event ID
534
#Output Signature ID
2042
#Name
Failed Logon: Logon type not granted at this machine.
#Description
Logon failed because the user attempted to logon via a logon method (e.g., interactive, network (drive map), batch, service, etc.) currently not allowed.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1043
#Input Event ID
535
#Output Signature ID
2043
#Name
Failed Logon: Password has expired.
#Description
Logon failed because the account's password has expired.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1044
#Input Event ID
536
#Output Signature ID
2044
#Name
Failed Logon: Netlogon component not active.
#Description
Logon failed because Netlogon is not active.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1045
#Input Event ID
537
#Output Signature ID
2045
#Name
Failed Logon: An unexpected error occurred during logon.
#Description
Logon failed for an undetermined reason.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
BEGIN SIGNATURE
#ID
1046
#Input Event ID
539
#Output Signature ID
2046
#Name
Failed Logon: Account locked out.
#Description
Logon failed because the account is currently locked out.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
#BEGIN SIGNATURE
#ID
#1047
#Input Event ID
#0
#Output Signature ID
#2047
#Name
#Successful Interactive Logon
#Description
#A user logged on through the console or other interactive program such as FTP, telnet, etc.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1048
#Input Event ID
#0
#Output Signature ID
#2048
#Name
#Successful Network Logon (Network Drive Mapped)
#Description
#A user successfully mapped to a drive on the target.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1049
#Input Event ID
#0
#Output Signature ID
#2049
#Name
#Successful Batch Logon (RAS)
#Description
#A user successfully logged onto the target via RAS or other batch mechanism.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1050
#Input Event ID
#0
#Output Signature ID
#2050
#Name
#Successful Service Logon
#Description
#A service successfully logged onto the target.
#Number of fields
#0
#================================================================
BEGIN SIGNATURE
#ID
1051
#Input Event ID
528
#Output Signature ID
2051
#Name
Successful Logon
#Description
A user or service successfully logged into the target.
#Number of fields
4
#----------
#Field Type
Username
#Mask

#Export Flag
1
#----------
#Field Type
User Domain
#Mask

#Export Flag
1
#----------
#Field Type
Computer
#Mask

#Export Flag
1
#----------
#Field Type
Time
#Mask

#Export Flag
1
#---------
#Key field for reporting
KEY FIELD

#================================================================
#BEGIN SIGNATURE
#ID
#1052
#Input Event ID
#0
#Output Signature ID
#2052
#Name
#Successful Administrator Logon
#Description
#The Administrator logged into the target.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1053
#Input Event ID
#0
#Output Signature ID
#2053
#Name
#Successful Logon of Account with Group Administrators
#Description
#An account with administrative power logged into the target.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1054
#Input Event ID
#0
#Output Signature ID
#2054
#Name
#Successful non-Administrator Logon
#Description
#Someone other than the Administrator logged into the target.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1055
#Input Event ID
#0
#Output Signature ID
#2055
#Name
#Successful Logon of Account without Group Administrators
#Description
#An account without administrative power logged into the target.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1056
#Input Event ID
#0
#Output Signature ID
#2056
#Name
#Failed Administrator Logon
#Description
#An attempt to logon as the Administrator failed.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1057
#Input Event ID
#0
#Output Signature ID
#2057
#Name
#Failed Logon of Account with Group Administrators
#Description
#An attempt to logon to an account with administrative power failed.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1058
#Input Event ID
#0
#Output Signature ID
#2058
#Name
#Successful Guest Logon
#Description
#Guest logged into the target.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1059
#Input Event ID
#0
#Output Signature ID
#2059
#Name
#Successful Logon of Account with Group Guests
#Description
#A user, that is only a member of group Guests, successfully logged onto the target.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1060
#Input Event ID
#0
#Output Signature ID
#2060
#Name
#Failed Guest Logon
#Description
#Guest's attempt to logon failed.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1061
#Input Event ID
#0
#Output Signature ID
#2061
#Name
#Failed Logon of Account with Group Guests
#Description
#A member of group Guests attempt to logon failed.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1062
#Input Event ID
#0
#Output Signature ID
#2062
#Name
#Network Logoff (Network Drive Unmapped)
#Description
#A network drive originally mapped from this target was unmapped.
#Number of fields
#0
#================================================================
#BEGIN SIGNATURE
#ID
#1063
#Input Event ID
#0
#Output Signature ID
#2063
#Name
#Successful Date/Time Changed
#Description
#The date and/or time was modified.
#Number of fields #0
#================================================================
#BEGIN SIGNATURE
#ID #1064
#Input Event ID #0
#Output Signature ID #2064
#Name #Failed Date/Time change
#Description #An attempt to modify the date and/or time failed.
#Number of fields #0
#================================================================
#BEGIN SIGNATURE
#ID #1065
#Input Event ID #608
#Output Signature ID #2065
#Name #User Admin Activity
#Description #A user was created or modified, or creation or modification was attempted. (Do not select this if you've selected any of the other User Account and User Right activities.)
#Number of fields #4
#----------
#Field Type #Username
#Mask #
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1066
#Input Event ID 624
#Output Signature ID 2066
#Name User Account Created
#Description A new user account was created or creation was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1067
#Input Event ID 642
#Output Signature ID 2067
#Name User Account Changed
#Description A user's account was changed or a change was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#BEGIN SIGNATURE
#ID #1068
#Input Event ID #626
#Output Signature ID #2068
#Name #User Account Enabled
#Description #A user's account was enabled or the enablement was attempted. (Most versions of NT do not produce the event required for this activity.)
#Number of fields 4
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#BEGIN SIGNATURE
#ID #1069
#Input Event ID #629
#Output Signature ID #2069
#Name #User Account Disabled
#Description #A user's account was disabled or disablement was attempted. (Most versions of NT do not produce the event required for this activity.)
#Number of fields 4
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1070
#Input Event ID 630
#Output Signature ID 2070
#Name User Account Deleted
#Description A user's account was deleted or deletion was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1071
#Input Event ID 608
#Output Signature ID 2071
#Name User Right Assigned
#Description New user rights were added to an account or an addition was attempted.
#Number of fields 5
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Affected Username
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1072
#Input Event ID 609
#Output Signature ID 2072
#Name User Right Removed
#Description User rights were deleted from an account or a deletion was attempted.
#Number of fields 5
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Affected Username
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1073
#Input Event ID 627
#Output Signature ID 2073
#Name Password Change Failed
#Description An attempt to change an account's password failed.
#Number of fields 7
#----------
#Field Type SuccessFailure
#Mask 0
#Export Flag 0
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1074
#Input Event ID 627
#Output Signature ID 2047
#Name Password Change Succeeded
#Description The password on an account was modified.
#Number of fields 7
#----------
#Field Type SuccessFailure
#Mask 1
#Export Flag 0
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#BEGIN SIGNATURE
#ID #1075
#Input Event ID #0
#Output Signature ID #2075
#Name #Three Consecutive Failed Password Changes
#Description #An attempt to change an account's password failed 3 times consecutively.
#Number of fields #0
#================================================================
#BEGIN SIGNATURE
#ID #1076
#Input Event ID #631
#Output Signature ID #2076
#Name #Global Group Admin Activity
#Description #A global group was created or modified, or creation or modification was attempted. (Do not select this if you've selected any of the other Global Group activities.)
#Number of fields 4
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1077
#Input Event ID 631
#Output Signature ID 2077
#Name Global Group Created
#Description A new global group was created or creation was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1078
#Input Event ID 632
#Output Signature ID 2078
#Name Global Group Member Added
#Description A user was added to a global group or an addition was attempted.
#Number of fields 7
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Field Type Member SID
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1079
#Input Event ID 633
#Output Signature ID 2079
#Name Global Group Member Removed
#Description A user was deleted from a global group or a deletion was attempted.
#Number of fields 7
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Field Type Member SID
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1080
#Input Event ID 634
#Output Signature ID 2080
#Name Global Group Deleted
#Description A global group was deleted or a deletion was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1081
#Input Event ID 641
#Output Signature ID 2081
#Name Global Group Changed
#Description A global group was modified or a modification was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#================================================================
#BEGIN SIGNATURE
#ID #1082
#Input Event ID #635
#Output Signature ID #2082
#Name #Local Group Administrative Activity
#Description #A local group was created or modified, or creation or modification was attempted. (Do not select this if you've selected any of the other Local Group activities.)
#Number of fields #6
#----------
#Field Type #Username
#Mask
#Export Flag #1
#----------
#Field Type #User Domain
#Mask
#Export Flag #1
#----------
#Field Type Computer
#Mask
#Export Flag #1
#----------
#Field Type #Time
#Mask
#Export Flag #1
#---------
#Field Type #Account Name
#Mask
#Export Flag #1
#---------
#Field Type #Account Domain
#Mask
#Export Flag #1
#---------
#Key field for reporting
#KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1083
#Input Event ID 635
#Output Signature ID 2083
#Name Local Group Created
#Description A new local group was created or creation was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1084
#Input Event ID 636
#Output Signature ID 2084
#Name Local Group Member Added
#Description A user was added to a local group or an addition was attempted.
#Number of fields 7
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Field Type Member SID
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#BEGIN SIGNATURE
#ID #1085
#Input Event ID #0
#Output Signature ID #2085
#Name #Member Added to Local Administrators Group
#Description #A user was added to the group Administrators or an addition was attempted.
#Number of fields #0
#================================================================
BEGIN SIGNATURE
#ID 1086
#Input Event ID 637
#Output Signature ID 2086
#Name Local Group Member Removed
#Description A user was deleted from a local group or a deletion was attempted.
#Number of fields 7
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Field Type Member SID
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#BEGIN SIGNATURE
#ID #1087
#Input Event ID #0
#Output Signature ID #2087
#Name #Member Removed from Local Administrators Group
#Description #A user was deleted from the group Administrators or a deletion was attempted.
#Number of fields #0
#================================================================
BEGIN SIGNATURE
#ID 1088
#Input Event ID 638
#Output Signature ID 2088
#Name Local Group Deleted
#Description A local group was deleted or a deletion was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1089
#Input Event ID 639
#Output Signature ID 2089
#Name Local Group Changed
#Description A local group was modified or a modification was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#BEGIN SIGNATURE
#ID #1090
#Input Event ID #0
#Output Signature ID #2090
#Name #Audit Admin Activity
#Description #The audit policy or audit data was modified. (Do not select this if you've selected any of the other Global Group activities.)
#Number of fields #0
#================================================================
BEGIN SIGNATURE
#ID 1091
#Input Event ID 516
#Output Signature ID 2091
#Name Audit Data Lost
#Description NT could not save all audit events into the security log.
#Number of fields 4
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1092
#Input Event ID 517
#Output Signature ID 2092
#Name Audit Log Cleared
#Description The NT security event log has been cleared.
#Number of fields 4
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1093
#Input Event ID 612
#Output Signature ID 2093
#Name Audit Policy Changed
#Description The system level audit policy has been modified.
#Number of fields 4
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#BEGIN SIGNATURE
#ID #1094
#Input Event ID #612
#Output Signature ID #2094
#Name #Audit Policy Disabled
#Description #Auditing has been turned off.
#Number of fields #5
#----------
#Field Type #SuccessFailure
#Mask #1
#Export Flag #0
#----------
#Field Type #Username
#Mask
#Export Flag #1
#----------
#Field Type #User Domain
#Mask
#Export Flag #1
#----------
#Field Type #Computer
#Mask
#Export Flag #1
#----------
#Field Type #Time
#Mask
#Export Flag #1
#---------
#Key field for reporting
#KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1095
#Input Event ID 512
#Output Signature ID 2095
#Name NT Starting
#Description The NT system is booting.
#Number of fields 4
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
#BEGIN SIGNATURE
#ID #1096
#Input Event ID #513
#Output Signature ID #2096
#Name #NT Shutting Down
#Description #The NT system is shutting down.
#Number of fields 4
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1097
#Input Event ID 514
#Output Signature ID 2097
#Name Authentication Package Added
#Description A new authentication package was added to the system.
#Number of fields 5
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Authentication Package
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1098
#Input Event ID 518
#Output Signature ID 2098
#Name Notification Package Added
#Description A new notification package was added or addition attempted. The package will be notified of any account or password changes.
#Number of fields 5
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Notification Package
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1099
#Input Event ID 610
#Output Signature ID 2099
#Name Trusted Domain Added
#Description A new trusted domain was added or addition was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1100
#Input Event ID 611
#Output Signature ID 2100
#Name Trusted Domain Removed
#Description A trusted domain was deleted or deletion was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1101
#Input Event ID 643
#Output Signature ID 2101
#Name Domain Policy Changed
#Description The domain's security policy was modified or modification was attempted.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#================================================================
BEGIN SIGNATURE
#ID 1102
#Input Event ID 0
#Output Signature ID 2102
#Name Back Orifice 2000 Execution
#Description The Back Orifice 2000 program was run on this machine.
#Number of fields 6
#----------
#Field Type Username
#Mask
#Export Flag 1
#----------
#Field Type User Domain
#Mask
#Export Flag 1
#----------
#Field Type Computer
#Mask
#Export Flag 1
#----------
#Field Type Time
#Mask
#Export Flag 1
#---------
#Field Type Account Name
#Mask
#Export Flag 1
#---------
#Field Type Account Domain
#Mask
#Export Flag 1
#---------
#Key field for reporting
KEY FIELD
#END OF POLICY DEFINITION