Sample Windows Agent Logs

FortiSIEM Windows Agent Manager generates Windows logs in an easy way to analyze "attribute=value" style without losing any information.

Certificate Monitoring Logs
System Logs
Sysmon Logs
PowerShell Logs
Application Logs
Security Logs
DNS Logs
DHCP Logs
IIS Logs
DFS Logs
File Content Monitoring Logs
File Integrity Monitoring Logs
Installed Software Logs
Registry Change Logs
Removeable Media Logs
WMI Logs

Certificate Added

2023-10-25T19:45:14Z DESKTOP-3NKROF5 192.0.2.0 AccelOps-WUA-Certificate [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-1111-4dc0-1111-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [certAction]="Added" [authority_key_id]="F4B6E1201DFE29AED2E461A5B2A225B2C817356E" [ca]="0" [common_name]="DigiCert Timestamp 2021" [issuer]="US, DigiCert Inc, www.digicert.com, DigiCert SHA2 Assured ID Timestamping CA" [key_algorithm]="RSA" [key_strength]="2160" [key_usage]="CERT_DIGITAL_SIGNATURE_KEY_USAGE" [not_valid_after]="1925424000" [not_valid_before]="1609459200" [path]="LocalMachine\Trusted Publishers" [self_signed]="0" [serial]="0D424AE0BE3A88F1111021CE1400F0DD" [sha1]="E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3" [sid]="" [signing_algorithm]="sha256RSA" [store]="Trusted Publishers" [store_id]="" [store_location]="LocalMachine" [subject]="US, \"DigiCert, Inc.\", DigiCert Timestamp 2021" [subject_key_id]="3644868EA4BAB066BEBC2821111436DDE36A7ABC" [user]=""

Certificate Removed

2023-10-25T19:52:31Z DESKTOP-3NKROF5 192.0.2.0 AccelOps-WUA-Certificate [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-1111-4dc0-1111-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [certAction]="Removed" [authority_key_id]="" [ca]="0" [common_name]="expiring913" [issuer]="expiring913" [key_algorithm]="RSA" [key_strength]="2160" [key_usage]="CERT_KEY_ENCIPHERMENT_KEY_USAGE,CERT_DIGITAL_SIGNATURE_KEY_USAGE" [not_valid_after]="1694630930" [not_valid_before]="1694457530" [path]="LocalMachine\Trusted People" [self_signed]="1" [serial]="347CD406C649FDA94507BFA863904500" [sha1]="8E3D8330748D4FB01848E6663E6E209735893199" [sid]="" [signing_algorithm]="sha256RSA" [store]="Trusted People" [store_id]="" [store_location]="LocalMachine" [subject]="expiring913" [subject_key_id]="35EF93076396C311112C51BF121247284686090A" [user]=""

Certificate Expired

2023-10-25T19:46:48Z DESKTOP-3NKROF5 192.0.2.0 AccelOps-WUA-Certificate [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-1111-4dc0-1111-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [certAction]="Expired" [authority_key_id]="" [ca]="-1" [common_name]="expiring1021" [issuer]="expiring1021" [key_algorithm]="RSA" [key_strength]="2160" [key_usage]="CERT_KEY_ENCIPHERMENT_KEY_USAGE,CERT_DIGITAL_SIGNATURE_KEY_USAGE" [not_valid_after]="1697911109" [not_valid_before]="1697478510" [path]="LocalMachine\Trusted People" [self_signed]="1" [serial]="1F3EB6C111E7478E4DEE1F13EDF3935B" [sha1]="946499B4B192D27682D86F9F93522B11BF0F1AE0" [sid]="" [signing_algorithm]="sha256RSA" [store]="Trusted People" [store_id]="" [store_location]="LocalMachine" [subject]="expiring1021" [subject_key_id]="4DC106FF2111117C13B5E5C62F4C106D12C44C63" [user]=""

Certificate Expiring

2023-10-25T21:40:51Z DESKTOP-3NKROF5 192.0.2.0 AccelOps-WUA-Certificate [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-1111-4dc0-1111-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [certAction]="Expiring" [authority_key_id]="" [ca]="-1" [common_name]="expiring1029" [issuer]="expiring1029" [key_algorithm]="RSA" [key_strength]="2160" [key_usage]="CERT_KEY_ENCIPHERMENT_KEY_USAGE,CERT_DIGITAL_SIGNATURE_KEY_USAGE" [not_valid_after]="1698596479" [expiry_in_days]="3" [not_valid_before]="1698163880" [path]="LocalMachine\Preview Build Roots" [self_signed]="1" [serial]="2085D79E2DE08A9A4FE011108525F91D" [sha1]="8DA053FCEFE792FC2E57F3A218751F6070E91B78" [sid]="" [signing_algorithm]="sha256RSA" [store]="Preview Build Roots" [store_id]="" [store_location]="LocalMachine" [subject]="expiring1029" [subject_key_id]="362A38630797FF2C78B1A9AE1E1116927C633FA0" [user]=""

System Logs

System Logs generated by pre-7.1.4 Windows Agent
System Logs generated by 7.1.4 and later Windows Agent

System Logs generated by pre-7.1.4 Windows Agent

2024-02-20T23:24:58Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 AccelOps-WUA-WinLog-System [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="System" [eventSource]="Service Control Manager" [eventId]="7036" [eventType]="Information" [domain]="" [computer]="FSM-GFU-Windows2019-WIN2019-172-30-56-129" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 20 2024 23:24:57" [deviceTime]="Feb 20 2024 23:24:57" [msg]="The Microsoft Store Install Service service entered the stopped state."

System Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-26T22:22:42Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 FSM-WUA-WinLog-System [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2024-02-26T22:22:41.078643000Z'/><EventRecordID>168290</EventRecordID><Correlation/><Execution ProcessID='744' ThreadID='3880'/><Channel>System</Channel><Computer>FSM-GFU-Windows2019-WIN2019-172-30-56-129</Computer><Security/></System><EventData><Data Name='param1'>Network Setup Service</Data><Data Name='param2'>stopped</Data><Binary>4E0065007400530065007400750070005300760063002F0031000000</Binary></EventData><RenderingInfo Culture='en-US'><Message>The Network Setup Service service entered the stopped state.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

Sysmon Logs

Sysmon Logs generated by pre-7.1.4 Windows Agent
Sysmon Logs generated by 7.1.4 and later Windows Agent

Sysmon Logs generated by pre-7.1.4 Windows Agent

2024-02-27T23:06:35Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 AccelOps-WUA-WinLog-Microsoft-Windows-Sysmon/Operational [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="Microsoft-Windows-Sysmon/Operational" [eventSource]="Microsoft-Windows-Sysmon" [eventId]="1" [eventType]="Information" [domain]="NT AUTHORITY" [computer]="FSM-GFU-Windows2019-WIN2019-172-30-56-129" [user]="SYSTEM" [userSID]="S-1-5-18" [userSIDAcctType]="User" [eventTime]="Feb 27 2024 23:06:35" [deviceTime]="Feb 27 2024 23:06:35" [msg]="Process Create:
RuleName: -
UtcTime: 2024-02-27 23:06:35.046
ProcessGuid: {1e749ab9-6afb-65de-c644-000000001600}
ProcessId: 2068
Image: C:\\Windows\\System32\\HOSTNAME.EXE
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Hostname APP
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: hostname.exe
CommandLine: \"C:\\Windows\\system32\\HOSTNAME.EXE\"
CurrentDirectory: C:\\Windows\\system32\\
User: NT AUTHORITY\\SYSTEM
LogonGuid: {1e749ab9-4516-65c0-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=7F95220A65A5A5D4A98873E86EF2E549,SHA256=1BFF2907C456F99277F45F9B2A21B1B3F11F6C01587D9E6D6F0B2B5F1472FE92,IMPHASH=5CD891320C666621E9783444DB8CBA78
ParentProcessGuid: {1e749ab9-6775-65de-7344-000000001600}
ParentProcessId: 6884
ParentImage: C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe
ParentCommandLine: \"C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe\"
ParentUser: NT AUTHORITY\\SYSTEM"

Sysmon Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T22:18:54Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 FSM-WUA-WinLog-Microsoft-Windows-Sysmon/Operational [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2024-02-27T22:18:53.386292600Z'/><EventRecordID>42662</EventRecordID><Correlation/><Execution ProcessID='3196' ThreadID='5432'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>FSM-GFU-Windows2019-WIN2019-172-30-56-129</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>InvDB-Path</Data><Data Name='EventType'>SetValue</Data><Data Name='UtcTime'>2024-02-27 22:18:53.373</Data><Data Name='ProcessGuid'>{1e749ab9-5fc0-65de-a843-000000001600}</Data><Data Name='ProcessId'>4372</Data><Data Name='Image'>C:\\Windows\\system32\\CompatTelRunner.exe</Data><Data Name='TargetObject'>\\REGISTRY\\A\\{41ae3209-e80b-5fb1-d81b-7b9b2464bf78}\\Root\\InventoryApplicationFile\\osquery.exe|7bec5ef138bedfec\\LowerCaseLongPath</Data><Data Name='Details'>c:\\program files\\fortinet\\fortisiem\\osquery.exe</Data><Data Name='User'>NT AUTHORITY\\SYSTEM</Data></EventData><RenderingInfo Culture='en-US'><Message>Registry value set:
RuleName: InvDB-Path
EventType: SetValue
UtcTime: 2024-02-27 22:18:53.373
ProcessGuid: {1e749ab9-5fc0-65de-a843-000000001600}
ProcessId: 4372
Image: C:\\Windows\\system32\\CompatTelRunner.exe
TargetObject: \\REGISTRY\\A\\{41ae3209-e80b-5fb1-d81b-7b9b2464bf78}\\Root\\InventoryApplicationFile\\osquery.exe|7bec5ef138bedfec\\LowerCaseLongPath
Details: c:\\program files\\fortinet\\fortisiem\\osquery.exe
User: NT AUTHORITY\\SYSTEM</Message><Level>Information</Level><Task>Registry value set (rule: RegistryEvent)</Task><Opcode>Info</Opcode><Channel></Channel><Provider></Provider><Keywords></Keywords></RenderingInfo></Event>

PowerShell Logs

PowerShell Logs generated by pre-7.1.4 Windows Agent
PowerShell Logs generated by 7.1.4 and later Windows Agent

PowerShell Logs generated by pre-7.1.4 Windows Agent

"2024-02-27T23:36:35Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 AccelOps-WUA-WinLog-Windows PowerShell [phCustId]=""2000"" [customer]=""org1"" [monitorStatus]=""Success"" [Locale]=""en-US"" [MachineGuid]=""1e749ab9-bf6e-4052-806b-02068b2d4465"" [timeZone]=""-0800"" [extEventRecvProto]=""Windows Agent"" [eventName]=""Windows PowerShell"" [eventSource]=""PowerShell"" [eventId]=""600"" [eventType]=""Information"" [domain]="""" [computer]=""FSM-GFU-Windows2019-WIN2019-172-30-56-129"" [user]="""" [userSID]="""" [userSIDAcctType]="""" [eventTime]=""Feb 27 2024 23:36:35"" [deviceTime]=""Feb 27 2024 23:36:35"" [msg]=""Provider \""WSMan\"" is Started. Details: 
                ProviderName=WSMan
                NewProviderState=Started

                SequenceNumber=55

                HostName=Default Host
                HostVersion=5.1.17763.1432
                HostId=98d60fba-a813-4b20-9052-b56a1d052bc8
                HostApplication=C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe
                EngineVersion=
                RunspaceId=
                PipelineId=
                CommandName=
                CommandType=
                ScriptName=
                CommandPath=
                CommandLine="""

PowerShell Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T23:16:39Z GFU-Win11.getest.com 172.30.56.124 FSM-WUA-WinLog-Windows PowerShell [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="f91bb25d-8ac1-45ea-8345-6263c2168970" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='PowerShell'/><EventID Qualifiers='0'>403</EventID><Version>0</Version><Level>4</Level><Task>4</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2024-02-27T23:16:39.7709133Z'/><EventRecordID>416398</EventRecordID><Correlation/><Execution ProcessID='6064' ThreadID='0'/><Channel>Windows PowerShell</Channel><Computer>GFU-Win11.getest.com</Computer><Security/></System><EventData><Data>Stopped</Data><Data>Available</Data><Data>                NewEngineState=Stopped
                PreviousEngineState=Available

                SequenceNumber=2219

                HostName=Default Host
                HostVersion=5.1.22000.2538
                HostId=b0f192dd-bf79-4fed-9740-8f556f9f63d8
                HostApplication=C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe
                EngineVersion=5.1.22000.2538
                RunspaceId=0812ae9a-0717-469e-a4de-1103ff4404b3
                PipelineId=
                CommandName=
                CommandType=
                ScriptName=
                CommandPath=
                CommandLine=</Data></EventData><RenderingInfo Culture='en-US'><Message>Engine state is changed from Available to Stopped. 

Details: 
                NewEngineState=Stopped
                PreviousEngineState=Available

                SequenceNumber=2219

                HostName=Default Host
                HostVersion=5.1.22000.2538
                HostId=b0f192dd-bf79-4fed-9740-8f556f9f63d8
                HostApplication=C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe
                EngineVersion=5.1.22000.2538
                RunspaceId=0812ae9a-0717-469e-a4de-1103ff4404b3
                PipelineId=
                CommandName=
                CommandType=
                ScriptName=
                CommandPath=
                CommandLine=</Message><Level>Information</Level><Task>Engine Lifecycle</Task><Opcode>Info</Opcode><Channel></Channel><Provider></Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

Application Logs

Application Logs generated by pre-7.1.4 Windows Agent
Application Logs generated by 7.1.4 and later Windows Agent

Application Logs generated by pre-7.1.4 Windows Agent

2024-02-27T17:32:20Z FSM-GFU-Windows8-George-172-30-56-122 172.30.56.122 AccelOps-WUA-WinLog-Application [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="69c490e4-9c32-49cb-aefa-3ff10bcfc98a" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="Application" [eventSource]="Microsoft-Windows-Security-SPP" [eventId]="16384" [eventType]="Information" [domain]="" [computer]="FSM-GFU-Windows8-George-172-30-56-122" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 27 2024 17:32:20" [deviceTime]="Feb 27 2024 17:32:20" [msg]="Successfully scheduled Software Protection service for re-start at 2024-02-28T00:55:20Z. Reason: RulesEngine."

Application Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T20:07:07Z GFU-Win11.getest.com 172.30.56.124 FSM-WUA-WinLog-Application [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="f91bb25d-8ac1-45ea-8345-6263c2168970" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-SPP' Guid='{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}' EventSourceName='Software Protection Platform Service'/><EventID Qualifiers='16384'>16384</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2024-02-27T20:07:07.0902766Z'/><EventRecordID>75607</EventRecordID><Correlation/><Execution ProcessID='5284' ThreadID='0'/><Channel>Application</Channel><Computer>GFU-Win11.getest.com</Computer><Security/></System><EventData><Data>2024-02-28T19:25:07Z</Data><Data>RulesEngine</Data></EventData><RenderingInfo Culture='en-US'><Message>Successfully scheduled Software Protection service for re-start at 2024-02-28T19:25:07Z. Reason: RulesEngine.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Security-SPP</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

Security Logs

Security Logs generated by pre-7.1.4 Windows Agent
Security Logs generated by 7.1.4 and later Windows Agent
Security Logs in French Windows generated by pre-7.1.4 Windows Agent
Security Logs in French Windows generated by 7.1.4 and later Windows Agent

Security Logs generated by pre-7.1.4 Windows Agent

2024-02-22T01:07:51Z GFU-Win10.gfu.com 172.30.56.127 AccelOps-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-fedf-4dc0-92e7-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4703" [eventType]="Information" [domain]="" [computer]="GFU-Win10.gfu.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 22 2024 01:07:51" [deviceTime]="Feb 22 2024 01:07:51" [msg]="A token right was adjusted." [[Subject]][Security ID]="S-1-5-18" [Account Name]="GFU-WIN10$" [Account Domain]="GFU" [Logon ID]="0x3E7" [[Target Account]][Security ID]="S-1-5-18" [Account Name]="GFU-WIN10$" [Account Domain]="GFU" [Logon ID]="0x3E7" [[Process Information]][Process ID]="0x3348" [Process Name]="C:\\Windows\\System32\\msiexec.exe" [Enabled Privileges]="" [Disabled Privileges]="SeRestorePrivilege,SeTakeOwnershipPrivilege"

Security Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T21:19:33Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 FSM-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4703</EventID><Version>0</Version><Level>0</Level><Task>13317</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-27T21:19:32.430796700Z'/><EventRecordID>9064813051</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='5944'/><Channel>Security</Channel><Computer>FSM-GFU-Windows2019-WIN2019-172-30-56-129</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>FSM-GFU-WINDOWS$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>FSM-GFU-WINDOWS$</Data><Data Name='TargetDomainName'>WORKGROUP</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='ProcessName'>C:\\Windows\\System32\\svchost.exe</Data><Data Name='ProcessId'>0xbdc</Data><Data Name='EnabledPrivilegeList'>SeAssignPrimaryTokenPrivilege
   SeIncreaseQuotaPrivilege
   SeSecurityPrivilege
   SeTakeOwnershipPrivilege
   SeLoadDriverPrivilege
   SeSystemtimePrivilege
   SeBackupPrivilege
   SeRestorePrivilege
   SeShutdownPrivilege
   SeSystemEnvironmentPrivilege
   SeUndockPrivilege
   SeManageVolumePrivilege</Data><Data Name='DisabledPrivilegeList'>-</Data></EventData></Event>

Security Logs in French Windows generated by pre-7.1.4 Windows Agent

2024-02-27T21:59:31Z WIN-H8PJIB0G6QJ 172.30.56.128 AccelOps-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="fr-FR" [MachineGuid]="d1a2dfa9-a8a3-4d5d-b151-2264a07678b4" [timeZone]="+0100" [extEventRecvProto]="Windows Agent" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4798" [eventType]="Information" [domain]="" [computer]="WIN-H8PJIB0G6QJ" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 27 2024 21:59:31" [deviceTime]="Feb 27 2024 21:59:31" [msg]="Une adhésion au groupe local d'un utilisateur a été énumérée." [[Objet]][ID de sécurité]="S-1-5-18" [Nom du compte]="WIN-H8PJIB0G6QJ$" [Domaine du compte]="WORKGROUP" [ID d'ouverture de session]="0x3E7" [[Utilisateur]][ID de sécurité]="S-1-5-21-1726319904-1389896535-1900308177-500" [Nom du compte]="Administrateur" [Domaine du compte]="WIN-H8PJIB0G6QJ" [[Informations sur le processus]][ID du processus]="0x1270" [Nom du processus]="C:\\Program Files\\Fortinet\\FortiSIEM\\osquery.exe"

Security Logs in French Windows generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T21:50:49Z WIN-H8PJIB0G6QJ 172.30.56.128 FSM-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="fr-FR" [MachineGuid]="d1a2dfa9-a8a3-4d5d-b151-2264a07678b4" [timeZone]="+0100" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4798</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-27T21:50:49.478751700Z'/><EventRecordID>217951</EventRecordID><Correlation ActivityID='{dc36aa0a-69c4-0001-58aa-36dcc469da01}'/><Execution ProcessID='612' ThreadID='4748'/><Channel>Security</Channel><Computer>WIN-H8PJIB0G6QJ</Computer><Security/></System><EventData><Data Name='TargetUserName'>WDAGUtilityAccount</Data><Data Name='TargetDomainName'>WIN-H8PJIB0G6QJ</Data><Data Name='TargetSid'>S-1-5-21-1726319904-1389896535-1900308177-504</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-H8PJIB0G6QJ$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='CallerProcessId'>0x128</Data><Data Name='CallerProcessName'>C:\\Program Files\\Fortinet\\FortiSIEM\\osquery.exe</Data></EventData></Event>

DNS Logs

DNS System Logs generated by pre-7.1.4 Windows Agent
DNS System Logs generated by 7.1.4 and later Windows Agent

DNS System Logs generated by pre-7.1.4 Windows Agent

2024-02-28T00:05:04Z GFU-WIN2016.getest.com 172.30.56.121 AccelOps-WUA-WinLog-DNS Server [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="4a2804f4-e1b6-4e28-ac76-de5aa103d255" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="DNS Server" [eventSource]="Microsoft-Windows-DNS-Server-Service" [eventId]="2" [eventType]="Information" [domain]="NT AUTHORITY" [computer]="GFU-WIN2016.getest.com" [user]="SYSTEM" [userSID]="S-1-5-18" [userSIDAcctType]="User" [eventTime]="Feb 28 2024 00:05:03" [deviceTime]="Feb 28 2024 00:05:03" [msg]="The DNS server has started."

DNS System Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T23:50:52Z GFU-WIN2016-126.gfu.com 172.30.56.126 FSM-WUA-WinLog-DNS Server [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="967fcbac-7d74-445f-99de-c5a1f0acf59d" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-DNS-Server-Service' Guid='{71A551F5-C893-4849-886B-B5EC8502641E}'/><EventID>2</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000001000</Keywords><TimeCreated SystemTime='2024-02-27T23:50:51.965038300Z'/><EventRecordID>330</EventRecordID><Correlation/><Execution ProcessID='6448' ThreadID='6892'/><Channel>DNS Server</Channel><Computer>GFU-WIN2016-126.gfu.com</Computer><Security UserID='S-1-5-18'/></System><EventData Name='DNS_EVENT_STARTUP_OK'></EventData><RenderingInfo Culture='en-US'><Message>The DNS server has started.</Message><Level>Information</Level><Task></Task><Opcode>Info</Opcode><Channel></Channel><Provider>Microsoft-Windows-DNS-Server-Service</Provider><Keywords></Keywords></RenderingInfo></Event>

DHCP Logs

AccelOps-WUA-DHCP-Generic
Thu May 07 05:44:44 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="00" [Date]="05/07/15" 
[Time]="13:44:08" [Description]="Started" [IP Address]="" [Host Name]="" [MAC Address]="" [User Name]="" [ TransactionID]="0" 
[ QResult]="6" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AccelOps-WUA-DHCP-IP-ASSIGN
Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="10" [Date]="05/07/15" 
[Time]="13:56:37" [Description]="Assign" [IP Address]="10.1.2.124" [Host Name]="Agent-247.yj" [MAC Address]="000C2922118E" 
[User Name]="" [ TransactionID]="2987030242" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AccelOps-WUA-DHCP-Generic(Release)
Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="12" [Date]="05/07/15" 
[Time]="13:56:33" [Description]="Release" [IP Address]="10.1.2.124" [Host Name]="Agent-247.yj" [MAC Address]="000C2922118E" 
[User Name]="" [ TransactionID]="2179405838" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AccelOps-WUA-DHCP-IP-LEASE-RENEW
Wed Feb 25 02:53:28 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="11" [Date]="02/25/15" 
[Time]="10:53:19" [Description]="Renew" [IP Address]="10.1.2.123" [Host Name]="WIN-2008-249.yj" [MAC Address]="0050568F1B5D" 
[User Name]="" [ TransactionID]="1136957584" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

IIS Logs

#AccelOps-WUA-IIS-Web-Request-Success
Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" 
[time]="03:44:28" [s-sitename]="W3SVC1" [s-computername]="WIN-2008-LAW-AG" [s-ip]="10.1.2.242" [cs-method]="GET" 
[cs-uri-stem]="/welcome.png" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" [c-ip]="10.1.20.232" [cs-version]="HTTP/1.1" 
[cs(User-Agent)]="Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36" 
[cs(Cookie)]="-" [cs(Referer)]="http://10.1.2.242/" [cs-host]="10.1.2.242" [sc-status]="200" [sc-substatus]="0" [sc-win32-status]="0" 
[sc-bytes]="185173" [cs-bytes]="324" [time-taken]="78" [site]="Default Web Site" [format]="W3C"

#AccelOps-WUA-IIS-Web-Client-Error
Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:44:37" 
[s-sitename]="W3SVC1" [s-computername]="WIN-2008-LAW-AG" [s-ip]="10.1.2.242" [cs-method]="GET" [cs-uri-stem]="/wrongpage" [cs-uri-query]="-" 
[s-port]="80" [cs-username]="-" [c-ip]="10.1.20.232" [cs-version]="HTTP/1.1" [cs(User-Agent)]="Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36" [cs(Cookie)]="-" [cs(Referer)]="-" [cs-host]="10.1.2.242" [sc-status]="404" 
[sc-substatus]="0" [sc-win32-status]="2" [sc-bytes]="1382" [cs-bytes]="347" [time-taken]="0" [site]="Default Web Site" [format]="W3C"

#AccelOps-WUA-IIS-Web-Forbidden-Access-Denied
Thu May 07 03:30:39 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:30:15" [s-ip]="10.1.2.249" [cs-method]="POST" [cs-uri-stem]="/AOCACWS/AOCACWS.svc" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" 
[c-ip]="10.1.2.42" [cs(User-Agent)]="-" [sc-status]="403" [sc-substatus]="4" [sc-win32-status]="5" [time-taken]="1" [site]="Default Web Site" 
[format]="W3C"

DFS Logs

#Win-App-DFSR-1002
Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" 
[eventSource]="DFSR" [eventId]="1002" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" 
[userSIDAcctType]="" [eventTime]="May 07 2015 11:01:12" [deviceTime]="May 07 2015 11:01:12" [msg]="The DFS Replication service is starting."

#Win-App-DFSR-1004
Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" 
[eventSource]="DFSR" [eventId]="1004" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" 
[userSIDAcctType]="" [eventTime]="May 07 2015 11:01:12" [deviceTime]="May 07 2015 11:01:12" [msg]="The DFS Replication service has started."

#Win-App-DFSR-1006
Thu May 07 03:01:10 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" 
[eventSource]="DFSR" [eventId]="1006" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" 
[userSIDAcctType]="" [eventTime]="May 07 2015 11:01:10" [deviceTime]="May 07 2015 11:01:10" [msg]="The DFS Replication service is stopping."

#Win-App-DFSR-1008
Thu May 07 03:01:11 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" 
[eventSource]="DFSR" [eventId]="1008" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" 
[userSIDAcctType]="" [eventTime]="May 07 2015 11:01:11" [deviceTime]="May 07 2015 11:01:11" [msg]="The DFS Replication service has stopped."

File Content Monitoring Logs

#AccelOps-WUA-UserFile
Thu May 07 05:40:08 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-UserFile [monitorStatus]="Success" [fileName]="C:\test\i.txt" 
[msg]="another newline adddedddddd"

File Integrity Monitoring Logs

The following sections describe various use cases that can be detected by File Integrity Monitoring Logs.

Use Case 1: File or Directory Created
Use Case 2: File or Directory Deleted
Use Case 3: File Content Modified
Use Case 4: File Content Modified and Upload is Selected
Use Case 5: File Renamed
Use Case 6: File Permission Changed
Use Case 7: File Ownership Changed
Use Case 8: File Archive Bit Changed
Use Case 9: File Baseline Changed

Use Case 1: File or Directory Created

Event Type

AO-WUA-FileMon-Added

The ‘added’ event is triggered when a file or directory is added into a directory that is being monitored. Actions such as the following will cause this event to generate:

Copying a file/directory
Creating a shortcut of a file/directory
Sending to compressed zip
Restoring a file/directory
Downloading or saving a file

Important Event Attributes

userId: The ID of the user who added the file.
domain: The user’s domain for a Domain computer.
osObjType- Can be either File or Directory.
fileName: The name of the file or directory that was added.
hashCode, hashAlgo: The file hash obtained by using the specified algorithm.
procName: The name of the Windows process that was used to create the file.
fileOwner: The owner of the file.
targetUserType, targetUser: The user or group to whom the permission applies.
targetFilePermit: The permitted file operations.
targetFileDeny: The denied file operations.
archiveSet: Is true if the Archive bit is set for this file; false otherwise.

Reports

Agent FIM: Windows File/Directory Created/Deleted/Renamed

Rules

Agent FIM - Windows File or Directory Created

Sample Log

2020-03-25T07:30:50Z Win-167 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 07:30:48" [fileName]="C:\\test\\New Text Document.txt" [osObjAction]="Added" [objectType]="File" [hashCode]="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" [hashAlgo]="SHA256" [procName]="C:\\Windows\\explorer.exe" [msg]="" [archiveSet]="true" [fileOwner]=""

Use Case 2: File or Directory Deleted

Event Type

AO-WUA-FileMon-Removed

The ‘removed’ event is triggered when a file or directory is removed. Actions such as the following will cause this event to generate:

Moving a file from one directory to another
Deleting a file or directory

Important Event Attributes

userId: The ID of the user who removed the file.
domain: The user’s domain for a Domain computer.
fileName: The name of the file that was removed.
procName: The Windows process that was used to remove the file.

Report

Agent FIM: Windows File/Directory Creation/Deletion/Rename

Rule

Agent FIM - Windows File or Directory Deleted

Sample Log

2020-03-25T07:43:24Z Win-167 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 07:43:21" [fileName]="C:\\test\\test1.txt" [osObjAction]="Removed" [objectType]="Unknown" [hashCode]="" [hashAlgo]="SHA256" [procName]="C:\\Windows\\explorer.exe" [msg]="" [archiveSet]="false" [fileOwner]=""

Use Case 3: File Content Modified

Event Type

AO-WUA-FileMon-Modified

The ‘modified’ event is triggered when a file or directory is modified. Actions such as the following will cause this event to generate:

Add or delete ‘text’ from the file
Simply saving a file, even without a change, will trigger this event

Important Event Attributes

userId: The user who modified the file.
domain: The user’s domain for a Domain computer.
fileName: The name of the file that was modified.
procName: The Windows process that was used to modify the file.
hashCode, hashAlgo: The file hash after modification and the algorithm used to calculate the hash.

Report

Agent FIM: Windows File Content Modified

Rule

Agent FIM - Windows File Content Modified

Sample Log

2020-03-25T10:50:40Z WIN-167.fortinet.wulei.com 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 10:50:37" [fileName]="C:\\test\\test.txt" [osObjAction]="Modified" [objectType]="File" [hashCode]="6396e3c19b155770f3ae25afa5f29832d6f35b315407ed88820339b705fd2bcc" [hashAlgo]="SHA256" [procName]="C:\\Windows\\System32\<br/>otepad.exe" [msg]="" [archiveSet]="true" [fileOwner]=""

Use Case 4: File Content Modified and Upload is Selected

Event Type

PH_DEV_MON_FILE_CONTENT_CHANGE

Important Event Attributes

userId: The ID of the user who modified the file.
domain: The user’s domain for a Domain computer.
fileName: The name of the file that was modified.
procName: The Windows process that was used to modify the file.
hashCode, hashAlgo: The file hash after modification and the algorithm used to calculate the hash.
oldSVNVersion: The SVN revision number of file before the change.
newSVNVersion: The SVN revision number of file after the change.
addedItem: The lines that were added to the file.
deletedItem: The lines that were removed from the file.

Report

Agent FIM: Windows File Content Modified in SVN

Rule

Audited file or directory content modified in SVN

Sample Log

<14>Mar 25 20:30:44 sp3 phPerfMonitor[17521]: [PH_DEV_MON_FILE_CONTENT_CHANGE]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=306,[phCustId]=2000,[hostName]=Win-169,[hostIpAddr]=10.30.3.169,[fileName]=/C:/test/test.txt,[hashCode]=08998b2cce90ee6695bd8dae82d43137,[oldSVNVersion]=50,[newSVNVersion]=51,[deletedItem]=(none),[addedItem]=333;,[user]=Administrator,[hashAlgo]=SHA256,[phLogDetail]=

Use Case 5: File Renamed

Event Type

AO-WUA-FileMon-Renamed-New-Name

The ‘new-name’ event is triggered when a file or directory is renamed. This event encapsulates the new name of the file/directory.

Important Event Attributes

userId: The ID of the user who renamed the file.
domain: The user’s domain for a Domain computer.
fileName: The new name of the file.
procName: The Windows process that was used to rename the file.
hashCode, hashAlgo: The new file hash using the specified algorithm.

Report

Agent FIM: Windows File/Directory Creation/Deletion/Rename

Rule

None

Sample Log

2020-03-25T09:59:34Z WIN-167.fortinet.wulei.com 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 09:59:32" [fileName]="C:\\test\\test5.txt" [osObjAction]="Renamed [New Name]" [objectType]="File" [hashCode]="2b64c6d9afd8a34ed0dbf35f7de171a8825a50d9f42f05e98fe2b1addf00ab44" [hashAlgo]="SHA256" [procName]="C:\\Windows\\explorer.exe" [msg]="" [archiveSet]="true" [fileOwner]=""

Event Type

AO-WUA-FileMon-Renamed-Old-Name

Important Event Attributes

userId: The ID of the user who modified the file.

domain: The user’s domain for a Domain computer.

fileName: The old name of the file before renaming.

procName: The Windows process that was used to remove the file.

Report

Agent FIM: Windows File/Directory Creation/Deletion/Rename

Rule

None

Sample Log

None

Use Case 6: File Permission Changed

Event Type

AO-WUA-FileMon-PermissionChange

The ‘permission change’ event is triggered when a file or directory undergoes a change in permissions. Actions such as the following will cause this event to generate:

Sharing out a directory
Modification of the permissions
Add group or user to file or directory

Important Event Attributes

userId: The ID of the user who modified the file permission.
domain: The user’s domain for a Domain computer.
objectType: The type of object. Can be File or Directory.
fileName: The name of the file or directory whose permission was changed.
procName: The Windows process that was used to change the permission.
hashCode, hashAlgo: The file hash using the specified algorithm.
fileOwner: The name of the owner of the file.
targetUserType, targetUser: The name of the user or group to whom the permission below applies.
targetFilePermit: The permitted file operations after change.
targetFileDeny: The denied file operations after change.
archiveSet: Is true if the Archive bit is set for this file; false otherwise.

Report

Agent FIM: Windows File/Directory Permission Changes

Rule

Agent FIM - Windows File Permission Changed

Sample Log

2020-03-25T10:21:00Z WIN-167.fortinet.wulei.com 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 10:20:58" [fileName]="C:\\test\\test.txt" [osObjAction]="PermissionChange" [objectType]="File" [hashCode]="7936d255ef43706a93fdd15f4bbfde45e3b2d2b9a0d4cc7c39184cf745ab78c5" [hashAlgo]="SHA256" [procName]="C:\\Windows\\System32\\dllhost.exe" [msg]="" [archiveSet]="true" [fileOwner]="Joe" [targetUserType]="USER" [targetUser]="BUILTIN\Administrators" [targetFilePermit]="ALL" [targetFileDeny]="WRITE"

Use Case 7: File Ownership Changed

Event Type

AO-WUA-FileMon-OwnershipChange

The ‘ownership change’ event is triggered when a file or directory’s owner has been changed.

Important Event Attributes

userId: The ID of the user who modified the file ownership.
domain: The user’s domain for a Domain computer.
objectType: The type of object whose ownership was changed: File or Directory.
fileName: The name of the file or directory whose ownership was changed.
procName: The Windows process that was used to change ownership.
hashCode, hashAlgo: The file hash using the specified algorithm.
fileOwner: The name of the new file owner.
archiveSet: Is true if the Archive bit is set for this file; false otherwise.

Report

Agent FIM: Windows File/Directory Ownership Changes

Rule

Agent FIM - Windows File Ownership Changed

Sample Log

2020-03-06T07:08:56Z Win-167 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="Administrator" [domain]="WIN-167" [eventTime]="Mar 06 2020 07:08:53" [fileName]="C:\\test\\test1.txt" [osObjAction]="OwnershipChange" [objectType]="File" [hashCode]="d17f25ecfbcc7857f7bebea469308be0b2580943e96d13a3ad98a13675c4bfc2" [hashAlgo]="SHA256" [procName]="C:\\Windows\\System32\\dllhost.exe" [msg]="" [archiveSet]="true" [fileOwner]="Joe"

Use Case 8: File Archive Bit Changed

Event Type

AO-WUA-FileMon-ArchivedBitChange

The ‘archived bit change’ event is triggered when a file or directory undergoes an archive change. Actions such as the following will cause this event to generate:

Under the General tab of the files’ properties:
- Checking the Read-only or Hidden checkboxes in the Attributes row.
- Click Advanced... and checking or unchecking any of the checkboxes for File attributes or Compress or Encrypt attributes.

Important Event Attributes

userId: The ID of the user who modified the file.
domain: The user’s domain for a Domain computer.
objectType: The type of object whose Archive bit was changed: File or Directory.
fileName: The name of the file whose archive bit was changed.
procName: The Windows process that was used to change archive bit.
hashCode, hashAlgo: The file hash using the specified algorithm.
archiveSet: Is true if the Archive bit is set for this file; false otherwise.

Report

Agent FIM: Windows File/Directory Archive Bit Changes

Rule

Agent FIM - Windows File/Directory Archive Bit Changed

Sample Log

2020-03-25T10:02:38Z WIN-167.fortinet.wulei.com 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 10:02:35" [fileName]="C:\\test\\test.txt" [osObjAction]="ArchivedBitChange" [objectType]="File" [hashCode]="7936d255ef43706a93fdd15f4bbfde45e3b2d2b9a0d4cc7c39184cf745ab78c5" [hashAlgo]="SHA256" [procName]="C:\\Windows\\System32\\attrib.exe" [msg]="" [archiveSet]="false" [fileOwner]=""

Use Case 9: File Baseline Changed

Event Type

AO-WUA-FileMon-BaselineChange

Important Event Attributes

userId: The ID of the user who modified the file.
domain: The user’s domain for a Domain computer.
fileName: The name of the file that was changed.
procName: The Windows process that was used to remove the file.
hashCode, hashAlgo: The file hash using the specified algorithm.
targetHashCode: The hash of the target file (defined in the GUI).

Report

Agent FIM: Windows File Change from Baseline

Rule

Agent FIM - Windows File Changed From Baseline

Sample Log

2020-03-25T12:52:42Z Win-169 10.30.3.169 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="5c83ec12-73fd-4e06-a396-1f128564f09e" [timeZone]="+0800" [userId]="Administrator" [domain]="WINSRV2012-169" [fileName]="C:\\test\\test.txt" [osObjAction]="BaselineChange" [hashCode]="c1f79ea2bbfb77bf30446a4c9be762eb" [hashAlgo]="MD5" [targetHashCode]="74DE7651DFC55294CC59240AE514A676" [msg]="

Installed Software Logs

#AccelOps-WUA-InstSw-Added
Thu May 07 05:28:17 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-InstSw [monitorStatus]="Success" [osObjAction]="Added" 
[appName]="7-Zip 9.20 (x64 edition)" [vendor]="Igor Pavlov" [appVersion]="9.20.00.0"

#AccelOps-WUA-InstSw-Removed
Thu May 07 05:28:30 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-InstSw [monitorStatus]="Success" [osObjAction]="Removed" 
[appName]="7-Zip 9.20 (x64 edition)" [vendor]="Igor Pavlov" [appVersion]="9.20.00.0"

Registry Change Logs

#AccelOps-WUA-Registry-Modified
Thu May 07 04:01:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-Registry [monitorStatus]="Success" [regKeyPath]="HKLM\\SOFTWARE\\Microsoft\\ExchangeServer\\v14\\ContentIndex\\CatalogHealth\\{0d2a342a-0b15-4995-93db-d18c3df5860d}" [regValueName]="TimeStamp" [regValueType]="1" [osObjAction]="Modified" [oldRegValue]="MgAwADEANQAtADAANQAtADAANwAgADAAMwA6ADQAOQA6ADQANwBaAAAA" 
[newRegValue]="MgAwADEANQAtADAANQAtADAANwAgADAANAA6ADAAMQA6ADQAOABaAAAA"

#AccelOps-WUA-Registry-Removed
Thu May 07 05:25:09 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-Registry [monitorStatus]="Success" 
[regKeyPath]="HKLM\\SOFTWARE\\RegisteredApplications" [regValueName]="Skype" [regValueType]="1" [osObjAction]="Removed" [oldRegValue]="UwBPAEYAVABXAEEAUgBFAFwAQwBsAGkAZQBuAHQAcwBcAEkAbgB0AGUAcgBuAGUAdAAgAEMAYQBsAGwAXABTAGsAeQBwAGUAXABDAGEAcABhAGIAaQBsAGkAdABpAGUAcwBkAGgAZABoAGQAaABkAGgAZABoAGQAAAA=" [newRegValue]=""

Removeable Media Monitoring Logs

AO-WUA-RemovableMedia-Insert

2022-06-24T19:06:55Z CD-DESK-S 0.0.0.0 AccelOps-WUA-RemovableMedia-Insert [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" [user]="" [domain]="" [eventTime]="Jun 24 2022 19:06:55" [fileName]="" [diskName]="D:" [isMediaEncrypted]="false" [osObjAction]="" [diskType]="USB" [diskDisplayName]="Samsung USB" [diskVendor]="samsung" [hwDiskModel]="flash_drive_fit 1100" [msg]="Storage media inserted."

AO-WUA-RemovableMedia-Write-ModifyFile

2022-06-24T19:25:06Z CD-DESK-S 192.168.1.147 AccelOps-WUA-RemovableMedia-Write [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" [user]="" [domain]="" [eventTime]="Jun 24 2022 19:25:02" [fileName]="D:\\agenttest\\Wireshark-win64-3.6.6.exe" [diskName]="D:" [isMediaEncrypted]="false" [osObjAction]="Modified" [diskType]="USB" [diskDisplayName]="Samsung USB" [diskVendor]="samsung" [hwDiskModel]="flash_drive_fit 1100" [msg]=""

AO-WUA-RemovableMedia-Write-AddFile

2022-06-24T19:25:01Z CD-DESK-S 192.168.1.147 AccelOps-WUA-RemovableMedia-Write [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" [user]="" [domain]="" [eventTime]="Jun 24 2022 19:25:00" [fileName]="D:\\agenttest\\Wireshark-win64-3.6.6.exe" [diskName]="D:" [isMediaEncrypted]="false" [osObjAction]="Added" [diskType]="USB" [diskDisplayName]="Samsung USB" [diskVendor]="samsung" [hwDiskModel]="flash_drive_fit 1100" [msg]=""

AO-WUA-RemovableMedia-Write-RemoveFile

2022-06-24T19:24:01Z CD-DESK-S 192.168.1.147 AccelOps-WUA-RemovableMedia-Write [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" [user]="" [domain]="" [eventTime]="Jun 24 2022 19:23:56" [fileName]="D:\\agenttest\\WinSCP-5.17.8-Setup.zip" [diskName]="D:" [isMediaEncrypted]="false" [osObjAction]="Removed" [diskType]="USB" [diskDisplayName]="Samsung USB" [diskVendor]="samsung" [hwDiskModel]="flash_drive_fit 1100" [msg]=""

WMI Logs

#AccelOps-WUA-WMI-Win32_Processor
Thu May 07 03:53:33 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WMI [monitorStatus]="Success"  [__CLASS]="Win32_Processor" 
[AddressWidth]="64" [Architecture]="9" [Availability]="3" [Caption]="Intel64 Family 6 Model 26 Stepping 5" [ConfigManagerErrorCode]="" [ConfigManagerUserConfig]="" [CpuStatus]="1" [CreationClassName]="Win32_Processor" [CurrentClockSpeed]="2266" [CurrentVoltage]="33" 
[DataWidth]="64" [Description]="Intel64 Family 6 Model 26 Stepping 5" [DeviceID]="CPU0" [ErrorCleared]="" [ErrorDescription]="" 
[ExtClock]="" [Family]="12" [InstallDate]="" [L2CacheSize]="0" [L2CacheSpeed]="" [L3CacheSize]="0" [L3CacheSpeed]="0" 
[LastErrorCode]="" [Level]="6" [LoadPercentage]="8" [Manufacturer]="GenuineIntel" [MaxClockSpeed]="2266" 
[Name]="Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz" [NumberOfCores]="1" [NumberOfLogicalProcessors]="1" 
[OtherFamilyDescription]="" [PNPDeviceID]="" [PowerManagementCapabilities]="" [PowerManagementSupported]="0" 
[ProcessorId]="0FEBFBFF000106A5" [ProcessorType]="3" [Revision]="6661" [Role]="CPU" [SocketDesignation]="CPU socket #0" 
[Status]="OK" [StatusInfo]="3" [Stepping]="" [SystemCreationClassName]="Win32_ComputerSystem" [SystemName]="WIN-2008-LAW-AG" 
UniqueId]="" [UpgradeMethod]="4" [Version]="" [VoltageCaps]="2"

Sample Windows Agent Logs

FortiSIEM Windows Agent Manager generates Windows logs in an easy way to analyze "attribute=value" style without losing any information.

Certificate Monitoring Logs
System Logs
Sysmon Logs
PowerShell Logs
Application Logs
Security Logs
DNS Logs
DHCP Logs
IIS Logs
DFS Logs
File Content Monitoring Logs
File Integrity Monitoring Logs
Installed Software Logs
Registry Change Logs
Removeable Media Logs
WMI Logs

Certificate Monitoring Logs

Certificate Added
Certificate Removed
Certificate Expired
Certificate Expiring

Certificate Added

2023-10-25T19:45:14Z DESKTOP-3NKROF5 192.0.2.0 AccelOps-WUA-Certificate [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-1111-4dc0-1111-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [certAction]="Added" [authority_key_id]="F4B6E1201DFE29AED2E461A5B2A225B2C817356E" [ca]="0" [common_name]="DigiCert Timestamp 2021" [issuer]="US, DigiCert Inc, www.digicert.com, DigiCert SHA2 Assured ID Timestamping CA" [key_algorithm]="RSA" [key_strength]="2160" [key_usage]="CERT_DIGITAL_SIGNATURE_KEY_USAGE" [not_valid_after]="1925424000" [not_valid_before]="1609459200" [path]="LocalMachine\Trusted Publishers" [self_signed]="0" [serial]="0D424AE0BE3A88F1111021CE1400F0DD" [sha1]="E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3" [sid]="" [signing_algorithm]="sha256RSA" [store]="Trusted Publishers" [store_id]="" [store_location]="LocalMachine" [subject]="US, \"DigiCert, Inc.\", DigiCert Timestamp 2021" [subject_key_id]="3644868EA4BAB066BEBC2821111436DDE36A7ABC" [user]=""

Certificate Removed

2023-10-25T19:52:31Z DESKTOP-3NKROF5 192.0.2.0 AccelOps-WUA-Certificate [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-1111-4dc0-1111-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [certAction]="Removed" [authority_key_id]="" [ca]="0" [common_name]="expiring913" [issuer]="expiring913" [key_algorithm]="RSA" [key_strength]="2160" [key_usage]="CERT_KEY_ENCIPHERMENT_KEY_USAGE,CERT_DIGITAL_SIGNATURE_KEY_USAGE" [not_valid_after]="1694630930" [not_valid_before]="1694457530" [path]="LocalMachine\Trusted People" [self_signed]="1" [serial]="347CD406C649FDA94507BFA863904500" [sha1]="8E3D8330748D4FB01848E6663E6E209735893199" [sid]="" [signing_algorithm]="sha256RSA" [store]="Trusted People" [store_id]="" [store_location]="LocalMachine" [subject]="expiring913" [subject_key_id]="35EF93076396C311112C51BF121247284686090A" [user]=""

Certificate Expired

2023-10-25T19:46:48Z DESKTOP-3NKROF5 192.0.2.0 AccelOps-WUA-Certificate [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-1111-4dc0-1111-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [certAction]="Expired" [authority_key_id]="" [ca]="-1" [common_name]="expiring1021" [issuer]="expiring1021" [key_algorithm]="RSA" [key_strength]="2160" [key_usage]="CERT_KEY_ENCIPHERMENT_KEY_USAGE,CERT_DIGITAL_SIGNATURE_KEY_USAGE" [not_valid_after]="1697911109" [not_valid_before]="1697478510" [path]="LocalMachine\Trusted People" [self_signed]="1" [serial]="1F3EB6C111E7478E4DEE1F13EDF3935B" [sha1]="946499B4B192D27682D86F9F93522B11BF0F1AE0" [sid]="" [signing_algorithm]="sha256RSA" [store]="Trusted People" [store_id]="" [store_location]="LocalMachine" [subject]="expiring1021" [subject_key_id]="4DC106FF2111117C13B5E5C62F4C106D12C44C63" [user]=""

Certificate Expiring

2023-10-25T21:40:51Z DESKTOP-3NKROF5 192.0.2.0 AccelOps-WUA-Certificate [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-1111-4dc0-1111-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [certAction]="Expiring" [authority_key_id]="" [ca]="-1" [common_name]="expiring1029" [issuer]="expiring1029" [key_algorithm]="RSA" [key_strength]="2160" [key_usage]="CERT_KEY_ENCIPHERMENT_KEY_USAGE,CERT_DIGITAL_SIGNATURE_KEY_USAGE" [not_valid_after]="1698596479" [expiry_in_days]="3" [not_valid_before]="1698163880" [path]="LocalMachine\Preview Build Roots" [self_signed]="1" [serial]="2085D79E2DE08A9A4FE011108525F91D" [sha1]="8DA053FCEFE792FC2E57F3A218751F6070E91B78" [sid]="" [signing_algorithm]="sha256RSA" [store]="Preview Build Roots" [store_id]="" [store_location]="LocalMachine" [subject]="expiring1029" [subject_key_id]="362A38630797FF2C78B1A9AE1E1116927C633FA0" [user]=""

System Logs

System Logs generated by pre-7.1.4 Windows Agent
System Logs generated by 7.1.4 and later Windows Agent

System Logs generated by pre-7.1.4 Windows Agent

2024-02-20T23:24:58Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 AccelOps-WUA-WinLog-System [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="System" [eventSource]="Service Control Manager" [eventId]="7036" [eventType]="Information" [domain]="" [computer]="FSM-GFU-Windows2019-WIN2019-172-30-56-129" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 20 2024 23:24:57" [deviceTime]="Feb 20 2024 23:24:57" [msg]="The Microsoft Store Install Service service entered the stopped state."

System Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-26T22:22:42Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 FSM-WUA-WinLog-System [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2024-02-26T22:22:41.078643000Z'/><EventRecordID>168290</EventRecordID><Correlation/><Execution ProcessID='744' ThreadID='3880'/><Channel>System</Channel><Computer>FSM-GFU-Windows2019-WIN2019-172-30-56-129</Computer><Security/></System><EventData><Data Name='param1'>Network Setup Service</Data><Data Name='param2'>stopped</Data><Binary>4E0065007400530065007400750070005300760063002F0031000000</Binary></EventData><RenderingInfo Culture='en-US'><Message>The Network Setup Service service entered the stopped state.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

Sysmon Logs

Sysmon Logs generated by pre-7.1.4 Windows Agent
Sysmon Logs generated by 7.1.4 and later Windows Agent

Sysmon Logs generated by pre-7.1.4 Windows Agent

2024-02-27T23:06:35Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 AccelOps-WUA-WinLog-Microsoft-Windows-Sysmon/Operational [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="Microsoft-Windows-Sysmon/Operational" [eventSource]="Microsoft-Windows-Sysmon" [eventId]="1" [eventType]="Information" [domain]="NT AUTHORITY" [computer]="FSM-GFU-Windows2019-WIN2019-172-30-56-129" [user]="SYSTEM" [userSID]="S-1-5-18" [userSIDAcctType]="User" [eventTime]="Feb 27 2024 23:06:35" [deviceTime]="Feb 27 2024 23:06:35" [msg]="Process Create:
RuleName: -
UtcTime: 2024-02-27 23:06:35.046
ProcessGuid: {1e749ab9-6afb-65de-c644-000000001600}
ProcessId: 2068
Image: C:\\Windows\\System32\\HOSTNAME.EXE
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Hostname APP
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: hostname.exe
CommandLine: \"C:\\Windows\\system32\\HOSTNAME.EXE\"
CurrentDirectory: C:\\Windows\\system32\\
User: NT AUTHORITY\\SYSTEM
LogonGuid: {1e749ab9-4516-65c0-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=7F95220A65A5A5D4A98873E86EF2E549,SHA256=1BFF2907C456F99277F45F9B2A21B1B3F11F6C01587D9E6D6F0B2B5F1472FE92,IMPHASH=5CD891320C666621E9783444DB8CBA78
ParentProcessGuid: {1e749ab9-6775-65de-7344-000000001600}
ParentProcessId: 6884
ParentImage: C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe
ParentCommandLine: \"C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe\"
ParentUser: NT AUTHORITY\\SYSTEM"

Sysmon Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T22:18:54Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 FSM-WUA-WinLog-Microsoft-Windows-Sysmon/Operational [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2024-02-27T22:18:53.386292600Z'/><EventRecordID>42662</EventRecordID><Correlation/><Execution ProcessID='3196' ThreadID='5432'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>FSM-GFU-Windows2019-WIN2019-172-30-56-129</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>InvDB-Path</Data><Data Name='EventType'>SetValue</Data><Data Name='UtcTime'>2024-02-27 22:18:53.373</Data><Data Name='ProcessGuid'>{1e749ab9-5fc0-65de-a843-000000001600}</Data><Data Name='ProcessId'>4372</Data><Data Name='Image'>C:\\Windows\\system32\\CompatTelRunner.exe</Data><Data Name='TargetObject'>\\REGISTRY\\A\\{41ae3209-e80b-5fb1-d81b-7b9b2464bf78}\\Root\\InventoryApplicationFile\\osquery.exe|7bec5ef138bedfec\\LowerCaseLongPath</Data><Data Name='Details'>c:\\program files\\fortinet\\fortisiem\\osquery.exe</Data><Data Name='User'>NT AUTHORITY\\SYSTEM</Data></EventData><RenderingInfo Culture='en-US'><Message>Registry value set:
RuleName: InvDB-Path
EventType: SetValue
UtcTime: 2024-02-27 22:18:53.373
ProcessGuid: {1e749ab9-5fc0-65de-a843-000000001600}
ProcessId: 4372
Image: C:\\Windows\\system32\\CompatTelRunner.exe
TargetObject: \\REGISTRY\\A\\{41ae3209-e80b-5fb1-d81b-7b9b2464bf78}\\Root\\InventoryApplicationFile\\osquery.exe|7bec5ef138bedfec\\LowerCaseLongPath
Details: c:\\program files\\fortinet\\fortisiem\\osquery.exe
User: NT AUTHORITY\\SYSTEM</Message><Level>Information</Level><Task>Registry value set (rule: RegistryEvent)</Task><Opcode>Info</Opcode><Channel></Channel><Provider></Provider><Keywords></Keywords></RenderingInfo></Event>

PowerShell Logs

PowerShell Logs generated by pre-7.1.4 Windows Agent
PowerShell Logs generated by 7.1.4 and later Windows Agent

PowerShell Logs generated by pre-7.1.4 Windows Agent

"2024-02-27T23:36:35Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 AccelOps-WUA-WinLog-Windows PowerShell [phCustId]=""2000"" [customer]=""org1"" [monitorStatus]=""Success"" [Locale]=""en-US"" [MachineGuid]=""1e749ab9-bf6e-4052-806b-02068b2d4465"" [timeZone]=""-0800"" [extEventRecvProto]=""Windows Agent"" [eventName]=""Windows PowerShell"" [eventSource]=""PowerShell"" [eventId]=""600"" [eventType]=""Information"" [domain]="""" [computer]=""FSM-GFU-Windows2019-WIN2019-172-30-56-129"" [user]="""" [userSID]="""" [userSIDAcctType]="""" [eventTime]=""Feb 27 2024 23:36:35"" [deviceTime]=""Feb 27 2024 23:36:35"" [msg]=""Provider \""WSMan\"" is Started. Details: 
                ProviderName=WSMan
                NewProviderState=Started

                SequenceNumber=55

                HostName=Default Host
                HostVersion=5.1.17763.1432
                HostId=98d60fba-a813-4b20-9052-b56a1d052bc8
                HostApplication=C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe
                EngineVersion=
                RunspaceId=
                PipelineId=
                CommandName=
                CommandType=
                ScriptName=
                CommandPath=
                CommandLine="""

PowerShell Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T23:16:39Z GFU-Win11.getest.com 172.30.56.124 FSM-WUA-WinLog-Windows PowerShell [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="f91bb25d-8ac1-45ea-8345-6263c2168970" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='PowerShell'/><EventID Qualifiers='0'>403</EventID><Version>0</Version><Level>4</Level><Task>4</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2024-02-27T23:16:39.7709133Z'/><EventRecordID>416398</EventRecordID><Correlation/><Execution ProcessID='6064' ThreadID='0'/><Channel>Windows PowerShell</Channel><Computer>GFU-Win11.getest.com</Computer><Security/></System><EventData><Data>Stopped</Data><Data>Available</Data><Data>                NewEngineState=Stopped
                PreviousEngineState=Available

                SequenceNumber=2219

                HostName=Default Host
                HostVersion=5.1.22000.2538
                HostId=b0f192dd-bf79-4fed-9740-8f556f9f63d8
                HostApplication=C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe
                EngineVersion=5.1.22000.2538
                RunspaceId=0812ae9a-0717-469e-a4de-1103ff4404b3
                PipelineId=
                CommandName=
                CommandType=
                ScriptName=
                CommandPath=
                CommandLine=</Data></EventData><RenderingInfo Culture='en-US'><Message>Engine state is changed from Available to Stopped. 

Details: 
                NewEngineState=Stopped
                PreviousEngineState=Available

                SequenceNumber=2219

                HostName=Default Host
                HostVersion=5.1.22000.2538
                HostId=b0f192dd-bf79-4fed-9740-8f556f9f63d8
                HostApplication=C:\\Program Files\\Fortinet\\FortiSIEM\\FSMLogAgent.exe
                EngineVersion=5.1.22000.2538
                RunspaceId=0812ae9a-0717-469e-a4de-1103ff4404b3
                PipelineId=
                CommandName=
                CommandType=
                ScriptName=
                CommandPath=
                CommandLine=</Message><Level>Information</Level><Task>Engine Lifecycle</Task><Opcode>Info</Opcode><Channel></Channel><Provider></Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

Application Logs

Application Logs generated by pre-7.1.4 Windows Agent
Application Logs generated by 7.1.4 and later Windows Agent

Application Logs generated by pre-7.1.4 Windows Agent

2024-02-27T17:32:20Z FSM-GFU-Windows8-George-172-30-56-122 172.30.56.122 AccelOps-WUA-WinLog-Application [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="69c490e4-9c32-49cb-aefa-3ff10bcfc98a" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="Application" [eventSource]="Microsoft-Windows-Security-SPP" [eventId]="16384" [eventType]="Information" [domain]="" [computer]="FSM-GFU-Windows8-George-172-30-56-122" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 27 2024 17:32:20" [deviceTime]="Feb 27 2024 17:32:20" [msg]="Successfully scheduled Software Protection service for re-start at 2024-02-28T00:55:20Z. Reason: RulesEngine."

Application Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T20:07:07Z GFU-Win11.getest.com 172.30.56.124 FSM-WUA-WinLog-Application [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="f91bb25d-8ac1-45ea-8345-6263c2168970" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-SPP' Guid='{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}' EventSourceName='Software Protection Platform Service'/><EventID Qualifiers='16384'>16384</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2024-02-27T20:07:07.0902766Z'/><EventRecordID>75607</EventRecordID><Correlation/><Execution ProcessID='5284' ThreadID='0'/><Channel>Application</Channel><Computer>GFU-Win11.getest.com</Computer><Security/></System><EventData><Data>2024-02-28T19:25:07Z</Data><Data>RulesEngine</Data></EventData><RenderingInfo Culture='en-US'><Message>Successfully scheduled Software Protection service for re-start at 2024-02-28T19:25:07Z. Reason: RulesEngine.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Security-SPP</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

Security Logs

Security Logs generated by pre-7.1.4 Windows Agent
Security Logs generated by 7.1.4 and later Windows Agent
Security Logs in French Windows generated by pre-7.1.4 Windows Agent
Security Logs in French Windows generated by 7.1.4 and later Windows Agent

Security Logs generated by pre-7.1.4 Windows Agent

2024-02-22T01:07:51Z GFU-Win10.gfu.com 172.30.56.127 AccelOps-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-fedf-4dc0-92e7-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4703" [eventType]="Information" [domain]="" [computer]="GFU-Win10.gfu.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 22 2024 01:07:51" [deviceTime]="Feb 22 2024 01:07:51" [msg]="A token right was adjusted." [[Subject]][Security ID]="S-1-5-18" [Account Name]="GFU-WIN10$" [Account Domain]="GFU" [Logon ID]="0x3E7" [[Target Account]][Security ID]="S-1-5-18" [Account Name]="GFU-WIN10$" [Account Domain]="GFU" [Logon ID]="0x3E7" [[Process Information]][Process ID]="0x3348" [Process Name]="C:\\Windows\\System32\\msiexec.exe" [Enabled Privileges]="" [Disabled Privileges]="SeRestorePrivilege,SeTakeOwnershipPrivilege"

Security Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T21:19:33Z FSM-GFU-Windows2019-WIN2019-172-30-56-129 172.30.56.129 FSM-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4703</EventID><Version>0</Version><Level>0</Level><Task>13317</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-27T21:19:32.430796700Z'/><EventRecordID>9064813051</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='5944'/><Channel>Security</Channel><Computer>FSM-GFU-Windows2019-WIN2019-172-30-56-129</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>FSM-GFU-WINDOWS$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>FSM-GFU-WINDOWS$</Data><Data Name='TargetDomainName'>WORKGROUP</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='ProcessName'>C:\\Windows\\System32\\svchost.exe</Data><Data Name='ProcessId'>0xbdc</Data><Data Name='EnabledPrivilegeList'>SeAssignPrimaryTokenPrivilege
   SeIncreaseQuotaPrivilege
   SeSecurityPrivilege
   SeTakeOwnershipPrivilege
   SeLoadDriverPrivilege
   SeSystemtimePrivilege
   SeBackupPrivilege
   SeRestorePrivilege
   SeShutdownPrivilege
   SeSystemEnvironmentPrivilege
   SeUndockPrivilege
   SeManageVolumePrivilege</Data><Data Name='DisabledPrivilegeList'>-</Data></EventData></Event>

Security Logs in French Windows generated by pre-7.1.4 Windows Agent

2024-02-27T21:59:31Z WIN-H8PJIB0G6QJ 172.30.56.128 AccelOps-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="fr-FR" [MachineGuid]="d1a2dfa9-a8a3-4d5d-b151-2264a07678b4" [timeZone]="+0100" [extEventRecvProto]="Windows Agent" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4798" [eventType]="Information" [domain]="" [computer]="WIN-H8PJIB0G6QJ" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 27 2024 21:59:31" [deviceTime]="Feb 27 2024 21:59:31" [msg]="Une adhésion au groupe local d'un utilisateur a été énumérée." [[Objet]][ID de sécurité]="S-1-5-18" [Nom du compte]="WIN-H8PJIB0G6QJ$" [Domaine du compte]="WORKGROUP" [ID d'ouverture de session]="0x3E7" [[Utilisateur]][ID de sécurité]="S-1-5-21-1726319904-1389896535-1900308177-500" [Nom du compte]="Administrateur" [Domaine du compte]="WIN-H8PJIB0G6QJ" [[Informations sur le processus]][ID du processus]="0x1270" [Nom du processus]="C:\\Program Files\\Fortinet\\FortiSIEM\\osquery.exe"

Security Logs in French Windows generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T21:50:49Z WIN-H8PJIB0G6QJ 172.30.56.128 FSM-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="fr-FR" [MachineGuid]="d1a2dfa9-a8a3-4d5d-b151-2264a07678b4" [timeZone]="+0100" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4798</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-27T21:50:49.478751700Z'/><EventRecordID>217951</EventRecordID><Correlation ActivityID='{dc36aa0a-69c4-0001-58aa-36dcc469da01}'/><Execution ProcessID='612' ThreadID='4748'/><Channel>Security</Channel><Computer>WIN-H8PJIB0G6QJ</Computer><Security/></System><EventData><Data Name='TargetUserName'>WDAGUtilityAccount</Data><Data Name='TargetDomainName'>WIN-H8PJIB0G6QJ</Data><Data Name='TargetSid'>S-1-5-21-1726319904-1389896535-1900308177-504</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WIN-H8PJIB0G6QJ$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='CallerProcessId'>0x128</Data><Data Name='CallerProcessName'>C:\\Program Files\\Fortinet\\FortiSIEM\\osquery.exe</Data></EventData></Event>

DNS Logs

DNS System Logs generated by pre-7.1.4 Windows Agent
DNS System Logs generated by 7.1.4 and later Windows Agent

DNS System Logs generated by pre-7.1.4 Windows Agent

2024-02-28T00:05:04Z GFU-WIN2016.getest.com 172.30.56.121 AccelOps-WUA-WinLog-DNS Server [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="4a2804f4-e1b6-4e28-ac76-de5aa103d255" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="DNS Server" [eventSource]="Microsoft-Windows-DNS-Server-Service" [eventId]="2" [eventType]="Information" [domain]="NT AUTHORITY" [computer]="GFU-WIN2016.getest.com" [user]="SYSTEM" [userSID]="S-1-5-18" [userSIDAcctType]="User" [eventTime]="Feb 28 2024 00:05:03" [deviceTime]="Feb 28 2024 00:05:03" [msg]="The DNS server has started."

DNS System Logs generated by 7.1.4 and later Windows Agent

The events are generated in XML format.

2024-02-27T23:50:52Z GFU-WIN2016-126.gfu.com 172.30.56.126 FSM-WUA-WinLog-DNS Server [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="967fcbac-7d74-445f-99de-c5a1f0acf59d" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-DNS-Server-Service' Guid='{71A551F5-C893-4849-886B-B5EC8502641E}'/><EventID>2</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000001000</Keywords><TimeCreated SystemTime='2024-02-27T23:50:51.965038300Z'/><EventRecordID>330</EventRecordID><Correlation/><Execution ProcessID='6448' ThreadID='6892'/><Channel>DNS Server</Channel><Computer>GFU-WIN2016-126.gfu.com</Computer><Security UserID='S-1-5-18'/></System><EventData Name='DNS_EVENT_STARTUP_OK'></EventData><RenderingInfo Culture='en-US'><Message>The DNS server has started.</Message><Level>Information</Level><Task></Task><Opcode>Info</Opcode><Channel></Channel><Provider>Microsoft-Windows-DNS-Server-Service</Provider><Keywords></Keywords></RenderingInfo></Event>

DHCP Logs

AccelOps-WUA-DHCP-Generic
Thu May 07 05:44:44 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="00" [Date]="05/07/15" 
[Time]="13:44:08" [Description]="Started" [IP Address]="" [Host Name]="" [MAC Address]="" [User Name]="" [ TransactionID]="0" 
[ QResult]="6" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AccelOps-WUA-DHCP-IP-ASSIGN
Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="10" [Date]="05/07/15" 
[Time]="13:56:37" [Description]="Assign" [IP Address]="10.1.2.124" [Host Name]="Agent-247.yj" [MAC Address]="000C2922118E" 
[User Name]="" [ TransactionID]="2987030242" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AccelOps-WUA-DHCP-Generic(Release)
Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="12" [Date]="05/07/15" 
[Time]="13:56:33" [Description]="Release" [IP Address]="10.1.2.124" [Host Name]="Agent-247.yj" [MAC Address]="000C2922118E" 
[User Name]="" [ TransactionID]="2179405838" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AccelOps-WUA-DHCP-IP-LEASE-RENEW
Wed Feb 25 02:53:28 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="11" [Date]="02/25/15" 
[Time]="10:53:19" [Description]="Renew" [IP Address]="10.1.2.123" [Host Name]="WIN-2008-249.yj" [MAC Address]="0050568F1B5D" 
[User Name]="" [ TransactionID]="1136957584" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

IIS Logs

#AccelOps-WUA-IIS-Web-Request-Success
Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" 
[time]="03:44:28" [s-sitename]="W3SVC1" [s-computername]="WIN-2008-LAW-AG" [s-ip]="10.1.2.242" [cs-method]="GET" 
[cs-uri-stem]="/welcome.png" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" [c-ip]="10.1.20.232" [cs-version]="HTTP/1.1" 
[cs(User-Agent)]="Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36" 
[cs(Cookie)]="-" [cs(Referer)]="http://10.1.2.242/" [cs-host]="10.1.2.242" [sc-status]="200" [sc-substatus]="0" [sc-win32-status]="0" 
[sc-bytes]="185173" [cs-bytes]="324" [time-taken]="78" [site]="Default Web Site" [format]="W3C"

#AccelOps-WUA-IIS-Web-Client-Error
Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:44:37" 
[s-sitename]="W3SVC1" [s-computername]="WIN-2008-LAW-AG" [s-ip]="10.1.2.242" [cs-method]="GET" [cs-uri-stem]="/wrongpage" [cs-uri-query]="-" 
[s-port]="80" [cs-username]="-" [c-ip]="10.1.20.232" [cs-version]="HTTP/1.1" [cs(User-Agent)]="Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36" [cs(Cookie)]="-" [cs(Referer)]="-" [cs-host]="10.1.2.242" [sc-status]="404" 
[sc-substatus]="0" [sc-win32-status]="2" [sc-bytes]="1382" [cs-bytes]="347" [time-taken]="0" [site]="Default Web Site" [format]="W3C"

#AccelOps-WUA-IIS-Web-Forbidden-Access-Denied
Thu May 07 03:30:39 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:30:15" [s-ip]="10.1.2.249" [cs-method]="POST" [cs-uri-stem]="/AOCACWS/AOCACWS.svc" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" 
[c-ip]="10.1.2.42" [cs(User-Agent)]="-" [sc-status]="403" [sc-substatus]="4" [sc-win32-status]="5" [time-taken]="1" [site]="Default Web Site" 
[format]="W3C"

DFS Logs

#Win-App-DFSR-1002
Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" 
[eventSource]="DFSR" [eventId]="1002" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" 
[userSIDAcctType]="" [eventTime]="May 07 2015 11:01:12" [deviceTime]="May 07 2015 11:01:12" [msg]="The DFS Replication service is starting."

#Win-App-DFSR-1004
Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" 
[eventSource]="DFSR" [eventId]="1004" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" 
[userSIDAcctType]="" [eventTime]="May 07 2015 11:01:12" [deviceTime]="May 07 2015 11:01:12" [msg]="The DFS Replication service has started."

#Win-App-DFSR-1006
Thu May 07 03:01:10 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" 
[eventSource]="DFSR" [eventId]="1006" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" 
[userSIDAcctType]="" [eventTime]="May 07 2015 11:01:10" [deviceTime]="May 07 2015 11:01:10" [msg]="The DFS Replication service is stopping."

#Win-App-DFSR-1008
Thu May 07 03:01:11 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" 
[eventSource]="DFSR" [eventId]="1008" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" 
[userSIDAcctType]="" [eventTime]="May 07 2015 11:01:11" [deviceTime]="May 07 2015 11:01:11" [msg]="The DFS Replication service has stopped."

File Content Monitoring Logs

#AccelOps-WUA-UserFile
Thu May 07 05:40:08 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-UserFile [monitorStatus]="Success" [fileName]="C:\test\i.txt" 
[msg]="another newline adddedddddd"

File Integrity Monitoring Logs

The following sections describe various use cases that can be detected by File Integrity Monitoring Logs.

Use Case 1: File or Directory Created
Use Case 2: File or Directory Deleted
Use Case 3: File Content Modified
Use Case 4: File Content Modified and Upload is Selected
Use Case 5: File Renamed
Use Case 6: File Permission Changed
Use Case 7: File Ownership Changed
Use Case 8: File Archive Bit Changed
Use Case 9: File Baseline Changed

Use Case 1: File or Directory Created

Event Type

AO-WUA-FileMon-Added

The ‘added’ event is triggered when a file or directory is added into a directory that is being monitored. Actions such as the following will cause this event to generate:

Copying a file/directory
Creating a shortcut of a file/directory
Sending to compressed zip
Restoring a file/directory
Downloading or saving a file

Important Event Attributes

userId: The ID of the user who added the file.
domain: The user’s domain for a Domain computer.
osObjType- Can be either File or Directory.
fileName: The name of the file or directory that was added.
hashCode, hashAlgo: The file hash obtained by using the specified algorithm.
procName: The name of the Windows process that was used to create the file.
fileOwner: The owner of the file.
targetUserType, targetUser: The user or group to whom the permission applies.
targetFilePermit: The permitted file operations.
targetFileDeny: The denied file operations.
archiveSet: Is true if the Archive bit is set for this file; false otherwise.

Reports

Agent FIM: Windows File/Directory Created/Deleted/Renamed

Rules

Agent FIM - Windows File or Directory Created

Sample Log

2020-03-25T07:30:50Z Win-167 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 07:30:48" [fileName]="C:\\test\\New Text Document.txt" [osObjAction]="Added" [objectType]="File" [hashCode]="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" [hashAlgo]="SHA256" [procName]="C:\\Windows\\explorer.exe" [msg]="" [archiveSet]="true" [fileOwner]=""

Use Case 2: File or Directory Deleted

Event Type

AO-WUA-FileMon-Removed

The ‘removed’ event is triggered when a file or directory is removed. Actions such as the following will cause this event to generate:

Moving a file from one directory to another
Deleting a file or directory

Important Event Attributes

userId: The ID of the user who removed the file.
domain: The user’s domain for a Domain computer.
fileName: The name of the file that was removed.
procName: The Windows process that was used to remove the file.

Report

Agent FIM: Windows File/Directory Creation/Deletion/Rename

Rule

Agent FIM - Windows File or Directory Deleted

Sample Log

2020-03-25T07:43:24Z Win-167 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 07:43:21" [fileName]="C:\\test\\test1.txt" [osObjAction]="Removed" [objectType]="Unknown" [hashCode]="" [hashAlgo]="SHA256" [procName]="C:\\Windows\\explorer.exe" [msg]="" [archiveSet]="false" [fileOwner]=""

Use Case 3: File Content Modified

Event Type

AO-WUA-FileMon-Modified

The ‘modified’ event is triggered when a file or directory is modified. Actions such as the following will cause this event to generate:

Add or delete ‘text’ from the file
Simply saving a file, even without a change, will trigger this event

Important Event Attributes

userId: The user who modified the file.
domain: The user’s domain for a Domain computer.
fileName: The name of the file that was modified.
procName: The Windows process that was used to modify the file.
hashCode, hashAlgo: The file hash after modification and the algorithm used to calculate the hash.

Report

Agent FIM: Windows File Content Modified

Rule

Agent FIM - Windows File Content Modified

Sample Log

2020-03-25T10:50:40Z WIN-167.fortinet.wulei.com 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 10:50:37" [fileName]="C:\\test\\test.txt" [osObjAction]="Modified" [objectType]="File" [hashCode]="6396e3c19b155770f3ae25afa5f29832d6f35b315407ed88820339b705fd2bcc" [hashAlgo]="SHA256" [procName]="C:\\Windows\\System32\<br/>otepad.exe" [msg]="" [archiveSet]="true" [fileOwner]=""

Use Case 4: File Content Modified and Upload is Selected

Event Type

PH_DEV_MON_FILE_CONTENT_CHANGE

Important Event Attributes

userId: The ID of the user who modified the file.
domain: The user’s domain for a Domain computer.
fileName: The name of the file that was modified.
procName: The Windows process that was used to modify the file.
hashCode, hashAlgo: The file hash after modification and the algorithm used to calculate the hash.
oldSVNVersion: The SVN revision number of file before the change.
newSVNVersion: The SVN revision number of file after the change.
addedItem: The lines that were added to the file.
deletedItem: The lines that were removed from the file.

Report

Agent FIM: Windows File Content Modified in SVN

Rule

Audited file or directory content modified in SVN

Sample Log

<14>Mar 25 20:30:44 sp3 phPerfMonitor[17521]: [PH_DEV_MON_FILE_CONTENT_CHANGE]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=306,[phCustId]=2000,[hostName]=Win-169,[hostIpAddr]=10.30.3.169,[fileName]=/C:/test/test.txt,[hashCode]=08998b2cce90ee6695bd8dae82d43137,[oldSVNVersion]=50,[newSVNVersion]=51,[deletedItem]=(none),[addedItem]=333;,[user]=Administrator,[hashAlgo]=SHA256,[phLogDetail]=

Use Case 5: File Renamed

Event Type

AO-WUA-FileMon-Renamed-New-Name

The ‘new-name’ event is triggered when a file or directory is renamed. This event encapsulates the new name of the file/directory.

Important Event Attributes

userId: The ID of the user who renamed the file.
domain: The user’s domain for a Domain computer.
fileName: The new name of the file.
procName: The Windows process that was used to rename the file.
hashCode, hashAlgo: The new file hash using the specified algorithm.

Report

Agent FIM: Windows File/Directory Creation/Deletion/Rename

Rule

None

Sample Log

2020-03-25T09:59:34Z WIN-167.fortinet.wulei.com 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 09:59:32" [fileName]="C:\\test\\test5.txt" [osObjAction]="Renamed [New Name]" [objectType]="File" [hashCode]="2b64c6d9afd8a34ed0dbf35f7de171a8825a50d9f42f05e98fe2b1addf00ab44" [hashAlgo]="SHA256" [procName]="C:\\Windows\\explorer.exe" [msg]="" [archiveSet]="true" [fileOwner]=""

Event Type

AO-WUA-FileMon-Renamed-Old-Name

Important Event Attributes

userId: The ID of the user who modified the file.

domain: The user’s domain for a Domain computer.

fileName: The old name of the file before renaming.

procName: The Windows process that was used to remove the file.

Report

Agent FIM: Windows File/Directory Creation/Deletion/Rename

Rule

None

Sample Log

None

Use Case 6: File Permission Changed

Event Type

AO-WUA-FileMon-PermissionChange

The ‘permission change’ event is triggered when a file or directory undergoes a change in permissions. Actions such as the following will cause this event to generate:

Sharing out a directory
Modification of the permissions
Add group or user to file or directory

Important Event Attributes

userId: The ID of the user who modified the file permission.
domain: The user’s domain for a Domain computer.
objectType: The type of object. Can be File or Directory.
fileName: The name of the file or directory whose permission was changed.
procName: The Windows process that was used to change the permission.
hashCode, hashAlgo: The file hash using the specified algorithm.
fileOwner: The name of the owner of the file.
targetUserType, targetUser: The name of the user or group to whom the permission below applies.
targetFilePermit: The permitted file operations after change.
targetFileDeny: The denied file operations after change.
archiveSet: Is true if the Archive bit is set for this file; false otherwise.

Report

Agent FIM: Windows File/Directory Permission Changes

Rule

Agent FIM - Windows File Permission Changed

Sample Log

2020-03-25T10:21:00Z WIN-167.fortinet.wulei.com 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 10:20:58" [fileName]="C:\\test\\test.txt" [osObjAction]="PermissionChange" [objectType]="File" [hashCode]="7936d255ef43706a93fdd15f4bbfde45e3b2d2b9a0d4cc7c39184cf745ab78c5" [hashAlgo]="SHA256" [procName]="C:\\Windows\\System32\\dllhost.exe" [msg]="" [archiveSet]="true" [fileOwner]="Joe" [targetUserType]="USER" [targetUser]="BUILTIN\Administrators" [targetFilePermit]="ALL" [targetFileDeny]="WRITE"

Use Case 7: File Ownership Changed

Event Type

AO-WUA-FileMon-OwnershipChange

The ‘ownership change’ event is triggered when a file or directory’s owner has been changed.

Important Event Attributes

userId: The ID of the user who modified the file ownership.
domain: The user’s domain for a Domain computer.
objectType: The type of object whose ownership was changed: File or Directory.
fileName: The name of the file or directory whose ownership was changed.
procName: The Windows process that was used to change ownership.
hashCode, hashAlgo: The file hash using the specified algorithm.
fileOwner: The name of the new file owner.
archiveSet: Is true if the Archive bit is set for this file; false otherwise.

Report

Agent FIM: Windows File/Directory Ownership Changes

Rule

Agent FIM - Windows File Ownership Changed

Sample Log

2020-03-06T07:08:56Z Win-167 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="Administrator" [domain]="WIN-167" [eventTime]="Mar 06 2020 07:08:53" [fileName]="C:\\test\\test1.txt" [osObjAction]="OwnershipChange" [objectType]="File" [hashCode]="d17f25ecfbcc7857f7bebea469308be0b2580943e96d13a3ad98a13675c4bfc2" [hashAlgo]="SHA256" [procName]="C:\\Windows\\System32\\dllhost.exe" [msg]="" [archiveSet]="true" [fileOwner]="Joe"

Use Case 8: File Archive Bit Changed

Event Type

AO-WUA-FileMon-ArchivedBitChange

The ‘archived bit change’ event is triggered when a file or directory undergoes an archive change. Actions such as the following will cause this event to generate:

Under the General tab of the files’ properties:
- Checking the Read-only or Hidden checkboxes in the Attributes row.
- Click Advanced... and checking or unchecking any of the checkboxes for File attributes or Compress or Encrypt attributes.

Important Event Attributes

userId: The ID of the user who modified the file.
domain: The user’s domain for a Domain computer.
objectType: The type of object whose Archive bit was changed: File or Directory.
fileName: The name of the file whose archive bit was changed.
procName: The Windows process that was used to change archive bit.
hashCode, hashAlgo: The file hash using the specified algorithm.
archiveSet: Is true if the Archive bit is set for this file; false otherwise.

Report

Agent FIM: Windows File/Directory Archive Bit Changes

Rule

Agent FIM - Windows File/Directory Archive Bit Changed

Sample Log

2020-03-25T10:02:38Z WIN-167.fortinet.wulei.com 10.30.2.167 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="e892a6e4-bbfa-4ba6-bc8c-00d2c31812b4" [timeZone]="+0800" [userId]="jdoe" [domain]="ACME" [eventTime]="Mar 25 2020 10:02:35" [fileName]="C:\\test\\test.txt" [osObjAction]="ArchivedBitChange" [objectType]="File" [hashCode]="7936d255ef43706a93fdd15f4bbfde45e3b2d2b9a0d4cc7c39184cf745ab78c5" [hashAlgo]="SHA256" [procName]="C:\\Windows\\System32\\attrib.exe" [msg]="" [archiveSet]="false" [fileOwner]=""

Use Case 9: File Baseline Changed

Event Type

AO-WUA-FileMon-BaselineChange

Important Event Attributes

userId: The ID of the user who modified the file.
domain: The user’s domain for a Domain computer.
fileName: The name of the file that was changed.
procName: The Windows process that was used to remove the file.
hashCode, hashAlgo: The file hash using the specified algorithm.
targetHashCode: The hash of the target file (defined in the GUI).

Report

Agent FIM: Windows File Change from Baseline

Rule

Agent FIM - Windows File Changed From Baseline

Sample Log

2020-03-25T12:52:42Z Win-169 10.30.3.169 AccelOps-WUA-FileMon [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="5c83ec12-73fd-4e06-a396-1f128564f09e" [timeZone]="+0800" [userId]="Administrator" [domain]="WINSRV2012-169" [fileName]="C:\\test\\test.txt" [osObjAction]="BaselineChange" [hashCode]="c1f79ea2bbfb77bf30446a4c9be762eb" [hashAlgo]="MD5" [targetHashCode]="74DE7651DFC55294CC59240AE514A676" [msg]="

Installed Software Logs

#AccelOps-WUA-InstSw-Added
Thu May 07 05:28:17 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-InstSw [monitorStatus]="Success" [osObjAction]="Added" 
[appName]="7-Zip 9.20 (x64 edition)" [vendor]="Igor Pavlov" [appVersion]="9.20.00.0"

#AccelOps-WUA-InstSw-Removed
Thu May 07 05:28:30 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-InstSw [monitorStatus]="Success" [osObjAction]="Removed" 
[appName]="7-Zip 9.20 (x64 edition)" [vendor]="Igor Pavlov" [appVersion]="9.20.00.0"

Registry Change Logs

#AccelOps-WUA-Registry-Modified
Thu May 07 04:01:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-Registry [monitorStatus]="Success" [regKeyPath]="HKLM\\SOFTWARE\\Microsoft\\ExchangeServer\\v14\\ContentIndex\\CatalogHealth\\{0d2a342a-0b15-4995-93db-d18c3df5860d}" [regValueName]="TimeStamp" [regValueType]="1" [osObjAction]="Modified" [oldRegValue]="MgAwADEANQAtADAANQAtADAANwAgADAAMwA6ADQAOQA6ADQANwBaAAAA" 
[newRegValue]="MgAwADEANQAtADAANQAtADAANwAgADAANAA6ADAAMQA6ADQAOABaAAAA"

#AccelOps-WUA-Registry-Removed
Thu May 07 05:25:09 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-Registry [monitorStatus]="Success" 
[regKeyPath]="HKLM\\SOFTWARE\\RegisteredApplications" [regValueName]="Skype" [regValueType]="1" [osObjAction]="Removed" [oldRegValue]="UwBPAEYAVABXAEEAUgBFAFwAQwBsAGkAZQBuAHQAcwBcAEkAbgB0AGUAcgBuAGUAdAAgAEMAYQBsAGwAXABTAGsAeQBwAGUAXABDAGEAcABhAGIAaQBsAGkAdABpAGUAcwBkAGgAZABoAGQAaABkAGgAZABoAGQAAAA=" [newRegValue]=""

Removeable Media Monitoring Logs

AO-WUA-RemovableMedia-Insert

2022-06-24T19:06:55Z CD-DESK-S 0.0.0.0 AccelOps-WUA-RemovableMedia-Insert [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" [user]="" [domain]="" [eventTime]="Jun 24 2022 19:06:55" [fileName]="" [diskName]="D:" [isMediaEncrypted]="false" [osObjAction]="" [diskType]="USB" [diskDisplayName]="Samsung USB" [diskVendor]="samsung" [hwDiskModel]="flash_drive_fit 1100" [msg]="Storage media inserted."

AO-WUA-RemovableMedia-Write-ModifyFile

2022-06-24T19:25:06Z CD-DESK-S 192.168.1.147 AccelOps-WUA-RemovableMedia-Write [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" [user]="" [domain]="" [eventTime]="Jun 24 2022 19:25:02" [fileName]="D:\\agenttest\\Wireshark-win64-3.6.6.exe" [diskName]="D:" [isMediaEncrypted]="false" [osObjAction]="Modified" [diskType]="USB" [diskDisplayName]="Samsung USB" [diskVendor]="samsung" [hwDiskModel]="flash_drive_fit 1100" [msg]=""

AO-WUA-RemovableMedia-Write-AddFile

2022-06-24T19:25:01Z CD-DESK-S 192.168.1.147 AccelOps-WUA-RemovableMedia-Write [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" [user]="" [domain]="" [eventTime]="Jun 24 2022 19:25:00" [fileName]="D:\\agenttest\\Wireshark-win64-3.6.6.exe" [diskName]="D:" [isMediaEncrypted]="false" [osObjAction]="Added" [diskType]="USB" [diskDisplayName]="Samsung USB" [diskVendor]="samsung" [hwDiskModel]="flash_drive_fit 1100" [msg]=""

AO-WUA-RemovableMedia-Write-RemoveFile

2022-06-24T19:24:01Z CD-DESK-S 192.168.1.147 AccelOps-WUA-RemovableMedia-Write [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="38ba7825-34a2-41b8-8e3d-0548878bef5b" [timeZone]="-0500" [user]="" [domain]="" [eventTime]="Jun 24 2022 19:23:56" [fileName]="D:\\agenttest\\WinSCP-5.17.8-Setup.zip" [diskName]="D:" [isMediaEncrypted]="false" [osObjAction]="Removed" [diskType]="USB" [diskDisplayName]="Samsung USB" [diskVendor]="samsung" [hwDiskModel]="flash_drive_fit 1100" [msg]=""

WMI Logs

#AccelOps-WUA-WMI-Win32_Processor
Thu May 07 03:53:33 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WMI [monitorStatus]="Success"  [__CLASS]="Win32_Processor" 
[AddressWidth]="64" [Architecture]="9" [Availability]="3" [Caption]="Intel64 Family 6 Model 26 Stepping 5" [ConfigManagerErrorCode]="" [ConfigManagerUserConfig]="" [CpuStatus]="1" [CreationClassName]="Win32_Processor" [CurrentClockSpeed]="2266" [CurrentVoltage]="33" 
[DataWidth]="64" [Description]="Intel64 Family 6 Model 26 Stepping 5" [DeviceID]="CPU0" [ErrorCleared]="" [ErrorDescription]="" 
[ExtClock]="" [Family]="12" [InstallDate]="" [L2CacheSize]="0" [L2CacheSpeed]="" [L3CacheSize]="0" [L3CacheSpeed]="0" 
[LastErrorCode]="" [Level]="6" [LoadPercentage]="8" [Manufacturer]="GenuineIntel" [MaxClockSpeed]="2266" 
[Name]="Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz" [NumberOfCores]="1" [NumberOfLogicalProcessors]="1" 
[OtherFamilyDescription]="" [PNPDeviceID]="" [PowerManagementCapabilities]="" [PowerManagementSupported]="0" 
[ProcessorId]="0FEBFBFF000106A5" [ProcessorType]="3" [Revision]="6661" [Role]="CPU" [SocketDesignation]="CPU socket #0" 
[Status]="OK" [StatusInfo]="3" [Stepping]="" [SystemCreationClassName]="Win32_ComputerSystem" [SystemName]="WIN-2008-LAW-AG" 
UniqueId]="" [UpgradeMethod]="4" [Version]="" [VoltageCaps]="2"

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

User Guide

Sample Windows Agent Logs

Sample Windows Agent Logs

Certificate Monitoring Logs

Certificate Added

Certificate Removed

Certificate Expired

Certificate Expiring

System Logs

System Logs generated by pre-7.1.4 Windows Agent

System Logs generated by 7.1.4 and later Windows Agent

Sysmon Logs