Event ID 560 – Object Open
| Type | Success Audit; Failure Audit |
| Description | A program has opened an object. |
When a program opens an object, event ID 560 is logged. The event is logged under the following conditions:
- The audit policy for the object has enabled the requested access type to be audited.
- The object's audit policy covers the outcome of the open request (success or failure).
- The object's audit policy includes the account running the program in its list of accounts to audit.
If the opening is a failure, only event 560 will be logged. If it is a success, event 562 will be logged subsequent to the logging of 560.
This log data provides the following information:
- Object Type
- Object Name
- New Handle ID
- Operation ID
- Process ID
- Image File Name
- Primary Fields
- Client Fields
- Logon IDs
Why does event ID 560 need to be monitored?
- To track failed and successful attempts to access files and other Windows objects
- To prevent privilege abuse
- To detect abnormal and potentially malicious activity
- To ensure compliance with regulatory mandates
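As an added example (not part of the original page or any product), the sketch below pairs each successful 560 with its later 562 and counts failure audits per account and object. The records are constructed, the `client_user` key is an assumed name standing in for the Client Fields, and the pairing assumes event 562 carries the same handle ID and process ID as the 560 that opened the handle.

```python
from collections import Counter

# Constructed sample records (not real log data). Keys mirror the fields listed
# above; "client_user" is an assumed name standing in for the Client Fields.
PAYROLL = r"C:\Finance\payroll.xls"
EVENTS = [
    {"id": 560, "type": "Success Audit", "object_name": PAYROLL,
     "handle_id": "1804", "process_id": "884", "client_user": "alice"},
    {"id": 560, "type": "Failure Audit", "object_name": PAYROLL,
     "handle_id": "-", "process_id": "912", "client_user": "bob"},
    {"id": 560, "type": "Failure Audit", "object_name": PAYROLL,
     "handle_id": "-", "process_id": "912", "client_user": "bob"},
    {"id": 560, "type": "Failure Audit", "object_name": PAYROLL,
     "handle_id": "-", "process_id": "912", "client_user": "bob"},
    # Assumption: 562 repeats the handle ID and process ID of the opening 560.
    {"id": 562, "handle_id": "1804", "process_id": "884"},
    {"id": 560, "type": "Success Audit", "object_name": r"C:\HR\reviews.doc",
     "handle_id": "2012", "process_id": "884", "client_user": "alice"},
]


def summarize(events, failure_threshold=3):
    """Return (repeated failed opens, objects opened with no 562 seen yet)."""
    open_handles = {}     # (process_id, handle_id) -> the 560 that opened it
    failures = Counter()  # (client_user, object_name) -> failed open count
    for ev in events:
        key = (ev["process_id"], ev["handle_id"])
        if ev["id"] == 560 and ev["type"] == "Failure Audit":
            # A failed open is logged as 560 only; no 562 will follow it.
            failures[(ev["client_user"], ev["object_name"])] += 1
        elif ev["id"] == 560:
            # Handle IDs are reused, so a later open overwrites an older entry.
            open_handles[key] = ev
        elif ev["id"] == 562:
            open_handles.pop(key, None)
    repeated = {k: n for k, n in failures.items() if n >= failure_threshold}
    still_open = sorted(ev["object_name"] for ev in open_handles.values())
    return repeated, still_open


if __name__ == "__main__":
    repeated, still_open = summarize(EVENTS)
    print("Repeated failed opens:", repeated)
    print("Opened, no 562 in this log window:", still_open)
```

A successful open with no 562 in the window may simply mean the handle is still in use or the export was cut off, so treat that list as context rather than an alert.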
ADAudit Plus provides pre-configured real-time reports, change auditing, and alerts within a domain and OU. Its advanced real-time Group Policy settings audit reports provide detailed information about object-related events.
Event 560 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
The corresponding event ID in Windows 2008 and Windows Vista is 4656.