List of Windows Event Reports
EventLog Analyzer offers a range of reports for the Windows environment that can aid in granular monitoring and auditing of events. It also contains reports on attacks common to Windows devices. The moment a suspicious event is detected, an alert notification will be sent via email or SMS. The following are the report groups for Windows devices.
Windows Event Reports
Windows Firewall Auditing
Reports on the common attacks that can be detected by monitoring events in the Windows Firewall will be listed here.
- Spoof Attack - A malicious entity poses as a legitimate user to compromise a system.
- Internet Protocol half-scan attack - The attacker attempts to scan for open ports by requesting ACK packets to launch an attack.
- Flood Attack - This is a DDoS attack where the attacker initiates multiple connections without finalizing any connection.
- Ping of Death Attack - A DDoS attack where malicious actors try to disrupt a server by sending abnormally large packets.
- SYN Attack - An attacker attempts to flood all the open ports of a server at the same time to launch an attack.
This section contains reports on some common threats to the Windows environment which can aid in the detection, analysis, and forensic investigation of vulnerabilities. The attacks in this category are primarily focused on weakening the defenses of a system. Conducting a deeper analysis of the threats captured in these reports can help prevent an attack at a later stage.
- DoS Attack Subsided - Possible denial of service attacks that have ended.
- DoS Attack Entered Defensive Mode - This report is generated when the Windows Filtering Platform has discovered a potential DoS attack and entered into a defensive mode.
- DoS Attacks - This report captures information on the denial of service attacks in a system where legitimate users will be deprived of a service due to a high volume of malicious traffic.
- Downgrade Attacks - This report captures instances of downgrade attacks. In this attack, the advanced security features of a system are downgraded to older legacy security features, thereby making it vulnerable to attacks.
- Replay Attack - This report captures instances of legitimate data or requests that are captured and replayed by an attacker to bypass authentication or for other malicious purposes.
- Defender Malware Detection - Instances of malware detection in Windows Defender will be listed in this report.
- Defender Real Time Protection Detection - This report contains information on anti-virus data from Windows Defender.
- Terminal Server Attacks - This report captures data on attacks on the terminal server, which enables multiple clients in a network to communicate.
- Terminal Server Exceeds Maximum Logon Attempts - Information on multiple failed logon attempts in the terminal server will be available here.
- IP Conflicts - If more than one host is assigned the same IP address, an IP conflict that inhibits communication between hosts will occur. The information on such IP conflicts in a network will be listed here.
- User Account Locked Out Error - Instances of user account lockouts will be listed here. This report will aid in the investigation of the probable cause leading up to the account lockout.
Reports on whitelisted and blocked EXE, DLL, and MSI files or automated scripts are listed here.
- EXE or DLL File Allowed to Run - This event is generated when certain apps blocked by the organization are allowed to run.
- EXE or DLL Files Not Allowed to Run due to Enforced rules - This event is generated when certain apps are not allowed to run due to enforced rules.
- EXE or DLL File Not Allowed to Run - This event is generated when certain apps blocked by the organization are not allowed to run.
- MSI or Script File Allowed to Run - This event is generated when certain scripts or MSI files blocked by the organization are allowed to run.
- MSI or Script Files Not Allowed to Run due to Enforced rules - This event is generated when certain scripts or MSI files are blocked due to enforced rules.
- MSI or Script File Not Allowed to Run - This event is generated when MSI files or automated scripts blocked by the organization are not allowed to run in a system.
- Software Restricted to Access Program - This report lists any software that is restricted from making changes to systems or files.
Reports on crucial Active Directory events will be listed here. Monitoring these critical changes is essential to ensure that the security features in Active Directory have not been compromised or downgraded.
- Special groups assigned to new logon - This report captures instances of logons to special groups designated by the administrators.
- SID History added to account - If a user is migrated to a new domain, the security identifier history will be added to the new domain. This report essentially helps in tracking users across domains by recording instances where SID history has been added to an account.
- Failed SID History addition - Instances of failed additions of SID history to a user account will be listed here.
- Kerberos policy changes - This report will contain a history of policy changes made to the Kerberos authentication protocol in a network. Monitoring these policy changes is essential to ensure that authentication standards in a network are not downgraded.
- Special groups logon table modifications - This report captures all instances of modifications to special groups.
This report group helps monitor issues related to performance of applications installed in Windows devices.
- Application Errors - This report captures instances of errors in the loading of applications installed in Windows devices.
- Application Hanged - This report captures instances of applications hanging in Windows devices.
- Windows Error Reporting - This report will have information on the frequently occurring errors in Windows devices.
- Blue Screen Error (BSOD) - This report contains instances of blue screen errors in Windows devices.
- System Errors - This report contains records of system errors in Windows devices.
- EMET Logs - Information from Microsoft Enhanced Mitigation Experience Toolkit will be available in this report.
- Windows File Protection - This report captures instances of attempts to replace critical Windows system files.
Threat Detection From Antivirus
EventLog Analyzer can collect log data from antivirus solutions such as Kaspersky, Sophos, and McAfee. The reports in this category give an overview of all the threats detected by these solutions.
- Threats Detections by ESET Endpoint Antivirus
- Threats Detections by Kaspersky
- Threats Detection by Microsoft Antimalware
- Threats Detection by Sophos Anti-Virus
- Threats Detection by Norton Anti Virus
- Infected files detected by Symantec Endpoint Protection
- Threat Detections by McAfee
- Defender Malware Detection
- Defender Real Time Protection Detection
This report group helps monitor Windows registry changes and records attempts to modify the registry.
- Registry Accessed - A record of all attempts to access the Windows registry.
- Failed Registry Access - This report has a record of failed attempts to access the Windows registry.
- Registry Created - This report will contain a record of all newly created registry keys.
- Failed registry Creations - This report will contain a record of all failed attempts to create registry keys.
- Registry Value Modified - This report captures the changes made to Registry values.
- Failed Registry Modifications - This report captures all failed attempts to modify Registry values.
- Registry Deleted - A record of deleted Registry keys will be available in this report.
- Failed Registry Deletions - A record of failed attempts to delete Registry values will be available in this report.
- Registry Permission Changes - All instances of a change in Registry Permissions will be listed here.
- Top Users on Registry - A list of users who access the Registry the most will be listed here. This report can help flag suspicious users.
Removable Disk Auditing
This report group gives an overview of removable disk activity in Windows devices. This also includes instances of USB or removable disks that have been plugged in and removed, even when no files are copied.
- USB Plugged In
- USB Plugged Out
- Removable Disk Reads
- Removable Disk Failed Reads
- Removable Disk Creates
- Removable Disk Failed Creates
- Removable Disk Modifications
- Removable Disk Failed Modifications
- Removable Disk Deletes
- Removable Disk Failed Deletes
- Device Based Removable Disk Changes
- Top Successful Users on Removable Disk Auditing
- Top Failed Users on Removable Disk Auditing
- Removable Disk Changes Trend
Windows Startup Events
This report group provides an overview of Windows System Events such as start-up, shut-downs, and restarts.
- Windows Startups
- Windows Shutdowns
- Windows Restarts
- Unexpected Shutdown
- System Uptime
- Windows Startup and Windows ShutDown
These reports help you track all the services installed in your Windows devices.
- New Service Installed
- Service Started
- Service Stopped
- Service Failed
These reports provide information on software, services, or updates that happen in your Windows environment.
- Software Installed
- Software Updated
- Failed software installations
- Failed software installations due to privilege mismatches
- Software Uninstalled
- Windows Updates - Installed
- Windows update process failed
- Failed hot patching
- Update Packages Installed
- Non valid Windows license
- Failed Windows license activations
- Non activated windows products
- New kernel filter driver installed
Wireless Network Reports
These reports help you closely monitor your wireless network events.
- Wireless Network Authentication
- Wired Network Authentication
- Wired Network Connected
- Wired Network Disconnected
- Wireless Network Connected
- Wireless Network Disconnected
These reports help you track the status of your event logging service in Windows devices.
- Audit Events Dropped
- Error in EventLog Service
- Event log automatic backup
- Security Log Full
These reports capture instances of the logging service being shut down or logs being cleared, which prevents any change, including malicious or inadvertent activity, from being recorded.
- Event Logging Service Shutdown
- Security Logs Cleared
- Event Logs Cleared
These reports can help you monitor some critical system events in your Windows infrastructure.
- Windows Time Change
- Windows Updates Installed
- AD Backup Error
- GPO Queries Failed
- Invalid Windows license
- Non activated Windows licenses
- Active Directory database corruptions
- Bad disk block
- Failed loadings of Kernel driver
- Code Integrity Check
- Invalid image hash file
- Invalid page hash image file
- Hard disk failures
- System Restored
This report group gives the overall trends in Windows reports based on all recorded events, important events, and user based events.
- All Events
- Important Events
- User Based Report
This report group gives an overview of the trends detected in the logs collected from Windows devices. This report group helps identify the events that are generated the most and the frequency of those events.
- Weekly Report
- Hourly Report
Windows Severity Reports
This report group gives an overview of the success, failure, information, and warning events in Windows devices.
- Success Events
- Information Events
- Failure Events
- Warning Events
- Error Events
Windows Backup and Restore
This report group gives an overview of all the backup and restoration events in Windows devices.
- Failed Windows backup
- Successful Windows backup
- Failed Windows restores
- Successful Windows restores
- System Restored
Windows Firewall Auditing
The Windows Firewall Auditing report group helps in auditing critical changes in Windows Firewall such as the addition, deletion, or modification of Firewall rules and settings.
- Rule Added
- Rule Modified
- Rule Deleted
- Settings Restored
- Settings Changed
- Group Policy Changes
Network Policy Server
This report group helps in the monitoring of the Network Policy Server in Windows devices.
- Access granted to users
- Access denied to users
- Discarded requests for users
- Discarded accounting requests for users
- Locked users due to repeated logon failures
- NPS Unlocked user accounts
Data Theft Detection
This report group helps mitigate data theft with reports that monitor printer activity, removable disks, and databases.
- Printer Document Theft
- Removable Media Data Theft
- Shared Network Data Theft
- SQL Server Data Theft by Backups
- SQL Server Data Theft by Reads
- Oracle Data Theft by Reads
- Windows FTP Data Thefts
- Unix FTP Data Thefts