Generic SIEM Integration
Enzoic for Active Directory v3.6
Enzoic for Active Directory logs important events to a JSON-format log file that can be ingested into SIEM systems. The following describes the information contained in these log entries.
Log files are stored under:
C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs
1.1 Log Entry Fields / Structure
Each JSON log entry has the following structure.
time
Timestamp at which the event occurred.
threadId
The managed .NET thread ID which was running.
level
Level of event severity. This can be one of the following: INFO, WARN, ERROR.
eventData
A JSON object containing additional details, specific to the event. The object has one field, “data” containing an object with the actual details.
event
This is either a message or an enum value indicating the event kind. (see the eventKind field in table 1.2)
1.2 Event Data Fields – Common to All Events
The content of eventData varies per the type of logged event, but the following fields are always present.
eventKind
Indicates the nature of the event. See table 1.2.1 for possible values.
category
Indicates first half of the two-part classification of the event. See table 1.2.2 for possible values.
area
Indicates second half of the two-part classification of the event. See table 1.2.3 for possible values.
message
The high-level information of the event.
details
Either a free-form complex object or extended message. Can be null.
correlationId
Either NULL or a unique identifier for this event. If a value exists here, it can be searched for in the TXT log file for additional details.
1.2.1 Event Kinds
Info
General informational message.
Warning
A recoverable problem or unusual event has occurred.
Error
A (possibly unrecoverable) problem has occurred, and may require user intervention or investigation.
ServiceStartup
The Enzoic Service is starting
ServiceShutdown
The Enzoic Service is stopping
PasswordChanged
User account password was changed.
PasswordChangeRejected
User account password change was attempted, but the password did not pass the integrity checks.
CompromiseDetectedDelayedRemediationScheduled
A compromised password was detected, and was either remediated, or scheduled for remediation after a delay.
DelayedRemediationActionTaken
A previously scheduled remediation was applied.
CompromiseResolved
User account password changed and the new password
CompromiseResolvedDueToConfigChange
A previously detected non-compliant password is no longer considered non-compliant because the policy settings were relaxed, or the user is no longer covered by the policy.
SettingsChanged
An Enzoic administrator has updated the Enzoic for Active Directory settings.
CustomEmailSettingsChanged
An Enzoic administrator has updated the Enzoic for Active Directory email branding settings.
AdAccessIssueDetected
Enzoic for Active Directory was not able to read one or more attributes from an object in Active Directory. This will happen if you set up highly restrictive attribute-level permissions.
CustomSmtpSettingsChanged
An Enzoic administrator has updated the Enzoic for Active Directory custom SMTP mail server settings.
ManualRemediationActionTaken
An Enzoic administrator has performed a remediation action on one or more users in the Enzoic Console’s Compromised Users Report.
1.2.2 Event Classification – Category
General
LDAP
API
Telemetry
SettingsImport
Persistence
StatusReporting
PlatformInvoke
Installation
UserInterface
Startup
Security
Shutdown
Scheduling
CLI
Replication
DataMigration
DelayedRemediation
UserMonitorStatus
PasswordFiltering
PasswordChanged
CMP
EntityEnumeration
BackgroundTask
CheckPassword
SQLite
PasswordChangeFeedback
1.2.3 Event Classification – Area
General
PasswordChange
EntityEnumeration
TestAutomation
Logging
Caching
DataValidation
CredentialProvider
CredentialProviderFilter
ErrorHandling
Daemon
DeferredProcessing
DNS
CredentialCheck
PrerequisiteCheck
Navigation
PasswordCheck
LocalComms
StateSynchronization
ExternalComms
PolicyEnforcement
FilterCommandProcessing
Reporting
ChangeDetection
InitialScanning
HealthAlert
SessionManagement
ContainerLeasing
VersionDetection
ServerDetection
HashExtraction
DeltaIngestion
FullSyncSyndication
AccessControl
SchemaTranslation
SecureStorage
SettingsImport
IntraDomainComms
RepAdmin
SystemHealth
DeletedObjectCleanup
GarbageCleanup
SchemaDetection
FullSyncIngestion
Settings
DeltaSyndication
CredentialManagement
RemoteCommands
LDAPSearchMetrics
1.3 Log Entry Details for Each Event Kind
1.3.1 Info
Recorded when there is a general informational message.
Example:
1.3.2 Warning
Recorded when a recoverable problem or unusual event has occurred.
Example:
1.3.3 Error
Recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details and can be helpful to support for further investigation.
Example:
exceptionClass
The name of the .NET exception class, if there is an exception.
exceptionMessage
The exception message, if there is an exception.
1.3.4 ServiceStartup
Recorded when the Enzoic Service starts.
Example:
1.3.5 ServiceShutdown
Recorded when the Enzoic Service is shutting down.
Example:
1.3.6 PasswordChanged
Recorded when a user password was successfully changed.
Example:
user
The SAM account name of the account that was updated.
1.3.7 PasswordChangeRejected
Recorded when a user password change was rejected by Enzoic due to policy settings.
Example:
user
The SAM account name of the account on which the password change was attempted.
detectionMethod
The type of check which identified the match. See table 1.3.7.1.
matchTypes
One or more values indicating how the match was made. See table 1.3.7.2.
1.3.7.1 Possible values for detectionMethod field
EnzoicPasswordsApi
The password (or a variant) was found in the Enzoic database.
EnzoicCredentialsApi
The username and password combination was found in the Enzoic database.
LocalDictionary
The password is or contains a term in the local dictionary.
PasswordSimilarity
The new password is too close to the current password based on the result of the Damerau-Levenshtein distance calculation.
UserDisplayName
The password contains the user’s first and/or last name.
UserName
The password contains the user’s username.
UserEmail
The password contains the user’s email address.
RepeatingCharacters
The password includes too many of the same character consecutively.
MinimumLength
The password is too short.
MaximumLength
The password is too long.
AtLeastOneUppercaseCharacter
The password lacks an uppercase character.
AtLeastOneLowercaseCharacter
The password lacks a lowercase character.
AtLeastOneNumber
The password lacks a number, 0-9.
AtLeastOneSymbol
The password lacks any symbol characters (e.g. $, #, %, &).
1.3.7.2 Possible values for matchType field
ExactMatch
The exact, unmodified plaintext password was found in the Enzoic database.
FuzzyMatch
Some variation of the plaintext password was found in the Enzoic database. Several variations of the password are generated and checked. Example: p@55w0rd would get converted to password which is then found.
RootPasswordMatch
After normalization of the plaintext password, the resulting value was found in the Enzoic database. Example: Password123!! gets normalized to Password which is then found.
1.3.8 CompromiseDetected
Recorded when a user password or credential is found, during the daily scan, to be compromised or not to comply with the user’s policy.
Example:
user
The SAM account name of the account that was updated.
detectionTimestamp
The date and time of when the detection originally occurred.
detectionMethod
The type of check which identified the match. (see table 1.3.7.1)
matchTypes
One or more values indicating how the match was made. (see table 1.3.7.2)
actionTaken
The remediation action which was taken in response to the detection. (see table 1.3.8.1)
actionDelayHours
Always zero for this event kind.
1.3.8.1 Possible values for actionTaken field
ForceChangePasswordOnLogin
The user’s account was updated to require a password change the next time they log in.
DisableAccount
The user’s account was immediately disabled.
NotifyOnly
Only a notification email will be sent to the configured administrators and optionally the end user (if configured).
1.3.9 CompromiseDetectedDelayedRemediationScheduled
Recorded by User Password Monitoring when a user password was detected as out-of-policy and a delayed remediation was scheduled (e.g. force password change after 24 hours).
Example:
user
The SAM account name of the affected account.
detectionTimestamp
Timestamp of when the detection originally occurred.
detectionMethod
The type of check which identified the match. (see table 1.3.7.1)
matchTypes
One or more values indicating how the match was made. (see table 1.3.7.2)
actionTaken
Indicates the action that was taken in response to the detection. See table 1.3.9.1 for possible values.
actionDelayHours
The number of hours before the delayed remediation will take effect. This only applies when actionTaken is ForceChangePasswordOnLoginDelayed or DisableAccountDelayed.
1.3.9.1 Possible values for actionTaken field
ForceChangePasswordOnLoginDelayed
The user’s account will be updated to require a password change on the next login, after the period specified in the actionDelayHours field elapses.
DisableAccountDelayed
The user’s account will be disabled after the period specified in the actionDelayHours field elapses.
1.3.10 DelayedRemediationActionTaken
Recorded when a previously scheduled delayed remediation was taken. For example, if a user was scheduled to force a password change after 24 hours, this event gets logged when the user is set to Force Password Change on Next Logon in AD.
Example:
user
The SAM account name of the affected account.
detectionTimestamp
Timestamp of when the detection originally occurred.
detectionMethod
Always None for this event kind.
matchTypes
Always an empty array for this event kind.
actionTaken
The remediation action which was taken in response to the detection. (see table 1.3.10.1)
actionDelayHours
The period, in hours, that elapsed before the remediation was applied.
1.3.10.1 Possible values for actionTaken field
ForceChangePasswordOnLogin
The user’s account was updated to require a password change the next time they log in.
DisableAccount
The user’s account was disabled.
1.3.11 ManualRemediationActionTaken
Recorded when an administrator manually remediates a prior detected compromise or policy violation.
Example:
user
The SAM account name of the affected account.
detectionTimestamp
Timestamp of when the detection originally occurred.
detectionMethod
Always None for this event kind.
matchTypes
Always an empty array for this event kind.
actionTaken
The remediation action which was manually applied. (see table 1.3.10.1)
actionDelayHours
The original remediation delay period in hours.
1.3.12 CompromiseResolved
Recorded when a user with an active compromise or policy violation successfully changed their password.
Example:
user
The SAM account name of the affected account.
1.3.13 CompromiseResolvedDueToConfigChange
Recorded when a previous policy violation detection is voided because the policy settings or monitored entities changed.
Example:
user
The SAM account name of the affected account.
detectionTimestamp
Timestamp of when the detection originally occurred.
detectionMethod
Always None for this event kind.
matchTypes
Always an empty array for this event kind.
actionTaken
The remediation action which was taken or scheduled to be taken in response to the detection. (see table 1.3.13.1)
actionDelayHours
Always zero for this event kind.
1.3.13.1 Possible values for actionTaken field
ForceChangePasswordOnLogin
The user’s account was updated to require a password change the next time they log in.
DisableAccount
The user’s account was immediately disabled.
NotifyOnly
Only a notification email will be sent to the configured administrators and optionally the end user (if configured).
ForceChangePasswordOnLoginDelayed
The user’s account was scheduled to be updated to require a password change on the next login, after a delay.
DisableAccountDelayed
The user’s account was scheduled to be disabled after a delay.
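As an added example (not code from Enzoic or from this page), the following Python reader flattens the entry structure described in 1.1 and 1.2 and then tracks the compromise lifecycle across the event kinds in 1.3.7 through 1.3.13: a detection opens a pending item with its remediation deadline (detectionTimestamp plus actionDelayHours), and the remediation-taken and resolved events close it. It assumes the per-event fields (user, detectionTimestamp, actionTaken, and so on) sit inside eventData.data beside the common fields, and that time and detectionTimestamp are ISO 8601 strings; the log lines are constructed samples in the documented shape, not real product output.

```python
import json
from datetime import datetime, timedelta

LEVELS = {"INFO", "WARN", "ERROR"}
OPENS = {"CompromiseDetected", "CompromiseDetectedDelayedRemediationScheduled"}
CLOSES = {"DelayedRemediationActionTaken", "ManualRemediationActionTaken",
          "CompromiseResolved", "CompromiseResolvedDueToConfigChange"}

def parse_entry(line):
    """Flatten one JSON log line: envelope fields plus eventData.data (sections 1.1/1.2)."""
    raw = json.loads(line)
    data = raw["eventData"]["data"]  # eventData wraps the details in a single "data" field
    missing = {"eventKind", "category", "area", "message"} - data.keys()
    if missing or raw["level"] not in LEVELS:
        raise ValueError(f"malformed entry: missing {missing or 'nothing'}, level {raw['level']}")
    return {"time": raw["time"], "level": raw["level"], **data}

def track_compromises(lines):
    """Return (open, rejected): users whose detection has no closing event, with the
    scheduled action and its due time, and PasswordChangeRejected counts per detectionMethod."""
    open_, rejected = {}, {}
    for e in map(parse_entry, lines):
        kind = e["eventKind"]
        if kind in OPENS:  # detectionTimestamp + actionDelayHours is the remediation deadline
            detected = datetime.fromisoformat(e["detectionTimestamp"])
            due = detected + timedelta(hours=e["actionDelayHours"])
            open_[e["user"]] = (e["actionTaken"], due.isoformat())
        elif kind in CLOSES:
            open_.pop(e["user"], None)
        elif kind == "PasswordChangeRejected":
            rejected[e["detectionMethod"]] = rejected.get(e["detectionMethod"], 0) + 1
    return open_, rejected

def sample_line(kind, level, **fields):
    """Build a constructed log line in the documented shape (assumed layout, not real output)."""
    data = {"eventKind": kind, "category": "PasswordFiltering", "area": "PolicyEnforcement",
            "message": kind, "details": None, "correlationId": None, **fields}
    return json.dumps({"time": "2024-05-01T08:00:00", "threadId": 7, "level": level,
                       "event": kind, "eventData": {"data": data}})

SAMPLE_LINES = [  # constructed sample data
    sample_line("PasswordChangeRejected", "WARN", user="jdoe",
                detectionMethod="EnzoicPasswordsApi", matchTypes=["FuzzyMatch"]),
    sample_line("PasswordChangeRejected", "WARN", user="asmith",
                detectionMethod="EnzoicPasswordsApi", matchTypes=["ExactMatch"]),
    sample_line("CompromiseDetectedDelayedRemediationScheduled", "WARN", user="asmith",
                detectionTimestamp="2024-05-01T07:30:00", detectionMethod="EnzoicCredentialsApi",
                matchTypes=["ExactMatch"], actionTaken="DisableAccountDelayed", actionDelayHours=24),
    sample_line("CompromiseDetected", "WARN", user="bkim", detectionTimestamp="2024-05-01T07:31:00",
                detectionMethod="EnzoicPasswordsApi", matchTypes=["RootPasswordMatch"],
                actionTaken="DisableAccount", actionDelayHours=0),
    sample_line("CompromiseResolved", "INFO", user="bkim"),
]
```

Calling track_compromises(SAMPLE_LINES) leaves asmith open with a DisableAccountDelayed deadline 24 hours after detection and closes bkim on the CompromiseResolved event; a SIEM rule can alert on open items whose due time is in the past without a matching DelayedRemediationActionTaken.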
1.3.14 SettingsChanged
Recorded when the application configuration settings are updated. This includes Settings, License and Monitoring Policies. Custom Email and Custom SMTP settings are NOT included, as they have their own dedicated event kinds.
Example:
user
The SAM account name of the user who made the settings change(s).
details
A JSON object describing the changed fields, with both new and old values. In the case of arrays, added, removed, and modified elements will be included.
1.3.15 CustomEmailSettingsChanged
Recorded when the application custom email configuration settings are updated in any policy.
Example:
user
The SAM account name of the user who made the settings change(s).
details
A JSON object describing the changed fields, with both new and old values.
1.3.16 CustomSmtpSettingsChanged
Recorded when the application custom email server configuration settings are updated.
Example:
user
The SAM account name of the user who made the settings change(s).
details
A JSON object describing the changed fields, with both new and old values.