# Generic SIEM Integration

Enzoic for Active Directory logs important events to a JSON-format log file, which can be ingested into SIEM systems. The following sections describe the information contained in these log entries.

Log files are stored under:\
`C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs`

## **1.1 Log Entry Fields / Structure**

Each JSON log entry has the following structure.

<table><thead><tr><th width="150">Field</th><th>Description</th></tr></thead><tbody><tr><td>time</td><td>Timestamp at which the event occurred.</td></tr><tr><td>threadId</td><td>The managed .NET thread ID which was running.</td></tr><tr><td>level</td><td>Level of event severity. This can be one of the following: INFO, WARN, ERROR.</td></tr><tr><td>eventData</td><td>A JSON object containing additional details, specific to the event. The object has one field, “data” containing an object with the actual details.</td></tr><tr><td>event</td><td>This is either a message or an enum value indicating the event kind. (see the eventKind field in table 1.2)</td></tr></tbody></table>

## **1.2 Event Data Fields – Common to All Events**

The content of eventData varies per the type of logged event, but the following fields are always present.

<table><thead><tr><th width="152">Field</th><th>Description</th></tr></thead><tbody><tr><td>eventKind</td><td>Indicates the nature of the event. See table 1.2.1 for possible values.</td></tr><tr><td>category</td><td>Indicates the first half of the two-part classification of the event. See table 1.2.2 for possible values.</td></tr><tr><td>area</td><td>Indicates the second half of the two-part classification of the event. See table 1.2.3 for possible values.</td></tr><tr><td>message</td><td>The high-level information of the event.</td></tr><tr><td>details</td><td>Either a free-form complex object or extended message. Can be null.</td></tr><tr><td>correlationId</td><td>Either NULL or a unique identifier for this event. If a value exists here, it can be searched for in the TXT log file for additional details.</td></tr></tbody></table>

### **1.2.1 Event Kinds**

<table><thead><tr><th width="458">Name</th><th>Description</th></tr></thead><tbody><tr><td>Info</td><td>General informational message.</td></tr><tr><td>Warning</td><td>A recoverable problem or unusual event has occurred.</td></tr><tr><td>Error</td><td>A (possibly unrecoverable) problem has occurred, and may require user intervention or investigation.</td></tr><tr><td>ServiceStartup</td><td>The Enzoic Service is starting</td></tr><tr><td>ServiceShutdown</td><td>The Enzoic Service is stopping</td></tr><tr><td>PasswordChanged</td><td>User account password was changed.</td></tr><tr><td>PasswordChangeRejected</td><td>User account password change was attempted, but the password did not pass the integrity checks.</td></tr><tr><td>CompromiseDetectedDelayedRemediationScheduled</td><td>A compromised password was detected, and was either remediated, or scheduled for remediation after a delay.</td></tr><tr><td>DelayedRemediationActionTaken</td><td>A previously scheduled remediation was applied.</td></tr><tr><td>CompromiseResolved</td><td>User account password changed and the new password</td></tr><tr><td>CompromiseResolvedDueToConfigChange</td><td>A previously detected non-compliant password is no longer considered non-compliant because the policy settings were relaxed, or the user is no longer covered by the policy.</td></tr><tr><td>SettingsChanged</td><td>An Enzoic administrator has updated the Enzoic for Active Directory settings.</td></tr><tr><td>CustomEmailSettingsChanged</td><td>An Enzoic administrator has updated the Enzoic for Active Directory email branding settings.</td></tr><tr><td>AdAccessIssueDetected</td><td>Enzoic for Active Directory was not able to read one or more attributes from an object in Active Directory. 
This will happen if you set up highly restrictive attribute-level permissions.</td></tr><tr><td>CustomSmtpSettingsChanged</td><td>An Enzoic administrator has updated the Enzoic for Active Directory custom SMTP mail server settings.</td></tr><tr><td>ManualRemediationActionTaken</td><td>An Enzoic administrator has performed a remediation action on one or more users in the EnzoicConsole’s Compromised Users Report.</td></tr></tbody></table>

### **1.2.2 Event Classification – Category**

| Category               |
| ---------------------- |
| General                |
| LDAP                   |
| API                    |
| Telemetry              |
| SettingsImport         |
| Persistence            |
| StatusReporting        |
| PlatformInvoke         |
| Installation           |
| UserInterface          |
| Startup                |
| Security               |
| Shutdown               |
| Scheduling             |
| CLI                    |
| Replication            |
| DataMigration          |
| DelayedRemediation     |
| UserMonitorStatus      |
| PasswordFiltering      |
| PasswordChanged        |
| CMP                    |
| EntityEnumeration      |
| BackgroundTask         |
| CheckPassword          |
| SQLite                 |
| PasswordChangeFeedback |

### **1.2.3 Event Classification – Area**

| Area                     |
| ------------------------ |
| General                  |
| PasswordChange           |
| EntityEnumeration        |
| TestAutomation           |
| Logging                  |
| Caching                  |
| DataValidation           |
| CredentialProvider       |
| CredentialProviderFilter |
| ErrorHandling            |
| Daemon                   |
| DeferredProcessing       |
| DNS                      |
| CredentialCheck          |
| PrerequisiteCheck        |
| Navigation               |
| PasswordCheck            |
| LocalComms               |
| StateSynchronization     |
| ExternalComms            |
| PolicyEnforcement        |
| FilterCommandProcessing  |
| Reporting                |
| ChangeDetection          |
| InitialScanning          |
| HealthAlert              |
| SessionManagement        |
| ContainerLeasing         |
| VersionDetection         |
| ServerDetection          |
| HashExtraction           |
| DeltaIngestion           |
| FullSyncSyndication      |
| AccessControl            |
| SchemaTranslation        |
| SecureStorage            |
| SettingsImport           |
| IntraDomainComms         |
| RepAdmin                 |
| SystemHealth             |
| DeletedObjectCleanup     |
| GarbageCleanup           |
| SchemaDetection          |
| FullSyncIngestion        |
| Settings                 |
| DeltaSyndication         |
| CredentialManagement     |
| RemoteCommands           |
| LDAPSearchMetrics        |

## **1.3 Log Entry Details for Each Event Kind**

### **1.3.1 Info**

Recorded when there is a general informational message.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "Some benign event occurred.",
  "eventData": {
    "data": {
      "eventKind": "Info",
      "category":"General",
      "area":"General",
      "message":" Some benign event occurred."
    }
  }
}
```

### **1.3.2 Warning**

Recorded when a recoverable problem or unusual event has occurred.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "WARN",
  "event": "The user tu1 no longer exists. Cleaning up artifacts related to this user.",
  "eventData": {
    "data": {
      "eventKind": "Warning",
      "category":"Persistence",
      "area":"DeletedObjectCleanup",
      "message":"The user tu1 no longer exists. Cleaning up artifacts related to this user."
    }
  }
}
```

### **1.3.3 Error**

Recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details, which can help support with further investigation.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "ERROR",
  "event": "Error removing deleted user ‘tu1’ from monitored entities.",
  "eventData": {
    "data": {
      "eventKind": "Error",
      "category":"Persistence",
      "area":"DeletedObjectCleanup",
      "message": "Error removing deleted user ‘tu1’ from monitored entities.",
      "exceptionClass": "Exception",
      "exceptionMessage":"Exception message text",
      "correlationId":"DE8FEABB3467492093E34DA9CEFC9B70"
    }
  }
}
```

<table><thead><tr><th width="199">Field</th><th>Description</th></tr></thead><tbody><tr><td>exceptionClass</td><td>The name of the .NET exception class, if there is an exception.</td></tr><tr><td>exceptionMessage</td><td>The exception message, if there is an exception.</td></tr></tbody></table>

### **1.3.4 ServiceStartup**

Recorded when the Enzoic Service starts.

Example:

```json
{
  "time":"2024-12-19T18:21:34.7671925Z",
  "level":"INFO",
  "threadId":111,
  "event":"EnzoicService is starting up.",
  "eventData": {
    "data": {
      "eventKind":"ServiceStartup",
      "category":"Startup",
      "area":"General",
      "message":"EnzoicService is starting up."
    }
  }
}
```

### **1.3.5 ServiceShutdown**

Recorded when the Enzoic Service is shutting down.

Example:

```json
{
  "time":"2024-12-19T18:21:34.7671925Z",
  "level":"INFO",
  "threadId":111,
  "event":"EnzoicService is shutting down.",
  "eventData": {
    "data": {
      "eventKind":"ServiceShutdown",
      "category":"Shutdown",
      "area":"General",
      "message":"EnzoicService is shutting down."
    }
  }
}
```

### **1.3.6 PasswordChanged**

Recorded when a user password was successfully changed.

Example:

```json
{
  "time": "2024-08-07 15:00:59.9008",
  "threadId": "16",
  "level": "INFO",
  "event": "The password for user tu1 has been successfully changed.",
  "eventData": {
    "data": {
      "user": "tu1",
      "eventKind": "PasswordChanged",
      "category":"PasswordChanged",      
      "message":" The password for user tu1 has been successfully changed.",
      "area":"FilterCommandProcessing"      
    }
  }
}
```

<table><thead><tr><th width="213">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the account that was updated.</td></tr></tbody></table>

### **1.3.7 PasswordChangeRejected**

Recorded when a user password change was rejected by Enzoic due to policy settings.

Example:

```json
{
  "time":"2024-09-02 14:15:08.5068",
  "threadId": "4",
  "level": "INFO",
  "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
  "eventData": {
    "data": {
      "user": "testfosmo",
      "detectionMethod":"EnzoicApi",
      "matchTypes":[
        "RootPasswordMatch"
      ],
      "eventKind": "PasswordChangeRejected",
      "details": null
    }
  }
}
```

<table><thead><tr><th width="202">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the account on which the password change was attempted.</td></tr><tr><td>detectionMethod</td><td>The type of check which identified the match. See table 1.3.7.1.</td></tr><tr><td>matchTypes</td><td>One or more values indicating how the match was made. See table 1.3.7.2.</td></tr></tbody></table>

#### **1.3.7.1 Possible values for detectionMethod field**

| Value                        | Description                                                                                                            |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| EnzoicPasswordsApi           | The password (or a variant) was found in the Enzoic database.                                                          |
| EnzoicCredentialsApi         | The username and password combination was found in the Enzoic database.                                                |
| LocalDictionary              | The password is or contains a term in the local dictionary.                                                            |
| PasswordSimilarity           | The new password is too close to current password based on the result of the Damerau-Levenshtein distance calculation. |
| UserDisplayName              | The password contains the user’s first and/or last name.                                                               |
| UserName                     | The password contains the user’s username                                                                              |
| UserEmail                    | The password contains the user’s email address                                                                         |
| RepeatingCharacters          | The password includes too many of the same character consecutively                                                     |
| MinimumLength                | The password is too short                                                                                              |
| MaximumLength                | The password is too long                                                                                               |
| AtLeastOneUppercaseCharacter | The password lacks an uppercase character                                                                              |
| AtLeastOneLowercaseCharacter | The password lacks a lowercase character                                                                               |
| AtLeastOneNumber             | The password lacks a number, 0-9                                                                                       |
| AtLeastOneSymbol             | The password lacks any symbol characters (e.g. $, #, %, &)                                                             |

#### **1.3.7.2 Possible values for matchTypes field**

| Value             | Description                                                                                                                                                                                                      |
| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ExactMatch        | The exact, unmodified plaintext password was found in the Enzoic database.                                                                                                                                       |
| FuzzyMatch        | Some variation of the plaintext password was found in the Enzoic database. Several variations of the password are generated and checked. Example: p\@55w0rd would get converted to password which is then found. |
| RootPasswordMatch | After normalization of the plaintext password, the resulting value was found in the Enzoic database. Example: Password123!! gets normalized to Password which is then found.                                     |

### **1.3.8 CompromiseDetected**

Recorded when, during the daily scan, a user password or credential is found to be compromised or does not comply with the user’s policy.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "CompromiseDetected",
  "eventData": {
    "data": {
      "eventKind": "CompromiseDetected",
      "category":"Security",
      "area":"PolicyEnforcement",
      "message":" ",
      "user":"tu1",
      "detectionTimestamp": "2019-08-07 16:24:56.1423",
      "detectionMethod": "EnzoicPasswordsApi",
      "matchTypes": ["ExactMatch"],
      "actionTaken": "DisableAccount",
      "actionDelayHours": 0
    }
  }
}
```

| Field              | Description                                                                              |
| ------------------ | ---------------------------------------------------------------------------------------- |
| user               | The SAM account name of the account that was updated.                                    |
| detectionTimestamp | The date and time of when the detection originally occurred.                             |
| detectionMethod    | The type of check which identified the match. (see table 1.3.7.1)                        |
| matchTypes         | One or more values indicating how the match was made. (see table 1.3.7.2)                |
| actionTaken        | The remediation action which was taken in response to the detection. (see table 1.3.8.1) |
| actionDelayHours   | Always zero for this event kind.                                                         |

#### 1.3.8.1 Possible values for actionTaken field

| Value                      | Description                                                                                                          |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| ForceChangePasswordOnLogin | The user’s account was updated to require a password change the next time they log in.                               |
| DisableAccount             | The user’s account was immediately disabled.                                                                         |
| NotifyOnly                 | Only a notification email will be sent to the configured administrators and optionally the end user (if configured). |

### **1.3.9 CompromiseDetectedDelayedRemediationScheduled**

Recorded by User Password Monitoring when a user password was detected as out-of-policy and a delayed remediation was scheduled (e.g. force password change after 24 hours).

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "CompromiseDetectedDelayedRemediationScheduled",
  "eventData": {
    "data": {
      "eventKind": "CompromiseDetectedDelayedRemediationScheduled",
      "category":"Security",
      "area":"PolicyEnforcement",
      "message":" ",
      "user":"tu1",
      "detectionTimestamp": "2024-08-07 16:24:56.1423",
      "detectionMethod": "EnzoicPasswordsApi",
      "matchTypes": ["ExactMatch"],
      "actionTaken": "DisableAccountDelayed",
      "actionDelayHours": 24
    }
  }
}
```

<table><thead><tr><th width="213">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the affected account.</td></tr><tr><td>detectionTimestamp</td><td>Timestamp of when the detection originally occurred.</td></tr><tr><td>detectionMethod</td><td>The type of check which identified the match. (see table 1.3.7.1)</td></tr><tr><td>matchTypes</td><td>One or more values indicating how the match was made. (see table 1.3.7.2)</td></tr><tr><td>actionTaken</td><td>Indicates the action that was taken in response to the detection. See table 1.3.9.1 for possible values.</td></tr><tr><td>actionDelayHours</td><td>The number of hours before the delayed remediation will take effect. This only applies when actionTaken is ForceChangePasswordOnLoginDelayed or DisableAccountDelayed.</td></tr></tbody></table>

#### **1.3.9.1 Possible values for actionTaken field**

| Value                             | Description                                                                                                                                          |
| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| ForceChangePasswordOnLoginDelayed | The user’s account will be updated to require a password change on the next login, after the period specified in the actionDelayHours field elapses. |
| DisableAccountDelayed             | The user’s account will be disabled after the period specified in the actionDelayHours field elapses.                                                |

### **1.3.10 DelayedRemediationActionTaken**

Recorded when a previously scheduled delayed remediation was taken. For example, if a user was scheduled to force a password change after 24 hours, this event gets logged when the user is set to Force Password Change on Next Logon in AD.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "DelayedRemediationActionTaken",
  "eventData": {
    "data": {
      "eventKind": "DelayedRemediationActionTaken",
      "category":"Security",
      "area":"PolicyEnforcement",
      "message":" ",
      "user":"tu1",
      "detectionTimestamp": "2024-08-07 16:24:56.1423",
      "detectionMethod": "None",
      "matchTypes": [],
      "actionTaken": "DisableAccount",
      "actionDelayHours": 24
    }
  }
}
```

<table><thead><tr><th width="217">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the affected account.</td></tr><tr><td>detectionTimestamp</td><td>Timestamp of when the detection originally occurred.</td></tr><tr><td>detectionMethod</td><td>Always None for this event kind.</td></tr><tr><td>matchTypes</td><td>Always an empty array for this event kind.</td></tr><tr><td>actionTaken</td><td>The remediation action which was taken in response to the detection. (see table 1.3.10.1)</td></tr><tr><td>actionDelayHours</td><td>The period, in hours, that elapsed before the remediation was applied.</td></tr></tbody></table>

#### **1.3.10.1 Possible values for actionTaken field**

| Value                      | Description                                                                            |
| -------------------------- | -------------------------------------------------------------------------------------- |
| ForceChangePasswordOnLogin | The user’s account was updated to require a password change the next time they log in. |
| DisableAccount             | The user’s account was disabled.                                                       |

### **1.3.11 ManualRemediationActionTaken**

Recorded when an administrator manually remediates a previously detected compromise or policy violation.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "ManualRemediationActionTaken",
  "eventData": {
    "data": {
      "eventKind": "ManualRemediationActionTaken",
      "category":"Security",
      "area":"PolicyEnforcement",
      "message":" ",
      "user":"tu1",
      "detectionTimestamp": "2024-08-07 16:24:56.1423",
      "detectionMethod": "None",
      "matchTypes": [],
      "actionTaken": "DisableAccount",
      "actionDelayHours": 24
    }
  }
}
```

<table><thead><tr><th width="217">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the affected account.</td></tr><tr><td>detectionTimestamp</td><td>Timestamp of when the detection originally occurred.</td></tr><tr><td>detectionMethod</td><td>Always None for this event kind.</td></tr><tr><td>matchTypes</td><td>Always an empty array for this event kind.</td></tr><tr><td>actionTaken</td><td>The remediation action which was manually applied. (see table 1.3.10.1)</td></tr><tr><td>actionDelayHours</td><td>The original remediation delay period in hours.</td></tr></tbody></table>

### **1.3.12 CompromiseResolved**

Recorded when a user with an active compromise or policy violation successfully changed their password.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "The password for user tu1 has been successfully changed.",
  "eventData": {
    "data": {
      "eventKind":"CompromiseResolved",
      "category":"PasswordChanged",
      "area":"FilterCommandProcessing",
      "message":"The password for user tu1 has been successfully changed.",
      "user":"tu1"
    }
  }
}
```

<table><thead><tr><th width="217">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the affected account.</td></tr></tbody></table>

### 1.3.13 CompromiseResolvedDueToConfigChange

Recorded when a previous policy violation detection is voided because the policy settings or monitored entities changed.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "CompromiseResolvedDueToConfigChange",
  "eventData": {
    "data": {
      "eventKind":"CompromiseResolvedDueToConfigChange",
      "category":"Security",
      "area":"PolicyEnforcement",
      "message":" ",
      "user":"tu1",
      "detectionTimestamp": "2024-08-07 16:24:56.1423",
      "detectionMethod": "None",
      "matchTypes": [],
      "actionTaken":"DisableAccount",
      "actionDelayHours": 0
    }
  }
}
```

<table><thead><tr><th width="217">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the affected account.</td></tr><tr><td>detectionTimestamp</td><td>Timestamp of when the detection originally occurred.</td></tr><tr><td>detectionMethod</td><td>Always None for this event kind.</td></tr><tr><td>matchTypes</td><td>Always an empty array for this event kind.</td></tr><tr><td>actionTaken</td><td>The remediation action which was taken or scheduled to be taken in response to the detection. (see table 1.3.13.1)</td></tr><tr><td>actionDelayHours</td><td>Always zero for this event kind.</td></tr></tbody></table>

#### 1.3.13.1 Possible values for actionTaken field

| Value                             | Description                                                                                                          |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| ForceChangePasswordOnLogin        | The user’s account was updated to require a password change the next time they log in.                               |
| DisableAccount                    | The user’s account was immediately disabled.                                                                         |
| NotifyOnly                        | Only a notification email will be sent to the configured administrators and optionally the end user (if configured). |
| ForceChangePasswordOnLoginDelayed | The user’s account was scheduled to be updated to require a password change on the next login, after a delay.        |
| DisableAccountDelayed             | The user’s account was scheduled to be disabled after a delay.                                                       |
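The event kinds in sections 1.3.8 to 1.3.13 form a per-user lifecycle, and a SIEM rule can replay them to find accounts whose scheduled remediation never produced a follow-up event. The following is an added example, not Enzoic code: the sample entries are constructed, and it assumes timestamps without a zone are UTC and that the delay runs from the entry's `time` field.

```python
import json
from datetime import datetime, timedelta, timezone

# Event kinds from section 1.3, grouped by their effect on a per-user case.
DETECTED = "CompromiseDetected"
SCHEDULED = "CompromiseDetectedDelayedRemediationScheduled"
APPLIED = {"DelayedRemediationActionTaken", "ManualRemediationActionTaken"}
RESOLVED = {"CompromiseResolved", "CompromiseResolvedDueToConfigChange"}


def parse_time(value):
    """Parse both timestamp shapes used in the page's examples:
    "2024-08-07 16:24:57.2758" and "2024-12-19T18:21:34.7671925Z".
    Assumption: values without a zone are UTC."""
    head, _, frac = value.strip().rstrip("Z").replace("T", " ").partition(".")
    stamp = datetime.strptime(head, "%Y-%m-%d %H:%M:%S")
    micros = int((frac + "000000")[:6])  # pad or trim the fraction to microseconds
    return stamp.replace(microsecond=micros, tzinfo=timezone.utc)


def normalize(raw):
    """Flatten one entry (JSON text or dict) into the fields the tracker needs."""
    entry = json.loads(raw) if isinstance(raw, str) else raw
    data = (entry.get("eventData") or {}).get("data") or {}
    return {
        "time": parse_time(entry["time"]),
        "thread_id": str(entry.get("threadId")),  # examples show "22" and 111
        "kind": data.get("eventKind"),
        "user": data.get("user"),
        "action": data.get("actionTaken"),
        "delay_hours": data.get("actionDelayHours") or 0,
    }


def case_status(entries, now):
    """Replay entries up to `now` in time order and return {user: status}.

    Status is "notify-only", "scheduled", "overdue" or "remediated";
    users whose case was resolved are dropped.
    """
    cases = {}
    for rec in sorted(map(normalize, entries), key=lambda r: r["time"]):
        if rec["time"] > now:
            break
        user, kind = rec["user"], rec["kind"]
        if not user:
            continue  # service start/stop and similar entries carry no user
        if kind == DETECTED:
            state = "notify-only" if rec["action"] == "NotifyOnly" else "remediated"
            cases[user] = {"state": state, "due": None}
        elif kind == SCHEDULED:
            due = rec["time"] + timedelta(hours=rec["delay_hours"])
            cases[user] = {"state": "scheduled", "due": due}
        elif kind in APPLIED:
            cases[user] = {"state": "remediated", "due": None}
        elif kind in RESOLVED:
            cases.pop(user, None)
    status = {}
    for user, case in cases.items():
        late = case["state"] == "scheduled" and now > case["due"]
        status[user] = "overdue" if late else case["state"]
    return status


def _entry(time, kind, user=None, thread_id="22", **extra):
    """Build a constructed entry with the structure from sections 1.1 and 1.2."""
    data = {"eventKind": kind, "category": "Security",
            "area": "PolicyEnforcement", "message": " ", **extra}
    if user:
        data["user"] = user
    return json.dumps({"time": time, "threadId": thread_id, "level": "INFO",
                       "event": kind, "eventData": {"data": data}})


# Constructed sample entries (user names and times are made up).
SAMPLE = [
    _entry("2024-12-19T08:00:00.7671925Z", "ServiceStartup", thread_id=111),
    _entry("2024-12-19 09:00:00.1000", SCHEDULED, "alice",
           actionTaken="DisableAccountDelayed", actionDelayHours=24),
    _entry("2024-12-19 09:05:00.2000", SCHEDULED, "bob",
           actionTaken="ForceChangePasswordOnLoginDelayed", actionDelayHours=24),
    _entry("2024-12-19 09:10:00.3000", DETECTED, "carol",
           actionTaken="NotifyOnly", actionDelayHours=0),
    _entry("2024-12-19 09:15:00.4000", DETECTED, "dave",
           actionTaken="NotifyOnly", actionDelayHours=0),
    _entry("2024-12-19 15:00:00.5000", "CompromiseResolved", "carol"),
    _entry("2024-12-20T09:05:02.1234567Z", "DelayedRemediationActionTaken", "bob",
           actionTaken="ForceChangePasswordOnLogin", actionDelayHours=24),
]

if __name__ == "__main__":
    now = datetime(2024, 12, 21, tzinfo=timezone.utc)
    for user, state in sorted(case_status(SAMPLE, now).items()):
        print(user, state)
```

An `overdue` result means the delay elapsed with no DelayedRemediationActionTaken, ManualRemediationActionTaken or resolution entry, which points at either a failed remediation or missing log data.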

### 1.3.14 SettingsChanged

Recorded when the application configuration settings are updated. This includes Settings, License and Monitoring Policies. Custom Email and Custom SMTP settings are NOT included, as they have their own dedicated event kinds.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "SettingsChanged",
  "eventData": {
    "data": {
      "eventKind":"SettingsChanged",
      "category":"LDAP",
      "area":"Settings",
      "message":"",
      "user":"admin1",
      "details": {
        "SharedSettings": { 
          "Client": {
            "DisableEnzoicCredentialProvider": { 
              "oldVal": true, 
              "newVal": false 
            } 
          } 
        }
      }
    }
  }
}
```

<table><thead><tr><th width="217">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the user who made the settings change(s).</td></tr><tr><td>details</td><td>A JSON object describing the changed fields, with both new and old values. In the case of arrays, added, removed, and modified elements will be included.</td></tr></tbody></table>

### 1.3.15 CustomEmailSettingsChanged

Recorded when the application custom email configuration settings are updated in any policy.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "CustomEmailSettingsChanged",
  "eventData": {
    "data": {
      "eventKind":"CustomEmailSettingsChanged",
      "category":"UserInterface",
      "area":"ChangeDetection",
      "message":"",
      "user":"admin1",
      "details": {
        "CompanyName": { 
          "oldVal": null, 
          "newVal": "Test Org"
        }
      }
    }
  }
}
```

<table><thead><tr><th width="217">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the user who made the settings change(s).</td></tr><tr><td>details</td><td>A JSON object describing the changed fields, with both new and old values.</td></tr></tbody></table>

### 1.3.16 CustomSmtpSettingsChanged

Recorded when the application custom email server configuration settings are updated.

Example:

```json
{
  "time": "2024-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "CustomSmtpSettingsChanged",
  "eventData": {
    "data": {
      "eventKind":"CustomSmtpSettingsChanged",
      "category":"UserInterface",
      "area":"ChangeDetection",
      "message":"",
      "user":"admin1",
      "details": {
        "SenderEmailAddress": { 
          "oldVal": null, 
          "newVal": "admin1@test.org"
        }
      }
    }
  }
}
```

<table><thead><tr><th width="217">Field</th><th>Description</th></tr></thead><tbody><tr><td>user</td><td>The SAM account name of the user who made the settings change(s).</td></tr><tr><td>details</td><td>A JSON object describing the changed fields, with both new and old values.</td></tr></tbody></table>
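The three settings-change event kinds (1.3.14 to 1.3.16) nest their `oldVal`/`newVal` pairs at varying depth, so a SIEM pipeline usually flattens them into one audit row per changed setting. The following is an added example, not Enzoic code: it reuses the SettingsChanged entry from section 1.3.14, while the `Password` key in the second sample, the secret-name pattern and the index-based handling of arrays are assumptions.

```python
import json
import re

# Event kinds from sections 1.3.14 to 1.3.16 that carry a "details" diff.
SETTINGS_KINDS = {"SettingsChanged", "CustomEmailSettingsChanged",
                  "CustomSmtpSettingsChanged"}

# Assumption: values of settings whose name looks like a secret are masked
# before forwarding. The page does not list setting names, so tune this
# pattern against your own logs.
SECRET_NAME = re.compile(r"pass(word)?|secret|token|api_?key", re.IGNORECASE)


def walk(node, path=()):
    """Yield (path, old, new) for each {"oldVal", "newVal"} leaf under node."""
    if isinstance(node, dict):
        if "oldVal" in node and "newVal" in node:
            yield path, node["oldVal"], node["newVal"]
        else:
            for key, child in node.items():
                yield from walk(child, path + (str(key),))
    elif isinstance(node, list):
        # The page says array changes are included but not how they are laid
        # out, so list elements are walked by index (assumption).
        for index, child in enumerate(node):
            yield from walk(child, path + (str(index),))


def audit_rows(raw):
    """Turn one settings-change entry into flat rows; other kinds give []."""
    entry = json.loads(raw) if isinstance(raw, str) else raw
    data = (entry.get("eventData") or {}).get("data") or {}
    if data.get("eventKind") not in SETTINGS_KINDS:
        return []
    rows = []
    for path, old, new in walk(data.get("details") or {}):
        if path and SECRET_NAME.search(path[-1]):
            # Keep None so "set" versus "cleared" is still visible.
            old, new = ("<redacted>" if v is not None else None
                        for v in (old, new))
        rows.append({"time": entry.get("time"), "admin": data.get("user"),
                     "kind": data["eventKind"], "setting": ".".join(path),
                     "old": old, "new": new})
    return rows


# The SettingsChanged example entry from section 1.3.14 of this page.
SETTINGS_EXAMPLE = """
{"time": "2024-08-07 16:24:57.2758", "threadId": "22", "level": "INFO",
 "event": "SettingsChanged",
 "eventData": {"data": {
   "eventKind": "SettingsChanged", "category": "LDAP", "area": "Settings",
   "message": "", "user": "admin1",
   "details": {"SharedSettings": {"Client": {
     "DisableEnzoicCredentialProvider": {"oldVal": true, "newVal": false}}}}}}}
"""

# Constructed entry: "Password" is a hypothetical setting name used only to
# show the masking; the page does not document such a key.
SMTP_CONSTRUCTED = {
    "time": "2024-08-07 16:30:00.0000", "threadId": "22", "level": "INFO",
    "event": "CustomSmtpSettingsChanged",
    "eventData": {"data": {
        "eventKind": "CustomSmtpSettingsChanged", "category": "UserInterface",
        "area": "ChangeDetection", "message": "", "user": "admin1",
        "details": {
            "SenderEmailAddress": {"oldVal": None, "newVal": "admin1@test.org"},
            "Password": {"oldVal": None, "newVal": "constructed-value"},
        }}},
}

if __name__ == "__main__":
    for row in audit_rows(SETTINGS_EXAMPLE) + audit_rows(SMTP_CONSTRUCTED):
        print(row)
```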


