Logging and SIEM Integration

Enzoic for Active Directory v3.5

Log Files

By default, Enzoic for Active Directory stores logs in the following location: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs

The following log files are available:

Logs roll over daily and are only retained for the last 7 days.

SIEM Integration

Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries.

Log files are stored at: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs

1.1 Log Entry Fields / Structure

Each JSON log entry has the following structure.

1.2 Event Data Fields – Common to All Events

The content of eventData varies per the type of logged event, but the following fields are always present.

1.3 Event Kinds

Log Entry Details for Each Event Kind

1.4 Info

Recorded when there is a general informational message.

Example:

{
  "time": "2019-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "Service shutdown.",
  "eventData": {
    "data": {
      "eventKind": "Info",
      "details": null
    }
  }
}

1.5 Warning

Recorded when a recoverable problem or unusual event has occurred.

Example:

{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "WARN",
  "event": "The user tu1 no longer exists. Cleaning up artifacts related to this user.",
  "eventData": {
    "data": {
      "eventKind": "Warning",
      "details": null
    }
  }
}

1.6 Error

Recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details (exceptionClass and exceptionMessage) and can be helpful to Enzoic support for further investigation.

Example:

{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "ERROR",
  "event": "Something bad happened..",
  "eventData": {
    "data": {
      "eventKind": "Error",
      "details": null,
      "exceptionClass": "Exception",
      "exceptionMessage": "Exception text"
    }
  }
}

1.7 PasswordChanged

Recorded when a user password was successfully changed.

Example:

{
  "time": "2019-08-07 15:00:59.9008",
  "threadId": "16",
  "level": "INFO",
  "event": "PasswordChanged",
  "eventData": {
    "data": {
      "user": "tu1",
      "eventKind": "PasswordChanged",
      "details": null
    }
  }
}

1.8 PasswordChangeRejected

Recorded when a user password change was rejected by Enzoic due to policy settings.

Example:

{
  "time":"2020-09-02 14:15:08.5068",
  "threadId": "4",
  "level": "INFO",
  "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
  "eventData": {
    "data": {
      "user": "testfosmo",
      "detectionMethod":"EnzoicApi",
      "matchTypes":[
        "RootPasswordMatch"
      ],
      "eventKind": "PasswordChangeRejected",
      "details": null
    }
  }
}

1.9 CompromiseDetectedDelayedRemediationScheduled

Recorded by User Password Monitoring when a user password was detected as compromised and a delayed remediation was scheduled (e.g. force password change after 24 hours).

Example:

{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "CompromiseDetectedDelayedRemediationScheduled",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLoginDelayed",
      "actionDelayHours": 1,
      "eventKind": "CompromiseDetectedDelayedRemediationScheduled",
      "details": null
    }
  }
}

1.10 DelayedRemediationActionTaken

Recorded by User Password Monitoring when a previously scheduled delayed remediation was taken. For example, if a user was scheduled to force a password change after 24 hours, this event gets logged when the user is set to Force Password Change on Next Logon in AD.

Example:

{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "DelayedRemediationActionTaken",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLogin",
      "actionDelayHours": 0,
      "eventKind": "DelayedRemediationActionTaken",
      "details": null
    }
  }
}
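The following is an added example, not part of the Enzoic documentation or product, showing how a SIEM collector might parse this log format and normalize the event kinds described above into flat records for forwarding and triage. It assumes the log file is a stream of JSON objects like the examples on this page (the parser also accepts one object per line), and the severity mapping and field names outside eventData.data are the example's own choices, not Enzoic settings. The sample entries are constructed from the page's examples.

```python
"""Parse Enzoic for Active Directory JSON log entries and normalize them for SIEM forwarding."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample log built from the documentation's examples, concatenated as
# pretty-printed JSON objects. ASSUMPTION: the on-disk file is a stream of such
# objects; raw_decode() below skips whitespace between them, so newline-delimited
# files parse the same way.
SAMPLE_LOG = """
{"time": "2019-08-07 16:24:57.2758", "threadId": "22", "level": "INFO",
 "event": "Service shutdown.",
 "eventData": {"data": {"eventKind": "Info", "details": null}}}
{"time": "2019-08-07 15:02:37.3696", "threadId": "10", "level": "ERROR",
 "event": "Something bad happened..",
 "eventData": {"data": {"eventKind": "Error", "details": null,
                        "exceptionClass": "Exception", "exceptionMessage": "Exception text"}}}
{"time": "2020-09-02 14:15:08.5068", "threadId": "4", "level": "INFO",
 "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
 "eventData": {"data": {"user": "testfosmo", "detectionMethod": "EnzoicApi",
                        "matchTypes": ["RootPasswordMatch"],
                        "eventKind": "PasswordChangeRejected", "details": null}}}
{"time": "2019-08-07 15:01:35.7445", "threadId": "10", "level": "INFO",
 "event": "CompromiseDetectedDelayedRemediationScheduled",
 "eventData": {"data": {"user": "tu1", "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
                        "actionTaken": "ForcePasswordChangeOnLoginDelayed", "actionDelayHours": 1,
                        "eventKind": "CompromiseDetectedDelayedRemediationScheduled", "details": null}}}
"""

# Severity per eventKind is this example's assumption for SIEM routing, not an Enzoic setting.
SEVERITY = {
    "Error": "high",
    "CompromiseDetectedDelayedRemediationScheduled": "high",
    "PasswordChangeRejected": "medium",
    "DelayedRemediationActionTaken": "medium",
    "PasswordChanged": "low",
    "Warning": "low",
    "Info": "info",
}
# Event kinds that name a user whose password is known-compromised (from the page's descriptions).
COMPROMISE_KINDS = {
    "PasswordChangeRejected",
    "CompromiseDetectedDelayedRemediationScheduled",
    "DelayedRemediationActionTaken",
}


@dataclass
class SiemEvent:
    time: str            # "time" field as logged: local time, no UTC offset
    level: str           # INFO / WARN / ERROR
    event_kind: str      # eventData.data.eventKind
    message: str         # top-level "event" text
    user: Optional[str]  # eventData.data.user when present
    severity: str
    extra: Dict[str, object]  # remaining kind-specific fields (matchTypes, actionTaken, ...)


def iter_entries(text: str) -> Iterator[dict]:
    """Yield each top-level JSON object from a stream of concatenated objects."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)  # raises JSONDecodeError on a truncated tail
        yield obj


def normalize(entry: dict) -> SiemEvent:
    """Flatten eventData.data into a SIEM-ready record; unknown kinds get severity 'unknown'."""
    data = (entry.get("eventData") or {}).get("data") or {}
    kind = data.get("eventKind", "Unknown")
    extra = {k: v for k, v in data.items() if k not in ("eventKind", "user", "details")}
    return SiemEvent(
        time=entry.get("time", ""), level=entry.get("level", ""), event_kind=kind,
        message=entry.get("event", ""), user=data.get("user"),
        severity=SEVERITY.get(kind, "unknown"), extra=extra,
    )


def parse_log(text: str) -> List[SiemEvent]:
    return [normalize(e) for e in iter_entries(text)]


def load_log_file(path: str) -> List[SiemEvent]:
    """Read a log file from disk. ASSUMPTION: UTF-8, possibly with a BOM (utf-8-sig tolerates both)."""
    with open(path, encoding="utf-8-sig") as fh:
        return parse_log(fh.read())


def summarize(events: List[SiemEvent]) -> dict:
    """Per-kind counts, users with compromised-password findings, and error messages for triage."""
    by_kind = Counter(e.event_kind for e in events)
    affected = sorted({e.user for e in events if e.user and e.event_kind in COMPROMISE_KINDS})
    errors = [e.message for e in events if e.event_kind == "Error"]
    return {"by_kind": dict(by_kind), "affected_users": affected, "errors": errors}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ev in parsed:
        print(f"{ev.time} [{ev.severity}] {ev.event_kind} user={ev.user} {ev.extra}")
    print(summarize(parsed))
```

One ingestion caveat visible in the page's own examples: the top-level time field carries no UTC offset, while detectionTimestamp inside eventData.data is ISO 8601 with an offset. A collector should stamp records with the domain controller's time zone (or prefer detectionTimestamp where present) so that correlation with other AD sources is not skewed.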

1.11 Remediation Actions

The possible remediation action values for log events are listed below.
