Logging and SIEM Integration
Enzoic for Active Directory v3.2
By default, Enzoic for Active Directory stores logs in the following location:
C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs
The following log files are available:
Log Type | Filename(s) | Format(s) | Description |
---|---|---|---|
Console | EnzoicConsole_{logDate}.json, EnzoicConsole_{logDate}.log | JSON, TXT | Logs generated by the Enzoic console UI. |
Service | EnzoicService_{logDate}.json, EnzoicService_{logDate}.log | JSON, TXT | Logs generated by the Enzoic service. These tend to be the most useful for troubleshooting: they record when Compromised Password Protection finds a compromised password for a user and when a password change is blocked. |
Filter | EnzoicFilter.txt | TXT | Logs generated by the Enzoic password filter DLL. |
Logs roll over and are only retained for the last 7 days.
Enzoic for Active Directory logs important events to a JSON-format log file that can be ingested by SIEM systems. The following describes the information contained in these log entries.
Each JSON log entry has the following structure.
Field | Description |
---|---|
time | Timestamp at which the event occurred. |
threadId | The managed .NET thread ID which was running. |
level | Level of event severity. This can be one of the following: INFO, WARN, ERROR. |
eventData | A JSON object containing additional details specific to the event. It has a single field, "data", which holds an object with the actual details. |
event | Either a free-form message or an enum value naming the event kind (see the eventKind field in table 1.2). |
The content of eventData varies with the type of logged event, but the following fields are always present.
Field | Description |
---|---|
eventKind | Indicates the nature of the event. See table 1.3 for possible values. |
details | Either a free-form complex object or extended message. Can be null. |
The possible eventKind values are listed below.
Name | Description |
---|---|
Info | General informational message. |
Warning | A recoverable problem or unusual event has occurred. |
Error | A (possibly unrecoverable) problem has occurred and may require user intervention or investigation. |
PasswordChanged | User account password was changed. |
PasswordChangeRejected | User account password change was attempted, but the password did not pass the integrity checks. |
CompromiseDetectedDelayedRemediationScheduled | A compromised password was detected, and was either remediated, or scheduled for remediation after a delay. |
DelayedRemediationActionTaken | A previously scheduled remediation was applied. |
Info events are recorded when there is a general informational message.
Example:
```json
{
  "time": "2019-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "Service shutdown.",
  "eventData": {
    "data": {
      "eventKind": "Info",
      "details": null
    }
  }
}
```
Warning events are recorded when a recoverable problem or unusual event has occurred.
Example:
```json
{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "WARN",
  "event": "The user tu1 no longer exists. Cleaning up artifacts related to this user.",
  "eventData": {
    "data": {
      "eventKind": "Warning",
      "details": null
    }
  }
}
```
Error events are recorded when a problem has occurred that may require user intervention or investigation. The eventData payload carries the exception details, which help support investigate further.
Field | Description |
---|---|
exceptionClass | The name of the .NET exception class, if there is an exception. |
exceptionMessage | The exception message, if there is an exception. |
Example:
```json
{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "ERROR",
  "event": "Something bad happened..",
  "eventData": {
    "data": {
      "eventKind": "Error",
      "details": null,
      "exceptionClass": "Exception",
      "exceptionMessage": "Exception text"
    }
  }
}
```
PasswordChanged events are recorded when a user's password was successfully changed.
Field | Description |
---|---|
user | The SAM account name of the account that was updated. |
Example:
```json
{
  "time": "2019-08-07 15:00:59.9008",
  "threadId": "16",
  "level": "INFO",
  "event": "PasswordChanged",
  "eventData": {
    "data": {
      "user": "tu1",
      "eventKind": "PasswordChanged",
      "details": null
    }
  }
}
```
PasswordChangeRejected events are recorded when a user's password change was rejected by Enzoic due to policy settings.
Field | Description |
---|---|
user | The SAM account name of the account on which the password change was attempted. |
detectionMethod | The detection method that flagged the password. Possible values: EnzoicApi, LocalDictionary, PasswordSimilarity, UserDisplayName, UserName, UserEmail. |
matchTypes | The match type(s) that applied. Possible values: ExactMatch, FuzzyMatch, RootPasswordMatch. |
Example:
```json
{
  "time": "2020-09-02 14:15:08.5068",
  "threadId": "4",
  "level": "INFO",
  "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
  "eventData": {
    "data": {
      "user": "testfosmo",
      "detectionMethod": "EnzoicApi",
      "matchTypes": [
        "RootPasswordMatch"
      ],
      "eventKind": "PasswordChangeRejected",
      "details": null
    }
  }
}
```
CompromiseDetectedDelayedRemediationScheduled events are recorded by User Password Monitoring when a user's password was detected as compromised and a delayed remediation was scheduled (e.g. force a password change after 24 hours).
Field | Description |
---|---|
user | The SAM account name of the affected account. |
detectionTimestamp | Timestamp of when the compromise was detected. |
actionTaken | Indicates the action that was taken in response to the compromise. See table 1.11 for possible values. |
actionDelayHours | The number of hours before the delayed remediation takes effect. This only applies when actionTaken is ForcePasswordChangeOnLoginDelayed or DisableAccountDelayed. |
Example:
```json
{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "CompromiseDetectedDelayedRemediationScheduled",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLoginDelayed",
      "actionDelayHours": 1,
      "eventKind": "CompromiseDetectedDelayedRemediationScheduled",
      "details": null
    }
  }
}
```
DelayedRemediationActionTaken events are recorded by User Password Monitoring when a previously scheduled delayed remediation was applied. For example, if a user's password change was scheduled to be forced after 24 hours, this event is logged when the user is set to Force Password Change on Next Logon in AD.
Field | Description |
---|---|
user | The SAM account name of the affected account. |
detectionTimestamp | Timestamp of when the compromise was detected. |
actionTaken | Possible values: ForcePasswordChangeOnLogin, DisableAccount |
actionDelayHours | Always zero. |
Example:
```json
{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "DelayedRemediationActionTaken",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLogin",
      "actionDelayHours": 0,
      "eventKind": "DelayedRemediationActionTaken",
      "details": null
    }
  }
}
```
The possible remediation action values for log events are listed below.
Name | Description |
---|---|
ForcePasswordChangeOnLogin | The affected user account is updated to require the password to be changed on the next login attempt. |
ForcePasswordChangeOnLoginDelayed | The affected user account is updated to require the password to be changed on the next login attempt. This action is delayed by the number of configured hours. |
DisableAccount | The affected user account is disabled. |
DisableAccountDelayed | The affected user account is disabled. This action is delayed by the number of configured hours. |
NotifyOnly | An email notification is sent to the configured recipients. No further remediation is taken. |
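As an added example (not Enzoic's code), here is a small Python collector covering both the entry structure tables above and the per-kind fields of the event sections: it validates each entry's envelope, turns the alert-worthy kinds into SIEM alerts, and correlates scheduled delayed remediations with the DelayedRemediationActionTaken events that should follow them. It assumes the .json files hold one entry per line; the severity mapping and the sample entries are constructed for this example, modelled on the examples on this page.

```python
import json
from collections import namedtuple
from typing import Iterable, List, Optional, Set

# Severity assigned per eventKind when forwarding to a SIEM. The mapping is this
# example's choice; Info, Warning and PasswordChanged are parsed but not alerted.
ALERT_SEVERITY = {"Error": "low", "PasswordChangeRejected": "medium",
                  "CompromiseDetectedDelayedRemediationScheduled": "high",
                  "DelayedRemediationActionTaken": "high"}
REQUIRED_TOP_LEVEL = ("time", "threadId", "level", "event", "eventData")
Alert = namedtuple("Alert", "time user kind severity summary")


def parse_entry(raw: str) -> dict:
    """Parse one JSON entry and check the envelope documented on this page."""
    entry = json.loads(raw)
    if not isinstance(entry, dict):
        raise ValueError("entry is not a JSON object")
    missing = [f for f in REQUIRED_TOP_LEVEL if f not in entry]
    if missing:
        raise ValueError(f"missing top-level field(s): {missing}")
    event_data = entry["eventData"]
    data = event_data.get("data") if isinstance(event_data, dict) else None
    if not isinstance(data, dict) or "eventKind" not in data:
        raise ValueError("eventData.data.eventKind is missing")
    return entry


def parse_log(lines: Iterable[str]) -> List[dict]:
    """Parse a file assumed to hold one JSON entry per line; blank and malformed
    lines are dropped (a production collector would count them instead)."""
    entries = []
    for line in filter(None, (ln.strip() for ln in lines)):
        try:
            entries.append(parse_entry(line))
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            pass
    return entries


def to_alert(entry: dict) -> Optional[Alert]:
    """Map one entry to an Alert using the per-kind fields documented above."""
    data = entry["eventData"]["data"]
    kind, severity = data["eventKind"], ALERT_SEVERITY.get(data["eventKind"])
    if severity is None:
        return None
    if kind == "PasswordChangeRejected":
        summary = f"{data.get('detectionMethod')} / {', '.join(data.get('matchTypes') or [])}"
    elif kind == "Error":
        summary = f"{data.get('exceptionClass')}: {data.get('exceptionMessage')}"
    else:  # both remediation kinds share actionTaken / actionDelayHours
        summary = f"{data.get('actionTaken')} (delay {data.get('actionDelayHours')}h)"
    return Alert(entry["time"], data.get("user"), kind, severity, summary)


def alerts_from(entries: List[dict]) -> List[Alert]:
    return [a for a in map(to_alert, entries) if a is not None]


def pending_remediations(entries: List[dict]) -> Set[str]:
    """Users with a *Delayed action scheduled and no later DelayedRemediationActionTaken
    (entries in file order). NotifyOnly schedules nothing, so it is never pending."""
    pending: Set[str] = set()
    for e in entries:
        d = e["eventData"]["data"]
        kind, user = d["eventKind"], d.get("user")
        if (kind == "CompromiseDetectedDelayedRemediationScheduled"
                and str(d.get("actionTaken", "")).endswith("Delayed")):
            pending.add(user)
        elif kind == "DelayedRemediationActionTaken":
            pending.discard(user)
    return pending


# --- Constructed sample log (not real Enzoic output), one entry per line -----
TS = "2019-08-07T15:01:35.7134337-04:00"

def _entry(time, level, event, **data):
    data.setdefault("details", None)
    return json.dumps({"time": time, "threadId": "10", "level": level,
                       "event": event, "eventData": {"data": data}})

def _remediation(time, user, action, hours, kind="CompromiseDetectedDelayedRemediationScheduled"):
    return _entry(time, "INFO", kind, user=user, detectionTimestamp=TS,
                  actionTaken=action, actionDelayHours=hours, eventKind=kind)

SAMPLE_LOG = "\n".join([
    _entry("2019-08-07 15:00:59.9008", "INFO", "PasswordChanged", user="tu1", eventKind="PasswordChanged"),
    _entry("2020-09-02 14:15:08.5068", "INFO", "The password is compromised and cannot be used.",
           user="testfosmo", detectionMethod="EnzoicApi", matchTypes=["RootPasswordMatch"],
           eventKind="PasswordChangeRejected"),
    _remediation("2019-08-07 15:01:35.7445", "tu1", "ForcePasswordChangeOnLoginDelayed", 1),
    _remediation("2019-08-07 16:01:36.0000", "tu1", "ForcePasswordChangeOnLogin", 0,
                 kind="DelayedRemediationActionTaken"),
    _remediation("2019-08-07 16:05:00.0000", "tu2", "DisableAccountDelayed", 24),
    _remediation("2019-08-07 16:06:00.0000", "tu3", "NotifyOnly", 0),
    "this line is not JSON and must be skipped",
    _entry("2019-08-07 16:10:00.0000", "ERROR", "Something bad happened..", eventKind="Error",
           exceptionClass="Exception", exceptionMessage="Exception text"),
])

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG.splitlines())
    print(*alerts_from(entries), "pending:", sorted(pending_remediations(entries)), sep="\n")
```

Feed it a real file with parse_log(open(path, encoding="utf-8")) and compare pending_remediations against the configured delay: a user who stays pending well past actionDelayHours deserves a look, as does a NotifyOnly event, which per the table above triggers no remediation at all.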