Logging and SIEM Integration

Enzoic for Active Directory v3.3

Log Files

By default, Enzoic for Active Directory stores logs in the following location: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs

The following log files are available:

LogType	Filename(s)	Format(s)	Description
Console	EnzoicConsole_{logDate}.json EnzoicConsole_{logDate}.log	JSON TXT	These are logs generated by the Enzoic console UI.
Service	EnzoicService_{logDate}.json EnzoicService_{logDate}.log	JSON TXT	These are logs generated by the Enzoic service. These tend to be the most useful for troubleshooting and contain details for when a compromised password is found for a user by Compromised Password Protection as well as when a password change is blocked.
Filter	EnzoicFilter.txt	TXT	These are logs generated by the Enzoic password filter DLL.

LogType

Filename(s)

Format(s)

Description

Console

EnzoicConsole_{logDate}.json EnzoicConsole_{logDate}.log

JSON TXT

These are logs generated by the Enzoic console UI.

Service

EnzoicService_{logDate}.json EnzoicService_{logDate}.log

JSON TXT

These are logs generated by the Enzoic service. These tend to be the most useful for troubleshooting and contain details for when a compromised password is found for a user by Compromised Password Protection as well as when a password change is blocked.

Filter

EnzoicFilter.txt

TXT

These are logs generated by the Enzoic password filter DLL.

Logs rollover and are only stored for the last 7 days.

SIEM Integration

Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries.

Logs files are stored at: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs

1.1 Log Entry Fields / Structure

Each JSON log entry has the following structure.

Field	Description
time	Timestamp at which the event occurred.
threadId	The managed .NET thread ID which was running.
level	Level of event severity. This can be one of the following: INFO, WARN, ERROR.
eventData	A JSON object containing additional details, specific to the event. The object has one field, “data” containing an object with the actual details.
event	This is either a message or an enum value indicating the event kind. (see the eventKind field in table 1.2)

Field

Description

time

Timestamp at which the event occurred.

threadId

The managed .NET thread ID which was running.

level

Level of event severity. This can be one of the following: INFO, WARN, ERROR.

eventData

A JSON object containing additional details, specific to the event. The object has one field, “data” containing an object with the actual details.

event

This is either a message or an enum value indicating the event kind. (see the eventKind field in table 1.2)

1.2 Event Data Fields – Common to All Events

The content of eventData varies per the type of logged event, but the following fields are always present.

Field	Description
eventKind	Indicates the nature of the event. See table 1.3 for possible values.
details	Either a free-form complex object or extended message. Can be null.

Field

Description

eventKind

Indicates the nature of the event. See table 1.3 for possible values.

details

Either a free-form complex object or extended message. Can be null.

1.3 Event Kinds

Name	Description
Info	General informational message.
Warning	A recoverable problem or unusual event has occurred.
Error	A (possibly unrecoverable) problem has occurred, and may require user intervention or investigation.
PasswordChanged	User account password was changed.
PasswordChangeRejected	User account password change was attempted, but the password did not pass the integrity checks.
CompromiseDetectedDelayedRemediationScheduled	A compromised password was detected, and was either remediated, or scheduled for remediation after a delay.
DelayedRemediationActionTaken	A previously scheduled remediation was applied.

Name

Description

Info

General informational message.

Warning

A recoverable problem or unusual event has occurred.

Error

A (possibly unrecoverable) problem has occurred, and may require user intervention or investigation.

PasswordChanged

User account password was changed.

PasswordChangeRejected

User account password change was attempted, but the password did not pass the integrity checks.

CompromiseDetectedDelayedRemediationScheduled

A compromised password was detected, and was either remediated, or scheduled for remediation after a delay.

DelayedRemediationActionTaken

A previously scheduled remediation was applied.

Log Entry Details for Each Event Kind

1.4 Info

Recorded when there is a general informational message.

Example:

{
  "time": "2019-08-07 16:24:57.2758",
  "threadId": "22",
  "level": "INFO",
  "event": "Service shutdown.",
  "eventData": {
    "data": {
      "eventKind": "Info",
      "details": null
    }
  }
}

1.5 Warning

Recorded when a recoverable problem or unusual event has occurred.

Example:

{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "WARN",
  "event": "The user tu1 no longer exists. Cleaning up artifacts related to this user.",
  "eventData": {
    "data": {
      "eventKind": "Warning",
      "details": null
    }
  }
}

1.6 Error

Recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details and can be helpful to support for further investigation.

Field	Description
exceptionClass	The name of the .NET exception class, if there is an exception.
exceptionMessage	The exception message, if there is an exception.

Field

Description

exceptionClass

The name of the .NET exception class, if there is an exception.

exceptionMessage

The exception message, if there is an exception.

Example:

{
  "time": "2019-08-07 15:02:37.3696",
  "threadId": "10",
  "level": "ERROR",
  "event": "Something bad happened..",
  "eventData": {
    "data": {
      "eventKind": "Error",
      "details": null,
      "exceptionClass": "Exception",
      "exceptionMessage": "Exception text"
    }
  }
}

1.7 PasswordChanged

Recorded when a user password was successfully changed.

Field	Description
user	The SAM account name of the account that was updated.

Example:

{
  "time": "2019-08-07 15:00:59.9008",
  "threadId": "16",
  "level": "INFO",
  "event": "PasswordChanged",
  "eventData": {
    "data": {
      "user": "tu1",
      "eventKind": "PasswordChanged",
      "details": null
    }
  }
}

1.8 PasswordChangeRejected

Recorded when a user password change was rejected by Enzoic due to policy settings.

Field	Description
user	The SAM account name of the account on which the password change was attempted.
detection methods	EnzoicApi, LocalDictionary, PasswordSimilarity, UserDisplayName, UserName, UserEmail
match types	ExactMatch, FuzzyMatch, RootPasswordMatch

Field

Description

user

The SAM account name of the account on which the password change was attempted.

detection methods

EnzoicApi, LocalDictionary, PasswordSimilarity, UserDisplayName, UserName, UserEmail

match types

ExactMatch, FuzzyMatch, RootPasswordMatch

Example:

{
  "time":"2020-09-02 14:15:08.5068",
  "threadId": "4",
  "level": "INFO",
  "event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
  "eventData": {
    "data": {
      "user": "testfosmo",
      "detectionMethod":"EnzoicApi",
      "matchTypes":[
        "RootPasswordMatch"
      ],
      "eventKind": "PasswordChangeRejected",
      "details": null
    }
  }
}

1.9 CompromiseDetectedDelayedRemediationScheduled

Recorded by User Password Monitoring when a user password was detected as compromised and a delayed remediation was scheduled (e.g. force password change after 24 hours)

Field	Description
user	The SAM account name of the affected account.
detectionTimestamp	Timestamp of when the compromise was detected.
actionTaken	Indicates the action that was taken in response to the compromise. See table 1.11 for possible values.
actionDelayHours	The number of hours before the delayed remediation will take effect . This only applies when actionTaken is ForcePasswordChangeOnLoginDelayed or DisableAccountDelayed

Field

Description

user

The SAM account name of the affected account.

detectionTimestamp

Timestamp of when the compromise was detected.

actionTaken

Indicates the action that was taken in response to the compromise. See table 1.11 for possible values.

actionDelayHours

The number of hours before the delayed remediation will take effect . This only applies when actionTaken is ForcePasswordChangeOnLoginDelayed or DisableAccountDelayed

Example:

{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "CompromiseDetectedDelayedRemediationScheduled",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLoginDelayed",
      "actionDelayHours": 1,
      "eventKind": "CompromiseDetectedDelayedRemediationScheduled",
      "details": null
    }
  }
}

1.10 DelayedRemediationActionTaken

Recorded by User Password Monitoring when a previously scheduled delayed remediation was taken. For example, if a user was scheduled to force a password change after 24 hours, this event gets logged when the user is set to Force Password Change on Next Logon in AD.

Field	Description
user	The SAM account name of the affected account.
detectionTimestamp	Timestamp of when the compromise was detected.
actionTaken	Possible values: ForcePasswordChangeOnLogin, DisableAccount
actionDelayHours	Always zero.

Field

Description

user

The SAM account name of the affected account.

detectionTimestamp

Timestamp of when the compromise was detected.

actionTaken

Possible values: ForcePasswordChangeOnLogin, DisableAccount

actionDelayHours

Always zero.

Example:

{
  "time": "2019-08-07 15:01:35.7445",
  "threadId": "10",
  "level": "INFO",
  "event": "DelayedRemediationActionTaken",
  "eventData": {
    "data": {
      "user": "tu1",
      "detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
      "actionTaken": "ForcePasswordChangeOnLogin",
      "actionDelayHours": 0,
      "eventKind": "DelayedRemediationActionTaken",
      "details": null
    }
  }
}

1.11 Remediation Actions

The possible remediation action values for log events are listed below.

Name	Description
ForcePasswordChangeOnLogin	The affected user account is updated to require the password to be changed on the next login attempt.
ForcePasswordChangeOnLoginDelayed	The affected user account is updated to require the password to be changed on the next login attempt. This action is delayed by the number of configured hours.
DisableAccount	The affected user account is disabled.
DisableAccountDelayed	The affected user account is disabled. This action is delayed by the number of configured hours.
NotifyOnly	An email notification is sent to the configured recipients. No further remediation is taken.

Name

Description

ForcePasswordChangeOnLogin

The affected user account is updated to require the password to be changed on the next login attempt.

ForcePasswordChangeOnLoginDelayed

The affected user account is updated to require the password to be changed on the next login attempt. This action is delayed by the number of configured hours.

DisableAccount

The affected user account is disabled.

DisableAccountDelayed

The affected user account is disabled. This action is delayed by the number of configured hours.

NotifyOnly

An email notification is sent to the configured recipients. No further remediation is taken.

PreviousTest Page NextBackup Considerations

Last updated 1 year ago