Logging and SIEM Integration
Enzoic for Active Directory v3.0 and Earlier
Log Files
By default, Enzoic for Active Directory stores logs in the following location:
C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs
The following log files are available:
Console
EnzoicConsole_{logDate}.json EnzoicConsole_{logDate}.log
JSON TXT
These are logs generated by the Enzoic console UI.
Service
EnzoicService_{logDate}.json EnzoicService_{logDate}.log
JSON TXT
These are logs generated by the Enzoic service. These tend to be the most useful for troubleshooting and contain details for when a compromised password is found for a user by Compromised Password Protection as well as when a password change is blocked.
Filter
EnzoicFilter.txt
TXT
These are logs generated by the Enzoic password filter DLL.
Logs rollover and are only stored for the last 7 days.
SIEM Integration
Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries.
Logs files are stored at:
C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs
1.1 Log Entry Fields / Structure
Each JSON log entry has the following structure.
time
Timestamp at which the event occurred.
threadId
The managed .NET thread ID which was running.
level
Level of event severity. This can be one of the following: INFO, WARN, ERROR.
eventData
A JSON object containing additional details, specific to the event. The object has one field, “data” containing an object with the actual details.
event
This is either a message or an enum value indicating the event kind. (see the eventKind field in table 1.2)
1.2 Event Data Fields – Common to All Events
The content of eventData varies per the type of logged event, but the following fields are always present.
eventKind
Indicates the nature of the event. See table 1.3 for possible values.
details
Either a free-form complex object or extended message. Can be null.
1.3 Event Kinds
Info
General informational message.
Warning
A recoverable problem or unusual event has occurred.
Error
A (possibly unrecoverable) problem has occurred, and may require user intervention or investigation.
PasswordChanged
User account password was changed.
PasswordChangeRejected
User account password change was attempted, but the password did not pass the integrity checks.
CompromiseDetectedDelayedRemediationScheduled
A compromised password was detected, and was either remediated, or scheduled for remediation after a delay.
DelayedRemediationActionTaken
A previously scheduled remediation was applied.
Log Entry Details for Each Event Kind
1.4 Info
Recorded when there is a general informational message.
Example:
1.5 Warning
Recorded when a recoverable problem or unusual event has occurred.
Example:
1.6 Error
Recorded when a problem has occurred that may require user intervention or investigation. The eventData payload contains the exception details and can be helpful to support for further investigation.
exceptionClass
The name of the .NET exception class, if there is an exception.
exceptionMessage
The exception message, if there is an exception.
Example:
1.7 PasswordChanged
Recorded when a user password was successfully changed.
user
The SAM account name of the account that was updated.
Example:
1.8 PasswordChangeRejected
Recorded when a user password change was rejected by Enzoic due to policy settings.
user
The SAM account name of the account on which the password change was attempted.
detection methods
EnzoicApi, LocalDictionary, PasswordSimilarity, UserDisplayName, UserName, UserEmail
match types
ExactMatch, FuzzyMatch, RootPasswordMatch
Example:
1.9 CompromiseDetectedDelayedRemediationScheduled
Recorded by Continuous Password Protection when a user password was detected as compromised and a delayed remediation was scheduled (e.g. force password change after 24 hours)
user
The SAM account name of the affected account.
detectionTimestamp
Timestamp of when the compromise was detected.
actionTaken
Indicates the action that was taken in response to the compromise. See table 1.11 for possible values.
actionDelayHours
The number of hours before the delayed remediation will take effect . This only applies when actionTaken is ForcePasswordChangeOnLoginDelayed or DisableAccountDelayed
Example:
1.10 DelayedRemediationActionTaken
Recorded by Continuous Password Protection when a previously scheduled delayed remediation was taken. For example, if a user was scheduled to force a password change after 24 hours, this event gets logged when the user is set to Force Password Change on Next Logon in AD.
user
The SAM account name of the affected account.
detectionTimestamp
Timestamp of when the compromise was detected.
actionTaken
Possible values: ForcePasswordChangeOnLogin, DisableAccount
actionDelayHours
Always zero.
Example:
1.11 Remediation Actions
The possible remediation action values for log events are listed below.
ForcePasswordChangeOnLogin
The affected user account is updated to require the password to be changed on the next login attempt.
ForcePasswordChangeOnLoginDelayed
The affected user account is updated to require the password to be changed on the next login attempt. This action is delayed by the number of configured hours.
DisableAccount
The affected user account is disabled.
DisableAccountDelayed
The affected user account is disabled. This action is delayed by the number of configured hours.
NotifyOnly
An email notification is sent to the configured recipients. No further remediation is taken.
Last updated