This reference contains information on security-relevant objects and values.
In order to create easy to analyze events, there are a number of events that need to be combined so that they can provide a full picture of what can be seen in the log. This section describes the correlation logic to be used.
Kerberos error code list
The Kerberos error code list provides a complete overview over errors from the Kerberos authentication system.
Windows Event-Specific Articles
Information on events we have researched. Often works together with the Event Repository.
Work in Progress
Papers in this section are not finished, but may already provide some value. Please use them at your sole risk – they may be incomplete, inconsistent and even totally wrong.
Comments on these papers are highly appreciated. If you would like to do so, please directly contact the author specified in the paper.
- Spec for a Simple (reliable) Event Logging Protocol (SELP)
[formatted text] [nroff source]
If you would like to contribute, please download the nroff source and apply edits there!
- On the Nature of Syslog Data [March 2004]
- An Algorithm for Baselining Traffic Data [September 2003]
- The Needle in the Haystack – or how to approach log data.
- Windows Event Log Attack Signatures – so far, more or lesss a think tank.
- IHE and the syslog message size
Windows Default User Objects
Windows Default Global Groups
- Cert Publishers
- Domain Admins
- Domain Computers
- Domain Controllers
- Domain Guests
- Domain Users
- Enterprise Admins
- Group Policy Creator Owner
- Schema Admins
Windows Default Domain Local Groups
- Account Operators
- Pre-Windows 2000 Compatible Access
- Backup Operators
- Print Operators
- RAS and IAS Servers
- Server Operators
Windows Default Local Groups
Windows System Groups
- Anonymous Logon
- Authenticated Users
- CREATOR GROUP
- CREATOR OWNER
- ENTERPRISE DOMAIN CONTROLLER
- TERMINAL SERVER USER
If you are interested in specific Windows Event IDs, you may find related information at the Network Event Parsing Database.