
1E 23.7 (SaaS)

WindowsEventLog

Trigger

WindowsEventLog

Action

Triggers when a log entry is created in a specific Event Log, optionally matching an XPath filtering expression. This can include the "Classic" Windows Event Logs (Application, Security, Setup and System) and also the "Applications and Services Logs" (although it does not include the "Analytic and Debug" logs).

Parameters

Channel (string): The name/path of the event log to monitor. If the corresponding channel has not been enabled for event logging, the Tachyon Agent enables it automatically.

Example: "Security" or "Microsoft-Windows-Bits-Client/Operational"

Query (string): Optional XPath expression matched against new entries written to the event log.

Example: "*[System/EventID=4688]"

See the MSDN references pages on Event Queries and Event XML and Event Selection for details of the supported XPath syntax and examples.

AuditSubCategoryGuid (GUID string): Optional GUID of the security audit sub-category whose "success" and "failure" auditing the Tachyon Agent should enable while this trigger is active.

Example: "0CCE922B-69AE-11D9-BED3-505054503030" corresponds to the "Process Creation" sub-category.

See the MSDN reference for a list of available GUIDs.

The Tachyon Agent will modify the local security policy to enable "failure" and "success" auditing for this sub-category for the period that this trigger remains active. Doing so means that corresponding event log entries will be generated when system activity occurs for this sub-category. The Tachyon Agent will attempt to re-enable this level of auditing if the Local Security Authority Subsystem Service (LSASS) indicates that the audit policy has changed - e.g. through a re-application of local/group policy, or if an administrator has manually adjusted the auditing policy using a tool like "auditpol".

DebounceTimeSeconds (Integer): Optional de-bounce time in seconds.

How long to hold back firing this trigger (to wait for additional events to occur); see the section above on Trigger de-bouncing.

Example


<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example template: fire when a logon attempt fails.
  Channel/Query: Security log entries with EventID 4625 (the Description
  identifies these as logons that fail because of a bad username or password).
  AuditSubCategoryGuid: while this trigger is active the Agent turns on
  "success" and "failure" auditing for this sub-category and re-applies it if
  LSASS reports an audit-policy change, so the host's local audit policy and
  Security log volume change for as long as the trigger is active. Presumably
  the "Logon" sub-category; confirm against Microsoft's audit policy GUID list.
  DebounceTimeSeconds: holds the trigger back for 1 second to coalesce
  additional events before firing.
-->
<TriggerTemplate Name="AccountLogonFails"
                 Category="Event"
                 Description="When a logon fails due to bad username or password"
                 Type="WindowsEventLog"
                 ReadablePayload="When a logon fails due to bad username or password">
  <AgentParameters>
    <Parameter Name="Channel"
               Value="Security" />
    <Parameter Name="Query"
               Value="*[System/EventID=4625]" />
    <Parameter Name="AuditSubCategoryGuid"
               Value="0CCE9215-69AE-11D9-BED3-505054503030" />
    <Parameter Name="DebounceTimeSeconds"
               Value="1" />
  </AgentParameters>
</TriggerTemplate>
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example template: fire when any process crashes.
  Channel/Query: Application log entries with Level 2 (the Error level) and
  EventID 1000 (the Description identifies these as process crashes).
  No AuditSubCategoryGuid is given: the parameter is optional and no audit
  policy change is needed for the Application log.
  DebounceTimeSeconds: 0, so each matching entry fires the trigger immediately.
-->
<TriggerTemplate Name="AnyProcessCrash"
                 Category="Event"
                 Description="When any process crashes (Windows only)"
                 Type="WindowsEventLog"
                 ReadablePayload="On crash of any running process">
  <AgentParameters>
    <Parameter Name="Channel"
               Value="Application" />
    <Parameter Name="Query"
               Value="*[System[(Level=2) and (EventID=1000)]]" />
    <Parameter Name="DebounceTimeSeconds"
               Value="0" />
  </AgentParameters>
</TriggerTemplate>
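<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example template: fire when a Windows Firewall profile state changes.
  Channel: the Firewall operational channel; per the Channel parameter docs the
  Agent enables the channel if it is not already logging.
  Query: EventID 2003 entries whose EventData holds a Data element named
  SettingType with value 1 (presumably the profile enable/disable setting;
  confirm against the event's EventData schema). The double quotes inside the
  XPath are written as &quot; so the attribute value is well-formed XML; the
  parsed query text is unchanged.
  AuditSubCategoryGuid: left empty. The parameter is optional and audit
  sub-categories apply to Security auditing, so an empty value is assumed to
  mean "not set"; confirm how the Agent treats an empty string.
  DebounceTimeSeconds: holds the trigger back for 2 seconds to coalesce bursts.
-->
<TriggerTemplate Name="FirewallEnableChange" Category="Event" Description="When a Firewall profile state changes" Type="WindowsEventLog" ReadablePayload="When a Firewall profile state changes">
  <AgentParameters>
    <Parameter Name="Channel" Value="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" />
    <Parameter Name="Query" Value="*[System/EventID=2003] and *[EventData[Data[@Name=&quot;SettingType&quot;] and (Data=&quot;1&quot;)]]" />
    <Parameter Name="AuditSubCategoryGuid" Value="" />
    <Parameter Name="DebounceTimeSeconds" Value="2" />
  </AgentParameters>
</TriggerTemplate>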
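<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example template: fire when a named process crashes.
  Channel/Query: Application log entries with Level 2 (Error) and EventID 1000
  whose EventData contains a Data element exactly equal to the user-supplied
  %executable% value. The placeholder says "with or without path", which
  suggests the event carries both the image name and the image path as
  separate Data fields; confirm against the event's EventData schema.
  ReadablePayload: the quotes around %executable% are written as &quot; so the
  attribute stays well-formed XML.
  UserParameterJson: %executable% is free text with no Regex and a 1024
  character limit, and it is substituted into both the XPath and the XML
  attribute. A value containing quote or bracket characters could yield an
  invalid query unless the platform escapes substituted values; confirm that
  it does, or constrain the parameter with a Regex.
  DebounceTimeSeconds: 0, so each matching entry fires immediately.
-->
<TriggerTemplate Name="ProcessCrash" Category="Event" Description="When a process crashes (Windows only)" Type="WindowsEventLog" ReadablePayload="On crash of process &quot;%executable%&quot;">
  <AgentParameters>
    <Parameter Name="Channel" Value="Application" />
    <Parameter Name="Query" Value="*[System[(Level=2) and (EventID=1000)]] and *[EventData[Data='%executable%']]" />
    <Parameter Name="DebounceTimeSeconds" Value="0" />
  </AgentParameters>
  <UserParameterJson><![CDATA[[{"Name":"Executable","Pattern":"%executable%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"executable with or without path","DefaultValue":null,"Validation":{"Regex":null,"MaxLength":"1024","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null}]]]></UserParameterJson>
</TriggerTemplate>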
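<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example template: fire when a named process is launched.
  Channel/Query: Security log entries with EventID 4688 whose EventData has a
  Data element named NewProcessName exactly equal to %executable%. The
  placeholder asks for the executable "with path", consistent with an exact
  match against a full image path; a bare file name would not match.
  AuditSubCategoryGuid: the "Process Creation" sub-category (as stated in the
  parameter docs above). While the trigger is active the Agent enables
  "success" and "failure" auditing for it and re-applies the setting if LSASS
  reports an audit-policy change, so the host's local audit policy and
  Security log volume change for the lifetime of the trigger.
  Quotes inside the Query and ReadablePayload attributes are written as &quot;
  so the values are well-formed XML; the parsed text is unchanged.
  UserParameterJson: %executable% is free text (no Regex, 1024 character limit)
  substituted into the XPath and the XML attribute; confirm the platform
  escapes substituted values or constrain the parameter with a Regex.
  DebounceTimeSeconds: 0, so each matching entry fires immediately.
-->
<TriggerTemplate Name="ProcessLaunch" Category="Event" Description="When a process starts (Windows only)" Type="WindowsEventLog" ReadablePayload="On launch of process &quot;%executable%&quot;">
  <AgentParameters>
    <Parameter Name="Channel" Value="Security" />
    <Parameter Name="Query" Value="*[System/EventID=4688] and *[EventData[Data[@Name=&quot;NewProcessName&quot;] and (Data=&quot;%executable%&quot;)]]" />
    <Parameter Name="AuditSubCategoryGuid" Value="0CCE922B-69AE-11D9-BED3-505054503030" />
    <Parameter Name="DebounceTimeSeconds" Value="0" />
  </AgentParameters>
  <UserParameterJson><![CDATA[[{"Name":"Executable","Pattern":"%executable%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"executable with path","DefaultValue":null,"Validation":{"Regex":null,"MaxLength":"1024","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null}]]]></UserParameterJson>
</TriggerTemplate>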
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example template: fire when a USB drive is attached.
  Channel: the user-mode driver framework operational channel; per the Channel
  parameter docs the Agent enables it if it is not already logging.
  Query: EventID 1003 or EventID 1006 entries (the Description ties these to a
  USB drive being attached; confirm the exact meaning of each ID against the
  provider's event documentation).
  AuditSubCategoryGuid: left empty; the parameter is optional and is assumed to
  mean "not set" here. Confirm how the Agent treats an empty string.
  DebounceTimeSeconds: holds the trigger back for 5 seconds so the several
  events one insertion can raise are coalesced into a single firing.
-->
<TriggerTemplate Name="UsbDriveInsertion"
                 Category="Event"
                 Description="When a USB drive is attached"
                 Type="WindowsEventLog"
                 ReadablePayload="When a USB drive is attached">
  <AgentParameters>
    <Parameter Name="Channel"
               Value="Microsoft-Windows-DriverFrameworks-UserMode/Operational" />
    <Parameter Name="Query"
               Value="*[System/EventID=1003] or *[System/EventID=1006]" />
    <Parameter Name="AuditSubCategoryGuid"
               Value="" />
    <Parameter Name="DebounceTimeSeconds"
               Value="5" />
  </AgentParameters>
</TriggerTemplate>
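<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example template: fire when an account is added to the local Administrators
  group.
  Channel/Query: Security log entries with EventID 4732 whose EventData has a
  Data element named TargetUserName equal to "Administrators". This matches the
  group by its display name, which is locale dependent: on a non-English
  system the built-in group has a different name and the trigger would not
  fire. Matching the well-known SID of the built-in Administrators group
  (S-1-5-32-544) in the event's target SID field would be locale independent;
  confirm the field name against the event's EventData schema.
  AuditSubCategoryGuid: presumably the "Security Group Management"
  sub-category; confirm against Microsoft's audit policy GUID list. While the
  trigger is active the Agent enables "success" and "failure" auditing for it
  and re-applies the setting if LSASS reports an audit-policy change.
  The double quotes inside the XPath are written as &quot; so the attribute
  value is well-formed XML; the parsed query text is unchanged.
  DebounceTimeSeconds: holds the trigger back for 1 second to coalesce events.
-->
<TriggerTemplate Name="UserAddedToLocalAdmin" Category="Event" Description="When an account is added as a local administrator" Type="WindowsEventLog" ReadablePayload="When an account is added as a local administrator">
  <AgentParameters>
    <Parameter Name="Channel" Value="Security" />
    <Parameter Name="Query" Value="*[System/EventID=4732] and *[EventData[Data[@Name=&quot;TargetUserName&quot;] and (Data=&quot;Administrators&quot;)]]" />
    <Parameter Name="AuditSubCategoryGuid" Value="0CCE9237-69AE-11D9-BED3-505054503030" />
    <Parameter Name="DebounceTimeSeconds" Value="1" />
  </AgentParameters>
</TriggerTemplate>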
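<?xml version="1.0" encoding="UTF-8"?>
<!--
  Generic template: every Agent parameter is supplied by the user.
  Channel: %channel% is free text with no Regex. Per the Channel parameter
  docs the Agent enables any channel that is not already logging, so whoever
  can set this value can turn on logging for arbitrary channels on the host;
  restrict who may author or instantiate this template accordingly.
  Query: %query% is free text (no Regex, 1024 character limit) substituted
  into an XML attribute; confirm the platform escapes quote and bracket
  characters or the resulting query may be invalid.
  Debounce: %debounce% must match [0-9]{0,2} with a maximum length of 2, i.e.
  0 to 99 seconds or empty; the default is "0". Whether the Regex is anchored
  depends on the platform; confirm.
  ReadablePayload: the quotes around %channel% and %query% are written as
  &quot; so the attribute is well-formed XML, and a space separates "Windows"
  from the quoted channel name.
-->
<TriggerTemplate Name="WindowsEventLog" Category="Advanced" Description="When an event log entry is created (Windows only)" Type="WindowsEventLog" ReadablePayload="On Windows &quot;%channel%&quot; event log entry matching &quot;%query%&quot; (debounce for %debounce% seconds)">
  <AgentParameters>
    <Parameter Name="Channel" Value="%channel%" />
    <Parameter Name="Query" Value="%query%" />
    <Parameter Name="DebounceTimeSeconds" Value="%debounce%" />
  </AgentParameters>
  <UserParameterJson><![CDATA[[{"Name":"Channel","Pattern":"%channel%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"channel","DefaultValue":null,"Validation":{"Regex":null,"MaxLength":"1024","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null},{"Name":"Query","Pattern":"%query%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"query","DefaultValue":null,"Validation":{"Regex":null,"MaxLength":"1024","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null},{"Name":"Debounce","Pattern":"%debounce%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"debounce time (seconds)","DefaultValue":"0","Validation":{"Regex":"[0-9]{0,2}","MaxLength":"2","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null}]]]></UserParameterJson>
</TriggerTemplate>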
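<?xml version="1.0" encoding="UTF-8"?>
<!--
  Generic Security log template: the channel is fixed to Security; the query,
  audit sub-category and debounce time are supplied by the user.
  Query: %query% is free text (no Regex, 1024 character limit) substituted
  into an XML attribute; confirm the platform escapes quote and bracket
  characters or the resulting query may be invalid.
  AuditSubcategoryGuid: %auditSubcategoryGuid% must match the 8-4-4-4-12 hex
  GUID pattern with a maximum length of 36. Whether the Regex is anchored
  depends on the platform, but the length limit leaves no room for extra
  characters. Per the parameter docs the Agent enables "success" and
  "failure" auditing for whatever sub-category is supplied and re-applies it
  if LSASS reports an audit-policy change, so any accepted GUID changes the
  host's local audit policy; restrict who may set this parameter.
  Debounce: %debounce% must match [0-9]{0,2} with a maximum length of 2, i.e.
  0 to 99 seconds or empty; the default is "0".
  ReadablePayload: the quotes around %query% and %auditSubcategoryGuid% are
  written as &quot; so the attribute is well-formed XML.
-->
<TriggerTemplate Name="WindowsSecurityEventLog" Category="Advanced" Description="When a security event is created (Windows only)" Type="WindowsEventLog" ReadablePayload="On Windows Security event log entry matching &quot;%query%&quot; (audit category &quot;%auditSubcategoryGuid%&quot;, debounce for %debounce% seconds)">
  <AgentParameters>
    <Parameter Name="Channel" Value="Security" />
    <Parameter Name="Query" Value="%query%" />
    <Parameter Name="AuditSubCategoryGuid" Value="%auditSubcategoryGuid%" />
    <Parameter Name="DebounceTimeSeconds" Value="%debounce%" />
  </AgentParameters>
  <UserParameterJson><![CDATA[[{"Name":"Query","Pattern":"%query%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"query","DefaultValue":null,"Validation":{"Regex":null,"MaxLength":"1024","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null},{"Name":"AuditSubcategoryGuid","Pattern":"%auditSubcategoryGuid%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"audit sub-category GUID","DefaultValue":null,"Validation":{"Regex":"([0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12})","MaxLength":"36","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null},{"Name":"Debounce","Pattern":"%debounce%","DataType":"string","ControlType":"freeText","ControlMetadata":null,"Placeholder":"debounce time (seconds)","DefaultValue":"0","Validation":{"Regex":"[0-9]{0,2}","MaxLength":"2","AllowedValues":null,"NumValueRestrictions":null},"Value":null,"HintText":null,"Source":null}]]]></UserParameterJson>
</TriggerTemplate>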

Platforms

  • Windows Vista and later.

Notes

Warning

This trigger is very powerful, as many applications and operating system components use the Windows Event Log to capture activity. Additionally, the trigger can be used to monitor for Security events, which are only generated when the corresponding security auditing policy is enabled.