Item Cloning to Create a PCI DSS Windows Template
Video Lecture
Description
Note
I have removed this content from the course since over time many of the event IDs have become gradually unreliable.
In this lecture, I use item cloning to add many more events to my PCI DSS Windows Template.
I copy the 'Failed Logon' item and create many more.
EventID 4608 : Windows is starting up
EventID 4609 : Windows is shutting down
EventID 4610 : An authentication package has been loaded by the Local Security Authority
EventID 4611 : A trusted logon process has been registered with the Local Security Authority
EventID 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
EventID 4614 : A notification package has been loaded by the Security Account Manager
EventID 4616 : The system time was changed
EventID 4624 : Successful Logon
EventID 4625 : Failed Logon
EventID 4634 : An account was logged off
EventID 4657 : A registry value was modified
EventID 4660 : An object was deleted
EventID 4663 : An attempt was made to access an object
EventID 4670 : Permissions on an object were changed
EventID 4674 : An operation was attempted on a privileged object
EventID 4720 : A user account was created
EventID 4722 : A user account was enabled
EventID 4723 : An attempt was made to change an account's password
EventID 4725 : A user account was disabled
EventID 4726 : A user account was deleted
EventID 4727 : A security-enabled global group was created
EventID 4728 : A member was added to a security-enabled global group
EventID 4729 : A member was removed from a security-enabled global group
EventID 4730 : A security-enabled global group was deleted
EventID 4731 : A security-enabled local group was created
EventID 4732 : A member was added to a security-enabled local group
EventID 4733 : A member was removed from a security-enabled local group
EventID 4734 : A security-enabled local group was deleted
EventID 4738 : A user account was changed
EventID 4740 : A user account was locked out
EventID 4767 : A user account was unlocked
EventID 5143 : A network share object was modified
EventID 6144 : Security policy in the group policy objects has been applied successfully
If you prefer to have one item that scans all the event IDs above at the same time, you can use the | (or) symbol in the key to separate event IDs. The key's positional parameters are eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]: the log name is Security, the regexp, severity and source filters are left empty, the eventid parameter is a regular expression (Zabbix 2.0 and later), so | is regex alternation, maxlines is left at its default, and mode=skip tells the agent to start from new events rather than read the whole existing log on the first check. Note that eventlog[] keys only work as "Zabbix agent (active)" items with the value type Log, so the host needs a working ServerActive configuration in the agent.
eventlog[Security,,,,4608|4609|4610|4611|4612|4614|4616|4624|4625|4634|4657|4660|4663|4670|4674|4720|4722|4723|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4738|4740|4767|5143|6144,,skip]
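As an added example (not part of the course or of the template in the repository below), here is a PowerShell script you can run on a monitored Windows host before cloning items for the IDs above. It counts how many of each event ID the Security log has actually recorded in the last few days, warns about IDs that never fired (candidates to drop, or a sign that the audit policy needs fixing with auditpol), and builds the combined Zabbix key from the IDs that were seen so you don't have to type the list by hand. The $Days window, the chunk size of 20 (to stay under Get-WinEvent's per-query limit on Id values) and the ^(...)$ anchors around the alternation are my choices; the anchors assume a Zabbix version where the eventid parameter is a regular expression (2.0 and later) and can be dropped to match the unanchored form above.

```powershell
# Added example, not course material: check which PCI DSS template event IDs
# actually fire on this host, then emit the combined Zabbix eventlog[] key.
# Run in an elevated PowerShell session (reading the Security log needs
# administrator rights or membership in the Event Log Readers group).

param(
    [int]$Days = 7,              # how far back to look (assumed default)
    [string]$LogName = 'Security'
)

# The event IDs the lecture adds to the template, in the same order.
$EventIds = 4608,4609,4610,4611,4612,4614,4616,4624,4625,4634,4657,4660,4663,
            4670,4674,4720,4722,4723,4725,4726,4727,4728,4729,4730,4731,4732,
            4733,4734,4738,4740,4767,5143,6144

$since  = (Get-Date).AddDays(-$Days)
$counts = @{}
foreach ($id in $EventIds) { $counts[$id] = 0 }

# Get-WinEvent -FilterHashtable only accepts a limited number of Id values per
# query, so the list is queried in chunks of 20 and the counts are merged.
$chunkSize = 20
for ($i = 0; $i -lt $EventIds.Count; $i += $chunkSize) {
    $end   = [Math]::Min($i + $chunkSize, $EventIds.Count) - 1
    $chunk = $EventIds[$i..$end]
    # No matching events is reported as an error; silence it and keep the zero counts.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $chunk; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($g in ($events | Group-Object -Property Id)) {
        $counts[[int]$g.Name] = $g.Count
    }
}

# One row per ID: how often it fired and whether it fired at all.
$report = $EventIds | ForEach-Object {
    [pscustomobject]@{ EventId = $_; Count = $counts[$_]; Seen = ($counts[$_] -gt 0) }
}
$report | Format-Table -AutoSize

# IDs that never fired: either nothing happened, or the audit policy does not
# generate them. Check the policy before trusting a trigger on these IDs.
$silent = $report | Where-Object { -not $_.Seen } | Select-Object -ExpandProperty EventId
if ($silent) {
    Write-Warning ("No events in the last {0} days for IDs: {1}. Review 'auditpol /get /category:*' before relying on them." -f $Days, ($silent -join ', '))
}

# Build the single-item key from the IDs that were seen (all IDs if none were),
# anchoring the alternation so the regex matches the whole event ID.
$seen   = $report | Where-Object { $_.Seen } | Select-Object -ExpandProperty EventId
$keyIds = if ($seen) { $seen } else { $EventIds }
$key    = 'eventlog[{0},,,,^({1})$,,skip]' -f $LogName, ($keyIds -join '|')
Write-Output "Zabbix key: $key"
```

Run it as .\Check-PciEventIds.ps1 -Days 30 on a host that has been in service for a while; an ID that shows zero on every host you check is a good candidate for removal from the template, which is the same problem the note at the top of this page describes.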
Download finished Template
https://github.com/Sean-Bradley/zabbix_windows_pci_dss_template