Item Cloning to Create a PCI DSS Windows Template

Video Lecture

Description

In this lecture, I use item cloning to add many more events to my PCI DSS Windows Template.

I copy the 'Failed Logon' item and create many more.

Below is a link to download the template created in this Lecture. You can import it into Zabbix.

All the event items I added were:

EventID 4608 : Windows is starting up

EventID 4609 : Windows is shutting down

EventID 4610 : An authentication package has been loaded by the Local Security Authority

EventID 4611 : A trusted logon process has been registered with the Local Security Authority

EventID 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits

EventID 4614 : A notification package has been loaded by the Security Account Manager

EventID 4616 : The system time was changed

EventID 4624 : Successful Logon

EventID 4625 : Failed Logon

EventID 4634 : An account was logged off

EventID 4657 : A registry value was modified

EventID 4660 : An object was deleted

EventID 4663 : An attempt was made to access an object

EventID 4670 : Permissions on an object were changed

EventID 4674 : An operation was attempted on a privileged object

EventID 4720 : A user account was created

EventID 4722 : A user account was enabled

EventID 4723 : An attempt was made to change an account's password

EventID 4725 : A user account was disabled

EventID 4726 : A user account was deleted

EventID 4727 : A security-enabled global group was created

EventID 4728 : A member was added to a security-enabled global group

EventID 4729 : A member was removed from a security-enabled global group

EventID 4730 : A security-enabled global group was deleted

EventID 4731 : A security-enabled local group was created

EventID 4732 : A member was added to a security-enabled local group

EventID 4733 : A member was removed from a security-enabled local group

EventID 4734 : A security-enabled local group was deleted

EventID 4738 : A user account was changed

EventID 4740 : A user account was locked out

EventID 4767 : A user account was unlocked

EventID 5143 : A network share object was modified

EventID 6144 : Security policy in the group policy objects has been applied successfully

After adding all of the items, I realised that I hadn't created the Application 'Security' in the new template, so I created it and then used Mass Update to assign all the new items to the 'Security' application.

If you prefer a single item that watches all of the event IDs above at the same time, use the following item key instead:

eventlog[Security,,,,4608|4609|4610|4611|4612|4614|4616|4624|4625|4634|4657|4660|4663|4670|4674|4720|4722|4723|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4738|4740|4767|5143|6144,,skip]
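The script below is an added example written for this page; it is not code from the lecture or from the GitHub template. It shows the two ways of collecting the events listed above: one item per event ID (the API equivalent of cloning the 'Failed Logon' item, using Zabbix's item.create parameters) and the single combined eventlog[] key. It also parses any eventlog[] key into its positional parameters and checks which event IDs a key actually collects, so a template author can confirm nothing from the PCI DSS list was dropped. The function names, the template_id placeholder, the 30s delay and the whole-ID regex matching semantics are assumptions made here.

```python
"""Zabbix Windows event log item keys for the PCI DSS template (added example).

Zabbix agent key layout: eventlog[name,<regexp>,<severity>,<source>,<eventid>,<maxlines>,<mode>]
"""
import re

# Event IDs and descriptions copied from the lecture's list.
PCI_EVENT_IDS = {
    4608: "Windows is starting up",
    4609: "Windows is shutting down",
    4610: "An authentication package has been loaded by the Local Security Authority",
    4611: "A trusted logon process has been registered with the Local Security Authority",
    4612: "Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits",
    4614: "A notification package has been loaded by the Security Account Manager",
    4616: "The system time was changed",
    4624: "Successful Logon",
    4625: "Failed Logon",
    4634: "An account was logged off",
    4657: "A registry value was modified",
    4660: "An object was deleted",
    4663: "An attempt was made to access an object",
    4670: "Permissions on an object were changed",
    4674: "An operation was attempted on a privileged object",
    4720: "A user account was created",
    4722: "A user account was enabled",
    4723: "An attempt was made to change an account's password",
    4725: "A user account was disabled",
    4726: "A user account was deleted",
    4727: "A security-enabled global group was created",
    4728: "A member was added to a security-enabled global group",
    4729: "A member was removed from a security-enabled global group",
    4730: "A security-enabled global group was deleted",
    4731: "A security-enabled local group was created",
    4732: "A member was added to a security-enabled local group",
    4733: "A member was removed from a security-enabled local group",
    4734: "A security-enabled local group was deleted",
    4738: "A user account was changed",
    4740: "A user account was locked out",
    4767: "A user account was unlocked",
    5143: "A network share object was modified",
    6144: "Security policy in the group policy objects has been applied successfully",
}

# Positional parameters of the eventlog[] key, in order.
EVENTLOG_PARAMS = ("name", "regexp", "severity", "source", "eventid", "maxlines", "mode")


def build_eventlog_key(log_name, event_ids, mode="skip"):
    """One key whose eventid parameter is a regex alternation of all IDs,
    e.g. eventlog[Security,,,,4624|4625,,skip]. Mode 'skip' reports only events
    written after the item starts; 'all' (the default) also reads the backlog."""
    eventid = "|".join(str(i) for i in event_ids)
    return f"eventlog[{log_name},,,,{eventid},,{mode}]"


def parse_eventlog_key(key):
    """Split an eventlog[] key into a dict of its seven positional parameters;
    trailing parameters that were omitted come back as empty strings."""
    m = re.fullmatch(r"eventlog\[(.*)\]", key)
    if m is None:
        raise ValueError(f"not an eventlog item key: {key}")
    parts = m.group(1).split(",")
    if len(parts) > len(EVENTLOG_PARAMS):
        raise ValueError(f"too many parameters in key: {key}")
    parts += [""] * (len(EVENTLOG_PARAMS) - len(parts))
    return dict(zip(EVENTLOG_PARAMS, parts))


def key_collects_event(key, event_id):
    """True if an event with this ID passes the key's eventid filter.
    Assumption: the filter regex is matched against the whole decimal ID, and
    an empty filter accepts every ID."""
    pattern = parse_eventlog_key(key)["eventid"]
    if pattern == "":
        return True
    return re.fullmatch(pattern, str(event_id)) is not None


def clone_items(template_id, log_name, event_ids):
    """item.create parameter dicts, one item per event ID: the API equivalent of
    cloning the 'Failed Logon' item in the UI. type 7 = Zabbix agent (active),
    which the eventlog key requires; value_type 2 = log. template_id and the
    30s delay are placeholder assumptions, not values from the lecture."""
    return [
        {
            "name": f"EventID {eid} : {PCI_EVENT_IDS.get(eid, 'Windows event')}",
            "key_": build_eventlog_key(log_name, [eid]),
            "hostid": template_id,
            "type": 7,
            "value_type": 2,
            "delay": "30s",
        }
        for eid in event_ids
    ]
```

Whichever form you choose, the eventlog key is only served by the active agent, so the template items must be of type "Zabbix agent (active)" and the Windows agent needs ServerActive configured; a passive-only agent will leave every event item unsupported. The `skip` mode is what you want on a freshly deployed template, otherwise the agent will replay the entire existing Security log on first poll.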

Download the finished template

https://github.com/Sean-Bradley/zabbix_windows_pci_dss_template