Most organizations under attack have no clue they're being targeted. Here are security events to look for in case of a breach The 2012 Verizon Data Breach Investigations Report released last week continues to reverberate. The stats that jumped out at me: 96 percent of data breaches were relatively easy for attackers to pull off, and 97 percent of those attacks were easily avoidable.Want to protect yourself against malicious hackers and malware? Do the basics better and more consistently. Patch better, isolate better — and for god’s sake, enable your monitoring.According to the report, 85 percent of victims were unaware of their compromised state for weeks- to months-long stretches. When they did become aware, 92 percent of the time it was because an outside third party told them. That’s embarrassing.In which group would you rather be? The 85 percent hanging their heads in shame or the 15 percent who had a clue? I know InfoWorld readers care more than the average IT working stiff. It’s why you read our publication and this blog in particular. I also realize that our readers are tasked with dozens of different projects every year, each one a high priority that overrides previous priorities.But the bottom line is this: If you don’t have a good security event logging program, become the champion in your organization and create one. What to monitorYou should enable event log monitoring on all managed workstations and servers. Don’t make the mistake of only monitoring servers — 99 percent of the malicious action begins on a regular end-user’s workstation before it spreads to the servers holding the data. Often, by the time attackers reach the servers, they are operating with an elevated end-user’s credentials, and event log monitoring becomes much tougher.In the interest of giving specific advice, I’ve assembled the Windows security event log IDs [Excel format] that you should be monitoring on Microsoft operating system, although the events and behaviors they cover should be monitored on any OS used by your organization. Microsoft probably has the best security event log ID descriptions, so it’s a good place to start. (Note: I am a full-time employee of Microsoft.)High-criticality events. Here are the events I consider most relevant and require immediate investigation, unless the event that occurred through approved change/configuration control requirements.High-criticality events Vista/W2K8/Win7W2K3/XP legacyEvent description4618–A monitored security event pattern has occurred.–550Possible denial-of-service (DoS) attack.4649–A replay attack was detected. (Note: This may be nonmalicious and frequently reoccurring in some environments.)4692–Backup of data protection master key was attempted.4693–Recovery of data protection master key was attempted.4694–Protection of auditable protected data was attempted.4695–Unprotection of auditable protected data was attempted.4719612System audit policy was changed.4765–SID History was added to an account.4766–An attempt to add SID History to an account failed.4794–An attempt was made to set the Directory Services Restore Mode.4816–RPC detected an integrity violation while decrypting an incoming message.4964–Special groups have been assigned to a new log-on.5124–A security setting was updated on the OCSP Responder Service. Medium-criticality events. Medium-criticality events should be monitored, but shouldn’t generate alerts unless they were incurred in an anomalous manner.Medium-criticality events Vista/ W2K8/ Win7W2K3/ XP LegacyEvent description4621–Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.4646–IKE DoS-prevention mode started.4675–SIDs were filtered.4706610A trust to a domain was removed.4707610A trust to a domain was removed.4713617Kerberos policy was changed.4714618Encrypted data recovery policy was changed.4715–The audit policy (SACL) on an object was changed.4716620Trusted domain information was modified.4724628An attempt was made to reset an account’s password.4727631A security-enabled global group was created.4735639A security-enabled local group was changed.4737641A security-enabled global group was changed.4739643Domain Policy was changed.4754658A security-enabled universal group was created.4755659A security-enabled universal group was changed.4764667A security-disabled group was deleted.4764668A group’s type was changed.4780684The ACL was set on accounts that are members of administrators groups.4782–The password hash an account was accessed.4865–A trusted forest information entry was added.4866–A trusted forest information entry was removed.4867–A trusted forest information entry was modified.4870774Certificate Services revoked a certificate.4882786The security permissions for Certificate Services changed.4890794The certificate manager settings for Certificate Services changed.4892796A property of Certificate Services changed.4896800One or more rows have been deleted from the certificate database.4906–The CrashOnAuditFail value has changed.4907–Auditing settings on object were changed.4908–Special Groups Logon table modified.4912807Per User Audit Policy was changed.4960–IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.4961–IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.4962–IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.4963–IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.4965–IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.4976–During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.4977–During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.4978–During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.4983–An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.4984–An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.5027–The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.5028–The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.5029–The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.5030–The Windows Firewall Service failed to start.5035–The Windows Firewall Driver failed to start.5037–The Windows Firewall Driver detected critical runtime error; terminating.5038–Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.5120–OCSP Responder Service started.5121–OCSP Responder Service stopped.5122–A configuration entry changed in OCSP Responder Service.5123–A configuration entry changed in OCSP Responder Service.5453–An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.5480–IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.5483–IPsec Services failed to initialize RPC server. IPsec Services could not be started.5484–IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.5485–IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.6145–One or more errors occurred while processing security policy in the group policy objects.–640General account database changed. There are numerous other events, many with low criticality, that deserve monitoring and alerting if they occur in an anomalous way (these are listed in my downloadable Excel file). Failed log-ons provide a great example. Every large environment experiences dozens to hundreds of failed, nonmalicious log-ons every day. People simply can’t type their passwords or PINs correctly every time. But an alert should be generated if the number of failed log-ons suddenly exceeds the normal amount expected in a given time period or occurs across more than the normal cross-section of computers. The event could just be the outcome of an errant script that is attempting to use an old password, but it could also be an attacker guessing the password. No event log monitoring plan should be complete without a few well-placed honeypots. In those cases, any attempted log-ons to the fake systems should generate alerts.There are far more to security event log monitoring systems than can be covered in a short article, but if you’ve ever wanted someone to give you specific list of events that you should be monitoring and alerting on, you have it now. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe