Documentation for Product Version:
Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries.
Logs files are stored at ..\ProgramData\Enzoic\Enzoic for Active Directory\Logs
| Field | Description |
| time | Timestamp at which the event occurred. |
| threadId | The managed .NET thread ID which was running. |
| level | Level of event severity. This can be one of the following: INFO, WARN, ERROR. |
| eventData | A JSON object containing additional details, specific to the event. The object has one field, “data” containing an object with the actual details. |
| event | This is either a message or an enum value indicating the event kind. (see the eventKind field in table 1.2) |
| Field | Description |
| eventKind | Indicates the nature of the event. See table 1.3 for possible values. |
| details | Either a free-form complex object or extended message. Can be null. |
| Name | Description |
| Info | General informational message. |
| Warning | A recoverable problem, or unusual event has occurred. |
| Error | A (possibly unrecoverable) problem has occurred, and may require user intervention or investigation. |
| PasswordChanged | User account password was changed. |
| PasswordChangeRejected | User account password change was attempted, but the password did not pass the integrity checks. |
| CompromiseDetectedDelayedRemediationScheduled | A compromised password was detected, and was either remediated, or scheduled for remediation after a delay. |
| DelayedRemediationActionTaken | A previously scheduled remediation was applied. |
No additional fields.
Example
1
2
3
4
5
6
7
8
9
10
11
12
{
"time": "2019-08-07 16:24:57.2758",
"threadId": "22",
"level": "INFO",
"event": "Service shutdown.",
"eventData": {
"data": {
"eventKind": "Info",
"details": null
}
}
}No additional fields
Example
1
2
3
4
5
6
7
8
9
10
11
12
{
"time": "2019-08-07 15:02:37.3696",
"threadId": "10",
"level": "WARN",
"event": "The user tu1 no longer exists. Cleaning up artifacts related to this user.",
"eventData": {
"data": {
"eventKind": "Warning",
"details": null
}
}
}| Field | Description |
| exceptionClass | The name of the .NET exception class, if there is an exception. |
| exceptionMessage | The exception message, if there is an exception. |
Example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
"time": "2019-08-07 15:02:37.3696",
"threadId": "10",
"level": "ERROR",
"event": "Something bad happened..",
"eventData": {
"data": {
"eventKind": "Error",
"details": null,
"“exceptionClass”": "Exception",
"“exceptionMessage“": "Exception text"
}
}
}| Field | Description |
| user | The SAM account name of the account that was updated. |
Example
1
2
3
4
5
6
7
8
9
10
11
12
13
{
"time": "2019-08-07 15:00:59.9008",
"threadId": "16",
"level": "INFO",
"event": "PasswordChanged",
"eventData": {
"data": {
"user": "tu1",
"eventKind": "PasswordChanged",
"details": null
}
}
}| Field | Description |
| user | The SAM account name of the account on which the password change was attempted. |
| detection methods | EnzoicApi, LocalDictionary, PasswordSimilarity, UserDisplayName, UserName, UserEmail |
| match types | ExactMatch, FuzzyMatch, RootPasswordMatch |
Example
1
2
3
4
5
6
7
8
9
10
11
12
13
{
"time":"2020-09-02 14:15:08.5068",
"threadId": "4",
"level": "INFO",
"event": "The password is compromised and cannot be used. Detected by EnzoicApi and matched on RootPasswordMatch",
"eventData": {
"data": {
"user": "testfosmo",
"detectionMethod":"EnzoicApi",
"matchTypes":[
"RootPasswordMatch"
],
"eventKind": "PasswordChangeRejected",
"details": null
}
}
}|
Field |
Description |
|
user |
The SAM account name of the affected account. |
|
detectionTimestamp |
Timestamp of when the compromise was detected. |
|
actionTaken |
Indicates the action that was taken in response to the compromise. See table 1.11 for possible values. |
|
actionDelayHours |
The number of hours before the delayed remediation will take effect . This only applies when actionTaken is ForcePasswordChangeOnLoginDelayed or DisableAccountDelayed |
Example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
{
"time": "2019-08-07 15:01:35.7445",
"threadId": "10",
"level": "INFO",
"event": "CompromiseDetectedDelayedRemediationScheduled",
"eventData": {
"data": {
"user": "tu1",
"detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
"actionTaken": "ForcePasswordChangeOnLoginDelayed",
"actionDelayHours": 1,
"eventKind": "CompromiseDetectedDelayedRemediationScheduled",
"details": null
}
}
}|
Field |
Description |
|
user |
The SAM account name of the affected account. |
|
detectionTimestamp |
Timestamp of when the compromise was detected. |
|
actionTaken |
Possible values: ForcePasswordChangeOnLogin, DisableAccount |
|
actionDelayHours |
Always zero. |
Example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
{
"time": "2019-08-07 15:01:35.7445",
"threadId": "10",
"level": "INFO",
"event": "DelayedRemediationActionTaken",
"eventData": {
"data": {
"user": "tu1",
"detectionTimestamp": "2019-08-07T15:01:35.7134337-04:00",
"actionTaken": "ForcePasswordChangeOnLogin",
"actionDelayHours": 0,
"eventKind": "DelayedRemediationActionTaken",
"details": null
}
}
}|
Name |
Description |
|
ForcePasswordChangeOnLogin |
The affected user account is updated to require the password to be changed on the next login attempt. |
|
ForcePasswordChangeOnLoginDelayed |
The affected user account is updated to require the password to be changed on the next login attempt. This action is delayed by the number of configured hours. |
|
DisableAccount |
The affected user account is disabled. |
|
DisableAccountDelayed |
The affected user account is disabled. This action is delayed by the number of configured hours. |
|
NotifyOnly |
An email notification is sent to the configured recipients. No further remediation is taken. |