Skip to content

Log Samples

Jump to bottom
RagingRedRiot edited this page Aug 7, 2024 · 2 revisions

Log 12345 Samples

Using Audit-Only Mode Before Configuring Audit Policies

{"audit_policy":{},"error":{"message":["[service.name] The Sysmon service could not be found. (0x80070002)","[process.path] The Sysmon service could not be found. (0x80070002)"]},"event":{"action":"audit-inspection","code":12345},"process":{"path":""},"service":{"name":""},"user_agent":{"name":"Audit Inspector","version":"0.1.8"}}

After Configuring Audit Policies using Audit Inspector (Without Sysmon Installed)

{"audit_policy":{"AccountLockout":"Failure","AuditPolicyChange":"Success","AuthenticationPolicyChange":"Success","CredentialValidation":"Success and Failure","DetailedFileShare":"Failure","EnableScriptBlockInvocationLogging":0,"EnableScriptBlockLogging":1,"FilteringPlatformConnection":"Failure","GroupMembership":"Success","IPsecDriver":"Success and Failure","Logoff":"Success","Logon":"Success and Failure","MPSSVCRule-LevelPolicyChange":"Success","OtherLogonLogoffEvents":"Success and Failure","OtherObjectAccessEvents":"Success and Failure","OtherSystemEvents":"Success and Failure","PlugandPlayEvents":"Success","PowershellLoggingModuleNames":["Microsoft.Powershell.*","Microsoft.WSMan.Management","ActiveDirectory"],"ProcessCreation":"Success","ProcessCreationIncludeCmdLine_Enabled":1,"SecurityGroupManagement":"Success","SecurityStateChange":"Success","SecuritySystemExtension":"Success","SpecialLogon":"Success","SystemIntegrity":"Success and Failure","UserAccountManagement":"Success and Failure","scenoapplylegacyauditpolicy":1},"error":{"message":["[service.name] The Sysmon service could not be found. (0x80070002)","[process.path] The Sysmon service could not be found. (0x80070002)"]},"event":{"action":"audit-inspection","code":12345},"process":{"path":""},"service":{"name":""},"user_agent":{"name":"Audit Inspector","version":"0.1.8"}}

After Configuring Audit Policies using Audit Inspector (With Sysmon Installed)

{"audit_policy":{"AccountLockout":"Failure","AuditPolicyChange":"Success","AuthenticationPolicyChange":"Success","CredentialValidation":"Success and Failure","DetailedFileShare":"Failure","EnableScriptBlockInvocationLogging":0,"EnableScriptBlockLogging":1,"FilteringPlatformConnection":"Failure","GroupMembership":"Success","IPsecDriver":"Success and Failure","Logoff":"Success","Logon":"Success and Failure","MPSSVCRule-LevelPolicyChange":"Success","OtherLogonLogoffEvents":"Success and Failure","OtherObjectAccessEvents":"Success and Failure","OtherSystemEvents":"Success and Failure","PlugandPlayEvents":"Success","PowershellLoggingModuleNames":["Microsoft.Powershell.*","Microsoft.WSMan.Management","ActiveDirectory"],"ProcessCreation":"Success","ProcessCreationIncludeCmdLine_Enabled":1,"SecurityGroupManagement":"Success","SecurityStateChange":"Success","SecuritySystemExtension":"Success","SpecialLogon":"Success","SystemIntegrity":"Success and Failure","UserAccountManagement":"Success and Failure","scenoapplylegacyauditpolicy":1},"error":{"message":[]},"event":{"action":"audit-inspection","code":12345},"file":{"hash":{"sha256":"C041965DD57A676145A1E7461449E746B2C89B6E026FDE383FAA2344B629CB76"},"path":".\\sysmonconfig.xml"},"process":{"hash":{"sha256":["39b094613132377bc236f4ad940a3e02c544f86347c0179a9425edc1bd3b85cd","39b094613132377bc236f4ad940a3e02c544f86347c0179a9425edc1bd3b85cd"]},"path":["C:\\Windows\\Sysmon.exe","C:\\Windows\\Sysmon64.exe"]},"service":{"name":"sysmon64","state":"Running","version":"15.14"},"user_agent":{"name":"Audit Inspector","version":"0.1.8"}}
Clone this wiki locally