nsacyber/Event-Forwarding-Guidance

Incorrect event id specified for "CA Permissions Corrupted or Missing" in section "Certificate Services" of "Windows Event Monitoring Guidance\Recommended Events to Collect" document

vburov opened this issue · 4 comments

According to Microsoft documentation, event ID 95 is written to the log when security permissions are corrupted or missing:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd338541(v=ws.10)

@iadgovuser8 Might want to cross check with WELM data (attached to the latest release): https://github.com/nsacyber/Windows-Event-Log-Messages/releases

I need to split up that zip file so we don't have to download it all.

@iadgovuser1 I quickly checked with wevtutil.exe. Yes, the event ID should've been 95 as 90 deals with an exception being thrown which does not deal with permissions per documentation.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726385(v%3dws.10)

@iadgovuser8 Don't forget to update the csv and json files. :)

Accepted PR updating JSON 6e92d62
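As an added example (not code from the nsacyber repository or from anyone in this thread), the following PowerShell shows how a defender can repeat the check the commenter did with wevtutil.exe and then collect the corrected event ID from a CA host or a collector. It assumes the CA events are emitted by the provider `Microsoft-Windows-CertificationAuthority` into the Application log, and that the meanings of IDs 95 (permissions corrupted or missing) and 90 (exception thrown) are as described in the issue; the function name `Get-CaPermissionEvents` and the `$Days` window are hypothetical choices.

```powershell
# Added example; not part of the Event-Forwarding-Guidance repository.
# Assumption: CA events come from this provider and land in the Application log.
$provider = 'Microsoft-Windows-CertificationAuthority'

# 1. Verify the event definitions on the host itself, as the commenter did.
#    /ge:true lists the provider's events, /gm:true includes the message text,
#    so the lines around "value: 95" and "value: 90" show what each ID means.
wevtutil gp $provider /ge:true /gm:true |
    Select-String -Pattern '^\s+value: (95|90)\s*$' -Context 0, 8

# 2. Collect occurrences of the corrected ID (95) rather than 90.
function Get-CaPermissionEvents {
    param(
        [string] $LogName = 'Application',   # on a collector, use the forwarded log instead
        [int[]]  $EventId = @(95),
        [int]    $Days    = 7                # hypothetical look-back window
    )
    $filter = @{
        LogName      = $LogName
        ProviderName = $provider
        Id           = $EventId
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, MachineName, Message
    } catch {
        # Get-WinEvent throws when nothing matches; report an empty result instead.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
}

# 3. The equivalent XPath for a forwarding subscription query, so the
#    collector receives ID 95 from the CA provider (assumed channel: Application).
$subscriptionQuery = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='$provider'] and (EventID=95)]]
    </Select>
  </Query>
</QueryList>
"@

Get-CaPermissionEvents | Format-Table -AutoSize
$subscriptionQuery
```

Running step 1 on a CA confirms locally which ID carries the "permissions corrupted or missing" text before the guidance's CSV and JSON are relied on; step 3 is the query fragment to paste into the subscription definition once the ID is confirmed.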