Skip to content

CYBERQUEST Smart Objects

Description

CYBERQUEST's Web Interface includes the administrative section needed for a visual configuration of your audit system.

In the log collection process, CYBERQUEST generates events in certain situations of interest to enhance the investigative process or to read information from native log source. These generated events are composed of information from one or more data streams.

To access the page, go to Settings > Applications Settings > Smart Objects option:

Smart Objects

Use Cases

  • Scenario 1 - Windows Success Interactive Logon Activity

    • Purpose - to identify, in Microsoft Windows enviroment, a new interactive login of a user on a station other than those in the login history.
    • Description - EventID: 9150001, a new event is generated containing details of the user and the new station on which he has interactively logged in. It also contains historical information about the stations to which he logged in interactively (MS Windows EventID 4624, logon type 2).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsSuccessInteractiveLogonActivity
  • Scenario 2 - Windows Success Network Logon Activity

    • Purpose - to identify, in Microsoft Windows enviroment, a new network login compared to the historical ones ( connection to a shared folder on a computer from the network).
    • Description - EventID: 9150002, a new event is generated containing details of the user and the network IP on which he logged in. It also contains historical information about the network resources he logged on to (MS Windows EventID 4624, logon type 3). Authentication can be done in at least 2 ways: interactive (the station sends the authentication request to Active Directory) or based on an access to a shared resource on the network.
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsSuccessNetworkLogonActivity
  • Scenario 3 - Windows Success Batch Logon Activity

    • Purpose - to identify, in Microsoft Windows enviroment, a new batch logon against those in history (e.g. a schedule task).
    • Description - EventID: 9150003, a new event is generated containing details of the user and the network IP on which he logged in. It also contains historical information about previous batch logins (MS Windows EventID 4624, logon type 4).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsSuccessBatchLogonActivity
  • Scenario 4 - Windows Success Service Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a new service logon compared to the historical ones (e.g. Service startup).
    • Description - EventID: 9150004, a new event is generated containing details of the service and the IP in the network that was logged in. It also contains historical information about previous logins (MS Windows EventID 4624, logon type 5).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 1 year.
    • On/Off - SmartObjects_WindowsSuccessServiceLogonActivity
  • Scenario 5 - Windows Success Network Cleartext Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a new Cleartext authentication type compared to the historical one (where the password is transmitted in clear. Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication").
    • Description - EventID: 9150005, a new event is generated containing details of the user and the IP in the network to which he logged in. It also contains historical information about previous logins (MS Windows EventID 4624, logon type 8).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsSuccessNetworkCleartextLogonActivity
  • Scenario 6 - Windows Success Remote Interactive Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a new remote interactive login in addition to the ones in the history (Terminal Services, Remote Desktop or Remote Assistance).
    • Description - EventID: 9150006, a new event is generated containing details of the user and network IP that logged in. It also contains historical information about previous logins (MS Windows EventID 4624, logon type 10).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsSuccessRemoteInteractiveLogonActivity
  • Scenario 7 - Windows Success Cached Interactive Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a cached login after a break period of at least 3 months.
    • Description - EventID: 9150007, a new event is generated containing details of the user and network IP that logged in. It also contains historical information about previous logins (MS Windows EventID 4624, logon type 11).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsSuccessCachedInteractiveLogonActivity
  • Scenario 8 - Windows Failed Interactive Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a failed interactive authentication on a station other than those in the history (user key/keyboard password).
    • Description - EventID: 9150011, a new event is generated containing details of the user and IP in the network that was logged in. It also contains historical information about previous logins (MS Windows EventID 4625, logon type 2).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsFailedInteractiveLogonActivity
  • Scenario 9 - Windows Failed Network Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a new failed network authentication against the historical one (connection to a shared folder on a computer from the network).
    • Description - EventID: 9150012, a new event is generated containing details of the user and IP from the network that was logged in. It also contains historical information about previous logins (MS Windows EventID 4625, logon type 3).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsFailedNetworkLogonActivity
  • Scenario 10 - Windows Success Service Activity Service

    • Purpose - to identify, in Microsoft Windows environment, authentications for new network services.
    • Description - EventID: 9150051, a new event is generated containing details of the machine in the network that has logged in and the new service registered (MS Windows EventID 4624, logon type 5). In this way, the traceability of the installation of new services at the organization level is obtained.
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 1 year.
    • On/Off - SmartObjects_WindowsSuccessServiceActivityService
  • Scenario 11 - Windows Success Service Activity Service User

    • Purpose - to identify, in Microsoft Windows environment, new network logins versus those in the history, of type service run under a user.
    • Description - EventID: 9150052, a new event is generated containing details of the network machine logged on, the newly registered service/user combination (MS Windows EventID 4624, logon type 5). In this way the traceability of the installation of new services logged on by other users at the organisation level is obtained.
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 1 year.
    • On/Off - SmartObjects_WindowsSuccessServiceActivityServiceUser
  • Scenario 12 - Windows Success Service Activity Service Computer

    • Purpose - to identify, in Microsoft Windows environment, new network logins versus those in the history, as a service running on a machine.
    • Description - EventID: 9150053, a new event is generated containing details of the networked machine that has been logged on, the newly registered service/user combination (MS Windows EventID 4624, logon type 5). In this way the traceability of the installation of new services logged on by other computers in the organisation is obtained.
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 1 year.
    • On/Off - SmartObjects_WindowsSuccessServiceActivityServiceComputer
  • Scenario 13 - Windows Failed Service Activity Service

    • Purpose - to identify, in Microsoft Windows environment, failed authentications for new network services.
    • Description - EventID: 9150061, a new event is generated containing details of the machine in the network on which authentication failed and the new service registered (MS Windows EventID 4625, logon type 5).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 1 year.
    • On/Off - SmartObjects_WindowsFailedServiceActivityService
  • Scenario 14 - Windows Failed Service Activity Service User

    • Purpose - to identify, in Microsoft Windows enviroment, new failed network logins versus those in the history, of the service type run under a user.
    • Description - EventID: 9150062, a new event is generated containing details of the machine in the network that has logged in, the newly registered service/user combination (MS Windows EventID 4625, logon type 5).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 1 year.
    • On/Off - SmartObjects_WindowsFailedServiceActivityServiceUser
  • Scenario 15 - Windows Failed Service Activity Service Computer

    • Purpose - to identify, in Microsoft Windows environment, new failed network logins versus those in the history, of the service type run on a machine.
    • Description - EventID: 9150063, a new event is generated containing details of the network machine that was logged on, the new service/user combination registered (MS Windows EventID 4625, logon type 5).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 1 year.
    • On/Off - SmartObjects_WindowsFailedServiceActivityServiceComputer
  • Scenario 16 - Linux Success Logon Activity SSH

    • Purpose - to identify, in Linux environments, new SSH logins versus historical ones.
    • Description - EventID: 9150101, a new event is generated containing details of the user and the Linux machine on which SSH was logged in.
    • Prerequisites - Event forwarding.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_LinuxSuccessSshdLogonActivity
  • Scenario 17 - Linux Success Logon Activity Sudo

    • Purpose - to identify, in Linux environments, new SUDO logins versus historical ones.
    • Description - EventID: 9150102, a new event is generated containing details of the user and the Linux machine on which SUDO has logged in.
    • Prerequisites - Event forwarding.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_LinuxSuccessSudoLogonActivity
  • Scenario 18 - Linux Success Logon Activity Su Computer

    • Purpose - to identify, in Linux environments, new SU logins versus historical ones, organized by computer.
    • Description - EventID: 9150103, a new event is generated containing details of the user and the Linux machine on which the SU has logged in.
    • Prerequisites - Event forwarding.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_LinuxSuccessSuComputerLogonActivity
  • Scenario 19 - Linux Success Logon Activity Su SrcIP

    • Purpose - to identify, in Linux environments, new SU logins against historical ones, organized by source IP.
    • Description - EventID: 9150104, a new event is generated containing details of the user and the IP on which the SU logged in.
    • Prerequisites - Event forwarding.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_LinuxSuccessSuSrcIPLogonActivity
  • Scenario 20 - Linux Failed Logon Activity SSH

    • Purpose - to identify, in Linux environments, new failed SSH logins versus historical ones.
    • Description - EventID: 9150151, a new event is generated containing details of the user and Linux machine on which the SSH login failed.
    • Prerequisites - Event forwarding.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_LinuxFailedSshdLogonActivity
  • Scenario 21 - VPN Success Logon Activity by Country

    • Purpose - monitors whether a new username/geolocation combination has successfully logged into the organization on the VPN against history. We only have for openVPN and FortiGate. Organize by country of login.
    • Description - EventID: 9150201, a new event is generated containing details of the user and the country from where the VPN login was performed.
    • Prerequisites - FortiGate and Qnap.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_VPNByCountrySuccessLogonActivity
  • Scenario 22 - VPN Success Logon Activity by ClientIP

    • Purpose - monitors whether a new username/geolocation combination has successfully logged into the organization on the VPN against history. We only have for openVPN and FortiGate. Organize by IP from where logged in.
    • Description - EventID: 9150202, a new event is generated containing details of the user and the IP from where the VPN login was performed.
    • Prerequisites - FortiGate and Qnap.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_VPNByClientIPSuccessLogonActivity
  • Scenario 23 - An object was moved from _SourceFile_ to _Destination_

    • Purpose - to identify, in Microsoft Windows environments, the moved files with the location before and after the move.
    • Description - EventID: 580466301, a new event is generated containing details of the file name and path before and after the move.
    • Prerequisites - Windows Object Access enabled and folder with auditing enabled (at Windows level).
  • Scenario 24 - An object was deleted

    • Purpose - to identify, in Microsoft Windows environments, deleted files/objects with the location and name of the file/object.
    • Description - EventID: 580466302, a new event is generated containing details of the name and path of the deleted file.
    • Prerequisites - Windows Object Access enabled and folder with auditing enabled (at Windows level).
  • Scenario 25 - A file was created or modified

    • Purpose - to identify, in Microsoft Windows environments, newly created or modified files with the location and file name.
    • Description - EventID: 580466303, a new event is generated containing details about the name and path of the created/modified file.
    • Prerequisites - Windows Object Access enabled and folder with auditing enabled (at Windows level).
  • Scenario 26 - A new folder was created

    • Purpose - to identify, in Microsoft Windows environments, newly created folders with location and folder name.
    • Description - EventID: 580466304, a new event is generated containing details about the name and path of the created folder.
    • Prerequisites - Windows Object Access enabled and folder with auditing enabled (at Windows level).
  • Scenario 27 - An object was renamed from _SourceFile_ to _DestinationFile_

    • Purpose - to identify, in Microsoft Windows environments, renamed objects with the location and name of the object before and after renaming.
    • Description - EventID: 580466305, a new event is generated containing details of the object name and path before and after renaming.
    • Prerequisites - Windows Object Access enabled and folder with auditing enabled (at Windows level).
  • Scenario 28 - An object was accessed

    • Purpose - to identify, in Microsoft Windows environments, the accessed objects by mentioning the location and the name of the object.
    • Description - EventID: 580466306, a new event is generated containing details of the name and path of the accessed object.
    • Prerequisites - Windows Object Access enabled and folder with auditing enabled (at Windows level).
  • Scenario 29 - Windows Failed Batch Logon Activity

    • Purpose - to identify, in the Microsoft Windows enviroment, a failed batch logon against those in history (e.g. a schedule task).
    • Description - EventID: 9150013, a new event is generated containing details of the user and the network IP on which he login failed. It also contains historical information about previous batch logins (MS Windows EventID 4625, logon type 4).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsFailedBatchLogonActivity
  • Scenario 30 - Windows Failed Service Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a failed service logon compared to the historical ones (e.g. Service startup).
    • Description - EventID: 9150014, a new event is generated containing details of the service and the IP in the network that was login failed. It also contains historical information about previous logins (MS Windows EventID 4625, logon type 5).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 1 year.
    • On/Off - SmartObjects_WindowsFailedServiceLogonActivity
  • Scenario 31 - Windows Failed Network Cleartext Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a new failed Cleartext authentication type compared to the historical one (where the password is transmitted in clear. Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication").
    • Description - EventID: 9150015, a new event is generated containing details of the user and the IP in the network to which he login failed. It also contains historical information about previous logins (MS Windows EventID 4625, logon type 8).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsFailedNetworkCleartextLogonActivity
  • Scenario 32 - Windows Failed Remote Interactive Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a new failed remote interactive login in addition to the ones in the history (Terminal Services, Remote Desktop or Remote Assistance).
    • Description - EventID: 9150016, a new event is generated containing details of the user and network IP that login failed. It also contains historical information about previous logins (MS Windows EventID 4625, logon type 10).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsFailedRemoteInteractiveLogonActivity
  • Scenario 33 - Windows Failed Cached Interactive Logon Activity

    • Purpose - to identify, in Microsoft Windows environment, a failed cached login after a break period of at least 3 months.
    • Description - EventID: 9150017, a new event is generated containing details of the user and network IP that login failed. It also contains historical information about previous logins (MS Windows EventID 4625, logon type 11).
    • Prerequisites - Windows Security Auditing.
    • History retention of previously events - 30 days.
    • On/Off - SmartObjects_WindowsFailedRemoteInteractiveLogonActivity