Event analysis options

In the fourth node, 'Event analysis options', you can specify the GFI LANguard S.E.L.M. event analysis options.

This node consists of the following tabs:

Object access

Event analysis options, object access events

Events which are related to object access are the following :

  • Event 560 – Object Open. This event is generated when an object which is being audited for open operations is opened, either by the operating system or by an application.
  • Event 561 – Handle Allocated. A handle is a reference held by a process to an object. This event is generated when a new handle is allocated to an object which is being audited for handle allocation.
  • Event 562 – Handle Closed. This event is generated when a handle to an object which is being audited for the release of handles is closed. If five handles pointed to the object, four now remain.
  • Event 563 – Object Open for Delete. This event is generated when an object which is being audited for deletion is opened with delete access, i.e. in a way that allows it to be deleted.
  • Event 564 – Object Deleted. This event is generated when an object which is being audited for deletion is actually deleted.

The Object access options allow you to specify how you want GFI LANguard S.E.L.M. to treat object access events. By default GFI LANguard S.E.L.M. will categorize all object access events as medium security events. This means that you will not receive alerts, but you will still be able to monitor usage of important files using the GFI LANguard S.E.L.M. event viewer.

If you want to be notified instantly about use of a particular file, you need to promote the event to a critical security event. To do this, first specify which events you want to promote – success audits, failure audits or both. Then specify whether the rule applies to all object access events, or only to object access events for particular files.

In the above screen grab, you will receive a critical security event on successful access to the file "cmd.exe", but not to a file called "sales.xls".

Note: All object access events will still be placed in the GFI LANguard S.E.L.M. database, allowing you to view these important events using the LANguard reporter or LANguard event viewer.

Note: Object events 561, 562 and 564 do not carry the object name or any other direct object details; they exist mainly to help developers debug. These events create a lot of noise in the events database, and therefore GFI LANguard S.E.L.M. never promotes them to critical security events. They are, however, still archived.

Account Events

Ignoring events generated by computer accounts

The Account Events tab allows you to ignore events generated by computer accounts. Computer accounts can create a lot of 'noise', i.e. events that are meaningless or else provide very little useful or interesting information to the administrator.

An example is event 538 – User Logoff. Such events are generated when a computer connects to a domain controller (DC) to update the security policies it will use. The computer connects to the DC using its own computer account (COMPUTERNAME$) rather than a domain user account. Once it has downloaded and applied the new security policy it logs off from the DC, generating an event 538 – User Logoff, where in fact it is a computer account logoff. Various other situations generate such events, including DC replication. There is also very little you can do about them. Therefore, we recommend instructing GFI LANguard S.E.L.M. to ignore these events: simply enable 'Ignore events generated by computer accounts'.

S.E.L.M. Events

Event Analysis options – ignoring events generated by GFI LANguard S.E.L.M.

The S.E.L.M. Events page allows you to specify whether GFI LANguard S.E.L.M. should ignore its own logon events. GFI LANguard S.E.L.M. must log on to each monitored machine to retrieve its security events, and if these logons are included they can trigger a false intrusion alert. Therefore, it is recommended that you enable 'Ignore events generated by GFI LANguard S.E.L.M.'.

Note: The collector agent compares the user name and domain of the account that generated an event with the account under which GFI LANguard S.E.L.M. runs. If both match, that event is not reported: it does not appear in the GFI LANguard S.E.L.M. custom event logs, but it WILL still appear in the Microsoft Event Log Viewer. Because the match is made on account name and domain alone, any logon made with that account – whether by a person or by another service – is suppressed in the same way.

For this reason it is strongly recommended to create a new, dedicated user account in the domain with just enough rights and privileges to scan and monitor the network, use this account only for running the GFI LANguard S.E.L.M. services, and never use it interactively or for any other service.

Events with user not available (N/A)

Event Analysis options – ignoring events with no associated user

The Events with user N/A page allows you to specify whether GFI LANguard S.E.L.M. should ignore events which have no user associated with them. Windows generates and registers some events that carry no account information; these events contain nothing useful and can be discarded. You may instruct GFI LANguard S.E.L.M. to ignore such events, so that they neither grow the database nor create unnecessary email alerts.
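The four tabs above each describe a filtering or promotion rule: promote object access events (560/563) on selected files to critical but only archive 561/562/564; drop computer account (COMPUTERNAME$) events; drop events generated by the collector's own account when both user and domain match; and drop events with no associated user. The following Python is an added illustration of those rules applied to a few constructed sample events, not GFI LANguard S.E.L.M. code. The function and option names (classify, AnalysisOptions), the CORP and LAB domains, the selm_svc account and the sample events are all assumptions; the event IDs are the pre-Vista security log IDs used on this page.

```python
"""Event-analysis rules from this page applied to constructed sample events.

Added illustration: classify, AnalysisOptions, the CORP/LAB domains and the
selm_svc account are assumptions, not GFI LANguard S.E.L.M. code.
"""
from dataclasses import dataclass

# Pre-Vista security log IDs, as used on this page.
OBJECT_ACCESS_EVENTS = {560, 561, 562, 563, 564}
# 561/562/564 carry no object name, so they are archived but never promoted.
PROMOTABLE_OBJECT_EVENTS = {560, 563}


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    audit_type: str        # "success" or "failure"
    user: str              # "N/A" when Windows recorded no account
    domain: str
    object_name: str = ""  # only filled for object access events


@dataclass
class AnalysisOptions:
    """One setting per control described in the Event analysis options node."""
    promote_success: bool = True
    promote_failure: bool = False
    promote_all_objects: bool = False
    promoted_files: frozenset = frozenset()  # lower-case base names, e.g. "cmd.exe"
    ignore_computer_accounts: bool = True
    ignore_selm_account: bool = True
    selm_user: str = ""                      # account the collector logs on with
    selm_domain: str = ""
    ignore_user_na: bool = True


def classify(event: SecurityEvent, opts: AnalysisOptions) -> str:
    """Return "ignore", "archive", "medium", "critical" or "keep".

    "keep" means none of these rules applied and the event goes on to the
    rest of the analysis unchanged.
    """
    # Events Windows logs with no associated account carry nothing useful.
    if opts.ignore_user_na and event.user.upper() == "N/A":
        return "ignore"
    # Computer accounts are named COMPUTERNAME$; policy refreshes and DC
    # replication log under them (e.g. event 538) and are pure noise.
    if opts.ignore_computer_accounts and event.user.endswith("$"):
        return "ignore"
    # The collector's own logons are dropped only when BOTH user and domain
    # match, so the same user name in another domain is still reported.
    if (opts.ignore_selm_account and opts.selm_user
            and event.user.lower() == opts.selm_user.lower()
            and event.domain.lower() == opts.selm_domain.lower()):
        return "ignore"
    if event.event_id not in OBJECT_ACCESS_EVENTS:
        return "keep"
    if event.event_id not in PROMOTABLE_OBJECT_EVENTS:
        return "archive"
    # Promotion to critical: the audit type must be selected...
    selected = {"success": opts.promote_success,
                "failure": opts.promote_failure}.get(event.audit_type, False)
    if not selected:
        return "medium"
    # ...and the rule must cover this object (all objects, or a listed file).
    if opts.promote_all_objects:
        return "critical"
    base_name = event.object_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return "critical" if base_name in opts.promoted_files else "medium"


def run_sample() -> list:
    """Apply the settings shown on this page to constructed sample events."""
    opts = AnalysisOptions(promoted_files=frozenset({"cmd.exe"}),
                           selm_user="selm_svc", selm_domain="CORP")
    sample = [  # constructed events, not a real security log
        SecurityEvent(560, "success", "alice", "CORP", r"C:\WINNT\system32\cmd.exe"),
        SecurityEvent(560, "success", "alice", "CORP", r"D:\Finance\sales.xls"),
        SecurityEvent(560, "failure", "bob", "CORP", r"C:\WINNT\system32\cmd.exe"),
        SecurityEvent(562, "success", "alice", "CORP"),
        SecurityEvent(538, "success", "WS01$", "CORP"),
        SecurityEvent(540, "success", "selm_svc", "CORP"),
        SecurityEvent(540, "success", "selm_svc", "LAB"),
        SecurityEvent(528, "success", "N/A", "N/A"),
    ]
    return [(e.event_id, e.user, classify(e, opts)) for e in sample]


if __name__ == "__main__":
    for event_id, user, verdict in run_sample():
        print(f"{event_id:>4} {user:<10} {verdict}")
```

Running the sample reproduces the behaviour the text describes: the successful open of cmd.exe is critical while sales.xls stays medium, the failure audit is not promoted because only success audits were selected, event 562 is archived, the WS01$ logoff and the N/A event are ignored, and the selm_svc logon is ignored only in the CORP domain. The last case is the reason for the dedicated account: anything else that logs on as selm_svc in CORP would be dropped by the same rule.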

