Audit Other Object Access Events
Some detection rules depend on the Other Object Access Events audit subcategory, which covers operations that do not fit the other Object Access subcategories: scheduled task creation, deletion, enabling, disabling and modification; changes to the COM+ Catalog; indirect object access requests; Windows Filtering Platform DoS-mode transitions; and blocked TPM Base Services (TBS) ordinal calls. Without it, a persistence technique as common as a newly registered scheduled task leaves no trace in the Security log.
To enable the subcategory across a group of servers, set the Audit Other Object Access Events policy in an Active Directory Group Policy Object that applies to those computers. Configure it under Advanced Audit Policy Configuration at the following path:
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Audit Policy Configuration >
Audit Policies >
Object Access >
Audit Other Object Access Events (Success,Failure)
To enable this policy on a single machine (for testing, or where no GPO applies), run the following command in an elevated command prompt. Note that a local auditpol setting is overwritten at the next Group Policy refresh if a GPO that defines audit policy applies to the host, so use Group Policy for anything beyond a one-off test:
auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
When this subcategory is enabled, the following event IDs may be written to the Security log:
- 4671: An application attempted to access a blocked ordinal through the TBS (TPM Base Services).
- 4691: Indirect access to an object was requested.
- 4698: A scheduled task was created.
- 4699: A scheduled task was deleted.
- 4700: A scheduled task was enabled.
- 4701: A scheduled task was disabled.
- 4702: A scheduled task was updated.
- 5148: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
- 5149: The DoS attack has subsided and normal processing is being resumed.
- 5888: An object in the COM+ Catalog was modified.
- 5889: An object was deleted from the COM+ Catalog.
- 5890: An object was added to the COM+ Catalog.
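The following PowerShell script is an added example, not part of the original page, that ties the steps above together on one host: it applies the auditpol setting, confirms the effective policy, queries the Security log for every event ID listed above, and, for the scheduled-task events (4698 to 4702), parses the task definition XML carried in the event's TaskContent field to surface the task name and the command it runs, which is what a detection rule for scheduled-task persistence keys on. The 24-hour window is an arbitrary assumption; run the script from an elevated PowerShell session.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.

# 1. Enable Success and Failure auditing for the subcategory (the auditpol
#    command from the page, run from PowerShell). A GPO that defines audit
#    policy will overwrite this at the next policy refresh.
auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# 2. Confirm the effective setting; the output should read "Success and Failure".
auditpol.exe /get /subcategory:"Other Object Access Events"

# 3. Pull every event ID this subcategory produces. The 24-hour window is an
#    arbitrary assumption for this example. -ErrorAction SilentlyContinue keeps
#    "No events were found" from being reported as a terminating error.
$otherObjectAccessIds = 4671, 4691, 4698, 4699, 4700, 4701, 4702, 5148, 5149, 5888, 5889, 5890
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $otherObjectAccessIds
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 4. For the scheduled-task events, the full task definition is embedded as XML
#    in the TaskContent data field. Extract who did it, the task name, and the
#    executable and arguments the task launches.
$taskEventIds = 4698, 4699, 4700, 4701, 4702
foreach ($e in $events | Where-Object { $_.Id -in $taskEventIds }) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        # Use GetAttribute so the "Name" attribute is not confused with XmlElement.Name
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }

    $command   = $null
    $arguments = $null
    if ($data['TaskContent']) {
        # PowerShell dot-navigation ignores the task schema namespace, so
        # Task.Actions.Exec resolves without declaring a namespace manager.
        $taskXml   = [xml]$data['TaskContent']
        $command   = $taskXml.Task.Actions.Exec.Command
        $arguments = $taskXml.Task.Actions.Exec.Arguments
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        TaskName    = $data['TaskName']
        Command     = $command
        Arguments   = $arguments
    }
}
```

Pipe the output to `Format-Table -AutoSize` for a quick review, or to `Export-Csv` to hand the task names and commands to a detection engineer; a 4698 whose Command points at a user-writable directory, a script interpreter, or a living-off-the-land binary is the case the rules that reference these events are written to catch.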
Use the following GitHub search to identify rules that use the events listed: