New security capabilities of Event Tracing for Windows
Whether you’re in cybersecurity, IT, performance, or software development, better audit data helps you diagnose security incidents. Event Tracing for Windows could previously be used for limited audit functions; nine events have now been improved to give more insight. Specifically, these security-related events now carry the Process ID and Process Start Key of the initiating process in the event payload, so you can attribute each event to the process that actually caused it. Because the payload schema changed, the version number of each updated event has been incremented, following the application compatibility policy; consumers that parse event data by position should check the event version before assuming the new fields are present.

When will this happen:
These improvements are already available on all Windows versions. To confirm that a given host writes the new schema, open one of the events below in Event Viewer, switch to the XML view, and check that the Version element under System has been incremented and that the process fields appear in the payload.
How this will affect your organization:
Organizations can better leverage Windows Event Viewer for security diagnostics and auditing. Before this change, some of these events attributed the action to the operating system with the generic message “The system/kernel logged this event,” so an event could appear to have been caused by a different action than the one that actually triggered it. Now the initiating process is added to the payload of the following events in the form of a Process ID and a Process Start Key:
- 4697: A service was installed in the system.
- 4698: A scheduled task was created.
- 4699: A scheduled task was deleted.
- 4700: A scheduled task was enabled.
- 4701: A scheduled task was disabled.
- 4702: A scheduled task was updated.
- 4719: System audit policy was changed.
- 1102: Security audit log was cleared. Displayed in the Security channel.
- 104: The {channel name} log file was cleared. Displayed in the System channel.
These are considered security-related events because services and scheduled tasks are common persistence mechanisms, and attack tools often clear the event log and disable auditing to cover their tracks. Knowing which process triggered the event lets you distinguish a legitimate management tool from attacker tooling. Note that the Process ID alone is only a heuristic for that attribution, because Windows reuses process IDs; the Process Start Key is unique for the boot session and is the field to correlate on where both sides of the correlation record it.
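The following PowerShell is an added example for this article, not code from the Microsoft post. It collects the nine events above from a local host, extracts whatever initiating-process fields each event carries, reports the event version so hosts still writing the old schema stand out, and tries to name the creating process from Security event 4688 (Process Creation) when that audit is enabled. Its assumptions are the field-name match on ProcessId/ProcessStartKey (the exact names vary per event and are not hard-coded) and the positional 4688 properties it reads (index 4 NewProcessId, index 5 NewProcessName).

```powershell
# Added example for this article (not from the Microsoft announcement).
# Pulls the nine events above from the Security and System logs, extracts the
# initiating-process fields the updated schemas carry, and tries to name the
# creating process from Security 4688 (Process Creation), if that audit is on.
# Run from an elevated prompt: reading the Security log needs administrator rights.

$SecurityIds = 4697, 4698, 4699, 4700, 4701, 4702, 4719, 1102
$SystemIds   = @(104)

function Get-InitiatingProcessFields {
    # The exact field names differ per event and are not assumed here: any
    # element whose Name attribute or element name contains ProcessId or
    # ProcessStartKey is collected. 1102 and 104 keep their payload under
    # <UserData> rather than <EventData>, so every block below <Event> except
    # <System> is searched.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $EventRecord)

    $xml    = [xml] $EventRecord.ToXml()
    $fields = [ordered] @{}
    foreach ($block in $xml.Event.ChildNodes) {
        if ($block.LocalName -eq 'System') { continue }
        foreach ($el in $block.SelectNodes('.//*')) {
            $name = if ($el.HasAttribute('Name')) { $el.GetAttribute('Name') } else { $el.LocalName }
            if ($name -match 'ProcessId|ProcessStartKey') { $fields[$name] = $el.InnerText }
        }
    }
    [pscustomobject] @{
        TimeCreated = $EventRecord.TimeCreated
        LogName     = $EventRecord.LogName
        Id          = $EventRecord.Id
        Version     = $EventRecord.Version   # incremented when the schema gained these fields
        Fields      = $fields
        HasProcess  = ($fields.Count -gt 0)  # $false means the host still writes the old schema
    }
}

function ConvertTo-Pid {
    # Process IDs appear either as hex strings (0x1a2c, as 4688 formats them)
    # or as decimal; normalise both to an integer. Empty input yields -1.
    param([string] $Value)
    if ([string]::IsNullOrEmpty($Value)) { return -1 }
    if ($Value -match '^0x') { [Convert]::ToInt64($Value, 16) } else { [int64] $Value }
}

function Find-CreatingProcess {
    # Heuristic: the most recent 4688 before the event whose NewProcessId
    # (Properties[4]) equals the reported process ID. Windows reuses PIDs, so
    # this is plausible rather than proven; the Process Start Key is unique for
    # the boot session and is the field to join on when both sides record it.
    param([psobject] $Record, [object[]] $ProcessCreates)
    $pidField = @($Record.Fields.Keys | Where-Object { $_ -match 'ProcessId' })[0]
    if (-not $pidField) { return $null }
    $targetPid = ConvertTo-Pid $Record.Fields[$pidField]
    $ProcessCreates |
        Where-Object { $_.TimeCreated -le $Record.TimeCreated -and
                       (ConvertTo-Pid ([string] $_.Properties[4].Value)) -eq $targetPid } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1
}

$records = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $SecurityIds } -MaxEvents 200 -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = $SystemIds   } -MaxEvents 50  -ErrorAction SilentlyContinue
) | ForEach-Object { Get-InitiatingProcessFields $_ }

$processCreates = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue)

$report = foreach ($r in $records) {
    $process = '(old schema: no initiating-process fields)'
    $creator = ''
    if ($r.HasProcess) {
        $process = ($r.Fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
        $match   = Find-CreatingProcess $r $processCreates
        if ($match) { $creator = [string] $match.Properties[5].Value }   # Properties[5] = NewProcessName
    }
    [pscustomobject] @{ Time = $r.TimeCreated; Log = $r.LogName; Id = $r.Id; Version = $r.Version; Process = $process; Creator = $creator }
}
$report | Format-Table -AutoSize
```

Events that show up with the old-schema marker were written before the host received the updated schema (or by a build that does not have it), which is exactly the version check the announcement recommends. Where the 4688 lookup returns nothing, either Process Creation auditing is off or the creating process predates the retained 4688 events; in a SIEM the same join is better done on the Process Start Key when the process-creation source records it.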
What you need to do to prepare:
Additional information:
Read New security capabilities of Event Tracing for Windows for step-by-step instructions, screenshots, and examples of these improvements. Review additional information for further help.
- New security capabilities of Event Tracing for Windows
- Instrumenting your code with ETW
- Event tracing – Win32 apps
- ENABLE_TRACE_PARAMETERS (evntrace.h)
- Describe Windows Server event logs
Message ID: MC680761

HANDS ON tek
M365 Admin