SIEM, Vulnerability Scanning, Server Monitoring and Compliance Training for IT Professionals
Table of Contents

Security Event Log | Object Access Report

The Object Access enables you to scan the consolidated log database for Event ID 4663. This report is typically used by compliance and audit professionals while auditing domain controllers and stand-alone servers.

Server Manager includes two methods to report 4663(S): An attempt was made to access an object:

MethodDescription
One-Off Object Access ReportParses Event ID 4663, then returns a sub-set of the Event's columns. This report is supported on all locales.
Generic Object Access ReportUses Regular Expressions to parse Security Event Log Entries, extract values, validate subject and target accounts in Active Directory, then finally filter entries using Event Log Filters. This report is only supported on English locales.

How to configure the One-Off Object Access Report

The Options Tab

  • Use the Summary check box to either display each entry or display the count of unique entries grouped by Account Name, Domain, Object, Process and Accesses.
Object Access Report Properties View
Object Access Report Properties View

How to configure the Generic Object Access Report

The Options Tab

  • Use the Filters drop-down to select all of the filters you would like to apply to the report.
Important
To target specific columns (e.g. Process Name), create a Complex Event Log Filter then, create a new Attribute Value Pair Criteria, specify the column's key (e.g. PROCESS_NAME) then, specify the full path to the process or regular expression to target.
Sample Regular Expression Driven Object Access Filter
Sample Regular Expression Driven Object Access Filter
  • Once a filter is assigned, use the Include entries that pass drop-down to select the filter method.
    The following filter options are available:
OptionDescription
AllInclude each entry that passes all assigned filters.
AnyInclude each entry that passes any filter.
NoneInclude each entry that does not pass any of the filters.
IgnoreInclude all entries.
  • Use the Apply filter frequency rules to display the Latest or Oldest entry when it occurs more than X times every X periods.
Note
A unique instance of these settings is attached to each assigned filter. Select the Filter to apply each instance's settings.
  • Use the Duplicates controls to group entries by Source and Event ID then display Latest or Oldest entry along with a count of entries in each group.
Generic Object Access Report Properties View
Generic Object Access Report Properties View

Related Topics

Security Event Log Reports