SMB events that can be audited overview

02/04/2022 Contributors

ONTAP can audit certain SMB events, including certain file and folder access events, certain logon and logoff events, and central access policy staging events. Knowing which access events can be audited is helpful when interpreting results from the event logs.

The following additional SMB events can be audited in ONTAP 9.2 and later:

Event ID (EVT/EVTX)	Event	Description	Category
4670	Object permissions were changed	OBJECT ACCESS: Permissions changed.	File Access
4907	Object auditing settings were changed	OBJECT ACCESS: Audit settings changed.	File Access
4913	Object Central Access Policy was changed	OBJECT ACCESS: CAP changed.	File Access

Event ID (EVT/EVTX)

Event

Description

Event ID (EVT/EVTX)	Event	Description	Category
540/4624	An account was successfully logged on	LOGON/LOGOFF: Network (SMB) logon.	Logon and Logoff
529/4625	An account failed to log on	LOGON/LOGOFF: Unknown user name or bad password.	Logon and Logoff
530/4625	An account failed to log on	LOGON/LOGOFF: Account logon time restriction.	Logon and Logoff
531/4625	An account failed to log on	LOGON/LOGOFF: Account currently disabled.	Logon and Logoff
532/4625	An account failed to log on	LOGON/LOGOFF: User account has expired.	Logon and Logoff
533/4625	An account failed to log on	LOGON/LOGOFF: User cannot log on to this computer.	Logon and Logoff
534/4625	An account failed to log on	LOGON/LOGOFF: User not granted logon type here.	Logon and Logoff
535/4625	An account failed to log on	LOGON/LOGOFF: User's password has expired.	Logon and Logoff
537/4625	An account failed to log on	LOGON/LOGOFF: Logon failed for reasons other than above.	Logon and Logoff
539/4625	An account failed to log on	LOGON/LOGOFF: Account locked out.	Logon and Logoff
538/4634	An account was logged off	LOGON/LOGOFF: Local or network user logoff.	Logon and Logoff
560/4656	Open Object/Create Object	OBJECT ACCESS: Object (file or directory) open.	File Access
563/4659	Open Object with the Intent to Delete	OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete.	File Access
564/4660	Delete Object	OBJECT ACCESS: Delete Object (file or directory). ONTAP generates this event when a Windows client attempts to delete the object (file or directory).	File Access
567/4663	Read Object/Write Object/Get Object Attributes/Set Object Attributes	OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute). Note: For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations to the same object.	File Access
NA/4664	Hard link	OBJECT ACCESS: An attempt was made to create a hard link.	File Access
NA/4818	Proposed central access policy does not grant the same access permissions as the current central access policy	OBJECT ACCESS: Central Access Policy Staging.	File Access
NA/NA Data ONTAP Event ID 9999	Rename Object	OBJECT ACCESS: Object renamed. This is an ONTAP event. It is not currently supported by Windows as a single event.	File Access
NA/NA Data ONTAP Event ID 9998	Unlink Object	OBJECT ACCESS: Object unlinked. This is an ONTAP event. It is not currently supported by Windows as a single event.	File Access

Category

540/4624

An account was successfully logged on

LOGON/LOGOFF: Network (SMB) logon.

Logon and Logoff

529/4625

An account failed to log on

LOGON/LOGOFF: Unknown user name or bad password.

Logon and Logoff

530/4625

An account failed to log on

LOGON/LOGOFF: Account logon time restriction.

Logon and Logoff

531/4625

An account failed to log on

LOGON/LOGOFF: Account currently disabled.

Logon and Logoff

532/4625

An account failed to log on

LOGON/LOGOFF: User account has expired.

Logon and Logoff

533/4625

An account failed to log on

LOGON/LOGOFF: User cannot log on to this computer.

Logon and Logoff

534/4625

An account failed to log on

LOGON/LOGOFF: User not granted logon type here.

Logon and Logoff

535/4625

An account failed to log on

LOGON/LOGOFF: User's password has expired.

Logon and Logoff

537/4625

An account failed to log on

LOGON/LOGOFF: Logon failed for reasons other than above.

Logon and Logoff

539/4625

An account failed to log on

LOGON/LOGOFF: Account locked out.

Logon and Logoff

538/4634

An account was logged off

LOGON/LOGOFF: Local or network user logoff.

Logon and Logoff

560/4656

Open Object/Create Object

OBJECT ACCESS: Object (file or directory) open.

File Access

563/4659

Open Object with the Intent to Delete

OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete.

File Access

564/4660

Delete Object

OBJECT ACCESS: Delete Object (file or directory). ONTAP generates this event when a Windows client attempts to delete the object (file or directory).

File Access

567/4663

Read Object/Write Object/Get Object Attributes/Set Object Attributes

OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute).

Note: For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations to the same object.

File Access

NA/4664

Hard link

OBJECT ACCESS: An attempt was made to create a hard link.

File Access

NA/4818

Proposed central access policy does not grant the same access permissions as the current central access policy

OBJECT ACCESS: Central Access Policy Staging.

File Access

NA/NA Data ONTAP Event ID 9999

Rename Object

OBJECT ACCESS: Object renamed. This is an ONTAP event. It is not currently supported by Windows as a single event.

File Access

NA/NA Data ONTAP Event ID 9998

Unlink Object

OBJECT ACCESS: Object unlinked. This is an ONTAP event. It is not currently supported by Windows as a single event.

File Access

Additional information about Event 4656

The HandleID tag in the audit XML event contains the handle of the object (file or directory) accessed. The HandleID tag for the EVTX 4656 event contains different information depending on whether the open event is for creating a new object or for opening an existing object:

If the open event is an open request to create a new object (file or directory), the HandleID tag in the audit XML event shows an empty HandleID (for example: <Data Name="HandleID">00000000000000;00;00000000;00000000</Data> ).

The HandleID is empty because the OPEN (for creating a new object) request gets audited before the actual object creation happens and before a handle exists. Subsequent audited events for the same object have the right object handle in the HandleID tag.
If the open event is an open request to open an existing object, the audit event will have the assigned handle of that object in the HandleID tag (for example: <Data Name="HandleID">00000000000401;00;000000ea;00123ed4</Data> ).

SMB events that can be audited overview

Creating your file...

Additional information about Event 4656