N-central Troubleshooting
Monitor Account activity for HIPAA Compliance
Last Modified
Fri Jan 06 13:20 GMT 2023
Description
Account activity for a device can generally be found in the Domain Controller Security log. Different kinds of activity are recorded under different event IDs. The following link lists all of the entries within the Security log:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
Environment
All N-able N-central versions
Solution
You can use a Windows Event Log service to monitor for the IDs listed below. Generally, for HIPAA compliance you only need to monitor the following:
4614 | A notification package has been loaded by the Security Account Manager |
4615 | Invalid use of LPC port |
4616 | The system time was changed |
4618 | A monitored security event pattern has occurred |
4621 | Administrator recovered system from CrashOnAuditFail |
4622 | A security package has been loaded by the Local Security Authority |
4624 | An account was successfully logged on |
4625 | An account failed to log on |
4626 | User/Device claims information |
4627 | Group membership information |
4634 | An account was logged off |
4646 | IKE DoS-prevention mode started |
4647 | User initiated logoff |
4648 | A logon was attempted using explicit credentials |
4649 | A replay attack was detected |
However, HIPAA compliance may require other events in the Security log as well. HIPAA is not very explicit.
You need to understand which IDs fall within the description of the compliance requirement.
There are two Windows Event Log Services you can use.
Windows Applications and Services Log.
Both are capable of monitoring the IDs listed above. The services are event-based, meaning that when a service encounters the ID in the log, it transitions to Failed and then returns to Normal. If you create Notification Profiles for the specific instance of this service, you can generate an email on the specific event ID and have it sent to the appropriate personnel.
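Before building the Notification Profiles, you can check on the domain controller how often each of the listed IDs occurs and which accounts have failed logons. The following is an added example, not N-able code or part of the original article; the 24-hour look-back window and the helper name Get-EventField are assumptions.

```powershell
# Added example (not N-able code). Run in an elevated PowerShell session on the
# domain controller. The event IDs are the ones listed in this article.
$ids   = 4614,4615,4616,4618,4621,4622,4624,4625,4626,4627,4634,4646,4647,4648,4649
$since = (Get-Date).AddHours(-24)   # assumed look-back window

# Hypothetical helper: Security events carry their details as named <Data>
# elements in the event XML; return the value of one of them, or $null.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record,
        [string]$Name
    )
    $xml  = [xml]$Record.ToXml()
    $node = $xml.Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -First 1
    if ($node) { $node.'#text' } else { $null }
}

try {
    $events = Get-WinEvent -ErrorAction Stop -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = $since
    }
} catch {
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Volume per event ID: shows which IDs would trigger the service, and how often.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Failed logons (4625) grouped by the account that was targeted.
$events | Where-Object Id -eq 4625 |
    ForEach-Object { Get-EventField -Record $_ -Name 'TargetUserName' } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

High-volume IDs in the first table are the ones whose Notification Profiles will generate the most email.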