What Windows events are associated with the security score results
Summary: This article provides examples of the Windows event log entries written after a Dell Trusted Device security assessment completes.
Instructions
Affected products:
- Dell Trusted Device
Affected platforms:
- OptiPlex
- Latitude
- Precision workstations
- XPS
Contents:
Windows events associated with the security score results
Windows event details
The following sections show examples of the relevant Windows event log entries:
- Security Score
- BIOS Verification
- Indicators of Attack
- ME Verification
Security Score
The Security Score plugin generates an event each time the security score assessment is refreshed. Security score assessment events written to the Dell application event log have the source name "Trusted Device | Security Assessment".
Events
The following are examples of the events generated for a security score assessment.
Result: PASSED (example)

```text
Event ID: 13
Level: Informational
Dell Trusted Device has completed a security scan of the system with service tag xxxxxxx at 9/28/2020 2:56:08 PM.
Result: PASSED
Score: 100
Risk Areas Scanned: (Passed: 7, Warning: 0, Fail: 0)
- Antivirus solution detected and enabled: PASS
- BIOS Admin Password set: PASS
- BIOS Verification: PASS
- Disk Encryption: PASS
- Firewall solution detected and enabled: PASS
- Indicators of Attack detected: PASS
- TPM enabled: PASS
```

Result: PASSED, with warnings (example)

```text
Event ID: 14
Level: Warning
Dell Trusted Device has completed a security scan of the system with service tag xxxxxxx at 9/28/2020 2:56:08 PM.
Result: PASSED, with warnings
Score: 100
Risk Areas Scanned: (Passed: 6, Warning: 1, Fail: 0)
- Antivirus solution detected and enabled: PASS
- BIOS Admin Password set: PASS
- BIOS Verification: PASS
- Disk Encryption: WARNING
- Firewall solution detected and enabled: PASS
- Indicators of Attack detected: PASS
- TPM enabled: PASS
```

Result: FAILED (example)

```text
Event ID: 15
Level: Error
Dell Trusted Device has completed a security scan of the system with service tag xxxxxxx at 9/28/2020 5:05:22 PM.
Result: FAILED
Score: 71
Risk Areas Scanned: (Passed: 4, Warning: 1, Fail: 2)
- Antivirus solution detected and enabled: PASS
- BIOS Admin Password set: PASS
- BIOS Verification: PASS
- Disk Encryption: WARNING
- Firewall solution detected and enabled: PASS
- Indicators of Attack detected: FAIL
- TPM enabled: FAIL
```
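The security assessment message above has a fixed shape (result, score, summary counts, then one line per risk area), which makes it straightforward to turn into structured fields for a SIEM or compliance report. The parser below is an added example, not Dell's code; it works on a constructed message in the documented format, cross-checks the summary counts against the per-area list, and lists the areas that need follow-up.

```python
import re
from typing import Dict, List

# Constructed sample in the Event ID 15 (FAILED) message format documented above.
SAMPLE_FAILED = """Dell Trusted Device has completed a security scan of the system with service tag xxxxxxx at 9/28/2020 5:05:22 PM.
Result: FAILED
Score: 71
Risk Areas Scanned: (Passed: 4, Warning: 1, Fail: 2)
- Antivirus solution detected and enabled: PASS
- BIOS Admin Password set: PASS
- BIOS Verification: PASS
- Disk Encryption: WARNING
- Firewall solution detected and enabled: PASS
- Indicators of Attack detected: FAIL
- TPM enabled: FAIL"""

HEADER_RE = re.compile(
    r"service tag (?P<tag>\S+) at (?P<when>.+?)\. Result: (?P<result>.+?) Score: (?P<score>\d+) "
    r"Risk Areas Scanned: \(Passed: (?P<p>\d+), Warning: (?P<w>\d+), Fail: (?P<f>\d+)\)"
)
AREA_RE = re.compile(r"- (?P<name>[^:]+): (?P<status>PASS|WARNING|FAIL)")


def parse_security_score(message: str) -> Dict:
    """Parse one Security Assessment message (single- or multi-line) into a dict."""
    flat = " ".join(message.split())  # the log may wrap lines; normalise whitespace first
    m = HEADER_RE.search(flat)
    if m is None:
        raise ValueError("not a Dell Trusted Device security score message")
    areas = {a.group("name").strip(): a.group("status") for a in AREA_RE.finditer(flat, m.end())}
    return {"service_tag": m.group("tag"), "scanned_at": m.group("when"),
            "result": m.group("result"), "score": int(m.group("score")),
            "counts": {"pass": int(m.group("p")), "warning": int(m.group("w")), "fail": int(m.group("f"))},
            "areas": areas}


def counts_consistent(parsed: Dict) -> bool:
    """Cross-check the summary counts against the per-area list; a mismatch means a truncated or unexpectedly formatted message."""
    tally = {"pass": 0, "warning": 0, "fail": 0}
    for status in parsed["areas"].values():
        tally[status.lower()] += 1  # PASS/WARNING/FAIL -> pass/warning/fail
    return tally == parsed["counts"]


def areas_needing_action(parsed: Dict) -> List[str]:
    """Risk areas to follow up on, FAIL before WARNING, otherwise in the order the event lists them."""
    order = {"FAIL": 0, "WARNING": 1}
    flagged = [(order[s], n) for n, s in parsed["areas"].items() if s in order]
    return [n for _, n in sorted(flagged, key=lambda t: t[0])]
```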
BIOS Verification
If BIOS Verification completes successfully, an informational entry describing the result is written to the Dell application event log. If BIOS Verification processing cannot complete for any reason, an error (or warning) entry describing the failure is written to the Windows System event log. Entries written to the Windows System event log have the source name "Dell Trusted Device | Intel BIOS Verification".
Events
Event ID 4 indicates the following error types:
Verification failed
BIOS Verification failed with a Fail evaluation.

```text
Event ID: 4
Level: Error
BIOS Verification : 1 (Failed Result)
[Displays the complete Json Payload.]
```

Tampering detected
BIOS Verification failed with a tampering detected error.

```text
Event ID: 4
Level: Error
BIOS Verification : 2 (Tampered Result)
[Displays the complete Json Payload.]
```

Event ID 2 indicates the following error types:
Driver error
BIOS Verification failed with a driver error.

```text
Event ID: 2
Level: Error
BIOS Verification : 8 (Driver Error). See log file for more information
```

Network connectivity error
BIOS Verification failed with a network connection error.

```text
Event ID: 2
Level: Error
BIOS Verification : 13 (Network Connectivity Error) See log file for more information
```

Platform not supported
BIOS Verification failed with a platform unsupported error.

```text
Event ID: 2
Level: Error
BIOS Verification : 11 (Platform Not Currently Supported) See log file for more information
```

Unknown error
BIOS Verification failed with an unknown error.

```text
Event ID: 2
Level: Error
BIOS Verification : 3 (Unknown Error). See log file for more information
```

Internal server error
BIOS Verification failed with an internal error.

```text
Event ID: 2
Level: Error
BIOS Verification : 6 (Internal Error). See log file for more information
```

Invalid BIOS data error
BIOS Verification failed with an invalid BIOS data error.

```text
Event ID: 2
Level: Error
BIOS Verification : 9 (Invalid BIOS Data Error). See log file for more information
```
Indicators of Attack
Events generated by the Indicators of Attack (IoA) plugin report state changes in an IoA threat chain.
- IoA events written to the Windows System event log have the source name "Dell Trusted Device | BIOS Events and IoA".
- IoA events written to the Dell application event log have the source name "Trusted Device | BIOS Events and IoA".
Events
The IoA plugin generates the following events. Their content varies slightly, for example <<Attack Type>> and <<Relevant Attribute Changes>>, depending on the threat chain involved. When the event is written, the variable content is replaced with the actual values.
The current Event ID definitions correspond to the current state of the threat:
- 10 indicates that the chain criteria have not been met.
- 11 indicates that the chain criteria have been met to the level of a partial attack.
- 12 indicates that the chain criteria have been fully met.
Partial attack detected
When a partial attack is detected, the following event is written:

```text
Event ID: 11
Level: Warning
A partial Indicator of Attack was detected (Category: <<Attack Type>>) based on the following events: <<Relevant Attribute Changes>>
```

Partial attack escalated to a full attack
When a partial attack escalates to a full attack, the following event is written:

```text
Event ID: 12
Level: Error
A partial Indicator of Attack has escalated (Category: <<Attack Type>>) based on the following events: <<Relevant Attribute Changes>>
```

Partial attack cleared
When a partial attack is cleared, the following event is written:

```text
Event ID: 10
Level: Information
A partial Indicator of Attack has been cleared (Category: <<Attack Type>>).
```

Full attack
When a threat chain goes from clear to detecting a full attack, the following event is written:

```text
Event ID: 12
Level: Error
An Indicator of Attack was detected (Category: <<Attack Type>>) based on the following events: <<Relevant Attribute Changes>>
```

Full attack reduced to a partial attack
When a full attack is reduced to a partial attack, the following event is written:

```text
Event ID: 11
Level: Warning
An Indicator of Attack has been reduced (Category: <<Attack Type>>) based on the following events: <<Relevant Attribute Changes>>
```

Full attack cleared
When a full attack is cleared, the following event is written:

```text
Event ID: 10
Level: Information
An Indicator of Attack has been cleared (Category: <<Attack Type>>).
```
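The six IoA events above describe a small state machine per category (clear, partial, full), keyed by Event ID 10, 11 and 12. The tracker below is an added example, not Dell's code: it keeps the current state per <<Attack Type>> category, names the transition using the page's six cases, and pulls out the <<Relevant Attribute Changes>> text for an analyst. The category name and attribute changes in the constructed sample are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Event IDs as documented above: 10 = chain criteria not met, 11 = partial attack, 12 = full attack.
IOA_STATE = {10: "clear", 11: "partial", 12: "full"}
CATEGORY_RE = re.compile(r"\(Category: (?P<cat>[^)]+)\)")
EVIDENCE_RE = re.compile(r"based on the following events: (?P<ev>.+)$", re.S)
# The six documented transitions, keyed by (previous state, new state).
TRANSITIONS = {
    ("clear", "partial"): "partial attack detected",
    ("partial", "full"): "partial attack escalated to full attack",
    ("partial", "clear"): "partial attack cleared",
    ("clear", "full"): "full attack detected",
    ("full", "partial"): "full attack reduced to partial attack",
    ("full", "clear"): "full attack cleared",
}


class IoaTracker:
    """Keeps the current threat-chain state per IoA category from the event stream."""
    def __init__(self) -> None:
        self.state: Dict[str, str] = {}

    def ingest(self, event_id: int, message: str) -> Optional[Tuple[str, str, str]]:
        if event_id not in IOA_STATE:
            return None  # not an IoA plugin event
        cat = CATEGORY_RE.search(message)
        if cat is None:
            raise ValueError("IoA event without a Category field")
        category, new = cat.group("cat"), IOA_STATE[event_id]
        prev = self.state.get(category, "clear")  # a category never seen before is treated as clear
        self.state[category] = new
        label = TRANSITIONS.get((prev, new))
        if label is None:
            return None  # same state reported again, e.g. two Event ID 11 entries for one chain
        ev = EVIDENCE_RE.search(message)
        return category, label, (ev.group("ev").strip() if ev else "")


# Constructed sample sequence in the documented format; category and attribute changes are placeholders.
SAMPLE_EVENTS = [
    (11, "A partial Indicator of Attack was detected (Category: EXAMPLE_CATEGORY) based on the following events: SecureBoot changed"),
    (12, "A partial Indicator of Attack has escalated (Category: EXAMPLE_CATEGORY) based on the following events: AttemptLegacyBoot changed"),
    (10, "An Indicator of Attack has been cleared (Category: EXAMPLE_CATEGORY)."),
]


def replay(events: List[Tuple[int, str]]) -> List[Tuple[str, str, str]]:
    tracker = IoaTracker()  # feed a chronological list of (Event ID, message) pairs through one tracker
    return [t for t in (tracker.ingest(i, m) for i, m in events) if t is not None]
```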
ME Verification
ME Verification handles the ME verification process. If ME Verification completes successfully, an informational entry describing the result is written to the Dell application event log. If ME Verification processing cannot complete for any reason, an error (or warning) entry describing the failure is written to both the Windows System event log and the Dell application event log:
- Entries written to the Windows System event log have the source name "Dell Trusted Device | Intel ME Verification".
- Entries written to the Dell application event log have the source name "Trusted Device | Intel ME Verification".
Events
The ME Verification plugin generates the following events:
The current Event ID definitions correspond to the logging level:
- 18 indicates an informational entry type.
- 19 indicates a warning entry type.
- 20 indicates an error entry type.
Verification succeeded
ME Verification succeeded with a Pass evaluation.

```text
Event ID: 18
Level: Information
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result: PASSED
```

Verification failed
ME Verification failed with a Fail evaluation.

```text
Event ID: 20
Level: Error
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result: FAILED
```

Driver error
ME Verification failed with a driver error.

```text
Event ID: 20
Level: Error
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result:Error. A driver error has occurred
```

Network connectivity error
ME Verification failed with a network connection error.

```text
Event ID: 20
Level: Error
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result:Error. A network connection error occurred
```

Platform not supported
ME Verification failed with a platform unsupported error.

```text
Event ID: 20
Level: Error
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result:Error. Platform not currently supported
```

Internal server error

```text
Event ID: 20
Level: Error
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result:Error. An internal error occurred within the server
```

Tampering detected
ME Verification failed with a tampering detected error.

```text
Event ID: 20
Level: Error
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result:Error. Tampering has been detected
```

Unknown error
ME Verification failed with an unknown error.

```text
Event ID: 20
Level: Error
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result:Error. An unknown error has occurred
```

Invalid parameter
ME Verification issues a warning about an invalid parameter.

```text
Event ID: 19
Level: Warning
Dell Trusted Device has completed an Intel ME Verification scan of the system with service tag G1CCLQ2 at 4/28/2021 2:56:08 PM.
Result:Warning. The parameter is invalid
```
BIOS attributes used in IoA
- The screenshots are examples only and may not directly reflect the exact BIOS attributes of a particular platform.
- This chart is dynamic, as additional IoAs are created.
| IoA | BIOS screenshot |
|---|---|
| SecureBoot | (screenshot) |
| AttemptLegacyBoot | (screenshot) |
| Boot List | (screenshot) |
| UEFIBootPathSecurity | (screenshot) |
| AutoOSThresholdRecovery | (screenshot) |
| AllowBiosDowngrade | (screenshot) |
| CapsuleFirmwareUpdate | (screenshot) |
| BiosAutoRecovery | (screenshot) |
| TPM construction | (screenshot) |
| TPM | (screenshot) |
| TPMClear | (screenshot) |
| TPMPpiClearOverride | (screenshot) |
| AutoOn | (screenshot) |
| WakeOnLan | (screenshot) |
| RemoteWipeInternalDrives | (screenshot) |
| USBWake | (screenshot) |
| WakeOnDock | (screenshot) |
| TPMRemoteActivation | TBD |
| AdminPwMinLen | (screenshot) |
| PwdMinLen | TBD |
| Strong password | (screenshot) |
| AdminSetupLockout | (screenshot) |
| BIOSAdminPwd | TBD |
| Clear BIOSLog | TBD |
| Clear PowerLog | TBD |
| ClearThermalLog | TBD |
| ClearChassisIntrusionWarning | (screenshot) |
| ClearDellRMTLog | TBD |
| Chassis intrusion report | (screenshot) |
| Chassis intrusion | N/A |
| Microphone | (screenshot) |
To contact support, see the Dell Data Security international support phone numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.