Latch Event Monitor: New tool to integrate Latch with Windows Events

Thursday, March 27, 2014


Latch Event Monitor is a tool that monitors Windows events, lets the user track Windows logs in a very granular way, and reacts according to a preconfigured Latch response.

This means that Latch Event Monitor will ask the Latch servers what to do when a certain event is generated on a Windows machine. The administrator thus has a tool to potentially react to events, and can modify the behavior and the scripts launched in any way, at any moment, just by sliding a bar on their mobile device.

How it works

Latch Event Monitor runs as a service and has a GUI to configure it. That means it keeps working and monitoring logs even when no user is logged in. The service constantly monitors for any event with the characteristics given by the user. When one occurs, it asks the Latch servers and reacts in the way the user has configured.

It may also be used as an alerting system, with no action associated with an event: if the event occurs, Latch sends a blocking message to the mobile device, but no action is taken.

Latch Event Monitor with some configured rules

How to install it

No special instructions. Just accept the license and choose the path. If, for the sake of security, you do not want the service to run as SYSTEM, you may change it to whatever account you wish, as long as it has the privileges to run as a service and has network access. The manual explains how to do this.

A config file is created in XML format. This file contains sensitive information. Take care with its permissions, especially on shared computers.

Pairing with Latch

First of all, a Latch account has to be set up with a pairing token. Go to Latch management and add the App ID and secret. A timeout is also specified here: if the computer is not connected to a network or, for any other reason, cannot get a response from Latch within the specified time limit (0 milliseconds by default, which corresponds to no timeout), the "no response" action is applied.

How to add and configure an event

Each monitored event may have these fields:
  • Name (optional): Any name given to the event that is going to be monitored. The name only serves to identify the event more easily in the list.
  • Log: The log tree source that Windows uses to classify logs. It is the same one you can find in eventvwr.msc, and you have as many logs to choose from as Windows offers there. The success of your monitoring depends on this, so choose the source carefully. Some sources, such as "Security", require more privileges, so make sure that the account the service runs under has them.
  • Source (optional): The source of the event, as shown in eventvwr.msc.
  • Message: The text generated with an event goes through a matching system that can be used to discard or allow some events. If the configured string matches, the Latch query will be launched. The message is treated as a string, so "Starts with", "Contains"... may be used to match.
  • Event ID: If the event id matches, it will go through the process of checking the string in the message body.
  • Operation ID: The operation ID used in Latch.
  • Actions.Open (optional): If the Latch query responds with an "on", the process specified here will be launched, with the specified argument set (optional). 
  • Actions.Closed (optional): If the Latch query responds with an "off", the process specified here will be launched, with the specified argument set (optional).
  • Actions.No response (optional): If the Latch query doesn't respond (because there's no connectivity, for instance, after the timeout declared in "Latch settings"), the process specified here will be launched, with the specified argument set (optional). 
Event details with VNC example
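
The field list above amounts to a small decision procedure: filter the event, query Latch, then pick one of three actions. The following Python model of that flow is an added example, not code from the tool (which is written in C#); the class and function names, the stubbed Latch query, the event values and the script paths are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    log: str
    event_id: int
    operation_id: str
    message: str = ""
    match_mode: str = "contains"          # or "starts_with"
    source: Optional[str] = None          # optional: None matches any source
    on_open: Optional[str] = None         # Actions.Open
    on_closed: Optional[str] = None       # Actions.Closed
    on_no_response: Optional[str] = None  # Actions.No response

def matches(rule: Rule, event: dict) -> bool:
    """Log, Event ID and optional Source are checked first, then the message body."""
    if event["log"] != rule.log or event["event_id"] != rule.event_id:
        return False
    if rule.source is not None and event["source"] != rule.source:
        return False
    if rule.match_mode == "starts_with":
        return event["message"].startswith(rule.message)
    return rule.message in event["message"]

def decide(rule: Rule, event: dict, query_latch: Callable[[str], str]):
    """Return (latch_answer, command_to_launch), or None when the rule does not match."""
    if not matches(rule, event):
        return None  # no Latch query is made for non-matching events
    try:
        answer = query_latch(rule.operation_id)
    except TimeoutError:
        answer = None
    if answer == "on":
        return ("on", rule.on_open)
    if answer == "off":
        return ("off", rule.on_closed)
    # Assumption: anything other than "on"/"off" is handled like a missing response.
    return ("no response", rule.on_no_response)

# Constructed sample data: event, operation ID and script paths are placeholders.
SAMPLE_EVENT = {"log": "Application", "source": "ExampleService", "event_id": 1000,
                "message": "Connection received from 192.0.2.10"}
RULE = Rule(log="Application", event_id=1000, operation_id="OPERATION_ID_PLACEHOLDER",
            message="Connection received", match_mode="starts_with",
            on_closed=r"C:\Scripts\block.cmd", on_no_response=r"C:\Scripts\block.cmd")
ALERT_ONLY = Rule(log="Application", event_id=1000, operation_id="OPERATION_ID_PLACEHOLDER")

def offline(_operation_id: str) -> str:
    raise TimeoutError("no answer from Latch within the configured timeout")

if __name__ == "__main__":
    for name, q in [("on", lambda _: "on"), ("off", lambda _: "off"), ("offline", offline)]:
        print(name, decide(RULE, SAMPLE_EVENT, q))
```

In this sample the no-response action repeats the closed action, so losing connectivity to Latch does not silently skip the blocking script. `ALERT_ONLY` models the alerting mode: the query is still made, but no command is attached to any answer.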

In a later post, we will discuss some examples.

The tool is available in C# and may be freely downloaded from: http://elevenpaths.com/downloads/LatchEM-installer.exe

We encourage you to use it.

Eleven Paths on "Digital Futures" video series

Thursday, March 6, 2014

Telefonica Digital produces a video series called Digital Futures, which is publicly available at http://youtube.com/telefonicadigital. In the latest episode, some relevant people from the world of security give us some insights. The episode features our very own Jose Palazón, from Eleven Paths.

In this episode of Digital Futures, they have quizzed an ethical hacker, a top researcher, a cyber forensics pro and a security guru on the trends in hacking and cyber security that we all need to look out for, whether as a business or as a consumer. The video is in English with Spanish subtitles.

This is a special, longer episode on cyber security, and it features relevant people like David Day (senior lecturer and consultant, information security and forensics, at Sheffield Hallam University), Edward Lucas (senior editor at The Economist and author of The Snowden Operation: Inside the West's Greatest Intelligence Disaster), and Tim Holman (CEO at 2-sec and president of ISSA-UK). And of course, Jose Palazón, responsible for Latch working properly.