This document provides a structured overview of key security-related incidents logged by ThinkShield Firmware Assurance. Events are categorized based on their nature, severity, and potential impact. Each event includes a brief description, its severity level, and key considerations for security monitoring. By analyzing these logs, administrators and security teams can:
- Detect unauthorized hardware modifications and tampering attempts.
- Identify potential firmware intrusions and security breaches.
- Monitor critical system operations, including boot processes and updates.
- Ensure compliance with security policies and forensic investigations.
BIOS Event Log
BIOS events are generated at boot through a combination of hardware monitoring, firmware diagnostics, and security checks.
1. Power On (From Year: 2023)
Summary:
- Wake-on-LAN detected – Occurs when the system powers on remotely via Wake-on-LAN, used for remote management. May indicate authorized remote access or potential unauthorized activity.
- Detected – A generic power-on event that signifies system startup by any other means than Wake-on-Lan
Default Severity: Moderate (Wake-on-LAN), Normal (Generic power-on).
Note: If unexpected Wake-on-LAN events occur, administrators should investigate network activity and other events from the device for suspicious chains of events.
2. Subcomponent Code Measurement (From Year: 2023)
Summary:
- Trusted – All firmware subcomponents passed integrity checks. No unauthorized modifications have occurred.
- Corrupted – At least one firmware subcomponent failed integrity checks, indicating potential tampering or corruption.
Severity: Normal (Trusted), High (Corrupted).
Notes:
- This event helps monitor firmware integrity, which is critical for system security.
- Administrators should immediately investigate any "Corrupted" status.
3. System Preboot Authentication (From Year: 2023)
Summary:
- Pass – Preboot authentication completed successfully.
- Fail – Authentication attempt failed, possibly due to incorrect credentials or unauthorized access attempts.
Severity: Normal (Pass), Moderate (Fail).
Note: Frequent failures may indicate brute-force attacks or unauthorized access attempts.
4. BIOS Password Change (From Year: 2023)
Summary:
- Created – A new BIOS password was set.
- Changed – The existing BIOS password was modified.
- Removed – The BIOS password was removed, potentially reducing security.
Default Severity: Normal (Created), Low (Changed), High (Removed).
Note: Password removal should be reviewed to confirm it was intentional.
5. Subcomponent Self-Healing (From Year: 2023)
Summary:
- Pass – Self-healing process was executed successfully, subcomponent was restored.
- Fail – Self-healing process failed, the issue persists.
Severity: Low (Pass), High (Fail).
Notes:
- Failed self-healing suggests deeper firmware issues requiring manual intervention.
- This event helps monitor firmware integrity, which is critical for system security.
6. BIOS Setup Configuration Change (From Year: 2023)
Summary:
- Detected – BIOS setting was modified, which could impact performance, security, or system behavior.
- BIOS Setup –BIOS setting was modified via BIOS Setup.
- WMI – BIOS setting was modified via WMI command.
Severity: Moderate.
Note: Unauthorized configuration changes should be investigated to prevent security risks.
7. Runtime Intrusion Detection of SPI Flash (From Year: 2024)
Summary:
- Detected – Detected potential intrusion or unauthorized modification of SPI flash memory.
Severity: Moderate.
Note: SPI flash memory stores firmware; unauthorized changes may indicate an attack on system integrity.
8. Device Change (From Year: 2023)
Summary:
- Attached – A new hardware device was connected to the system.
- Replaced – A previously connected device was swapped with another.
- Removed – A hardware device was disconnected from the system.
Severity: Moderate (Attached, Replaced); High (Removed).
Notes:
- Helps track unauthorized hardware modifications.
- Unexpected removals should be checked to ensure critical components remain intact.
9. System Boot (From Year: 2023)
Summary – System successfully booted up.
Severity: Low
Note: Regular system boots are expected, but unusual boot sequences may warrant investigation.
10. System Tamper (From Year: 2023)
Summary:
- Open – The system’s chassis was opened, indicating possible physical tampering.
- Close – The chassis is closed.
Severity:
- High (Open)
- Normal (Close)
Note:
Detects unauthorized physical access.
11. POST Error (From Year: 2023)
Summary:
- Detected – Hardware or firmware-related error during Power-On Self-Test (POST).
Severity: Moderate
Note: May Indicate hardware failure or misconfiguration; requires further investigation.
12. Flash Update (From Year: 2023)
Summary:
- Pass – firmware update successful.
- Fail – firmware update failed.
Severity: Low (Pass), High (Fail)
Note: Failed firmware updates may render the system unusable requiring recovery procedures.
13. Log Cleared (From Year: 2023)
Summary:
- BIOS event log menu – Logs were manually cleared from the BIOS event log.
- BIOS initialization to factory default – BIOS settings were restored to factory defaults.
- Service – Log was cleared as part of a service process.
Severity: High (BIOS event log menu), Normal (BIOS initialization to factory default, Service)
Note: Unauthorized log clearance may indicate security concealment.
14. Set On-Premise (From Year: 2023)
Summary:
- Detected – System setting change marked the device as being physically located on-premises.
Severity: Low
Notes : Relevant for enforcing enforcing location-based security policies.
15. Capsule Update (From Year: 2023)
Summary:
- Pass – Capsule update (firmware) was successful.
- Fail – Capsule update failed.
Severity: High
Note: Ensures firmware integrity and security patching. Failed updates may require manual intervention.
16. Shutdown/Reboot (From Year: 2023)
Summary:
- Detected – Shutdown or reboot event was logged.
- Severity: Normal
Note: Usually normal, but can be useful for tracking unexpected system restarts.
17. Secure Wipe (From Year: 2024)
Summary:
- Completed Successfully – Secure wipe operation was successful.
- Failed – Secure wipe operation failed.
Severity: Low (Completed Successfully), Moderate (Failed)
Note: Ensures data is permanently erased before disposal or reuse.
18. TCG PPI Operation (From Year: 2024)
Summary:
- Detected – Trusted Computing Group (TCG) Physical Presence Interface (PPI) operation was performed.
Severity: Moderate
Note:
TCG PPI operations involve security settings like enabling/disabling TPM. Unexpected changes should be reviewed.
19. HTTP Boot (From Year: 2024)
Summary:
- Detected – Network-based boot via HTTP.
Severity: Moderate
Note: Used for remote deployment. Unauthorized usage may indicate external boot attempts.
20. Device Firmware Failure (From Year: 2025)
This event indicates that a hardware component's firmware has encountered an issue, failed to initialize, or is corrupted. Possible causes include a failed firmware update, corrupt or incompatible firmware, hardware malfunction, or security policies such as Secure Boot or BIOS restrictions blocking unauthorized firmware. Currently, the following hardware components are monitored for this issue: TBT Retimer, TPM, TrackPoint, Touchpad, WLAN, and SSD0 (primary SSD).
Summary:
- TBT Retimer - FW corrupted
- TBT Retimer - Not found
- TBT Retimer - Response timeout
- TPM - FW corrupted
- TPM - Not found
- TPM - Response timeout
- Trackpoint - FW corrupted
- Trackpoint - Not found
- Trackpoint - Response timeout
- Touchpad - FW corrupted
- Touchpad - Not found
- Touchpad - Response timeout
- WLAN - FW corrupted
- WLAN - Not found
- WLAN - Response timeout
- SSD0 - FW corrupted
- SSD0 - Not found
- SSD0 - Response timeout
Severity: High
Note: this issue can result from corruption, failed updates, or hardware issues; update or reflash firmware, check BIOS settings, and replace the affected component if necessary.
OS Event Log
OS events are generated at runtime whenever the ThinkShield Firmware Assurance agent detects a changes in the system.
1. TPM PCR Change
Summary:
- Detected – A change in the Platform Configuration Registers (PCRs) was detected.
Severity: High
Notes:
- PCR changes indicate modifications to measured boot components
- Unexpected PCR changes may indicate tampering or unauthorized configuration adjustments.
- Review BIOS logs to identify reasons for changes.
2. BIOS Mode Change
Summary:
- Switched to UEFI – Firmware mode changed to UEFI.
- Switched to Legacy BIOS – Firmware mode changed to Legacy BIOS.
Severity: High
Note: BIOS mode changes can impact boot security and compatibility. It should be reviewed for unauthorized modifications.
3. BIOS Version Change
Summary:
- Detected – BIOS/UEFI firmware version changed.
Severity: High
Note: BIOS updates can introduce security fixes or vulnerabilities. Ensure updates are authorized and from a trusted source.
4. Secure Boot Status Change
Summary:
- Disabled – Secure Boot was turned off.
- Enabled – Secure Boot was turned on.
Severity: High
Note: Secure Boot ensures only signed bootloaders run. Disabling it can expose the system to malware.
5. Drive Encryption Status Change
Summary:
- Detected – Encryption status of a storage drive has changed.
Severity: High
Note: Changes in drive encryption may indicate unauthorized access attempts or security misconfigurations. Review for potential data protection risks.
6. Disk Drive Firmware Version Change
Summary:
- Detected – Firmware version of a storage drive has changed.
Severity: High
Note : Firmware updates can improve performance or security but should be verified as intentional and from a trusted source.
EC Event Log
This event is generated in runtime through communication between the Embedded Controller (EC) and the ThinkShield Firmware Assurance agent.
1. On-Demand Measurement (From Year: 2025)
Summary:
- Trusted: All firmware subcomponents successfully passed integrity checks, ensuring no unauthorized modifications have occurred.
- Corrupted: At least one firmware subcomponent failed an integrity check, indicating possible tampering or corruption.
Default Severity: Normal (Trusted), High (Corrupted).
Notes:
- This event helps monitor firmware integrity, which is essential for system security.
- Administrators should promptly investigate any "Corrupted" status.
- Admins can initiate new checks on the portal at any time.
Related Articles
Running On-demand Measurements
This feature introduces the ability to perform on-demand measurements on the device, run the measurement (verify firmware integrity) of each component, and display the latest logs on the Cloud UI. It also enables a two-step attestation of ...
Viewing and Setting Incident Severity Levels
About Incident Severity Each incident, issue, or event on ThinkShield Firmware Assurance (TSFA) is assigned a Severity Level, which indicates the level of importance and suggests potential actions needed for a specific device. These severity levels ...
Viewing Incidents Report
To access this report, navigate to the Incidents section. Here, you'll find a comprehensive list of all recorded incidents, including any issues or errors identified based on criteria set by the IT Admin. Incidents are a specific type of event that ...
Setting Incident Notifications
Incidents This feature allows users to customize their alert preferences based on the severity level of incidents: Low and higher, Moderate and higher, or High only. When an incident matches the selected severity level, users are promptly notified ...
About Device Statuses
Status The Status refers to the platform state of a device and indicates its onboarding stage. Devices can have one of three statuses: Active: The device is fully onboarded, provisioned, and actively reporting data. Pending: The device is either ...