Audit Events 1
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Audit Events 1 | Base Rule | General Auditing Message | Other Audit |
| Create Session Command Failed | Sub Rule | Command Execution Failure | Access Failure |
| Close Session Failed | Sub Rule | Close Session Failed | Error |
| Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| User Account Summary Failed | Sub Rule | General Audit Failure | Error |
| Link To File Failed | Sub Rule | Link To File Failed | Error |
| Directory Creation Failed | Sub Rule | Create Object Failure | Access Failure |
| Set Group ID Failed | Sub Rule | Modify Object Failure | Access Failure |
| File Ownership Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| File Permissions Set Failed | Sub Rule | Modify Object Failure | Access Failure |
| Object Opened Failed | Sub Rule | Access Object Failure | Access Failure |
| System Call Failed | Sub Rule | Failed System Call | Error |
| Login Attempt Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Service Started Failed | Sub Rule | Service Start Failure | Error |
| Service Stop Failed | Sub Rule | Service Stop Failed | Error |
| Working Directory Change Failed | Sub Rule | Read Object Failure | Access Failure |
| Credentials Set Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Credentials Dispense Failed | Sub Rule | Failed To Dispense Credentials | Error |
| Credentials Acquire Failed | Sub Rule | Failed To Acquire Credentials | Error |
| Configuration Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| Session Started For User | Sub Rule | User Logon | Authentication Success |
| User Login | Sub Rule | User Logon | Authentication Success |
| Session Closed For User | Sub Rule | Session Closed For User | Other Audit Success |
| Authentication | Sub Rule | Authentication Activity | Authentication Success |
| User Account Summary | Sub Rule | General Auditing Message | Other Audit |
| Link To File Created | Sub Rule | Object Created | Access Success |
| Directory Created | Sub Rule | Object Created | Access Success |
| File Group Changed | Sub Rule | Object Modified | Access Success |
| File Owner Changed | Sub Rule | Object Attribute Modified | Access Success |
| File Permissions Set | Sub Rule | Policy Enabled : Object | Policy |
| File Opened | Sub Rule | Object Read | Access Success |
| System Call | Sub Rule | System Call | Other Audit Success |
| Object Path Opened | Sub Rule | Object Read | Access Success |
| Login | Sub Rule | User Logon | Authentication Success |
| Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Working Directory Changed | Sub Rule | Command Executed | Access Success |
| Credentials Set | Sub Rule | Authentication Activity | Authentication Success |
| Credentials Dispensed | Sub Rule | Authentication Activity | Authentication Success |
| Credentials Acquired | Sub Rule | Authentication Activity | Authentication Success |
| Configuration Change | Sub Rule | Configuration Modified : System | Configuration |
| User Login Failed | Sub Rule | User Logon Failure | Authentication Failure |
| Access Vector Cache Message | Sub Rule | Object Read | Access Success |
| User Command | Sub Rule | Command Executed | Access Success |
| User Command Failed | Sub Rule | Command Execution Failure | Access Failure |
| Abnormal Process Termination | Sub Rule | Suspicious Activity | Suspicious |
| Security Label Set | Sub Rule | Object Attribute Modified | Access Success |
| Configuration Changed | Sub Rule | Configuration Modified : System | Configuration |
| Policy Loaded | Sub Rule | Policy Enabled : System | Policy |
| Mandatory Access Control Status | Sub Rule | Security Status | Activity |
| User Access Vector Cache Message | Sub Rule | General Audit Message | Other Audit |
| Authentication Check | Sub Rule | Authentication Activity | Authentication Success |
| Authentication Check Failed | Sub Rule | User Logon Failure | Authentication Failure |
| User Role Change | Sub Rule | Role Attribute Modified | Account Modified |
| User Role Change Failed | Sub Rule | Command Execution Failure | Access Failure |
| System Configuration Changed | Sub Rule | Configuration Modified : System | Configuration |
| System Configuration Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| File Descriptor Pair | Sub Rule | General Auditing Message | Other Audit |
| Object Process ID | Sub Rule | Object Process ID Information | Other Audit |
| End Of Event Message | Sub Rule | General Information Log Message | Information |
| Command Executed | Sub Rule | Command Executed | Access Success |
| User Error | Sub Rule | User Error | Error |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| N/A | <severity> | Number/Text |
| type | <vmid> | Number/Text |
| msg | <process> | Number |
| argc | <amount> | Number |
| a0 | <command> | Number/Text |
| a1 | <vendorinfo> | Text/String |
| a2 | <object> | Text/String |
| a3 | <objectname> | Text/String |