Audit Events 2
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Audit Events 2 | Base Rule | General Auditing Message | Other Audit |
| System Configuration Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| System Configuration Changed | Sub Rule | Configuration Modified : System | Configuration |
| User Role Change Failed | Sub Rule | Command Execution Failure | Access Failure |
| User Role Change | Sub Rule | Role Attribute Modified | Account Modified |
| Authentication Check Failed | Sub Rule | User Logon Failure | Authentication Failure |
| Authentication Check | Sub Rule | Authentication Activity | Authentication Success |
| User Access Vector Cache Message | Sub Rule | General Audit Message | Other Audit |
| Mandatory Access Control Status | Sub Rule | Security Status | Activity |
| Policy Loaded | Sub Rule | Policy Enabled : System | Policy |
| Configuration Changed | Sub Rule | Configuration Modified : System | Configuration |
| Security Label Set | Sub Rule | Object Attribute Modified | Access Success |
| Abnormal Process Termination | Sub Rule | Suspicious Activity | Suspicious |
| User Command Failed | Sub Rule | Command Execution Failure | Access Failure |
| User Command | Sub Rule | Command Executed | Access Success |
| Access Vector Cache Message | Sub Rule | Object Read | Access Success |
| User Login Failed | Sub Rule | User Logon Failure | Authentication Failure |
| Configuration Change | Sub Rule | Configuration Modified : System | Configuration |
| Credentials Acquired | Sub Rule | Authentication Activity | Authentication Success |
| Credentials Dispensed | Sub Rule | Authentication Activity | Authentication Success |
| Credentials Set | Sub Rule | Authentication Activity | Authentication Success |
| Working Directory Changed | Sub Rule | Command Executed | Access Success |
| Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| Login | Sub Rule | User Logon | Authentication Success |
| Object Path Opened | Sub Rule | Object Read | Access Success |
| System Call | Sub Rule | System Call | Other Audit Success |
| File Opened | Sub Rule | Object Read | Access Success |
| File Permissions Set | Sub Rule | Policy Enabled : Object | Policy |
| File Owner Changed | Sub Rule | Object Attribute Modified | Access Success |
| File Group Changed | Sub Rule | Object Modified | Access Success |
| Directory Created | Sub Rule | Object Created | Access Success |
| Link To File Created | Sub Rule | Object Created | Access Success |
| User Account Summary | Sub Rule | General Auditing Message | Other Audit |
| Authentication | Sub Rule | Authentication Activity | Authentication Success |
| Session Closed For User | Sub Rule | Session Closed For User | Other Audit Success |
| User Login | Sub Rule | User Logon | Authentication Success |
| Session Started For User | Sub Rule | User Logon | Authentication Success |
| Configuration Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| Credentials Acquire Failed | Sub Rule | Failed To Acquire Credentials | Error |
| Credentials Dispense Failed | Sub Rule | Failed To Dispense Credentials | Error |
| Credentials Set Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Working Directory Change Failed | Sub Rule | Read Object Failure | Access Failure |
| Service Stop Failed | Sub Rule | Service Stop Failed | Error |
| Service Started Failed | Sub Rule | Service Start Failure | Error |
| Login Attempt Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| System Call Failed | Sub Rule | Failed System Call | Error |
| Object Opened Failed | Sub Rule | Access Object Failure | Access Failure |
| File Permissions Set Failed | Sub Rule | Modify Object Failure | Access Failure |
| File Ownership Change Failed | Sub Rule | Modify Object Failure | Access Failure |
| Set Group ID Failed | Sub Rule | Modify Object Failure | Access Failure |
| Directory Creation Failed | Sub Rule | Create Object Failure | Access Failure |
| Link To File Failed | Sub Rule | Link To File Failed | Error |
| User Account Summary Failed | Sub Rule | General Audit Failure | Error |
| Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| Close Session Failed | Sub Rule | Close Session Failed | Error |
| Create Session Command Failed | Sub Rule | Command Execution Failure | Access Failure |
| User Error | Sub Rule | User Error | Error |
| Command Executed | Sub Rule | Command Executed | Access Success |
| End Of Event Message | Sub Rule | General Information Log Message | Information |
| Object Process ID | Sub Rule | Object Process ID Information | Other Audit |
| File Descriptor Pair | Sub Rule | General Auditing Message | Other Audit |
| User Logout | Sub Rule | User Logoff | Authentication Success |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| type | <vmid> | Text/String |
| msg | <subject> | Number/String |
| auid | <account> | Number |
| pid | <process> | Number |
| cwd | <object> | Text/String |
| syscall | <tag3> | Text/String |
| success | <tag2> | Text/String |
| ogid | <group> | Text/String |
| hostname | <sname> | Number |
| addr | <sip> | Number |
| terminal | <session> | Text/String |
| op | <tag1> | Text/String |