Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Azure Active Directory Messages | Base Rule | General Audit Message | Other Audit |
| Logon Using DA Token | Sub Rule | User Logon | Authentication Success |
| Logon Failure Using DA Token | Sub Rule | User Logon Failure | Authentication Failure |
| Logon Using Federated Token | Sub Rule | User Logon | Authentication Success |
| Logon Failed Using Federated Token | Sub Rule | User Logon Failure | Authentication Failure |
| Logon Using Password | Sub Rule | User Logon | Authentication Success |
| Logon Failed Using Password | Sub Rule | User Logon Failure | Authentication Failure |
| Add App Role Assignment Grant to User | Sub Rule | Successful Activity | Other Audit Success |
| Add App Role Assignment Grant to User Fail | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Add App Role Assignment to Service Principal | Sub Rule | Successful Activity | Other Audit Success |
| Add App Role Assignment to Service Principal Fail | Sub Rule | Successful Activity | Other Audit Success |
| Add Application | Sub Rule | Software Installed | Configuration |
| Add Application Fail | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Add OAuth2PermissionGrant | Sub Rule | Privilege Granted | Access Granted |
| Add OAuth2PermissionGrant Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Add Service Principal | Sub Rule | Successful Activity | Other Audit Success |
| Add Service Principal Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Add User | Sub Rule | User Account Created | Account Created |
| Add User Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Change User License | Sub Rule | User Account Attribute Modified | Account Modified |
| Change User License Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Consent to Application | Sub Rule | Successful Activity | Other Audit Success |
| Consent to Application Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Delete Group | Sub Rule | Group Deleted | Account Deleted |
| Delete Group Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Delete User | Sub Rule | User Account Deleted | Account Deleted |
| Delete User Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Reset User Password | Sub Rule | Password Modified | Account Modified |
| Reset User Password Failed | Sub Rule | Password Change Attempted | Other Audit Failure |
| Update Application | Sub Rule | Software Updated | Configuration |
| Update Application Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Update Group | Sub Rule | Group Attribute Modified | Account Modified |
| Update Group Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Update Service Principal | Sub Rule | Role Attribute Modified | Account Modified |
| Update Service Principal Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Update User | Sub Rule | User Account Attribute Modified | Account Modified |
| Update User Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Authentication Success | Sub Rule | User Logon | Authentication Success |
| Authentication Failure | Sub Rule | User Logon Failure | Authentication Failure |
| Add Member to Role | Sub Rule | Account Added to Group | Access Granted |
| Add Member to Group | Sub Rule | Account Added to Group | Access Granted |
| Add Member to Role | Sub Rule | Set Role Success | Other Audit |
| Add Owner to Group | Sub Rule | Ownership Granted | Access Granted |
| Add Group | Sub Rule | Group Created | Account Created |
| Remove Member from Role | Sub Rule | Account Removed from Group | Access Revoked |
| User Account Not Found | Sub Rule | User Not Found | Error |
| Set Group License | Sub Rule | License Allocated | Information |
| Add Member to Role Failed | Sub Rule | General Failed Activity | Failed Activity |
| Remove Member from Role | Sub Rule | General Failed Activity | Failed Activity |
| FlowToken Expired | Sub Rule | Token Not Found | Error |
| Redirected User Login Success | Sub Rule | User Logon | Authentication Success |
| Redirected User Login Failure | Sub Rule | User Logon Failure | Authentication Failure |
| Fault Domain Redirected | Sub Rule | Authentication Failure Activity | Authentication Failure |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| TS | N/A | N/A |
| SESSID | `<session>` | Text/String |
| COMMAND | `<command>` | Text/String |
| USERTYPE | `<objecttype>` | Text/String |
| USERKEY | `<login>` | Text/String |
| WORKLOAD | `<process>` | Text/String |
| RESULTCODE | `<result>` | Text/String |
| OBJECT | `<account>` | Text/String |
| USER | `<subject>` | Text/String |
| SIP | `<sip>` | IP Address |
| EVENTTYPE | `<vmid>` | Text/String |
| EXTENDEDPROPERTIES "name":"targetName","value":" | `<group>` | Text/String |
| EXTENDEDPROPERTIES "Name":"Group.DisplayName","NewValue":" | `<group>` | Text/String |
| MODIFIEDPROPERTIES "name":"role.displayname","newvalue":" | `<group>` | Text/String |
| MODIFIEDPROPERTIES "name":"RequestType","value":" | `<policy>` | Text/String |
| APPLICATION | `<objectname>` | Text/String |
| USERAGENT | `<useragent>` `<object>` | Text/String |
| LOGINSTATUS | `<tag5>` | Text/String |
| USERDOMAIN | N/A | N/A |
| ACTOR | N/A | N/A |
| ACTORCONTEXTID | N/A | N/A |
| ACTORIP | N/A | N/A |
| INTERSYSTEMSID | N/A | N/A |
| INTRASYSTEMSID | N/A | N/A |
| SUPPORTTICKETID | N/A | N/A |
| TARGET | N/A | N/A |
| TARGETCONTEXTID | N/A | N/A |