This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | <vendorinfo> | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | N/A | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| Security | N/A | N/A |
| State | <action>, <tag1> | <action>, <tag1> |
| Version | <version> | N/A |
| SchemaVersion | N/A | N/A |
| UserId | <domain>, <login> | N/A |
| RuleName | <policy> | <policy> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1009723 | EVID 4 : Sysmon Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 4 : Sysmon Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 4 : Sysmon Service Started/Stopped | Base Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1011221 | V 2.0 : EVID 4 : Sysmon Service State Changed | Base Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| | V 2.0 : EVID 4 : Sysmon Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 4 : Sysmon Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
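As an added example (not LogRhythm's own parser or policy code), the following Python maps one Sysmon Event ID 4 record to the metadata fields listed in the field table under either policy, and then picks the sub-rule and common event from the parsed State value as the processing tables describe. The Windows event XML layout (elements under System, Data elements under EventData) is standard; the sample record and its values are constructed, and splitting UserId on a backslash into <domain> and <login> is an assumption about how the Default policy derives those two fields.

```python
"""Added example: map a Sysmon Event ID 4 (service state changed) record to the
LogRhythm metadata fields the Default and Default v2.0 policies parse."""
import xml.etree.ElementTree as ET

# Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (section, element) -> LogRhythm fields, per policy, as given in the field table.
# The <Version> under <System> is N/A in both policies; the EventData "Version"
# (the Sysmon binary version) is parsed only by the Default policy.
FIELD_MAP = {
    "default": {
        ("System", "EventID"): ("vmid",),
        ("System", "Level"): ("severity",),
        ("System", "Task"): ("vendorinfo",),
        ("System", "Computer"): ("dname",),
        ("EventData", "State"): ("action", "tag1"),
        ("EventData", "Version"): ("version",),
        ("EventData", "UserId"): ("domain", "login"),
        ("EventData", "RuleName"): ("policy",),
    },
    "v2.0": {
        ("System", "EventID"): ("vmid",),
        ("System", "Level"): ("severity",),
        ("System", "Task"): ("vendorinfo",),
        ("System", "Keywords"): ("result",),
        ("System", "Computer"): ("dname",),
        ("EventData", "State"): ("action", "tag1"),
        ("EventData", "RuleName"): ("policy",),
    },
}

# Rule names and common events from the log processing tables.
BASE_RULE = {"default": "EVID 4 : Sysmon Service Started/Stopped",
             "v2.0": "V 2.0 : EVID 4 : Sysmon Service State Changed"}
SUB_RULES = {
    "default": {"Started": "EVID 4 : Sysmon Started",
                "Stopped": "EVID 4 : Sysmon Stopped"},
    "v2.0": {"Started": "V 2.0 : EVID 4 : Sysmon Service Started",
             "Stopped": "V 2.0 : EVID 4 : Sysmon Service Stopped"},
}
COMMON_EVENT = {"Started": "Process/Service Started",
                "Stopped": "Process/Service Stopped"}
BASE_COMMON_EVENT = "Process/Service Startup Or Shutdown Activity"


def _value(root, section, name):
    """Read a <System> child element or an <EventData><Data Name=...> element."""
    if section == "System":
        el = root.find(f"e:System/e:{name}", NS)
    else:
        el = root.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return el.text.strip() if el is not None and el.text else None


def parse_sysmon_evid4(xml_text, policy="v2.0"):
    """Return the LogRhythm fields the chosen policy populates for one record."""
    root = ET.fromstring(xml_text)
    if _value(root, "System", "EventID") != "4":
        raise ValueError("not a Sysmon Event ID 4 record")
    fields = {}
    for (section, name), targets in FIELD_MAP[policy].items():
        raw = _value(root, section, name)
        if raw is None:
            continue  # element absent from this record: field stays unparsed
        if targets == ("domain", "login"):
            # Assumption: UserId arrives as DOMAIN\user and is split in two.
            domain, _, login = raw.rpartition("\\")
            fields["domain"] = domain or None
            fields["login"] = login
        else:
            for target in targets:
                fields[target] = raw
    return fields


def classify(fields, policy="v2.0"):
    """Pick (rule name, common event) from the parsed State value; fall back to
    the base rule when the State is neither Started nor Stopped."""
    state = fields.get("action")
    if state not in COMMON_EVENT:
        return BASE_RULE[policy], BASE_COMMON_EVENT
    return SUB_RULES[policy][state], COMMON_EVENT[state]


# Constructed sample record (hostname, times and version values are made up).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>4</EventID><Version>3</Version><Level>4</Level><Task>4</Task>
    <Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000Z"/>
    <EventRecordID>1</EventRecordID><Correlation/>
    <Execution ProcessID="1" ThreadID="1"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>ws01.constructed.example</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-01 00:00:00.000</Data>
    <Data Name="State">Started</Data>
    <Data Name="Version">14.16</Data>
    <Data Name="SchemaVersion">4.70</Data>
    <Data Name="UserId">CONTOSO\\svc-sysmon</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for policy in ("default", "v2.0"):
        parsed = parse_sysmon_evid4(SAMPLE_EVENT, policy)
        print(policy, parsed, classify(parsed, policy))
```

Running it on the sample shows the policy difference directly: the Default policy yields <version>, <domain> and <login> but no <result>, while v2.0 yields <result> from Keywords and drops the other three; both populate <action> and <tag1> from State, which is what selects the Started or Stopped sub-rule.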