
EVID 4662 : Object Access (Part 3) (XML - Security)

Event Details

Event Type: Audit Directory Service Access
Event Description: 4662(S, F) : An operation was performed on an object.
Event ID: 4662
Vendor Documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | <vendorinfo>, <subject> | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| SubjectUserSid | N/A | N/A |
| SubjectUserName | <login> | <login> |
| SubjectDomainName | <domain> | <domainorigin> |
| SubjectLogonId | <session> | <session> |
| ObjectServer | N/A | <object> |
| ObjectType | N/A | <objecttype> |
| ObjectName | <objectname> | <objectname> |
| OperationType | <tag2> | N/A |
| HandleId | <object> | N/A |
| AccessList | <command>, <tag2> | N/A |
| AccessMask | <status> | <status> |
| Properties | N/A | <subject> |
| AdditionalInfo | N/A | N/A |
| AdditionalInfo2 | N/A | N/A |
| ObjectValueName | <object> | N/A |
| Process Id | <processid> | N/A |
| Process Name | <process> | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1007793 | Object Access | Base Rule | Object Accessed | Access Success |
| | EVID 4662 : Operation Performed On Object Failed | Sub Rule | Access Object Failure | Access Failure |
| | EVID 4658 : Handle To An Object Closed | Sub Rule | Object Handle Closed | Other Audit Success |
| | EVID 4691 : Indirect Access To An Object Requested | Sub Rule | Object Accessed | Access Success |
| | EVID 4690 : Attempt Made To Duplicate Object Handle | Sub Rule | Handle Duplicated | Information |
| | EVID 4661 : Handle To An Object Was Requested | Sub Rule | Object Handle Requested | Other Audit Success |
| | EVID 4985 : State Of Transaction Changed | Sub Rule | Transaction State Change | Network Traffic |
| | EVID 4685 : State Of Transaction Changed | Sub Rule | Transaction State Change | Network Traffic |
| | EVID 4670 : Permissions On Object Changed | Sub Rule | Policy Modified : Object | Policy |
| | EVID 4663 : Attempt Made To Access Object | Sub Rule | Object Accessed | Access Success |
| | EVID 4662 : Operation Performed On Object | Sub Rule | Command Executed | Access Success |
| | EVID 4660 : Object Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| | EVID 4658 : Handle To An Object Closed | Sub Rule | Object Handle Closed | Other Audit Success |
| | EVID 4657 : Registry Value Modified | Sub Rule | Object Modified | Access Success |
| | EVID 4656 : Object Open Failed | Sub Rule | Access Object Failure | Access Failure |
| | EVID 4656 : Object Opened | Sub Rule | Object Read | Access Success |
| | EVID 4663 : Read Data | Sub Rule | Object Read | Access Success |
| | EVID 4663 : Write Data | Sub Rule | Object Modified | Access Success |
| | EVID 4663 : Append Data | Sub Rule | Object Modified | Access Success |
| | EVID 4663 : Read EA | Sub Rule | Object Read | Access Success |
| | EVID 4663 : Write EA | Sub Rule | Object Modified | Access Success |
| | EVID 4663 : Execute/Traverse | Sub Rule | Access Granted Activity | Access Granted |
| | EVID 4663 : Delete Child | Sub Rule | Object Deleted/Removed | Access Success |
| | EVID 4663 : Read Attributes | Sub Rule | Object Read | Access Success |
| | EVID 4663 : Write Attributes | Sub Rule | Object Modified | Access Success |
| | EVID 4663 : DELETE | Sub Rule | Object Deleted/Removed | Access Success |
| | EVID 4663 : READ_CONTROL | Sub Rule | Object Read | Access Success |
| | EVID 4663 : WRITE_DAC | Sub Rule | Object Modified | Access Success |
| | EVID 4663 : WRITE_OWNER | Sub Rule | Object Modified | Access Success |
| | EVID 4663 : SYNCHRONIZE | Sub Rule | Object Modified | Access Success |
| | EVID 4663 : ACCESS_SYS_SEC | Sub Rule | Object Modified | Access Success |
| | EVID 4657 : Registry Value Created | Sub Rule | Object Created | Access Success |
| | EVID 4657 : Registry Value Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| | EVID 4657: Registry Value Modified | Sub Rule | Object Modified | Access Success |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011141 | V 2.0 : EVID 4662 : Operation Performed On AD Object | Base Rule | Object Accessed | Access Success |