Event Details
|
Event Type |
Audit Directory Service Access |
|---|---|
|
Event Description |
4662(S, F) : An operation was performed on an object. |
|
Event ID |
4662 |
|
Vendor Documentation |
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|
|---|---|---|---|
|
Provider |
N/A |
N/A |
|
|
EventID |
<vmid> |
<vmid> |
|
|
Version |
N/A |
N/A |
|
|
Level |
<severity> |
<severity> |
|
|
Task |
<vendorinfo>, <subject> |
<vendorinfo> |
|
|
Opcode |
N/A |
N/A |
|
|
Keywords |
<tag1> |
<result> |
|
|
TimeCreated |
N/A |
N/A |
|
|
EventRecordID |
N/A |
N/A |
|
|
Correlation |
N/A |
N/A |
|
|
Execution |
N/A |
N/A |
|
|
Channel |
N/A |
N/A |
|
|
Computer |
<dname> |
<dname> |
|
|
SubjectUserSid |
N/A |
N/A |
|
|
SubjectUserName |
<login> |
<login> |
|
|
SubjectDomainName |
<domain> |
<domainorigin> |
|
|
SubjectLogonId |
<session> |
<session> |
|
|
ObjectServer |
N/A |
<object> |
|
|
ObjectType |
N/A |
<objecttype> |
|
|
ObjectName |
<objectname> |
<objectname> |
|
|
OperationType |
<tag2> |
N/A |
|
|
HandleId |
<object> |
N/A |
|
|
AccessList |
<command>, <tag2> |
N/A |
|
|
AccessMask |
<status> |
<status> |
|
|
Properties |
N/A |
<subject> |
|
|
AdditionalInfo |
N/A |
N/A |
|
|
AdditionalInfo2 |
N/A |
N/A |
|
|
ObjectValueName |
<object> |
N/A |
|
|
Process Id |
<processid> |
N/A |
|
|
Process Name |
<process> |
N/A |
|
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1007793 |
Object Access |
Base Rule |
Object Accessed |
Access Success |
|
EVID 4662 : Operation Performed On Object Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 4658 : Handle To An Object Closed |
Sub Rule |
Object Handle Closed |
Other Audit Success |
|
|
EVID 4691 : Indirect Access To An Object Requested |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4690 : Attempt Made To Duplicate Object Handle |
Sub Rule |
Handle Duplicated |
Information |
|
|
EVID 4661 : Handle To An Object Was Requested |
Sub Rule |
Object Handle Requested |
Other Audit Success |
|
|
EVID 4985 : State Of Transaction Changed |
Sub Rule |
Transaction State Change |
Network Traffic |
|
|
EVID 4685 : State Of Transaction Changed |
Sub Rule |
Transaction State Change |
Network Traffic |
|
|
EVID 4670 : Permissions On Object Changed |
Sub Rule |
Policy Modified : Object |
Policy |
|
|
EVID 4663 : Attempt Made To Access Object |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4662 : Operation Performed On Object |
Sub Rule |
Command Executed |
Access Success |
|
|
EVID 4660 : Object Deleted |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 4658 : Handle To An Object Closed |
Sub Rule |
Object Handle Closed |
Other Audit Success |
|
|
EVID 4657 : Registry Value Modified |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4656 : Object Open Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 4656 : Object Opened |
Sub Rule |
Object Read |
Access Success |
|
|
EVID 4663 : Read Data |
Sub Rule |
Object Read |
Access Success |
|
|
EVID 4663 : Write Data |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4663 : Append Data |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4663 : Read EA |
Sub Rule |
Object Read |
Access Success |
|
|
EVID 4663 : Write EA |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4663 : Execute/Traverse |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
EVID 4663 : Delete Child |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 4663 : Read Attributes |
Sub Rule |
Object Read |
Access Success |
|
|
EVID 4663 : Write Attributes |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4663 : DELETE |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 4663 : READ_CONTROL |
Sub Rule |
Object Read |
Access Success |
|
|
EVID 4663 : WRITE_DAC |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4663 : WRITE_OWNER |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4663 : SYNCHRONIZE |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4663 : ACCESS_SYS_SEC |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 4657 : Registry Value Created |
Sub Rule |
Object Created |
Access Success |
|
|
EVID 4657 : Registry Value Deleted |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 4657: Registry Value Modified |
Sub Rule |
Object Modified |
Access Success |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1011141 |
V 2.0 : EVID 4662 : Operation Performed On AD Object |
Base Rule |
Object Accessed |
Access Success |