Event Details
|
Event Type |
Audit Sensitive Privilege Use |
|---|---|
|
Event Description |
|
|
Event IDs |
4673, 4674 |
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|
|---|---|---|---|
|
Provider |
N/A |
N/A |
|
|
EventID |
<vmid> |
<vmid> |
|
|
Version |
N/A |
N/A |
|
|
Level |
<severity> |
<severity> |
|
|
Task |
<tag1> |
<vendorinfo> |
|
|
Opcode |
N/A |
N/A |
|
|
Keywords |
N/A |
<result>, <tag1> |
|
|
TimeCreated |
N/A |
N/A |
|
|
EventRecordID |
N/A |
N/A |
|
|
Correlation |
N/A |
N/A |
|
|
Execution |
N/A |
N/A |
|
|
Channel |
N/A |
N/A |
|
|
Computer |
<dname> |
<dname> |
|
|
EventData |
<vendorinfo>, <tag4> |
N/A |
|
|
SubjectUserSid |
N/A |
N/A |
|
|
SubjectUserName |
N/A |
<login> |
|
|
SubjectDomainName |
N/A |
<domainorigin> |
|
|
SubjectLogonId |
N/A |
<session> |
|
|
ObjectServer |
N/A |
N/A |
|
|
Account Name |
<login>, <tag2> |
N/A |
|
|
Account Domain |
<domain> |
N/A |
|
|
LogonID |
<session> |
N/A |
|
|
Service |
N/A |
<objectname> |
|
|
ObjectType |
<tag3> |
<objecttype> |
|
|
ObjectName |
<object> |
<objectname> |
|
|
HandleId |
N/A |
N/A |
|
|
AccessMask |
N/A |
N/A |
|
|
PrivilegeList |
N/A |
<subject> |
|
|
ProcessId |
<processid> |
<processid> |
|
|
ProcessName |
<process> |
<process> |
|
|
HandleId |
N/A |
<object> |
|
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1000622 |
EVID 1102, 4673, 4674 : Privileged Object Access |
Base Rule |
Object Accessed |
Access Success |
|
EVID 4673 : Fail Priv Svc Call |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 1102 : Audit Log Cleared |
Sub Rule |
Log Cleared |
Access Success |
|
|
EVID 4673 : Priv Svc Call |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4674 : Fail Priv Object Operation |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 4674 : Privileged Object Operation |
Sub Rule |
Object Accessed |
Access Success |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|
1011151 |
V 2.0 : Privilege Use Events |
Base Rule |
Object Access Attempt |
Other Audit |
|
V 2.0 : EVID 4673 : Privilege Service Call Succeed |
Sub Rule |
Object Accessed |
Access Success |
|
|
V 2.0 : EVID 4673 : Privilege Service Call Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4674 : Oper On Privileged Obj Succeed |
Sub Rule |
Object Accessed |
Access Success |
|
|
V 2.0 : EVID 4674 : Oper On Privileged Obj Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4673 : Privilege Service Call Succeed |
Sub Rule |
Object Accessed |
Access Success |
|
|
V 2.0 : EVID 4673 : Privilege Service Call Succeed |
Sub Rule |
Object Accessed |
Access Success |
|
|
V 2.0 : EVID 4673 : Privilege Service Call Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4673 : Privilege Service Call Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4674 : Oper On Privileged Obj Succeed |
Sub Rule |
Object Accessed |
Access Success |
|
|
V 2.0 : EVID 4674 : Oper On Privileged Obj Succeed |
Sub Rule |
Object Accessed |
Access Success |
|
|
V 2.0 : EVID 4674 : Oper On Privileged Obj Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4674 : Oper On Privileged Obj Succeed |
Sub Rule |
Object Accessed |
Access Success |