EVID 4675...4933 : Microsoft Windows Security Auditing (XML - Security)

Event Details

Event Type

Audit Directory Service Replication, Audit Detailed Directory Service Replication, Audit Logon

Event Description

  • 4675(S) : SIDs were filtered.

  • 4928(S, F) : An Active Directory replica source naming context was established.

  • 4931(S, F) : An Active Directory replica destination naming context was modified.

  • 4932(S) : Synchronization of a replica of an Active Directory naming context has begun.

  • 4933(S, F) : Synchronization of a replica of an Active Directory naming context has ended.

Event IDs

4675, 4928, 4931, 4932, 4933

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | <vendorinfo> | N/A |
| EventID | <vmid> | <vmid> |
| Version | <version> | N/A |
| Level | <severity> | <severity> |
| Task | <process> | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <result>, <tag1> | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| DestinationDRA | N/A | N/A |
| SourceDRA | <sname> | N/A |
| NamingContext | N/A | N/A |
| Options | N/A | N/A |
| SessionID | <session> | <session> |
| StartUSN | N/A | N/A |
| StatusCode | <status> | <responsecode>, <tag1> |
| ProcessId | <processid> | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010539 | Microsoft Windows Security Auditing | Base Rule | Group Membership Information | Information |
| | Security Audit : Success | Sub Rule | Windows Audit Success Event | Other Audit Success |
| | Security Audit : Failure | Sub Rule | Windows Audit Failure Event | Other Audit Failure |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011140 | V 2.0 : Active Directory Replica Context Events | Base Rule | General Replication Information | Information |
| | V 2.0 : EVID 4928 : AD Replica Source Naming Conte | Sub Rule | Configuration Loaded : Directory Services | Configuration |
| | V 2.0 : EVID 4928 : Failed AD Replica Context Cr | Sub Rule | Failed Configuration | Other Audit Failure |
| | V 2.0 : EVID 4929 : AD Replica Source Naming CntRe | Sub Rule | Configuration Deleted : Directory Services | Configuration |
| | V 2.0 : EVID 4929 : Failed AD Replica Context Dlt | Sub Rule | Failed Configuration | Other Audit Failure |
| | V 2.0 : EVID 4930 : AD Replica Source Naming Conte | Sub Rule | Configuration Modified : Directory Services | Configuration |
| | V 2.0 : EVID 4930 : Failed AD Replica Context Modi | Sub Rule | Failed Configuration | Other Audit Failure |
| | V 2.0 : EVID 4931 : AD Replica Destination Naming | Sub Rule | Configuration Modified : Directory Services | Configuration |
| | V 2.0 : EVID 4931 : Failed AD Replica Context Modi | Sub Rule | Failed Configuration | Other Audit Failure |
| | V 2.0 : EVID 4932 : AD Naming Context SynchroBegun | Sub Rule | General Active Directory Replication | Information |
| | V 2.0 : EVID 4933 : AD Naming Context Sync Complete | Sub Rule | Replication Successful | Information |
| | V 2.0 : EVID 4933 : AD Naming Context Sync Failed | Sub Rule | Replication Failure | Error |
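The two tables above (the field-to-metadata mapping and the base/sub-rule selection) can be exercised together on a single event. The following is an added example written for this page, not LogRhythm's own parser: it reads a Windows Security Auditing event in its XML form, flattens the System and EventData fields, applies the column for the chosen policy, and picks the sub-rule. The sample 4933 event is constructed (its Task, USN, session and status values are placeholders), the flattening of attribute-valued System elements as "Element.Attribute" is a convention chosen here, and deciding success versus failure from the Audit Success / Audit Failure keyword bits is an assumption about how the sub-rules are applied.

```python
"""Map a Windows Security Auditing event (XML) onto the LogRhythm metadata
fields from the table on this page and select the matching rule.
Example code written for this page; it is not LogRhythm's parser."""

import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Security channel keyword values: 0x8020000000000000 = Audit Success,
# 0x8010000000000000 = Audit Failure. Only the distinguishing bit is tested.
AUDIT_SUCCESS_BIT = 0x0020000000000000
AUDIT_FAILURE_BIT = 0x0010000000000000

# Field table, one dict per policy: raw field -> LogRhythm metadata names.
# Fields the table lists as N/A are absent. Attribute-valued <System> elements
# are flattened as "Element.Attribute" (convention chosen for this example).
FIELD_MAP = {
    "LogRhythm Default": {
        "Provider.Name": ["vendorinfo"], "EventID": ["vmid"], "Version": ["version"],
        "Level": ["severity"], "Task": ["process"], "Keywords": ["result", "tag1"],
        "Computer": ["dname"], "SourceDRA": ["sname"], "SessionID": ["session"],
        "StatusCode": ["status"], "Execution.ProcessID": ["processid"],
    },
    "LogRhythm Default v2.0": {
        "EventID": ["vmid"], "Level": ["severity"], "Task": ["vendorinfo"],
        "Keywords": ["result"], "Computer": ["dname"], "SessionID": ["session"],
        "StatusCode": ["responsecode", "tag1"],
    },
}

# v2.0 sub-rules from the processing table, keyed by (EventID, audit succeeded).
V2_SUB_RULES = {
    (4928, True): ("Configuration Loaded : Directory Services", "Configuration"),
    (4928, False): ("Failed Configuration", "Other Audit Failure"),
    (4929, True): ("Configuration Deleted : Directory Services", "Configuration"),
    (4929, False): ("Failed Configuration", "Other Audit Failure"),
    (4930, True): ("Configuration Modified : Directory Services", "Configuration"),
    (4930, False): ("Failed Configuration", "Other Audit Failure"),
    (4931, True): ("Configuration Modified : Directory Services", "Configuration"),
    (4931, False): ("Failed Configuration", "Other Audit Failure"),
    (4932, True): ("General Active Directory Replication", "Information"),
    (4933, True): ("Replication Successful", "Information"),
    (4933, False): ("Replication Failure", "Error"),
}

# Constructed sample: a failed 4933 as the Security channel renders it in XML.
SAMPLE_4933 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4933</EventID><Version>0</Version><Level>0</Level>
    <Task>14083</Task><Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000000000Z"/>
    <EventRecordID>12345</EventRecordID><Correlation/>
    <Execution ProcessID="640" ThreadID="1234"/>
    <Channel>Security</Channel><Computer>DC01.example.local</Computer><Security/>
  </System>
  <EventData>
    <Data Name="DestinationDRA">DC01</Data><Data Name="SourceDRA">DC02</Data>
    <Data Name="NamingContext">DC=example,DC=local</Data><Data Name="Options">16</Data>
    <Data Name="SessionID">10</Data><Data Name="EndUSN">5000</Data>
    <Data Name="StatusCode">8524</Data>
  </EventData>
</Event>"""


def extract_fields(xml_text):
    """Flatten <System> children and <EventData><Data Name=...> into one dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]          # strip the namespace
        if child.text and child.text.strip():
            fields[tag] = child.text.strip()
        for attr, value in child.attrib.items():  # e.g. Provider.Name
            fields[f"{tag}.{attr}"] = value
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def audit_succeeded(keywords_hex):
    """True for Audit Success, False for Audit Failure, error otherwise."""
    keywords = int(keywords_hex, 16)
    if keywords & AUDIT_SUCCESS_BIT:
        return True
    if keywords & AUDIT_FAILURE_BIT:
        return False
    raise ValueError(f"not a Security audit keyword: {keywords_hex}")


def to_logrhythm(xml_text, policy="LogRhythm Default v2.0"):
    """Return metadata plus the rule the event would land on under `policy`."""
    fields = extract_fields(xml_text)
    meta = {lr: fields[raw] for raw, names in FIELD_MAP[policy].items()
            if raw in fields for lr in names}
    event_id, ok = int(fields["EventID"]), audit_succeeded(fields["Keywords"])
    if policy == "LogRhythm Default v2.0":
        regex_id, base = 1011140, "V 2.0 : Active Directory Replica Context Events"
        if (event_id, ok) not in V2_SUB_RULES:
            raise ValueError(f"no v2.0 sub-rule for EVID {event_id}, success={ok}")
        common, cls = V2_SUB_RULES[(event_id, ok)]
    else:  # LogRhythm Default: one success and one failure sub-rule for everything
        regex_id, base = 1010539, "Microsoft Windows Security Auditing"
        common, cls = (("Windows Audit Success Event", "Other Audit Success") if ok
                       else ("Windows Audit Failure Event", "Other Audit Failure"))
    return {"regex_id": regex_id, "base_rule": base, "common_event": common,
            "classification": cls, "metadata": meta}


if __name__ == "__main__":
    for policy in FIELD_MAP:
        print(policy, to_logrhythm(SAMPLE_4933, policy))
```

Running it on the sample shows the practical difference between the policies: under LogRhythm Default the failed 4933 only reaches the generic "Windows Audit Failure Event" sub-rule (with SourceDRA kept as <sname>), while under v2.0 it lands on "Replication Failure" with classification Error and the DS status code carried in <responsecode> and <tag1>, which is what a replication-failure alarm would key on.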