Breadcrumbs

EVID 4675 : SIDs Were Filtered

Event Details

Event Type

SIDs Were Filtered

Event Description

4675(S) : SIDs Were Filtered.

Event ID

4675

Vendor Documentation

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field

LogRhythm Default

LogRhythm Default v2.0

Provider

<vendorinfo>

N/A

EventID

<vmid>

<vmid>

Version

<version>

N/A

Level

<severity>

<severity>

Task

<process>

<vendorinfo>

Opcode

N/A

N/A

Keywords

<result>, <tag1>

<result>

TimeCreated

N/A

N/A

EventRecordID

N/A

N/A

Correlation

N/A

N/A

Execution

N/A

N/A

Processid

<processid>

N/A

CN

<sname>

N/A

Sessionid

<session>

N/A

status code

<status>

N/A

Channel

N/A

N/A

Computer

 <dname>

<dname>

TargetUserSid

N/A

<domainorigin>, <login>

TargetUserName

N/A

N/A

TargetDomainName

N/A

N/A

TdoDirection

N/A

N/A

TdoAttributes

N/A

N/A

TdoType

N/A

N/A

TdoSid

N/A

N/A

SidList

N/A

N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID

Rule Name

Rule Type

Common Event

Classification

1010539

Microsoft Windows Security Auditing

Base Rule

Group Membership Information

Information

Security Audit : Success

Sub Rule

Windows Audit Success Event

Other Audit Success

Security Audit : Failure

Sub Rule

Windows Audit Failure Event

Other Audit Failure

LogRhythm Default v2.0

Regex ID

Rule Name

Rule Type

Common Event

Classification
1012324

V 2.0 : EVID 4675 : SIDs Were Filtered

Base Rule

SIDs Filtered

Other Audit