Event Details
Event Type | Audit Authentication Policy Change |
---|
Event Description | |
---|
Event IDs | 4717, 4718 |
---|
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|
Provider | N/A | N/A |
EventID | <vmid> | <vmid> |
Version | N/A | N/A |
Level | <severity> | <severity> |
Task | N/A | <vendorinfo> |
Opcode | N/A | N/A |
Keywords | <tag1> | <result> |
TimeCreated | N/A | N/A |
EventRecordID | N/A | N/A |
Correlation | N/A | N/A |
Execution | N/A | N/A |
Channel | N/A | N/A |
Computer | <dname> | <dname> |
SubjectUserSid | N/A | N/A |
SubjectUserName | <login>, <tag2> | <login> |
SubjectDomainName | <domain> | <domainorigin> |
SubjectLogonId | <session> | <session> |
TargetSid | N/A | N/A |
AccessGranted | <object> | N/A |
Eventdata | <vendorinfo> | N/A |
Account Name | <account> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|
1000638 | EVID 4717, 4718 : System Security Policy | Base Rule | Policy Modified : System | Policy |
EVID 4717 : System Security Granted To Account | Sub Rule | Policy Enabled : Auditing | Policy |
EVID 4718 : System Security Access Removed | Sub Rule | Policy Enabled : Auditing | Policy |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|
1011105 | V 2.0 : System Security Access Modification | Base Rule | Privilege Modified | Other Audit |
V 2.0 : EVID 4717 : System Security Access Granted | Sub Rule | Privilege Granted | Access Granted |
V 2.0 : EVID 4718 : System Security Access Removed | Sub Rule | Privilege Revoked | Access Revoked |