EVID 4717, 4718 : System Security Policy (Security)
Event Details
Event Type
Audit Authentication Policy Change
Event Description
4717(S) : System security access was granted to an account.
4718(S) : System security access was removed from an account.
Event IDs
4717, 4718
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| SubjectUserSid | N/A | N/A |
| SubjectUserName | <login>, <tag2> | <login> |
| SubjectDomainName | <domain> | <domainorigin> |
| SubjectLogonId | <session> | <session> |
| TargetSid | N/A | N/A |
| AccessGranted | <object> | N/A |
| Eventdata | <vendorinfo> | N/A |
| Account Name | <account> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1000638 | EVID 4717, 4718 : System Security Policy | Base Rule | Policy Modified : System | Policy |
| | EVID 4717 : System Security Granted To Account | Sub Rule | Policy Enabled : Auditing | Policy |
| | EVID 4718 : System Security Access Removed | Sub Rule | Policy Enabled : Auditing | Policy |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011105 | V 2.0 : System Security Access Modification | Base Rule | Privilege Modified | Other Audit |
| | V 2.0 : EVID 4717 : System Security Access Granted | Sub Rule | Privilege Granted | Access Granted |
| | V 2.0 : EVID 4718 : System Security Access Removed | Sub Rule | Privilege Revoked | Access Revoked |