4799(S) : A security-enabled local group membership was enumerated.
Event IDs
4731, 4732, 4733, 4734, 4735, 4764, 4799
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | <processid> | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| GroupTypeChange | N/A | <action> |
| MemberName | N/A | <account> |
| MemberSid | <account> | N/A |
| TargetUserName | <group> | <group> |
| TargetDomainName | <domain> | <domainimpacted> |
| TargetSid | N/A | N/A |
| SubjectUserSid | N/A | N/A |
| SubjectUserName | <login>, <tag2> | <login> |
| SubjectDomainName | N/A | <domainorigin> |
| SubjectLogonId | <session> | <session> |
| PrivilegeList | N/A | N/A |
| CallerProcessId | N/A | <processid> |
| CallerProcessName | N/A | <process> |
| EventData | <vendorinfo> | N/A |
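The table names the event fields that feed each LogRhythm metadata field, but not where those fields sit inside a Windows Security event, which is split between the <System> block (EventID, Level, Task, Keywords, Computer) and the <EventData> block (TargetUserName, SubjectLogonId, CallerProcessName and so on). The following added example, which is not LogRhythm code, flattens an event's XML into one field dictionary, applies the v2.0 column of the table, and assigns the Common Event and Classification the v2.0 sub-rules give the event IDs listed at the top of this page. The sample event, the function names and the `SAMPLE_4799` constant are constructed for the example.

```python
"""Normalise a Windows Security event (Event XML) onto the LogRhythm
Default v2.0 metadata fields from the table above, then classify it the
way the v2.0 sub-rules do.  Added example, not LogRhythm code; the
sample event below is constructed, not captured from a real host."""
import xml.etree.ElementTree as ET

# Namespace used by Windows Event XML (Event Viewer "XML View").
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Every table row that has a v2.0 value: event field -> v2.0 metadata field.
# Rows marked N/A in the v2.0 column are deliberately absent.
V2_FIELD_MAP = {
    "EventID": "vmid",
    "Level": "severity",
    "Task": "vendorinfo",
    "Keywords": "result",
    "Computer": "dname",
    "GroupTypeChange": "action",
    "MemberName": "account",
    "TargetUserName": "group",
    "TargetDomainName": "domainimpacted",
    "SubjectUserName": "login",
    "SubjectDomainName": "domainorigin",
    "SubjectLogonId": "session",
    "CallerProcessId": "processid",
    "CallerProcessName": "process",
}

# Common Event / Classification from the v2.0 sub-rules, limited to the
# event IDs this page lists (4731, 4732, 4733, 4734, 4735, 4764, 4799).
V2_SUB_RULES = {
    "4731": ("Group Created", "Account Created"),
    "4732": ("Account Added To Group", "Access Granted"),
    "4733": ("Account Removed From Group", "Access Revoked"),
    "4734": ("Group Deleted", "Account Deleted"),
    "4735": ("Group Attribute Modified", "Account Modified"),
    "4764": ("Group Attribute Modified", "Account Modified"),
    "4799": ("Object Read", "Access Success"),
}
# The base rule's values apply when no sub-rule matches the event ID.
V2_BASE_RULE = ("Group Information", "Information")


def raw_fields(xml_text):
    """Flatten <System> children and <EventData><Data Name=...> into one dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for child in root.find("e:System", NS):
        local_name = child.tag.split("}", 1)[1]  # strip the XML namespace
        fields[local_name] = (child.text or "").strip()
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def to_v2_metadata(xml_text):
    """Return {v2.0 field: value}; event fields the event lacks are skipped."""
    fields = raw_fields(xml_text)
    return {v2: fields[ev] for ev, v2 in V2_FIELD_MAP.items() if ev in fields}


def classify_v2(metadata):
    """Pick the sub-rule by event ID (vmid), falling back to the base rule."""
    return V2_SUB_RULES.get(metadata.get("vmid"), V2_BASE_RULE)


# Constructed 4799 event: user jdoe enumerating the local Administrators group.
SAMPLE_4799 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4799</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-01T09:00:00.000000000Z"/>
    <EventRecordID>1001</EventRecordID>
    <Correlation/>
    <Execution ProcessID="620" ThreadID="700"/>
    <Channel>Security</Channel>
    <Computer>WS01.example.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="CallerProcessId">0x1a2c</Data>
    <Data Name="CallerProcessName">C:\\Windows\\System32\\net1.exe</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    meta = to_v2_metadata(SAMPLE_4799)
    for key, value in meta.items():
        print(f"{key:>16}: {value}")
    print("common event / classification:", classify_v2(meta))
```

Note that for a 4799 event the v2.0 mapping leaves <account> and <action> empty: MemberName and GroupTypeChange only appear in membership-change and group-type-change events, so an analytics rule that keys on <account> will not fire on enumeration events and should use <group>, <login> and <process> instead.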
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1000635 | Group Member Added/Removed | Base Rule | Account Added To Group | Access Granted |
| | EVID 4728 : User Added Glbl Security Grp | Sub Rule | Account Added To Group | Access Granted |
| | EVID 4729 : User Removed From Global Sec Grp | Sub Rule | Account Removed From Group | Access Revoked |
| | EVID 4732 : User Added To Local Sec Grp | Sub Rule | Account Added To Group | Access Granted |
| | EVID 4733 : User Removed From Local Sec Grp | Sub Rule | Account Removed From Group | Access Revoked |
| | EVID 4746 : User Added To Local Dstr Grp | Sub Rule | Account Added To Group | Access Granted |
| | EVID 4747 : User Removed From Local Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked |
| | EVID 4751 : User Added To Global Dstr Grp | Sub Rule | Account Added To Group | Access Granted |
| | EVID 4761 : User Added To Universal Dstr Grp | Sub Rule | Account Added To Group | Access Granted |
| | EVID 4752 : User Removed From Global Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked |
| | EVID 4756 : User Added To Univ Sec Grp | Sub Rule | Account Added To Group | Access Granted |
| | EVID 4757 : User Removed From Univ Sec Grp | Sub Rule | Account Removed From Group | Access Revoked |
| | EVID 4762 : User Removed From Univ Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked |
LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1011139 | V 2.0 : Group Management Events | Base Rule | Group Information | Information |
| | V 2.0 : EVID 4727 : Sec-Enable Global Group Create | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4728 : Memb Add To Sec-Enable Global | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4729 : Memb Remove From Sec-Enabled | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4730 : Sec-Enable Global Group Delete | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4731 : Sec-Enabled Local Group Create | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4732 : Memb Add To Sec-Enable Local | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4733 : Memb Remove From Sec-Enabled | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4734 : Sec-Enable Local Group Delete | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4735 : Sec-Enable Local Group Modifi | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4737 : Sec-Enable Global Group Modifi | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4744 : Sec-Disable Local Group Create | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4745 : Sec-Disable Local Group Modifi | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4746 : Memb Add To Sec-Disable Local | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4747 : Memb Remove From Sec-Disable | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4748 : Sec-Disable Local Group Delete | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4749 : Sec-Disabl Global Group Create | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4750 : Sec-Disable Global Group Modif | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4751 : Memb Add To Sec-Disable Global | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4752 : Memb Remove From Sec-Disabled | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4753 : Sec-Disable Global Group Delet | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4754 : Sec-Enabled Univ Group Create | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4755 : Sec-Enable Univer Group Modifi | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4756 : Memb Add To Sec-Enable Univer | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4757 : Memb Remove From Sec-Enabled | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4758 : Sec-Enable Global Unive Delete | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4759 : Sec-Disable Unive Group Create | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4760 : Sec-Disable Unive Group Modifi | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4761 : Memb Add To Sec-Disable Univer | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4762 : Memb Remove From Sec-Disable | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4763 : Sec-Disable Global Univ Delete | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4764 : Group Type Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4799 : Sec-Enable Local Group Members | Sub Rule | Object Read | Access Success |