Skip to main content
Skip table of contents

EVID 4728...4762 : Group Member Added/Removed (Security)

Event Details

Event TypeAudit Security Group Management
Event Description

  • 4731(S) : A security-enabled local group was created.

  • 4732(S) : A member was added to a security-enabled local group.

  • 4733(S) : A member was removed from a security-enabled local group.

  • 4734(S) : A security-enabled local group was deleted.

  • 4735(S) : A security-enabled local group was changed.

  • 4764(S) : A group’s type was changed.

  • 4799(S) : A security-enabled local group membership was enumerated.

Event IDs4731, 4732, 4733, 4734, 4735, 4764, 4799

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log FieldLogRhythm DefaultLogRhythm Default v2.0
ProviderN/AN/A
EventID<vmid><vmid>
VersionN/AN/A
Level<severity><severity>
TaskN/A<vendorinfo>
OpcodeN/AN/A
Keywords<tag1><result>
TimeCreatedN/AN/A
EventRecordIDN/AN/A
CorrelationN/AN/A
Execution<processid>N/A
ChannelN/AN/A
Computer<dname><dname>
GroupTypeChangeN/A<action>
MemberNameN/A<account>
MemberSid<account>N/A
TargetUserName<group><group>
TargetDomainName<domain><domainimpacted>
TargetSidN/AN/A
SubjectUserSidN/AN/A
SubjectUserName<login>, <tag2><login>
SubjectDomainNameN/A<domainorigin>
SubjectLogonId<session><session>
PrivilegeListN/AN/A
CallerProcessIdN/A<processid>
CallerProcessNameN/A<process>
EventData<vendorinfo>N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex IDRule NameRule TypeCommon EventClassification
1000635Group Member Added/RemovedBase RuleAccount Added To GroupAccess Granted
EVID 4728 : User Added Glbl Security GrpSub RuleAccount Added To GroupAccess Granted
EVID 4729 : User Removed From Global Sec GrpSub RuleAccount Removed From GroupAccess Revoked
EVID 4732 : User Added To Local Sec GrpSub RuleAccount Added To GroupAccess Granted
EVID 4733 : User Removed From Local Sec GrpSub RuleAccount Removed From GroupAccess Revoked
EVID 4746 : User Added To Local Dstr GrpSub RuleAccount Added To GroupAccess Granted
EVID 4747 : User Removed From Local Dstr GrpSub RuleAccount Removed From GroupAccess Revoked
EVID 4751 : User Added To Global Dstr GrpSub RuleAccount Added To GroupAccess Granted
EVID 4761 : User Added To Universal Dstr GrpSub RuleAccount Added To GroupAccess Granted
EVID 4752 : User Removed From Global Dstr GrpSub RuleAccount Removed From GroupAccess Revoked
EVID 4756 : User Added To Univ Sec GrpSub RuleAccount Added To GroupAccess Granted
EVID 4757 : User Removed From Univ Sec GrpSub RuleAccount Removed From GroupAccess Revoked
EVID 4762 : User Removed From Univ Dstr GrpSub RuleAccount Removed From GroupAccess Revoked

LogRhythm Default v2.0

Regex IDRule NameRule TypeCommon EventClassification
1011139V 2.0 : Group Management EventsBase RuleGroup InformationInformation
V 2.0 : EVID 4727 : Sec-Enable Global Group CreateSub RuleGroup CreatedAccount Created
V 2.0 : EVID 4728 : Memb Add To Sec-Enable GlobalSub RuleAccount Added To GroupAccess Granted
V 2.0 : EVID 4729 : Memb Remove From Sec-EnabledSub RuleAccount Removed From GroupAccess Revoked
V 2.0 : EVID 4730 : Sec-Enable Global Group DeleteSub RuleGroup DeletedAccount Deleted
V 2.0 : EVID 4731 : Sec-Enabled Local Group CreateSub RuleGroup CreatedAccount Created
V 2.0 : EVID 4732 : Memb Add To Sec-Enable LocalSub RuleAccount Added To GroupAccess Granted
V 2.0 : EVID 4733 : Memb Remove From Sec-EnabledSub RuleAccount Removed From GroupAccess Revoked
V 2.0 : EVID 4734 : Sec-Enable Local Group DeleteSub RuleGroup DeletedAccount Deleted
V 2.0 : EVID 4735 : Sec-Enable Local Group ModifiSub RuleGroup Attribute ModifiedAccount Modified
V 2.0 : EVID 4737 : Sec-Enable Global Group ModifiSub RuleGroup Attribute ModifiedAccount Modified
V 2.0 : EVID 4744 : Sec-Disable Local Group CreateSub RuleGroup CreatedAccount Created
V 2.0 : EVID 4745 : Sec-Disable Local Group ModifiSub RuleGroup Attribute ModifiedAccount Modified
V 2.0 : EVID 4746 : Memb Add To Sec-Disable LocalSub RuleAccount Added To GroupAccess Granted
V 2.0 : EVID 4747 : Memb Remove From Sec-DisableSub RuleAccount Removed From GroupAccess Revoked
V 2.0 : EVID 4748 : Sec-Disable Local Group DeleteSub RuleGroup DeletedAccount Deleted
V 2.0 : EVID 4749 : Sec-Disabl Global Group CreateSub RuleGroup CreatedAccount Created
V 2.0 : EVID 4750 : Sec-Disable Global Group ModifSub RuleGroup Attribute ModifiedAccount Modified
V 2.0 : EVID 4751 : Memb Add To Sec-Disable GlobalSub RuleAccount Added To GroupAccess Granted
V 2.0 : EVID 4752 : Memb Remove From Sec-DisabledSub RuleAccount Removed From GroupAccess Revoked
V 2.0 : EVID 4753 : Sec-Disable Global Group DeletSub RuleGroup DeletedAccount Deleted
V 2.0 : EVID 4754 : Sec-Enabled Univ Group CreateSub RuleGroup CreatedAccount Created
V 2.0 : EVID 4755 : Sec-Enable Univer Group ModifiSub RuleGroup Attribute ModifiedAccount Modified
V 2.0 : EVID 4756 : Memb Add To Sec-Enable UniverSub RuleAccount Added To GroupAccess Granted
V 2.0 : EVID 4757 : Memb Remove From Sec-EnabledSub RuleAccount Removed From GroupAccess Revoked
V 2.0 : EVID 4758 : Sec-Enable Global Unive DeleteSub RuleGroup DeletedAccount Deleted
V 2.0 : EVID 4759 : Sec-Disable Unive Group CreateSub RuleGroup CreatedAccount Created
V 2.0 : EVID 4760 : Sec-Disable Unive Group ModifiSub RuleGroup Attribute ModifiedAccount Modified
V 2.0 : EVID 4761 : Memb Add To Sec-Disable UniverSub RuleAccount Added To GroupAccess Granted
V 2.0 : EVID 4762 : Memb Remove From Sec-DisableSub RuleAccount Removed From GroupAccess Revoked
V 2.0 : EVID 4763 : Sec-Disable Global Univ DeleteSub RuleGroup DeletedAccount Deleted
V 2.0 : EVID 4764 : Group Type ChangedSub RuleGroup Attribute ModifiedAccount Modified
V 2.0 : EVID 4799 : Sec-Enable Local Group MembersSub RuleObject ReadAccess Success



JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close