Event Details
|
Event Type |
Audit MPSSVC Rule-Level Policy Change |
|---|---|
|
Event Description |
|
|
Event IDs |
4946, 4947, 4948 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|
|---|---|---|---|
|
Provider |
N/A |
N/A |
|
|
EventID |
<vmid> |
<vmid> |
|
|
Version |
N/A |
N/A |
|
|
Level |
<severity> |
<severity> |
|
|
Task |
<vendorinfo> |
<vendorinfo> |
|
|
Opcode |
N/A |
N/A |
|
|
Keywords |
<command> |
<result>, <tag1> |
|
|
TimeCreated |
N/A |
N/A |
|
|
EventRecordID |
N/A |
N/A |
|
|
Correlation |
N/A |
N/A |
|
|
Execution |
N/A |
N/A |
|
|
Channel |
N/A |
N/A |
|
|
Computer |
<dname> |
<dname> |
|
|
ProfileChanged |
N/A |
<policy> |
|
|
RuleId |
<objectname> |
<object> |
|
|
RuleName |
<object> |
<objectname> |
|
|
ReasonForRejection |
N/A |
<reason> |
|
|
RuleAttr |
N/A |
<reason> |
|
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1007873 |
EVID 4946 - 4948 : Firewall Rule Add, Mod, Del |
Base Rule |
Configuration Modified : Network Access |
Configuration |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1011124 |
V 2.0 : Windows Filtering Platform Rule Events |
Base Rule |
Configuration Modified : Security |
Configuration |
|
V 2.0 : EVID 4945 : WFP - Rule Listed On Firewall Start |
Sub Rule |
Rule Listed On Firewall Start |
Information |
|
|
V 2.0 : EVID 4946 : WFP - Rule Added |
Sub Rule |
Configuration Loaded : Security |
Configuration |
|
|
V 2.0 : EVID 4947 : WFP - Rule Modified |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 4948 : WFP - Rule Deleted |
Sub Rule |
Configuration Deleted : Security |
Configuration |
|
|
V 2.0 : EVID 4951 : WFP - Rule Ignored |
Sub Rule |
Firewall Rule Not Applied |
Warning |
|
|
V 2.0 : EVID 4952 : WFP - Rule Ignored |
Sub Rule |
Firewall Rule Not Applied |
Warning |
|
|
V 2.0 : EVID 4953 : WFP - Rule Ignored |
Sub Rule |
Firewall Rule Not Applied |
Warning |
|
|
V 2.0 : EVID 4956 : WFP - Active Profile Changed |
Sub Rule |
Configuration Modified : Security |
Configuration |
|
|
V 2.0 : EVID 4957 : WFP - Rule Ignored |
Sub Rule |
Firewall Rule Not Applied |
Warning |
|
|
V 2.0 : EVID 4958 : WFP - Rule Ignored |
Sub Rule |
Firewall Rule Not Applied |
Warning |