Event Details
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
Provider |
N/A |
N/A |
|
EventID |
<vmid> |
<vmid> |
|
Version |
N/A |
N/A |
|
Level |
<severity> |
<severity> |
|
Task |
<vendorinfo> |
<vendorinfo> |
|
Opcode |
N/A |
N/A |
|
Keywords |
<command> |
<result> |
|
TimeCreated |
N/A |
N/A |
|
EventRecordID |
N/A |
N/A |
|
Correlation |
N/A |
N/A |
|
Execution |
N/A |
N/A |
|
Channel |
N/A |
N/A |
|
Computer |
<dname> |
N/A |
|
SubjectUserSid |
N/A |
N/A |
|
SubjectUserName |
<login> |
<login> |
|
SubjectDomainName |
<domain> |
<domainorigin> |
|
FullyQualifiedSubjectUserName |
N/A |
N/A |
|
SubjectMachineSID |
N/A |
N/A |
|
SubjectMachineName |
N/A |
N/A |
|
FullyQualifiedSubjectMachineName |
N/A |
N/A |
|
CalledStationID |
<dmac> |
N/A |
|
CallingStationID |
<smac> |
<sip> <smac> |
|
NASIPv4Address |
N/A |
N/A |
|
NASIPv6Address |
N/A |
N/A |
|
NASIdentifier |
N/A |
N/A |
|
NASPortType |
N/A |
<object> |
|
NASPort |
N/A |
N/A |
|
ClientName |
N/A |
<dname> |
|
ClientIPAddress |
<sip> |
<dip> |
|
ProxyPolicyName |
<object> |
<policy> |
|
NetworkPolicyName |
N/A |
<policy> |
|
AuthenticationProvider |
N/A |
N/A |
|
AuthenticationServer |
<dname> |
N/A |
|
AuthenticationType |
<objectname> |
N/A |
|
EAPType |
N/A |
N/A |
|
AccountSessionIdentifier |
N/A |
N/A |
|
ReasonCode |
<tag1> |
<responsecode> |
|
Reason |
N/A |
<reason> |
|
LoggingResult |
N/A |
<subject> |
|
QuarantineState |
N/A |
<status> |
|
ExtendedQuarantineState |
N/A |
N/A |
|
QuarantineSessionID |
N/A |
<session> |
|
QuarantineHelpURL |
N/A |
<url> |
|
QuarantineSystemHealthResult |
N/A |
<subject> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1007845 |
EVID 6272 - 6274 : Network Policy Server Access |
Base Rule |
General Access Control Message |
Other Audit |
|
EVID 6272 : User Granted Access |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
EVID 6273 : User Access Denied |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 6273 : Authentication Method Not Enabled |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 6274 : Authentication Request Discarded |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 6273 : Exceeded Authentication Attempts |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 6273 : User Account Does Not Exist |
Sub Rule |
User Logon Failure |
Authentication Failure |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1011222 |
V 2.0 : Network Policy Server Events |
Base Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 6272 : NPS - Access Granted To User |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 6273 : NPS - Access Denied To User |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 6274 : NPS - Access Request Discarded |
Sub Rule |
Bad Request |
Warning |
|
|
V 2.0 : EVID 6278 : NPS- Full Access Granted To User |
Sub Rule |
User Logon |
Authentication Success |