EVID 6272 - 6274 : Network Policy Server Access (XML - Security)
Event Details
| Event Type | Network Policy Server Access |
|---|---|
| Event Description | |
| Event IDs | 6272, 6273 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | <vendorinfo> | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <command> | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | N/A |
| SubjectUserSid | N/A | N/A |
| SubjectUserName | <login> | <login> |
| SubjectDomainName | <domain> | <domainorigin> |
| FullyQualifiedSubjectUserName | N/A | N/A |
| SubjectMachineSID | N/A | N/A |
| SubjectMachineName | N/A | N/A |
| FullyQualifiedSubjectMachineName | N/A | N/A |
| CalledStationID | <dmac> | N/A |
| CallingStationID | <smac> | <sip> <smac> |
| NASIPv4Address | N/A | N/A |
| NASIPv6Address | N/A | N/A |
| NASIdentifier | N/A | N/A |
| NASPortType | N/A | <object> |
| NASPort | N/A | N/A |
| ClientName | N/A | <dname> |
| ClientIPAddress | <sip> | <dip> |
| ProxyPolicyName | <object> | <policy> |
| NetworkPolicyName | N/A | <policy> |
| AuthenticationProvider | N/A | N/A |
| AuthenticationServer | <dname> | N/A |
| AuthenticationType | <objectname> | N/A |
| EAPType | N/A | N/A |
| AccountSessionIdentifier | N/A | N/A |
| ReasonCode | <tag1> | <responsecode> |
| Reason | N/A | <reason> |
| LoggingResult | N/A | <subject> |
| QuarantineState | N/A | <status> |
| ExtendedQuarantineState | N/A | N/A |
| QuarantineSessionID | N/A | <session> |
| QuarantineHelpURL | N/A | <url> |
| QuarantineSystemHealthResult | N/A | <subject> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1007845 | EVID 6272 - 6274 : Network Policy Server Access | Base Rule | General Access Control Message | Other Audit |
| EVID 6272 : User Granted Access | Sub Rule | Access Granted Activity | Access Granted | |
| EVID 6273 : User Access Denied | Sub Rule | User Logon Failure | Authentication Failure | |
| EVID 6273 : Authentication Method Not Enabled | Sub Rule | User Logon Failure | Authentication Failure | |
| EVID 6274 : Authentication Request Discarded | Sub Rule | Authentication Failure Activity | Authentication Failure | |
| EVID 6273 : Exceeded Authentication Attempts | Sub Rule | User Logon Failure | Authentication Failure | |
| EVID 6273 : User Account Does Not Exist | Sub Rule | User Logon Failure | Authentication Failure |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011222 | V 2.0 : Network Policy Server Events | Base Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6272 : NPS - Access Granted To User | Sub Rule | User Logon | Authentication Success | |
| V 2.0 : EVID 6273 : NPS - Access Denied To User | Sub Rule | User Logon Failure | Authentication Failure | |
| V 2.0 : EVID 6274 : NPS - Access Request Discarded | Sub Rule | Bad Request | Warning | |
| V 2.0 : EVID 6278 : NPS- Full Access Granted To User | Sub Rule | User Logon | Authentication Success |