EVID 6416, 6419-6424 : Audit PnP Activity (Security)
Event Details
Event Type | Audit PnP Activity |
---|---|
Event Description |
|
Event IDs | 6416 , 6419 , 6420 , 6421 , 6422 , 6423 , 6424 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
Provider | N/A | N/A |
EventID | <vmid> | <vmid> |
Version | N/A | N/A |
Level | <severity> | <severity> |
Task | N/A | <vendorinfo> |
Opcode | N/A | N/A |
Keywords | <command>, <status> | <result> |
TimeCreated | N/A | N/A |
EventRecordID | N/A | N/A |
Correlation | N/A | N/A |
Execution | N/A | N/A |
Channel | N/A | N/A |
Computer | <dname> | <dname> |
SubjectUserSid | N/A | N/A |
SubjectUserName | <login> | <login> |
SubjectDomainName | <domainorigin> | <domainorigin> |
SubjectLogonId | N/A | <session> |
DeviceId | <vendorinfo> | <object> |
DeviceDescription | <object> | <objectname> |
ClassId | N/A | N/A |
ClassName | <objecttype> | <objecttype> |
HardwareIds | N/A | N/A |
CompatibleIds | N/A | N/A |
LocationInformation | <objectname> | N/A |
Devicename | N/A | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1010263 | Audit PnP Activity | Base Rule | Configuration Modified : System | Configuration |
EVID 6416 : New External Device | Sub Rule | Hardware Installed | Information | |
EVID 6419 : Request To Disable Device | Sub Rule | Permission Checked | Other Audit | |
EVID 6420 : Device Disabled | Sub Rule | Configuration Modified : System | Configuration | |
EVID 6421 : Request To Disable Device | Sub Rule | Permission Checked | Other Audit | |
EVID 6422 : Device Enabled | Sub Rule | Configuration Modified : System | Configuration | |
EVID 6423 : Device Install Forbidden | Sub Rule | Add Object Failure | Access Failure | |
EVID 6424 : Install Allowed After Forbidden | Sub Rule | Configuration Modified : System | Configuration |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
1011118 | V 2.0 : Plug And Play Events | Base Rule | General Device Manager Message | Information |
V 2.0 : EVID 6416 : New External Device Recognized | Sub Rule | New Device Found | Information | |
V 2.0 : EVID 6419 : Request Made To Disable Device | Sub Rule | Disabled | Information | |
V 2.0 : EVID 6420 : Device Disabled | Sub Rule | Disabled | Information | |
V 2.0 : EVID 6421 : Request Made To Enable Device | Sub Rule | Enabled | Information | |
V 2.0 : EVID 6422 : Device Enabled | Sub Rule | Enabled | Information | |
V 2.0 : EVID 6423 : Installation Of Device Forbidd | Sub Rule | Install Failed | Error | |
V 2.0 : EVID 6424 : Device Inst After Being Forbid | Sub Rule | Hardware Installed | Information |