Skip to main content
Skip table of contents

EVID 6416, 6419-6424 : Audit PnP Activity (Security)

Event Details

Event TypeAudit PnP Activity
Event Description
  • 6416(S) : A new external device was recognized by the system.
  • 6419(S) : A request was made to disable a device.
  • 6420(S) : A device was disabled.
  • 6421(S) : A request was made to enable a device.
  • 6422(S) : A device was enabled.
  • 6423(S) : The installation of this device is forbidden by system policy.
  • 6424(S) : The installation of this device was allowed, after having previously been forbidden by policy.
Event IDs6416 , 6419 , 6420 , 6421 , 6422 , 6423 , 6424

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field
LogRhythm Default 
LogRhythm Default v2.0
ProviderN/AN/A
EventID<vmid><vmid>
VersionN/AN/A
Level<severity><severity>
TaskN/A<vendorinfo>
OpcodeN/AN/A
Keywords<command>, <status><result>
TimeCreatedN/AN/A
EventRecordIDN/AN/A
CorrelationN/AN/A
ExecutionN/AN/A
ChannelN/AN/A
Computer<dname><dname>
SubjectUserSidN/AN/A
SubjectUserName<login><login>
SubjectDomainName<domainorigin><domainorigin>
SubjectLogonIdN/A<session>
DeviceId<vendorinfo><object>
DeviceDescription<object><objectname>
ClassIdN/AN/A
ClassName<objecttype><objecttype>
HardwareIdsN/AN/A
CompatibleIdsN/AN/A
LocationInformation<objectname>N/A
DevicenameN/AN/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex IDRule NameRule TypeCommon EventClassification
1010263Audit PnP ActivityBase RuleConfiguration Modified : SystemConfiguration
EVID 6416 : New External DeviceSub RuleHardware InstalledInformation
EVID 6419 : Request To Disable DeviceSub RulePermission CheckedOther Audit
EVID 6420 : Device DisabledSub RuleConfiguration Modified : SystemConfiguration
EVID 6421 : Request To Disable DeviceSub RulePermission CheckedOther Audit
EVID 6422 : Device EnabledSub RuleConfiguration Modified : SystemConfiguration
EVID 6423 : Device Install ForbiddenSub RuleAdd Object FailureAccess Failure
EVID 6424 : Install Allowed After ForbiddenSub RuleConfiguration Modified : SystemConfiguration

LogRhythm Default v2.0


Regex IDRule NameRule TypeCommon EventClassification
1011118V 2.0 : Plug And Play EventsBase RuleGeneral Device Manager MessageInformation
V 2.0 : EVID 6416 : New External Device RecognizedSub RuleNew Device FoundInformation
V 2.0 : EVID 6419 : Request Made To Disable DeviceSub RuleDisabledInformation
V 2.0 : EVID 6420 : Device DisabledSub RuleDisabledInformation
V 2.0 : EVID 6421 : Request Made To Enable DeviceSub RuleEnabledInformation
V 2.0 : EVID 6422 : Device EnabledSub RuleEnabledInformation
V 2.0 : EVID 6423 : Installation Of Device ForbiddSub RuleInstall FailedError
V 2.0 : EVID 6424 : Device Inst After Being ForbidSub RuleHardware InstalledInformation
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close