EVID 6416, 6419-6424 : Audit PnP Activity (Security)

Event Details

Event Type

Audit PnP Activity

Event Description

  • 6416(S) : A new external device was recognized by the system.

  • 6419(S) : A request was made to disable a device.

  • 6420(S) : A device was disabled.

  • 6421(S) : A request was made to enable a device.

  • 6422(S) : A device was enabled.

  • 6423(S) : The installation of this device is forbidden by system policy.

  • 6424(S) : The installation of this device was allowed, after having previously been forbidden by policy.

Event IDs

6416, 6419, 6420, 6421, 6422, 6423, 6424

Log Fields and Parsing

This section details the log fields available in this log message type, along with the values parsed for both the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that no value is parsed for that log field under that policy.

Log Field            | LogRhythm Default    | LogRhythm Default v2.0
Provider             | N/A                  | N/A
EventID              | <vmid>               | <vmid>
Version              | N/A                  | N/A
Level                | <severity>           | <severity>
Task                 | N/A                  | <vendorinfo>
Opcode               | N/A                  | N/A
Keywords             | <command>, <status>  | <result>
TimeCreated          | N/A                  | N/A
EventRecordID        | N/A                  | N/A
Correlation          | N/A                  | N/A
Execution            | N/A                  | N/A
Channel              | N/A                  | N/A
Computer             | <dname>              | <dname>
SubjectUserSid       | N/A                  | N/A
SubjectUserName      | <login>              | <login>
SubjectDomainName    | <domainorigin>       | <domainorigin>
SubjectLogonId       | N/A                  | <session>
DeviceId             | <vendorinfo>         | <object>
DeviceDescription    | <object>             | <objectname>
ClassId              | N/A                  | N/A
ClassName            | <objecttype>         | <objecttype>
HardwareIds          | N/A                  | N/A
CompatibleIds        | N/A                  | N/A
LocationInformation  | <objectname>         | N/A
Devicename           | N/A                  | N/A

Log Processing Settings

This section details the log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases a base rule is broken down into sub-rules so that each log message type is parsed according to its event ID.

LogRhythm Default

Regex ID  | Rule Name                                    | Rule Type  | Common Event                     | Classification
1010263   | Audit PnP Activity                           | Base Rule  | Configuration Modified : System  | Configuration
          | EVID 6416 : New External Device              | Sub Rule   | Hardware Installed               | Information
          | EVID 6419 : Request To Disable Device        | Sub Rule   | Permission Checked               | Other Audit
          | EVID 6420 : Device Disabled                  | Sub Rule   | Configuration Modified : System  | Configuration
          | EVID 6421 : Request To Disable Device        | Sub Rule   | Permission Checked               | Other Audit
          | EVID 6422 : Device Enabled                   | Sub Rule   | Configuration Modified : System  | Configuration
          | EVID 6423 : Device Install Forbidden         | Sub Rule   | Add Object Failure               | Access Failure
          | EVID 6424 : Install Allowed After Forbidden  | Sub Rule   | Configuration Modified : System  | Configuration

LogRhythm Default v2.0

Regex ID  | Rule Name                                            | Rule Type  | Common Event                    | Classification
1011118   | V 2.0 : Plug And Play Events                         | Base Rule  | General Device Manager Message  | Information
          | V 2.0 : EVID 6416 : New External Device Recognized   | Sub Rule   | New Device Found                | Information
          | V 2.0 : EVID 6419 : Request Made To Disable Device   | Sub Rule   | Disabled                        | Information
          | V 2.0 : EVID 6420 : Device Disabled                  | Sub Rule   | Disabled                        | Information
          | V 2.0 : EVID 6421 : Request Made To Enable Device    | Sub Rule   | Enabled                         | Information
          | V 2.0 : EVID 6422 : Device Enabled                   | Sub Rule   | Enabled                         | Information
          | V 2.0 : EVID 6423 : Installation Of Device Forbidd   | Sub Rule   | Install Failed                  | Error
          | V 2.0 : EVID 6424 : Device Inst After Being Forbid   | Sub Rule   | Hardware Installed              | Information