Event Details
| Event Type | Audit PnP Activity |
|---|
| Event Description | - 6416(S) : A new external device was recognized by the system.
- 6419(S) : A request was made to disable a device.
- 6420(S) : A device was disabled.
- 6421(S) : A request was made to enable a device.
- 6422(S) : A device was enabled.
- 6423(S) : The installation of this device is forbidden by system policy.
- 6424(S) : The installation of this device was allowed, after having previously been forbidden by policy.
|
|---|
| Event IDs | 6416 , 6419 , 6420 , 6421 , 6422 , 6423 , 6424 |
|---|
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <command>, <status> | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| SubjectUserSid | N/A | N/A |
| SubjectUserName | <login> | <login> |
| SubjectDomainName | <domainorigin> | <domainorigin> |
| SubjectLogonId | N/A | <session> |
| DeviceId | <vendorinfo> | <object> |
| DeviceDescription | <object> | <objectname> |
| ClassId | N/A | N/A |
| ClassName | <objecttype> | <objecttype> |
| HardwareIds | N/A | N/A |
| CompatibleIds | N/A | N/A |
| LocationInformation | <objectname> | N/A |
| Devicename | N/A | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|
| 1010263 | Audit PnP Activity | Base Rule | Configuration Modified : System | Configuration |
| EVID 6416 : New External Device | Sub Rule | Hardware Installed | Information |
| EVID 6419 : Request To Disable Device | Sub Rule | Permission Checked | Other Audit |
| EVID 6420 : Device Disabled | Sub Rule | Configuration Modified : System | Configuration |
| EVID 6421 : Request To Disable Device | Sub Rule | Permission Checked | Other Audit |
| EVID 6422 : Device Enabled | Sub Rule | Configuration Modified : System | Configuration |
| EVID 6423 : Device Install Forbidden | Sub Rule | Add Object Failure | Access Failure |
| EVID 6424 : Install Allowed After Forbidden | Sub Rule | Configuration Modified : System | Configuration |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| 1011118 | V 2.0 : Plug And Play Events | Base Rule | General Device Manager Message | Information |
| V 2.0 : EVID 6416 : New External Device Recognized | Sub Rule | New Device Found | Information |
| V 2.0 : EVID 6419 : Request Made To Disable Device | Sub Rule | Disabled | Information |
| V 2.0 : EVID 6420 : Device Disabled | Sub Rule | Disabled | Information |
| V 2.0 : EVID 6421 : Request Made To Enable Device | Sub Rule | Enabled | Information |
| V 2.0 : EVID 6422 : Device Enabled | Sub Rule | Enabled | Information |
| V 2.0 : EVID 6423 : Installation Of Device Forbidd | Sub Rule | Install Failed | Error |
| V 2.0 : EVID 6424 : Device Inst After Being Forbid | Sub Rule | Hardware Installed | Information |
