
LSO - MS Windows Event Logging : Deutsch - Security

This document explains the changes required to switch over and upgrade to the MS Windows Event Logging XML - Security log source type, which enables the new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.

Prerequisites

  • Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.

  • Enable the new MPE rules in the LogRhythm System Monitor.
    • Select log source type MS Windows Event Logging XML - Security.

      Ensure that you select the log source type with "XML" in the name.

    • Enable log processing policy LogRhythm Default v2.0.

    For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Support for ADFS Events

Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFS. If you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.

For more information, see Log Source Virtualization.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

Log Message Type | Event Type | Event IDs
EVID 521 : Unable To Log Event To Security Log (Deutsch - Security) | N/A | 521
EVID 1100 : Event Logging Shutdown (Deutsch - Security) | Process/Service Startup Or Shutdown Activity | 1100, 1102, 1104, 1105, 1108
EVID 1102 : Privileged Object Access (Part 1) (Deutsch - Security) | Other Events | 1102
EVID 4608 : System Starting (Deutsch - Security) | System Starting | 4608
EVID 4611 : Trusted Logon Process (Deutsch - Security) | Authentication Activity | 4610, 4611, 4614, 4622
EVID 4616 : System Time Was Changed (Deutsch - Security) | Time Adjusted | 4616
EVID 4624 : Logon Event (Deutsch - Security) | Authentication Activity | 4624
EVID 4634, 4647 : Logoff Events (Deutsch - Security) | Authentication Activity | 4634, 4647
EVID 4648 : Logon Using Explicit Credentials (Deutsch - Security) | User Logon | 4648
EVID 4656, 4658, 4663 : Object Access (Deutsch - Security) | Object Accessed | 4656, 4658, 4660, 4661, 4663, 4670, 4691, 4818
EVID 4672 : Special Logon Privileges (Deutsch - Security) | Privilege Granted | 4672
EVID 4673, 4674 : Privileged Object Access (Part 2) (Deutsch - Security) | Audit Non-Sensitive Privilege Use | 4673, 4674
EVID 4688, 4689 : Process Startup And Shutdown (Deutsch - Security) | Process/Service Startup Or Shutdown Activity | 4688, 4689
EVID 4719 : Policy Change (Deutsch - Security) | Policy Modified : System | 4719, 4912
EVID 4720...4738 : Account Management (Deutsch - Security) | User Account Attribute Modified | 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4741, 4742, 4743, 4767, 4780, 4782
EVID 4728, 4732 : Group Member Added (Deutsch - Security) | Group Attribute Modified | 4728, 4732
EVID 4768 : Kerberos Events (Part 1) (Deutsch - Security) | Audit Kerberos Authentication Service | 4768
EVID 4769, 4770 : Kerberos Events (Part 2) (Deutsch - Security) | Audit Kerberos Service Ticket Operations | 4769, 4770
EVID 4776 : Remote Logon (Deutsch - Security) | User Logon | 4776
EVID 4800 : Workstation Locked (Deutsch - Security) | Workstation Locked | 4800, 4801, 4802, 4803
EVID 4902 : Per User Audit Policy Refreshed (Deutsch - Security) | Policy Modified : Auditing | 4902
EVID 4956, 4957 : Firewall Action (Deutsch - Security) | General Firewall Event | 4956, 4957
EVID 5024, 5033 : Windows Firewall (Deutsch - Security) | Network Traffic | 5024, 5033
EVID 5031 : Windows Firewall Events (Part 1) (Deutsch - Security) | Audit Filtering Platform Connection | 5031
EVID 5058 : Key File Operation (Deutsch - Security) | Key File Operation | 5058
EVID 5061 : Cryptographic Operation (Deutsch - Security) | Cryptographic Operation | 5061
EVID 5152-5159 : Windows Firewall Events (Part 2) (Deutsch - Security) | Audit Filtering Platform Packet Drop | 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159
EVID 5140, 5145 : Share Events (Deutsch - Security) | Audit File Share | 5140, 5145
EVID 5447 : Windows Filter Platform Change (Deutsch - Security) | Configuration Modified : Security | 5140, 5142, 5143, 5144, 5145
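Before switching a collector over, it is worth checking which Event IDs your Security channel actually produces against the table above, so that anything outside the covered set is known in advance. The script below is an added example and is not LogRhythm code: it parses events in the Windows event XML shape that the XML log source type consumes, and counts covered versus uncovered Event IDs. The SUPPORTED_EVENT_IDS set is the union of the Event IDs column above; the three sample events are constructed for the demo (the field names follow the standard Security-auditing EventData names, which are the same in a German-localized Windows), and the host name is a placeholder.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Windows event XML namespace used by exported/forwarded Security events.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Union of the Event IDs column in the Supported Log Messages table above.
SUPPORTED_EVENT_IDS = frozenset({
    521, 1100, 1102, 1104, 1105, 1108,
    4608, 4610, 4611, 4614, 4616, 4622, 4624, 4634, 4647, 4648,
    4656, 4658, 4660, 4661, 4663, 4670, 4672, 4673, 4674, 4688, 4689,
    4691, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4728, 4732, 4738,
    4741, 4742, 4743, 4767, 4768, 4769, 4770, 4776, 4780, 4782,
    4800, 4801, 4802, 4803, 4818, 4902, 4912, 4956, 4957,
    5024, 5031, 5033, 5058, 5061,
    5140, 5142, 5143, 5144, 5145,
    5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159,
})


def parse_event(xml_text):
    """Flatten one <Event> document into a dict: the System fields that
    matter for routing plus every <Data Name="..."> value in EventData."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    event = {
        "EventID": int(system.findtext(NS + "EventID")),
        "Channel": system.findtext(NS + "Channel"),
        "Computer": system.findtext(NS + "Computer"),
        "TimeCreated": system.find(NS + "TimeCreated").get("SystemTime"),
    }
    data = root.find(NS + "EventData")
    if data is not None:
        for item in data.findall(NS + "Data"):
            event[item.get("Name")] = (item.text or "").strip()
    return event


def coverage(events):
    """Count parsed events by EventID, split into those the LSO rule set
    covers and those it does not, so gaps can be reviewed before cutover."""
    covered, uncovered = Counter(), Counter()
    for ev in events:
        bucket = covered if ev["EventID"] in SUPPORTED_EVENT_IDS else uncovered
        bucket[ev["EventID"]] += 1
    return covered, uncovered


def _sample_xml(event_id, data):
    """Build a minimal, constructed Security-channel event for the demo."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID>"
        '<TimeCreated SystemTime="2024-01-01T08:00:00.000000000Z"/>'
        "<Channel>Security</Channel><Computer>dc01.example.test</Computer>"
        f"</System><EventData>{body}</EventData></Event>"
    )


# Constructed sample: two covered IDs and one (4625) that the table does not list.
SAMPLE_EVENTS = [parse_event(_sample_xml(eid, data)) for eid, data in [
    (4624, {"TargetUserName": "alice", "LogonType": "3", "IpAddress": "10.0.0.5"}),
    (4688, {"SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\cmd.exe"}),
    (4625, {"TargetUserName": "bob", "LogonType": "3", "Status": "0xc000006d"}),
]]

if __name__ == "__main__":
    covered, uncovered = coverage(SAMPLE_EVENTS)
    print("covered by LSO rules:", dict(covered))
    print("not in the supported table:", dict(uncovered))
```

Feed it real exported events (for example, the XML view of a saved .evtx export) in place of the constructed sample to get the coverage picture for your own domain controllers.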

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact on your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. The Change Details column indicates where the new log source type was added.

AIE Rules | Change Details
NERC-CIP : Account Locked or Disabled Rule | Removed Group by of Host (Origin)

Updates to the System Reports

The table below indicates changes made to the System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Report Name | Change Details

FISMA : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

NEI : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

NRC : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

PCI-DSS : Invalid CDE => Internet Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

PCI-DSS : Invalid DMZ => Internal Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

PCI-DSS : Invalid Internet => Internal Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

PCI-DSS : Invalid Internet => CDE Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

PCI-DSS : Invalid Internet => DMZ Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
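To see what an added "Or Previous / <field> / Is Not / NOTHING" line does to a report's row selection, the model below evaluates a small Include Filter over constructed parsed logs. It is an added example, not LogRhythm code, and it rests on assumptions about the filter semantics: a line is (Operator, Field, Filter Mode, Filtered Values), "Or Previous" ORs a line with the combined result of the lines above it while any other operator ANDs, and "Is Not" against NOTHING keeps logs whose field is populated. The BASE_LINE standing in for the report's original filter line and the log records are hypothetical; only ADDED_LINE is taken from the table above.

```python
# Added example modelling LogRhythm-style report Include Filter evaluation.
# ASSUMED semantics (not confirmed by the page): "Or Previous" ORs with the
# running result of earlier lines, other operators AND; "Is Not" against
# NOTHING matches logs whose field has a value.

NOTHING = object()  # stand-in for the empty-value selection "NOTHING"


def line_matches(line, log):
    """Evaluate one filter line against one parsed log (a dict of fields)."""
    value = log.get(line["field"])
    if line["values"] is NOTHING:
        populated = value not in (None, "")
        return populated if line["mode"] == "Is Not" else not populated
    hit = value in line["values"]
    return hit if line["mode"] == "Is" else not hit


def include(filter_lines, log):
    """Fold the lines top to bottom: 'Or Previous' ORs with the running
    result; the first line seeds it and any other operator ANDs."""
    result = None
    for line in filter_lines:
        matched = line_matches(line, log)
        if result is None:
            result = matched
        elif line["operator"] == "Or Previous":
            result = result or matched
        else:
            result = result and matched
    return bool(result)


def report_rows(filter_lines, logs):
    """Return the ids of the logs the report would keep under the filter."""
    return [log["id"] for log in logs if include(filter_lines, log)]


# Hypothetical original line of a "Processes By User" report (an assumption).
BASE_LINE = {"operator": "And", "field": "Common Event",
             "mode": "Is", "values": {"Process Started"}}
# The line the table above says was added.
ADDED_LINE = {"operator": "Or Previous", "field": "Process Name",
              "mode": "Is Not", "values": NOTHING}

BEFORE = [BASE_LINE]
AFTER = [BASE_LINE, ADDED_LINE]

# Constructed logs in the shape the MPE would leave after parsing.
LOGS = [
    {"id": 1, "Common Event": "Process Started", "Process Name": "cmd.exe", "Login": "alice"},
    {"id": 2, "Common Event": "Process Ended", "Process Name": "notepad.exe", "Login": "alice"},
    {"id": 3, "Common Event": "Logon Success", "Process Name": "", "Login": "bob"},
]

if __name__ == "__main__":
    print("rows before the change:", report_rows(BEFORE, LOGS))
    print("rows after the change: ", report_rows(AFTER, LOGS))
```

Under these assumed semantics the added line widens the report to every log with a populated Process Name (or IP Address (Impacted) for the PCI-DSS reports), regardless of the earlier lines; that is the kind of change in row selection the note at the start of this section asks you to review against custom reports and investigations.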

Updates to System Report Templates

The table below indicates changes made to Report Templates using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Template Name | Change Details

Log Summary by Entity, Log Host, iApp, Event, Login, Object
  • Added Process field after Object.
  • New Report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process

Updates to System Tails

  • No changes

Updates to System Investigations

  • No changes