This document explains the changes required to switch over and upgrade to MS Windows Event Logging XML - Security log source type to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.
Prerequisites
-
Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
-
Enable the new MPE rules in the LogRhythm System Monitor.
-
Select log source type MS Windows Event Logging XML - Security.
Ensure that you select the the log source type with "XML" in the name.
-
Enable log processing policy LogRhythm Default v2.0.
For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.
-
Support for ADFS Events
Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFS. If you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.
For more information, see Log Source Virtualization.
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.
|
Log Message Type |
Event Type |
Event IDs |
|---|---|---|
| EVID 521 : Unable To Log Event To Security Log (Deutsch - Security) |
N/A |
521 |
|
Process/Service Startup Or Shutdown Activity |
1100, 1102, 1104, 1105, 1108 |
|
|
EVID 1102 : Privileged Object Access (Part 1) (Deutsch - Security) |
Other Events |
1102 |
|
System Starting |
4608 |
|
|
Authentication Activity |
4610, 4611, 4614, 4622 |
|
|
Time Adjusted |
4616 |
|
|
Authentication Activity |
4624 |
|
|
Authentication Activity |
4634, 4647 |
|
|
EVID 4648 : Logon Using Explicit Credentials (Deutsch - Security) |
User Logon |
4648 |
|
Object Accessed |
4656, 4658, 4660, 4661, 4663, 4670, 4691, 4818 |
|
|
Privilege Granted |
4672 |
|
| EVID 4673, 4674 : Privileged Object Access (Part 2) (Deutsch - Security) |
Audit Non-Sensitive Privilege Use |
4673, 4674 |
|
EVID 4688, 4689 : Process Startup And Shutdown (Deutsch - Security) |
Process/Service Startup Or Shutdown Activity |
4688, 4689 |
|
Policy Modified : System |
4719, 4912 |
|
|
User Account Attribute Modified |
4720, 4722, 4723, 4724, 4725, 4726, 4738, 4741, 4742, 4743, 4767, 4780, 4782 |
|
|
Group Attribute Modified |
4728, 4732 |
|
|
Audit Kerberos Authentication Service |
4768 |
|
| EVID 4769, 4770 : Kerberos Events (Part 2) (Deutsch - Security) |
Audit Kerberos Service Ticket Operations |
4769, 4770 |
|
User Logon |
4776
|
|
|
Workstation Locked |
4800, 4801, 4802, 4803 |
|
|
EVID 4902 : Per User Audit Policy Refreshed (Deutsch - Security) |
Policy Modified : Auditing |
4902 |
|
General Firewall Event |
4956, 4957 |
|
|
Network Traffic |
5024, 5033 |
|
|
EVID 5031 : Windows Firewall Events (Part 1) (Deutsch - Security) |
Audit Filtering Platform Connection |
5031 |
|
Key File Operation |
5058 |
|
|
Cryptographic Operation |
5061 |
|
| EVID 5152-5159 : Windows Firewall Events (Part 2) (Deutsch - Security) |
Audit Filtering Platform Packet Drop |
5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159 |
|
Audit File Share |
5140, 5145 |
|
|
EVID 5447 : Windows Filter Platform Change (Deutsch - Security) |
Configuration Modified : Security |
5140, 5142, 5143, 5144, 5145
|
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.
Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.
Updates to AIE Rules
The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. The Change Details column indicates where the new log source type was added.
|
AIE Rules |
Change Details |
|---|---|
|
NERC-CIP : Account Locked or Disabled Rule |
Removed Group by of Host (Origin) |
Updates to the System Reports
The table below indicates changes made to the System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security
|
Report Name |
Change Details |
|---|---|
|
FISMA : Processes By User |
Added a new line to the Include Filter:
|
|
NEI : Processes By User |
Added a new line to the Include Filter:
|
|
NRC : Processes By User |
Added a new line to the Include Filter:
|
|
PCI-DSS : Invalid CDE => Internet Comm Details |
Added a new line to the Include Filter:
|
|
PCI-DSS : Invalid DMZ => Internal Comm Details |
Added a new line to the Include Filter:
|
|
PCI-DSS : Invalid Internet => Internal Comm Details |
Added a new line to the Include Filter:
|
|
PCI-DSS : Invalid Internet => CDE Comm Details |
Added a new line to the Include Filter:
|
|
PCI-DSS : Invalid Internet => DMZ Comm Details |
Added a new line to the Include Filter:
|
Updates to System Report Templates
The table below indicates changes made to Report Templates using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.
|
Template Name |
Change Details |
|---|---|
|
Log Summary by Entity, Log Host, iApp, Event, Login, Object |
|
Updates to System Tails
-
No changes
Updates to System Investigations
-
No changes