LSO - MS Windows Event Logging : Español - Security

This document explains the changes required to switch over and upgrade to MS Windows Event Logging XML - Security log source type to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.

Prerequisites

Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
Enable the new MPE rules in the LogRhythm System Monitor.
- Select log source type MS Windows Event Logging XML - Security.
  
  Ensure that you select the the log source type with "XML" in the name.
- Enable log processing policy LogRhythm Default v2.0.
For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Support for ADFS Events

Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFS. If you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.

For more information, see Log Source Virtualization.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

Log Message Type	Event Type	Event IDs
Multiple EVIDs : Catch All : Level 3 (Español - Security)	Multiple	Multiple
EVID 4624 : Logon Event (Español - Security)	Audit Logon	4624
EVID 4625 : Failed Authentication (Español - Security)	Audit Logon	4625
EVID 4634, 4647: Logoff Events (Español - Security)	Audit Logoff	4634, 4647
EVID 4648 : Logon Using Explicit Credentials (Español - Security)	Audit Logon	4648
EVID 4663 : File Messages (Español - Security)	Audit File System	4656, 4658, 4660, 4661, 4663, 4670, 4691, 4818
EVID 4672 : Special Logon Privileges (Español - Security)	Audit Special Logon	4672
EVID 4688, 4689 : Process Startup And Shutdown (Español - Security)	Audit Process Creation/Termination	4688, 4689
EVID 4768, 4771 : Kerberos Events (Part1) (Español - Security)	Audit Kerberos Authentication Service	4768, 4771
EVID 4769, 4770 : Kerberos Events (Part2) (Español - Security)	Audit Kerberos Service Ticket Operations	4769, 4770
EVID 4776 : Remote Logon (Español - Security)	Audit Credential Validation	4776
EVID 4904 : Security Event Source Registration (Español - Security)	Audit Audit Policy Change	4904, 4905

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. The Change Details column indicates where the new log source type was added.

AIE Rules	Change Details
NERC-CIP : Account Locked or Disabled Rule	Removed Group by of Host (Origin)

Updates to System Reports

The table below indicates changes made to the System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Report Name	Change Details
FISMA : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
NEI : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
NRC : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid CDE => Internet Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid DMZ => Internal Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => Internal Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => CDE Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => DMZ Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING

Updates to System Report Templates

The table below indicates changes made to Report Templates using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Template Name	Change Details
Log Summary by Entity, Log Host, iApp, Event, Login, Object	Added Process field after Object. New Report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process

Updates to System Tails

No changes

Updates to System Investigations

No changes