This document explains the changes required to switch over and upgrade to MS Windows Event Logging XML - Security log source type to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.
Prerequisites
- Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
- Enable the new MPE rules in the LogRhythm System Monitor.
- Select log source type MS Windows Event Logging XML - Security. Ensure that you select the log source type with "XML" in the name.
- Enable log processing policy LogRhythm Default v2.0. For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.
Support for ADFS Events
Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFS. If you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.
For more information, see Log Source Virtualization.
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.
| Log Message Type | Event Type | Event IDs |
|---|---|---|
| | Multiple | Multiple |
| | Multiple | Multiple |
| | N/A | N/A |
| EVID 1102 : REST Endpoint Request Authorized (Security) | Other Events | 1102 |
| | Other Events | 1102 |
| | Other Events | 1102 |
| EVID 1108 : Logging Service Information (Security) | Logging Service | 1108 |
| EVID 4608 : System Starting (Security) | System Starting | 4608 |
| EVID 4610...4622 : Package Loaded (Security) | Audit Security System Extension | 4610, 4611, 4614, 4622 |
| EVID 4616 : System Time Was Changed (Security) | Audit Security State Change | 4616 |
| EVID 4720...4781 : Account Management (Security) | Audit User Account Management | 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4741, 4742, 4743, 4756, 4781 |
| EVID 4624 : Logon Event (Security) | Audit Logon | 4624 |
| EVID 4624 : Trusted Domain Logons (Security) | Audit Logon | 4624 |
| EVID 4624 : Logon/Logoff Events (Part 1) (Security) | Logon/Logoff Events | 4624 |
| EVID 4625 : Logon/Logoff Events (Part 2) (Security) | Logon/Logoff Events | 4625 |
| | Audit Group Membership | 4627 |
| | Audit Logon | 4648 |
| EVID 4649 : Replay Attack Detected (Security) | Replay Attack Detected | 4649 |
| | Audit Group Membership | 4653 |
| | Audit File System | 4656, 4658, 4660, 4661, 4663, 4670, 4691 |
| EVID 4662 : Object Access (Part 2) (Security) | Audit Directory Service Access | 4662 |
| EVID 4685, 4690, 4985 : Object Access (Part 3) (Security) | Audit Handle Manipulation | 4685, 4690, 4985 |
| | Audit Registry | 4657 |
| EVID 4657 : Registry Key Modified (Security) | Audit Registry | 4657 |
| EVID 4663 : Object Access Auditing (Part 1) (Security) | Audit System Integrity | 4663 |
| EVID 4663 : Object Access Auditing (Part 2) (Security) | Audit System Integrity | 4663 |
| EVID 4672 : Special Logon Privileges (Security) | Audit Special Logon | 4672 |
| EVID 4673, 4674 : Privileged Object Access (Part 2) (Security) | Audit Sensitive Privilege Use | 4673, 4674 |
| | Audit Process Creation | 4688, 4689 |
| EVID 4698-4702 : Scheduled Task Events (Security) | Audit Other Object Access Events | 4698, 4699, 4700, 4701, 4702 |
| EVID 4697 : Service Installation Attempt (Security) | Audit Security System Extension | 4697 |
| EVID 4696 : Primary Token Assigned (Security) | Audit Process Creation | 4696 |
| | Audit Token Right Adjusted | 4703 |
| EVID 4704, 4705 : User Right Assignment (Part 1) (Security) | Audit Authorization Policy Change | 4704, 4705 |
| EVID 4706, 4707 : Domain Trust Events (Part 1) (Security) | Audit Authentication Policy Change | 4706, 4707 |
| EVID 4716 : Domain Trust Events (Part 2) (Security) | Audit Authentication Policy Change | 4716 |
| EVID 4719, 4912 : Policy Changed (Part 1) (Security) | Audit Audit Policy Change | 4719, 4912 |
| EVID 4713, 4716 : Policy Changed (Part 2) (Security) | Audit Authentication Policy Change | 4713, 4716 |
| EVID 4739 : Policy Changed (Part 3) (Security) | Audit Authentication Policy Change | 4739 |
| EVID 4717, 4718 : System Security Policy (Security) | Audit Authentication Policy Change | 4717, 4718 |
| EVID 4717, 4718 : User Right Assignment (Part 2) (Security) | Audit Authentication Policy Change | 4717, 4718 |
| EVID 4727...4764 : Group Management (Security) | Account Security Group Management | 4727, 4730, 4731, 4734, 4735, 4737, 4744, 4745, 4748, 4749, 4750, 4753, 4754, 4755, 4758, 4759, 4760, 4763, 4764 |
| EVID 4728...4762 : Group Member Added/Removed (Security) | Audit Security Group Management | 4728, 4729, 4732, 4733, 4746, 4747, 4751, 4761, 4752, 4756, 4757, 4762 |
| EVID 4740 : Account Locked Out (Part 1) (Security) | Audit User Account Management | 4740 |
| EVID 4767 : Account Locked Out (Part 2) (Security) | Audit User Account Management | 4767 |
| EVID 4756 : User Added To Universal Security Group (Security) | Audit Security Group Management | 4756 |
| | Audit Kerberos Service Ticket Operations | 4769 |
| | Audit Kerberos Authentication Service | 4768, 4771 |
| | Audit Kerberos Authentication Service | 4770 |
| | Audit Kerberos Authentication Service | 4771 |
| | Audit Credentials Logon | 4776 |
| EVID 4778, 4779 : Windows Session Events (Security) | Audit Other Logon/Logoff Events | 4778, 4779 |
| EVID 4781 : Account Name Change (Security) | Audit User Account Management | 4781 |
| EVID 4793 : Password Policy Checker API Called (Security) | Audit Other Account Management Events | 4793 |
| EVID 4798 : User Local Group Membership Enumerated (Security) | Audit User Account Management | 4798 |
| EVID 4799 : Sec-Enabled Local Group Membership Enumerated (Security) | Audit Security Group Management | 4799 |
| EVID 4816 : Integrity Violation Decrypting Message (Security) | Audit System Integrity | 4816 |
| EVID 4904 : Security Event Source Registration (Security) | Audit Policy Change | 4904 |
| EVID 4907 : Audit Settings Changed (Security) | Audit Policy Change | 4907 |
| EVID 5031 : Windows Firewall Events (Part 1) (Security) | Audit Filtering Platform Connection | 5031 |
| EVID 5152-5159 : Windows Firewall Events (Part 2) (Security) | Audit Filtering Platform Connection | 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159 |
| EVID 5038 : Image Hash Of File Not Valid (Security) | Audit System Integrity | 5038 |
| EVID 5058 : Key File Operation (Security) | Key File Operation | 5058 |
| EVID 5061 : Cryptographic Operation (Security) | Audit System Integrity | 5061 |
| EVID 5136-5139, 5141 : AD Object Access (Security) | Active Directory Service Changes | 5136, 5137, 5138, 5139, 5141 |
| EVID 5140-5144 : Network Share Was Accessed (Security) | Audit Detailed File Share | 5140, 5141, 5142, 5143, 5144 |
| | Audit Detailed File Share | 5145 |
| EVID 5157 : Windows Filtering Platform (Security) | Windows Filtering Platform Connection | 5157 |
| EVID 5440-5444 : Windows Filter (Security) | Audit Filtering Platform Policy Change | 5440, 5441, 5442, 5443, 5444 |
| EVID 5888-5890 : COM+ Catalog Activity (Security) | Audit Other Object Access Events | 5888, 5889, 5890 |
| EVID 6272 : User Authentication Success (Security) | Audit Authorization Policy Change | 6272 |
| EVID 6273, 6274 : Network Policy Server Messages (Security) | Audit Network Policy Server | 6273, 6274 |
| EVID 6278 : Full Access Granted To User (Security) | Audit Authorization Policy Change | 6278 |
| EVID 6281 : Code Integrity (Security) | Code Integrity | 6281 |
| | Audit PNP Activity | 6416 |
| | Audit PNP Activity | 6416, 6419, 6420, 6421, 6422, 6423, 6424 |
Log Messages Not Available in LSO Policy
The following table lists the log message types that are not available in LSO policy.
| Log Message Type | Event Type | Event IDs |
|---|---|---|
| No EVID : AV Messages | N/A | 1000, 1001, 1013, 1116, 1117, 2000, 2001, 2002, 2010 |
| No EVID : HTTP Response Dispatched | N/A | 404 |
| No EVID : MS Exchange Messaging Policies | N/A | N/A |
| No EVID : MSSQL Login With Authentication | N/A | 18453 |
| EVID 104 : Quota Limit Reached (Security) | N/A | N/A |
| EVID 299, 500 - 503 : Instance ID Information (Security) | N/A | 299, 500, 501, 502, 503, 325 |
| EVID 304 : Failed To Issue Token (Security) | N/A | 304 |
| EVID 307 : Federation Service Configuration Change (Security) | N/A | 307 |
| EVID 403 : HTTP Request (Security) | N/A | 403 |
| EVID 410 : Request Context Headers Present (Security) | N/A | 410 |
| EVID 411 : Token Validation Failed | N/A | 411 |
| EVID 412 : Token Authenticated Successfully | N/A | 412 |
| EVID 413 : Token Processing Error | N/A | 413 |
| EVID 521 : Unable To Log Event To Security Log | N/A | 521 |
| EVID 1074 : Shutdown Events (Security) | N/A | 1074 |
| EVID 1116, 1117 : Endpoint Protection Messages (Security) | N/A | 1116, 1117 |
| EVID 3033 : CodeIntegrity Operation Messages | N/A | N/A |
| EVID 5165 : Filtering Platform Allowed Connection (Security) | N/A | 5165 |
| EVID 8222 : Shadow Copy Created | N/A | 8222 |
| EVID 8223 : Shadow Copy Imported | N/A | 8223 |
| EVID 10560 : ASP NET Token Audit | N/A | N/A |
| EVID 26401 : SDK Operations | N/A | N/A |
| EVID 33205 : MS SQL Server Messages | N/A | 33205 |
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.
Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.
Updates to AIE Rules
The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. The Change Details column indicates where the new log source type was added.
| AIE Rule | Change Details |
|---|---|
| NERC-CIP : Account Locked or Disabled Rule | Removed Group by of Host (Origin) |
Updates to the System Reports
The table below indicates changes made to the System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.
| Report Name | Change Details |
|---|---|
| FISMA : Processes By User | Added a new line to the Include Filter: |
| NEI : Processes By User | Added a new line to the Include Filter: |
| NRC : Processes By User | Added a new line to the Include Filter: |
| PCI-DSS : Invalid CDE => Internet Comm Details | Added a new line to the Include Filter: |
| PCI-DSS : Invalid DMZ => Internal Comm Details | Added a new line to the Include Filter: |
| PCI-DSS : Invalid Inet => Intrn Comm Details | Added a new line to the Include Filter: |
| PCI-DSS : Invalid Internet => CDE Comm Details | Added a new line to the Include Filter: |
| PCI-DSS : Invalid Internet => DMZ Comm Details | Added a new line to the Include Filter: |
Updates to the System Report Templates
The table below indicates changes made to Report Templates using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.
| Template Name | Change Details |
|---|---|
| Log Summary by Entity, Log Host, iApp, Event, Login, Object | |
Updates to System Tails
- No changes
Updates to System Investigations
- No changes