LSO - MS Windows Event Logging - Security

This document explains the changes required to switch over to the MS Windows Event Logging XML - Security log source type and enable the new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.

Prerequisites

  • Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.

  • Enable the new MPE rules in the LogRhythm System Monitor.

    • Select log source type MS Windows Event Logging XML - Security.

      Ensure that you select the log source type with "XML" in the name; the log source type without "XML" does not use the new rules.

    • Enable log processing policy LogRhythm Default v2.0.

      For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Support for ADFS Events

Log Source Stabilization (LSS) does not support ADFS events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS events are supported separately by the MS Windows Event Logging XML - ADFS log source type. If you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream them as MS Windows Event Logging XML - ADFS log messages.

For more information, see Log Source Virtualization.


Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

| Log Message Type | Event Type | Event IDs |
|---|---|---|
| Multiple EVIDs : Catch All : Level 3 (Security) | Multiple | Multiple |
| Multiple EVIDs : Catch All : Level 2 (Security) | Multiple | Multiple |
| No EVID : AD FS Messages (Security) | N/A | N/A |
| EVID 1102 : REST Endpoint Request Authorized (Security) | Other Events | 1102 |
| EVID 1102 : Log File Cleared (Security) | Other Events | 1102 |
| EVID 1102 : Privileged Object Access (Part 1) (Security) | Other Events | 1102 |
| EVID 1108 : Logging Service Information (Security) | Logging Service | 1108 |
| EVID 4608 : System Starting (Security) | System Starting | 4608 |
| EVID 4610...4622 : Package Loaded (Security) | Audit Security System Extension | 4610, 4611, 4614, 4622 |
| EVID 4616 : System Time Was Changed (Security) | Audit Security State Change | 4616 |
| EVID 4720...4781 : Account Management (Security) | Audit User Account Management | 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4741, 4742, 4743, 4756, 4781 |
| EVID 4624 : Logon Event (Security) | Audit Logon | 4624 |
| EVID 4624 : Trusted Domain Logons (Security) | Audit Logon | 4624 |
| EVID 4624 : Logon/Logoff Events (Part 1) (Security) | Logon/Logoff Events | 4624 |
| EVID 4625 : Logon/Logoff Events (Part 2) (Security) | Logon/Logoff Events | 4625 |
| EVID 4627 : Group Membership Information (Security) | Audit Group Membership | 4627 |
| EVID 4648 : Logon Using Explicit Credentials (Security) | Audit Logon | 4648 |
| EVID 4649 : Replay Attack Detected (Security) | Replay Attack Detected | 4649 |
| EVID 4653 : IPSec Main Mode Negotiation Failed (Security) | Audit Group Membership | 4653 |
| EVID 4656...4691 : Object Access (Part 1) (Security) | Audit File System | 4656, 4658, 4660, 4661, 4663, 4670, 4691 |
| EVID 4662 : Object Access (Part 2) (Security) | Audit Directory Service Access | 4662 |
| EVID 4685, 4690, 4985 : Object Access (Part 3) (Security) | Audit Handle Manipulation | 4685, 4690, 4985 |
| EVID 4657 : Object Access (Part 4) (Security) | Audit Registry | 4657 |
| EVID 4657 : Registry Key Modified (Security) | Audit Registry | 4657 |
| EVID 4663 : Object Access Auditing (Part 1) (Security) | Audit System Integrity | 4663 |
| EVID 4663 : Object Access Auditing (Part 2) (Security) | Audit System Integrity | 4663 |
| EVID 4672 : Special Logon Privileges (Security) | Audit Special Logon | 4672 |
| EVID 4673, 4674 : Privileged Object Access (Part 2) (Security) | Audit Sensitive Privilege Use | 4673, 4674 |
| EVID 4688, 4689 : Process Startup And Shutdown (Security) | Audit Process Creation | 4688, 4689 |
| EVID 4698-4702 : Scheduled Task Events (Security) | Audit Other Object Access Events | 4698, 4699, 4700, 4701, 4702 |
| EVID 4697 : Service Installation Attempt (Security) | Audit Security System Extension | 4697 |
| EVID 4696 : Primary Token Assigned (Security) | Audit Process Creation | 4696 |
| EVID 4703 : User Right Was Adjusted (Security) | Audit Token Right Adjusted | 4703 |
| EVID 4704, 4705 : User Right Assignment (Part 1) (Security) | Audit Authorization Policy Change | 4704, 4705 |
| EVID 4706, 4707 : Domain Trust Events (Part 1) (Security) | Audit Authentication Policy Change | 4706, 4707 |
| EVID 4716 : Domain Trust Events (Part 2) (Security) | Audit Authentication Policy Change | 4716 |
| EVID 4719, 4912 : Policy Changed (Part 1) (Security) | Audit Audit Policy Change | 4719, 4912 |
| EVID 4713, 4716 : Policy Changed (Part 2) (Security) | Audit Authentication Policy Change | 4713, 4716 |
| EVID 4739 : Policy Changed (Part 3) (Security) | Audit Authentication Policy Change | 4739 |
| EVID 4717, 4718 : System Security Policy (Security) | Audit Authentication Policy Change | 4717, 4718 |
| EVID 4717, 4718 : User Right Assignment (Part 2) (Security) | Audit Authentication Policy Change | 4717, 4718 |
| EVID 4727...4764 : Group Management (Security) | Account Security Group Management | 4727, 4730, 4731, 4734, 4735, 4737, 4744, 4745, 4748, 4749, 4750, 4753, 4754, 4755, 4758, 4759, 4760, 4763, 4764 |
| EVID 4728...4762 : Group Member Added/Removed (Security) | Audit Security Group Management | 4728, 4729, 4732, 4733, 4746, 4747, 4751, 4761, 4752, 4756, 4757, 4762 |
| EVID 4740 : Account Locked Out (Part 1) (Security) | Audit User Account Management | 4740 |
| EVID 4767 : Account Locked Out (Part 2) (Security) | Audit User Account Management | 4767 |
| EVID 4756 : User Added To Universal Security Group (Security) | Audit Security Group Management | 4756 |
| EVID 4769 : Kerberos Events (Security) | Audit Kerberos Service Ticket Operations | 4769 |
| EVID 4768, 4771 : Kerberos Events (Part 1) (Security) | Audit Kerberos Authentication Service | 4768, 4771 |
| EVID 4770 : Kerberos Events (Part 2) (Security) | Audit Kerberos Authentication Service | 4770 |
| EVID 4771 : Kerberos Pre-Authentication Failed (Security) | Audit Kerberos Authentication Service | 4771 |
| EVID 4776 : Remote Logon (Security) | Audit Credentials Logon | 4776 |
| EVID 4778, 4779 : Windows Session Events (Security) | Audit Other Logon/Logoff Events | 4778, 4779 |
| EVID 4781 : Account Name Change (Security) | Audit User Account Management | 4781 |
| EVID 4793 : Password Policy Checker API Called (Security) | Audit Other Account Management Events | 4793 |
| EVID 4798 : User Local Group Membership Enumerated (Security) | Audit User Account Management | 4798 |
| EVID 4799 : Sec-Enabled Local Group Membership Enumerated (Security) | Audit Security Group Management | 4799 |
| EVID 4816 : Integrity Violation Decrypting Message (Security) | Audit System Integrity | 4816 |
| EVID 4904 : Security Event Source Registration (Security) | Audit Policy Change | 4904 |
| EVID 4907 : Audit Settings Changed (Security) | Audit Policy Change | 4907 |
| EVID 5031 : Windows Firewall Events (Part 1) (Security) | Audit Filtering Platform Connection | 5031 |
| EVID 5152-5159 : Windows Firewall Events (Part 2) (Security) | Audit Filtering Platform Connection | 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159 |
| EVID 5038 : Image Hash Of File Not Valid (Security) | Audit System Integrity | 5038 |
| EVID 5058 : Key File Operation (Security) | Key File Operation | 5058 |
| EVID 5061 : Cryptographic Operation (Security) | Audit System Integrity | 5061 |
| EVID 5136-5139, 5141 : AD Object Access (Security) | Active Directory Service Changes | 5136, 5137, 5138, 5139, 5141 |
| EVID 5140-5144 : Network Share Was Accessed (Security) | Audit Detailed File Share | 5140, 5141, 5142, 5143, 5144 |
| EVID 5145 : Share Events (Security) | Audit Detailed File Share | 5145 |
| EVID 5157 : Windows Filtering Platform (Security) | Windows Filtering Platform Connection | 5157 |
| EVID 5440-5444 : Windows Filter (Security) | Audit Filtering Platform Policy Change | 5440, 5441, 5442, 5443, 5444 |
| EVID 5888-5890 : COM+ Catalog Activity (Security) | Audit Other Object Access Events | 5888, 5889, 5890 |
| EVID 6272 : User Authentication Success (Security) | Audit Authorization Policy Change | 6272 |
| EVID 6273, 6274 : Network Policy Server Messages (Security) | Audit Network Policy Server | 6273, 6274 |
| EVID 6278 : Full Access Granted To User (Security) | Audit Authorization Policy Change | 6278 |
| EVID 6281 : Code Integrity (Security) | Code Integrity | 6281 |
| EVID 6416 : New External Device Recognized (Security) | Audit PNP Activity | 6416 |
| EVID 6416, 6419-6424 : Audit PnP Activity (Security) | Audit PNP Activity | 6416, 6419, 6420, 6421, 6422, 6423, 6424 |

Log Messages Not Available in LSO Policy

The following table lists the log message types that are not available in the LSO policy (LogRhythm Default v2.0); events of these types are not parsed by a dedicated LSO MPE rule.

| Log Message Type | Event Type | Event IDs |
|---|---|---|
| No EVID : AV Messages | N/A | 1000, 1001, 1013, 1116, 1117, 2000, 2001, 2002, 2010 |
| No EVID : HTTP Response Dispatched | N/A | 404 |
| No EVID : MS Exchange Messaging Policies | N/A | N/A |
| No EVID : MSSQL Login With Authentication | N/A | 18453 |
| EVID 104 : Quota Limit Reached (Security) | N/A | N/A |
| EVID 299, 500 - 503 : Instance ID Information (Security) | N/A | 299, 500, 501, 502, 503, 325 |
| EVID 304 : Failed To Issue Token (Security) | N/A | 304 |
| EVID 307 : Federation Service Configuration Change (Security) | N/A | 307 |
| EVID 403 : HTTP Request (Security) | N/A | 403 |
| EVID 410 : Request Context Headers Present (Security) | N/A | 410 |
| EVID 411 : Token Validation Failed | N/A | 411 |
| EVID 412 : Token Authenticated Successfully | N/A | 412 |
| EVID 413 : Token Processing Error | N/A | 413 |
| EVID 521 : Unable To Log Event To Security Log | N/A | 521 |
| EVID 1074 : Shutdown Events (Security) | N/A | 1074 |
| EVID 1116, 1117 : Endpoint Protection Messages (Security) | N/A | 1116, 1117 |
| EVID 3033 : CodeIntegrity Operation Messages | N/A | N/A |
| EVID 5165 : Filtering Platform Allowed Connection (Security) | N/A | 5165 |
| EVID 8222 : Shadow Copy Created | N/A | 8222 |
| EVID 8223 : Shadow Copy Imported | N/A | 8223 |
| EVID 10560 : ASP NET Token Audit | N/A | N/A |
| EVID 26401 : SDK Operations | N/A | N/A |
| EVID 33205 : MS SQL Server Messages | N/A | 33205 |
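Before switching a log source over, it helps to know how much of your actual Security-log volume the two tables above account for: event IDs in the first table get a dedicated LSO MPE rule, event IDs in the second table have no LSO rule, and anything else falls through to the Catch All rules. The script below is an added example, not LogRhythm's code or part of this document's procedure. It parses Windows events in their native XML form (the format produced by Event Viewer's "Copy as XML" or PowerShell's Get-WinEvent ... | ForEach-Object { $_.ToXml() }), reads the EventID from the System element, and tallies each Security-channel event into one of those three buckets. The ID sets are transcribed from the two tables on this page (including the IDs that appear only in a message-type name, such as 104 and 3033); the sample events at the bottom are constructed for the demonstration.

```python
"""Coverage check for the LSO (LogRhythm Default v2.0) Security rules.

Added example, not LogRhythm code. Classifies Windows Security events by
whether their EventID has a dedicated LSO MPE rule, is listed as not
available in the LSO policy, or would fall through to the Catch All rules.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by every Windows event rendered as XML (ToXml()/Event Viewer).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs from the "Supported Log Messages" table (dedicated LSO MPE rule).
LSO_RULE_IDS = frozenset([
    1102, 1108, 4608, 4610, 4611, 4614, 4622, 4616, 4720, 4722, 4723, 4724,
    4725, 4726, 4738, 4741, 4742, 4743, 4756, 4781, 4624, 4625, 4627, 4648,
    4649, 4653, 4656, 4658, 4660, 4661, 4663, 4670, 4691, 4662, 4685, 4690,
    4985, 4657, 4672, 4673, 4674, 4688, 4689, 4698, 4699, 4700, 4701, 4702,
    4697, 4696, 4703, 4704, 4705, 4706, 4707, 4716, 4719, 4912, 4713, 4739,
    4717, 4718, 4727, 4730, 4731, 4734, 4735, 4737, 4744, 4745, 4748, 4749,
    4750, 4753, 4754, 4755, 4758, 4759, 4760, 4763, 4764, 4728, 4729, 4732,
    4733, 4746, 4747, 4751, 4761, 4752, 4757, 4762, 4740, 4767, 4769, 4768,
    4771, 4770, 4776, 4778, 4779, 4793, 4798, 4799, 4816, 4904, 4907, 5031,
    5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159, 5038, 5058, 5061, 5136,
    5137, 5138, 5139, 5141, 5140, 5142, 5143, 5144, 5145, 5440, 5441, 5442,
    5443, 5444, 5888, 5889, 5890, 6272, 6273, 6274, 6278, 6281, 6416, 6419,
    6420, 6421, 6422, 6423, 6424,
])

# Event IDs from the "Log Messages Not Available in LSO Policy" table.
NOT_IN_LSO_POLICY_IDS = frozenset([
    1000, 1001, 1013, 1116, 1117, 2000, 2001, 2002, 2010, 404, 18453,
    299, 500, 501, 502, 503, 325, 304, 307, 403, 410, 411, 412, 413, 521,
    1074, 5165, 8222, 8223, 33205,
    104, 3033, 10560, 26401,  # named only in the message type, Event IDs column says N/A
])


def parse_event(xml_text: str) -> tuple[int, str]:
    """Return (EventID, Channel) from one Windows event rendered as XML."""
    root = ET.fromstring(xml_text)
    eid = root.find("e:System/e:EventID", NS)
    channel = root.find("e:System/e:Channel", NS)
    if eid is None or not (eid.text or "").strip().isdigit():
        raise ValueError("event has no numeric System/EventID")
    return int(eid.text.strip()), (channel.text or "").strip() if channel is not None else ""


def classify(eid: int) -> str:
    """Bucket an event ID against the two tables on this page."""
    if eid in LSO_RULE_IDS:
        return "lso_rule"
    if eid in NOT_IN_LSO_POLICY_IDS:
        return "not_in_lso_policy"
    return "catch_all"


def coverage_summary(events) -> dict:
    """Count Security-channel events per bucket and per EventID.

    Events from other channels are counted under 'other_channel' so that a
    mixed export does not skew the Security-log numbers.
    """
    summary = {k: Counter() for k in ("lso_rule", "not_in_lso_policy", "catch_all", "other_channel")}
    for xml_text in events:
        eid, channel = parse_event(xml_text)
        bucket = classify(eid) if channel == "Security" else "other_channel"
        summary[bucket][eid] += 1
    return summary


def sample_event(eid: int, channel: str = "Security") -> str:
    """Build a minimal constructed event in the Windows event XML layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{eid}</EventID><Channel>{channel}</Channel>"
        f"</System><EventData/></Event>"
    )


# Constructed sample batch: two logons, one failed logon, one WFP allow (not in
# LSO policy), one logoff (4634, not listed on this page), one System-channel event.
SAMPLE_EVENTS = [
    sample_event(4624), sample_event(4624), sample_event(4625),
    sample_event(5165), sample_event(4634), sample_event(7045, channel="System"),
]

if __name__ == "__main__":
    for bucket, counts in coverage_summary(SAMPLE_EVENTS).items():
        print(f"{bucket:18s} {sum(counts.values()):3d}  {dict(counts)}")
```

Feed it the XML of a day's worth of events from a representative domain controller and member server; the catch_all bucket is the list of event IDs worth reviewing before you rely on LSO parsing for investigations or AIE rules.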

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. The Change Details column indicates where the new log source type was added.

| AIE Rule | Change Details |
|---|---|
| NERC-CIP : Account Locked or Disabled Rule | Removed Group by of Host (Origin) |

Updates to the System Reports

The table below indicates changes made to the System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. Each listed report received one new line in its Include Filter, with the settings shown.

| Report Name | Change Details |
|---|---|
| FISMA : Processes By User | Added a new line to the Include Filter: Operator = Or Previous; Field = Process Name; Filter Mode = Is Not; Filtered Values = NOTHING |
| NEI : Processes By User | Added a new line to the Include Filter: Operator = Or Previous; Field = Process Name; Filter Mode = Is Not; Filtered Values = NOTHING |
| NRC : Processes By User | Added a new line to the Include Filter: Operator = Or Previous; Field = Process Name; Filter Mode = Is Not; Filtered Values = NOTHING |
| PCI-DSS : Invalid CDE => Internet Comm Details | Added a new line to the Include Filter: Operator = Or Previous; Field = IP Address (Impacted); Filter Mode = Is Not; Filtered Values = NOTHING |
| PCI-DSS : Invalid DMZ => Internal Comm Details | Added a new line to the Include Filter: Operator = Or Previous; Field = IP Address (Impacted); Filter Mode = Is Not; Filtered Values = NOTHING |
| PCI-DSS : Invalid Inet => Intrn Comm Details | Added a new line to the Include Filter: Operator = Or Previous; Field = IP Address (Impacted); Filter Mode = Is Not; Filtered Values = NOTHING |
| PCI-DSS : Invalid Internet => CDE Comm Details | Added a new line to the Include Filter: Operator = Or Previous; Field = IP Address (Impacted); Filter Mode = Is Not; Filtered Values = NOTHING |
| PCI-DSS : Invalid Internet => DMZ Comm Details | Added a new line to the Include Filter: Operator = Or Previous; Field = IP Address (Impacted); Filter Mode = Is Not; Filtered Values = NOTHING |

Updates to the System Report Templates

The table below indicates changes made to Report Templates using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

| Template Name | Change Details |
|---|---|
| Log Summary by Entity, Log Host, iApp, Event, Login, Object | Added Process field after Object. New report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process |

Updates to System Tails

  • No changes

Updates to System Investigations

  • No changes