LSO - MS Windows Event Logging XML - Security

This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the MS Windows Event Logging XML - Security log source type.

Prerequisites

Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
Enable the new MPE rules in the LogRhythm System Monitor.
- Select log source type MS Windows Event Logging XML - Security.
  
  Ensure that you select the the log source type with "XML" in the name.
- Enable log processing policy LogRhythm Default v2.0.
For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Support for ADFS Events

Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFS. If you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.

For more information, see Log Source Virtualization.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

Log Message Type	Event Type	Event IDs
EVID 1102, 4673, 4674 : Privileged Object Access (Part 1)	Object Accessed	1102
EVID 1104 : Full File	File Operation Error	1104
EVID 4610...4622 : Package Loaded (XML - Security)	Package Information	4610, 4611, 4614, 4622
EVID 4616 : Security State Change	Session Setting Changed	4616
EVID 4624 : Logon Events	Authentication Activity	4624
EVID 4624 : Remote Interactive User Logon Success (XML - Security)	User Logon	4624
EVID 4625 : Logon Failure	Authentication Failure Activity	4625
EVID 4627 : Microsoft-Windows-Security-Auditing	Group Membership Information	4627
EVID 4634, 4647 : Logoff (XML - Security)	Authentication Activity	4634, 4647
EVID 4648 : Logon Using Explicit Credentials	User Logon	4648
EVID 4656 : Specified Object Access	Object Accessed	4656
Object Access (Part 1)	Object Accessed	4656, 4658, 4660, 4661, 4663, 4670,4691
Object Access (Part 2)	Object Accessed	4657
Object Access (Part 3)	Object Accessed	4662
EVID 4672 : Special Privileges Assigned To Logon (XML - Security)	Special Privileges Assigned To Logon	4672
EVID 4675 : SIDs Were Filtered (XML - Security)	SIDs Filtered	4675
EVID 1102, 4673, 4674 : Privileged Object Access (Part 2)	Object Accessed	4673, 4674
Microsoft Windows Security Auditing	Group Membership Information	4675, 4928, 4931, 4932, 4933
EVID 4688, 4689 : Process Startup And Shutdown (XML - Security)	Process/Service Started	4688, 4689
EVID 4697 : Service Installed	Software Installed	4697
EVID 4698 - 4702 : Scheduled Task Events	Configuration Enabled : System	4698, 4699, 4700, 4701, 4702
Account Management (Part 1)	User Account Attribute Modified	4720, 4722, 4723, 4724, 4725, 4726, 4738, 4741, 4742, 4743, 4767
Account Management (Part 2)	User Account Attribute Modified	4727 ,4731, 4734, 4737, 4759, 4760
Group Member Added/Removed	Account Added To Group	4728, 4729, 4730, 4732, 4733, 4735, 4746, 4747, 4749, 4751, 4752, 4753, 4756, 4757, 4758, 4761, 4762
Account Management Message (Part 1)	User Account Attribute Modified	4740
Account Management Message (Part 2)	User Account Attribute Modified	4754
EVID 4768 - 4771 : Kerberos Events (Part 1)	Authentication Activity	4768, 4771
EVID 4768 - 4771 : Kerberos Events (Part 2)	Authentication Activity	4769, 4770
EVID 4774: Account Logon Mapping Event (XML - Security)	General Audit Message	4774
EVID 4776 : Credential Validation Attempt	General Authentication Event	4776
EVID 4778, 4779 : Windows Session Events (XML - Security)	Authentication Activity	4778, 4779
Account Management (Part 3)	User Account Attribute Modified	4781
EVID 4800, 4801 : Workstation Locked & Unlocked (XML - Security)	General Workstation Information	4800, 4801
EVID 4907 : Audit Settings Changed	Object Attribute Modified	4907
EVID 4946-4948 : Firewall Rule Add, Mod, Del	Configuration Modified : Network Access	4946, 4947, 4948
EVID 4797 : Blank Passwords Queried (XML - Security)	General Audit Message : Other Audit	4797
EVID 4826 : Boot Configuration Data Loaded (XML - Security)	Configuration Loaded : System	4826
EVID 4985 : Transaction State Changed (XML - Security)	General Transaction Information	4985
EVID 5031 : Windows Firewall Events (Part 1) (XML - Security)	Network Traffic	5031
EVID 5058 : Key File Operation	Key File Operation	5058
EVID 5061 : Cryptographic Operation	Cryptographic Operation	5061
EVID 5136-5139, 5141 : AD Object Access (XML - Security)	Object Accessed	5136, 5137, 5138, 5139, 5141
EVID 5140, 5142-5145 : Network Share Was Accessed	Network Share Information	5140, 5142,5143, 5144, 5145
EVID 5152-5159 : Windows Firewall Events (Part 2) (XML - Security)	Network Traffic	5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159
EVID 5446-5450 : Windows Filter Platform Change (XML - Security)	Configuration Modified : Security	5446, 5447, 5448, 5449, 5450
EVID 5446: Windows Filtering Platform Callout Changed(XML - Security)	Configuration Modified : Security	5446
EVID 5448: Windows Filtering Platform Provider Changed (XML - Security)	Configuration Modified : Security	5448
EVID 5450: Windows Filtering Platform Sub-layer Changed (XML - Security)	Configuration Modified : Security	5450
EVID 6144 : Security Policy In GPO Applied	Configuration Modified : Security	6144
EVID 6272-6274 : Network Policy Server Access	General Access Control Message	6272, 6273
EVID 6281 : Code Integrity - Image Hash Invalid	Integrity Check Failed	6281
Audit PnP Activity	Configuration Modified : System	6416, 6419, 6420, 6421, 6422, 6423, 6424

Log Messages Not Available in LSO Policy

The following table lists the log message types that are not available in LSO policy.

Log Message Type	Event Type	Event IDs
EVID 104 : Event Log Cleared (XML - Security)	General Event Log Information	104
EVID 4822 : Credential Validation Information (XML - Security)	Client Authentication Failure	4822
No EVID : Login Logout Activity (XML - Security)	Login or Logout Event Executed	N/A
No EVID : AD FS Messages (XML - Security)	General Active Directory Information	N/A
Catch All : Level 1 (XML - Security)	General Information	N/A
Catch All : Level 2 (XML - Security)	General Information	N/A
Catch All : Level 3 (XML - Security)	General Audit	N/A

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. The Change Details column indicates where the new log source type was added.

AIE Rule	Change Details
NERC-CIP : Account Locked or Disabled Rule	Remove Group by of Host (Origin)

Updates to System Reports

The table below indicates changes made to System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Report Name	Change Details
FISMA : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
NEI : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
NRC : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid CDE => Internet Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid DMZ => Internal Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => Internal Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => CDE Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => DMZ Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING

Updates to System Report Templates

The table below indicates changes made to System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Template Name	Change Details
Log Summary by Entity, Log Host, iApp, Event, Login, Object	Added Process field after Object. New Report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process

Updates to System Tails

No changes

Updates to System Investigations

No changes