Event Details

| Event Type | Multiple |
|---|---|
| Event Description | Catch all rule to handle other Windows Security Events. |
| Event IDs | Multiple |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | <subject> | N/A |
| EventID | <vmid> | N/A |
| Version | N/A | N/A |
| Level | <severity> | N/A |
| Task | <vendorinfo> | N/A |
| Opcode | N/A | N/A |
| Keywords | <tag1> | N/A |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Processid | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | N/A |
| EventData | N/A | N/A |
| Security Id | <login>, <domain> | N/A |
| Logon Id | <session> | N/A |
| Object | N/A | N/A |
| Objectname | <objectname> | N/A |
| Objecttype | <objecttype> | N/A |
| FileName | <object> | N/A |
| Creator Process Id | <parentprocessid> | N/A |
| Group Name | <group> | N/A |
| Task Name | <object> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1000291 | EVID 4608 : System Started | Sub Rule | System Started | Startup and Shutdown |
| | EVID 4903 : Per User Audit Policy Set | Sub Rule | Policy Enabled : Auditing | Policy |
| | EVID 4902 : Per User Audit Policy Refreshed | Sub Rule | Policy Modified : Auditing | Policy |
| | EVID 4663 : General Access Attempt | Sub Rule | Object Accessed | Access Success |
| | EVID 4616 : System Time Changed | Sub Rule | Configuration Modified : System | Configuration |
| | EVID 4933 : Directory Services Access | Sub Rule | Object Accessed | Access Success |
| | EVID 4932 : Directory Services Access | Sub Rule | Object Accessed | Access Success |
| | EVID 4931 : Directory Services Access | Sub Rule | Object Accessed | Access Success |
| | General : Audit Failure | Sub Rule | General Audit Failure | Error |
| | General : Audit Success | Sub Rule | General Audit | Other Audit Success |
| | EVID 4710 : IPSec Policy Agent Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 4709 : IPSec Policy Agent Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 4690 : Handle Duplicated | Sub Rule | Handle Duplicated | Information |
| | EVID 4660 : Object Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| | EVID 4658 : Handle Closed | Sub Rule | Handle Closed | Information |
| | EVID 4657 : Handle Allocated | Sub Rule | Handle Allocated | Information |
| | EVID 4643 : General Audit Failure | Sub Rule | General Audit Failure | Error |
| | EVID 4642 : General Audit Failure | Sub Rule | General Audit Failure | Error |
| | EVID 4641 : General Audit Failure | Sub Rule | General Audit Failure | Error |
| | EVID 4640 : General Audit Failure | Sub Rule | General Audit Failure | Error |
| | EVID 4639 : General Audit | Sub Rule | General Audit | Other Audit Success |
| | EVID 4638 : General Audit | Sub Rule | General Audit | Other Audit Success |
| | EVID 4637 : General Audit | Sub Rule | General Audit | Other Audit Success |
| | EVID 4614 : Auth Package Loaded By SAM | Sub Rule | Auth Package Loaded By SAM | Other Audit Success |
| | EVID 4611 : Trusted Logon Process Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 4610 : Authentication Package Loaded | Sub Rule | Object Initialized | Access Success |
| | EVID 4609 : System Shutdown | Sub Rule | System Shutdown | Startup and Shutdown |
| | Catch All : Level 3 | Base Rule | General Audit | Other Audit Success |
| | EVID 5480 : IPSEC Network Interface List Failed | Sub Rule | IPSEC Network Interface List Failed | Warning |
| | EVID 5032 : Firewall Notification Failed | Sub Rule | Firewall Notification Failed | Warning |
| | EVID 5028 : Firewall Service Policy Load Failed | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
| | EVID 5027 : Firewall Service Policy Load Failed | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
| | EVID 4958 : Firewall Rule Not Applied | Sub Rule | Firewall Rule Not Applied | Warning |
| | EVID 4957 : Firewall Rule Not Applied | Sub Rule | Firewall Rule Not Applied | Warning |
| | EVID 4953 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Bad Parsing | Warning |
| | EVID 4952 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Version | Warning |
| | EVID 4951 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Version | Warning |
| | EVID 4612 : Audit Queuing Resources Exh | Sub Rule | Audit Queuing Resources Exhausted | Warning |
| | EVID 4978 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack |
| | EVID 4977 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack |
| | EVID 4976 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack |
| | EVID 4618 : Monitored Sec Event | Sub Rule | Suspicious Activity | Suspicious |
| | EVID 5479 : IPSEC Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 5478 : IPSEC Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 5121 : OCSP Responder Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 5120 : OCSP Responder Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 5034 : Firewall Driver Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 5033 : Firewall Driver Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 5025 : Firewall Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 5024 : Firewall Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 4881 : Certificate Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 4880 : Certificate Services Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 4875 : Cert Svcs Shutdown Request | Sub Rule | Process/Service Stopping | Startup and Shutdown |
| | EVID 4689 : Process Exited | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 4688 : New Process Created | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 6144 : GPO Security Policy Applied | Sub Rule | Policy Enabled : Domain | Policy |
| | EVID 5473 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
| | EVID 5471 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
| | EVID 5468 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy |
| | EVID 5467 : Polled For IPSEC Policy Changes | Sub Rule | Polled For IPSEC Policy Changes | Information |
| | EVID 5466 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy |
| | EVID 5465 : IPSEC Policy Reloaded | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 5464 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy |
| | EVID 5463 : Polled For IPSEC Policy Changes | Sub Rule | Polled For IPSEC Policy Changes | Information |
| | EVID 5460 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
| | EVID 5459 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
| | EVID 5457 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
| | EVID 5456 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
| | EVID 4954 : Firewall Group Policy Settings Changed | Sub Rule | Policy Modified : Domain | Policy |
| | EVID 4912 : Per-User Audit Policy Changed | Sub Rule | Policy Modified : Auditing | Policy |
| | EVID 4910 : TBS Group Policy Settings Changed | Sub Rule | Policy Modified : Domain | Policy |
| | EVID 4909 : TBS Local Policy Settings Changed | Sub Rule | Policy Modified : System | Policy |
| | EVID 4907 : Audit Settings On Object Changed | Sub Rule | Policy Modified : Auditing | Policy |
| | EVID 4906 : CrashOnAuditFail Value Changed | Sub Rule | Policy Modified : Auditing | Policy |
| | EVID 4897 : Role Separation Enabled | Sub Rule | Policy Modified : System | Policy |
| | EVID 4885 : Cert Svcs Audit Filter Changed | Sub Rule | Policy Modified : Auditing | Policy |
| | EVID 4882 : Cert Svcs Sec Permissions Changed | Sub Rule | Policy Modified : System | Policy |
| | EVID 4867 : Trusted Forest Entry Modified | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 4866 : Trusted Forest Entry Removed | Sub Rule | Trust Relationship Revoked | Access Revoked |
| | EVID 4865 : Trusted Forest Entry Added | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 4780 : Admins Account ACL Set | Sub Rule | Policy Enabled : User/Password | Policy |
| | EVID 4739 : Domain Policy Changed | Sub Rule | Policy Modified : Domain | Policy |
| | EVID 4719 : Sys Audit Policy Changed | Sub Rule | Policy Modified : Auditing | Policy |
| | EVID 4716 : Trusted Domain Info Modified | Sub Rule | Policy Modified : Domain | Policy |
| | EVID 4715 : Object Audit Policy Changed | Sub Rule | Policy Modified : Object | Policy |
| | EVID 4714 : Encrypted Data Recovery Policy Changed | Sub Rule | Policy Modified : Encryption | Policy |
| | EVID 4713 : Kerberos Policy Changed | Sub Rule | Policy Modified : System | Policy |
| | EVID 4707 : Trusted Domain Removed | Sub Rule | Trust Relationship Revoked | Access Revoked |
| | EVID 4706 : Trusted Domain Added | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 4670 : Object Permissions Changed | Sub Rule | Policy Modified : Object | Policy |
| | EVID 4964 : Special Groups Assigned To New Logon | Sub Rule | Special Groups Assigned To New Logon | Other Audit Success |
| | EVID 4886 : Cert Svcs Certificate Request | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
| | EVID 4779 : Win Session Disconnect | Sub Rule | Session Disconnected | Other Audit Success |
| | EVID 4778 : Win Session Reconnect | Sub Rule | User Logon | Authentication Success |
| | EVID 4776 : Credentials Validation | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4774 : Account Mapped For Logon | Sub Rule | Account Mapped For Logon | Other Audit Success |
| | EVID 4770 : Kerberos Svc Ticket Renewed | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Kerberos Svc Ticket Requested | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4768 : Kerberos Auth Ticket Requested | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4765 : Add SID History | Sub Rule | Configuration Modified : System | Configuration |
| | EVID 4672 : Special Privs Assigned To New Logon | Sub Rule | Privilege Granted | Access Granted |
| | EVID 4661 : Object Handle Requested | Sub Rule | Object Handle Requested | Other Audit Success |
| | EVID 4655 : IPSEC Security Assoc Ended | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4651 : IPSEC Sec Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 4650 : IPSEC Sec Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 5474 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
| | EVID 5472 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
| | EVID 5462 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
| | EVID 5461 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
| | EVID 5458 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
| | EVID 5378 : Credential Delegation Disallowed | Sub Rule | Credential Delegation Disallowed | Other Audit Failure |
| | EVID 4888 : Cert Svcs Denied Certificate Request | Sub Rule | Certificate Services Denied Certificate Request | Warning |
| | EVID 4868 : Cert Man Denied Pending Request | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning |
| | EVID 4777 : Credentials Validation Failed | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | EVID 4775 : Account Map For Logon Failed | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
| | EVID 4766 : Add SID History Failed | Sub Rule | General Audit Failure | Error |
| | EVID 4654 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
| | EVID 4653 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
| | EVID 4652 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
| | EVID 6276 : Network Policy Server Quarantined User | Sub Rule | Network Policy Server Quarantined User | Other Audit |
| | EVID 6275 : Network Policy Svr Discarded Request | Sub Rule | Network Policy Server Discarded Request | Other Audit |
| | EVID 6274 : Network Policy Svr Discarded Request | Sub Rule | Network Policy Server Discarded Request | Other Audit |
| | EVID 5633 : Wired Network Authentication Request | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 5632 : WLAN Authentication Request | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 5069 : Cryptographic Func Prop Op Attempt | Sub Rule | Cryptographic Function Property Operation Attempt | Other Audit |
| | EVID 5068 : Cryptographic Funct Provider Op Atmt | Sub Rule | Cryptographic Function Provider Operation Attempt | Other Audit |
| | EVID 5066 : Cryptographic Function Op Attempted | Sub Rule | Cryptographic Function Operation Attempted | Other Audit |
| | EVID 5064 : Cryptographic Context Op Attempted | Sub Rule | Cryptographic Context Operation Attempted | Other Audit |
| | EVID 5063 : Cryptographic Provider Op Attempted | Sub Rule | Cryptographic Provider Operation Attempted | Other Audit |
| | EVID 4869 : Cert Svcs Rcvd Resubmitted Cert Req | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit |
| | EVID 4801 : Workstation Unlocked | Sub Rule | Workstation Unlocked | Other Audit Success |
| | EVID 4800 : Workstation Locked | Sub Rule | Workstation Locked | Other Audit Success |
| | EVID 4711 : General Audit Message | Sub Rule | General Audit Message | Other Audit |
| | EVID 4696 : Primary Token Assigned | Sub Rule | Primary Token Assigned | Information |
| | EVID 4675 : SIDs Filtered | Sub Rule | SIDs Filtered | Other Audit |
| | EVID 5712 : RPC Attempted | Sub Rule | Remote Procedure Call Attempt | Network Traffic |
| | EVID 5452 : IPSEC Security Association Ended | Sub Rule | IPSEC Security Association Ended | Network Traffic |
| | EVID 5451 : IPSEC Security Association Established | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | EVID 5125 : Request Submitted To OCSP Responder | Sub Rule | Request Submitted To OCSP Responder | Network Traffic |
| | EVID 4985 : Transaction State Change | Sub Rule | Transaction State Change | Network Traffic |
| | EVID 5453 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 5159 : Filtering Denied Port Bind | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 5157 : Filtering Blocked Connection | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 5155 : Filtering Blocked App From Listening | Sub Rule | Application Blocked From Listening For Connections | Warning |
| | EVID 5153 : Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 5152 : Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 5031 : Firewall Blocked Connection To App | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 4984 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 4983 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 4963 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 4962 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 4961 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 4960 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | EVID 5158 : Filtering Permitted Port Bind | Sub Rule | Permitted Bind To Local Port | Information |
| | EVID 5156 : Filtering Allowed Connection | Sub Rule | Traffic Allowed by Host Firewall | Network Allow |
| | EVID 5154 : Filtering Allowed App To Listen | Sub Rule | Application Allowed To Listen For Connections | Information |
| | EVID 4615 : Invalid Use Of LPC Port | Sub Rule | Unauthorized Activity | Misuse |
| | EVID 5444 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
| | EVID 5443 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
| | EVID 5442 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
| | EVID 5441 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
| | EVID 5440 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
| | EVID 5377 : Credentials Restored From Backup | Sub Rule | Credentials Restored From Backup | Information |
| | EVID 5376 : Credentials Backed Up | Sub Rule | Credentials Backed Up | Information |
| | EVID 5062 : Cryptographic Self Test Performed | Sub Rule | Cryptographic Self Test Performed | Information |
| | EVID 5056 : Cryptographic Self Test Performed | Sub Rule | Cryptographic Self Test Performed | Information |
| | EVID 4945 : Rule Listed On Firewall Start | Sub Rule | Rule Listed On Firewall Start | Information |
| | EVID 4944 : Active Firewall Policy On Start | Sub Rule | Active Firewall Policy On Start | Information |
| | EVID 4900 : Cert Svcs Template Sec Updated | Sub Rule | Certificate Services Template Security Updated | Information |
| | EVID 4899 : Cert Svcs Template Updated | Sub Rule | Certificate Services Updated Template | Information |
| | EVID 4898 : Cert Svcs Template Loaded | Sub Rule | Certificate Services Loaded Template | Information |
| | EVID 4896 : Cert Svcs DB Rows Deleted | Sub Rule | Certificate Services Database Rows Deleted | Information |
| | EVID 4895 : Cert Svcs Published CA Cert | Sub Rule | Certificate Services Published CA Certificate | Information |
| | EVID 4894 : Cert Svcs Imported & Archived Key | Sub Rule | Certificate Services Imported And Archived Key | Information |
| | EVID 4893 : Cert Svcs Archived A Key | Sub Rule | Certificate Services Archived A Key | Information |
| | EVID 4889 : Cert Svcs Cert Status To Pending | Sub Rule | Certificate Services Set Cert Status To Pending | Information |
| | EVID 4884 : Cert Svcs Imported Certificate | Sub Rule | Certificate Services Imported Certificate | Information |
| | EVID 4883 : Cert Svcs Retrieved Archived Key | Sub Rule | Certificate Services Retrieved Archived Key | Information |
| | EVID 4879 : Cert Svcs Restore Completed | Sub Rule | Certificate Services Restore Completed | Information |
| | EVID 4878 : Cert Svcs Restore Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 4877 : Cert Svcs Backup Complete | Sub Rule | Certificate Services Backup Completed | Information |
| | EVID 4876 : Cert Svcs Backup Started | Sub Rule | Certificate Services Backup Started | Information |
| | EVID 4874 : Certificate Request Attributes Changed | Sub Rule | Certificate Request Attributes Changed | Information |
| | EVID 4873 : Certificate Request Extension Changed | Sub Rule | Certificate Request Extension Changed | Information |
| | EVID 4872 : Cert Svcs Published CRL | Sub Rule | Certificate Services Published CRL | Information |
| | EVID 4871 : Cert Svcs Request CRL | Sub Rule | Certificate Svcs Received Request To Publish CRL | Information |
| | EVID 4803 : Screen Saver Dismissed | Sub Rule | Screen Saver Dismissed | Information |
| | EVID 4802 : Screen Saver Invoked | Sub Rule | Screen Saver Invoked | Information |
| | EVID 4793 : Password Policy Checker API Called | Sub Rule | Policy Modified : Object | Policy |
| | EVID 4621 : Recovered From Crash On Audit Fail | Sub Rule | Crash On Audit Fail Recovered | Information |
| | EVID 6145 : GPO Security Policy Application Error | Sub Rule | GPO Security Policy Application Error | Error |
| | EVID 5485 : IPSEC Filter Processing Failed | Sub Rule | IPSEC Filter Processing Failed | Error |
| | EVID 5483 : IPSEC Service Failed To Start | Sub Rule | IPSEC Service Failed To Start | Error |
| | EVID 5477 : Failed To Load Quick Mode Filter | Sub Rule | Failed To Load Quick Mode Filter | Error |
| | EVID 5057 : Cryptographic Self Test Failed | Sub Rule | Cryptographic Self Test Failed | Error |
| | EVID 5050 : Programmatic Firewall Disable Attempt | Sub Rule | Programmatic Firewall Disable Attempted | Error |
| | EVID 4965 : IPSEC Received Bad Packet | Sub Rule | IPSEC Received Bad Packet | Error |
| | EVID 4936 : AD Replication Failure Ends | Sub Rule | AD Replication Failure Ends | Error |
| | EVID 4935 : AD Replication Failure Begins | Sub Rule | AD Replication Failure Begins | Error |
| | EVID 4864 : Namespace Collision | Sub Rule | Namespace Collision | Error |
| | EVID 4816 : RPC Integrity Violation | Sub Rule | RPC Integrity Violation | Error |
| | EVID 4712 : IPSEC Service Failure | Sub Rule | IPSEC Service Serious Failure | Error |
| | EVID 5484 : IPSEC Service Error Caused Shutdown | Sub Rule | IPSEC Service Error Caused Shutdown | Critical |
| | EVID 5038 : Possible Disk Error | Sub Rule | Computed Hash Match Failure | Error |
| | EVID 5037 : Firewall Driver Critical Condition | Sub Rule | Firewall Driver Critical Condition | Critical |
| | EVID 5035 : Firewall Driver Startup Failed | Sub Rule | Firewall Driver Startup Failed | Critical |
| | EVID 5030 : Firewall Service Failed To Start | Sub Rule | Firewall Service Failed To Start | Critical |
| | EVID 5029 : Firewall Driver Init Failed | Sub Rule | Firewall Driver Init Failed | Critical |
| | EVID 5450 : Filtering Platform Sub-Layer Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 5449 : Filtering Platform Prov Context Chng | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 5448 : Filtering Platform Provider Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 5447 : Filtering Platform Filter Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 5446 : Filtering Platform Callout Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 5127 : OCSP Revoc Provider Updated Revoc Info | Sub Rule | OCSP Revocation Provider Updated Revocation Info | Information |
| | EVID 5126 : OCSP Updated Signing Certificate | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 5124 : OCSP Responder Sec Setting Updated | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 5123 : OCSP Responder Configuration Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 5122 : OCSP Responder Configuration Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 5070 : Cryptographic Funct Prop Mod Attempted | Sub Rule | Cryptographic Function Property Mod Attempt | Warning |
| | EVID 5067 : Cryptographic Function Mod Attempted | Sub Rule | Cryptographic Function Modification Attempted | Warning |
| | EVID 5065 : Cryptographic Context Mod Attempted | Sub Rule | Cryptographic Context Modification Attempted | Warning |
| | EVID 5049 : IPSEC Security Association Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 5048 : IPSEC Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 5047 : IPSEC Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 5046 : IPSEC Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 5045 : IPSEC Connection Security Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 5044 : IPSEC Conn Security Rule Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 5043 : IPSEC Connection Security Rule Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 5042 : IPSEC Authentication Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 5041 : IPSEC Authentication Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 5040 : IPSEC Authentication Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 4982 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 4981 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 4980 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 4979 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
| | EVID 4956 : Firewall Changed Active Profile | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 4950 : Firewall Settings Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 4949 : Firewall Settings Restored To Default | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 4948 : Firewall Exception Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 4947 : Firewall Exception Rule Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 4946 : Firewall Exception Rule Added | Sub Rule | Configuration Loaded : Network Access | Configuration |
| | EVID 4937 : Lingering Object Removed From Replica | Sub Rule | Configuration Deleted : System | Configuration |
| | EVID 4934 : AD Object Attributes Replicated | Sub Rule | AD Object Attributes Replicated | Information |
| | EVID 4930 : AD Replica Src Naming Context Modified | Sub Rule | Configuration Modified : Directory Services | Configuration |
| | EVID 4929 : AD Replica Src Naming Context Removed | Sub Rule | Configuration Deleted : Directory Services | Configuration |
| | EVID 4928 : AD Replica Src Naming Context Estab | Sub Rule | Configuration Loaded : Directory Services | Configuration |
| | EVID 4908 : Special Groups Logon Table Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 4905 : Sec Event Source Un-Registered | Sub Rule | Configuration Disabled : Security | Configuration |
| | EVID 4904 : Sec Event Source Registered | Sub Rule | Configuration Enabled : Security | Configuration |
| | EVID 4892 : Cert Svcs Property Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 4891 : Cert Svcs Config Entry Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 4890 : Cert Svcs Settings Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | EVID 4794 : DS Restore Mode Admin Password Set | Sub Rule | Configuration Modified : Security | Configuration |
| | EVID 4702 : Scheduled Task Updated | Sub Rule | Configuration Enabled : System | Configuration |
| | EVID 4701 : Scheduled Task Disabled | Sub Rule | Configuration Disabled : System | Configuration |
| | EVID 4700 : Scheduled Task Enabled | Sub Rule | Configuration Enabled : System | Configuration |
| | EVID 4699 : Scheduled Task Deleted | Sub Rule | Configuration Deleted : System | Configuration |
| | EVID 4698 : Scheduled Task Created | Sub Rule | Configuration Enabled : System | Configuration |
| | EVID 4697 : Service Installed | Sub Rule | Software Installed | Configuration |
| | EVID 4667 : Application - Client Context Deleted | Sub Rule | Configuration Deleted : Application | Configuration |
| | EVID 4665 : Application - Client Context Created | Sub Rule | Configuration Enabled : Application | Configuration |
| | EVID 4622 : Security Package Loaded By SAM | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 4648 : Logon Using Explicit Credentials | Sub Rule | User Logon | Authentication Success |
| | EVID 4647 : Logoff | Sub Rule | User Logoff | Authentication Success |
| | EVID 4634 : Logoff | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4624 : Authentication | Sub Rule | User Logon | Authentication Success |
| | EVID 4773 : Kerberos Service Ticket Request Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | EVID 4772 : Kerberos Ticket Request Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | EVID 4771 : Failed Pre-Authentication | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | EVID 4625 : Authentication Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | EVID 4649 : Replay Attack | Sub Rule | General Attack Activity | Attack |
| | EVID 6280 : User Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
| | EVID 6279 : User Account Locked Out | Sub Rule | Account Locked | Access Revoked |
| | EVID 4791 : Basic App Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4784 : Basic App Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4781 : Account Name Change | Sub Rule | User Account Name Modified | Account Modified |
| | EVID 4767 : User Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
| | EVID 4764 : Group Type Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4760 : Universal Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4755 : Universal Sec Grp Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4750 : Global Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4745 : Local Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4742 : Computer Account Changed | Sub Rule | Computer Account Attribute Modified | Account Modified |
| | EVID 4740 : User Account Locked Out | Sub Rule | Account Locked | Access Revoked |
| | EVID 4738 : User Account Changed | Sub Rule | User Account Attribute Modified | Account Modified |
| | EVID 4737 : Global Security Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4735 : Local Security Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | EVID 4725 : User Account Disabled | Sub Rule | Account Disabled | Access Revoked |
| | EVID 4724 : Password Reset | Sub Rule | Password Modified | Account Modified |
| | EVID 4723 : Password Change Attempted | Sub Rule | Password Modified | Account Modified |
| | EVID 4722 : User Account Enabled | Sub Rule | Account Enabled | Access Granted |
| | EVID 4792 : LDAP Query Group Deleted | Sub Rule | Group Deleted | Account Deleted |
| | EVID 4789 : Basic App Group Deleted | Sub Rule | Group Deleted | Account Deleted |
| | EVID 4763 : Universal Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted |
| | EVID 4758 : Universal Sec Grp Deleted | Sub Rule | Group Deleted | Account Deleted |
| | EVID 4753 : Global Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted |
| | EVID 4748 : Local Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted |
| | EVID 4743 : Computer Account Deleted | Sub Rule | Computer Account Deleted | Account Deleted |
| | EVID 4734 : Local Security Group Deleted | Sub Rule | Group Deleted | Account Deleted |
| | EVID 4730 : Global Security Group Deleted | Sub Rule | Group Deleted | Account Deleted |
| | EVID 4726 : User Account Deleted | Sub Rule | User Account Deleted | Account Deleted |
| | EVID 4790 : LDAP Query Group Created | Sub Rule | Group Created | Account Created |
| | EVID 4783 : Basic App Group Created | Sub Rule | Group Created | Account Created |
| | EVID 4759 : Universal Dstr Grp Created | Sub Rule | Group Created | Account Created |
| | EVID 4754 : Universal Sec Grp Created | Sub Rule | Group Created | Account Created |
| | EVID 4749 : Global Dstr Grp Created | Sub Rule | Group Created | Account Created |
| | EVID 4744 : Local Dstr Grp Created | Sub Rule | Group Created | Account Created |
| | EVID 4741 : Computer Account Created | Sub Rule | Computer Account Created | Account Created |
| | EVID 4731 : Local Security Group Created | Sub Rule | Group Created | Account Created |
| | EVID 4727 : Global Security Group Created | Sub Rule | Group Created | Account Created |
| | EVID 4720 : User Account Created | Sub Rule | User Account Created | Account Created |
| | EVID 6278 : Network Policy Server Granted Access | Sub Rule | Access Granted Activity | Access Granted |
| | EVID 6277 : Network Policy Server Granted Access | Sub Rule | Access Granted Activity | Access Granted |
| | EVID 6272 : Network Policy Server Granted Access | | | |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
EVID 5890 : COM+ Object Added |
Sub Rule |
Object Added |
Access Success |
|
|
EVID 5889 : COM+ Object Deleted |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 5888 : COM+ Object Modified |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 5141 : Directory Service Object Deleted |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 5140 : Network Share Object Accessed |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 5139 : Directory Service Object Moved |
Sub Rule |
Object Moved |
Access Success |
|
|
EVID 5138 : Directory Service Object Restored |
Sub Rule |
Directory Service Object Restored |
Other Audit Success |
|
|
EVID 5137 : Directory Service Object Created |
Sub Rule |
Object Created |
Access Success |
|
|
EVID 5136 : Directory Service Object Modified |
Sub Rule |
Object Modified |
Access Success |
|
|
EVID 5061 : Cryptographic Operation |
Sub Rule |
Cryptographic Operation |
Other Audit Success |
|
|
EVID 5059 : Key Migration Operation |
Sub Rule |
Key Migration Operation |
Other Audit Success |
|
|
EVID 5058 : Key File Operation |
Sub Rule |
Key File Operation |
Other Audit Success |
|
|
EVID 5051 : File Virtualized |
Sub Rule |
File Virtualized |
Other Audit Success |
|
|
EVID 5039 : Registry Key Virtualized |
Sub Rule |
Registry Key Virtualized |
Other Audit Success |
|
|
EVID 4782 : Password Hash Accessed |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4695 : Auditable Protected Data Unprotected |
Sub Rule |
Auditable Protected Data Unprotected |
Other Audit Success |
|
|
EVID 4694 : Auditable Protected Data Protected |
Sub Rule |
Auditable Protected Data Protected |
Other Audit Success |
|
|
EVID 4693 : Data Protection Master Key Recovered |
Sub Rule |
Data Protection Master Key Recovered |
Other Audit Success |
|
|
EVID 4692 : Data Protection Master Key Backed Up |
Sub Rule |
Data Protection Master Key Backup Attempt |
Other Audit Success |
|
|
EVID 4691 : Indirect Object Access |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4674 : Privileged Object Operation |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4673 : Privileged Service Called |
Sub Rule |
Object Accessed |
Access Success |
|
|
EVID 4668 : Application Initialization Failed |
Sub Rule |
Application Initialization Failed |
Critical |
|
|
EVID 4668 : Application Initialized |
Sub Rule |
Object Initialized |
Access Success |
|
|
EVID 4666 : Application Operation Failed |
Sub Rule |
Command Execution Failure |
Access Failure |
|
|
EVID 4666 : Application Operation |
Sub Rule |
Application Operation |
Other Audit Success |
|
|
EVID 4664 : Hard Link Creation Attempt |
Sub Rule |
Hard Link Creation Attempt |
Other Audit Success |
|
|
EVID 4662 : Failed Object Operation |
Sub Rule |
Failed Object Operation |
Error |
|
|
EVID 4662 : Object Operation |
Sub Rule |
Object Operation |
Other Audit Success |
|
|
EVID 4660 : Object Delete Failed |
Sub Rule |
Delete/Remove Object Failure |
Access Failure |
|
|
EVID 4659 : Object Opened For Delete |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
EVID 4657 : Registry Value Modification Failed |
Sub Rule |
Modify Object Failure |
Access Failure |
|
|
EVID 4656 : Object Open Failed |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 4656 : Object Opened |
Sub Rule |
Object Read |
Access Success |
|
|
EVID 4870 : Cert Svcs Revoked Certificate |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
EVID 4788 : Non-Member Removed Basic App Group |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4786 : Usr Removed From Basic App Group |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4762 : User Rmvd From Univ Dstr Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4757 : Usr Rmvd From Univ Sec Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4752 : Usr Rmvd From Global Dstr Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4747 : User Rmvd From Local Dstr Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4733 : Usr Rmvd From Local Sec Grp |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4729 : User Removed Glbl Security Group |
Sub Rule |
Account Removed From Group |
Access Revoked |
|
|
EVID 4718 : Sys Sec Access Removed |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
EVID 4705 : User Right Removed |
Sub Rule |
User Account Attribute Modified |
Account Modified |
|
|
EVID 4887 : Cert Svcs Issued Certificate |
Sub Rule |
Certificate Services Issued Certificate |
Information |
|
|
EVID 4787 : Non-Member Added Basic App Group |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4785 : Usr Added To Basic App Group |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4761 : Usr Added To Univ Dstr Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4756 : Usr Added To Univ Sec Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4751 : Usr Added Global Dstr Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4746 : User Added Local Dstr Group |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4732 : Usr Added To Local Sec Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4728 : User Added Glbl Security Grp |
Sub Rule |
Account Added To Group |
Access Granted |
|
|
EVID 4717 : Sys Sec Access Granted |
Sub Rule |
Access Granted Activity |
Access Granted |
|
|
EVID 4704 : User Right Assigned |
Sub Rule |
Privilege Granted |
Access Granted |
|
|
EVID 6273 : Network Policy Server Denied Access |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 5060 : Verification Operation Failed |
Sub Rule |
Command Execution Failure |
Access Failure |
|
|
EVID 4671 : App Blocked Ordinal Access Attempt |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
EVID 1102 : Audit Log Cleared |
Sub Rule |
Log Cleared |
Access Success |
|
|
EVID 1100 : Logging Service Shut Down |
Sub Rule |
Process/Service Stopping |
Startup and Shutdown |
|
|
EVID 4797 : Query For Blank Password |
Sub Rule |
Query Information |
Information |
|
|
EVID 5380 : Vault Find Credential |
Sub Rule |
MS Windows User Rights Access Credential |
Other Audit |
|
|
EVID 5382 : Credential Were Read |
Sub Rule |
Object Read |
Access Success |
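The sub-rules above only label each event; the value for a detection engineer comes from joining the labelled events. As an added example (this is not LogRhythm's or Microsoft's code), the Python below parses a few constructed Security-channel events in the XML shape the channel exports, tags each with the Common Event and Classification the table assigns to its Event ID (only a handful of the rows are encoded), and then correlates EVID 4720, 4728 and 4726 on the account SID to surface an account that was created, placed in a security group and deleted within a short window. The sample events, the function names, the SID and the window length are assumptions made for the example.

```python
"""Added example (not LogRhythm's code): classify constructed Windows Security
events with the catch-all sub-rule mapping above, then correlate them."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the EVID -> (Common Event, Classification) rows in the table above.
SUB_RULES = {
    1102: ("Log Cleared", "Access Success"),
    4720: ("User Account Created", "Account Created"),
    4726: ("User Account Deleted", "Account Deleted"),
    4728: ("Account Added To Group", "Access Granted"),
    4732: ("Account Added To Group", "Access Granted"),
    4756: ("Account Added To Group", "Access Granted"),
    4740: ("Account Locked", "Access Revoked"),
}
GROUP_ADD = {4728, 4732, 4756}  # the three security-group membership adds


def parse_time(system_time):
    """TimeCreated/@SystemTime carries up to 7 fractional digits; %f accepts at most 6."""
    head, _, frac = system_time.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6])
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S") + timedelta(microseconds=micros)


def parse_event(xml_text):
    """Flatten one Security-channel event into a dict and attach the sub-rule labels."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    common_event, classification = SUB_RULES.get(event_id, ("Unclassified", "Unclassified"))
    return {
        "event_id": event_id,
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.find("e:Computer", NS).text,
        "common_event": common_event,
        "classification": classification,
        "data": data,
    }


def find_short_lived_privileged_accounts(events, window_minutes=120):
    """Create -> add to group -> delete, joined on the account SID rather than the
    name, so a rename (EVID 4781) between the steps does not break the chain."""
    window = timedelta(minutes=window_minutes)
    created, granted, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        d = ev["data"]
        if ev["event_id"] == 4720:
            created[d["TargetSid"]] = ev
        elif ev["event_id"] in GROUP_ADD and d.get("MemberSid") in created:
            granted[d["MemberSid"]] = ev
        elif ev["event_id"] == 4726 and d.get("TargetSid") in granted:
            sid = d["TargetSid"]
            c, g = created[sid], granted[sid]
            if ev["time"] - c["time"] <= window:
                findings.append({
                    "sid": sid,
                    "account": c["data"]["TargetUserName"],
                    "created_by": c["data"]["SubjectUserName"],
                    "group": g["data"]["TargetUserName"],
                    "lifetime_minutes": (ev["time"] - c["time"]).total_seconds() / 60,
                })
    return findings


def _sample(event_id, system_time, **data):
    """Constructed event XML in the Security channel's export shape; not real telemetry."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{system_time}"/><Channel>Security</Channel>'
        f'<Computer>DC01.corp.example</Computer></System>'
        f'<EventData>{fields}</EventData></Event>'
    )


SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # assumed SID for the sample
SAMPLE_EVENTS = [
    _sample(4720, "2024-05-01T10:00:00.0000000Z", TargetUserName="svc_tmp", TargetDomainName="CORP",
            TargetSid=SID, SubjectUserName="jdoe", SubjectDomainName="CORP", SubjectLogonId="0x3e7a1"),
    _sample(4740, "2024-05-01T10:02:00.0000000Z", TargetUserName="alice", TargetDomainName="CORP",
            SubjectUserName="DC01$"),
    _sample(4728, "2024-05-01T10:03:15.0000000Z", MemberName="CN=svc_tmp,CN=Users,DC=corp,DC=example",
            MemberSid=SID, TargetUserName="Domain Admins", TargetDomainName="CORP",
            SubjectUserName="jdoe", SubjectDomainName="CORP"),
    _sample(4726, "2024-05-01T10:41:00.0000000Z", TargetUserName="svc_tmp", TargetDomainName="CORP",
            TargetSid=SID, SubjectUserName="jdoe", SubjectDomainName="CORP"),
]


def run(xml_events=SAMPLE_EVENTS):
    parsed = [parse_event(x) for x in xml_events]
    return parsed, find_short_lived_privileged_accounts(parsed)


if __name__ == "__main__":
    parsed, findings = run()
    for ev in parsed:
        print(ev["event_id"], ev["common_event"], "/", ev["classification"])
    print(findings)
```

The join key is deliberately the SID carried in TargetSid / MemberSid rather than the account name: the same user can rename the account with EVID 4781 between creation and deletion, and a name-based join would miss the chain. The unrelated 4740 lockout is labelled but does not take part in the correlation.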
LogRhythm Default v2.0
There are no changes for LogRhythm Default v2.0.