Multiple EVIDs : Catch All : Level 3 (Security)

Event Details

Event Type: Multiple
Event Description: Catch all rule to handle other Windows Security Events.
Event IDs: Multiple

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

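| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| Provider | <subject> | N/A |
| EventID | <vmid> | N/A |
| Version | N/A | N/A |
| Level | <severity> | N/A |
| Task | <vendorinfo> | N/A |
| Opcode | N/A | N/A |
| Keywords | <tag1> | N/A |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Processid | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | N/A |
| EventData | N/A | N/A |
| Security Id | <login>, <domain> | N/A |
| Logon Id | <session> | N/A |
| Object | N/A | N/A |
| Objectname | <objectname> | N/A |
| Objecttype | <objecttype> | N/A |
| FileName | <object> | N/A |
| Creator Process Id | <parentprocessid> | N/A |
| Group Name | <group> | N/A |
| Task Name | <object> | N/A |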

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1000291 | EVID 4608 : System Started | Sub Rule | System Started | Startup and Shutdown |
|  | EVID 4903 : Per User Audit Policy Set | Sub Rule | Policy Enabled : Auditing | Policy |
|  | EVID 4902 : Per User Audit Policy Refreshed | Sub Rule | Policy Modified : Auditing | Policy |
|  | EVID 4663 : General Access Attempt | Sub Rule | Object Accessed | Access Success |
|  | EVID 4616 : System Time Changed | Sub Rule | Configuration Modified : System | Configuration |
|  | EVID 4933 : Directory Services Access | Sub Rule | Object Accessed | Access Success |
|  | EVID 4932 : Directory Services Access | Sub Rule | Object Accessed | Access Success |
|  | EVID 4931 : Directory Services Access | Sub Rule | Object Accessed | Access Success |
|  | General : Audit Failure | Sub Rule | General Audit Failure | Error |
|  | General : Audit Success | Sub Rule | General Audit | Other Audit Success |
|  | EVID 4710 : IPSec Policy Agent Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | EVID 4709 : IPSec Policy Agent Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 4690 : Handle Duplicated | Sub Rule | Handle Duplicated | Information |
|  | EVID 4660 : Object Deleted | Sub Rule | Object Deleted/Removed | Access Success |
|  | EVID 4658 : Handle Closed | Sub Rule | Handle Closed | Information |
|  | EVID 4657 : Handle Allocated | Sub Rule | Handle Allocated | Information |
|  | EVID 4643 : General Audit Failure | Sub Rule | General Audit Failure | Error |
|  | EVID 4642 : General Audit Failure | Sub Rule | General Audit Failure | Error |
|  | EVID 4641 : General Audit Failure | Sub Rule | General Audit Failure | Error |
|  | EVID 4640 : General Audit Failure | Sub Rule | General Audit Failure | Error |
|  | EVID 4639 : General Audit | Sub Rule | General Audit | Other Audit Success |
|  | EVID 4638 : General Audit | Sub Rule | General Audit | Other Audit Success |
|  | EVID 4637 : General Audit | Sub Rule | General Audit | Other Audit Success |
|  | EVID 4614 : Auth Package Loaded By SAM | Sub Rule | Auth Package Loaded By SAM | Other Audit Success |
|  | EVID 4611 : Trusted Logon Process Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 4610 : Authentication Package Loaded | Sub Rule | Object Initialized | Access Success |
|  | EVID 4609 : System Shutdown | Sub Rule | System Shutdown | Startup and Shutdown |
|  | Catch All : Level 3 | Base Rule | General Audit | Other Audit Success |
|  | EVID 5480 : IPSEC Network Interface List Failed | Sub Rule | IPSEC Network Interface List Failed | Warning |
|  | EVID 5032 : Firewall Notification Failed | Sub Rule | Firewall Notification Failed | Warning |
|  | EVID 5028 : Firewall Service Policy Load Failed | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
|  | EVID 5027 : Firewall Service Policy Load Failed | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
|  | EVID 4958 : Firewall Rule Not Applied | Sub Rule | Firewall Rule Not Applied | Warning |
|  | EVID 4957 : Firewall Rule Not Applied | Sub Rule | Firewall Rule Not Applied | Warning |
|  | EVID 4953 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Bad Parsing | Warning |
|  | EVID 4952 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Version | Warning |
|  | EVID 4951 : Firewall Rule Ignored | Sub Rule | Firewall Rule Ignored Due To Version | Warning |
|  | EVID 4612 : Audit Queuing Resources Exh | Sub Rule | Audit Queuing Resources Exhausted | Warning |
|  | EVID 4978 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack |
|  | EVID 4977 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack |
|  | EVID 4976 : IPSEC Received Invalid Negot Packet | Sub Rule | Protocol Anomaly | Attack |
|  | EVID 4618 : Monitored Sec Event | Sub Rule | Suspicious Activity | Suspicious |
|  | EVID 5479 : IPSEC Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | EVID 5478 : IPSEC Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 5121 : OCSP Responder Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | EVID 5120 : OCSP Responder Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 5034 : Firewall Driver Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | EVID 5033 : Firewall Driver Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 5025 : Firewall Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | EVID 5024 : Firewall Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 4881 : Certificate Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | EVID 4880 : Certificate Services Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 4875 : Cert Svcs Shutdown Request | Sub Rule | Process/Service Stopping | Startup and Shutdown |
|  | EVID 4689 : Process Exited | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | EVID 4688 : New Process Created | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 6144 : GPO Security Policy Applied | Sub Rule | Policy Enabled : Domain | Policy |
|  | EVID 5473 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
|  | EVID 5471 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
|  | EVID 5468 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy |
|  | EVID 5467 : Polled For IPSEC Policy Changes | Sub Rule | Polled For IPSEC Policy Changes | Information |
|  | EVID 5466 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy |
|  | EVID 5465 : IPSEC Policy Reloaded | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 5464 : IPSEC Policy Changes Applied | Sub Rule | Policy Modified : Network | Policy |
|  | EVID 5463 : Polled For IPSEC Policy Changes | Sub Rule | Polled For IPSEC Policy Changes | Information |
|  | EVID 5460 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
|  | EVID 5459 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
|  | EVID 5457 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
|  | EVID 5456 : IPSEC Policy Applied | Sub Rule | Policy Enabled : Network | Policy |
|  | EVID 4954 : Firewall Group Policy Settings Changed | Sub Rule | Policy Modified : Domain | Policy |
|  | EVID 4912 : Per-User Audit Policy Changed | Sub Rule | Policy Modified : Auditing | Policy |
|  | EVID 4910 : TBS Group Policy Settings Changed | Sub Rule | Policy Modified : Domain | Policy |
|  | EVID 4909 : TBS Local Policy Settings Changed | Sub Rule | Policy Modified : System | Policy |
|  | EVID 4907 : Audit Settings On Object Changed | Sub Rule | Policy Modified : Auditing | Policy |
|  | EVID 4906 : CrashOnAuditFail Value Changed | Sub Rule | Policy Modified : Auditing | Policy |
|  | EVID 4897 : Role Separation Enabled | Sub Rule | Policy Modified : System | Policy |
|  | EVID 4885 : Cert Svcs Audit Filter Changed | Sub Rule | Policy Modified : Auditing | Policy |
|  | EVID 4882 : Cert Svcs Sec Permissions Changed | Sub Rule | Policy Modified : System | Policy |
|  | EVID 4867 : Trusted Forest Entry Modified | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 4866 : Trusted Forest Entry Removed | Sub Rule | Trust Relationship Revoked | Access Revoked |
|  | EVID 4865 : Trusted Forest Entry Added | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 4780 : Admins Account ACL Set | Sub Rule | Policy Enabled : User/Password | Policy |
|  | EVID 4739 : Domain Policy Changed | Sub Rule | Policy Modified : Domain | Policy |
|  | EVID 4719 : Sys Audit Policy Changed | Sub Rule | Policy Modified : Auditing | Policy |
|  | EVID 4716 : Trusted Domain Info Modified | Sub Rule | Policy Modified : Domain | Policy |
|  | EVID 4715 : Object Audit Policy Changed | Sub Rule | Policy Modified : Object | Policy |
|  | EVID 4714 : Encrypted Data Recovery Policy Changed | Sub Rule | Policy Modified : Encryption | Policy |
|  | EVID 4713 : Kerberos Policy Changed | Sub Rule | Policy Modified : System | Policy |
|  | EVID 4707 : Trusted Domain Removed | Sub Rule | Trust Relationship Revoked | Access Revoked |
|  | EVID 4706 : Trusted Domain Added | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 4670 : Object Permissions Changed | Sub Rule | Policy Modified : Object | Policy |
|  | EVID 4964 : Special Groups Assigned To New Logon | Sub Rule | Special Groups Assigned To New Logon | Other Audit Success |
|  | EVID 4886 : Cert Svcs Certificate Request | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
|  | EVID 4779 : Win Session Disconnect | Sub Rule | Session Disconnected | Other Audit Success |
|  | EVID 4778 : Win Session Reconnect | Sub Rule | User Logon | Authentication Success |
|  | EVID 4776 : Credentials Validation | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 4774 : Account Mapped For Logon | Sub Rule | Account Mapped For Logon | Other Audit Success |
|  | EVID 4770 : Kerberos Svc Ticket Renewed | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 4769 : Kerberos Svc Ticket Requested | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 4768 : Kerberos Auth Ticket Requested | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 4765 : Add SID History | Sub Rule | Configuration Modified : System | Configuration |
|  | EVID 4672 : Special Privs Assigned To New Logon | Sub Rule | Privilege Granted | Access Granted |
|  | EVID 4661 : Object Handle Requested | Sub Rule | Object Handle Requested | Other Audit Success |
|  | EVID 4655 : IPSEC Security Assoc Ended | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 4651 : IPSEC Sec Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 4650 : IPSEC Sec Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 5474 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
|  | EVID 5472 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
|  | EVID 5462 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
|  | EVID 5461 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
|  | EVID 5458 : IPSEC Policy Application Failed | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
|  | EVID 5378 : Credential Delegation Disallowed | Sub Rule | Credential Delegation Disallowed | Other Audit Failure |
|  | EVID 4888 : Cert Svcs Denied Certificate Request | Sub Rule | Certificate Services Denied Certificate Request | Warning |
|  | EVID 4868 : Cert Man Denied Pending Request | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning |
|  | EVID 4777 : Credentials Validation Failed | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
|  | EVID 4775 : Account Map For Logon Failed | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
|  | EVID 4766 : Add SID History Failed | Sub Rule | General Audit Failure | Error |
|  | EVID 4654 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
|  | EVID 4653 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
|  | EVID 4652 : IPSEC Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
|  | EVID 6276 : Network Policy Server Quarantined User | Sub Rule | Network Policy Server Quarantined User | Other Audit |
|  | EVID 6275 : Network Policy Svr Discarded Request | Sub Rule | Network Policy Server Discarded Request | Other Audit |
|  | EVID 6274 : Network Policy Svr Discarded Request | Sub Rule | Network Policy Server Discarded Request | Other Audit |
|  | EVID 5633 : Wired Network Authentication Request | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 5632 : WLAN Authentication Request | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 5069 : Cryptographic Func Prop Op Attempt | Sub Rule | Cryptographic Function Property Operation Attempt | Other Audit |
|  | EVID 5068 : Cryptographic Funct Provider Op Atmt | Sub Rule | Cryptographic Function Provider Operation Attempt | Other Audit |
|  | EVID 5066 : Cryptographic Function Op Attempted | Sub Rule | Cryptographic Function Operation Attempted | Other Audit |
|  | EVID 5064 : Cryptographic Context Op Attempted | Sub Rule | Cryptographic Context Operation Attempted | Other Audit |
|  | EVID 5063 : Cryptographic Provider Op Attempted | Sub Rule | Cryptographic Provider Operation Attempted | Other Audit |
|  | EVID 4869 : Cert Svcs Rcvd Resubmitted Cert Req | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit |
|  | EVID 4801 : Workstation Unlocked | Sub Rule | Workstation Unlocked | Other Audit Success |
|  | EVID 4800 : Workstation Locked | Sub Rule | Workstation Locked | Other Audit Success |
|  | EVID 4711 : General Audit Message | Sub Rule | General Audit Message | Other Audit |
|  | EVID 4696 : Primary Token Assigned | Sub Rule | Primary Token Assigned | Information |
|  | EVID 4675 : SIDs Filtered | Sub Rule | SIDs Filtered | Other Audit |
|  | EVID 5712 : RPC Attempted | Sub Rule | Remote Procedure Call Attempt | Network Traffic |
|  | EVID 5452 : IPSEC Security Association Ended | Sub Rule | IPSEC Security Association Ended | Network Traffic |
|  | EVID 5451 : IPSEC Security Association Established | Sub Rule | IPSEC Security Association Established | Network Traffic |
|  | EVID 5125 : Request Submitted To OCSP Responder | Sub Rule | Request Submitted To OCSP Responder | Network Traffic |
|  | EVID 4985 : Transaction State Change | Sub Rule | Transaction State Change | Network Traffic |
|  | EVID 5453 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 5159 : Filtering Denied Port Bind | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 5157 : Filtering Blocked Connection | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 5155 : Filtering Blocked App From Listening | Sub Rule | Application Blocked From Listening For Connections | Warning |
|  | EVID 5153 : Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 5152 : Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 5031 : Firewall Blocked Connection To App | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 4984 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 4983 : IPSEC Negotiation Failed | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 4963 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 4962 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 4961 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 4960 : IPSEC Dropped Inbound Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | EVID 5158 : Filtering Permitted Port Bind | Sub Rule | Permitted Bind To Local Port | Information |
|  | EVID 5156 : Filtering Allowed Connection | Sub Rule | Traffic Allowed by Host Firewall | Network Allow |
|  | EVID 5154 : Filtering Allowed App To Listen | Sub Rule | Application Allowed To Listen For Connections | Information |
|  | EVID 4615 : Invalid Use Of LPC Port | Sub Rule | Unauthorized Activity | Misuse |
|  | EVID 5444 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5443 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5442 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5441 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5440 : Filtering Platform Startup State | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5377 : Credentials Restored From Backup | Sub Rule | Credentials Restored From Backup | Information |
|  | EVID 5376 : Credentials Backed Up | Sub Rule | Credentials Backed Up | Information |
|  | EVID 5062 : Cryptographic Self Test Performed | Sub Rule | Cryptographic Self Test Performed | Information |
|  | EVID 5056 : Cryptographic Self Test Performed | Sub Rule | Cryptographic Self Test Performed | Information |
|  | EVID 4945 : Rule Listed On Firewall Start | Sub Rule | Rule Listed On Firewall Start | Information |
|  | EVID 4944 : Active Firewall Policy On Start | Sub Rule | Active Firewall Policy On Start | Information |
|  | EVID 4900 : Cert Svcs Template Sec Updated | Sub Rule | Certificate Services Template Security Updated | Information |
|  | EVID 4899 : Cert Svcs Template Updated | Sub Rule | Certificate Services Updated Template | Information |
|  | EVID 4898 : Cert Svcs Template Loaded | Sub Rule | Certificate Services Loaded Template | Information |
|  | EVID 4896 : Cert Svcs DB Rows Deleted | Sub Rule | Certificate Services Database Rows Deleted | Information |
|  | EVID 4895 : Cert Svcs Published CA Cert | Sub Rule | Certificate Services Published CA Certificate | Information |
|  | EVID 4894 : Cert Svcs Imported & Archived Key | Sub Rule | Certificate Services Imported And Archived Key | Information |
|  | EVID 4893 : Cert Svcs Archived A Key | Sub Rule | Certificate Services Archived A Key | Information |
|  | EVID 4889 : Cert Svcs Cert Status To Pending | Sub Rule | Certificate Services Set Cert Status To Pending | Information |
|  | EVID 4884 : Cert Svcs Imported Certificate | Sub Rule | Certificate Services Imported Certificate | Information |
|  | EVID 4883 : Cert Svcs Retrieved Archived Key | Sub Rule | Certificate Services Retrieved Archived Key | Information |
|  | EVID 4879 : Cert Svcs Restore Completed | Sub Rule | Certificate Services Restore Completed | Information |
|  | EVID 4878 : Cert Svcs Restore Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | EVID 4877 : Cert Svcs Backup Complete | Sub Rule | Certificate Services Backup Completed | Information |
|  | EVID 4876 : Cert Svcs Backup Started | Sub Rule | Certificate Services Backup Started | Information |
|  | EVID 4874 : Certificate Request Attributes Changed | Sub Rule | Certificate Request Attributes Changed | Information |
|  | EVID 4873 : Certificate Request Extension Changed | Sub Rule | Certificate Request Extension Changed | Information |
|  | EVID 4872 : Cert Svcs Published CRL | Sub Rule | Certificate Services Published CRL | Information |
|  | EVID 4871 : Cert Svcs Request CRL | Sub Rule | Certificate Svcs Received Request To Publish CRL | Information |
|  | EVID 4803 : Screen Saver Dismissed | Sub Rule | Screen Saver Dismissed | Information |
|  | EVID 4802 : Screen Saver Invoked | Sub Rule | Screen Saver Invoked | Information |
|  | EVID 4793 : Password Policy Checker API Called | Sub Rule | Policy Modified : Object | Policy |
|  | EVID 4621 : Recovered From Crash On Audit Fail | Sub Rule | Crash On Audit Fail Recovered | Information |
|  | EVID 6145 : GPO Security Policy Application Error | Sub Rule | GPO Security Policy Application Error | Error |
|  | EVID 5485 : IPSEC Filter Processing Failed | Sub Rule | IPSEC Filter Processing Failed | Error |
|  | EVID 5483 : IPSEC Service Failed To Start | Sub Rule | IPSEC Service Failed To Start | Error |
|  | EVID 5477 : Failed To Load Quick Mode Filter | Sub Rule | Failed To Load Quick Mode Filter | Error |
|  | EVID 5057 : Cryptographic Self Test Failed | Sub Rule | Cryptographic Self Test Failed | Error |
|  | EVID 5050 : Programmatic Firewall Disable Attempt | Sub Rule | Programmatic Firewall Disable Attempted | Error |
|  | EVID 4965 : IPSEC Received Bad Packet | Sub Rule | IPSEC Received Bad Packet | Error |
|  | EVID 4936 : AD Replication Failure Ends | Sub Rule | AD Replication Failure Ends | Error |
|  | EVID 4935 : AD Replication Failure Begins | Sub Rule | AD Replication Failure Begins | Error |
|  | EVID 4864 : Namespace Collision | Sub Rule | Namespace Collision | Error |
|  | EVID 4816 : RPC Integrity Violation | Sub Rule | RPC Integrity Violation | Error |
|  | EVID 4712 : IPSEC Service Failure | Sub Rule | IPSEC Service Serious Failure | Error |
|  | EVID 5484 : IPSEC Service Error Caused Shutdown | Sub Rule | IPSEC Service Error Caused Shutdown | Critical |
|  | EVID 5038 : Possible Disk Error | Sub Rule | Computed Hash Match Failure | Error |
|  | EVID 5037 : Firewall Driver Critical Condition | Sub Rule | Firewall Driver Critical Condition | Critical |
|  | EVID 5035 : Firewall Driver Startup Failed | Sub Rule | Firewall Driver Startup Failed | Critical |
|  | EVID 5030 : Firewall Service Failed To Start | Sub Rule | Firewall Service Failed To Start | Critical |
|  | EVID 5029 : Firewall Driver Init Failed | Sub Rule | Firewall Driver Init Failed | Critical |
|  | EVID 5450 : Filtering Platform Sub-Layer Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5449 : Filtering Platform Prov Context Chng | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 5448 : Filtering Platform Provider Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5447 : Filtering Platform Filter Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5446 : Filtering Platform Callout Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5127 : OCSP Revoc Provider Updated Revoc Info | Sub Rule | OCSP Revocation Provider Updated Revocation Info | Information |
|  | EVID 5126 : OCSP Updated Signing Certificate | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 5124 : OCSP Responder Sec Setting Updated | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 5123 : OCSP Responder Configuration Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5122 : OCSP Responder Configuration Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5070 : Cryptographic Funct Prop Mod Attempted | Sub Rule | Cryptographic Function Property Mod Attempt | Warning |
|  | EVID 5067 : Cryptographic Function Mod Attempted | Sub Rule | Cryptographic Function Modification Attempted | Warning |
|  | EVID 5065 : Cryptographic Context Mod Attempted | Sub Rule | Cryptographic Context Modification Attempted | Warning |
|  | EVID 5049 : IPSEC Security Association Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | EVID 5048 : IPSEC Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | EVID 5047 : IPSEC Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 5046 : IPSEC Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
|  | EVID 5045 : IPSEC Connection Security Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | EVID 5044 : IPSEC Conn Security Rule Modified | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 5043 : IPSEC Connection Security Rule Added | Sub Rule | Configuration Loaded : Security | Configuration |
|  | EVID 5042 : IPSEC Authentication Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | EVID 5041 : IPSEC Authentication Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 5040 : IPSEC Authentication Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
|  | EVID 4982 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 4981 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 4980 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 4979 : IPSEC Security Mode Assoc Established | Sub Rule | Trust Relationship Established | Access Granted |
|  | EVID 4956 : Firewall Changed Active Profile | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 4950 : Firewall Settings Changed | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 4949 : Firewall Settings Restored To Default | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 4948 : Firewall Exception Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | EVID 4947 : Firewall Exception Rule Modified | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 4946 : Firewall Exception Rule Added | Sub Rule | Configuration Loaded : Network Access | Configuration |
|  | EVID 4937 : Lingering Object Removed From Replica | Sub Rule | Configuration Deleted : System | Configuration |
|  | EVID 4934 : AD Object Attributes Replicated | Sub Rule | AD Object Attributes Replicated | Information |
|  | EVID 4930 : AD Replica Src Naming Context Modified | Sub Rule | Configuration Modified : Directory Services | Configuration |
|  | EVID 4929 : AD Replica Src Naming Context Removed | Sub Rule | Configuration Deleted : Directory Services | Configuration |
|  | EVID 4928 : AD Replica Src Naming Context Estab | Sub Rule | Configuration Loaded : Directory Services | Configuration |
|  | EVID 4908 : Special Groups Logon Table Modified | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 4905 : Sec Event Source Un-Registered | Sub Rule | Configuration Disabled : Security | Configuration |
|  | EVID 4904 : Sec Event Source Registered | Sub Rule | Configuration Enabled : Security | Configuration |
|  | EVID 4892 : Cert Svcs Property Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 4891 : Cert Svcs Config Entry Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 4890 : Cert Svcs Settings Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 4794 : DS Restore Mode Admin Password Set | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 4702 : Scheduled Task Updated | Sub Rule | Configuration Enabled : System | Configuration |
|  | EVID 4701 : Scheduled Task Disabled | Sub Rule | Configuration Disabled : System | Configuration |
|  | EVID 4700 : Scheduled Task Enabled | Sub Rule | Configuration Enabled : System | Configuration |
|  | EVID 4699 : Scheduled Task Deleted | Sub Rule | Configuration Deleted : System | Configuration |
|  | EVID 4698 : Scheduled Task Created | Sub Rule | Configuration Enabled : System | Configuration |
|  | EVID 4697 : Service Installed | Sub Rule | Software Installed | Configuration |
|  | EVID 4667 : Application - Client Context Deleted | Sub Rule | Configuration Deleted : Application | Configuration |
|  | EVID 4665 : Application - Client Context Created | Sub Rule | Configuration Enabled : Application | Configuration |
|  | EVID 4622 : Security Package Loaded By SAM | Sub Rule | Configuration Loaded : Security | Configuration |
|  | EVID 4648 : Logon Using Explicit Credentials | Sub Rule | User Logon | Authentication Success |
|  | EVID 4647 : Logoff | Sub Rule | User Logoff | Authentication Success |
|  | EVID 4634 : Logoff | Sub Rule | Authentication Activity | Authentication Success |
|  | EVID 4624 : Authentication | Sub Rule | User Logon | Authentication Success |
|  | EVID 4773 : Kerberos Service Ticket Request Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
|  | EVID 4772 : Kerberos Ticket Request Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
|  | EVID 4771 : Failed Pre-Authentication | Sub Rule | Authentication Failure Activity | Authentication Failure |
|  | EVID 4625 : Authentication Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
|  | EVID 4649 : Replay Attack | Sub Rule | General Attack Activity | Attack |
|  | EVID 6280 : User Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
|  | EVID 6279 : User Account Locked Out | Sub Rule | Account Locked | Access Revoked |
|  | EVID 4791 : Basic App Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4784 : Basic App Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4781 : Account Name Change | Sub Rule | User Account Name Modified | Account Modified |
|  | EVID 4767 : User Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
|  | EVID 4764 : Group Type Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4760 : Universal Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4755 : Universal Sec Grp Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4750 : Global Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4745 : Local Dstr Grp Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4742 : Computer Account Changed | Sub Rule | Computer Account Attribute Modified | Account Modified |
|  | EVID 4740 : User Account Locked Out | Sub Rule | Account Locked | Access Revoked |
|  | EVID 4738 : User Account Changed | Sub Rule | User Account Attribute Modified | Account Modified |
|  | EVID 4737 : Global Security Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4735 : Local Security Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | EVID 4725 : User Account Disabled | Sub Rule | Account Disabled | Access Revoked |
|  | EVID 4724 : Password Reset | Sub Rule | Password Modified | Account Modified |
|  | EVID 4723 : Password Change Attempted | Sub Rule | Password Modified | Account Modified |
|  | EVID 4722 : User Account Enabled | Sub Rule | Account Enabled | Access Granted |
|  | EVID 4792 : LDAP Query Group Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | EVID 4789 : Basic App Group Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | EVID 4763 : Universal Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | EVID 4758 : Universal Sec Grp Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | EVID 4753 : Global Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | EVID 4748 : Local Dstr Grp Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | EVID 4743 : Computer Account Deleted | Sub Rule | Computer Account Deleted | Account Deleted |
|  | EVID 4734 : Local Security Group Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | EVID 4730 : Global Security Group Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | EVID 4726 : User Account Deleted | Sub Rule | User Account Deleted | Account Deleted |
|  | EVID 4790 : LDAP Query Group Created | Sub Rule | Group Created | Account Created |
|  | EVID 4783 : Basic App Group Created | Sub Rule | Group Created | Account Created |
|  | EVID 4759 : Universal Dstr Grp Created | Sub Rule | Group Created | Account Created |
|  | EVID 4754 : Universal Sec Grp Created | Sub Rule | Group Created | Account Created |
|  | EVID 4749 : Global Dstr Grp Created | Sub Rule | Group Created | Account Created |
|  | EVID 4744 : Local Dstr Grp Created | Sub Rule | Group Created | Account Created |
|  | EVID 4741 : Computer Account Created | Sub Rule | Computer Account Created | Account Created |
|  | EVID 4731 : Local Security Group Created | Sub Rule | Group Created | Account Created |
|  | EVID 4727 : Global Security Group Created | Sub Rule | Group Created | Account Created |
|  | EVID 4720 : User Account Created | Sub Rule | User Account Created | Account Created |
|  | EVID 6278 : Network Policy Server Granted Access | Sub Rule | Access Granted Activity | Access Granted |
|  | EVID 6277 : Network Policy Server Granted Access | Sub Rule | Access Granted Activity | Access Granted |
|  | EVID 6272 : Network Policy Server Granted Access | Sub Rule | Access Granted Activity | Access Granted |
|  | EVID 5890 : COM+ Object Added | Sub Rule | Object Added | Access Success |
|  | EVID 5889 : COM+ Object Deleted | Sub Rule | Object Deleted/Removed | Access Success |
|  | EVID 5888 : COM+ Object Modified | Sub Rule | Object Modified | Access Success |
|  | EVID 5141 : Directory Service Object Deleted | Sub Rule | Object Deleted/Removed | Access Success |
|  | EVID 5140 : Network Share Object Accessed | Sub Rule | Object Accessed | Access Success |
|  | EVID 5139 : Directory Service Object Moved | Sub Rule | Object Moved | Access Success |
|  | EVID 5138 : Directory Service Object Restored | Sub Rule | Directory Service Object Restored | Other Audit Success |
|  | EVID 5137 : Directory Service Object Created | Sub Rule | Object Created | Access Success |
|  | EVID 5136 : Directory Service Object Modified | Sub Rule | Object Modified | Access Success |
|  | EVID 5061 : Cryptographic Operation | Sub Rule | Cryptographic Operation | Other Audit Success |
|  | EVID 5059 : Key Migration Operation | Sub Rule | Key Migration Operation | Other Audit Success |
|  | EVID 5058 : Key File Operation | Sub Rule | Key File Operation | Other Audit Success |
|  | EVID 5051 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
|  | EVID 5039 : Registry Key Virtualized | Sub Rule | Registry Key Virtualized | Other Audit Success |
|  | EVID 4782 : Password Hash Accessed | Sub Rule | Object Accessed | Access Success |
|  | EVID 4695 : Auditable Protected Data Unprotected | Sub Rule | Auditable Protected Data Unprotected | Other Audit Success |
|  | EVID 4694 : Auditable Protected Data Protected | Sub Rule | Auditable Protected Data Protected | Other Audit Success |
|  | EVID 4693 : Data Protection Master Key Recovered | Sub Rule | Data Protection Master Key Recovered | Other Audit Success |
|  | EVID 4692 : Data Protection Master Key Backed Up | Sub Rule | Data Protection Master Key Backup Attempt | Other Audit Success |
|  | EVID 4691 : Indirect Object Access | Sub Rule | Object Accessed | Access Success |
|  | EVID 4674 : Privileged Object Operation | Sub Rule | Object Accessed | Access Success |
|  | EVID 4673 : Privileged Service Called | Sub Rule | Object Accessed | Access Success |
|  | EVID 4668 : Application Initialization Failed | Sub Rule | Application Initialization Failed | Critical |
|  | EVID 4668 : Application Initialized | Sub Rule | Object Initialized | Access Success |
|  | EVID 4666 : Application Operation Failed | Sub Rule | Command Execution Failure | Access Failure |
|  | EVID 4666 : Application Operation | Sub Rule | Application Operation | Other Audit Success |
|  | EVID 4664 : Hard Link Creation Attempt | Sub Rule | Hard Link Creation Attempt | Other Audit Success |
|  | EVID 4662 : Failed Object Operation | Sub Rule | Failed Object Operation | Error |
|  | EVID 4662 : Object Operation | Sub Rule | Object Operation | Other Audit Success |
|  | EVID 4660 : Object Delete Failed | Sub Rule | Delete/Remove Object Failure | Access Failure |
|  | EVID 4659 : Object Opened For Delete | Sub Rule | Object Deleted/Removed | Access Success |
|  | EVID 4657 : Registry Value Modification Failed | Sub Rule | Modify Object Failure | Access Failure |
|  | EVID 4656 : Object Open Failed | Sub Rule | Access Object Failure | Access Failure |
|  | EVID 4656 : Object Opened | Sub Rule | Object Read | Access Success |
|  | EVID 4870 : Cert Svcs Revoked Certificate | Sub Rule | Access Revoked Activity | Access Revoked |
|  | EVID 4788 : Non-Member Removed Basic App Group | Sub Rule | Account Removed From Group | Access Revoked |
|  | EVID 4786 : Usr Removed From Basic App Group | Sub Rule | Account Removed From Group | Access Revoked |
|  | EVID 4762 : User Rmvd From Univ Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked |
|  | EVID 4757 : Usr Rmvd From Univ Sec Grp | Sub Rule | Account Removed From Group | Access Revoked |
|  | EVID 4752 : Usr Rmvd From Global Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked |
|  | EVID 4747 : User Rmvd From Local Dstr Grp | Sub Rule | Account Removed From Group | Access Revoked |
|  | EVID 4733 : Usr Rmvd From Local Sec Grp | Sub Rule | Account Removed From Group | Access Revoked |
|  | EVID 4729 : User Removed Glbl Security Group | Sub Rule | Account Removed From Group | Access Revoked |
|  | EVID 4718 : Sys Sec Access Removed | Sub Rule | Access Revoked Activity | Access Revoked |
|  | EVID 4705 : User Right Removed | Sub Rule | User Account Attribute Modified | Account Modified |
|  | EVID 4887 : Cert Svcs Issued Certificate | Sub Rule | Certificate Services Issued Certificate | Information |
|  | EVID 4787 : Non-Member Added Basic App Group | Sub Rule | Account Added To Group | Access Granted |
|  | EVID 4785 : Usr Added To Basic App Group | Sub Rule | Account Added To Group | Access Granted |
|  | EVID 4761 : Usr Added To Univ Dstr Grp | Sub Rule | Account Added To Group | Access Granted |
|  | EVID 4756 : Usr Added To Univ Sec Grp | Sub Rule | Account Added To Group | Access Granted |
|  | EVID 4751 : Usr Added Global Dstr Grp | Sub Rule | Account Added To Group | Access Granted |
|  | EVID 4746 : User Added Local Dstr Group | Sub Rule | Account Added To Group | Access Granted |
|  | EVID 4732 : Usr Added To Local Sec Grp | Sub Rule | Account Added To Group | Access Granted |
|  | EVID 4728 : User Added Glbl Security Grp | Sub Rule | Account Added To Group | Access Granted |
|  | EVID 4717 : Sys Sec Access Granted | Sub Rule | Access Granted Activity | Access Granted |
|  | EVID 4704 : User Right Assigned | Sub Rule | Privilege Granted | Access Granted |
|  | EVID 6273 : Network Policy Server Denied Access | Sub Rule | Access Object Failure | Access Failure |
|  | EVID 5060 : Verification Operation Failed | Sub Rule | Command Execution Failure | Access Failure |
|  | EVID 4671 : App Blocked Ordinal Access Attempt | Sub Rule | Access Object Failure | Access Failure |
|  | EVID 1102 : Audit Log Cleared | Sub Rule | Log Cleared | Access Success |
|  | EVID 1100 : Logging Service Shut Down | Sub Rule | Process/Service Stopping | Startup and Shutdown |
|  | EVID 4797 : Query For Blank Password | Sub Rule | Query Information | Information |
|  | EVID 5380 : Vault Find Credential | Sub Rule | MS Windows User Rights Access Credential | Other Audit |
|  | EVID 5382 : Credential Were Read | Sub Rule | Object Read | Access Success |

LogRhythm Default v2.0

There are no changes for LogRhythm Default v2.0.
