V 2.0 : Active Directory Replica Context Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Active Directory Replica Context Events | Base Rule | General Replication Information | Information |
| V 2.0 : EVID 4928 : AD Replica Source Naming Context | Sub Rule | Configuration Loaded : Directory Services | Configuration |
| V 2.0 : EVID 4928 : Failed AD Replica Context Creation | Sub Rule | Failed Configuration | Other Audit Failure |
| V 2.0 : EVID 4929 : AD Replica Source Naming Context Removed | Sub Rule | Configuration Deleted : Directory Services | Configuration |
| V 2.0 : EVID 4929 : Failed AD Replica Context Deletion | Sub Rule | Failed Configuration | Other Audit Failure |
| V 2.0 : EVID 4930 : AD Replica Source Naming Context | Sub Rule | Configuration Modified : Directory Services | Configuration |
| V 2.0 : EVID 4930 : Failed AD Replica Context Modification | Sub Rule | Failed Configuration | Other Audit Failure |
| V 2.0 : EVID 4931 : AD Replica Destination Naming | Sub Rule | Configuration Modified : Directory Services | Configuration |
| V 2.0 : EVID 4931 : Failed AD Replica Context Modification | Sub Rule | Failed Configuration | Other Audit Failure |
| V 2.0 : EVID 4932 : AD Naming Context Synchro Begun | Sub Rule | General Active Directory Replication | Information |
| V 2.0 : EVID 4933 : AD Naming Context Sync Completed | Sub Rule | Replication Successful | Information |
| V 2.0 : EVID 4933 : AD Naming Context Sync Failed | Sub Rule | Replication Failure | Error |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| Provider | N/A | N/A | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid> <tag1> | Number | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | <severity> | String/Number/Text | The severity level defined in the event. |
| Task | <vendorinfo> | Text/String | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | <result> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| DestinationDRA | N/A | N/A | The destination directory replication agent distinguished name. |
| SourceDRA | N/A | N/A | The source directory replication agent distinguished name. |
| SourceAddr | N/A | Number | DNS record of the server from which information or an update was received. |
| NamingContext | N/A | Text/String | The naming context to replicate. |
| Options | N/A | Text/String | The decimal value of DRS Options. |
| StatusCode | <responsecode> <tag2> | Number | If there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to 0. |