V 2.0 : Certification Services Events

Vendor Documentation


| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Certification Services Events | Base Rule | General System Event | Information |
| V 2.0 : EVID 4868 : CS - Certificate Manager Denied | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning |
| V 2.0 : EVID 4869 : Received Resubmitted Certificate | Sub Rule | Certificate Services Received Resubmitted Cert Request | Other Audit |
| V 2.0 : EVID 4871 : CS - CRL Publication Request | Sub Rule | Certificate Services Received Request To Publish CRL | Information |
| V 2.0 : EVID 4872 : CS - CRL Published | Sub Rule | Certificate Services Published CRL | Information |
| V 2.0 : EVID 4873 : CS - Certificate Request Extension Changed | Sub Rule | Certificate Request Extension Changed | Information |
| V 2.0 : EVID 4874 : CS- Certificate Request Attributes Changed | Sub Rule | Certificate Request Attributes Changed | Information |
| V 2.0 : EVID 4875 : CS - Shutdown Request Received | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| V 2.0 : EVID 4876 : CS - Backup Started | Sub Rule | Backup Active | Information |
| V 2.0 : EVID 4877 : CS - Backup Complete | Sub Rule | Backup Completed | Information |
| V 2.0 : EVID 4878 : CS - Restore Started | Sub Rule | Backup Restored | Information |
| V 2.0 : EVID 4879 : CS - Restore Completed | Sub Rule | Backup Restored | Information |
| V 2.0 : EVID 4880 : CS - Services Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 : EVID 4881 : CS - Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 : EVID 4882 : CS - Security Permissions Modi | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4883 : CS - Archived Key Retrieved | Sub Rule | Certificate Services Retrieved Archived Key | Information |
| V 2.0 : EVID 4884 : CS - Certificate Imported | Sub Rule | Certificate Services Imported Certificate | Information |
| V 2.0 : EVID 4885 : CS - Audit Filter Modified | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4886 : CS - Certificate Request Received | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
| V 2.0 : EVID 4887 : CS - Certificate Issued | Sub Rule | Certificate Services Issued Certificate | Information |
| V 2.0 : EVID 4888 : CS - Certificate Request Denied | Sub Rule | Certificate Services Denied Certificate Request | Warning |
| V 2.0 : EVID 4889 : CS - Certificate Request Status | Sub Rule | Certificate Services Set Cert Status To Pending | Information |
| V 2.0 : EVID 4890 : CS - Certificate Manager Settings Modified | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4891 : CS - Configuration Entry Modified | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4892 : CS - Property Modified | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4893 : CS - Key Archived | Sub Rule | Certificate Services Archived A Key | Information |
| V 2.0 : EVID 4894 : CS - Key Imported and Archived | Sub Rule | Certificate Services Imported And Archived Key | Information |
| V 2.0 : EVID 4895 : CS - ADDS CA Certificate Published | Sub Rule | Certificate Services Published CA Certificate | Information |
| V 2.0 : EVID 4896 : CS - Rows Deleted from Database | Sub Rule | Certificate Services Database Rows Deleted | Information |
| V 2.0 : EVID 4897 : CS - Role Separation Enabled | Sub Rule | Configuration Modified : Application | Configuration |
| V 2.0 : EVID 4898 : CS - Template Loaded | Sub Rule | Certificate Services Loaded Template | Information |
| V 2.0 : EVID 4870 : Certificate Revoked | Sub Rule | Certificate Revocation List Added | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Provider | N/A | N/A | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid>, <tag1> | Number | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | <severity> | String/Number | The severity level defined in the event. |
| Task | <vendorinfo> | String/Number | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | <result> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| IsBaseCRL | <status> | Text/String | N/A |
| PublishURLs | <url> | Text/String | N/A |
| Requester | <domainorigin>, <login> | Text/String | N/A |
| Attributes | <sname> | Text/String | N/A |
| SubjectKeyIdentifier | <object> | Text/String | N/A |
| Subject | <subject> | Text/String | N/A |
| TemplateInternalName | <object> | Text/String | N/A |
| TemplateVersion | <version> | Number | N/A |
| TemplateDSObjectFQDN | <subject> | Text/String | N/A |
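The mapping table applied to one event, as an added example that is not LogRhythm's parser: a constructed EVID 4887 (certificate issued) event in Windows EVTX XML is parsed and each device key is placed into the schema field the table names. The sample event, the split of Requester into <domainorigin> and <login> on the backslash, and the first-value-wins rule for the two device keys that share <object> and the two that share <subject> are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Device key -> LogRhythm schema field(s), copied from the mapping table.
SYSTEM_MAP = {"EventID": ("vmid", "tag1"), "Level": ("severity",),
              "Task": ("vendorinfo",), "Keywords": ("result",),
              "Computer": ("dname",)}
DATA_MAP = {"IsBaseCRL": ("status",), "PublishURLs": ("url",),
            "Attributes": ("sname",), "SubjectKeyIdentifier": ("object",),
            "Subject": ("subject",), "TemplateInternalName": ("object",),
            "TemplateVersion": ("version",), "TemplateDSObjectFQDN": ("subject",)}
# <object> and <subject> are each the target of two device keys; this example
# keeps the first value seen (setdefault), which is an assumption, not LogRhythm's rule.

# Constructed sample of an EVID 4887 event; not a real log line.
SAMPLE_4887 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4887</EventID><Level>0</Level><Task>12804</Task>
<Keywords>0x8020000000000000</Keywords><Computer>ca01.corp.example</Computer></System>
<EventData><Data Name="Requester">CORP\\svc-web</Data>
<Data Name="Subject">CN=web01.corp.example</Data>
<Data Name="TemplateInternalName">WebServer</Data></EventData></Event>"""


def map_event(xml_text):
    """Return a dict of LogRhythm schema field -> value for one event."""
    root = ET.fromstring(xml_text)
    out = {}
    system = root.find("e:System", NS)
    for key, fields in SYSTEM_MAP.items():
        node = system.find("e:" + key, NS) if system is not None else None
        if node is not None and node.text:
            for field in fields:
                out.setdefault(field, node.text.strip())
    for data in root.iterfind("e:EventData/e:Data", NS):
        key, value = data.get("Name"), (data.text or "").strip()
        if key == "Requester":
            # Requester is DOMAIN\user; split into <domainorigin> and <login>.
            # A bare user name (no backslash) yields an empty domainorigin.
            domain, _, user = value.rpartition("\\")
            out.setdefault("domainorigin", domain)
            out.setdefault("login", user)
        elif key in DATA_MAP and value:
            for field in DATA_MAP[key]:
                out.setdefault(field, value)
    return out


if __name__ == "__main__":
    for field, value in sorted(map_event(SAMPLE_4887).items()):
        print(f"{field:13} {value}")
```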