Skip to main content
Skip table of contents

V 2.0 : Cryptographic File/Key Operations

Vendor Documentation

Classification

Rule Name

Rule Type

Common Event

Classification

V 2.0 : Cryptographic File/Key OperationsBase RuleCryptographic OperationOther Audit Success
V 2.0 : EVID 5058 : Failed Crypto Key File OperSub RuleUnsuccessful ActivityOther Audit Failure
V 2.0 : EVID 5058 : Crypto Key File OperationSub RuleKey File OperationOther Audit Success
V 2.0 : EVID 5059 : Failed Crypto Key File MigrationSub RuleUnsuccessful ActivityOther Audit Failure
V 2.0 : EVID 5059 : Crypto Key File MigrationSub RuleKey Migration OperationOther Audit Success
V 2.0 : EVID 5061 : Failed Cryptographic OperationSub RuleUnsuccessful ActivityOther Audit Failure
V 2.0 : EVID 5061 : Cryptographic OperationSub RuleCryptographic OperationOther Audit Success

Mapping with LogRhythm Schema  

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Provider N/A N/AIdentifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
EventID<vmid>NumberThe identifier that the provider used to identify the event.
Version N/A  N/AThe version number of the event's definition.
Level<severity>Text/StringThe severity level defined in the event.
Task<vendorinfo>Text/StringThe task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
Opcode N/A  N/AThe opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
Keywords<result>Text/StringA bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
TimeCreated N/A  N/AThe time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute.
EventRecordID N/A  N/AThe record number assigned to the event when it was logged.
Correlation N/A  N/AThe activity identifiers that consumers can use to group related events together.
Execution N/A  N/AContains information about the process and thread that logged the event.
Channel N/A  N/AThe channel to which the event was logged.
Computer<dname>Text/StringThe name of the computer on which the event occurred.
SubjectUserSid N/A  N/AThe SID of account that requested key file operation.
SubjectUserName<login>Text/StringThe name of the account that requested key file operation.
SubjectDomainName<domainorigin>Text/StringThe subject’s domain or computer name. Formats vary, and include the following:
  • Domain NETBIOS name example: CONTOSO
  • Lowercase full domain name: contoso.local
  • Uppercase full domain name: CONTOSO.LOCAL
  • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is NT AUTHORITY.
  • For local user accounts, this field will contain the name of the computer or device that this account belongs to.
SubjectLogonId<session>NumberA hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID.
ProviderName N/A  N/AThe name of KSP through which the operation was performed. Can have one of the following values:
  • Microsoft Software Key Storage Provider
  • Microsoft Smart Card Key Storage Provider
AlgorithmName<policy>Text/StringThe name of cryptographic algorithm through which the key was used or accessed. For Read persisted key from file operation, this typically has UNKNOWN value.
KeyName<objectname>Text/StringThe name of the key (key container) with which operation was performed.
KeyType<objecttype>NumberThis field can have one of the following values:
  • User key – user’s cryptographic key.
  • Machine key – machine’s cryptographic key.
KeyFilePath<object>Text/StringThe full path and filename of the key file on which the operation was performed.
Operation<action>NumberA performed operation. Examples:
  • Write persisted key to file.
  • Read persisted key from file.
  • Delete key file.
ReturnCode<responsecode>
<tag2>
NumberHas 0x0 value for Success events. For failure events, provides a hexadecimal error code number.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.