Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0 : Cryptographic File/Key Operations |
Base Rule |
Cryptographic Operation |
Other Audit Success |
|
V 2.0 : EVID 5058 : Failed Crypto Key File Oper |
Sub Rule |
Unsuccessful Activity |
Other Audit Failure |
|
V 2.0 : EVID 5058 : Crypto Key File Operation |
Sub Rule |
Key File Operation |
Other Audit Success |
|
V 2.0 : EVID 5059 : Failed Crypto Key File Migration |
Sub Rule |
Unsuccessful Activity |
Other Audit Failure |
|
V 2.0 : EVID 5059 : Crypto Key File Migration |
Sub Rule |
Key Migration Operation |
Other Audit Success |
|
V 2.0 : EVID 5061 : Failed Cryptographic Operation |
Sub Rule |
Unsuccessful Activity |
Other Audit Failure |
|
V 2.0 : EVID 5061 : Cryptographic Operation |
Sub Rule |
Cryptographic Operation |
Other Audit Success |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
Provider |
N/A |
N/A |
Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
|
EventID |
<vmid> |
Number |
The identifier that the provider used to identify the event. |
|
Version |
N/A |
N/A |
The version number of the event's definition. |
|
Level |
<severity> |
Text/String |
The severity level defined in the event. |
|
Task |
<vendorinfo> |
Text/String |
The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
|
Opcode |
N/A |
N/A |
The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
|
Keywords |
<result> |
Text/String |
A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
|
TimeCreated |
N/A |
N/A |
The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
|
EventRecordID |
N/A |
N/A |
The record number assigned to the event when it was logged. |
|
Correlation |
N/A |
N/A |
The activity identifiers that consumers can use to group related events together. |
|
Execution |
N/A |
N/A |
Contains information about the process and thread that logged the event. |
|
Channel |
N/A |
N/A |
The channel to which the event was logged. |
|
Computer |
<dname> |
Text/String |
The name of the computer on which the event occurred. |
|
SubjectUserSid |
N/A |
N/A |
The SID of account that requested key file operation. |
|
SubjectUserName |
<login> |
Text/String |
The name of the account that requested key file operation. |
|
SubjectDomainName |
<domainorigin> |
Text/String |
The subject’s domain or computer name. Formats vary, and include the following:
|
|
SubjectLogonId |
<session> |
Number |
A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
|
ProviderName |
N/A |
N/A |
The name of KSP through which the operation was performed. Can have one of the following values:
|
|
AlgorithmName |
<policy> |
Text/String |
The name of cryptographic algorithm through which the key was used or accessed. For Read persisted key from file operation, this typically has UNKNOWN value. |
|
KeyName |
<objectname> |
Text/String |
The name of the key (key container) with which operation was performed. |
|
KeyType |
<objecttype> |
Number |
This field can have one of the following values:
|
|
KeyFilePath |
<object> |
Text/String |
The full path and filename of the key file on which the operation was performed. |
|
Operation |
<action> |
Number |
A performed operation. Examples:
|
|
ReturnCode |
<responsecode>
|
Number |
Has 0x0 value for Success events. For failure events, provides a hexadecimal error code number. |