V 2.0 : EVID 4985 : Transaction State Changed

| Vendor Documentation | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| | V 2.0 : EVID 4985 : Transaction State Changed | Base Rule | General Transaction Information | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Provider | N/A | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid> | N/A | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | <severity> | Text/String | The severity level defined in the event. |
| Task | <vendorinfo> | Text/String | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | <result> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| SubjectUserSid | N/A | N/A | SID of the account through which the state of the transaction was changed. |
| SubjectUserName | <login> | Text/String | The name of the account that changed the state of the transaction. |
| SubjectDomainName | <domainorign> | Text/String | The subject's domain or computer name. Formats vary, and include the following: domain NETBIOS name (for example: CONTOSO); lowercase full domain name (contoso.local); uppercase full domain name (CONTOSO.LOCAL); for some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY"; for local user accounts, this field will contain the name of the computer or device to which this account belongs. |
| SubjectLogonId | <session> | Text/String | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
| TransactionId | N/A | N/A | Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID. |
| NewState | <object> | Text/String | Identifier of the new state of the transaction. |
| ResourceManager | N/A | N/A | Unique GUID identifier of the Resource Manager associated with this transaction. |
| ProcessId | <processid> | Text/String | Hexadecimal Process ID of the process through which the state of the transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| ProcessName | <process> | Text/String | Full path and the name of the executable for the process. |
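The following is an added example, not LogRhythm's parsing rule or any Microsoft code: it reads a Windows Security event 4985 in the standard Event XML rendering and maps the device keys listed in the table above onto the LogRhythm schema field names (vmid, severity, vendorinfo, result, dname, login, domainorign, session, object, processid, process). The keys the table maps to N/A (SubjectUserSid, TransactionId, ResourceManager) are kept under their own names because they are the correlation handles the descriptions mention. The sample event is constructed; its Task value, SIDs, GUIDs, hostname and paths are placeholders. Going one step beyond the page's Text/String mapping, it also converts the hexadecimal SubjectLogonId and ProcessId to integers and classifies SubjectDomainName using the formats the table lists.

```python
"""Map a constructed Windows event 4985 (Transaction State Changed) onto the
LogRhythm schema names from the mapping table. Added example, not vendor code."""
import xml.etree.ElementTree as ET

# Namespace used by the Windows Event XML rendering.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Table mapping: keys read from the <System> block.
SYSTEM_MAP = {
    "EventID": "vmid",
    "Level": "severity",
    "Task": "vendorinfo",
    "Keywords": "result",
    "Computer": "dname",
}
# Table mapping: keys read from <EventData><Data Name="..."> elements.
EVENTDATA_MAP = {
    "SubjectUserName": "login",
    "SubjectDomainName": "domainorign",
    "SubjectLogonId": "session",
    "NewState": "object",
    "ProcessId": "processid",
    "ProcessName": "process",
}
# Mapped to N/A in the table, but kept for correlation across events.
UNMAPPED_EVENTDATA = ("SubjectUserSid", "TransactionId", "ResourceManager")

# Constructed sample event; every value below is a placeholder.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4985</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000000000Z"/>
    <EventRecordID>123456</EventRecordID>
    <Correlation/>
    <Execution ProcessID="4" ThreadID="100"/>
    <Channel>Security</Channel>
    <Computer>WKS01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x12f4a3</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="NewState">1</Data>
    <Data Name="ResourceManager">{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name="ProcessId">0x1f4</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
  </EventData>
</Event>"""


def parse_4985(xml_text: str) -> dict:
    """Return a dict keyed by LogRhythm schema names (plus the unmapped correlation keys)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows Event XML document")
    out = {}
    for key, field in SYSTEM_MAP.items():
        node = system.find(f"e:{key}", NS)
        out[field] = node.text.strip() if node is not None and node.text else None
    if out["vmid"] != "4985":
        raise ValueError(f"expected EventID 4985, got {out['vmid']}")
    time_node = system.find("e:TimeCreated", NS)
    out["time"] = time_node.get("SystemTime") if time_node is not None else None

    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    for key, field in EVENTDATA_MAP.items():
        out[field] = data.get(key)
    for key in UNMAPPED_EVENTDATA:
        out[key] = data.get(key)

    # The table states SubjectLogonId and ProcessId are hexadecimal; decode them
    # so they can be joined against events that carry decimal PIDs/logon IDs.
    out["session_int"] = int(out["session"], 16) if out["session"] else None
    out["processid_int"] = int(out["processid"], 16) if out["processid"] else None
    return out


def domain_kind(domainorign: str, dname: str) -> str:
    """Classify SubjectDomainName using the formats the table lists for <domainorign>:
    "NT AUTHORITY" for well-known principals, the computer name for local accounts,
    otherwise a domain (NETBIOS or full, any case)."""
    value = domainorign.strip().upper()
    if value == "NT AUTHORITY":
        return "well-known principal"
    if value == dname.split(".")[0].upper():
        return "local account"
    return "domain account"


if __name__ == "__main__":
    event = parse_4985(SAMPLE_EVENT_XML)
    for name, value in event.items():
        print(f"{name:15} {value}")
    print("subject kind:", domain_kind(event["domainorign"], event["dname"]))
```

The local-account check compares the domain field with the short hostname from <dname>; a full domain name such as contoso.local is compared against only its first label as well, which is why the example uppercases both sides before comparing.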