V 2.0 : EVID 4985 : Transaction State Changed
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : EVID 4985 : Transaction State Changed | Base Rule | General Transaction Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Provider | N/A | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid> | N/A | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | <severity> | Text/String | The severity level defined in the event. |
| Task | <vendorinfo> | Text/String | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | <result> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| SubjectUserSid | N/A | N/A | SID of account through which the state of the transaction was changed. |
| SubjectUserName | <login> | Text/String | The name of the account that changed the state of the transaction. |
| SubjectDomainName | <domainorign> | Text/String | The subject’s domain or computer name. Formats vary, and include the following:
|
| SubjectLogonId | <session> | Text/String | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
| TransactionId | N/A | N/A | Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID. |
| NewState | <object> | Text/String | Identifier of the new state of the transaction. |
| ResourceManager | N/A | N/A | Unique GUID-Identifier of the Resource Manager which associated with this transaction. |
| ProcessId | <processid> | Text/String | Hexadecimal Process ID of the process through which the state of the transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| ProcessName | <process> | Text/String | Full path and the name of the executable for the process. |