V 2.0 : Group Management Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Group Management Events | Base Rule | Group Information | Information |
V 2.0 : EVID 4727 : Sec-Enable Global Group Create | Sub Rule | Group Created | Account Created |
V 2.0 : EVID 4728 : Member Add to Sec-Enable Global | Sub Rule | Account Added to Group | Access Granted |
V 2.0 : EVID 4729 : Member Remove from Sec-Enabled | Sub Rule | Account Removed from Group | Access Revoked |
V 2.0 : EVID 4730 : Sec-Enable Global Group Delete | Sub Rule | Group Deleted | Account Deleted |
V 2.0 : EVID 4731 : Sec-Enabled Local Group Create | Sub Rule | Group Created | Account Created |
V 2.0 : EVID 4732 : Member Add to Sec-Enable Local | Sub Rule | Account Added to Group | Access Granted |
V 2.0 : EVID 4733 : Member Remove from Sec-Enabled | Sub Rule | Account Removed from Group | Access Revoked |
V 2.0 : EVID 4734 : Sec-Enable Local Group Delete | Sub Rule | Group Deleted | Account Deleted |
V 2.0 : EVID 4735 : Sec-Enable Local Group Modified | Sub Rule | Group Attribute Modified | Account Modified |
V 2.0 : EVID 4737 : Sec-Enable Global Group Modified | Sub Rule | Group Attribute Modified | Account Modified |
V 2.0 : EVID 4744 : Sec-Disable Local Group Create | Sub Rule | Group Created | Account Created |
V 2.0 : EVID 4745 : Sec-Disable Local Group Modified | Sub Rule | Group Attribute Modified | Account Modified |
V 2.0 : EVID 4746 : Member Add to Sec-Disable Local | Sub Rule | Account Added to Group | Access Granted |
V 2.0 : EVID 4747 : Member Remove from Sec-Disable | Sub Rule | Account Removed from Group | Access Revoked |
V 2.0 : EVID 4748 : Sec-Disable Local Group Delete | Sub Rule | Group Deleted | Account Deleted |
V 2.0 : EVID 4749 : Sec-Disable Global Group Create | Sub Rule | Group Created | Account Created |
V 2.0 : EVID 4750 : Sec-Disable Global Group Modified | Sub Rule | Group Attribute Modified | Account Modified |
V 2.0 : EVID 4751 : Member Add to Sec-Disable Global | Sub Rule | Account Added to Group | Access Granted |
V 2.0 : EVID 4752 : Member Remove from Sec-Disabled | Sub Rule | Account Removed from Group | Access Revoked |
V 2.0 : EVID 4753 : Sec-Disable Global Group Deleted | Sub Rule | Group Deleted | Account Deleted |
V 2.0 : EVID 4754 : Sec-Enabled Univ Group Create | Sub Rule | Group Created | Account Created |
V 2.0 : EVID 4755 : Sec-Enable Univ Group Modified | Sub Rule | Group Attribute Modified | Account Modified |
V 2.0 : EVID 4756 : Member Add to Sec-Enable Univ | Sub Rule | Account Added to Group | Access Granted |
V 2.0 : EVID 4757 : Member Remove from Sec-Enabled | Sub Rule | Account Removed from Group | Access Revoked |
V 2.0 : EVID 4758 : Sec-Enable Global Univ Delete | Sub Rule | Group Deleted | Account Deleted |
V 2.0 : EVID 4759 : Sec-Disable Univ Group Create | Sub Rule | Group Created | Account Created |
V 2.0 : EVID 4760 : Sec-Disable Univ Group Modifi | Sub Rule | Group Attribute Modified | Account Modified |
V 2.0 : EVID 4761 : Member Add to Sec-Disable Univ | Sub Rule | Account Added to Group | Access Granted |
V 2.0 : EVID 4762 : Member Remove from Sec-Disable | Sub Rule | Account Removed from Group | Access Revoked |
V 2.0 : EVID 4763 : Sec-Disable Global Univ Delete | Sub Rule | Group Deleted | Account Deleted |
V 2.0 : EVID 4764 : Group Type Changed | Sub Rule | Group Attribute Modified | Account Modified |
V 2.0 : EVID 4799 : Sec-Enable Local Group Members | Sub Rule | Object Read | Access Success |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Schema Description |
---|---|---|
Provider | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
EventID | <vmid> | The identifier that the provider used to identify the event. |
Version | N/A | The version number of the event's definition. |
Level | <severity> | The severity level defined in the event. |
Task | <vendorinfo> | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
Opcode | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
Keywords | <result> | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
TimeCreated | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
EventRecordID | N/A | The record number assigned to the event when it was logged. |
Correlation | N/A | The activity identifiers that consumers can use to group related events together. |
Execution | N/A | Contains information about the process and thread that logged the event. |
Channel | N/A | The channel to which the event was logged. |
Computer | <dname> | The name of the computer on which the event occurred. |
MemberName | <account> | The distinguished name of the account that was added to the group. For example: CN=Auditor,CN=Users,DC=contoso,DC=local. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. |
MemberSid | <domainimpacted> <account> | The SID of the account that was added to the group. |
TargetUserName | <group> | The name of the group to which the new member was added. |
TargetDomainName | <domainimpacted> | The domain name of the group to which the new member was added. Formats vary, and include the following: |
TargetSid | N/A | The SID of the group to which the new member was added. |
SubjectUserSid | <domainorigin> <login> | The SID of the account that requested the add-member operation on the group. |
SubjectUserName | <login> | The name of the account that requested the add-member operation on the group. |
SubjectDomainName | <domainorigin> | The subject’s domain name. Formats vary, and include the following: |
SubjectLogonId | <session> | A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
PrivilegeList | N/A | The list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. |
CallerProcessId | <processid> | Hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
CallerProcessName | <process> | Full path and the name of the executable for the process. |
GroupTypeChange | <action> | N/A |
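As an added example (not LogRhythm's parser and not code from this page), the following Python maps one Security channel event onto the schema fields listed in the table above and assigns the Common Event and Classification from the classification table. The XML samples, SIDs, account and group names, and logon IDs are constructed; the element layout and namespace follow the standard Windows event XML format, and the "-" handling for uncaptured values follows the MemberName and PrivilegeList rows.

```python
"""Normalize Windows group-management audit events into the LogRhythm schema
fields from the mapping table and assign the sub rule from the classification
table. Added example; all sample values below are constructed."""
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Event ID groupings transcribed from the classification table.
SUB_RULES = (
    ({4727, 4731, 4744, 4749, 4754, 4759}, ("Group Created", "Account Created")),
    ({4728, 4732, 4746, 4751, 4756, 4761}, ("Account Added to Group", "Access Granted")),
    ({4729, 4733, 4747, 4752, 4757, 4762}, ("Account Removed from Group", "Access Revoked")),
    ({4730, 4734, 4748, 4753, 4758, 4763}, ("Group Deleted", "Account Deleted")),
    ({4735, 4737, 4745, 4750, 4755, 4760, 4764}, ("Group Attribute Modified", "Account Modified")),
    ({4799}, ("Object Read", "Access Success")),
)

# <System> keys and <EventData> names that map to a schema field (N/A rows omitted).
SYSTEM_MAP = {"EventID": "vmid", "Level": "severity", "Task": "vendorinfo",
              "Keywords": "result", "Computer": "dname"}
DATA_MAP = {"MemberName": "account", "TargetUserName": "group",
            "TargetDomainName": "domainimpacted", "SubjectUserName": "login",
            "SubjectDomainName": "domainorigin", "SubjectLogonId": "session",
            "CallerProcessId": "processid", "CallerProcessName": "process",
            "GroupTypeChange": "action"}


def classify(event_id):
    """Return (Common Event, Classification) for the matching sub rule, or the
    base rule's pair when no sub rule covers event_id."""
    for ids, result in SUB_RULES:
        if event_id in ids:
            return result
    return ("Group Information", "Information")


def normalize(xml_text):
    """Map one event's fields onto the LogRhythm schema names."""
    root = ET.fromstring(xml_text)
    system = root.find(EVENT_NS + "System")
    fields = {}
    for key, schema in SYSTEM_MAP.items():
        node = system.find(EVENT_NS + key)
        if node is not None and node.text:
            fields[schema] = node.text.strip()
    data = {d.get("Name"): (d.text or "").strip() for d in root.iter(EVENT_NS + "Data")}
    for key, schema in DATA_MAP.items():
        # "-" marks a value Windows did not capture (e.g. MemberName for a
        # well-known principal), so it is treated as absent.
        if data.get(key, "-") != "-":
            fields[schema] = data[key]
    # MemberSid backs <account> and SubjectUserSid backs <login> when the
    # textual name is missing, matching the two-field rows of the table.
    if "account" not in fields and data.get("MemberSid", "-") != "-":
        fields["account"] = data["MemberSid"]
    if "login" not in fields and data.get("SubjectUserSid", "-") != "-":
        fields["login"] = data["SubjectUserSid"]
    fields["common_event"], fields["classification"] = classify(int(fields["vmid"]))
    return fields


def build_event(event_id, computer, data):
    """Build a minimal Security channel event in Windows event XML form (constructed)."""
    rows = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        '<EventID>%d</EventID><Version>0</Version><Level>0</Level><Task>13826</Task>'
        '<Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords>'
        '<Channel>Security</Channel><Computer>%s</Computer></System>'
        '<EventData>%s</EventData></Event>' % (event_id, computer, rows)
    )


# Constructed sample: a help-desk account adds a user to a security-enabled global group.
SAMPLE_4728 = build_event(4728, "dc01.contoso.local", {
    "MemberName": "CN=Auditor,CN=Users,DC=contoso,DC=local",
    "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "TargetUserName": "Auditors", "TargetDomainName": "CONTOSO",
    "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1130",
    "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "SubjectUserName": "helpdesk1", "SubjectDomainName": "CONTOSO",
    "SubjectLogonId": "0x1a2b3c", "PrivilegeList": "-",
})

# Constructed sample: a well-known principal is removed, so MemberName is "-".
SAMPLE_4729 = build_event(4729, "dc01.contoso.local", {
    "MemberName": "-", "MemberSid": "S-1-5-7",
    "TargetUserName": "Auditors", "TargetDomainName": "CONTOSO",
    "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1130",
    "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "SubjectUserName": "helpdesk1", "SubjectDomainName": "CONTOSO",
    "SubjectLogonId": "0x1a2b3c", "PrivilegeList": "-",
})

if __name__ == "__main__":
    for sample in (SAMPLE_4728, SAMPLE_4729):
        for name, value in normalize(sample).items():
            print("%-16s %s" % (name, value))
        print()
```

The second sample exercises the edge case the MemberName row describes: with the name reported as "-", the record still carries an identity for <account> because the MemberSid row maps the SID into the same field.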