V 2.0 : MS Windows Event Logging XML - Security (Configuration Guide)
Applications that sign and verify XML digital signatures should be written according to the following best practices to avoid denial of service attacks, data loss, and compromise of private information. The list below provides general guidance; however, developers are encouraged to perform additional security analysis specific to their applications and review the latest digital signatures best practices published by the W3C.
Device Details
Device Name | MS Windows Event Logging: XML - Security |
|---|---|
Vendor | MS Windows |
Device Type | MS Windows Security Applications |
Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
Supported Software Version(s) | N/A |
Collection Method | MS Windows Event Logging |
Configurable Log Output? | N/A |
Log Source Type | MS Windows Event Logging XML - Security |
Log Processing Policy | LogRhythm Default v2.0 |
Exceptions | N/A |
Additional Information |
Prerequisites
Deployment of application and its credentials.
Support for ADFS Events
Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFS. Suppose you use Microsoft Active Directory Federation Services (ADFS) and stream ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.
For more information, see Log Source Virtualization.
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)
Type | Product Version | Supported Schema Fields |
|---|---|---|
V2.0 Account Management | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <subject>, <result>, <group>, <tag1>, <tag2>, <object>, <action>, <objectname> |
V2.0 Active Directory Replica Context Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <session>, <tag1>, <responsecode> |
V2.0 AD Object Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <domainimpacted>, <objectname>, <object>, <objecttype>, <account>, <responsecode> |
V2.0 Audit Policy Modified | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <policy>, <objectname>, <object>, <tag2>, <action> |
V2.0 Catch-All | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <result>, <responsecode>, <tag2> |
V2.0 Certification Services Events | N/A | <vmid>, <tag1>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, |
V2.0 COM+ Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype> |
V2.0 Credential Manager Events | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <Quantity> |
V2.0 Cryptographic File/Key Operations | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <object>, <objecttype>, <objectname>, <policy>, <action>, <result>, <responsecode>, <tag2> |
V2.0 Cryptographic Next Generation Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <tag2> |
V2.0 Domain Trust Information | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <domainimpacted>, <login>, <domainorigin>, <session> |
V2.0 DPAPI Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session> |
V2.0 Event Logging Service Messages | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <object>, <subject>, <result><responsecode>, <tag1> |
V2.0 EVID 521: Failed Writing Audit Logs | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <responsecode>, <quantity> |
V2.0 EVID 4616 - System Time Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid> |
V 2.0: Network Logon Success | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <tag2>, <sessiontype>, <object>, <objectname>, <objecttype>, <size>, <processid>, <process>, <sport>, <account>, <tag3> |
V2.0 EVID 4625: Use Account Logon Failure | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <tag1>, <domainorigin>, <responsecode>, <tag2>, <reason>, <status>, <sessiontype>, <tag3>, <object>, <objectname>, <sname>, <objecttype>, <size>, <processid>, <process>, <sip>, <sport> |
V 2.0: EVID 4625 10:Remote Use Account Logon Fail | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <account>, <tag1>, <domainimpacted>, <responsecode>, <tag2>, <reason>, <status>, <sessiontype>, <tag3>, <object>, <objectname>, <objecttype>, <size>, <processid>, <process>, <sip>, <sport> |
V 2.0: EVID 4625 3:Remote Use Account Logon Fail | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <account>, <tag1>, <domainimpacted>, <responsecode>, <tag2>, <reason>, <status>, <sessiontype>, <tag3>, <object>, <objectname>, <objecttype>, <size>, <processid>, <process>, <sip>, <sport> |
V2.0 EVID 4627 - Group Membership Information | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <sessiontype> |
V2.0 EVID 4634/4647: Account Logoff Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag2>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <sessiontype>, <tag3> |
V2.0 EVID 4648: Logon Using Explicit Credentials | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <sip>, <sport>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <process>, <processId>, <result> |
V2.0 EVID 4657: Registry Value Modified | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <subject>, <processid>, <process> |
V2.0 EVID 4662 - Operation Performed On AD Obje | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <objecttype> , <subject> |
V2.0 EVID 4670: Object Permissions Changed | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid>, <object>, <objectname>, <objecttype>, <result> |
V2.0 EVID 4672: Special Privilgs Asignd To Lgn | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <command> |
V2.0 EVID 4675: SIDs Were Filtered | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin> |
V2.0 EVID 4696: Token Assigned To Process | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname> |
V2.0 EVID 4697: Service Installed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object>, <status>, <account> |
V2.0 EVID 4703: User Rights Adjusted | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainImpacted>, <session>, <process>, <processid>, <result> |
V2.0 EVID 4704 & 4705 - User Rights Assignment | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainImpacted>, <session>, <subject>, <result> |
V2.0 EVID 4739: Domain Policy Modified | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <domainimpacted>, <login>, <domainorigin>, <session> |
V2.0 EVID 4740: User Account Lockout | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <sname>, <login>, <domainorigin>, <account>, <session>, <result>, <tag1> |
V 2.0 : EVID 4768-4771 : Kerberos TGT Failure Msg | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <dname>, <sport>, <login>, <domainorigin>, <process>, <command>, <result>, <responsecode>, <tag1>, <tag2>, <tag3>, <policy>, <sessiontype>, <subject> |
V2.0 EVID 4769-4770 Kerberos TGS Messages | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <dname>, <sport>, <login>, <domainorigin>, <process>, <policy>, <command>, <result>, <responsecode>, <tag1>, <tag3>, <account> |
V2.0 EVID 4774: Account Logon Mapping Event | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1> , <dname>, <account> |
V 2.0: EVID 4776: Credentials Validation Of Acc | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <objectname>, <domainorigin>, <login>, <tag1>, <sip>, <sname>, <status>, <tag2> |
V2.0 EVID 4778 & 4779: Windows Station Session | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <sname>, <dname>, <login>, <domainorigin>, <session>, <result>, <sessiontype> |
V2.0 EVID 4781: User Account Name Changed | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>,, <account>, <domainimpacted>, <session>, <object>, <result>, <tag1> |
V2.0 EVID 4793: Pswd Policy Checking API Called | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <result>, <sname>, <login>, <domainorigin>, <session>, <dname>, <account> |
V2.0 EVID 4794: DS Restore Mode Admin Pwd Set | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <sname>, <login>, <domainorigin>, <session>, <result>, <status>, <tag1> |
V2.0 EVID 4798: User's Local Group Membership En | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>,, <account>, <domainimpacted>, <session>, <process>, <processId>, <result> |
V2.0 EVID 4797: Blank Passwords Queried | N/A | <vmid>, <severity>, <vendorinfo>, <result> , <dname>, <login>, <domainorigin>, <account> |
V2.0 EVID 4800-4803: Lock And Unlock Events | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <tag1> |
V2.0 EVID 4826: Boot Configuration Data Loaded | N/A | <vmid>, <severity>, <vendorinfo>, <result> , <dname>, <policy>, <status> |
V2.0 EVID 4950: WFP - Setting Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <policy>, <object>, <command> |
V2.0 EVID 4964: Special Groups Assigned To Logon | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <result>, <group> |
V2.0 EVID 4985: Transaction State Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <object> ,<processid>, <processname> |
V2.0 EVID 5031: WFP - Application Blocked | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <process> |
V2.0 EVID 5038: Image Hash Of File Not Valid | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object> |
V2.0 EVID 5156: WFP - Connection Permitted | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum> |
V2.0 EVID 5157: WFP - Connection Blocked | N/A | <vmid> , <severity>, <vendorinfo>, <result>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum> |
V2.0 EVID 5446: Windows Filtering Platform Call | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object> |
V2.0 EVID 5448: Windows Filtering Platform Provider Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object> |
V 2.0 EVID 5449: Windows Filtering Platform Provider Context Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <domainimpacted>, <account>, <action> |
V2.0 EVID 5450: Windows Filtering Platform Sub-layer Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object> |
V2.0 EVID 5632: WLAN Authentication Failure | N/A | <vmid>, <severity>, <vendorinfo>, <sname>, <smac>, <dmac>, <login>, <domainorigin>, <session>, <result>, <reason>, <tag1>, <tag2> |
V2.0 EVID 5633: Wired Network Authentication Fail | N/A | <vmid>, <severity>, <vendorinfo>, <sname>, <login>, <domainorigin>, <session>, <result>, <reason>, <tag1> |
V2.0 EVID 6279: NPS - User Account Locked | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <account>, <domainimpacted> |
V2.0 EVID 6281: File Integrity Failure | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object> |
V2.0 General Policy Change Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session> |
V2.0 Group Management Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <account>, <action>, <group>, <domainimpacted>, <login>, <domainorigin>, <session>, <processid>, <process> |
V2.0 Local Security Authority Package Mgmt Event | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <objectname>, <login>, <domainorigin>, <session>, <object> |
V2.0 Network Policy Server Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <login>, <domainorigin>, <sip>, <smac>, <object>, <dname>, <dip>, <policy>, <responsecode>, <reason>, <subject>, <status>, <session>, <url> |
V2.0 Network Share Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <objecttype>, <sip>, <sport>, <objectname> |
V2.0 Object Access Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <processid>, <process>, <object>, <status>, <subject>, <tag1> |
V2.0 Object Auditing Settings Modified | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object>, <processid>, <process> |
V2.0 Plug And Play Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object> |
V2.0 Privilege Use Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <objecttype>, <object>, <subject>, <processid>, <process> |
V2.0 Process Creation/Termination Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <processid>, <object>, <process>, <parentprocessid>, <command>, <account>, <domainimpacted>, <parentprocesspath>, <parentprocessname> |
V2.0 Remote Interactive User Logon Success | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <tag2>, <sessiontype>, <object>, <objectname>, <objecttype>, <size>, <processid>, <process>, <sip>, <sport>, <tag3>, <account> |
V2.0 Scheduled Task Events | N/A | <vmid>, <tag1>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <sessiontype>, <command>, <object>, <objectname>, <result>, <processid>, <parentprocessid>, <subject> |
V2.0 Security Event Source Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <processid>, <process> |
V2.0 Successful Account Logon Events | N/A | <EventId>, <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <tag2>, <sessiontype>, <object>, <objectname>, <sname>, <objecttype>, <size>, <processid>, <process>, <sport>, <account>, <tag3> |
V2.0 System Security Access Modification | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session> |
V2.0 Trusted Forest Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <domainimpacted>, <login>, <domainorigin>, <session> |
V2.0 Windows Filtering Platform Rule Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <policy>, <reason>, <object>, <objectname> |
V2.0 Windows Firewall Connection Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum> |
V 2.0 : EVID 4698 : Scheduled Task Created | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <subject>, <status>, <sessiontype>, <command>, <object>, <objectname>, <processid>, <parentprocessid> |
V 2.0 : EVID 4699 : Scheduled Task Deleted | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <subject>, <status>, <sessiontype>, <command>, <object>, <objectname>, <processid>, <parentprocessid> |
V 2.0 : EVID 4700 : Scheduled Task Enabled | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <subject>, <status>, <sessiontype>, <command>, <object>, <objectname>, <processid>, <parentprocessid> |
V 2.0 : EVID 4701 : Scheduled Task Disabled | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <subject>, <status>, <sessiontype>, <command>, <object>, <objectname>, <processid>, <parentprocessid> |
V 2.0 : EVID 4702 : Scheduled Task Updated | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <subject>, <status>, <sessiontype>, <command>, <object>, <objectname>, <processid>, <parentprocessid> |
Revision History
KB Version | Log Type | Change Type | Details |
|---|---|---|---|
KB 7.1.591.0 | MS Windows Event Logging XML - Security | New Log Source Optimization (LSO) policy: LogRhythm Default v2.0 | Optimized new log processing policy for MS Windows Event Logging XML - Security. |