Skip to main content
Skip table of contents

V 2.0 : MS Windows Event Logging XML - Security (Configuration Guide)

Applications that sign and verify XML digital signatures should be written according to the following best practices to avoid denial of service attacks, data loss, and compromise of private information. The list below provides general guidance; however, developers are encouraged to perform additional security analysis specific to their applications and review the latest digital signatures best practices published by the W3C.

Device Details

Device NameMS Windows Event Logging : XML - Security

Vendor

MS Windows

Device Type

MS Windows Security Applications

Supported Model Name/Number

Windows Server 2008, 2012, 2016+

Supported Software Version(s)

N/A

Collection Method

MS Windows Event Logging

Configurable Log Output?

N/A

Log Source Type

MS Windows Event Logging XML - Security

Log Processing Policy

LogRhythm Default v2.0

Exceptions

N/A

Additional Information

Microsoft Security documentation

Prerequisites

    • Deployment of application and its credentials.


Support for ADFS Events

Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFSIf you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.

For more information, see Log Source Virtualization.

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

Type

Product Version

Supported Schema Fields

V2.0 Account ManagementN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <subject>, <result>, <group>, <tag1>, <tag2>, <object>, <action>, <objectname>
V2.0 Active Directory Replica Context EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <session>, <tag1>, <responsecode>
V2.0 AD Object EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <domainimpacted>, <objectname>, <object>, <objecttype>, <account>, <responsecode>
V2.0 Audit Policy ModifiedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <policy>, <objectname>, <object>, <tag2>, <action>
V2.0 Catch AllN/A<vmid>, <severity>, <vendorinfo>, <dname>, <result>, <responsecode>, <tag2>
V2.0 Certification Services EventsN/A<vmid>, <tag1>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>,
V2.0 COM+ EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>
V2.0 Credential Manager EventsN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <Quantity>
V2.0 Cryptographic File/Key OperationsN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <object>, <objecttype>, <objectname>, <policy>, <action>, <result>, <responsecode>, <tag2>
V2.0 Cryptographic Next Generation EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <tag2>
V2.0 Domain Trust InformationN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <domainimpacted>, <login>, <domainorigin>, <session>
V2.0 DPAPI EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session>
V2.0 Event Logging Service MessagesN/A<vmid>, <severity>, <vendorinfo>, <dname>, <object>, <subject>, <result><responsecode>, <tag1>
V2.0 EVID 521 : Failed Writing Audit LogsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <responsecode>, <quantity>
V2.0 EVID 4616 - System Time ChangedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid>
V 2.0 : Network Logon SuccessN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <tag2>, <sessiontype>, <object>, <objectname>, <objecttype>, <size>, <processid>, <process>, <sport>, <account>, <tag3>
V2.0 EVID 4625 : Use Account Logon FailureN/A<vmid>, <severity>, <vendorinfo>, <dname>, <sip>, <sport>, <login>, <domainorigin>, <sessiontype>, <process>, <processId>, <object>, <objectname>, <result>, <responsecode>, <size>, <tag1>, <tag2>
V2.0 EVID 4627 - Group Membership InformationN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <sessiontype>
V2.0 EVID 4634/4647 : Account Logoff EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag2>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <sessiontype>, <tag3>
V2.0 EVID 4648 : Logon Using Explicit CredentialsN/A<vmid>, <severity>, <vendorinfo>, <dname>, <sip>, <sport>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <process>, <processId>, <result>
V2.0 EVID 4657 : Registry Value ModifiedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <subject>, <processid>, <process>
V2.0 EVID 4662 - Operation Performed On AD ObjeN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <objecttype> , <subject>
V2.0 EVID 4670 : Object Permissions ChangedN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid>, <object>, <objectname>, <objecttype>, <result>
V2.0 EVID 4672 : Special Privilgs Asignd To LgnN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <command>
V2.0 EVID 4675 : SIDs Were FilteredN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>
V2.0 EVID 4696 : Token Assigned To ProcessN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>
V2.0 EVID 4697 : Service InstalledN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object>, <status>, <account>
V2.0 EVID 4703 : User Rights AdjustedN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainImpacted>, <session>, <process>, <processid>, <result>
V2.0 EVID 4704 & 4705 - User Rights AssignmentN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainImpacted>, <session>, <subject>, <result>
V2.0 EVID 4739 : Domain Policy ModifiedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <domainimpacted>, <login>, <domainorigin>, <session>
V2.0 EVID 4740 : User Account LockoutN/A<vmid>, <severity>, <vendorinfo>, <dname>, <sname>, <login>, <domainorigin>, <account>, <session>, <result>, <tag1>
V2.0 EVID 4768-4771 Kerberos TGT Failure MessageN/A<vmid>, <severity>, <vendorinfo>, <sip>, <dname>, <sport>, <login>, <domainorigin>, <process>, <result>, <responsecode>, <tag1>, <tag2>, <tag3>, <policy>, <sessiontype>, <subject>
V2.0 EVID 4769-4770 Kerberos TGS MessagesN/A<vmid>, <severity>, <vendorinfo>, <sip>, <dname>, <sport>, <login>, <domainorigin>, <process>, <policy>, <command>, <result>, <responsecode>, <tag1>, <tag3>, <account>
V2.0 EVID 4774: Account Logon Mapping EventN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1> , <dname>, <account>
V 2.0 : EVID 4776 : Credentials Validation Of AccN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <objectname>, <domainorigin>, <login>, <tag1>, <sip>, <sname>, <status>, <tag2>
V2.0 EVID 4778 & 4779 : Windows Station SessionN/A<vmid>, <severity>, <vendorinfo>, <sip>, <sname>, <dname>, <login>, <domainorigin>, <session>, <result>, <sessiontype>
V2.0 EVID 4781 : User Account Name ChangedN/A

<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>,, <account>, <domainimpacted>, <session>, <object>, <result>, <tag1>

V2.0 EVID 4793 : Pswd Policy Checking API Called

N/A

<vmid>, <severity>, <vendorinfo>, <sip>, <result>, <sname>, <login>, <domainorigin>, <session>, <dname>, <account>

V2.0 EVID 4794 : DS Restore Mode Admin Pwd SetN/A<vmid>, <severity>, <vendorinfo>, <dname>, <sname>, <login>, <domainorigin>, <session>, <result>, <status>, <tag1>
V2.0 EVID 4798 : User's Local Group Membership EnN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>,, <account>, <domainimpacted>, <session>, <process>, <processId>, <result>
V2.0 EVID 4797 : Blank Passwords QueriedN/A<vmid>, <severity>, <vendorinfo>, <result> , <dname>, <login>, <domainorigin>, <account>
V2.0 EVID 4800-4803 : Lock And Unlock EventsN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <tag1>
V2.0 EVID 4826 : Boot Configuration Data LoadedN/A<vmid>, <severity>, <vendorinfo>, <result> , <dname>, <policy>,  <status>
V2.0 EVID 4950 : WFP - Setting ChangedN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <policy>, <object>, <command>
V2.0 EVID 4964 : Special Groups Assigned To LogonN/A<vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <result>, <group>
V2.0 EVID 4985 : Transaction State ChangedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <object> ,<processid>, <processname>
V2.0 EVID 5031 : WFP - Application BlockedN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <process>
V2.0 EVID 5038 : Image Hash Of File Not ValidN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object>
V2.0 EVID 5156 : WFP - Connection PermittedN/A<vmid>, <severity>, <vendorinfo>, <result>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum>
V2.0 EVID 5157 : WFP - Connection BlockedN/A<vmid> , <severity>, <vendorinfo>, <result>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum>
V2.0 EVID 5446: Windows Filtering Platform Call N/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object> 
V2.0 EVID 5448: Windows Filtering Platform Provider ChangedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object> 
V 2.0 EVID 5449 : Windows Filtering Platform Provider Context ChangedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process>, <domainimpacted>, <account>, <action> 
V2.0 EVID 5450: Windows Filtering Platform Sub-layer ChangedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object>
V2.0 EVID 5632 : WLAN Authentication FailureN/A<vmid>, <severity>, <vendorinfo>, <sname>, <smac>, <dmac>, <login>, <domainorigin>, <session>, <result>, <reason>, <tag1>, <tag2>
V2.0 EVID 5633 :Wired Network Authentication FailN/A<vmid>, <severity>, <vendorinfo>, <sname>, <login>, <domainorigin>, <session>, <result>, <reason>, <tag1>
V2.0 EVID 6279 : NPS - User Account LockedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <account>, <domainimpacted> 
V2.0 EVID 6281 : File Integrity FailureN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object>
V2.0 General Policy Change EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>
V2.0 Group Management EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <account>, <action>, <group>, <domainimpacted>, <login>, <domainorigin>, <session>, <processid>, <process>
V2.0 Local Security Authority Package Mgmt EventN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <objectname>, <login>, <domainorigin>, <session>, <object>
V2.0 Network Policy Server EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <login>, <domainorigin>, <sip>, <smac>, <object>, <dname>, <dip>, <policy>, <responsecode>, <reason>, <subject>, <status>, <session>, <url>
V2.0 Network Share EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <objecttype>, <sip>, <sport>, <objectname>
V2.0 Object Access EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <processid>, <process>, <object>, <status>, <subject>, <tag1>
V2.0 Object Auditing Settings ModifiedN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object>, <processid>, <process>
V2.0 Plug And Play EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object>
V2.0 Privilege Use EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <objecttype>, <object>, <subject>, <processid>, <process>
V2.0 Process Creation/Termination EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <processid>, <object>, <process>, <parentprocessid>, <command>, <account>, <domainimpacted>, <parentprocesspath>, <parentprocessname>
V2.0 Remote Interactive User Logon SuccessN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <tag2>, <sessiontype>, <object>, <objectname>, <objecttype>, <size>, <processid>, <process>, <sip>, <sport>, <tag3>, <account>
V2.0 Scheduled Task EventsN/A<vmid>, <tag1>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <sessiontype>, <command>, <object>, <objectname>, <processid>, <parentprocessid>
V2.0 Security Event Source EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <processid>, <process>
V2.0 Successful Account Logon EventsN/A<EventId>, <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <tag2>, <sessiontype>, <object>, <objectname>, <sname>, <objecttype>, <size>, <processid>, <process>, <sport>, <account>, <tag3>
V2.0 System Security Access ModificationN/A<vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>
V2.0 Trusted Forest MessagesN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <domainimpacted>, <login>, <domainorigin>, <session>
V2.0 Windows Filtering Platform Rule EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <policy>, <reason>, <object>, <objectname>
V2.0 Windows Firewall Connection EventsN/A<vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum>

Revision History

KB Version

Log Type

Change TypeDetails

KB 7.1.591.0

MS Windows Event Logging XML - Security

New Log Source Optimization (LSO) policy: LogRhythm Default v2.0Optimized new log processing policy for MS Windows Event Logging XML - Security.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close