V 2.0 : Object Access Events | LogRhythm Documentation

Vendor Documentation

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 : Object Access Events	Base Rule	General Audit Message	Other Audit
V 2.0 : EVID 4656 : Object Handle Opened	Sub Rule	Object Accessed	Access Success
V 2.0 : EVID 4656 : Failed to Open Object	Sub Rule	Access Object Failure	Access Failure
V 2.0 : EVID 4658 : Object Handle Closed	Sub Rule	Object Handle Closed	Other Audit Success
V 2.0 : EVID 4660 : Object Deleted	Sub Rule	Object Deleted/Removed	Access Success
V 2.0 : EVID 4661 : Object Handle Opened	Sub Rule	Object Accessed	Access Success
V 2.0 : EVID 4661 : Failed to Open Object	Sub Rule	Access Object Failure	Access Failure
V 2.0 : EVID 4663 : Operation Performed On Object	Sub Rule	Object Accessed	Access Success
V 2.0 : EVID 4670 : Object Permissions Changed	Sub Rule	Policy Modified : Object	Policy
V 2.0 : EVID 4818 : Central Access Policy Difference	Sub Rule	Object Operation	Other Audit Success
V 2.0 : EVID 4691 : ALPC Port Accessed	Sub Rule	Object Accessed	Access Success
V 2.0 : EVID 4656 : Object Handle Opened	Sub Rule	Object Accessed	Access Success
V 2.0 : EVID 4656 : Failed to Open Object	Sub Rule	Access Object Failure	Access Failure
V 2.0 : EVID 4659 : Object Open for Deletion	Sub Rule	Object Accessed	Access Success

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Provider	N/A	N/A	Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
EventID	<vmid>	Number	The identifier that the provider used to identify the event.
Version	N/A	N/A	The version number of the event's definition.
Level	<severity>	String/Number	The severity level defined in the event.
Task	<vendorinfo>	String/Number	The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
Opcode	N/A	N/A	The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
Keywords	<result> <tag1>	Text/String	A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
TimeCreated	N/A	N/A	The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute.
EventRecordID	N/A	N/A	The record number assigned to the event when it was logged.
Correlation	N/A	N/A	The activity identifiers that consumers can use to group related events together.
Execution	N/A	N/A	Contains information about the process and thread that logged the event.
Channel	N/A	N/A	The channel to which the event was logged.
Computer	<dname>	Text/String	The name of the computer on which the event occurred.
SubjectUserSid	N/A	N/A	The SID of account that requested a handle to an object.
SubjectUserName	<login>	N/A	The name of the account that requested a handle to an object.
SubjectDomainName	<domainorigin>	Text/String	The subject’s domain or computer name. Formats vary, and include the following: Domain NETBIOS name example: CONTOSO Lowercase full domain name: contoso.local Uppercase full domain name: CONTOSO.LOCAL For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is NT AUTHORITY. For local user accounts, this field will contain the name of the computer or device that this account belongs to.
SubjectLogonId	<session>	Text/String	A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID.
ObjectServer	<object>	Text/String	The Security value for this event.
ObjectType	<objecttype>	Text/String	The type of an object that was accessed during the operation.
ObjectName	<objectname>	Text/String	The name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
HandleId	N/A	N/A	A hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID.
TransactionId	N/A	Text/String/Number	The unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID.
AccessList	<subject>	Text/String/Number	The list of access rights which were requested by Subject\Security ID. These access rights depend on ObjectType.
AccessReason	N/A	N/A	The list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply.
AccessMask	<status>	Text/String/Number	A hexadecimal mask for the requested or performed operation.
PrivilegeList	N/A	N/A	The list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-” string.
RestrictedSidCount	N/A	Number	Number of restricted SIDs in the token. Applicable to only specific ObjectTypes.
ProcessId	<processid>	Number	A hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
ProcessName	<process>	Text/String	The full path and the name of the executable for the process.
ResourceAttributes	N/A	Text/String	The attributes associated with the object. For some objects, the field does not apply and “-“ is displayed.