Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : User Mgmt Events | Base Rule | General Audit | Other Audit Success |
| V 2.0 : User Account Locked Out | Sub Rule | Account Locked | Access Revoked |
| V 2.0 : Role Assigned To User Account | Sub Rule | Account Added To Group | Access Granted |
| V 2.0 : Role Removed From User Account | Sub Rule | Account Removed From Group | Access Revoked |
| V 2.0 : User Account Created | Sub Rule | User Account Created | Account Created |
| V 2.0 : User Account Deleted | Sub Rule | User Account Deleted | Account Deleted |
| V 2.0 : User Account Creation Failed | Sub Rule | General Error | Error |
| V 2.0 : User Account Updated | Sub Rule | User Account Attribute Modified | Account Modified |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Vendor or manufacturer name. |
| N/A | N/A | N/A | Product name. |
| N/A | N/A | N/A | Product version. |
| N/A | N/A | N/A | EventID. |
| objectid | <object> | Number | The ID of the object. |
| auditrowid | N/A | N/A | The row ID from the database table. |
| details | <action> | Text/String | Contains a description of the action. |
| creationtime | N/A | N/A | The UTC timestamp of when the object was created. |
| modificationtime | N/A | N/A | The UTC timestamp of the last time that the object was modified. |
| lastmodifiedby | N/A | N/A | The name of the user who last modified the object. |
| modifieruserid | N/A | N/A | The unique ID of the user who last modified the object. If the ID is 0, this is a system-generated event. |
| moduser | <login> | Text/String | Details for the user who last modified the object. |
| modpersona | N/A | N/A | Details for the persona who last modified the object. This field is null if no persona was used. |
| type | N/A | N/A | The type of action that generated the audit entry. Values include: |
| objectname | <account> | Text/String | The name of the object that was modified. |
| objecttypename | N/A | N/A | The type of audit entry. |
| typename | <tag2> | Text/String | The type of action that initiated the audit entry, in string form. Values include: |
| audittype | <vendorinfo> | Text/String | The type of audit entry. |