V 2.0 : User Mgmt Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : User Mgmt Events | Base Rule | General Audit | Other Audit Success |
| V 2.0 : User Account Locked Out | Sub Rule | Account Locked | Access Revoked |
| V 2.0 : Role Assigned To User Account | Sub Rule | Account Added To Group | Access Granted |
| V 2.0 : Role Removed From User Account | Sub Rule | Account Removed From Group | Access Revoked |
| V 2.0 : User Account Created | Sub Rule | User Account Created | Account Created |
| V 2.0 : User Account Deleted | Sub Rule | User Account Deleted | Account Deleted |
| V 2.0 : User Account Creation Failed | Sub Rule | General Error | Error |
| V 2.0 : User Account Updated | Sub Rule | User Account Attribute Modified | Account Modified |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Vendor or manufacturer name. |
| N/A | N/A | N/A | Product name. |
| N/A | N/A | N/A | Product version. |
| N/A | N/A | N/A | EventID. |
| objectid | <object> | Number | The ID of the object. |
| auditrowid | N/A | N/A | The row ID from the database table. |
| details | <action> <group> <tag1> | Text/String Number Text/String | Contains a description of the action. |
| creationtime | N/A | N/A | The UTC timestamp of when the object was created. |
| modificationtime | N/A | N/A | The UTC timestamp of the last time that the object was modified. |
| lastmodifiedby | N/A | N/A | The name of the user who last modified the object. |
| modifieruserid | N/A | N/A | The unique ID of the user who last modified the object. If the ID is 0, this is a system-generated event. |
| moduser | <login> <domainorigin> | Text/String Text/String | Details for the user who last modified the object. |
| modpersona | N/A | N/A | Details for the persona who last modified the object. This field is null if no persona was used. |
| type | N/A | N/A | The type of action that generated the audit entry. Values include: 0 - Create, 1 - Update, 2 - Delete. |
| objectname | <account> | Text/String | The name of the object that was modified. |
| objecttypename | N/A | N/A | The type of audit entry. |
| typename | <tag2> | Text/String | The type of action that initiated the audit entry, in string form. Values include: |
| audittype | <vendorinfo> | Text/String | The type of audit entry. |