This document explains the changes required to switch over and upgrade to MS Windows Event Logging XML - Security log source type to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.

Prerequisites

  • Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.

  • Enable the new MPE rules in the LogRhythm System Monitor.
    • Select log source type MS Windows Event Logging XML - Security.

      Ensure that you select the the log source type with "XML" in the name.

    • Enable log processing policy LogRhythm Default v2.0.

    For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Support for ADFS Events

Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFSIf you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.

For more information, see Log Source Virtualization.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

Log Message TypesEvent TypesEvent IDs

Multiple EVIDs : Catch All : Level 1 (Français - Security)

MultipleMultiple
EVID 4624: Logon Event (Français - Security)Audit Logon4624
EVID 4625: Failed Authentication (Français - Security)Audit Account Lockout4625
EVID 4634, 4647 : Logoff Events (Français - Security)Audit Logoff4634, 4647
EVID 4648 : Logon Using Explicit Credentials (Français - Security)Audit Logon4648
EVID 4656...4691 : Object Access (Part 1) (Français - Security)Audit File System4656, 4658, 4660, 4661, 4663, 4670, 4691
EVID 4657 : Object Access (Part 4) (Français - Security)Audit Detailed File Share4657
EVID 4662 : Object Access (Part 3) (Français - Security)Audit Directory Service Access4662
EVID 4672 : Special Logon Privileges (Français - Security)Audit Special Logon4672
EVID 4674 : Privileged Object Access (Français - Security)Audit Sensitive Privilege use4673, 4674

EVID 4688 : Process Startup And Shutdown (Part 1) (Français - Security)

Audit Process Creation

4688
EVID 4689 : Process Startup And Shutdown (Part 2) (Français - Security)Audit Process Termination4689
EVID 4690 : Object Access (Part 2) (Français - Security)Audit Handle Manipulation4690

EVID 4696 : Primary Token Assigned (Français - Security)

Audit Process Creation4696

EVID 4713, 4716, 4739 : Policy Change (Part 2) (Français - Security)

Audit Authentication Policy Change

4713, 4716, 4739
EVID 4714 : Policy Change (Part 1) (Français - Security)Audit Other Policy Change Events4714
EVID 4719 : Policy Change (Part 3) (Français - Security)Audit Policy Change4719
EVID 4720...4743 : Account Management (Part 1) (Français - Security)Audit User Account Management

4720, 4722, 4723, 4724, 4725, 4726, 4738, 4741, 4742, 4743

EVID 4728...4762 : Group Member Added/Removed (Français - Security)

Best Practices For Securing Active Directory4728, 4729, 4732, 4733, 4746, 4747, 4751, 4752, 4756, 4757, 4761, 4762

EVID 4740 : Account Locked Out (Part 1) (Français - Security)

Audit User Account Management4740

EVID 4767 : Account Locked Out (Part 2) (Français - Security)

Audit User Account Management4767

EVID 4781 : Account Management (Part 2) (Français - Security)

Audit User Account Management4720, 4722, 4723, 4724, 4725, 4726, 4738, 4741, 4742, 4743, 4767, 4780, 4782
EVID 5058 : Key File Operation (Français - Security)Audit Other System Events5059, 5508
EVID 5061 : Cryptographic Operation (Français - Security)Audit System Integrity5061

EVID 5140-5144 : Share Events (Part 1) (Français - Security)

Audit File Share

5140, 5142, 5143, 5144,5145

EVID 5141 : Share Events (Part 2) (Français - Security)Audit Directory Service Changes5141
EVID 5156 : WPF Allowed Connection (Français - Security)Audit Filtering Platform Connection 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159

EVID 5158 : WFP Permitted Bind (Français - Security)

Audit Filtering Platform Connection 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. The Change Details column indicates where the new log source type was added.

AIE RulesChange Details
NERC-CIP : Account Locked or Disabled RuleRemoved Group by of Host (Origin)

Updates to System Reports

The table below indicates changes made to System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Report Name

Change Details

FISMA : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
NEI : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
NRC : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid CDE => Internet Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid DMZ => Internal Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid Internet => Internal Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid Internet => CDE Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid Internet => DMZ Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

Updates to System Report Templates

The table below indicates changes made to Report Templates using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Template Name

Change Details

Log Summary by Entity, Log Host, iApp, Event, Login, Object
  • Added Process field after Object.
  • New Report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process

Updates to System Tails

  • No changes

Updates to System Investigations

  • No changes