This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the MS Windows Event Logging XML - Security log source type. 

Prerequisites

  • Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.

  • Enable the new MPE rules in the LogRhythm System Monitor.
    • Select log source type MS Windows Event Logging XML - Security.

      Ensure that you select the the log source type with "XML" in the name.

    • Enable log processing policy LogRhythm Default v2.0.

    For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Support for ADFS Events

Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFSIf you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.

For more information, see Log Source Virtualization.


Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

Log Message TypeEvent TypeEvent IDs

EVID 1102 : Privileged Object Access (Part 1) (XML - Security)

Object Accessed1102

EVID 1104 : Full File (XML - Security)

File Operation Error1104

EVID 4610...4622 : Package Loaded (XML - Security)

Package Information4610, 4611, 4614, 4622

EVID 4616 : Security State Change (XML - Security)

Session Setting Changed4616

EVID 4624 : Logon Events (XML - Security)

Authentication Activity4624

EVID 4625 : Logon Failure (XML - Security)

Authentication Failure Activity4625

EVID 4627 : Microsoft-Windows-Security-Auditing (XML - Security)

Group Membership Information4627

EVID 4634, 4647 : Logoff (XML - Security)

Authentication Activity4634, 4647

EVID 4648 : Logon Using Explicit Credentials (XML - Security)

User Logon4648

EVID 4656 : Specified Object Access (XML - Security)

Object Accessed4656

EVID 4656...4691 : Object Access (Part 1) (XML - Security)

Object Accessed4656, 4658, 4660, 4661, 4663, 4670,4691

EVID 4657 : Object Access (Part 2) (XML - Security)

Object Accessed4657

EVID 4662 : Object Access (Part 3) (XML - Security)

Object Accessed4662

EVID 4672 : Special Privileges Assigned To Logon (XML - Security)

Special Privileges Assigned To Logon4672

EVID 4673, 4674 : Privileged Object Access (Part 2) (XML - Security)

Object Accessed4673, 4674

EVID 4675...4933 : Microsoft Windows Security Auditing (XML - Security)

Group Membership Information

4675, 4928, 4931, 4932, 4933

EVID 4688, 4689 : Process Startup And Shutdown (XML - Security)

Process/Service Started4688, 4689

EVID 4697 : Service Installed (XML - Security)

Software Installed4697

EVID 4698-4702 : Scheduled Task Events (XML - Security)

Configuration Enabled : System4698, 4699, 4700, 4701, 4702

EVID 4720...4767 : Account Management (Part 1) (XML - Security)

User Account Attribute Modified4720, 4722, 4723, 4724, 4725, 4726, 4738, 4741, 4742, 4743, 4767

EVID 4727...4760 : Account Management (Part 2) (XML - Security)

User Account Attribute Modified4727 ,4731, 4734, 4737, 4759, 4760

EVID 4728...4762 : Group Member Added/Removed (XML - Security)

Account Added To Group

4728, 4729, 4730, 4732, 4733, 4735, 4746, 4747, 4749, 4751, 4752, 4753, 4756, 4757, 4758, 4761, 4762

EVID 4740 : Account Management Message (Part 1) (XML - Security)

User Account Attribute Modified4740

EVID 4754 : Account Management Message (Part 2) (XML - Security)

User Account Attribute Modified4754

EVID 4768, 4771 : Kerberos Events (Part 1) (XML - Security)

Authentication Activity4768, 4771

EVID 4769, 4770 : Kerberos Events (Part 2) (XML - Security)

Authentication Activity4769, 4770

EVID 4776 : Credential Validation Attempt (XML - Security)

General Authentication Event4776

EVID 4778, 4779 : Windows Session Events (XML - Security)

Authentication Activity4778, 4779

EVID 4781 : Account Management (Part 3) (XML - Security)

User Account Attribute Modified4781

EVID 4800, 4801 : Workstation Locked & Unlocked (XML - Security)

General Workstation Information4800, 4801

EVID 4907 : Audit Settings Changed (XML - Security)

Object Attribute Modified4907

EVID 4946-4948 : Firewall Rule Add, Mod, Del (XML - Security)

Configuration Modified : Network Access4946, 4947, 4948

EVID 5031 : Windows Firewall Events (Part 1) (XML - Security)

Network Traffic5031

EVID 5058 : Key File Operation (XML - Security)

Key File Operation5058

EVID 5061 : Cryptographic Operation (XML - Security)

Cryptographic Operation5061

EVID 5136-5139, 5141 : AD Object Access (XML - Security)

Object Accessed5136, 5137, 5138, 5139, 5141

EVID 5140, 5142-5145 : Network Share Was Accessed (XML - Security)

Network Share Information5140, 5142,5143, 5144, 5145
EVID 5152-5159 : Windows Firewall Events (Part 2) (XML - Security)Network Traffic

5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159

EVID 5446-5450 : Windows Filter Platform Change (XML - Security)

Configuration Modified : Security5446, 5447, 5448, 5449, 5450

EVID 6144 : Security Policy In GPO Applied (XML - Security)

Configuration Modified : Security6144

EVID 6272, 6273 : Network Policy Server Access (XML - Security)

General Access Control Message6272, 6273

EVID 6281 : Code Integrity - Image Hash Invalid (XML - Security)

Integrity Check Failed6281

EVID 6416, 6419-6424 : Audit PnP Activity (XML - Security)

Configuration Modified : System6416, 6419, 6420, 6421, 6422, 6423, 6424

Log Messages Not Available in LSO Policy

The following table lists the log message types that are not available in LSO policy.

Log Message TypeEvent TypeEvent IDs

EVID 104 : Event Log Cleared (XML - Security)

General Event Log Information104

EVID 4822 : Credential Validation Information (XML - Security)

Client Authentication Failure4822
No EVID : Login Logout Activity (XML - Security)Login or Logout Event ExecutedN/A
No EVID : AD FS Messages (XML - Security)General Active Directory InformationN/A
Catch All : Level 1 (XML - Security)General InformationN/A
Catch All : Level 2 (XML - Security)General InformationN/A
Catch All : Level 3 (XML - Security)General AuditN/A

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security. The Change Details column indicates where the new log source type was added.

AIE RuleChange Details
NERC-CIP : Account Locked or Disabled RuleRemove Group by of Host (Origin)

Updates to System Reports

The table below indicates changes made to System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Report Name

Change Details

FISMA : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
NEI : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
NRC : Processes By User

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. Process Name
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid CDE => Internet Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid DMZ => Internal Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid Internet => Internal Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid Internet => CDE Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING
PCI-DSS : Invalid Internet => DMZ Comm Details

Added a new line to the Include Filter:

  • Operator. Or Previous
  • Field. IP Address (Impacted)
  • Filter Mode. Is Not
  • Filtered Values. NOTHING

Updates to System Report Templates

The table below indicates changes made to System Reports using the new policy LogRhythm Default v2.0 with log source type MS Windows Event Logging XML - Security.

Template Name

Change Details

Log Summary by Entity, Log Host, iApp, Event, Login, Object
  • Added Process field after Object.
  • New Report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process

Updates to System Tails

  • No changes

Updates to System Investigations

  • No changes