Classification

| Rule Name                                         | Rule Type | Common Event                     | Classification |
|---------------------------------------------------|-----------|----------------------------------|----------------|
| Catch All : Crypto API Messages                   | Base Rule | Encryption Process               | Information    |
| EVID 4097 : 3rd Party Cert Auto Update Success    | Sub Rule  | SSL Certificate Loaded           | Information    |
| EVID 4108 : 3rd Party Root Cert Delete Successful | Sub Rule  | Certificate Services Information | Information    |
| EVID 4109 : 3rd Party Root Cert Update Success    | Sub Rule  | Certificate Services Information | Information    |
| EVID 4111 : 3rd Party Root List AutoUpdate Success| Sub Rule  | Certificate Services Information | Information    |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-CAPI2' Guid='{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}' EventSourceName='Microsoft-Windows-CAPI2'/><EventID Qualifiers='0'>4109</EventID><Version>0</Version><Level>Information</Level><Task>None</Task><Opcode>Info</Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-17T01:20:50.979068900Z'/><EventRecordID>85278253</EventRecordID><Correlation/><Execution ProcessID='344' ThreadID='_sid'/><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System><EventData><Data>CN=_org Authentication CA G1, O=_org S.p.A./787920967, L=_city, C=IT</Data><Data>SHA#1234567890</Data></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value                                                               | LogRhythm Schema | Data Type          |
|---------------------------|-------------------------------------------------------------------------|------------------|--------------------|
| Provider Name             | Microsoft-Windows-CAPI2                                                 | <vendorinfo>     | Text/String        |
| EventID Qualifiers        | 4109                                                                    | <vmid>           | Number             |
| Level                     | Information                                                             | <severity>       | Text/String        |
| Execution ProcessID       | 344                                                                     | <processid>      | Number/Text/String |
| Computer                  | _destinationhostname                                                    | <dname>          | Text/String        |
| ThreadID                  | _sid                                                                    | <session>        | Number/Text/String |
| N/A                       | SHA#1234567890                                                          | <hash>           | Text/String        |
| N/A                       | CN=_org Authentication CA G1, O=_org S.p.A./787920967, L=_city, C=IT    | <object>         | Text/String        |
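Applying the mapping table to the sample event, as an added Python example (not LogRhythm's own MPE parser, which uses its own rule engine): it reads the CAPI2 event XML, fills the schema fields named above, and picks the sub rule or the catch-all base rule from the rule table by EventID. The sample event is the page's sample log copied into the script; the dictionary keys are the schema tag names.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sub rules from the Classification table: EventID -> (rule name, common event).
SUB_RULES = {
    4097: ("EVID 4097 : 3rd Party Cert Auto Update Success", "SSL Certificate Loaded"),
    4108: ("EVID 4108 : 3rd Party Root Cert Delete Successful", "Certificate Services Information"),
    4109: ("EVID 4109 : 3rd Party Root Cert Update Success", "Certificate Services Information"),
    4111: ("EVID 4111 : 3rd Party Root List AutoUpdate Success", "Certificate Services Information"),
}
# Any other CAPI2 EventID falls through to the base rule.
BASE_RULE = ("Catch All : Crypto API Messages", "Encryption Process")

# Copy of the page's sample log (placeholders _org, _city, _sid, _destinationhostname kept as-is).
SAMPLE = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Microsoft-Windows-CAPI2' Guid='{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}' "
    "EventSourceName='Microsoft-Windows-CAPI2'/><EventID Qualifiers='0'>4109</EventID>"
    "<Version>0</Version><Level>Information</Level><Task>None</Task><Opcode>Info</Opcode>"
    "<Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-17T01:20:50.979068900Z'/>"
    "<EventRecordID>85278253</EventRecordID><Correlation/>"
    "<Execution ProcessID='344' ThreadID='_sid'/><Channel>Application</Channel>"
    "<Computer>_destinationhostname</Computer><Security/></System><EventData>"
    "<Data>CN=_org Authentication CA G1, O=_org S.p.A./787920967, L=_city, C=IT</Data>"
    "<Data>SHA#1234567890</Data></EventData></Event>"
)


def parse_capi2_event(xml_text):
    """Map one Microsoft-Windows-CAPI2 event to the LogRhythm schema fields above."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    execution = system.find("e:Execution", NS)
    # EventData carries unnamed <Data> elements; per the mapping table the
    # first is the certificate subject (<object>) and the second the hash (<hash>).
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    rule, common_event = SUB_RULES.get(event_id, BASE_RULE)
    return {
        "vendorinfo": provider.get("Name"),
        "vmid": event_id,
        "severity": system.findtext("e:Level", namespaces=NS),
        "processid": int(execution.get("ProcessID")),
        "dname": system.findtext("e:Computer", namespaces=NS),
        "session": execution.get("ThreadID"),
        "object": data[0] if data else None,
        "hash": data[1] if len(data) > 1 else None,
        "rule": rule,
        "common_event": common_event,
        "classification": "Information",
    }
```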