Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Catch All : System Restore Messages | Base Rule | General Backup Information | Information |
| EVID 8194 : System Restore Point Created | Sub Rule | Backup Succeeded | Information |
| EVID 8212 : System Restore Information | Sub Rule | General Backup Information | Information |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='System Restore'/><EventID Qualifiers='0'>8194</EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-15T18:46:16.000000000Z'/><EventRecordID>38102</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Data>C:\WINDOWS\system32\msiexec.exe /V</Data><Data>Removed LogRhythm Console.</Data><Binary>00000000A1010000970100000000000022CE28677C6DDA79E28C1C000000000000000000</Binary></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in log message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| Provider name | System Restore | <vendorinfo> | Text/String |
| Qualifiers | 8194 | <vmid> | Number |
| level | Information | <severity> | Text/String |
| N/A | N/A | <processid> | Number |
| N/A | N/A | <session> | Number |
| Computer | _destinationHostname | <dname> | Text/String |
| EventData | C:\WINDOWS\system32\msiexec.exe /V | <command> | Text/String |
| N/A | Removed LogRhythm Console | <action> | Text/String |
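The following Python script is an added example, not LogRhythm's own parser or MPE rule logic. It applies the classification table and the schema mapping table above to the sample log: it reads the Windows event XML, fills each LogRhythm schema field named in the mapping (emitting None for the fields the table marks N/A), and picks the sub rule by Event ID with the catch-all base rule as fallback. One assumption to note: the mapping table lists the key as Qualifiers with value 8194, but in the sample XML the Qualifiers attribute is '0' and 8194 is the EventID element text, so the example takes <vmid> from EventID. The function and field names are the example's own; the event text is the sample log from this page.

```python
import xml.etree.ElementTree as ET

# Namespace declared on the <Event> element in the sample log.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rule names from the classification table, keyed by Event ID.
SUB_RULES = {
    8194: "EVID 8194 : System Restore Point Created",
    8212: "EVID 8212 : System Restore Information",
}
BASE_RULE = "Catch All : System Restore Messages"

# Sample log from this page (not constructed).
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='System Restore'/><EventID Qualifiers='0'>8194</EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-15T18:46:16.000000000Z'/><EventRecordID>38102</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Data>C:\WINDOWS\system32\msiexec.exe /V</Data><Data>Removed LogRhythm Console.</Data><Binary>00000000A1010000970100000000000022CE28677C6DDA79E28C1C000000000000000000</Binary></EventData></Event>"""


def map_event(xml_text):
    """Map one System Restore event (Windows event XML) to the LogRhythm
    schema fields in the mapping table and select the matching rule.

    For XML from untrusted sources, parse with defusedxml instead of
    xml.etree to guard against entity-expansion payloads.
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))

    # <Data> elements are positional in this provider's events:
    # the first carries the command line, the second the action text.
    data = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]

    return {
        "vendorinfo": provider.get("Name"),                          # Provider name
        "vmid": event_id,                                            # Event ID (8194 in the sample)
        "severity": system.findtext("e:Level", namespaces=NS),       # Level
        "processid": None,                                           # N/A in the mapping table
        "session": None,                                             # N/A in the mapping table
        "dname": system.findtext("e:Computer", namespaces=NS),       # Computer
        "command": data[0] if len(data) > 0 else None,               # first EventData/Data
        # Second Data element; the table shows it without the trailing period.
        "action": data[1].rstrip(".") if len(data) > 1 else None,
        "rule": SUB_RULES.get(event_id, BASE_RULE),                  # sub rule or catch-all
    }


if __name__ == "__main__":
    for field, value in map_event(SAMPLE_EVENT).items():
        print(f"{field:>10}: {value}")
```

Running the script prints one line per schema field for the sample event; an event with an ID other than 8194 or 8212 falls through to the Catch All base rule, which is the behaviour the classification table describes.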