Classification

Rule Name | Rule Type | Common Event | Classification
Certificate Services Client : Cert Enrollment | Base Rule | General CERT_ENROLL Message | Information
EVID 64 : Cert Enroll Successfully Loaded Policy | Sub Rule | SSL Certificate Loaded | Information
EVID 65 : Cert Enroll Auth Success | Sub Rule | SSL Certificate Verified | Information

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-CertificateServicesClient-CertEnroll' Guid='{54164045-7c50-4905-963f-e5bc1eef0cca}' EventSourceName='CertEnroll'/><EventID Qualifiers='33370'>65</EventID><Version>0</Version><Level>Information</Level><Task>None</Task><Opcode></Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-08T08:19:27.000000000Z'/><EventRecordID>712980</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='_sid'/><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security UserID='_domain\_originUser'/></System><EventData><Data Name='Context'>_groupName</Data><Data Name='ServerURL'>DC=schq,DC=_domain,DC=com</Data></EventData></Event>

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value | LogRhythm Schema | Data Type
Provider name | Microsoft-Windows-CertificateServicesClient-CertEnroll | <vendorinfo> | Text/String
Eventid | 65 | <vmid> | Number
Level | Information | <severity> | Text/String
Computer | _destinationHostname | <dname> | Text/String
processid | 0 | <processid> | Number
threadid | _sid | <session> | Number
userid | _domain | <domain> | Text/String
N/A | _originUser | <login> | Text/String
Context | _groupName | <group> | Text/String
N/A | DC=schq,DC=_domain,DC=com | <object> | Text/String
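As an added example (not LogRhythm's parser and not code from this page), the routine below reads a CertEnroll event in the XML form of the sample log and applies the mapping from the table above: it splits the Security UserID into <domain> and <login>, pulls <group> and <object> from the EventData names Context and ServerURL, and resolves the EVID 64/65 sub rules, falling back to the base rule for any other event from this provider. The sample event string is a constructed copy of the page's sample log; the function and field names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CERTENROLL = "Microsoft-Windows-CertificateServicesClient-CertEnroll"

# Sub rules from the rule table: EVID -> Common Event.
# Any other EVID from this provider falls through to the base rule.
SUB_RULES = {64: "SSL Certificate Loaded", 65: "SSL Certificate Verified"}
BASE_RULE = "General CERT_ENROLL Message"


def _number(value):
    """Fields typed Number in the schema; placeholders such as '_sid' are kept as-is."""
    return int(value) if value.isdigit() else value


def map_certenroll_event(xml_text):
    """Return the LogRhythm schema fields for one CertEnroll event, or None
    when the provider is not CertEnroll (the base rule would not match)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    if provider != CERTENROLL:
        return None
    evid = int(system.find("e:EventID", NS).text)
    execution = system.find("e:Execution", NS)
    # Security UserID carries DOMAIN\user: the part before the backslash is
    # <domain>, the part after it is <login>.
    domain, _, login = system.find("e:Security", NS).get("UserID", "").partition("\\")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "common_event": SUB_RULES.get(evid, BASE_RULE),
        "vendorinfo": provider,
        "vmid": evid,
        "severity": system.find("e:Level", NS).text,
        "dname": system.find("e:Computer", NS).text,
        "processid": _number(execution.get("ProcessID")),
        "session": _number(execution.get("ThreadID")),
        "domain": domain,
        "login": login,
        "group": data.get("Context"),
        "object": data.get("ServerURL"),
    }


# Constructed sample event, mirroring the structure of the page's sample log.
SAMPLE = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-CertificateServicesClient-CertEnroll' Guid='{54164045-7c50-4905-963f-e5bc1eef0cca}' EventSourceName='CertEnroll'/><EventID Qualifiers='33370'>65</EventID><Version>0</Version><Level>Information</Level><Task>None</Task><Opcode></Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-08T08:19:27.000000000Z'/><EventRecordID>712980</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='_sid'/><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security UserID='_domain\_originUser'/></System><EventData><Data Name='Context'>_groupName</Data><Data Name='ServerURL'>DC=schq,DC=_domain,DC=com</Data></EventData></Event>"""

if __name__ == "__main__":
    for field, value in map_certenroll_event(SAMPLE).items():
        print(f"{field:>12}: {value}")
```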