Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| EVID 1530 : Registry Key Still In Use | Base Rule | Close Object Failure | Access Failure |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-User Profiles Service' Guid='{89b1e9f0-5aff-44a6-9b44-0a07a7ce5845}'/><EventID>1530</EventID><Version>0</Version><Level>Warning</Level><Task>None</Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated SystemTime='2016-11-18T23:54:43.170411100Z'/><EventRecordID>716262</EventRecordID><Correlation/><Execution ProcessID='956' ThreadID='_sid'/><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security UserID='_domain\_originUser'/></System><EventData Name='EVENT_HIVE_LEAK'><Data Name='Detail'>1 user registry handles leaked from \Registry\User\_domain\_originUser:
Process 12 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\_domain\_originUser\Printers\DevModePerUser
</Data></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| Provider Name | Microsoft-Windows-User Profiles Service | <vendorinfo> | Text/String |
| EventID | 1530 | <vmid> | Number |
| Level | Warning | <severity> | Text/String |
| Computer | _destinationHostname | <dname> | Text/String |
| ProcessID | 956 | <processid> | Number |
| ThreadID | _sid | <session> | Number/String |
| UserID | _domain | <domain> | Text/String |
| N/A | _originUser | <login> | Text/String |
| Detail | 1 | <quantity> | Number |
| Process | svchost.exe | <process> | Text/String |
| N/A | \REGISTRY\USER\_domain\_originUser\Printers\DevModePerUser | <object> | Text/String |
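As an added example (not LogRhythm's own parser or rule code), the Python below extracts each field in the mapping table from the event XML: header fields come from the System element, while quantity, process and object are pulled out of the free-text Detail line with regular expressions. The sample event is a copy of the one shown above with its placeholder values kept; the output keys are the schema tags from the table.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# "<n> user registry handles leaked from <hive>:"  -> quantity
LEAK_RE = re.compile(r"^(\d+) user registry handles leaked from (\S+?):", re.M)
# "Process <pid> (<image path>) has opened key <key>"  -> process, object
HOLDER_RE = re.compile(r"^Process (\d+) \((.+?)\) has opened key (\S+)", re.M)

# Constructed copy of the page's sample event (placeholders kept as-is).
SAMPLE_1530 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-User Profiles Service' Guid='{89b1e9f0-5aff-44a6-9b44-0a07a7ce5845}'/>
<EventID>1530</EventID><Version>0</Version><Level>Warning</Level><Task>None</Task><Opcode>Info</Opcode>
<Keywords></Keywords><TimeCreated SystemTime='2016-11-18T23:54:43.170411100Z'/><EventRecordID>716262</EventRecordID>
<Correlation/><Execution ProcessID='956' ThreadID='_sid'/><Channel>Application</Channel>
<Computer>_destinationHostname</Computer><Security UserID='_domain\_originUser'/></System>
<EventData Name='EVENT_HIVE_LEAK'><Data Name='Detail'>1 user registry handles leaked from \Registry\User\_domain\_originUser:
Process 12 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\_domain\_originUser\Printers\DevModePerUser
</Data></EventData></Event>"""


def parse_event_1530(xml_text: str) -> dict:
    """Map a User Profile Service 1530 event onto the LogRhythm schema fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "1530":
        raise ValueError("not a Microsoft-Windows-User Profiles Service 1530 event")
    # UserID is 'DOMAIN\user'; the table maps the two halves to <domain> and <login>.
    domain, _, login = system.find("e:Security", NS).get("UserID", "").partition("\\")
    execution = system.find("e:Execution", NS)
    detail = root.findtext("e:EventData/e:Data[@Name='Detail']", "", NS)
    leak = LEAK_RE.search(detail)
    holder = HOLDER_RE.search(detail)
    return {
        "vendorinfo": system.find("e:Provider", NS).get("Name"),
        "vmid": int(system.findtext("e:EventID", namespaces=NS)),
        "severity": system.findtext("e:Level", namespaces=NS),
        "dname": system.findtext("e:Computer", namespaces=NS),
        "processid": int(execution.get("ProcessID")),  # the logging process, not the holder PID
        "session": execution.get("ThreadID"),
        "domain": domain,
        "login": login,
        "quantity": int(leak.group(1)) if leak else None,
        "process": holder.group(2).rsplit("\\", 1)[-1] if holder else None,  # image basename
        "object": holder.group(3) if holder else None,
    }


def parse_sample() -> dict:
    return parse_event_1530(SAMPLE_1530)
```

The holder PID in the Detail text (12 in the sample) is deliberately not used for <processid>, matching the table, which takes 956 from the Execution element.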