Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| LogRhythm KB Admin Service | Base Rule | File Download | Information |
| EVID 1001 : KB Download Success | Sub Rule | Object Downloaded | Access Success |
| EVID 1002 : KB Download Success | Sub Rule | Object Downloaded | Access Success |
| EVID 1003 : No Deployment Record Found For License | Sub Rule | Download Object Failure | Access Failure |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='LogRhythm KB Admin Service'/><EventID Qualifiers='0'>1002</EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-10-26T01:27:39.000000000Z'/><EventRecordID>2789007</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System><EventData><Data>Successful download for deployment ID: 23e6e6a7-fb6e-3c91-e3d6-d076a9eae511</Data></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| Provider Name | Successful download for deployment ID: 23e6e6a7-fb6e-3c91-e3d6-d076a9eae511 | <vendorinfo> | Text/String |
| EventID Qualifiers | 1002 | <vmid> | Number |
| Level | information | <severity> | Text/String |
| Computer | _destinationhostname | <dname> | Text/String |
| N/A | 23e6e6a7-fb6e-3c91-e3d6-d076a9eae511 | <object> | Text/String |
| N/A | N/A | <objectname> | Text/String |
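The parsing and mapping described by the two tables above, as an added example (not LogRhythm's own code): it reads the Windows event XML for the KB Admin Service, fills the schema fields from the mapping table, and picks the sub rule from the EVID. The fallback to the base rule's "File Download" / "Information" for an unlisted EVID is an assumption, and the sample event is the page's own sample log embedded as a constant.

```python
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Sub rule table from the page: EVID -> (Common Event, Classification)
SUB_RULES = {
    1001: ("Object Downloaded", "Access Success"),
    1002: ("Object Downloaded", "Access Success"),
    1003: ("Download Object Failure", "Access Failure"),
}
# Assumed fallback: an EVID not covered by a sub rule matches the base rule
BASE_RULE = ("File Download", "Information")

# Deployment IDs are GUIDs; the mapping puts this value into <object>
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample: the page's own sample log, copied as one string
SAMPLE_LOG = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='LogRhythm KB Admin Service'/>"
    "<EventID Qualifiers='0'>1002</EventID><Level>Information</Level>"
    "<Task>None</Task><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-10-26T01:27:39.000000000Z'/>"
    "<EventRecordID>2789007</EventRecordID><Channel>Application</Channel>"
    "<Computer>_destinationhostname</Computer><Security/></System>"
    "<EventData><Data>Successful download for deployment ID: "
    "23e6e6a7-fb6e-3c91-e3d6-d076a9eae511</Data></EventData></Event>"
)


def parse_kb_admin_event(xml_text: str) -> dict:
    """Map one KB Admin Service event onto the LogRhythm schema fields."""
    root = ET.fromstring(xml_text)
    system = root.find(EVENT_NS + "System")
    provider = system.find(EVENT_NS + "Provider").get("Name")
    if provider != "LogRhythm KB Admin Service":
        raise ValueError(f"not a KB Admin Service event: {provider!r}")
    event_id = int(system.findtext(EVENT_NS + "EventID"))
    data = root.find(EVENT_NS + "EventData").findtext(EVENT_NS + "Data") or ""
    guid = GUID_RE.search(data)
    common_event, classification = SUB_RULES.get(event_id, BASE_RULE)
    return {
        "vendorinfo": data,                      # full message text
        "vmid": event_id,                        # EventID -> <vmid>
        "severity": system.findtext(EVENT_NS + "Level").lower(),
        "dname": system.findtext(EVENT_NS + "Computer"),
        "object": guid.group(0) if guid else None,  # deployment ID
        "objectname": None,                      # N/A for this source
        "common_event": common_event,
        "classification": classification,
    }
```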