Classification

Rule Name                                  | Rule Type | Common Event                    | Classification
MS Windows Log Messages                    | Base Rule | Windows Informational Event     | Information
EVID 64 : Windows Certificate Messages     | Sub Rule  | Windows Warning Event           | Warning
EVID 257 : Defrag Messages                 | Sub Rule  | General O&O Defrag Error        | Error
EVID 258 : Defrag Information              | Sub Rule  | General O&O Defrag Information  | Information
EVID 1008 : Perflib Event Message          | Sub Rule  | General Perflib Error           | Error
EVID 4005 : Logon Process Terminated       | Sub Rule  | General Winlogon Information    | Information
EVID 6000 : Winlogon Information           | Sub Rule  | General Winlogon Information    | Information
EVID 6003 : Winlogon Information Messages  | Sub Rule  | General Winlogon Information    | Information

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-WMI' Guid='{1edeee53-0afe-4609-b846-d8c0b2075b1f}' EventSourceName='WinMgmt'/><EventID Qualifiers='49152'>5605</EventID><Version>0</Version><Level>Warning</Level><Task>None</Task><Opcode></Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2018-08-01T09:29:07.000000000Z'/><EventRecordID>1039786</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='_sid'/><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Data>_domainOrigin\_originUser</Data></EventData></Event>

Mapping with LogRhythm Schema  

Device Key in Log Message | Log Value             | LogRhythm Schema | Data Type
Name                      | Microsoft-Windows-WMI | <vendorinfo>     | Text/String
EventID                   | 5605                  | <vmid>           | Number
Level                     | Warning               | <severity>       | Text/String
Computer                  | _destinationHostname  | <dname>          | Text/String
ThreadID                  | _sid                  | <session>        | Number
N/A                       | N/A                   | <process>        | Text/String
ProcessID                 | 0                     | <processid>      | Number
Channel                   | Application           | <object>         | Text/String
N/A                       | N/A                   | <objectname>     | Text/String
N/A                       | N/A                   | <subject>        | Text/String
Version                   | 0                     | <version>        | Number
N/A                       | N/A                   | <useragent>      | Text/String
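The following Python script is an added example, not LogRhythm's own MPE parser. It applies the mapping table above to the sample log on this page (embedded verbatim so it runs offline), then picks the sub rule or base rule from the classification table. Two assumptions are worth stating: rule selection here is by EventID alone, whereas a real MPE rule matches on a regular expression over the whole message, and the second record (a Winlogon EVID 6000) is constructed test data, not a log from the page. Note that the sample's ThreadID is the placeholder `_sid`, so a field the schema types as Number may not parse as one; the script keeps such values as strings instead of failing.

```python
"""Added example: map Windows Event XML to the LogRhythm schema fields
listed on this page, then classify by EventID. Not LogRhythm code."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sub rules from the classification table on this page, keyed by EventID.
# Any other EventID falls through to the base rule.
SUB_RULES = {
    64:   ("EVID 64 : Windows Certificate Messages", "Windows Warning Event", "Warning"),
    257:  ("EVID 257 : Defrag Messages", "General O&O Defrag Error", "Error"),
    258:  ("EVID 258 : Defrag Information", "General O&O Defrag Information", "Information"),
    1008: ("EVID 1008 : Perflib Event Message", "General Perflib Error", "Error"),
    4005: ("EVID 4005 : Logon Process Terminated", "General Winlogon Information", "Information"),
    6000: ("EVID 6000 : Winlogon Information", "General Winlogon Information", "Information"),
    6003: ("EVID 6003 : Winlogon Information Messages", "General Winlogon Information", "Information"),
}
BASE_RULE = ("MS Windows Log Messages", "Windows Informational Event", "Information")

# The sample log from this page, copied verbatim.
SAMPLE = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Microsoft-Windows-WMI' Guid='{1edeee53-0afe-4609-b846-d8c0b2075b1f}' "
    "EventSourceName='WinMgmt'/><EventID Qualifiers='49152'>5605</EventID><Version>0</Version>"
    "<Level>Warning</Level><Task>None</Task><Opcode></Opcode><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2018-08-01T09:29:07.000000000Z'/><EventRecordID>1039786</EventRecordID>"
    "<Correlation/><Execution ProcessID='0' ThreadID='_sid'/><Channel>Application</Channel>"
    "<Computer>_destinationHostname</Computer><Security/></System>"
    "<EventData><Data>_domainOrigin\\_originUser</Data></EventData></Event>"
)


def _num(value):
    """Schema fields typed Number: convert to int, but keep unparsable
    placeholders such as '_sid' as strings rather than dropping the event."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return value


def map_event(xml_text):
    """Extract the LogRhythm schema fields from one Windows Event XML record,
    following the Device Key -> Schema mapping table on this page."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)

    def text(tag):
        return (system.findtext(f"e:{tag}", default="", namespaces=NS) or "").strip()

    provider = system.find("e:Provider", NS)
    execution = system.find("e:Execution", NS)
    return {
        "vendorinfo": provider.get("Name", "") if provider is not None else "",
        "vmid": _num(text("EventID")),
        "severity": text("Level"),
        "dname": text("Computer"),
        "session": _num(execution.get("ThreadID")) if execution is not None else None,
        "processid": _num(execution.get("ProcessID")) if execution is not None else None,
        "object": text("Channel"),
        "version": _num(text("Version")),
    }


def classify(fields):
    """Select the sub rule for a known EventID, otherwise the base rule
    (assumption: lookup by EventID only, unlike a regex-based MPE rule)."""
    rule, common_event, classification = SUB_RULES.get(fields["vmid"], BASE_RULE)
    return {"rule": rule, "common_event": common_event, "classification": classification}


def make_event(provider, event_id, level, computer="HOST01", pid="512", tid="4"):
    """Build a minimal event record for testing (constructed data, not a real log)."""
    return (
        f"<Event xmlns='{NS['e']}'><System><Provider Name='{provider}'/>"
        f"<EventID>{event_id}</EventID><Version>0</Version><Level>{level}</Level>"
        f"<Execution ProcessID='{pid}' ThreadID='{tid}'/><Channel>Application</Channel>"
        f"<Computer>{computer}</Computer></System></Event>"
    )


if __name__ == "__main__":
    for record in (SAMPLE, make_event("Microsoft-Windows-Winlogon", 6000, "Information")):
        fields = map_event(record)
        print(fields, "->", classify(fields))
```

Running the script prints the schema fields for the page's WMI 5605 sample (which hits the base rule) and for the constructed Winlogon 6000 record (which hits the "General Winlogon Information" sub rule).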