Applications that sign and verify XML digital signatures should be written according to the following best practices to avoid denial of service attacks, data loss, and compromise of private information. The list below provides general guidance; however, developers are encouraged to perform additional security analysis specific to their applications and review the latest digital signatures best practices published by the W3C.

Device Details

Device Name | MS Windows Event Logging XML - Security
Vendor | MS Windows
Device Type | MS Windows Security Applications
Supported Model Name/Number | Windows Server 2008, 2012, 2016+
Supported Software Version(s) | N/A
Collection Method | MS Windows Event Logging
Configurable Log Output? | N/A
Log Source Type | MS Windows Event Logging XML - Security
Log Processing Policy | LogRhythm Default v2.0
Exceptions | N/A
Additional Information | Microsoft Security documentation

Prerequisites

• Deployment of application and its credentials.


Support for ADFS Events

Log Source Stabilization (LSS) does not support ADFS Events with the updated MPE rules and log processing policy (LogRhythm Default v2.0). ADFS Events are supported separately with MS Windows Event Logging XML - ADFS. If you are using Microsoft Active Directory Federation Services (ADFS) and streaming ADFS logs through Windows Security log source types, we recommend using log source virtualization to stream MS Windows Event Logging XML - ADFS log messages.

For more information, see Log Source Virtualization.

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

Type | Product Version | Supported Schema Fields
V 2.0 : Catch All (Security) | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <result>, <responsecode>, <tag2>
V 2.0 : Account Management | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <subject>, <result>, <group>, <tag1>, <tag2>
V 2.0 : Active Directory Replica Context Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <session>, <tag1>, <responsecode>
V 2.0 : AD Object Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <domainimpacted>, <objectname>, <object>, <objecttype>
V 2.0 : Audit Policy Modified | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <policy>, <objectname>, <object>, <tag2>, <action>
V 2.0 : Certification Services Events | N/A | <vmid>, <tag1>, <severity>, <vendorinfo>, <result>, <dname>
V 2.0 : COM+ Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>
V 2.0 : Credential Manager Events | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <quantity>
V 2.0 : Cryptographic File/Key Operations | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <object>, <objecttype>, <objectname>, <policy>, <action>, <result>, <responsecode>, <tag2>
V 2.0 : Cryptographic Next Generation Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <tag2>
V 2.0 : Domain Trust Information | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <domainimpacted>, <login>, <domainorigin>, <session>
V 2.0 : DPAPI Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session>
V 2.0 : Event Logging Service Messages | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <object>, <subject>, <result>, <responsecode>, <tag1>
V 2.0 : EVID 521 : Failed Writing Audit Logs | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <responsecode>, <quantity>
V 2.0 : EVID 4616 : System Time Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid>
V 2.0 : EVID 4625 : User Account Logon Failure | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <sip>, <sport>, <login>, <domainorigin>, <sessiontype>, <process>, <processid>, <object>, <objectname>, <result>, <responsecode>, <size>, <tag1>, <tag2>
V 2.0 : EVID 4627 : Group Membership Information | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <sessiontype>
V 2.0 : EVID 4634/4647 : Account Logoff Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag2>, <dname>, <login>, <tag1>, <domainorigin>, <session>, <sessiontype>, <tag3>
V 2.0 : EVID 4648 : Logon Using Explicit Credentials | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <sip>, <sport>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <process>, <processid>, <result>
V 2.0 : EVID 4657 : Registry Value Modified | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <subject>, <processid>, <process>
V 2.0 : EVID 4662 : Operation Performed on AD Object | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <objecttype>, <subject>
V 2.0 : EVID 4670 : Object Permissions Changed | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid>, <object>, <objectname>, <objecttype>, <result>
V 2.0 : EVID 4672 : Special Privilgs Asignd To Lgn | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <command>
V 2.0 : EVID 4675 : SIDs Were Filtered | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>
V 2.0 : EVID 4696 : Token Assigned to Process | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>
V 2.0 : EVID 4697 : Service Installed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object>, <status>, <account>
V 2.0 : EVID 4703 : User Rights Adjusted | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <process>, <processid>, <result>
V 2.0 : EVID 4704/4705 : User Rights Assignment | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <subject>, <result>
V 2.0 : EVID 4739 : Domain Policy Modified | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <domainimpacted>, <login>, <domainorigin>, <session>
V 2.0 : EVID 4740 : User Account Lockout | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <sname>, <login>, <domainorigin>, <account>, <session>, <result>, <tag1>
V 2.0 : EVID 4768, 4771 : Kerberos TGT Failure Message | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <dname>, <sport>, <login>, <domainorigin>, <process>, <result>, <responsecode>, <tag1>, <tag2>, <tag3>
V 2.0 : EVID 4769, 4770 : Kerberos TGS Messages | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <dname>, <sport>, <login>, <domainorigin>, <process>, <policy>, <command>, <result>, <responsecode>, <tag1>, <tag3>
V 2.0 : EVID 4774 : Account Logon Mapping Event | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <account>
V 2.0 : EVID 4776 : Credentials Validation Of Account | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <result>, <status>, <tag1>, <tag2>, <tag3>
V 2.0 : EVID 4778/4779 : Windows Station Session | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <sname>, <dname>, <login>, <domainorigin>, <session>, <result>, <sessiontype>
V 2.0 : EVID 4781 : User Account Name Changed | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <object>, <result>, <tag1>
V 2.0 : EVID 4793 : Password Policy Checking API Called | N/A | <vmid>, <severity>, <vendorinfo>, <sip>, <result>, <sname>, <login>, <domainorigin>, <session>, <dname>, <account>
V 2.0 : EVID 4794 : DS Restore Mode Admin Password Set | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <sname>, <login>, <domainorigin>, <session>, <result>, <status>, <tag1>
V 2.0 : EVID 4798 : User's Local Group Membership | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <process>, <processid>, <result>
V 2.0 : EVID 4797 : Blank Passwords Queried | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <account>
V 2.0 : EVID 4800-4803 : Lock and Unlock Events | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <session>, <result>, <tag1>
V 2.0 : EVID 4826 : Boot Configuration Data Loaded | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <status>
V 2.0 : EVID 4950 : WFP - Setting Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <policy>, <object>, <command>
V 2.0 : EVID 4964 : Special Groups Assigned to Log | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <login>, <domainorigin>, <account>, <domainimpacted>, <session>, <result>, <group>
V 2.0 : EVID 4985 : Transaction State Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <object>, <processid>, <processname>
V 2.0 : EVID 5031 : WFP - Application Blocked | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <process>
V 2.0 : EVID 5446 : Windows Filtering Platform Call | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object>
V 2.0 : EVID 5448 : Windows Filtering Platform Provider Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object>
V 2.0 : EVID 5450 : Windows Filtering Platform Sub-layer Changed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid>, <login>, <object>
V 2.0 : EVID 5632 : WLAN Authentication Failure | N/A | <vmid>, <severity>, <vendorinfo>, <sname>, <smac>, <dmac>, <login>, <domainorigin>, <session>, <result>, <reason>, <tag1>, <tag2>
V 2.0 : EVID 5633 : Wired Network Authentication Failed | N/A | <vmid>, <severity>, <vendorinfo>, <sname>, <login>, <domainorigin>, <session>, <result>, <reason>, <tag1>
V 2.0 : EVID 6281 : File Integrity Failure | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object>
V 2.0 : General Policy Change Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>
V 2.0 : Group Management Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <account>, <action>, <group>, <domainimpacted>, <login>, <domainorigin>, <session>, <processid>, <process>
V 2.0 : Local Security Authority Package Management Event | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <objectname>, <login>, <domainorigin>, <session>, <object>
V 2.0 : Network Policy Server Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <dmac>, <smac>, <objecttype>, <dip>, <policy>, <responsecode>, <reason>
V 2.0 : Network Share Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <objecttype>, <sip>, <sport>
V 2.0 : Object Access Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <processid>, <process>, <object>
V 2.0 : Object Auditing Settings Modified | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object>, <processid>, <process>
V 2.0 : Plug and Play Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objecttype>, <objectname>, <object>
V 2.0 : Privilege Use Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <objecttype>, <object>, <subject>, <processid>, <process>
V 2.0 : Process Creation/Termination Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <processid>, <process>, <parentprocessid>, <command>, <account>, <domainimpacted>, <parentprocessname>
V 2.0 : Scheduled Task Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <sessiontype>, <command>, <objectname>
V 2.0 : Security Event Source Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>, <objectname>, <object>, <processid>, <process>
V 2.0 : Successful Account Logon Events | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <sip>, <sport>, <login>, <domainorigin>, <session>, <sessiontype>, <process>, <processid>, <object>, <objectname>, <result>, <size>, <tag1>, <tag2>, <tag3>
V 2.0 : System Security Access Modification | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <login>, <domainorigin>, <session>
V 2.0 : Trusted Forest Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <domainimpacted>, <login>, <domainorigin>, <session>
V 2.0 : Windows Filtering Platform Rule Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <policy>, <reason>, <object>, <objectname>
V 2.0 : Windows Firewall Connection Events | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <tag1>, <dname>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum>
V 2.0 : EVID 5157 : WFP - Connection Blocked | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum>
V 2.0 : EVID 5156 : WFP - Connection Permitted | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <processid>, <process>, <sip>, <sport>, <dip>, <dport>, <protnum>
V 2.0 : EVID 5038 : Image Hash Of File Not Valid | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object>
V 2.0 : EVID 6279 : NPS - User Account Locked | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <account>, <domainimpacted>

Revision History

KB Version | Log Type | Change Type | Details
KB 7.1.591.0 | MS Windows Event Logging XML - Security | New Log Source Optimization (LSO) policy: LogRhythm Default v2.0 | Optimized new log processing policy for MS Windows Event Logging XML - Security.