Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Supported data sources in behavioral analytics service

Behavioral analytics service uses the following data source to generate anomalies.

| Data source | sourcetype |
| --- | --- |
| Windows security logs | XmlWinEventLog, WinEventLog, windows_snare_syslog |

See Windows event IDs supported in behavioral analytics service.

The following data sources can be ingested into behavioral analytics service but do not generate anomalies. Behavioral analytics service extracts metadata from these data sources such as session data, which is used for identity resolution.

| Data source | sourcetype |
| --- | --- |
| AWS CloudTrail logs | aws:cloudtrail |
| Bit9 (Carbon Black) | bit9:carbonblack:json |
| Blue Coat ProxySG syslog for bcereportermain_vi | bluecoat:proxy:access:syslog |
| Blue Coat ProxySG syslog for KV mode | bluecoat:proxysg:access:kv |
| Cisco ASA firewall logs | cisco:asa |
| Cisco ASA VPN logs | cisco:cisco_vpn |
| CrowdStrike logs | CrowdStrike:Event:Streams:JSON |
| Infoblox DHCP logs | infoblox:dhcp |
| Infoblox DNS logs | infoblox:dns |
| Infoblox ThreatProtect logs | infoblox:threatprotect |
| McAfee Web Gateway | webgateway |
| Microsoft Office 365 email logs | ms:o365:email |
| Microsoft Office 365 Management Activity alerts | o365:management:activity, for the AzureActiveDirectory and SecurityComplianceCenter workload types |
| Palo Alto Networks | pan:traffic |
| Proofpoint Tap SIEM | Proofpoint_tap_siem |
| Proofpoint Mail logs | pps_maillog |
| Symantec Data Loss Prevention (DLP) for email | symantec:dlp:syslog |
| Windows sysmon logs (see Windows event IDs supported in behavioral analytics service) | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows DHCP logs in CSV format for DNS data | dhcp |

Windows event IDs supported in Splunk Behavioral Analytics

The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. For instructions on configuring Windows so that these events are actually logged, see Configure Windows event logging.

| Event ID | Description | Supported for XmlWinEventLog | Supported for WinEventLog |
| --- | --- | --- | --- |
| 4103 | Windows license activation failed | Yes | Yes |
| 4104 | PowerShell script block logging | Yes | Yes |
| 4624 | An account was successfully logged on | Yes | Yes |
| 4625 | An account failed to log on | Yes | Yes |
| 4661 | A handle to an object was requested | Yes | Yes |
| 4662 | An operation was performed on an object | Yes | Yes |
| 4663 | An attempt was made to access an object | Yes | Yes |
| 4672 | Special privileges assigned to new logon | No | Yes |
| 4688 | A new process has been created | Yes | Yes |
| 4689 | A process has exited | Yes | Yes |
| 4768 | A Kerberos authentication ticket (TGT) was requested | Yes | Yes |
| 4769 | A Kerberos service ticket was requested | Yes | Yes |
| 4776 | The domain controller attempted to validate the credentials for an account | No | Yes |
| 5140 | A network share object was accessed | Yes | Yes |
| 5145 | A network share object was checked to see whether client can be granted desired access | Yes | Yes |

Data source sample events and field mappings

Behavioral analytics service extracts the values of specific fields from each data source and maps them to the names its models use. Expand each Fields and Mapping section to see how fields in raw events are mapped. The tables in the Fields and Mapping sections contain the following columns:

| Table column | Description |
| --- | --- |
| Raw event field name | The original name of the field in the raw event. |
| Behavioral analytics service token name | What the field in the raw event is mapped to in behavioral analytics service. For example, the raw event may contain a field named threatURL, but the models in behavioral analytics service require a field named threat_url. |
| Behavioral analytics service entity/field type | The field used to enrich entities with assets and identities data. For example, a local_ip field in the raw event marked as dest_user/DNS in the table defines the database table used to perform the lookup, so DNS addresses are searched when performing the lookup instead of IP tables. |
| Behavioral analytics service data model | Data models in behavioral analytics service normalize data into specific categories like Authorization or Endpoint. The detections in the system run queries against this normalized data instead of running vendor-specific queries. |

XmlWinEventLog logs

Sample XmlWinEventLog events

4689

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4689</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>13313</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
      <EventRecordID>187030</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="144" />
      <Channel>Security</Channel>
      <Computer>DC01.contoso.local</Computer>
      <Security />
   </System>
   <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
      <Data Name="SubjectUserName">dadmin</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x31365</Data>
      <Data Name="Status">0x0</Data>
      <Data Name="ProcessId">0xfb0</Data>
      <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
   </EventData>
</Event>
```

5140

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4689</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>13313</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
      <EventRecordID>187030</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="144" />
      <Channel>Security</Channel>
      <Computer>DC01.contoso.local</Computer>
      <Security />
   </System>
   <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
      <Data Name="SubjectUserName">dadmin</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x31365</Data>
      <Data Name="Status">0x0</Data>
      <Data Name="ProcessId">0xfb0</Data>
      <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
   </EventData>
</Event>
```

5145

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>5145</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12811</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
      <EventRecordID>267092</EventRecordID>
      <Correlation />
      <Execution ProcessID="516" ThreadID="524" />
      <Channel>Security</Channel>
      <Computer>DC01.contoso.local</Computer>
      <Security />
   </System>
   <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
      <Data Name="SubjectUserName">dadmin</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x38d34</Data>
      <Data Name="ObjectType">File</Data>
      <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
      <Data Name="IpPort">56926</Data>
      <Data Name="ShareName">\\\\\*\\Documents</Data>
      <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
      <Data Name="RelativeTargetName">Bginfo.exe</Data>
      <Data Name="AccessMask">0x100081</Data>
      <Data Name="AccessList">%%1541 %%4416 %%4423</Data>
      <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
   </EventData>
</Event>
```

Fields and mapping

4103

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Provider | source_name | | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| UserID | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| Payload | process | | Endpoint_Processes |
| Use constant value of "powershell.exe" | parent_process_name, process_name | | Endpoint_Processes |
| Task | task_category (extended) | | |
| Channel | log_name (extended) | | |
| EventID | signature_id (extended) | | |

4104

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Provider (Name attribute) | source_name | | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| Path | process_path (extracted from the script path), process_name (extracted from the script path) | | Endpoint_Processes |
| Use constant value of "powershell.exe" | parent_process_name | | Endpoint_Processes |
| Task | task_category (extended) | | |
| Channel | log_name (extended) | | |
| EventID | signature_id (extended) | | |

4624

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Keywords | action (calculated field) | | Authentication |
| Static value: "An account was successfully logged on" | signature | | Authentication |
| EventID | signature_id | | Authentication |
| Computer | origin_device_domain | src_device/DNS | Authentication |
| FailureReason | reason | | Authentication |
| SubjectUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
| TargetUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
| TargetDomainName | dest_nt_domain | | Authentication |
| AuthenticationPackageName | auth_pkg | | Authentication |
| LogonType | authentication_type, authentication_type_name (calculated field) | | Authentication |
| LoginProcessName | authentication_method | | Authentication |
| ProcessName | app | | Authentication |
| WorkstationName | | src_device/DNS | Authentication |
| ipAddress | | dest_device/IP, src_device/IP | Authentication |
| Keywords | action (calculated field) | | Endpoint_Processes |
| Static value: "Microsoft Windows" | vendor_product, os | | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| SubjectUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| TargetUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| ProcessId | process_id | | Endpoint_Processes |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process (if ProcessName is empty, process_name and process_exec are extracted from Login Process) | | Endpoint_Processes |
| WorkstationName | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| ipAddress | | dest_device/IP, endpoint_device/DNS | Endpoint_Processes |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |

4625

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Keywords | action (calculated field) | | Authentication |
| Static value: "An account failed to log on" | signature | | Authentication |
| EventID | signature_id | | Authentication |
| Computer | origin_device_domain | src_device/DNS | Authentication |
| FailureReason | reason | | Authentication |
| SubjectUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
| TargetUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
| TargetDomainName | dest_nt_domain | | Authentication |
| AuthenticationPackageName | auth_pkg | | Authentication |
| LogonType | authentication_type, authentication_type_name (calculated field) | | Authentication |
| LoginProcessName | authentication_method | | Authentication |
| ProcessName | app | | Authentication |
| WorkstationName | | src_device/DNS | Authentication |
| ipAddress | | dest_device/IP, src_device/IP | Authentication |
| Status | event_return_code (calculated field) | | Authentication |
| ActiveDirectory (static value) | authentication_service | | Authentication |
| Keywords | action (calculated field) | | Endpoint_Processes |
| Static value: "Microsoft Windows" | vendor_product, os | | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| SubjectUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| TargetUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| ProcessId | process_id | | Endpoint_Processes |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process (if ProcessName is empty, process_name and process_exec are extracted from Login Process) | | Endpoint_Processes |
| WorkstationName | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| ipAddress | | dest_device/IP, endpoint_device/DNS | Endpoint_Processes |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |

4661

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| ObjectName | resource_handle | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| HandleId | resource_handle_id | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| PrivilegeList | resource_operation_privileges | | Endpoint_ResourceAccess |
| Properties | resource_operation_properties | | Endpoint_ResourceAccess |
| RestrictedSidCount | resource_operation_restricted_sid_count | | Endpoint_ResourceAccess |
| AccessList | resource_operation_access | | Endpoint_ResourceAccess |
| ProcessId | process_id | | Endpoint_Process |
| ProcessName | process_name, process_path | | Endpoint_Process |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
| TransactionId | resource_operation_transaction_id | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
| ObjectName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4662

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| ObjectName | resource_handle | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| HandleId | resource_handle_id | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| Properties | resource_operation_properties | | Endpoint_ResourceAccess |
| RestrictedSidCount | resource_operation_restricted_sid_count | | Endpoint_ResourceAccess |
| AccessList | resource_operation_access | | Endpoint_ResourceAccess |
| OperationType | resource_operation_type | | Endpoint_ResourceAccess |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Computer | | dest_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess |
| SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4663

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| ObjectName | resource_handle | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| HandleId | resource_handle_id | | Endpoint_ResourceAccess |
| AccessList | resource_operation_access | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| ProcessId | process_id | | Endpoint_Process |
| ProcessName | process_name, process_path | | Endpoint_Process |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes |
| SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
| ObjectName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4688

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| CommandLine | process | | Endpoint_Process |
| Keywords | action (calculated field) | | Endpoint_Processes |
| NewProcessId | process_id | | Endpoint_Processes |
| NewProcessName | process_name, process_exec, process_current_directory, process_path | | Endpoint_Processes |
| Microsoft Windows (static value) | vendor_product, os | | Endpoint_Processes |
| ParentProcessName | parent_process_name | | Endpoint_Processes |
| ProcessId | parent_process_id | | Endpoint_Processes |
| TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
| Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4689

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Keywords | action (calculated field) | | Endpoint_Processes |
| Microsoft Windows (static value) | vendor_product, os | | Endpoint_Processes |
| Computer | | dest_device/DNS | Endpoint_Processes |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME (dest_user is populated only if SubjectUserName does not end in $) | Endpoint_Processes |
| ProcessId | process_id | | Endpoint_Processes |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process | | Endpoint_Processes |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |

4768

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Status | action (if Status is 0x0, the action is Successful; otherwise, the action is Failed) | | Authentication |
| Use the static value "Kerberos" | authentication_method | | Authentication |
| Use the static value "ActiveDirectory" | authentication_service | | Authentication |
| Use the static value "Network" | authentication_type_name | | Authentication |
| TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if TargetUserName contains a user, dest_user is populated; if it contains a device name, dest_device is populated) | Authentication |
| Status | reason: if Status = 0x0, "Success"; if Status = 0x18, 0xc0000064, or 0xc000006e, "Invalid Password"; if Status = 0x1, 0x2, 0x17, 0xc0000071, or 0xc0000193, "ExpiredPassword"; if Status = 0x18, 0xc0000064, or 0xc000006e, "RevokedCredentials" | | Authentication |
| Status | event_return_code | | Authentication |
| Use the static value "A Kerberos authentication ticket (TGT) was requested." | signature | | Authentication |
| EventID | signature_id | | Authentication |
| Use the static value "ActiveDirectory" | app | | Authentication |
| IpPort | dest_port | | Certificates |
| CertThumbprint | ssl_hash | | Certificates |
| CertIssuerName | ssl_issuer | | Certificates |
| CertIssuerName | ssl_issuer_common_name | | Certificates |
| CertSerialNumber | ssl_serial | | Certificates |
| Status | ssl_is_valid: if Status = 0x3E or 0x3F, "false"; otherwise, "true" | | Certificates |
| TicketEncryptionType | ssl_signature_algorithm: 0x1 = "DES-CBC-CRC", 0x3 = "DES-CBC-MD5", 0x11 = "AES128-CTS-HMAC-SHA1-96", 0x12 = "AES256-CTS-HMAC-SHA1-96", 0x17 = "RC4-HMAC", 0x18 = "RC4-HMAC-EXP" | | |
| Task | task_category (extended) | | |
| Provider (name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| TargetDomainName | account_domain (extended) | | |

4769

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| Keywords | action (if Keywords is 0x8020000000000000, the action is Successful; otherwise, the action is Failed) | | Authentication |
| Use the static value "Kerberos" | authentication_method | | Authentication |
| Use the static value "ActiveDirectory" | authentication_service | | Authentication |
| Use the static value "Network" | authentication_type_name | | Authentication |
| Computer | origin_device_domain | origin_device/DNS | Authentication |
| Use the static value "A Kerberos service ticket was requested." | signature | | Authentication |
| EventID | signature_id | | Authentication |
| TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if TargetUserName contains a user, dest_user is populated; if it contains a device name, dest_device is populated) | Authentication |
| TargetDomainName | dest_nt_domain | | Authentication |
| IpAddress | | dest_device/IP | Authentication |
| Status | event_return_code, reason: if Result Code = 0x0, "Success"; if Result Code = 0x18, 0xc0000064, or 0xc000006e, "Invalid Password"; if Result Code = 0x1, 0x2, 0x17, 0xc0000071, or 0xc0000193, "ExpiredPassword"; if Result Code = 0x18, 0xc0000064, or 0xc000006e, "RevokedCredentials" | | Authentication |
| Use the static value "ActiveDirectory" | app | | Authentication |

5140

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Task | task_category | | Endpoint_ResourceAccess |
| Provider (name attribute) | source_name | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| AccessList | resource_operation_accesses | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| Channel | log_name | | Endpoint_ResourceAccess |
| ShareName | resource_handle | | Endpoint_ResourceAccess |
| SubjectDomainName | account_domain | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| ShareLocalPath | resource_handle_path (extended) | | Endpoint_ResourceAccess (v2) |
| EventID | signature_id (extended) | | Endpoint_ResourceAccess (v2) |
| IpAddress | source_address (extended) | | Endpoint_ResourceAccess (v2) |
| Computer | dest_nt_domain | | Endpoint_ResourceAccess (v2) |
| IpPort | source_port (extended) | | Endpoint_ResourceAccess (v2) |
| Computer | | dest_device/DNS | Endpoint_ResourceAccess |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if SubjectUserName contains a user name, dest_user is populated; if it contains a device, dest_device is populated) | Endpoint_ResourceAccess |

5145

| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
| --- | --- | --- | --- |
| | event_description (calculated field) | | Endpoint_ResourceAccess |
| Task | task_category | | Endpoint_ResourceAccess |
| Provider (name attribute) | source_name | | Endpoint_ResourceAccess |
| AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
| AccessList | resource_operation_accesses | | Endpoint_ResourceAccess |
| ObjectType | resource_type | | Endpoint_ResourceAccess |
| Channel | log_name | | Endpoint_ResourceAccess |
| ShareName | resource_handle | | Endpoint_ResourceAccess |
| SubjectDomainName | account_domain | | Endpoint_ResourceAccess |
| Keywords | event_status | | Endpoint_ResourceAccess |
| RelativeTargetName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
| ShareLocalPath | resource_handle_path (extended) | | Endpoint_ResourceAccess (v2) |
| EventID | signature_id (extended) | | Endpoint_ResourceAccess (v2) |
| IpAddress | source_address (extended) | | Endpoint_ResourceAccess (v2) |
| Computer | dest_nt_domain | | Endpoint_ResourceAccess (v2) |
| IpPort | source_port (extended) | | Endpoint_ResourceAccess (v2) |
| Computer | | dest_device/DNS | Endpoint_ResourceAccess |
| SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess |
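The 4768 rules above (Status to action and reason, TicketEncryptionType to ssl_signature_algorithm, TargetUserName to dest_user or dest_device) and the 5145 share-access mapping, as an added Python example that is not Splunk's own code or mapping logic. The two sample events are constructed, and treating a trailing "$" as a machine account is an assumption borrowed from the 4689 SubjectUserName row.

```python
# Added example (not Splunk's code): normalize XmlWinEventLog 4768 and 5145
# events into the token names the mapping tables above describe.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Status / Result Code -> reason, in the order the 4768 and 4769 tables list
# them. The tables put 0x18, 0xc0000064 and 0xc000006e under both
# "Invalid Password" and "RevokedCredentials"; here the first match wins.
REASON_CODES = [
    ((0x0,), "Success"),
    ((0x18, 0xC0000064, 0xC000006E), "Invalid Password"),
    ((0x1, 0x2, 0x17, 0xC0000071, 0xC0000193), "ExpiredPassword"),
]
# TicketEncryptionType -> ssl_signature_algorithm, as the 4768 table lists it.
ENC_TYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
             0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

def parse_event(xml_text):
    """Flatten System/EventID, System/Computer and every EventData/Data."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS),
              "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields

def hexval(text):
    # Windows writes these fields as hex strings such as 0x18 or 0xC0000064.
    return int(text, 16) if text else None

def target_entity(name):
    """Pick dest_user or dest_device for TargetUserName. Assumption: machine
    accounts end in '$', the same test the 4689 SubjectUserName row uses."""
    return ("dest_device", name) if name.endswith("$") else ("dest_user", name)

def map_4768(f):
    status = hexval(f.get("Status"))
    out = {
        "signature_id": f["EventID"],
        "signature": "A Kerberos authentication ticket (TGT) was requested.",
        "action": "Successful" if status == 0 else "Failed",
        "reason": next((r for codes, r in REASON_CODES if status in codes), None),
        "event_return_code": f.get("Status"),
        "authentication_method": "Kerberos",
        "authentication_service": "ActiveDirectory",
        "authentication_type_name": "Network",
        "app": "ActiveDirectory",
        "account_domain": f.get("TargetDomainName"),
        "dest_port": f.get("IpPort"),
        # Certificates data model: 0x3E / 0x3F mark the certificate as invalid.
        "ssl_is_valid": "false" if status in (0x3E, 0x3F) else "true",
        "ssl_signature_algorithm": ENC_TYPES.get(hexval(f.get("TicketEncryptionType"))),
    }
    key, value = target_entity(f.get("TargetUserName", ""))
    out[key] = value
    return out

def map_5145(f):
    return {
        "signature_id": f["EventID"],
        "resource_handle": f.get("ShareName"),
        "resource_handle_name": f.get("RelativeTargetName"),
        "resource_handle_path": f.get("ShareLocalPath"),
        "resource_operation_access_mask": f.get("AccessMask"),
        "source_address": f.get("IpAddress"),
        "source_port": f.get("IpPort"),
        "dest_device": f["Computer"],
        "dest_user": f.get("SubjectUserName"),
    }

MAPPERS = {"4768": map_4768, "5145": map_5145}

def normalize(xml_text):
    f = parse_event(xml_text)
    return MAPPERS[f["EventID"]](f)

# Constructed samples shaped like the page's XML events (not real captures).
SAMPLE_4768 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4768</EventID><Computer>DC01.contoso.local</Computer></System>
 <EventData>
  <Data Name="TargetUserName">WS01$</Data>
  <Data Name="TargetDomainName">CONTOSO</Data>
  <Data Name="IpPort">49245</Data>
  <Data Name="Status">0x18</Data>
  <Data Name="TicketEncryptionType">0x17</Data>
 </EventData>
</Event>"""
SAMPLE_5145 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5145</EventID><Computer>DC01.contoso.local</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">dadmin</Data>
  <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
  <Data Name="IpPort">56926</Data>
  <Data Name="ShareName">\\*\Documents</Data>
  <Data Name="ShareLocalPath">\??\C:\Documents</Data>
  <Data Name="RelativeTargetName">Bginfo.exe</Data>
  <Data Name="AccessMask">0x100081</Data>
 </EventData>
</Event>"""
```

Call normalize(SAMPLE_4768) to see a failed TGT request for a machine account land in dest_device with reason "Invalid Password" and ssl_signature_algorithm "RC4-HMAC".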

WinEventLog logs

Sample WinEventLog events

4624

```text
11/30/2020 05:33:14 PM
LogName=Security
EventCode=4624
EventType=0
ComputerName=W177-RaviR.CDSYS.LOCAL
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=33288
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.

Subject:
        Security ID:                S-1-5-18
        Account Name:                W177-RAVIR$
        Account Domain:                CDSYS
        Logon ID:                0x3E7

Logon Information:
        Logon Type:                5
        Restricted Admin Mode:        -
        Virtual Account:                No
        Elevated Token:                Yes

Impersonation Level:                Impersonation

New Logon:
        Security ID:                S-1-5-18
        Account Name:                SYSTEM
        Account Domain:                NT AUTHORITY
        Logon ID:                0x3E7
        Linked Logon ID:                0x0
        Network Account Name:        -
        Network Account Domain:        -
        Logon GUID:                {00000000-0000-0000-0000-000000000000}

Process Information:
        Process ID:                0x3c0
        Process Name:                C:\Windows\System32\services.exe

Network Information:
        Workstation Name:        -
        Source Network Address:        -
        Source Port:                -

Detailed Authentication Information:
        Logon Process:                Advapi
        Authentication Package:        Negotiate
        Transited Services:        -
        Package Name (NTLM only):        -
        Key Length:                0
```

4625

```text
09/15/2020 02:41:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=AD-server.tafadtest.local
TaskCategory=Logon
OpCode=Info
RecordNumber=57965
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
        Security ID:                NT AUTHORITY\SYSTEM
        Account Name:                AD-SERVER$
        Account Domain:                TAFADTEST
        Logon ID:                0x3E7

Logon Type:                        5

Account For Which Logon Failed:
        Security ID:
        Account Name:
        Account Domain:

Failure Information:
        Failure Reason:                An Error occured during Logon.
        Status:                        0xC0000073
        Sub Status:                0xC0000073

Process Information:
        Caller Process ID:        0x58
        Caller Process Name:        C:\Windows\System32\svchost.exe

Network Information:
        Workstation Name:
        Source Network Address:
        Source Port:

Detailed Authentication Information:
        Logon Process:                Advapi
        Authentication Package:        Negotiate
        Transited Services:
        Package Name (NTLM only):
        Key Length:                0
```

4689

```text
09/17/2020 12:20:07 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=ta-dc-w2016.crest-2012r2.com
TaskCategory=Process Termination
OpCode=Info
RecordNumber=7833323
Keywords=Audit Success
Message=A process has exited.

Subject:
        Security ID:                NT AUTHORITY\SYSTEM
        Account Name:                TA-DC-W2016$
        Account Domain:                CREST-2012R2
        Logon ID:                0x3E7

Process Information:
        Process ID:        0xbe4
        Process Name:        C:\Program Files\Splunk\bin\splunk-optimize.exe
        Exit Status:        0x0
```

4768

```text
1/18/2017 2:49:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=uba-win11.UBA_DSlab_DOMAIN.local
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=796211636
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:       ad_user1
    Supplied Realm Name:    UBA_DSLAB_DOMAI
    User ID:            UBA_DSLAB_DOMAI\ad_user1
Service Information:
    Service Name:       krbtgt
    Service ID:     UBA_DSLAB_DOMAI\krbtgt
Network Information:
    Client Address:     ::ffff:10.141.38.92
    Client Port:        49245
Additional Information:
    Ticket Options:     0x40810010
    Result Code:        0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type:    2
Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
```

4769

```text
09/15/2020 02:41:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Information
ComputerName=AD-server.tafadtest.local
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
RecordNumber=57966
Keywords=Audit Success
Message=A Kerberos service ticket was requested.

Account Information:
        Account Name:                AD-SERVER$@TAFADTEST.LOCAL
        Account Domain:                TAFADTEST.LOCAL
        Logon GUID:                {F76AA6AA-CAC8-7994-7552-E186207FD70F}

Service Information:
        Service Name:                AD-SERVER$
        Service ID:                TAFADTEST\AD-SERVER$

Network Information:
        Client Address:                ::1
        Client Port:                0

Additional Information:
        Ticket Options:                0x40810000
        Ticket Encryption Type:        0x12
        Failure Code:                0x0
        Transited Services:
```

5145

```text
09/17/2020 02:51:04 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=ta-dc-w2016.crest-2012r2.com
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=7859663
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
        Security ID:  ACME-FR\Administrator
        Account Name:  Administrator
        Account Domain:  ACME-FR
        Logon ID:  0x74a739

Network Information:
        Object Type:                File
        Source Address:                fe80::2d6e:7ef5:8c1e:1dcb
        Source Port:                50436

Share Information:
        Share Name:                \\*\SYSVOL
        Share Path:                \??\C:\Windows\SYSVOL\sysvol
        Relative Target Name:        \

Access Request Information:
        Access Mask:                0x100080
        Accesses:                SYNCHRONIZE
                                ReadAttributes

Access Check Results:
        SYNCHRONIZE:        Granted by        D:(A;;0x1200a9;;;WD)
                                ReadAttributes:        Granted by        D:(A;;0x1200a9;;;WD)
```

4103

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
SourceName | source_name | - | Endpoint_Processes
ComputerName | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
User/Context-User (if User is NOT_TRANSLATED, use the value in Context-User) | - | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes
Message | process | - | Endpoint_Processes
TaskCategory | task_category | - | Endpoint_Processes
Context - Script Name | process_name, extracted from the full script name. If Script Name is empty, use the constant value "powershell.exe" as the process_name. | - | Endpoint_Processes
Context - Script Name | process_path, extracted from the full script name. If Script Name is empty, leave process_path empty. | - | Endpoint_Processes
Use the constant value "powershell.exe" | parent_process_name | - | Endpoint_Processes

4104

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
SourceName | source_name | - | Endpoint_Processes
ComputerName | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
TaskCategory | task_category | - | Endpoint_Processes
Message | process | - | Endpoint_Processes
Path | process_path (extracted from the script path), process_name (extracted from the script path) | - | Endpoint_Processes
Use the constant value "powershell.exe" | parent_process_name | - | Endpoint_Processes

4624

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Keywords | action (calculated field) | - | Authentication
Message | signature | - | Authentication
EventCode | signature_id | - | Authentication
ComputerName | origin_device_domain | src_device/DNS | Authentication
success (static value) | reason | - | Authentication
Account Domain | dest_nt_domain | src_user/WINDOWS_ACCOUNT_NAME | Authentication
Account Name | - | - | Authentication
Authentication Package | auth_pkg | - | Authentication
Logon Type | authentication_type, authentication_type_name (calculated field) | - | Authentication
Login Process | authentication_method | - | Authentication
Process Name | app | - | Authentication
Workstation Name | - | dest_device/DNS, src_device/DNS | Authentication
Source Network Address | - | dest_device/IP, src_device/IP | Authentication
ActiveDirectory (static value) | authentication_service | - | Authentication
Keywords | action (calculated field) | - | Endpoint_Processes
Microsoft Windows (static value) | vendor_product, os | - | Endpoint_Processes
ComputerName | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes
Process ID | process_id | - | Endpoint_Processes
Process Name | process_name, process_exec, process_current_directory, process_path, process. If Process Name is empty, the values of process_name and process_exec can be extracted from Login Process. | - | Endpoint_Processes
Workstation Name | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
Source Network Address | - | dest_device/IP, endpoint_device/IP | Endpoint_Processes
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -

4625

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Keywords | action (calculated field) | - | Authentication
Message | signature | - | Authentication
EventCode | signature_id | - | Authentication
ComputerName | origin_device_domain | src_device/DNS | Authentication
Failure Reason | reason | - | Authentication
Account Name | dest_user | src_user/WINDOWS_ACCOUNT_NAME | Authentication
Account Domain | dest_nt_domain | - | Authentication
Authentication Package | auth_pkg | - | Authentication
Logon Type | authentication_type, authentication_type_name (calculated field) | - | Authentication
Login Process | authentication_method | - | Authentication
Caller Process Name | app | - | Authentication
Workstation Name | - | dest_device/DNS, src_device/DNS | Authentication
Source Network Address | - | dest_device/IP, src_device/IP | Authentication
Status | event_return_code (calculated field) | - | Authentication
ActiveDirectory (static value) | authentication_service | - | Authentication
Keywords | action (calculated field) | - | Endpoint_Processes
Microsoft Windows (static value) | vendor_product, os | - | Endpoint_Processes
ComputerName | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes
Caller Process ID | process_id | - | Endpoint_Processes
Caller Process Name | process_name, process_exec, process_current_directory, process_path, process. If Process Name is empty, the values of process_name and process_exec can be extracted from Login Process. | - | Endpoint_Processes
Workstation Name | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
Source Network Address | - | dest_device/IP, endpoint_device/IP | Endpoint_Processes
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -

4661

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Object Name | resource_handle | - | Endpoint_ResourceAccess
Object Type | resource_type | - | Endpoint_ResourceAccess
Object Server | resource_server | - | Endpoint_ResourceAccess
Handle ID | resource_handle_id | - | Endpoint_ResourceAccess
Access Mask | resource_operation_access_mask | - | Endpoint_ResourceAccess
Privileges Used for Access Check | resource_operation_privileges | - | Endpoint_ResourceAccess
Properties | resource_operation_properties | - | Endpoint_ResourceAccess
Restricted SID Count | resource_operation_restricted_sid_count | - | Endpoint_ResourceAccess
Accesses | resource_operation_access | - | Endpoint_ResourceAccess
Process Id | process_id | - | Endpoint_Processes
Process Name | process_name, process_path | - | Endpoint_Processes
Message | event_description | - | Endpoint_ResourceAccess
ComputerName | - | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes
Logon ID | login_id | - | Endpoint_ResourceAccess
ComputerName | dest_nt_domain (extended) | - | Endpoint_ResourceAccess (v2)
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
EventCode | signature_id (extended) | - | -

4662

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Object Name | resource_handle | - | Endpoint_ResourceAccess
Object Type | resource_type | - | Endpoint_ResourceAccess
Object Server | resource_server | - | Endpoint_ResourceAccess
Handle ID | resource_handle_id | - | Endpoint_ResourceAccess
Access Mask | resource_operation_access_mask | - | Endpoint_ResourceAccess
Privileges Used for Access Check | resource_operation_privileges | - | Endpoint_ResourceAccess
Properties | resource_operation_properties | - | Endpoint_ResourceAccess
Restricted SID Count | resource_operation_restricted_sid_count | - | Endpoint_ResourceAccess
Accesses | resource_operation_access | - | Endpoint_ResourceAccess
Operation Type | resource_operation_type | - | Endpoint_ResourceAccess
Message | event_description | - | Endpoint_ResourceAccess
ComputerName | - | dest_device/DNS | Endpoint_ResourceAccess
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess
Logon ID | login_id | - | Endpoint_ResourceAccess
ComputerName | dest_nt_domain (extended) | - | Endpoint_ResourceAccess (v2)
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
EventCode | signature_id (extended) | - | -

4663

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Object Name | resource_handle | - | Endpoint_ResourceAccess
Object Type | resource_type | - | Endpoint_ResourceAccess
Object Server | resource_server | - | Endpoint_ResourceAccess
Handle ID | resource_handle_id | - | Endpoint_ResourceAccess
Access Mask | resource_operation_access_mask | - | Endpoint_ResourceAccess
Restricted SID Count | resource_operation_restricted_sid_count | - | Endpoint_ResourceAccess
Accesses | resource_operation_access | - | Endpoint_ResourceAccess
Process ID | process_id | - | Endpoint_Processes
Process Name | process_name, process_path | - | Endpoint_Processes
Message | event_description | - | Endpoint_ResourceAccess
ComputerName | - | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes
Logon ID | login_id | - | Endpoint_ResourceAccess
ComputerName | dest_nt_domain (extended) | - | Endpoint_ResourceAccess (v2)
Object Name | resource_handle_name (extended) | - | Endpoint_ResourceAccess (v2)
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
EventCode | signature_id (extended) | - | -

4672

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Message | event_description | - | Endpoint_ResourceAccess
TaskCategory | task_category | - | Endpoint_ResourceAccess
SourceName | source_name | - | Endpoint_ResourceAccess
Logon ID | logon_id | - | Endpoint_ResourceAccess
Keywords | event_status | - | Endpoint_ResourceAccess
LogName | log_name | - | Endpoint_ResourceAccess
Account Domain | account_domain | - | Endpoint_ResourceAccess
Privileges | resource_operation_privileges | - | Endpoint_ResourceAccess
ComputerName | resource_handle | - | Endpoint_ResourceAccess
Use static value "Computer" | resource_type | - | Endpoint_ResourceAccess
ComputerName | - | dest_device/DNS | Endpoint_ResourceAccess
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess
EventCode | signature_id (extended) | - | Endpoint_ResourceAccess (v2)
ComputerName | dest_nt_domain (extended) | - | Endpoint_ResourceAccess (v2)

4688

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Process Command Line | process | - | Endpoint_Processes
New Process ID | process_id | - | Endpoint_Processes
New Process Name | process_name, process_path | - | Endpoint_Processes
Creator Process Name | parent_process_name | - | Endpoint_Processes
Creator Process ID | parent_process_id | - | Endpoint_Processes
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes
ComputerName | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
EventCode | signature_id (extended) | - | -

4689

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Keywords | action (calculated field) | - | Endpoint_Processes
Microsoft Windows (static value) | vendor_product, os | - | Endpoint_Processes
ComputerName | - | dest_device/DNS | Endpoint_Processes
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME. dest_user is populated only if the Account Name does not end with $. | Endpoint_Processes
Process ID | process_id | - | Endpoint_Processes
Process Name | process_name, process_exec, process_current_directory, process_path, process | - | Endpoint_Processes
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
EventCode | signature_id (extended) | - | -

4768

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Keywords | action (calculated field: if Keywords is Audit Success, then action is Successful; otherwise, action is Failed) | - | Authentication
Use the static value "Kerberos" | authentication_method | - | Authentication
Use the static value "ActiveDirectory" | authentication_service | - | Authentication
Use the static value "Network" | authentication_type_name | - | Authentication
ComputerName | origin_device_domain | origin_device/DNS | Authentication
Message | signature | - | Authentication
EventCode | signature_id | - | Authentication
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. If Account Name contains a user, then dest_user is populated; if Account Name contains a device name, then dest_device is populated. | Authentication
Supplied Realm Name | dest_nt_domain | - | Authentication
Client Address | - | dest_device/IP | Authentication
Result Code | event_return_code, reason (calculated field; rules follow) | - | Authentication
  • If Result Code = 0x0, then reason is "Success"
  • If Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password"
  • If Result Code = 0x1, 0x2, 0x17, 0xc000007, or 0xc0000193, then reason is "ExpiredPassword"
  • If Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "RevokedCredentials"
Static value "ActiveDirectory" | app | - | Authentication
Client Port | dest_port | - | Certificates
Certificate Thumbprint | ssl_hash | - | Certificates
Certificate Issuer Name | ssl_issuer, ssl_issuer_common_name | - | Certificates
Certificate Serial Number | ssl_serial | - | Certificates
Result Code | ssl_is_valid (calculated field; rules follow) | - | Certificates
  • If Status = 0x3E or 0x3F, then ssl_is_valid is "false"
  • Otherwise, ssl_is_valid is "true"
TicketEncryptionType | ssl_signature_algorithm (calculated field; rules follow) | - | -
  • If TicketEncryptionType = 0x1, then ssl_signature_algorithm is "DES-CBC-CRC"
  • If TicketEncryptionType = 0x3, then ssl_signature_algorithm is "DES-CBC-MD5"
  • If TicketEncryptionType = 0x11, then ssl_signature_algorithm is "AES128-CTS-HMAC-SHA1-96"
  • If TicketEncryptionType = 0x12, then ssl_signature_algorithm is "AES256-CTS-HMAC-SHA1-96"
  • If TicketEncryptionType = 0x17, then ssl_signature_algorithm is "RC4-HMAC"
  • If TicketEncryptionType = 0x18, then ssl_signature_algorithm is "RC4-HMAC-EXP"
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -

4769

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Keywords | action (calculated field: if Keywords is Audit Success, then action is Successful; otherwise, action is Failed) | - | Authentication
Use the static value "Kerberos" | authentication_method | - | Authentication
Use the static value "ActiveDirectory" | authentication_service | - | Authentication
Use the static value "Network" | authentication_type_name | - | Authentication
ComputerName | origin_device_domain | origin_device/DNS | Authentication
Message | signature | - | Authentication
EventCode | signature_id | - | Authentication
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. If Account Name contains a user, then dest_user is populated; if Account Name contains a device name, then dest_device is populated. | Authentication
Account Domain | dest_nt_domain | - | Authentication
Client Address | - | dest_device/IP | Authentication
Failure Code | event_return_code, reason (calculated field; rules follow) | - | Authentication
  • If Result Code = 0x0, then reason is "Success"
  • If Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password"
  • If Result Code = 0x1, 0x2, 0x17, 0xc000007, or 0xc0000193, then reason is "ExpiredPassword"
  • If Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "RevokedCredentials"
Static value "ActiveDirectory" | app | - | Authentication
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
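As an added example (not Splunk's code), the following Python applies the 4768/4769 mapping rules from the two tables above to a constructed WinEventLog-style 4769 event: it parses the header Key=Value lines and the indented Message body, then derives action, reason, ssl_is_valid, ssl_signature_algorithm and the dest_user/dest_device split. Assumptions: a trailing $ marks a device account (the page states that rule only for 4689), an unmatched code yields "Unknown", and where the tables list 0x18, 0xc0000064 and 0xc000006e under both "Invalid Password" and "RevokedCredentials", the first label is used.

```python
import re

# Constructed sample modelled on the page's 4769 event (not a real capture).
SAMPLE_4769 = """\
LogName=Security
EventCode=4769
ComputerName=dc01.example.test
Keywords=Audit Success
Message=A Kerberos service ticket was requested.

Account Information:
        Account Name:                AD-SERVER$@TAFADTEST.LOCAL
        Account Domain:                TAFADTEST.LOCAL

Network Information:
        Client Address:                ::1
        Client Port:                0

Additional Information:
        Ticket Options:                0x40810000
        Ticket Encryption Type:        0x12
        Failure Code:                0x0
        Transited Services:
"""

# Result Code / Failure Code -> reason, from the 4768/4769 tables. The page
# lists 0x18, 0xc0000064 and 0xc000006e under two labels; the first is used.
REASON_BY_CODE = {
    "0x0": "Success",
    "0x18": "Invalid Password", "0xc0000064": "Invalid Password",
    "0xc000006e": "Invalid Password",
    "0x1": "ExpiredPassword", "0x2": "ExpiredPassword", "0x17": "ExpiredPassword",
    "0xc000007": "ExpiredPassword", "0xc0000193": "ExpiredPassword",
}

# TicketEncryptionType -> ssl_signature_algorithm, from the 4768 table.
ENC_TYPE_NAME = {
    "0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP",
}


def parse_event(raw):
    """Return the header Key=Value fields plus the indented 'Label: value'
    pairs of the Message body as one flat dict (section titles are skipped)."""
    fields = {}
    for line in raw.splitlines():
        m = re.match(r"^(\w+)=(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"^\s+([^:]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def map_kerberos_event(fields):
    """Apply the 4768/4769 Authentication and Certificates mapping."""
    # 4768 carries Result Code, 4769 carries Failure Code; both map alike.
    code = (fields.get("Failure Code") or fields.get("Result Code", "")).lower()
    enc = fields.get("Ticket Encryption Type", "").lower()
    tokens = {
        "action": "Successful" if fields.get("Keywords") == "Audit Success" else "Failed",
        "authentication_method": "Kerberos",
        "authentication_service": "ActiveDirectory",
        "authentication_type_name": "Network",
        "app": "ActiveDirectory",
        "signature": fields.get("Message", ""),
        "signature_id": fields.get("EventCode", ""),
        "origin_device_domain": fields.get("ComputerName", ""),
        # 4769 uses Account Domain, 4768 uses Supplied Realm Name
        "dest_nt_domain": fields.get("Account Domain") or fields.get("Supplied Realm Name", ""),
        "dest_device_ip": fields.get("Client Address", ""),
        "event_return_code": code,
        "reason": REASON_BY_CODE.get(code, "Unknown"),  # "Unknown" fallback is an assumption
        "ssl_is_valid": "false" if code in ("0x3e", "0x3f") else "true",
        "ssl_signature_algorithm": ENC_TYPE_NAME.get(enc, "Unknown"),
    }
    # Account Name holds a user or a device name; assumption: a trailing $
    # (the rule the page states for 4689) marks a device account.
    principal = fields.get("Account Name", "").split("@", 1)[0]
    if principal.endswith("$"):
        tokens["dest_device"] = principal
    else:
        tokens["dest_user"] = principal
    return tokens
```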

4776

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Keywords | action (calculated field) | - | Authentication
NtLmSsp (static value) | app, authentication_method | - | Authentication
ActiveDirectory (static value) | - | - | Authentication
Error Code | reason (calculated field), event_return_code | - | Authentication
EventCode | signature (calculated field), signature_id | - | Authentication
Logon Account | - | dest_user/WINDOWS_ACCOUNT_NAME | Authentication
Authentication Package | auth_pkg | - | Authentication
ComputerName | origin_device_name | origin_device/DNS | Authentication
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -

5140

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Message | event_description | - | Endpoint_ResourceAccess
AccessMask | resource_operation_access_mask | - | Endpoint_ResourceAccess
Accesses | resource_operation_accesses | - | Endpoint_ResourceAccess
Object Type | resource_type | - | Endpoint_ResourceAccess
Share Name | resource_handle | - | Endpoint_ResourceAccess
Keywords | event_status | - | Endpoint_ResourceAccess
ComputerName | dest_nt_domain (extended) | - | Endpoint_ResourceAccess (v2)
Share Path | resource_handle_path (extended) | - | Endpoint_ResourceAccess (v2)
Source Address | source_address (extended) | - | Endpoint_ResourceAccess (v2)
Source Port | source_port (extended) | - | Endpoint_ResourceAccess (v2)
ComputerName | - | dest_device/DNS | Endpoint_ResourceAccess
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. If Account Name contains a user name, then dest_user is populated; if Account Name contains a device, then dest_device is populated. | Endpoint_ResourceAccess
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
EventCode | signature_id (extended) | - | -

5145

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Message | event_description | - | Endpoint_ResourceAccess
AccessMask | resource_operation_access_mask | - | Endpoint_ResourceAccess
Accesses | resource_operation_accesses | - | Endpoint_ResourceAccess
Object Type | resource_type | - | Endpoint_ResourceAccess
Share Name | resource_handle | - | Endpoint_ResourceAccess
Keywords | event_status | - | Endpoint_ResourceAccess
Relative Target Name | resource_handle_name (extended) | - | Endpoint_ResourceAccess (v2)
Share Path | resource_handle_path (extended) | - | Endpoint_ResourceAccess (v2)
Source Address | source_address (extended) | - | Endpoint_ResourceAccess (v2)
ComputerName | dest_nt_domain (extended) | - | Endpoint_ResourceAccess (v2)
Source Port | source_port (extended) | - | Endpoint_ResourceAccess (v2)
ComputerName | - | dest_device/DNS | Endpoint_ResourceAccess
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
EventCode | signature_id (extended) | - | -


windows_snare_syslog logs

Sample Event

Sample windows_snare_syslog event

Nov  08 22:35:24 SCL-S-DC01.corp.acme065.com/10.115.16.5/192.0.2.123 MSWinEventLog,1,Security,856619580,Sat Nov 08 22:35:24 2014,4624,Microsoft-Windows-Security-Auditing,NT AUTHORITY\\ANONYMOUS LOGON,N/A,Success Audit,SCL-S-DC01.corp.acme065.com,Logon,,An account was successfully logged on.    Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Logon Type:   3    New Logon:   Security ID:  S-1-5-7   Account Name:  Bobby   Account Domain:  NT AUTHORITY   Logon ID:  0xa8e1bdeb2   Logon GUID:  {00000000-0000-0000-0000-000000000000}    Process Information:   Process ID:  0x0   Process Name:  -    Network Information:   Workstation Name: OBWL3SAADS   Source Network Address: 10.122.16.22   Source Port:  27657    Detailed Authentication Information:   Logon Process:  NtLmSsp    Authentication Package: NTLM   Transited Services: -   Package Name (NTLM only): NTLM V1   Key Length:  128    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.    The authentication information fields provide detailed information about this specific logon request.   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.   - Transited services indicate which intermediate services have participated in this logon request.   
- Package name indicates which sub-protocol was used among the NTLM protocols.   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.,856447969

Fields and Mapping

4624

Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model
Keywords | action (calculated field) | - | Authentication
Message | signature | - | Authentication
EventCode | signature_id | - | Authentication
ComputerName | origin_device_domain | src_device/DNS | Authentication
success (static value) | reason | - | Authentication
Account Domain | dest_nt_domain | src_user/WINDOWS_ACCOUNT_NAME | Authentication
Account Name | - | - | Authentication
Authentication Package | auth_pkg | - | Authentication
Logon Type | authentication_type, authentication_type_name (calculated field) | - | Authentication
Login Process | authentication_method | - | Authentication
Process Name | app | - | Authentication
Workstation Name | - | dest_device/DNS, src_device/DNS | Authentication
Source Network Address | - | dest_device/IP, src_device/IP | Authentication
ActiveDirectory (static value) | authentication_service | - | Authentication
Keywords | action (calculated field) | - | Endpoint_Processes
Microsoft Windows (static value) | vendor_product, os | - | Endpoint_Processes
ComputerName | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
Account Name | - | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes
Process ID | process_id | - | Endpoint_Processes
Process Name | process_name, process_exec, process_current_directory, process_path, process. If Process Name is empty, the values of process_name and process_exec can be extracted from Login Process. | - | Endpoint_Processes
Workstation Name | - | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes
Source Network Address | - | dest_device/IP, endpoint_device/IP | Endpoint_Processes
TaskCategory | task_category (extended) | - | -
SourceName | source_name (extended) | - | -
LogName | log_name (extended) | - | -
Account Domain | account_domain (extended) | - | -
Last modified on 10 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0