Supported data sources in behavioral analytics service
Behavioral analytics service uses the following data source to generate anomalies.
Data source | sourcetype |
---|---|
Windows security logs | XmlWinEventLog, WinEventLog, windows_snare_syslog. See Windows event IDs supported in behavioral analytics service. |
The following data sources can be ingested into behavioral analytics service but do not generate anomalies. Behavioral analytics service extracts metadata from these data sources such as session data, which is used for identity resolution.
Data source | sourcetype |
---|---|
AWS CloudTrail logs | aws:cloudtrail |
Bit9 (Carbon Black) | bit9:carbonblack:json |
Blue Coat ProxySG syslog for bcereportermain_vi | bluecoat:proxy:access:syslog |
Blue Coat ProxySG syslog for KV mode | bluecoat:proxysg:access:kv |
Cisco ASA firewall logs | cisco:asa |
Cisco ASA VPN logs | cisco:cisco_vpn |
CrowdStrike logs | CrowdStrike:Event:Streams:JSON |
Infoblox DHCP logs | infoblox:dhcp |
Infoblox DNS logs | infoblox:dns |
Infoblox ThreatProtect logs | infoblox:threatprotect |
McAfee Web Gateway | webgateway |
Microsoft Office 365 email logs | ms:o365:email |
Microsoft Office 365 Management Activity alerts | o365:management:activity for the following workload types: |
Palo Alto Networks | pan:traffic |
Proofpoint Tap SIEM | Proofpoint_tap_siem |
Proofpoint Mail logs | pps_maillog |
Symantec Data Loss Prevention (DLP) for email | symantec:dlp:syslog |
Windows sysmon logs | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational. See Windows event IDs supported in behavioral analytics service. |
Windows DHCP logs in CSV format for DNS data | dhcp |
Windows event IDs supported in Splunk Behavioral Analytics
The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. See Configure Windows event logging for instructions on making sure the proper Microsoft Windows events are logged.
Event ID | Description | Supported for XmlWinEventLog | Supported for WinEventLog |
---|---|---|---|
4103 | Windows license activation failed | Yes | Yes |
4104 | PowerShell script block logging | Yes | Yes |
4624 | An account was successfully logged on | Yes | Yes |
4625 | An account failed to log on | Yes | Yes |
4661 | A handle to an object was requested | Yes | Yes |
4662 | An operation was performed on an object | Yes | Yes |
4663 | An attempt was made to access an object | Yes | Yes |
4672 | Special privileges assigned to new logon | No | Yes |
4688 | A new process has been created | Yes | Yes |
4689 | A process has exited | Yes | Yes |
4768 | A Kerberos authentication ticket (TGT) was requested | Yes | Yes |
4769 | A Kerberos service ticket was requested | Yes | Yes |
4776 | The domain controller attempted to validate the credentials for an account | No | Yes |
5140 | A network share object was accessed | Yes | Yes |
5145 | A network share object was checked to see whether client can be granted desired access | Yes | Yes |
Data source sample events and fields mappings
Behavioral analytics service extracts the values of specific fields from each data source and maps them to the field names its models use. Expand each Fields and Mapping section to see how fields in raw events are mapped. The tables in each Fields and Mapping section contain the following information:
Table column | Description |
---|---|
Raw event field name | The original value of the field in the raw event. |
Behavioral analytics service token name | What the field in the raw event is mapped to in behavioral analytics service. For example, the raw event may contain a field named threatURL, but the models in behavioral analytics service require a field named threat_url. |
Behavioral analytics service entity/field type | The field used to enrich entities with assets and identities data. For example, a local_ip field in the raw event marked as dest_user/DNS in the table defines the database table used to perform the lookup, so DNS addresses are searched when performing the lookup instead of IP tables. |
Behavioral analytics service data model | Data models in behavioral analytics service normalize data into specific categories like Authorization or Endpoint. The detections in the system run queries against this normalized data instead of running vendor-specific queries. |
XmlWinEventLog logs
Sample XmlWinEventLog events
4689
<?xml version="1.0" encoding="UTF-8"?> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4689</EventID> <Version>0</Version> <Level>0</Level> <Task>13313</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" /> <EventRecordID>187030</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="144" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> <Data Name="SubjectUserName">dadmin</Data> <Data Name="SubjectDomainName">CONTOSO</Data> <Data Name="SubjectLogonId">0x31365</Data> <Data Name="Status">0x0</Data> <Data Name="ProcessId">0xfb0</Data> <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data> </EventData> </Event>
5140
<?xml version="1.0" encoding="UTF-8"?> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4689</EventID> <Version>0</Version> <Level>0</Level> <Task>13313</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" /> <EventRecordID>187030</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="144" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> <Data Name="SubjectUserName">dadmin</Data> <Data Name="SubjectDomainName">CONTOSO</Data> <Data Name="SubjectLogonId">0x31365</Data> <Data Name="Status">0x0</Data> <Data Name="ProcessId">0xfb0</Data> <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data> </EventData> </Event>
5145
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>5145</EventID> <Version>0</Version> <Level>0</Level> <Task>12811</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" /> <EventRecordID>267092</EventRecordID> <Correlation /> <Execution ProcessID="516" ThreadID="524" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> <Data Name="SubjectUserName">dadmin</Data> <Data Name="SubjectDomainName">CONTOSO</Data> <Data Name="SubjectLogonId">0x38d34</Data> <Data Name="ObjectType">File</Data> <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data> <Data Name="IpPort">56926</Data> <Data Name="ShareName">\\\\\*\\Documents</Data> <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data> <Data Name="RelativeTargetName">Bginfo.exe</Data> <Data Name="AccessMask">0x100081</Data> <Data Name="AccessList">%%1541 %%4416 %%4423</Data> <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data> </EventData> </Event>
Fields and Mapping
4103
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Provider | source_name | | Endpoint_Processes |
Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
UserID | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
Payload | process | | Endpoint_Processes |
Use constant value of "powershell.exe" | parent_process_name, process_name | | Endpoint_Processes |
Task | task_category (extended) | | |
Channel | log_name (extended) | | |
EventID | signature_id (extended) | | |
4104
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Provider (Name attribute) | source_name | | Endpoint_Processes |
Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
Path | process_path (extracted from the script path), process_name (extracted from the script path) | | Endpoint_Processes |
Use constant value of "powershell.exe" | parent_process_name | | Endpoint_Processes |
Task | task_category (extended) | | |
Channel | log_name (extended) | | |
EventID | signature_id (extended) | | |
4624
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field) | | Authentication |
Static value: "An account was successfully logged on" | signature | | Authentication |
EventID | signature_id | | Authentication |
Computer | origin_device_domain | src_device/DNS | Authentication |
FailureReason | reason | | Authentication |
SubjectUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
TargetUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
TargetDomainName | dest_nt_domain | | Authentication |
AuthenticationPackageName | auth_pkg | | Authentication |
LogonType | authentication_type, authentication_type_name (calculated field) | | Authentication |
LoginProcessName | authentication_method | | Authentication |
ProcessName | app | | Authentication |
WorkstationName | | src_device/DNS | Authentication |
ipAddress | | dest_device/IP, src_device/IP | Authentication |
Keywords | action (calculated field) | | Endpoint_Processes |
Static value: "Microsoft Windows" | vendor_product, os | | Endpoint_Processes |
Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
SubjectUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
TargetUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
ProcessId | process_id | | Endpoint_Processes |
ProcessName | process_name, process_exec, process_current_directory, process_path, process. If ProcessName is empty, process_name and process_exec are extracted from Login Process. | | Endpoint_Processes |
WorkstationName | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
ipAddress | | dest_device/IP, endpoint_device/DNS | Endpoint_Processes |
Task | task_category (extended) | | |
Provider (name attribute) | source_name (extended) | | |
Channel | log_name (extended) | | |
SubjectDomainName | account_domain (extended) | | |
4625
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field) | | Authentication |
Static value: "An account failed to log on" | signature | | Authentication |
EventID | signature_id | | Authentication |
Computer | origin_device_domain | src_device/DNS | Authentication |
FailureReason | reason | | Authentication |
SubjectUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
TargetUserName | | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
TargetDomainName | dest_nt_domain | | Authentication |
AuthenticationPackageName | auth_pkg | | Authentication |
LogonType | authentication_type, authentication_type_name (calculated field) | | Authentication |
LoginProcessName | authentication_method | | Authentication |
ProcessName | app | | Authentication |
WorkstationName | | src_device/DNS | Authentication |
ipAddress | | dest_device/IP, src_device/IP | Authentication |
Status | event_return_code (calculated field) | | Authentication |
ActiveDirectory (static value) | authentication_service | | Authentication |
Keywords | action (calculated field) | | Endpoint_Processes |
Static value: "Microsoft Windows" | vendor_product, os | | Endpoint_Processes |
Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
SubjectUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
TargetUserName | | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
ProcessId | process_id | | Endpoint_Processes |
ProcessName | process_name, process_exec, process_current_directory, process_path, process. If ProcessName is empty, process_name and process_exec are extracted from Login Process. | | Endpoint_Processes |
WorkstationName | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
ipAddress | | dest_device/IP, endpoint_device/DNS | Endpoint_Processes |
Task | task_category (extended) | | |
Provider (name attribute) | source_name (extended) | | |
Channel | log_name (extended) | | |
SubjectDomainName | account_domain (extended) | | |
4661
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
ObjectName | resource_handle | | Endpoint_ResourceAccess |
ObjectType | resource_type | | Endpoint_ResourceAccess |
HandleId | resource_handle_id | | Endpoint_ResourceAccess |
AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
PrivilegeList | resource_operation_privileges | | Endpoint_ResourceAccess |
Properties | resource_operation_properties | | Endpoint_ResourceAccess |
RestrictedSidCount | resource_operation_restricted_sid_count | | Endpoint_ResourceAccess |
AccessList | resource_operation_access | | Endpoint_ResourceAccess |
ProcessId | process_id | | Endpoint_Process |
ProcessName | process_name, process_path | | Endpoint_Process |
(calculated field) | event_description | | Endpoint_ResourceAccess |
Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes |
SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
TransactionId | resource_operation_transaction_id | | Endpoint_ResourceAccess |
Keywords | event_status | | Endpoint_ResourceAccess |
Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
ObjectName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
Task | task_category (extended) | | |
Provider (name attribute) | source_name (extended) | | |
Channel | log_name (extended) | | |
SubjectDomainName | account_domain (extended) | | |
EventID | signature_id (extended) | | |
4662
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
ObjectName | resource_handle | | Endpoint_ResourceAccess |
ObjectType | resource_type | | Endpoint_ResourceAccess |
HandleId | resource_handle_id | | Endpoint_ResourceAccess |
AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
Properties | resource_operation_properties | | Endpoint_ResourceAccess |
RestrictedSidCount | resource_operation_restricted_sid_count | | Endpoint_ResourceAccess |
AccessList | resource_operation_access | | Endpoint_ResourceAccess |
OperationType | resource_operation_type | | Endpoint_ResourceAccess |
(calculated field) | event_description | | Endpoint_ResourceAccess |
Computer | | dest_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess |
SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
Keywords | event_status | | Endpoint_ResourceAccess |
Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
Task | task_category (extended) | | |
Provider (name attribute) | source_name (extended) | | |
Channel | log_name (extended) | | |
SubjectDomainName | account_domain (extended) | | |
EventID | signature_id (extended) | | |
4663
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
ObjectName | resource_handle | | Endpoint_ResourceAccess |
ObjectType | resource_type | | Endpoint_ResourceAccess |
HandleId | resource_handle_id | | Endpoint_ResourceAccess |
AccessList | resource_operation_access | | Endpoint_ResourceAccess |
AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
ProcessId | process_id | | Endpoint_Process |
ProcessName | process_name, process_path | | Endpoint_Process |
(calculated field) | event_description | | Endpoint_ResourceAccess |
Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes |
SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes |
SubjectLogonId | logon_id | | Endpoint_ResourceAccess |
Keywords | event_status | | Endpoint_ResourceAccess |
Computer | dest_nt_domain (extended) | | Endpoint_ResourceAccess (v2) |
ObjectName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
Task | task_category (extended) | | |
Provider (name attribute) | source_name (extended) | | |
Channel | log_name (extended) | | |
SubjectDomainName | account_domain (extended) | | |
EventID | signature_id (extended) | | |
4688
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
CommandLine | process | | Endpoint_Process |
Keywords | action (calculated field) | | Endpoint_Processes |
NewProcessId | process_id | | Endpoint_Processes |
NewProcessName | process_name, process_exec, process_current_directory, process_path | | Endpoint_Processes |
Microsoft Windows (static value) | vendor_product, os | | Endpoint_Processes |
ParentProcessName | parent_process_name | | Endpoint_Processes |
ProcessId | parent_process_id | | Endpoint_Processes |
TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
Computer | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
Task | task_category (extended) | | |
Provider (name attribute) | source_name (extended) | | |
Channel | log_name (extended) | | |
SubjectDomainName | account_domain (extended) | | |
EventID | signature_id (extended) | | |
4689
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field) | | Endpoint_Processes |
Microsoft Windows (static value) | vendor_product, os | | Endpoint_Processes |
Computer | | dest_device/DNS | Endpoint_Processes |
SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME. If SubjectUserName does not end with $, dest_user is populated. | Endpoint_Processes |
ProcessId | process_id | | Endpoint_Processes |
ProcessName | process_name, process_exec, process_current_directory, process_path, process | | Endpoint_Processes |
Task | task_category (extended) | | |
Provider (name attribute) | source_name (extended) | | |
Channel | log_name (extended) | | |
SubjectDomainName | account_domain (extended) | | |
EventID | signature_id (extended) | | |
4768
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Status | action. If Status is 0x0, the action is Successful; otherwise the action is Failed. | | Authentication |
Use the static value "Kerberos" | authentication_method | | Authentication |
Use the static value "ActiveDirectory" | authentication_service | | Authentication |
Use the static value "Network" | authentication_type_name | | Authentication |
TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. If TargetUserName contains a user, dest_user is populated; if it contains a device name, dest_device is populated. | Authentication |
Status | reason. If Status = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password". | | Authentication |
Status | event_return_code | | Authentication |
Use the static value "A Kerberos authentication ticket (TGT) was requested." | signature | | Authentication |
EventID | signature_id | | Authentication |
Use the static value "ActiveDirectory" | app | | Authentication |
IpPort | dest_port | | Certificates |
CertThumbprint | ssl_hash | | Certificates |
CertIssuerName | ssl_issuer | | Certificates |
CertIssuerName | ssl_issuer_common_name | | Certificates |
CertSerialNumber | ssl_serial | | Certificates |
Status | ssl_is_valid | | Certificates |
TicketEncryptionType | ssl_signature_algorithm | | |
Task | task_category (extended) | | |
Provider (name attribute) | source_name (extended) | | |
Channel | log_name (extended) | | |
TargetDomainName | account_domain (extended) | | |
4769
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action. If Keywords is 0x8020000000000000, the action is Successful; otherwise the action is Failed. | | Authentication |
Use the static value "Kerberos" | authentication_method | | Authentication |
Use the static value "ActiveDirectory" | authentication_service | | Authentication |
Use the static value "Network" | authentication_type_name | | Authentication |
Computer | origin_device_domain | origin_device/DNS | Authentication |
Use the static value "A Kerberos service ticket was requested." | signature | | Authentication |
EventID | signature_id | | Authentication |
TargetUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. If TargetUserName contains a user, dest_user is populated; if it contains a device name, dest_device is populated. | Authentication |
TargetDomainName | dest_nt_domain | | Authentication |
IpAddress | | dest_device/IP | Authentication |
Status | event_return_code, reason. If Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password". | | Authentication |
Use the static value "ActiveDirectory" | app | | Authentication |
5140
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
(calculated field) | event_description | | Endpoint_ResourceAccess |
Task | task_category | | Endpoint_ResourceAccess |
Provider (name attribute) | source_name | | Endpoint_ResourceAccess |
AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
AccessList | resource_operation_accesses | | Endpoint_ResourceAccess |
ObjectType | resource_type | | Endpoint_ResourceAccess |
Channel | log_name | | Endpoint_ResourceAccess |
ShareName | resource_handle | | Endpoint_ResourceAccess |
SubjectDomainName | account_domain | | Endpoint_ResourceAccess |
Keywords | event_status | | Endpoint_ResourceAccess |
ShareLocalPath | resource_handle_path (extended) | | Endpoint_ResourceAccess (v2) |
EventID | signature_id (extended) | | Endpoint_ResourceAccess (v2) |
IpAddress | source_address (extended) | | Endpoint_ResourceAccess (v2) |
Computer | dest_nt_domain | | Endpoint_ResourceAccess (v2) |
IpPort | source_port (extended) | | Endpoint_ResourceAccess (v2) |
Computer | | dest_device/DNS | Endpoint_ResourceAccess |
SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. If SubjectUserName contains a user name, dest_user is populated; if it contains a device, dest_device is populated. | Endpoint_ResourceAccess |
5145
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
(calculated field) | event_description | | Endpoint_ResourceAccess |
Task | task_category | | Endpoint_ResourceAccess |
Provider (name attribute) | source_name | | Endpoint_ResourceAccess |
AccessMask | resource_operation_access_mask | | Endpoint_ResourceAccess |
AccessList | resource_operation_accesses | | Endpoint_ResourceAccess |
ObjectType | resource_type | | Endpoint_ResourceAccess |
Channel | log_name | | Endpoint_ResourceAccess |
ShareName | resource_handle | | Endpoint_ResourceAccess |
SubjectDomainName | account_domain | | Endpoint_ResourceAccess |
Keywords | event_status | | Endpoint_ResourceAccess |
RelativeTargetName | resource_handle_name (extended) | | Endpoint_ResourceAccess (v2) |
ShareLocalPath | resource_handle_path (extended) | | Endpoint_ResourceAccess (v2) |
EventID | signature_id (extended) | | Endpoint_ResourceAccess (v2) |
IpAddress | source_address (extended) | | Endpoint_ResourceAccess (v2) |
Computer | dest_nt_domain | | Endpoint_ResourceAccess (v2) |
IpPort | source_port (extended) | | Endpoint_ResourceAccess (v2) |
Computer | | dest_device/DNS | Endpoint_ResourceAccess |
SubjectUserName | | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess |
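The calculated-field rules stated in the 4768, 4769, 4689 and 5145 XmlWinEventLog tables above, applied to raw events, as an added example; this is not Splunk's code and is not part of the original page. It assumes the trailing "$" machine-account test from the 4689 table for the dest_user/dest_device split in the other events as well, builds its own sample events in the shape of the page's 4689 sample (constructed, not captured), and uses only the token names the tables list.

```python
# Added example, not Splunk's code: applies the calculated-field rules from the
# 4768, 4769, 4689 and 5145 XmlWinEventLog mapping tables to raw events.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Result codes for which the 4768/4769 tables set reason = "Invalid Password".
INVALID_PASSWORD_CODES = {"0x18", "0xc0000064", "0xc000006e"}
# Keywords value the 4769 table treats as a successful request.
AUDIT_SUCCESS_KEYWORDS = "0x8020000000000000"


def parse_event(xml_text):
    """Split one XmlWinEventLog event into (event_id, System fields, EventData)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    sysf = {
        "Provider": system.find("e:Provider", NS).get("Name"),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "Keywords": system.findtext("e:Keywords", namespaces=NS),
    }
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return int(system.findtext("e:EventID", namespaces=NS)), sysf, data


def user_or_device(name):
    """dest_user / dest_device split for account-name fields. Assumption: a
    trailing '$' marks a machine account (the test the 4689 table uses)."""
    return {"dest_device": name} if name.endswith("$") else {"dest_user": name}


def map_event(xml_text):
    """Return the behavioral analytics tokens for one supported event ID."""
    event_id, sysf, data = parse_event(xml_text)
    out = {"signature_id": event_id, "source_name": sysf["Provider"],
           "origin_device_domain": sysf["Computer"]}
    if event_id in (4768, 4769):
        status = data.get("Status", "").lower()
        if event_id == 4768:   # 4768 table: Status 0x0 is Successful
            out["action"] = "Successful" if status == "0x0" else "Failed"
        else:                  # 4769 table: decided by the Keywords value
            out["action"] = ("Successful" if sysf["Keywords"] == AUDIT_SUCCESS_KEYWORDS
                             else "Failed")
        out["event_return_code"] = data.get("Status", "")
        if status in INVALID_PASSWORD_CODES:
            out["reason"] = "Invalid Password"
        out.update(user_or_device(data.get("TargetUserName", "")))
        out.update(authentication_method="Kerberos", authentication_service="ActiveDirectory",
                   authentication_type_name="Network", app="ActiveDirectory")
        if event_id == 4769:
            out["dest_nt_domain"] = data.get("TargetDomainName", "")
    elif event_id == 4689:
        subject = data.get("SubjectUserName", "")
        if not subject.endswith("$"):   # 4689 table: dest_user only without a trailing $
            out["dest_user"] = subject
        out["process_id"] = data.get("ProcessId", "")
        out["process_path"] = data.get("ProcessName", "")
        out["process_name"] = out["process_path"].rsplit("\\", 1)[-1]
    elif event_id == 5145:
        out.update(resource_type=data.get("ObjectType", ""),
                   resource_handle=data.get("ShareName", ""),
                   resource_handle_name=data.get("RelativeTargetName", ""),
                   resource_handle_path=data.get("ShareLocalPath", ""),
                   resource_operation_access_mask=data.get("AccessMask", ""),
                   resource_operation_accesses=data.get("AccessList", "").split(),
                   source_address=data.get("IpAddress", ""),
                   source_port=data.get("IpPort", ""),
                   account_domain=data.get("SubjectDomainName", ""),
                   event_status=sysf["Keywords"])
        out.update(user_or_device(data.get("SubjectUserName", "")))
    return out


def sample_event(event_id, keywords, data):
    """Constructed event in the shape of the page's 4689 sample (input only)."""
    rows = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing" />'
            '<EventID>%d</EventID><Keywords>%s</Keywords>'
            '<Computer>DC01.contoso.local</Computer></System>'
            '<EventData>%s</EventData></Event>') % (NS["e"], event_id, keywords, rows)


if __name__ == "__main__":
    failed_tgt = sample_event(4768, "0x8010000000000000",
                              {"TargetUserName": "dadmin", "Status": "0x18"})
    print(map_event(failed_tgt))
```

The split into a raw-event parser and a per-event mapper mirrors the table layout: the parser yields the raw field names in the first column, and `map_event` produces the token names in the second. A defender extending this to other event IDs only has to add a branch that reads the matching table.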
WinEventLog logs
Sample WinEventLog events
4624
11/30/2020 05:33:14 PM LogName=Security EventCode=4624 EventType=0 ComputerName=W177-RaviR.CDSYS.LOCAL SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=33288 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: W177-RAVIR$ Account Domain: CDSYS Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3c0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0
4625
09/15/2020 02:41:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=AD-server.tafadtest.local TaskCategory=Logon OpCode=Info RecordNumber=57965 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: AD-SERVER$ Account Domain: TAFADTEST Logon ID: 0x3E7 Logon Type: 5 Account For Which Logon Failed: Security ID: Account Name: Account Domain: Failure Information: Failure Reason: An Error occured during Logon. Status: 0xC0000073 Sub Status: 0xC0000073 Process Information: Caller Process ID: 0x58 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: Source Network Address: Source Port: Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: Package Name (NTLM only): Key Length: 0
4689
09/17/2020 12:20:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=ta-dc-w2016.crest-2012r2.com TaskCategory=Process Termination OpCode=Info RecordNumber=7833323 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: TA-DC-W2016$ Account Domain: CREST-2012R2 Logon ID: 0x3E7 Process Information: Process ID: 0xbe4 Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe Exit Status: 0x0
4768
1/18/2017 2:49:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=uba-win11.UBA_DSlab_DOMAIN.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=796211636 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: ad_user1 Supplied Realm Name: UBA_DSLAB_DOMAI User ID: UBA_DSLAB_DOMAI\ad_user1 Service Information: Service Name: krbtgt Service ID: UBA_DSLAB_DOMAI\krbtgt Network Information: Client Address: ::ffff:10.141.38.92 Client Port: 49245 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
4769
09/15/2020 02:41:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=AD-server.tafadtest.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=57966 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: AD-SERVER$@TAFADTEST.LOCAL Account Domain: TAFADTEST.LOCAL Logon GUID: {F76AA6AA-CAC8-7994-7552-E186207FD70F} Service Information: Service Name: AD-SERVER$ Service ID: TAFADTEST\AD-SERVER$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services:
5145
09/17/2020 02:51:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=ta-dc-w2016.crest-2012r2.com TaskCategory=Detailed File Share OpCode=Info RecordNumber=7859663 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ACME-FR\Administrator Account Name: Administrator Account Domain: ACME-FR Logon ID: 0x74a739 Network Information: Object Type: File Source Address: fe80::2d6e:7ef5:8c1e:1dcb Source Port: 50436 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: \ Access Request Information: Access Mask: 0x100080 Accesses: SYNCHRONIZE ReadAttributes Access Check Results: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)
Fields and Mapping
4103
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
SourceName | source_name | | Endpoint_Processes |
ComputerName | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
User/Context-User. If User is NOT_TRANSLATED, use the value in Context-User. | | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes |
Message | process | | Endpoint_Processes |
TaskCategory | task_category | | Endpoint_Processes |
Context - Script Name | process_name, extracted from the full script name. If Script Name is empty, use the constant value "powershell.exe" as the process_name. | | Endpoint_Processes |
Context - Script Name | process_path, extracted from the full script name. If Script Name is empty, leave process_path empty. | | Endpoint_Processes |
Use the constant value "powershell.exe" | parent_process_name | | Endpoint_Processes |
4104
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
SourceName | source_name | | Endpoint_Processes |
ComputerName | | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes |
TaskCategory | task_category | | Endpoint_Processes |
Message | process | | Endpoint_Processes |
Path | process_path (extracted from the script path), process_name (extracted from the script path) | | Endpoint_Processes |
Use constant value of "powershell.exe" | parent_process_name | | Endpoint_Processes |
4624
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field) | Authentication | |
Message | signature | Authentication | |
EventCode | signature_id | Authentication | |
ComputerName | origin_device_domain | src_device/DNS | Authentication |
success (static value) | reason | Authentication | |
Account Domain | dest_nt_domain | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
Account Name | | Authentication | |
Authentication Package | auth_pkg | Authentication | |
Logon Type | authentication_type, authentication_type_name (calculated field) | Authentication | |
Login Process | authentication_method | Authentication | |
Process Name | app | Authentication | |
Workstation Name | dest_device/DNS, src_device/DNS | Authentication | |
Source Network Address | dest_device/IP, src_device/IP | Authentication | |
ActiveDirectory (static value) | authentication_service | Authentication | |
Keywords | action (calculated field) | Endpoint_Processes | |
Microsoft Windows (static value) | vendor_product, os | Endpoint_Processes | |
ComputerName | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
Process ID | process_id | Endpoint_Processes | |
Process Name | process_name, process_exec, process_current_directory, process_path, process (if Process Name is empty, process_name and process_exec can be extracted from Login Process) | Endpoint_Processes | |
Workstation Name | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
Source Network Address | dest_device/IP, endpoint_device/IP | Endpoint_Processes | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
4625
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field) | Authentication | |
Message | signature | Authentication | |
EventCode | signature_id | Authentication | |
ComputerName | origin_device_domain | src_device/DNS | Authentication |
Failure Reason | reason | Authentication | |
Account Name | dest_user | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
Account Domain | dest_nt_domain | Authentication | |
Authentication Package | auth_pkg | Authentication | |
Logon Type | authentication_type, authentication_type_name (calculated field) | Authentication | |
Login Process | authentication_method | Authentication | |
Caller Process Name | app | Authentication | |
Workstation Name | dest_device/DNS, src_device/DNS | Authentication | |
Source Network Address | dest_device/IP, src_device/IP | Authentication | |
Status | event_return_code (calculated field) | Authentication | |
ActiveDirectory (static value) | authentication_service | Authentication | |
Keywords | action (calculated field) | Endpoint_Processes | |
Microsoft Windows (static value) | vendor_product, os | Endpoint_Processes | |
ComputerName | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
Caller Process ID | process_id | Endpoint_Processes | |
Caller Process Name | process_name, process_exec, process_current_directory, process_path, process (if Process Name is empty, process_name and process_exec can be extracted from Login Process) | Endpoint_Processes | |
Workstation Name | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
Source Network Address | dest_device/IP, endpoint_device/IP | Endpoint_Processes | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
4661
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Object Name | resource_handle | Endpoint_ResourceAccess | |
Object Type | resource_type | Endpoint_ResourceAccess | |
Object Server | resource_server | Endpoint_ResourceAccess | |
Handle ID | resource_handle_id | Endpoint_ResourceAccess | |
Access Mask | resource_operation_access_mask | Endpoint_ResourceAccess | |
Privileges Used for Access Check | resource_operation_privileges | Endpoint_ResourceAccess | |
Properties | resource_operation_properties | Endpoint_ResourceAccess | |
Restricted SID Count | resource_operation_restricted_sid_count | Endpoint_ResourceAccess | |
Accesses | resource_operation_access | Endpoint_ResourceAccess | |
Process Id | process_id | Endpoint_Processes | |
Process Name | process_name, process_path | Endpoint_Processes | |
Message | event_description | Endpoint_ResourceAccess | |
ComputerName | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes | |
Logon ID | login_id | Endpoint_ResourceAccess | |
ComputerName | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
EventCode | signature_id (extended) |
4662
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Object Name | resource_handle | Endpoint_ResourceAccess | |
Object Type | resource_type | Endpoint_ResourceAccess | |
Object Server | resource_server | Endpoint_ResourceAccess | |
Handle ID | resource_handle_id | Endpoint_ResourceAccess | |
Access Mask | resource_operation_access_mask | Endpoint_ResourceAccess | |
Privileges Used for Access Check | resource_operation_privileges | Endpoint_ResourceAccess | |
Properties | resource_operation_properties | Endpoint_ResourceAccess | |
Restricted SID Count | resource_operation_restricted_sid_count | Endpoint_ResourceAccess | |
Accesses | resource_operation_access | Endpoint_ResourceAccess | |
Operation Type | resource_operation_type | Endpoint_ResourceAccess | |
Message | event_description | Endpoint_ResourceAccess | |
ComputerName | dest_device/DNS | Endpoint_ResourceAccess | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess | |
Logon ID | login_id | Endpoint_ResourceAccess | |
ComputerName | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
EventCode | signature_id (extended) |
4663
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Object Name | resource_handle | Endpoint_ResourceAccess | |
Object Type | resource_type | Endpoint_ResourceAccess | |
Object Server | resource_server | Endpoint_ResourceAccess | |
Handle ID | resource_handle_id | Endpoint_ResourceAccess | |
Access Mask | resource_operation_access_mask | Endpoint_ResourceAccess | |
Restricted SID Count | resource_operation_restricted_sid_count | Endpoint_ResourceAccess | |
Accesses | resource_operation_access | Endpoint_ResourceAccess | |
Process ID | process_id | Endpoint_Processes | |
Process Name | process_name, process_path | Endpoint_Processes | |
Message | event_description | Endpoint_ResourceAccess | |
ComputerName | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes | |
Logon ID | login_id | Endpoint_ResourceAccess | |
ComputerName | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
Object Name | resource_handle_name (extended) | Endpoint_ResourceAccess (v2) | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
EventCode | signature_id (extended) |
4672
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Message | event_description | Endpoint_ResourceAccess | |
TaskCategory | task_category | Endpoint_ResourceAccess | |
SourceName | source_name | Endpoint_ResourceAccess | |
Logon ID | logon_id | Endpoint_ResourceAccess | |
Keywords | event_status | Endpoint_ResourceAccess | |
LogName | log_name | Endpoint_ResourceAccess | |
Account Domain | account_domain | Endpoint_ResourceAccess | |
Privileges | resource_operation_privileges | Endpoint_ResourceAccess | |
ComputerName | resource_handle | Endpoint_ResourceAccess | |
Use static value "Computer" | resource_type | Endpoint_ResourceAccess | |
ComputerName | dest_device/DNS | Endpoint_ResourceAccess | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess | |
EventCode | signature_id (extended) | Endpoint_ResourceAccess (v2) | |
ComputerName | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) |
4688
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Process Command Line | process | Endpoint_Processes | |
New Process ID | process_id | Endpoint_Processes | |
New Process Name | process_name, process_path | Endpoint_Processes | |
Creator Process Name | parent_process_name | Endpoint_Processes | |
Creator Process ID | parent_process_id | Endpoint_Processes | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
ComputerName | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
EventCode | signature_id (extended) |
4689
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field) | Endpoint_Processes | |
Microsoft Windows (static value) | vendor_product, os | Endpoint_Processes | |
ComputerName | dest_device/DNS | Endpoint_Processes | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME (dest_user is populated only if the Account Name does not end with $) | Endpoint_Processes | |
Process ID | process_id | Endpoint_Processes | |
Process Name | process_name, process_exec, process_current_directory, process_path, process | Endpoint_Processes | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
EventCode | signature_id (extended) |
4768
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field: if Keywords is Audit Success, action is Successful; otherwise, action is Failed) | Authentication | |
Use the static value "Kerberos" | authentication_method | Authentication | |
Use the static value "ActiveDirectory" | authentication_service | Authentication | |
Use the static value "Network" | authentication_type_name | Authentication | |
ComputerName | origin_device_domain | origin_device/DNS | Authentication |
Message | signature | Authentication | |
EventCode | signature_id | Authentication | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if Account Name contains a user, dest_user is populated; if it contains a device name, dest_device is populated) | Authentication | |
Supplied Realm Name | dest_nt_domain | Authentication | |
Client Address | dest_device/IP | Authentication | |
Result Code | event_return_code, reason (if Result Code is 0x18, 0xc0000064, or 0xc000006e, reason is "Invalid Password") | Authentication | |
Static value "ActiveDirectory" | app | Authentication | |
Client Port | dest_port | Certificates | |
Certificate Thumbprint | ssl_hash | Certificates | |
Certificate Issuer Name | ssl_issuer, ssl_issuer_common_name | Certificates | |
Certificate Serial Number | ssl_serial | Certificates | |
Result Code | ssl_is_valid | Certificates | |
TicketEncryptionType | ssl_signature_algorithm | ||
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) |
4769
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field: if Keywords is Audit Success, action is Successful; otherwise, action is Failed) | Authentication | |
Use the static value "Kerberos" | authentication_method | Authentication | |
Use the static value "ActiveDirectory" | authentication_service | Authentication | |
Use the static value "Network" | authentication_type_name | Authentication | |
ComputerName | origin_device_domain | origin_device/DNS | Authentication |
Message | signature | Authentication | |
EventCode | signature_id | Authentication | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if Account Name contains a user, dest_user is populated; if it contains a device name, dest_device is populated) | Authentication | |
Account Domain | dest_nt_domain | Authentication | |
Client Address | dest_device/IP | Authentication | |
Failure Code | event_return_code, reason (if Result Code is 0x18, 0xc0000064, or 0xc000006e, reason is "Invalid Password") | Authentication | |
Static value "ActiveDirectory" | app | Authentication | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) |
4776
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field) | Authentication | |
NtLmSsp (static value) | app, authentication_method | Authentication | |
ActiveDirectory (static value) | Authentication | ||
Error Code | reason (calculated field), event_return_code | Authentication | |
EventCode | signature (calculated field), signature_id | Authentication | |
Logon Account | dest_user/WINDOWS_ACCOUNT_NAME | Authentication | |
Authentication Package | auth_pkg | Authentication | |
ComputerName | origin_device_name | origin_device/DNS | Authentication |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) |
5140
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Message | event_description | Endpoint_ResourceAccess | |
AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
Accesses | resource_operation_accesses | Endpoint_ResourceAccess | |
Object Type | resource_type | Endpoint_ResourceAccess | |
Share Name | resource_handle | Endpoint_ResourceAccess | |
Keywords | event_status | Endpoint_ResourceAccess | |
ComputerName | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
Share Path | resource_handle_path (extended) | Endpoint_ResourceAccess (v2) | |
Source Address | source_address (extended) | Endpoint_ResourceAccess (v2) | |
Source Port | source_port (extended) | Endpoint_ResourceAccess (v2) | |
ComputerName | dest_device/DNS | Endpoint_ResourceAccess | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS (if Account Name contains a user name, dest_user is populated; if it contains a device, dest_device is populated) | Endpoint_ResourceAccess | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
EventCode | signature_id (extended) |
5145
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Message | event_description | Endpoint_ResourceAccess | |
AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
Accesses | resource_operation_accesses | Endpoint_ResourceAccess | |
Object Type | resource_type | Endpoint_ResourceAccess | |
Share Name | resource_handle | Endpoint_ResourceAccess | |
Keywords | event_status | Endpoint_ResourceAccess | |
Relative Target Name | resource_handle_name (extended) | Endpoint_ResourceAccess (v2) | |
Share Path | resource_handle_path (extended) | Endpoint_ResourceAccess (v2) | |
Source Address | source_address (extended) | Endpoint_ResourceAccess (v2) | |
ComputerName | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
Source Port | source_port (extended) | Endpoint_ResourceAccess (v2) | |
ComputerName | dest_device/DNS | Endpoint_ResourceAccess | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
EventCode | signature_id (extended) |
windows_snare_syslog logs
Sample Event
Sample windows_snare_syslog event
Nov 08 22:35:24 SCL-S-DC01.corp.acme065.com/10.115.16.5/192.0.2.123 MSWinEventLog,1,Security,856619580,Sat Nov 08 22:35:24 2014,4624,Microsoft-Windows-Security-Auditing,NT AUTHORITY\\ANONYMOUS LOGON,N/A,Success Audit,SCL-S-DC01.corp.acme065.com,Logon,,An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: Bobby Account Domain: NT AUTHORITY Logon ID: 0xa8e1bdeb2 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: OBWL3SAADS Source Network Address: 10.122.16.22 Source Port: 27657 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.,856447969
Fields and Mapping
4624
Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
---|---|---|---|
Keywords | action (calculated field) | Authentication | |
Message | signature | Authentication | |
EventCode | signature_id | Authentication | |
ComputerName | origin_device_domain | src_device/DNS | Authentication |
success (static value) | reason | Authentication | |
Account Domain | dest_nt_domain | src_user/WINDOWS_ACCOUNT_NAME | Authentication |
Account Name | | Authentication | |
Authentication Package | auth_pkg | Authentication | |
Logon Type | authentication_type, authentication_type_name (calculated field) | Authentication | |
Login Process | authentication_method | Authentication | |
Process Name | app | Authentication | |
Workstation Name | dest_device/DNS, src_device/DNS | Authentication | |
Source Network Address | dest_device/IP, src_device/IP | Authentication | |
ActiveDirectory (static value) | authentication_service | Authentication | |
Keywords | action (calculated field) | Endpoint_Processes | |
Microsoft Windows (static value) | vendor_product, os | Endpoint_Processes | |
ComputerName | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
Account Name | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
Process ID | process_id | Endpoint_Processes | |
Process Name | process_name, process_exec, process_current_directory, process_path, process (if Process Name is empty, process_name and process_exec can be extracted from Login Process) | Endpoint_Processes | |
Workstation Name | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
Source Network Address | dest_device/IP, endpoint_device/IP | Endpoint_Processes | |
TaskCategory | task_category (extended) | ||
SourceName | source_name (extended) | ||
LogName | log_name (extended) | ||
Account Domain | account_domain (extended) | ||
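As an added example (not Splunk code), the following Python applies the 4624 mapping table above to the sample windows_snare_syslog event: it splits the Snare CSV fields, parses the flattened Message by section so the Subject and New Logon "Account Name" values stay separate, calculates action from the audit keyword, resolves authentication_type_name from the logon type, and applies the table's fallback from Process Name to Logon Process. The Snare field positions, the choice of the New Logon block for dest_user, and the logon type name lookup are assumptions that the page does not state.

```python
import re

# Sample windows_snare_syslog 4624 event from the page, as one line. The explanatory
# text after "Key Length: 128" and the trailing counter are cut (constructed shortening).
SNARE_4624 = (
    "Nov 08 22:35:24 SCL-S-DC01.corp.acme065.com/10.115.16.5/192.0.2.123 "
    "MSWinEventLog,1,Security,856619580,Sat Nov 08 22:35:24 2014,4624,"
    "Microsoft-Windows-Security-Auditing,NT AUTHORITY\\\\ANONYMOUS LOGON,N/A,"
    "Success Audit,SCL-S-DC01.corp.acme065.com,Logon,,"
    "An account was successfully logged on. Subject: Security ID: S-1-0-0 "
    "Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
    "New Logon: Security ID: S-1-5-7 Account Name: Bobby Account Domain: NT AUTHORITY "
    "Logon ID: 0xa8e1bdeb2 Logon GUID: {00000000-0000-0000-0000-000000000000} "
    "Process Information: Process ID: 0x0 Process Name: - "
    "Network Information: Workstation Name: OBWL3SAADS "
    "Source Network Address: 10.122.16.22 Source Port: 27657 "
    "Detailed Authentication Information: Logon Process: NtLmSsp "
    "Authentication Package: NTLM Transited Services: - "
    "Package Name (NTLM only): NTLM V1 Key Length: 128 This event is generated ..."
)

# Section headers and "Label: value" labels of a flattened 4624 Message (assumed layout).
SECTIONS = ("Subject", "New Logon", "Process Information", "Network Information",
            "Detailed Authentication Information")
LABELS = ("Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Type",
          "Logon GUID", "Process ID", "Process Name", "Workstation Name",
          "Source Network Address", "Source Port", "Logon Process",
          "Authentication Package", "Transited Services", "Package Name (NTLM only)",
          "Key Length")
_SECTION_RE = re.compile(r"\s+(%s):" % "|".join(map(re.escape, SECTIONS)))
_PAIR_RE = re.compile(r"(%s): (.*?)(?=\s+(?:%s):|\s+This event is generated|$)"
                      % ("|".join(map(re.escape, LABELS)),
                         "|".join(map(re.escape, SECTIONS + LABELS))))
# Windows logon type codes; the table only says authentication_type_name is calculated.
LOGON_TYPE_NAMES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
                    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
                    "10": "RemoteInteractive", "11": "CachedInteractive"}

def parse_message(message):
    """Return {section: {label: value}}, so the Subject and New Logon 'Account Name'
    values (here '-' and 'Bobby') do not overwrite each other."""
    parts = _SECTION_RE.split(message)  # [preamble, section, text, section, text, ...]
    return {parts[i]: dict(_PAIR_RE.findall(parts[i + 1])) for i in range(1, len(parts), 2)}

def map_snare_4624(raw):
    """Apply the 4624 mapping table to one Snare line and return the token dict."""
    fields = raw[raw.index("MSWinEventLog"):].split(",", 13)  # Message is CSV field 13
    if fields[5] != "4624":
        raise ValueError("not a 4624 event: " + fields[5])
    msg = parse_message(fields[13])
    logon, proc = msg["New Logon"], msg["Process Information"]
    net, auth = msg["Network Information"], msg["Detailed Authentication Information"]
    logon_type = next(s["Logon Type"] for s in msg.values() if "Logon Type" in s)
    # Process Name feeds process_name/app; the table falls back to Logon Process when empty.
    proc_name = auth["Logon Process"] if proc["Process Name"] in ("", "-") else proc["Process Name"]
    return {
        # Keywords -> action (calculated): a success audit keyword means Successful.
        "action": "Successful" if fields[9] in ("Success Audit", "Audit Success") else "Failed",
        "signature_id": fields[5], "source_name": fields[6], "task_category": fields[11],
        "origin_device_domain": fields[10], "reason": "success",
        "authentication_service": "ActiveDirectory", "vendor_product": "Microsoft Windows",
        "dest_user": logon["Account Name"], "dest_nt_domain": logon["Account Domain"],
        "auth_pkg": auth["Authentication Package"], "authentication_method": auth["Logon Process"],
        "authentication_type": logon_type,
        "authentication_type_name": LOGON_TYPE_NAMES.get(logon_type, "Unknown"),
        "src_device_dns": net["Workstation Name"], "src_device_ip": net["Source Network Address"],
        "process_id": proc["Process ID"], "process_name": proc_name,
        "process_exec": proc_name, "app": proc_name,
    }

if __name__ == "__main__":
    for key, value in sorted(map_snare_4624(SNARE_4624).items()):
        print("%-25s %s" % (key, value))
```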
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0