Supported data sources in behavioral analytics service
This topic applies only to customers on the Splunk Cloud platform.
Behavioral analytics service uses data sources to generate anomalies.
The following table identifies the source types supported by universal forwarders:
| Data source
|
Sourcetype for universal forwarder
|
| Windows security logs |
XmlWinEventLog:Security
|
Windows event IDs supported in Splunk Behavioral Analytics
The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. See Configure Windows event logging to ensure the proper events are logged for instructions to properly log Microsoft Windows events.
| Event ID
|
Description
|
Supported for XmlWinEventLog
|
| 4103 |
Windows license activation failed |
Yes
|
| 4104 |
PowerShell script block logging |
Yes
|
| 4624 |
An account was successfully logged on |
Yes
|
| 4625 |
An account failed to log on |
Yes
|
| 4661 |
A handle to an object was requested |
Yes
|
| 4662 |
An operation was performed on an object |
Yes
|
| 4663 |
An attempt was made to access an object |
Yes
|
| 4673 |
A privileged service was called |
Yes
|
| 4688 |
A new process has been created |
Yes
|
| 4689 |
A process has exited |
Yes
|
| 5145 |
A network share object was checked to see whether client can be granted desired access |
Yes
|
Data source sample events and fields mappings
Behavioral analytics service extracts and maps the values from specific fields in each data source to be used by its models. Expand each Fields and Mapping section to see how fields in raw events are mapped. The tables in the Field and Mapping section contain the following information:
| Table column
|
Description
|
| Raw event field name
|
The original value of the field in the raw event.
|
| Behavioral analytics service token name
|
What the field in the raw event is mapped to in behavioral analytics service. For example, the raw event may contain a field named threatURL, but the models in behavioral analytics service require a field named threat_url.
|
| Behavioral analytics service entity/field type
|
The field used to enrich entities with assets and identities data. For example, a local_ip field in the raw event marked as dest_user/DNS in the table defines the database table used to perform the lookup, so DNS addresses are searched when performing the lookup instead of IP tables.
|
| Behavioral analytics service data model
|
Data models in behavioral analytics service normalize data into specific categories like Authorization or Endpoint. The detections in the system run queries against this normalized data instead of running vendor-specific queries.
|
XmlWinEventLog logs
Sample Event
Expand
Sample XmlWinEventLog events
4689
<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4689</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13313</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
<EventRecordID>187030</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="144" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31365</Data>
<Data Name="Status">0x0</Data>
<Data Name="ProcessId">0xfb0</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
</EventData>
</Event>
5140
<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4689</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13313</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
<EventRecordID>187030</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="144" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31365</Data>
<Data Name="Status">0x0</Data>
<Data Name="ProcessId">0xfb0</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
</EventData>
</Event>
5145
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
-
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>
Fields and Mapping
Expand
Fields and mapping
4103
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| Provider |
source_name |
|
Endpoint_Processes
|
| Computer |
|
dest_device/DNS
endpoint_device/DNS |
Endpoint_Processes
|
| UserID |
|
dest_user/WINDOWS_ACCOUNT_NAME
endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes
|
| Payload |
process |
|
Endpoint_Processes
|
| Use constant value of "powershell.exe" |
parent_process_name
process_name |
|
Endpoint_Processes
|
| Task |
task_category (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| EventID |
signature_id (extended) |
|
|
4104
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| Provider (Name attribute) |
source_name |
|
Endpoint_Processes
|
| Computer |
|
dest_device/DNS
endpoint_device/DNS |
Endpoint_Processes
|
| Path |
process_path extracted from script path
process_name exgracted from script path |
|
Endpoint_Processes
|
| Use constant value of "powershell.exe" |
parent_process_name |
|
Endpoint_Processes
|
| Task |
task_category (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| EventID |
signature_id (extended) |
|
|
4624
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| Keywords |
action This is a calculated field. |
|
Authentication
|
Static value:
"An account was successfully logged on" |
signature |
|
Authentication
|
| EventID |
signature_id |
|
Authentication
|
| Computer |
origin_device_domain |
src_device/DNS |
Authentication
|
| FailureReason |
reason |
|
Authentication
|
| SubjectUserName |
|
src_user/WINDOWS_ACCOUNT_NAME |
Authentication
|
| TargetUserName |
|
src_user/WINDOWS_ACCOUNT_NAME |
Authentication
|
| TargetDomainName |
dest_nt_domain |
|
Authentication
|
| AuthenticationPackageName |
auth_pkg |
|
Authentication
|
| LogonType |
authentication_type, authentication_type_name (calculated field) |
|
Authentication
|
| LoginProcessName |
authentication_method |
|
Authentication
|
| ProcessName |
app |
|
Authentication
|
| WorkstationName |
|
src_device/DNS |
Authentication
|
| ipAddress |
|
dest_device/IP, src_device/IP |
Authentication
|
| Keywords |
action This is a calculated field. |
|
Endpoint_Processes
|
Static value:
"Microsoft WIndows" |
vendor_product, os |
|
Endpoint_Processes
|
| Computer |
|
dest_devince/DNS
endpoint_device/DNS |
Endpoint_Processes
|
| SubjectUserName |
|
endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes
|
| TargetUserName |
|
endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes
|
| ProcessId |
process_id |
|
Endpoint_Processes
|
| ProcessName |
process_name, process_exec, process_current_directory, process_path, process If ProcessName is empty, the values of process_name and process_exec are extracted from Login Process |
|
Endpoint_Processes
|
| WorkstationName |
|
dest_device/DNS, endpoint_device/DNS |
Endpoint_Processes
|
| ipAddress |
|
dest_device/IP, endpoint_device/DNS |
Endpoint_Processes
|
| Task |
task_category (extended) |
|
|
| Provider (name attribute) |
aosurce_name (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| SubjectDomainName |
account_domain (extended) |
|
|
4625
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| Keywords |
action This is a calculated field. |
|
Authentication
|
Static value:
"An account failed to log on" |
signature |
|
Authentication
|
| EventID |
signature_id |
|
Authentication
|
| Computer |
origin_device_domain |
src_device/DNS |
Authentication
|
| FailureReason |
reason |
|
Authentication
|
| SubjectUserName |
|
src_user/WINDOWS_ACCOUNT_NAME |
Authentication
|
| TargetUserName |
|
src_user/WINDOWS_ACCOUNT_NAME |
Authentication
|
| TargetDomainName |
dest_nt_domain |
|
Authentication
|
| AuthenticationPackageName |
auth_pkg |
|
Authentication
|
| LogonType |
authentication_type, authentication_type_name (calculated field) |
|
Authentication
|
| LoginProcessName |
authentication_method |
|
Authentication
|
| ProcessName |
app |
|
Authentication
|
| WorkstationName |
|
src_device/DNS |
Authentication
|
| ipAddress |
|
dest_device/IP, src_device/IP |
Authentication
|
| Status |
event_return_code This is a alculated field. |
|
Authentication
|
| ActiveDirectory (static value) |
authentication_service |
|
Authentication
|
| Keywords |
action This is a calculated field. |
|
Endpoint_Processes
|
Static value:
"Microsoft WIndows" |
vendor_product, os |
|
Endpoint_Processes
|
| Computer |
|
dest_devince/DNS
endpoint_device/DNS |
Endpoint_Processes
|
| SubjectUserName |
|
endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes
|
| TargetUserName |
|
endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes
|
| ProcessId |
process_id |
|
Endpoint_Processes
|
| ProcessName |
process_name, process_exec, process_current_directory, process_path, process If ProcessName is empty, the values of process_name and process_exec are extracted from Login Process |
|
Endpoint_Processes
|
| WorkstationName |
|
dest_device/DNS, endpoint_device/DNS |
Endpoint_Processes
|
| ipAddress |
|
dest_device/IP, endpoint_device/DNS |
Endpoint_Processes
|
| Task |
task_category (extended) |
|
|
| Provider (name attribute) |
aosurce_name (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| SubjectDomainName |
account_domain (extended) |
|
|
4661
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| ObjectName |
resource_handle |
|
Endpoint_ResourceAccess
|
| ObjectType |
resource_type |
|
Endpoint_ResourceAccess
|
| HandleId |
resource_handle_id |
|
Endpoint_ResourceAccess
|
| AccessMask |
resource_operation_access_mask |
|
Endpoint_ResourceAccess
|
| PrivilegeList |
resource_operation_privileges |
|
Endpoint_ResourceAccess
|
| Properties |
resource_operation_properties |
|
Endpoint_ResourceAccess
|
| RestrictedSidCount |
resource_operation_restricted_sid_count |
|
Endpoint_ResourceAccess
|
| AccessList |
resource_operation_access |
|
Endpoint_ResourceAccess
|
| ProcessId |
process_id |
|
Endpoint_Process
|
| ProcessName |
process_name
process_path |
|
Endpoint_Process
|
|
event_description (calculated field) |
|
Endpoint_ResourceAccess
|
| Computer |
|
dest_device/DNS
endpoint_device/DNS |
Endpoint_ResourceAccess, Endpoint_Processes
|
| SubjectUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME
endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_ResourceAccess, Endpoint_Processes
|
| SubjectLogonId |
logon_id |
|
Endpoint_ResourceAccess
|
| TransactionId |
resource_operation_transaction_id |
|
Endpoint_ResourceAccess
|
| Keywords |
event_status |
|
Endpoint_ResourceAccess
|
| Computer |
dest_nt_domain (extended) |
|
Endpoint_ResourceAccess (v2)
|
| ObjectName |
resource_handle_name (extended) |
|
Endpoint_ResourceAccess (v2)
|
| Task |
task_category (extended) |
|
|
| Provider (name attribute) |
source_name (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| SubjectDomainName |
account_domain (extended) |
|
|
| EventID |
signature_id (extended) |
|
|
4662
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| ObjectName |
resource_handle |
|
Endpoint_ResourceAccess
|
| ObjectType |
resource_type |
|
Endpoint_ResourceAccess
|
| HandleId |
resource_handle_id |
|
Endpoint_ResourceAccess
|
| AccessMask |
resource_operation_access_mask |
|
Endpoint_ResourceAccess
|
| Properties |
resource_operation_properties |
|
Endpoint_ResourceAccess
|
| RestrictedSidCount |
resource_operation_restricted_sid_count |
|
Endpoint_ResourceAccess
|
| AccessList |
resource_operation_access |
|
Endpoint_ResourceAccess
|
| OperationType |
resource_operation_type |
|
Endpoint_ResourceAccess
|
|
event_description (calculated field) |
|
Endpoint_ResourceAccess
|
| Computer |
|
dest_device/DNS |
Endpoint_ResourceAccess, Endpoint_Processes
|
| SubjectUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME |
Endpoint_ResourceAccess
|
| SubjectLogonId |
logon_id |
|
Endpoint_ResourceAccess
|
| Keywords |
event_status |
|
Endpoint_ResourceAccess
|
| Computer |
dest_nt_domain (extended) |
|
Endpoint_ResourceAccess (v2)
|
| Task |
task_category (extended) |
|
|
| Provider (name attribute) |
source_name (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| SubjectDomainName |
account_domain (extended) |
|
|
| EventID |
signature_id (extended) |
|
|
4663
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| ObjectName |
resource_handle |
|
Endpoint_ResourceAccess
|
| ObjectType |
resource_type |
|
Endpoint_ResourceAccess
|
| HandleId |
resource_handle_id |
|
Endpoint_ResourceAccess
|
| AccessList |
resource_operation_access |
|
Endpoint_ResourceAccess
|
| AccessMask |
resource_operation_access_mask |
|
Endpoint_ResourceAccess
|
| ProcessId |
process_id |
|
Endpoint_Process
|
| ProcessName |
process_name
process_path |
|
Endpoint_Process
|
|
event_description (calculated field) |
|
Endpoint_ResourceAccess
|
| Computer |
|
dest_device/DNS
endpoint_device/DNS |
Endpoint_ResourceAccess, Endpoint_Processes
|
| SubjectUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME
endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_ResourceAccess, Endpoint_Processes
|
| SubjectLogonId |
logon_id |
|
Endpoint_ResourceAccess
|
| Keywords |
event_status |
|
Endpoint_ResourceAccess
|
| Computer |
dest_nt_domain (extended) |
|
Endpoint_ResourceAccess (v2)
|
| ObjectName |
resource_handle_name (extended) |
|
Endpoint_ResourceAccess (v2)
|
| Task |
task_category (extended) |
|
|
| Provider (name attribute) |
source_name (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| SubjectDomainName |
account_domain (extended) |
|
|
| EventID |
signature_id (extended) |
|
|
4688
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| CommandLine |
process |
|
Endpoint_Process
|
| Keywords |
action This is a calculated field. |
|
Endpoint_Processes
|
| NewProcessId |
process_id |
|
Endpoint_Processes
|
| NewProcessName |
process_name
process_exec
process_current_directory
process_path |
|
Endpoint_Processes
|
| Microsoft Windows (static value) |
vendor_product, os |
|
Endpoint_Processes
|
| ParentProcessName |
parent_process_name |
|
Endpoint_Processes
|
| ProcessId |
parent_process_id |
|
Endpoint_Processes
|
| TargetUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME
endpoint_user/WINDOWS_ACCOUNT_NAME |
Endpoint_Processes
|
| Computer |
|
dest_device/DNS
endpoint_device/DNS |
Endpoint_Processes
|
| Task |
task_category (extended) |
|
|
| Provider (name attribute) |
source_name (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| SubjectDomainName |
account_domain (extended) |
|
|
| EventID |
signature_id (extended) |
|
|
4689
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| Keywords |
action This is a calculated field. |
|
Endpoint_Processes
|
| Microsoft Windows (static value) |
vendor_product, os |
|
Endpoint_Processes
|
| Computer |
|
dest_device/DNS |
Endpoint_Processes
|
| SubjectUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME If SubjectUserName does not contain $ at the end, then dest_user is populated. |
Endpoint_Processes
|
| ProcessId |
process_id |
|
Endpoint_Processes
|
| ProcessName |
process_name
process_exec
process_current_directory
process_path
process |
|
Endpoint_Processes
|
| Task |
task_category (extended) |
|
|
| Provider (name attribute) |
source_name (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| SubjectDomainName |
account_domain (extended) |
|
|
| EventID |
signature_id (extended) |
|
|
4768
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| Status |
action If the Status is 0x0, then the action is Successful. Otherwise, the action is Failed. |
Authentication
|
| Use the static value "Kerberos" |
authentication_method |
|
Authentication
|
| Use the static value "ActiveDirectory" |
authentication_service |
|
Authentication
|
| Use the static value "Network" |
authentication_type_name |
|
Authentication
|
| TargetUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS If TargetUserName contains a user, then dest_user is populated. If TargetUserName contains a device name, then dest_device is populated. |
Authentication
|
| Status
|
reason
I If Status = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password"
If Status = 0x1, 0x2, 0x17, 0xc000007, or 0xc0000193, then reason is "ExpiredPassword" If Status = 0x18, 0xc0000064, or 0xc000006e, then reason is "RevokedCredentials"
|
|
Authentication
|
| Status |
event_return_code |
|
Authentication
|
| Use the static value "A Kerberos authentication ticket (TGT) was requested." |
signature |
|
Authentication
|
| EventID |
signature_id |
|
Authentication
|
| Use the static value "ActiveDirectory". |
app |
|
Authentication
|
| IpPort |
dest_port |
|
Certificates
|
| CertThumbprint |
ssl_hash |
|
Certificates
|
| CertIssuerName |
ssl_issuer |
|
Certificates
|
| CertIssuerName |
ssl_issuer_common_name |
|
Certificates
|
| CertSerialNumber |
ssl_serial |
|
Certificates
|
| Status
|
ssl_is_valid
If Status = 0x3E or 0x3F, then ssl_is_valid is "false" Otherwise, ssl_is_valid is "true"
|
|
Certificates
|
| TicketEncryptionType
|
ssl_signature_algorithm
If TicketEncryptionType = 0x1, then ssl_signature_algorithm is "DES-CBC-CRC" If TicketEncryptionType = 0x3, then ssl_signature_algorithm is "DES-CBC-MD5" If TicketEncryptionType = 0x11, then ssl_signature_algorithm is "AES128-CTS-HMAC-SHA1-96" If TicketEncryptionType = 0x12, then ssl_signature_algorithm is "AES256-CTS-HMAC-SHA1-96" If TicketEncryptionType = 0x17, then ssl_signature_algorithm is "RC4-HMAC" If TicketEncryptionType = 0x18, then ssl_signature_algorithm is "RC4-HMAC-EXP"
|
| Task |
task_category (extended) |
|
|
| Provider (name attribute) |
source_name (extended) |
|
|
| Channel |
log_name (extended) |
|
|
| TargetDomainName |
account_domain (extended) |
|
|
4769
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
| Keywords |
action If the Keywords is 0x8020000000000000, then the action is Successful. Otherwise, the action is Failed. |
Authentication
|
| Use the static value "Kerberos" |
authentication_method |
|
Authentication
|
| Use the static value "ActiveDirectory" |
authentication_service |
|
Authentication
|
| Use the static value "Network" |
authentication_type_name |
|
Authentication
|
| Computer |
origin_device_domain |
origin_device/DNS |
Authentication
|
| Use the static value "A Kerberos service ticket was requested." |
signature |
|
Authentication
|
| EventID |
signature_id |
|
Authentication
|
| TargetUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS If TargetUserName contains a user, then dest_user is populated. If TargetUserName contains a device name, then dest_device is populated. |
Authentication
|
| TargetDomainName |
dest_nt_domain |
|
Authentication
|
| IpAddress |
|
dest_device/IP |
Authentication
|
| Status
|
event_return_code, reason
I If Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "Invalid Password"
If Result Code = 0x1, 0x2, 0x17, 0xc0000071, or 0xc0000193, then reason is "ExpiredPassword" If Result Code = 0x18, 0xc0000064, or 0xc000006e, then reason is "RevokedCredentials"
|
|
Authentication
|
| Use the static value "ActiveDirectory". |
app |
|
Authentication
|
5140
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
|
event_description (calculated field) |
|
Endpoint_ResourceAccess
|
| Task |
task_category |
|
Endpoint_ResourceAccess
|
| Provider (name attribute) |
source_name |
|
Endpoint_ResourceAccess
|
| AccessMask |
resource_operation_access_mask |
|
Endpoint_ResourceAccess
|
| AccessList |
resource_operation_accesses |
|
Endpoint_ResourceAccess
|
| ObjectType |
resource_type |
|
Endpoint_ResourceAccess
|
| Channel |
log_name |
|
Endpoint_ResourceAccess
|
| ShareName |
resource_handle |
|
Endpoint_ResourceAccess
|
| SubjectDomainName |
account_domain |
|
Endpoint_ResourceAccess
|
| Keywords |
event_status |
|
Endpoint_ResourceAccess
|
| ShareLocalPath |
resource_handle_path (extended) |
|
Endpoint_ResourceAccess (v2)
|
| EventID |
signature_id (extended) |
|
Endpoint_ResourceAccess (v2)
|
| IpAddress |
source_address (extended) |
|
Endpoint_ResourceAccess (v2)
|
| Computer |
dest_nt_domain |
|
Endpoint_ResourceAccess (v2)
|
| IpPort |
source_port (extended) |
|
Endpoint_ResourceAccess (v2)
|
| Computer |
|
dest_device/DNS |
Endpoint_ResourceAccess
|
| SubjectUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS If SubjectUserName contains a user name then dest_user is populated. If SubjectUserName contains a device then dest_device is populated. |
Endpoint_ResourceAccess
|
5145
| Raw event field name
|
Behavioral analytics service token name
|
Behavioral analytics service entity/field type
|
Behavioral analytics service data model
|
|
event_description (calculated field) |
|
Endpoint_ResourceAccess
|
| Task |
task_category |
|
Endpoint_ResourceAccess
|
| Provider (name attribute) |
source_name |
|
Endpoint_ResourceAccess
|
| AccessMask |
resource_operation_access_mask |
|
Endpoint_ResourceAccess
|
| AccessList |
resource_operation_accesses |
|
Endpoint_ResourceAccess
|
| ObjectType |
resource_type |
|
Endpoint_ResourceAccess
|
| Channel |
log_name |
|
Endpoint_ResourceAccess
|
| ShareName |
resource_handle |
|
Endpoint_ResourceAccess
|
| SubjectDomainName |
account_domain |
|
Endpoint_ResourceAccess
|
| Keywords |
event_status |
|
Endpoint_ResourceAccess
|
| RelativeTargetName |
resource_handle_name (extended) |
|
Endpoint_ResourceAccess (v2)
|
| ShareLocalPath |
resource_handle_path (extended) |
|
Endpoint_ResourceAccess (v2)
|
| EventID |
signature_id (extended) |
|
Endpoint_ResourceAccess (v2)
|
| IpAddress |
source_address (extended) |
|
Endpoint_ResourceAccess (v2)
|
| Computer |
dest_nt_domain |
|
Endpoint_ResourceAccess (v2)
|
| IpPort |
source_port (extended) |
|
Endpoint_ResourceAccess (v2)
|
| Computer |
|
dest_device/DNS |
Endpoint_ResourceAccess
|
| SubjectUserName |
|
dest_user/WINDOWS_ACCOUNT_NAME |
Endpoint_ResourceAccess
|
Download manual
Feedback submitted, thanks!