Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| AD FS Messages | Base Rule | General Active Directory Information | Information |
| EVID 516 : Account Locked - Too Many Attempts | Sub Rule | User Logon Failure : Account Locked Out | Authentication Failure |
| EVID 1200 : Federation Service Issued Valid Token | Sub Rule | Token Modified | Other Audit Success |
| EVID 1201 : Federation Service Failed IssuingToken | Sub Rule | Token Error | Error |
| EVID 1202 : Federation Service ValidatedCredential | Sub Rule | Accounts Validated | Other Audit Success |
| EVID 1203 : Federation Service Failed Credentials | Sub Rule | Request Failed To Validate | Warning |
| EVID 1206 : Signout Request Successfully Processed | Sub Rule | Logoff | Other Audit Success |
| EVID 1210 : Extranet Lockout Event Occurred | Sub Rule | Authentication Failure Activity | Authentication Failure |
| EVID 512 : Account Locked - Bad Password Attempt | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| EVID 431 : Request Received | Sub Rule | Request Received | Other Audit Success |
| EVID 515 : Suspicious Authentication Activity | Sub Rule | Authentication Activity | Authentication Success |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
| --- | --- | --- |
| N/A | <vmid> | Number |
| N/A | <severity> | Text/String |
| N/A | <vendorinfo> | Text/String |
| N/A | <sip> | Number |
| N/A | <dip> | Number |
| N/A | <dname> | Text/String |
| N/A | <snatip> | Number |
| N/A | <dnatip> | Number |
| N/A | <login> | Text/String |
| N/A | <account> | Text/String |
| N/A | <domainorigin> | Text/String |
| N/A | <domainimpacted> | Text/String |
| N/A | <session> | Text/String |
| N/A | <object> | Text/String |
| N/A | <objecttype> | Text/String |
| N/A | <subject> | Text/String |
| N/A | <result> | Text/String |
| N/A | <reason> | Text/String |
| N/A | <size> | Number |
| N/A | <useragent> | Text/String |