AD FS Messages
Classification
Rule Name | Rule Type | Common Event | Classification |
--- | --- | --- | --- |
AD FS Messages | Base Rule | General Active Directory Information | Information |
EVID 516 : Account Locked - Too Many Attempts | Sub Rule | User Logon Failure : Account Locked Out | Authentication Failure |
EVID 1200 : Federation Service Issued Valid Token | Sub Rule | Token Modified | Other Audit Success |
EVID 1201 : Federation Service Failed IssuingToken | Sub Rule | Token Error | Error |
EVID 1202 : Federation Service ValidatedCredential | Sub Rule | Accounts Validated | Other Audit Success |
EVID 1203 : Federation Service Failed Credentials | Sub Rule | Request Failed To Validate | Warning |
EVID 1206 : Signout Request Successfully Processed | Sub Rule | Logoff | Other Audit Success |
EVID 1210 : Extranet Lockout Event Occurred | Sub Rule | Authentication Failure Activity | Authentication Failure |
EVID 512 : Account Locked - Bad Password Attempt | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
EVID 431 : Request Received | Sub Rule | Request Received | Other Audit Success |
EVID 515 : Suspicious Authentication Activity | Sub Rule | Authentication Activity | Authentication Success |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type |
--- | --- | --- |
N/A | <vmid> | Number |
N/A | <severity> | Text/String |
N/A | <vendorinfo> | Text/String |
N/A | <sip> | Number |
N/A | <dip> | Number |
N/A | <dname> | Text/String |
N/A | <snatip> | Number |
N/A | <dnatip> | Number |
N/A | <login> | Text/String |
N/A | <account> | Text/String |
N/A | <domainorigin> | Text/String |
N/A | <domainimpacted> | Text/String |
N/A | <session> | Text/String |
N/A | <object> | Text/String |
N/A | <objecttype> | Text/String |
N/A | <subject> | Text/String |
N/A | <result> | Text/String |
N/A | <reason> | Text/String |
N/A | <size> | Number |
N/A | <useragent> | Text/String |