ADFSReports Log Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
ADFSReports Log Messages | Base Rule | General Information Log Message | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
N/A | <severity> | Text/String | N/A |
Category | <object> | Text/String | N/A |
REPORT_PROFILE | <objectname> | Text/String | N/A |
USERNAME | <account> | Text/String | N/A |
CLIENT_MC_NAME | N/A | N/A | N/A |
CLIENT_HOST_NAME | <dname> | Text/String | N/A |
TIME_GENERATED | N/A | N/A | N/A |
RECORD_NUMBER | N/A | N/A | N/A |
EVENT_TYPE | N/A | N/A | N/A |
EVENT_TYPE_TEXT | <status> | Text/String | N/A |
DOMAIN | <domainorigin> | Text/String | N/A |
SOURCE | <login> | Text/String | N/A |
USER_SID | <session> | Text/String | N/A |
EVENT_NUMBER | N/A | N/A | N/A |
REMARKS | <reason> | Text/String | N/A |
LOGON_ID | N/A | N/A | N/A |
LOGON_TYPE | N/A | N/A | N/A |
LOGON_TYPE_TEXT | N/A | N/A | N/A |
LOGON_PROCESS | <process> | Text/String | N/A |
AUTHENTICATION_PACKAGE | N/A | N/A | N/A |
CALLER_USER_NAME | N/A | N/A | N/A |
CALLER_USER_DOMAIN | N/A | N/A | N/A |
SOURCE_PORT | <sport> | Number | N/A |
FORMAT_MESSAGE | <subject> | Text/String | N/A |
CALLER_PROCESS_ID | N/A | N/A | N/A |
CALLER_PROCESS_NAME | N/A | N/A | N/A |
IMPERSONATION_LEVEL | N/A | N/A | N/A |
RELYING_PARTY | N/A | N/A | N/A |
TOKEN_TYPE | N/A | N/A | N/A |
INSIDE_CORPORATE_NETWORK | N/A | N/A | N/A |
IP_ADDRESS | N/A | N/A | N/A |
ISSUED_CLAIMS | N/A | N/A | N/A |
CALLER_IDENTITY | N/A | N/A | N/A |
HOST_NAME | N/A | N/A | N/A |
ERROR_CODE | <responsecode> | Number | N/A |
ERROR_CODE_TEXT | <objecttype> | Text/String | N/A |
USER_SAM_ACCOUNT_NAME | N/A | N/A | N/A |
USER_DISPLAY_NAME | N/A | N/A | N/A |
USER_PRINCIPAL_NAME | N/A | N/A | N/A |
USER_GUID | N/A | N/A | N/A |
USER_DISTINGUISH_NAME | N/A | N/A | N/A |
USER_NAME_OU_GUID | N/A | N/A | N/A |
USER_DEPARTMENT | N/A | N/A | N/A |
USER_MANAGER_NAME | N/A | N/A | N/A |
CALLER_LOGON_ID | N/A | N/A | N/A |
FAILURE_STATUS | N/A | N/A | N/A |
FAILURE_SUB_STATUS | N/A | N/A | N/A |
KEY_LENGTH | N/A | N/A | N/A |
NTLM_PACKAGE_NAME | N/A | N/A | N/A |
TRANSITED_SERVICES | N/A | N/A | N/A |
WORKSTATION_NAME | N/A | N/A | N/A |
CALLER_SAM_ACCOUNT_NAME | N/A | N/A | N/A |
CALLER_DISPLAY_NAME | N/A | N/A | N/A |
CALLER_USER_PRINCIPAL_NAME | N/A | N/A | N/A |
CALLER_USER_GUID | N/A | N/A | N/A |
CALLER_DISTINGUISH_NAME | N/A | N/A | N/A |
CALLER_USER_OU_GUID | N/A | N/A | N/A |
CALLER_USER_DEPARTMENT | N/A | N/A | N/A |
CALLER_USER_MANAGER_NAME | N/A | N/A | N/A |
CLIENT_HOST_DOMAIN_NAME | N/A | N/A | N/A |
IS_MFA_PERFORMED | N/A | N/A | N/A |
PROXY_NAME | N/A | N/A | N/A |
PROTOCOL_NAME | <protname> | Text/String | N/A |
ENDPOINT_NAME | N/A | N/A | N/A |
USER_AGENT_NAME | N/A | N/A | N/A |
MFA_DEVICE_ID | N/A | N/A | N/A |
MFA_DEVICE_AUTHENTICATION | N/A | N/A | N/A |
MFA_METHOD | N/A | N/A | N/A |
CORRELATION_ID | N/A | N/A | N/A |
BAD_PASSWORD_COUNT | N/A | N/A | N/A |
LAST_BAD_PASSWORD_ATTEMPT | N/A | N/A | N/A |
LOCKOUT_WINDOW | N/A | N/A | N/A |
SOURCE_NAME | <sname> | Text/String | N/A |
LOG_FILE_NAME | N/A | N/A | N/A |
KEYWORDS_NAME | N/A | N/A | N/A |
TASK_CATEGORY_NAME | N/A | N/A | N/A |
TASK_CATEGORY_ID | N/A | N/A | N/A |
EXTRA_COLUMN1 | N/A | N/A | N/A |
EXTRA_COLUMN2 | N/A | N/A | N/A |
EXTRA_COLUMN3 | N/A | N/A | N/A |
EXTRA_COLUMN4 | N/A | N/A | N/A |
EXTRA_COLUMN5 | N/A | N/A | N/A |
EXTRA_COLUMN6 | N/A | N/A | N/A |
EXTRA_COLUMN7 | N/A | N/A | N/A |
EXTRA_COLUMN8 | N/A | N/A | N/A |
EXTRA_COLUMN9 | N/A | N/A | N/A |
EXTRA_COLUMN10 | N/A | N/A | N/A |
CONFIGURED_DOMAIN_NAME | N/A | N/A | N/A |