Event Details
|
Event Type |
Audit Logon |
|---|---|
|
Event Description |
4624(S) : An account was successfully logged on. |
|
Event ID |
4624 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|
|---|---|---|---|
|
Provider |
N/A |
N/A |
|
|
EventID |
<vmid> |
<vmid> |
|
|
Version |
N/A |
N/A |
|
|
Level |
<severity> |
<severity> |
|
|
Task |
<vendorinfo> |
<vendorinfo> |
|
|
Opcode |
N/A |
N/A |
|
|
Keywords |
N/A |
<result> |
|
|
TimeCreated |
N/A |
N/A |
|
|
EventRecordID |
N/A |
N/A |
|
|
Correlation |
N/A |
N/A |
|
|
Execution |
<processid> |
N/A |
|
|
Channel |
N/A |
N/A |
|
|
Computer |
<dname> |
<dname> |
|
|
EventData |
<vendorinfo> |
N/A |
|
|
SubjectUserSid |
N/A |
N/A |
|
|
SubjectUserName |
N/A |
N/A |
|
|
SubjectDomainName |
N/A |
N/A |
|
|
SubjectLogonId |
<session> |
N/A |
|
|
TargetUserSid |
<login>, <domain> |
N/A |
|
|
TargetUserName |
N/A |
<login>, <tag1> |
|
|
TargetDomainName |
N/A |
<domainorigin> |
|
|
TargetLogonId |
N/A |
<session> |
|
|
LogonType |
<command>, <tag3>, <sessiontype> |
<sessiontype>, <tag2> |
|
|
Security ID |
<account> |
N/A |
|
|
Account Name |
<login>, <tag2> |
N/A |
|
|
Account Domain |
<domain> |
N/A |
|
|
LogonID |
<session> |
N/A |
|
|
LogonProcessName |
N/A |
<object> |
|
|
AuthenticationPackageName |
N/A |
<objectname> |
|
|
WorkstationName |
N/A |
N/A |
|
|
LogonGuid |
N/A |
N/A |
|
|
TransmittedServices |
N/A |
N/A |
|
|
LmPackageName |
N/A |
N/A |
|
|
KeyLength |
<quantity> |
<size> |
|
|
ProcessId |
N/A |
<processid> |
|
|
ProcessName |
<process>, <object> |
<process> |
|
|
IpAddress |
<sip> |
<sip> |
|
|
Source Network Address |
<sip> |
N/A |
|
|
Source Port |
<sport> |
N/A |
|
|
IpPort |
<sport> |
<sport> |
|
|
Logon Process |
<object> |
N/A |
|
|
ImpersonationLevel |
N/A |
N/A |
|
|
RestrictedAdminMode |
N/A |
N/A |
|
|
TargetOutboundUserName |
N/A |
N/A |
|
|
TargetOutboundDomainName |
N/A |
N/A |
|
|
VirtualAccount |
N/A |
N/A |
|
|
TargetLinkedLogonId |
N/A |
N/A |
|
|
ElevatedToken |
N/A |
<tag3> |
|
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1000293 |
EVID 4624 : Logon Events |
Base Rule |
Authentication Activity |
Authentication Success |
|
General Authentication Failure |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 4624 : Authentication Success |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 8 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 7 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 11 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 4 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 10 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 3 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 3 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 2 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 2 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 7 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 9 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 4 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 9 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 8 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 11 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 4624 : System Logon Type 10 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 5 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 3 |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 540 : Administrator Logon Type 3 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Administrator Logon Type 3 |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4624 : System Logon Type 3 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 3 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : Anonymous Logon Type 3 |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 3 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : Anonymous Logon Type 3 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 540 : System Logon Type 3 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 540 : User Logon Type 3 |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4624 : User Logon Type 3 |
Sub Rule |
User Logon |
Authentication Success |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1011067 |
V 2.0 : Successful Account Logon Events |
Base Rule |
General Authentication Event |
Other Audit |
|
V 2.0 : EVID 4624 : Elevated Computer Logon Success |
Sub Rule |
Administration Session Started |
Other Audit Success |
|
|
V 2.0 : EVID 4624 : Computer Logon Success |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Elevated User Logon Success |
Sub Rule |
Administration Session Started |
Other Audit Success |
|
|
V 2.0 : EVID 4624 : Interactive User Logon Success |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Elevated Computer Logon Success |
Sub Rule |
Administration Session Started |
Other Audit Success |
|
|
V 2.0 : EVID 4624 : Computer Logon Success |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Elevated User Logon Success |
Sub Rule |
Administration Session Started |
Other Audit Success |
|
|
V 2.0 : EVID 4624 : Interactive User Logon Success |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Network User Logon Success |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Batch User Logon Success |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Service User Logon Success |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Workstation Unlocked |
Sub Rule |
Workstation Unlocked |
Other Audit Success |
|
|
V 2.0 : EVID 4624 : Network Cleartext Usr Logon Succ |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : User New Logon Session Created |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Remote Intractive Usr Logon Succ |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Cached Interactive Usr Logon Succ |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 3 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Administrator Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 10 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 11 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 2 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 3 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 4 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 7 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 8 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 9 |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : Anonymous Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 10 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 11 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 2 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 3 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 4 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 7 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 8 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 9 |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4624 : System Logon Type 5 |
Sub Rule |
Service Logon |
Authentication Success |