Event Details
|
Event Type |
Audit Logon |
|---|---|
|
Event Description |
4648 : A logon was attempted using explicit credentials. |
|
Event ID |
4648 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|
|---|---|---|---|
|
Provider |
N/A |
N/A |
|
|
EventID |
<vmid> |
<vmid> |
|
|
Version |
N/A |
N/A |
|
|
Level |
<severity> |
<severity> |
|
|
Task |
N/A |
<vendorinfo> |
|
|
Opcode |
N/A |
N/A |
|
|
Keywords |
<tag1> |
<result>, <tag1> |
|
|
TimeCreated |
N/A |
N/A |
|
|
EventRecordID |
N/A |
N/A |
|
|
Correlation |
N/A |
N/A |
|
|
Execution |
N/A |
N/A |
|
|
Processid |
N/A |
N/A |
|
|
Channel |
N/A |
N/A |
|
|
Computer |
<dname> |
<dname> |
|
|
InterfaceName |
N/A |
N/A |
|
|
SubjecrUserName |
<login>, <account> |
<login> |
|
|
SubjecttDomainName |
<domain> |
<domainorigin> |
|
|
SubjectSid |
N/A |
N/A |
|
|
LogonGuid |
<session> |
<session> |
|
|
TargetUserName |
N/A |
<account> |
|
|
TargetDomainName |
N/A |
<domainimpacted> |
|
|
TargetLogonGuid |
N/A |
N/A |
|
|
TargetServerName |
<dinterface> |
<dname> |
|
|
TargetInfo |
N/A |
N/A |
|
|
ProcessId |
<processid> |
<processid> |
|
|
ProcessName |
<process> |
<process> |
|
|
IpAddress |
<sip> |
<sip> |
|
|
IpPort |
<sport> |
<sport> |
|
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1004629 |
EVID 4648 : Using Explicit Credentials |
Base Rule |
User Logon |
Audit :Authentication Success |
|
EVID 4648 : Explicit Logon |
Sub Rule |
User Logon |
Authentication Success |
|
|
EVID 4648 : Failed Explicit Logon |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1011070 |
V 2.0 : EVID 4648 : Logon Using Explicit Crdntials |
Base Rule |
User Logon |
Authentication Success |
|
V 2.0 : EVID 4648 : Failed Explicit Logon |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 : EVID 4648 : Failed Explicit Logon |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 : EVID 4648 : Failed Explicit Logon |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 : EVID 4648 : Failed Explicit Logon |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |