Event Details
Event Type | Audit Logon |
---|
Event Description | 4648(S) : A logon was attempted using explicit credentials. |
---|
Event ID | 4648 |
---|
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|
Provider | N/A | N/A |
EventID | <vmid> | <vmid> |
Version | N/A | N/A |
Level | <severity> | <severity> |
Task | N/A | <vendorinfo> |
Opcode | N/A | N/A |
Keywords | <tag1> | <result> |
TimeCreated | N/A | N/A |
EventRecordID | N/A | N/A |
Correlation | N/A | N/A |
Execution | N/A | N/A |
Channel | N/A | N/A |
Computer | N/A | N/A |
SubjectUserSid | N/A | N/A |
SubjectUserName | <login> | <login> |
SubjectDomainName | <domain> | <domainorigin> |
SubjectLogonId | <session> | <session> |
LogonGuid | N/A | N/A |
TargetUserName | <account> | <account> |
TargetDomainName | N/A | <domainimpacted> |
TargetLogonGuid | N/A | N/A |
TargetServerName | <dname> | <dname> |
TargetInfo | N/A | N/A |
ProcessId | <processid> | <processid> |
ProcessName | <process> | <process> |
IpAddress | <sip> | <sip> |
IpPort | <sport> | <sport> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|
1007810 | EVID 4648 : Logon Using Explicit Credentials | Base Rule | User Logon | Authentication Success |
EVID 4648 : Explicit Logon | Sub Rule | User Logon | Authentication Success |
EVID 4648 : Failed Explicit Logon | Sub Rule | User Logon Failure | Authentication Failure |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|
1011070 | V 2.0 : EVID 4648 : Logon Using Explicit Credentials | Base Rule | User Logon | Authentication Success |