MS Windows Event Logging XML – Microsoft-Windows-NTLM/Operational
Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.
Device Details
| Property | Value |
|---|---|
| Vendor | MS Windows Event Logging XML |
| Device Type | Microsoft-Windows-NTLM |
| Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
| Supported Software Version(s) | N/A |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | No |
| Log Source Type | MS Windows Event Logging XML – Microsoft-Windows-NTLM/Operational |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | N/A |
Prerequisites
A configured host. For more information, see Windows Event Log Collection.
Device Configuration Checklist
In Log Message Source Properties, on the Flat File settings tab, set the file path to Hostname: Microsoft-Windows-NTLM/Operational. For more information, see Configure a Host for Local Flat File Collection.
Currently Supported Log Types
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| NTLM Events | N/A | <vendorinfo>, <vmid>, <severity>, <action>, <processid>, <session>, <sname>, <domainorigin>, <login>, <account>, <domainimpacted>, <object>, <process>, <objectname>, <objecttype> |
| Account Management Messages | N/A | <vendorinfo>, <vmid>, <severity>, <action>, <processid>, <session>, <dname>, <domainorigin>, <login>, <account>, <domainimpacted> |
Parsed Metadata Fields
| Product Field Name | LogRhythm Metadata Field |
|---|---|
| ChannelType | <objecttype> |
| Computer | <dname> |
| DomainName | <domainimpacted> |
| EventId | <vmid> |
| ExecutionProcessId | <processid> |
| Level | <severity> |
| ProcessName | <process> |
| ProviderName | <vendorinfo> |
| SChannelName | <objectname> |
| SecureChannelName | <objectname> |
| SubjectDomainName | <domainorigin> |
| SubjectLogonId | <session> |
| SubjectUserName | <login> |
| SUserid | <domainorigin> and <login> |
| TargetDomainName | <domainimpacted> |
| TargetUserName | <account> |
| Task | <action> |
| ThreadId | <session> |
| UserName | <account> |
| Workstation | <object> |
| WorkstationName | <object> |
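The mapping table above can be checked against a raw record by parsing the Windows Event XML and renaming each field the way the table does. The following Python is an added example written for this page; it is not LogRhythm's parser and does not reproduce the Log Processing Policy. The two event records in it are constructed samples (field names follow the table, the event IDs, host and user names are illustrative), and joining `<domainorigin>` and `<login>` as `DOMAIN\user` for SUserid is this example's own choice, since the table only says which two fields feed it. Where `ThreadId` and `SubjectLogonId` both map to `<session>`, the example lets the EventData value win and says so in a comment.

```python
"""Map a Microsoft-Windows-NTLM/Operational record (Windows Event XML) onto the
LogRhythm metadata field names listed in the Parsed Metadata Fields table.
Added example for this page; not LogRhythm code."""
import xml.etree.ElementTree as ET

# Namespace every Windows <Event> element is written in.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# <EventData><Data Name="..."> -> LogRhythm field, taken from the table above.
EVENTDATA_MAP = {
    "ChannelType": "objecttype",
    "DomainName": "domainimpacted",
    "ProcessName": "process",
    "SChannelName": "objectname",
    "SecureChannelName": "objectname",
    "SubjectDomainName": "domainorigin",
    "SubjectLogonId": "session",
    "SubjectUserName": "login",
    "TargetDomainName": "domainimpacted",
    "TargetUserName": "account",
    "UserName": "account",
    "Workstation": "object",
    "WorkstationName": "object",
}

# <System> children that the table maps; Provider/Execution are attribute-based.
SYSTEM_TEXT_MAP = (("EventID", "vmid"), ("Level", "severity"),
                   ("Task", "action"), ("Computer", "dname"))


def parse_ntlm_event(xml_text: str) -> dict:
    """Return {logrhythm_field: value}; unknown Data names go under 'unmapped'."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows Event XML record: <System> missing")
    out = {}

    provider = system.find("e:Provider", NS)
    if provider is not None:                      # ProviderName -> <vendorinfo>
        out["vendorinfo"] = provider.get("Name")
    execution = system.find("e:Execution", NS)
    if execution is not None:                     # ExecutionProcessId, ThreadId
        out["processid"] = execution.get("ProcessID")
        out["session"] = execution.get("ThreadID")
    for tag, field in SYSTEM_TEXT_MAP:
        node = system.find(f"e:{tag}", NS)
        if node is not None and node.text:
            out[field] = node.text.strip()

    unmapped = {}
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for data in event_data.findall("e:Data", NS):
            name = data.get("Name")
            if not name:                          # positional <Data>: nothing to map
                continue
            field = EVENTDATA_MAP.get(name)
            if field is None:
                unmapped[name] = (data.text or "").strip()
            else:
                # EventData wins on a clash, e.g. SubjectLogonId over ThreadId
                # for <session>; that ordering is this example's choice.
                out[field] = (data.text or "").strip()
    if unmapped:
        out["unmapped"] = unmapped

    # SUserid is listed as <domainorigin> and <login>; DOMAIN\user is our format.
    if out.get("domainorigin") and out.get("login"):
        out["suserid"] = f"{out['domainorigin']}\\{out['login']}"
    return out


# Constructed sample: an NTLM audit-style record with server-side fields.
SAMPLE_NTLM_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NTLM"/>
    <EventID>8004</EventID><Level>4</Level><Task>1</Task>
    <Execution ProcessID="672" ThreadID="1234"/>
    <Channel>Microsoft-Windows-NTLM/Operational</Channel>
    <Computer>dc01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SChannelName">DC01</Data>
    <Data Name="UserName">alice</Data>
    <Data Name="DomainName">EXAMPLE</Data>
    <Data Name="WorkstationName">WS07</Data>
    <Data Name="ChannelType">2</Data>
  </EventData>
</Event>"""

# Constructed sample: a Subject*/Target* style record, showing the <session> clash.
SAMPLE_SUBJECT_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NTLM"/>
    <EventID>8001</EventID><Level>4</Level><Task>1</Task>
    <Execution ProcessID="880" ThreadID="99"/>
    <Computer>ws07.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">svc-backup</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
    <Data Name="ExtraField">not in the table</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM_EVENT, SAMPLE_SUBJECT_EVENT):
        for field, value in parse_ntlm_event(sample).items():
            print(f"<{field}> = {value}")
```

Running the script prints each record as `<field> = value` pairs, which is a quick way to confirm that a log collected from a host lands in the fields the Parsed Metadata Fields table promises; the `unmapped` entry is where any Data element outside the table surfaces, so a new field added by a future Windows release is visible rather than silently dropped.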