Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.
Device Details

| Vendor | MS Windows Event Logging XML |
|---|---|
| Device Type | Microsoft-Windows-NTLM |
| Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
| Supported Software Version(s) | N/A |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | No |
| Log Source Type | MS Windows Event Logging XML – Microsoft-Windows-NTLM/Operational |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | N/A |
Prerequisites
A configured host. For more information, see .
Device Configuration Checklist
In Log Message Source Properties on the Flat File settings tab, set the file path to: Hostname: Microsoft-Windows-NTLM/Operational. For more information, see .
Currently Supported Log Types

| Type | Product Version | Supported Schema Fields |
|---|---|---|
| NTLM Events | N/A | <vendorinfo>, <vmid>, <severity>, <action>, <processid>, <session>, <sname>, <domainorigin>, <login>, <account>, <domainimpacted>, <object>, <process>, <objectname>, <account>, <domainimpacted>, <object>, <objecttype>, <objectname>, <account>, <domainimpacted>, <object>, <objecttype>, <process>, <account>, <domainimpacted>, <objecttype> |
| Account Management Messages | N/A | <vendorinfo>, <vmid>, <severity>, <action>, <processid>, <session>, <dname>, <domainorigin>, <login>, <account>, <domainimpacted>, <login>, <domainorigin>, <session> |
Parsed Metadata Fields

| Product Field Name | LogRhythm Metadata Field |
|---|---|
| ChannelType | <objecttype> |
| Computer | <dname> |
| DomainName | <domainimpacted> |
| EventId | <vmid> |
| ExecutionProcessId | <processid> |
| Level | <severity> |
| ProcessName | <process> |
| ProviderName | <vendorinfo> |
| SChannelName | <objectname> |
| SecureChannelName | <objectname> |
| SubjectDomainName | <domainorigin> |
| SubjectLogonId | <session> |
| SubjectUserName | <login> |
| SUserid | <domainorigin> and <login> |
| TargetDomainName | <domainimpacted> |
| TargetUserName | <account> |
| Task | <action> |
| ThreadId | <session> |
| UserName | <account> |
| Workstation | <object> |
| WorkstationName | <object> |
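The mapping table above can be checked against a real record by running it over one event from the Microsoft-Windows-NTLM/Operational channel in Windows Event Logging XML form. The following is an added example, not LogRhythm's parser or any code from this page: it flattens the `<System>` and `<EventData>` parts of one event into product field names and then applies the table, splitting `SUserid` (`DOMAIN\user`) into `<domainorigin>` and `<login>` as the table requires. The sample event, its EventID, computer, account and workstation names are all constructed for the example; when two product fields map to the same metadata field (for example `ThreadId` and `SubjectLogonId` both to `<session>`), the example lets the `<EventData>` value win, which is this example's own tie-break, not a rule stated on the page.

```python
"""Map one Microsoft-Windows-NTLM/Operational event (Windows Event Logging XML)
onto the LogRhythm metadata field names from the table on this page.
Added example; the sample event below is constructed, not a real capture."""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by every <Event> element.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Product field name -> LogRhythm metadata field(s), copied from the page's table.
FIELD_MAP = {
    "ChannelType": ("objecttype",),
    "Computer": ("dname",),
    "DomainName": ("domainimpacted",),
    "EventId": ("vmid",),
    "ExecutionProcessId": ("processid",),
    "Level": ("severity",),
    "ProcessName": ("process",),
    "ProviderName": ("vendorinfo",),
    "SChannelName": ("objectname",),
    "SecureChannelName": ("objectname",),
    "SubjectDomainName": ("domainorigin",),
    "SubjectLogonId": ("session",),
    "SubjectUserName": ("login",),
    "SUserid": ("domainorigin", "login"),  # DOMAIN\user is split across both
    "TargetDomainName": ("domainimpacted",),
    "TargetUserName": ("account",),
    "Task": ("action",),
    "ThreadId": ("session",),
    "UserName": ("account",),
    "Workstation": ("object",),
    "WorkstationName": ("object",),
}

# Constructed sample event (EventID, host, user and workstation values are illustrative).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NTLM" />
    <EventID>8004</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Execution ProcessID="616" ThreadID="1234" />
    <Channel>Microsoft-Windows-NTLM/Operational</Channel>
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="DomainName">CORP</Data>
    <Data Name="WorkstationName">WS01</Data>
    <Data Name="ProcessName">svchost.exe</Data>
    <Data Name="SUserid">CORP\alice</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>"""


def extract_product_fields(xml_text):
    """Flatten <System> attributes/elements and every <EventData>/<Data Name=...>
    into a single {product_field_name: value} dict (values kept as strings)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    execution = system.find("e:Execution", NS)
    fields = {
        "ProviderName": system.find("e:Provider", NS).get("Name"),
        "EventId": system.find("e:EventID", NS).text,
        "Level": system.find("e:Level", NS).text,
        "Task": system.find("e:Task", NS).text,
        "Computer": system.find("e:Computer", NS).text,
        "ExecutionProcessId": execution.get("ProcessID"),
        "ThreadId": execution.get("ThreadID"),
    }
    # EventData is inserted after System, so on a shared target it overwrites
    # (this ordering is the example's own choice).
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def to_logrhythm(fields):
    """Apply FIELD_MAP; unknown product fields are dropped."""
    out = {}
    for name, value in fields.items():
        targets = FIELD_MAP.get(name)
        if targets is None:
            continue
        if name == "SUserid":
            # rpartition gives ("", "", value) when no backslash is present,
            # so a bare user name lands in <login> only.
            domain, _, user = value.rpartition("\\")
            if domain:
                out["domainorigin"] = domain
            out["login"] = user
            continue
        for target in targets:
            out[target] = value
    return out


def parse_ntlm_event(xml_text):
    """Full pipeline: Windows event XML -> LogRhythm metadata dict."""
    return to_logrhythm(extract_product_fields(xml_text))


if __name__ == "__main__":
    for field, value in sorted(parse_ntlm_event(SAMPLE_EVENT).items()):
        print(f"<{field}> = {value}")
```

Running the block prints one `<field> = value` line per populated metadata field; a quick way to confirm that a log source's `SUserid` values are actually splitting into `<domainorigin>` and `<login>` rather than landing in one field.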