
V 2.0 : Account Management

Vendor Documentation

Rule Name | Rule Type | Common Event | Classification
--- | --- | --- | ---
V 2.0: Account Management | Base Rule | General Audit Message | Other Audit
V 2.0: EVID 4720: User Account Created | Sub Rule | User Account Created | Account Created
V 2.0: EVID 4722: User Account Enabled | Sub Rule | Account Enabled | Access Granted
V 2.0 : EVID 4723 : Password Changed | Sub Rule | Password Modified | Account Modified
V 2.0 : EVID 4724 : Password Reset | Sub Rule | Password Modified | Account Modified
V 2.0 : EVID 4723 : Password Change Failed | Sub Rule | Failed Password Change Attempt | Other Audit Failure
V 2.0 : EVID 4724 : Password Reset Failed | Sub Rule | Failed Password Change Attempt | Other Audit Failure
V 2.0: EVID 4725: Account Disabled | Sub Rule | Account Disabled | Access Revoked
V 2.0: EVID 4726: User Account Deleted | Sub Rule | User Account Deleted | Account Deleted
V 2.0: EVID 4738: User Account Changed | Sub Rule | User Account Attribute Modified | Account Modified
V 2.0: EVID 4741: Computer Account Created | Sub Rule | Computer Account Created | Account Created
V 2.0: EVID 4742: Computer Account Changed | Sub Rule | Computer Account Attribute Modified | Account Modified
V 2.0: EVID 4743: Computer Account Deleted | Sub Rule | Computer Account Deleted | Account Deleted
V 2.0: EVID 4767: Account Unlocked | Sub Rule | Account Unlocked | Access Granted
V 2.0: EVID 4782: Password Hash Accessed | Sub Rule | Object Accessed | Access Success
V 2.0: EVID 4780: ACL Set on Admin Account | Sub Rule | User Account Attribute Modified | Account Modified

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type | Description
--- | --- | --- | ---
Provider | N/A | N/A | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
EventID | <vmid> | Number | The identifier that the provider used to identify the event.
Version | N/A | N/A | The version number of the event's definition.
Level | <severity> | Text/String | The severity level defined in the event.
Task | <vendorinfo> | Text/String | The task defined in the event. The Task and Opcode attributes are typically used to identify the location in the application from which the event was logged.
Opcode | N/A | N/A | The opcode defined in the event. The Task and Opcode attributes are typically used to identify the location in the application from which the event was logged.
Keywords | <result>, <tag1> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute.
EventRecordID | N/A | N/A | The record number assigned to the event when it was logged.
Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together.
Execution | N/A | N/A | Contains information about the process and thread that logged the event.
Channel | N/A | N/A | The channel to which the event was logged.
Computer | <dname> | Text/String | The name of the computer on which the event occurred.
TargetUserName | <domainimpacted>, <account>, <tag2> | Text/String | The name of the user account that was created.
TargetDomainName | <domainimpacted> | Text/String | The domain name of the created user account. Formats vary and include: the domain NetBIOS name (for example, CONTOSO); the lowercase full domain name (contoso.local); the uppercase full domain name (CONTOSO.LOCAL); for local accounts, the name of the computer to which the new account belongs.
TargetSid | N/A | N/A | The SID of the created user account.
SubjectUserSid | N/A | N/A | The SID of the account that requested the create-user-account operation.
SubjectUserName | <domainorigin>, <login> | Text/String | The name of the account that requested the create-user-account operation.
SubjectDomainName | <domainorigin> | Text/String | The subject's domain or computer name. Formats vary and include: the domain NetBIOS name (for example, CONTOSO); the lowercase full domain name (contoso.local); the uppercase full domain name (CONTOSO.LOCAL); for some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value NT AUTHORITY; for local user accounts, the name of the computer or device to which the account belongs.
SubjectLogonId | <session> | Text/String | A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID.
PrivilegeList | <subject> | Number/Text/String | The list of user privileges that were used during the operation, for example SeBackupPrivilege. This parameter might not be captured in the event, in which case it appears as "-".
SamAccountName | <domainimpacted>, <account>, <tag2> | N/A | The logon name used to support clients and servers from previous versions of Windows (the pre-Windows 2000 logon name). Contains the value of the sAMAccountName attribute of the new user object.
DisplayName | N/A | N/A | The value of the displayName attribute of the new user object. It is the name displayed in the address book for a particular account, usually the combination of the user's first name, middle initial, and last name.
UserPrincipalName | N/A | N/A | The internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. Contains the value of the userPrincipalName attribute of the new user object. For local users this field is not applicable and has the value "-".
HomeDirectory | N/A | N/A | The user's home directory. If the homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path of the form \\Server\Share\Directory. Contains the value of the homeDirectory attribute of the new user object. For new local accounts this field typically has the value <value not set>. You can change this attribute by using Active Directory Users and Computers, or through a script. This parameter might not be captured in the event, in which case it appears as "-".
HomePath | N/A | N/A | Specifies the drive letter to which the UNC path given by the account's homeDirectory attribute is mapped. The drive letter must be specified in the form DRIVE_LETTER:, for example H:. Contains the value of the homeDrive attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script. This parameter might not be captured in the event, in which case it appears as "-". For new local accounts this field typically has the value <value not set>.
ScriptPath | N/A | N/A | Specifies the path of the account's logon script. Contains the value of the scriptPath attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script. This parameter might not be captured in the event, in which case it appears as "-". For new local accounts this field typically has the value <value not set>.
ProfilePath | N/A | N/A | Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. Contains the value of the profilePath attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script. This parameter might not be captured in the event, in which case it appears as "-". For new local accounts this field typically has the value <value not set>.
UserWorkstations | N/A | N/A | Contains the comma-separated list of NetBIOS or DNS names of the computers from which the user can log on. The name of a computer is the sAMAccountName property of its computer object. Contains the value of the userWorkstations attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script. This parameter might not be captured in the event, in which case it appears as "-". For local users this field is not applicable and typically has the value <value not set>.
PasswordLastSet | N/A | N/A | The last time the account's password was modified. For a user account created manually with the Active Directory Users and Computers snap-in, this field typically has the value <never>. Contains the value of the pwdLastSet attribute of the new user object.
AccountExpires | <objectname> | Text/String | The date when the account expires. Contains the value of the accountExpires attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script. This parameter might not be captured in the event, in which case it appears as "-". For manually created local and domain user accounts this field typically has the value <never>.
PrimaryGroupId | <group> | Number/Text/String | The Relative Identifier (RID) of the user object's primary group. For new user accounts the Primary Group field typically has the value 513 (Domain Users; for local accounts this RID means Users) for both domain and local users. See https://support.microsoft.com/kb/243330 for more information. Contains the value of the primaryGroupID attribute of the new user object.
AllowedToDelegateTo | N/A | N/A | The list of SPNs to which this account can present delegated credentials. Can be changed on the Delegation tab of the user account in the Active Directory Users and Computers management console, if the account has at least one SPN registered. Contains the value of the AllowedToDelegateTo attribute of the new user object. For local user accounts this field is not applicable and typically has the value "-". For new domain user accounts it typically has the value "-".
OldUacValue | N/A | N/A | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. The old UAC value is always 0x0 for new user accounts. Contains the previous value of the userAccountControl attribute of the user object.
NewUacValue | <action> | Text/String | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. Contains the value of the userAccountControl attribute of the new user object.
UserAccountControl | <subject> | Text/String | Shows the list of changes to the userAccountControl attribute, one line of text per change. For new user accounts, the userAccountControl value is considered to be 0x0 when the object is created and is then changed from 0x0 to the real value of the account's userAccountControl attribute.
UserParameters | N/A | N/A | If you change any setting on the Dial-in tab of the user's account properties in the Active Directory Users and Computers management console, this field shows <value changed, but not displayed> in 4738: A user account was changed. This parameter might not be captured in the event, in which case it appears as "-". For new local accounts this field typically has the value <value not set>.
SidHistory | N/A | N/A | Contains the previous SIDs used for the object if it was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. Contains the value of the sIDHistory attribute of the new user object. This parameter might not be captured in the event, in which case it appears as "-".
LogonHours | N/A | N/A | The hours during which the account is allowed to log on to the domain. The value of the logonHours attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script. For new manually created user accounts, event 4720 typically shows <value not set>. For new local accounts this field is not applicable and typically has the value All.
DnsHostName | N/A | N/A | The name of the computer account as registered in DNS. The value of the dNSHostName attribute of the new computer object. For manually created computer account objects this field has the value "-".
ServicePrincipalNames | <object> | Text/String | The list of SPNs registered for the computer account. For new computer accounts it typically contains HOST SPNs and RestrictedKrbHost SPNs. The value of the servicePrincipalName attribute of the new computer object. For manually created computer objects it is typically "-".
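As an added example (not code from the LogRhythm documentation), the following Python applies the two tables on this page to a single Security-log record: it chooses the sub rule by EventID and by the Audit Failure bit in Keywords (the distinction between the 4723/4724 "Failed" sub rules and their success counterparts), maps EventData fields onto the schema names listed, and treats "-" as "not captured". The Keywords bit value, the function name `normalise` and the sample record are assumptions, not values taken from the page.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x0010000000000000  # assumed: Keywords bit Windows sets on failure audits

# (Common Event, Classification) per EventID, from the sub-rule table above.
SUCCESS_RULES = {
    4720: ("User Account Created", "Account Created"), 4722: ("Account Enabled", "Access Granted"),
    4723: ("Password Modified", "Account Modified"), 4724: ("Password Modified", "Account Modified"),
    4725: ("Account Disabled", "Access Revoked"), 4726: ("User Account Deleted", "Account Deleted"),
    4738: ("User Account Attribute Modified", "Account Modified"),
    4741: ("Computer Account Created", "Account Created"),
    4742: ("Computer Account Attribute Modified", "Account Modified"),
    4743: ("Computer Account Deleted", "Account Deleted"), 4767: ("Account Unlocked", "Access Granted"),
    4780: ("User Account Attribute Modified", "Account Modified"), 4782: ("Object Accessed", "Access Success"),
}
# 4723/4724 have a second sub rule that applies when the audit result is a failure.
FAILURE_RULES = {evid: ("Failed Password Change Attempt", "Other Audit Failure") for evid in (4723, 4724)}
# EventData name -> LogRhythm schema field, from the mapping table above.
FIELD_MAP = {"TargetUserName": "account", "TargetDomainName": "domainimpacted",
             "SubjectUserName": "login", "SubjectDomainName": "domainorigin", "SubjectLogonId": "session",
             "PrivilegeList": "subject", "NewUacValue": "action", "PrimaryGroupId": "group"}

def normalise(event_xml: str) -> dict:
    """Classify one Security-log record and map its fields onto the schema above."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    evid = int(system.findtext("e:EventID", namespaces=NS))
    keywords = int(system.findtext("e:Keywords", namespaces=NS), 16)
    failed = bool(keywords & AUDIT_FAILURE)
    common_event, classification = (FAILURE_RULES if failed else SUCCESS_RULES).get(evid, (None, "Unmapped"))
    out = {"vmid": evid, "severity": system.findtext("e:Level", namespaces=NS),
           "dname": system.findtext("e:Computer", namespaces=NS),
           "result": "Audit Failure" if failed else "Audit Success",
           "common_event": common_event, "classification": classification}
    for data in root.iterfind("e:EventData/e:Data", NS):
        key = FIELD_MAP.get(data.get("Name"))
        if key:
            value = (data.text or "").strip()
            out[key] = None if value == "-" else value  # "-" means the parameter was not captured
    return out

# Constructed sample 4720 record (not a real capture); all values are illustrative.
SAMPLE_4720 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4720</EventID><Level>0</Level><Keywords>0x8020000000000000</Keywords>
<Computer>dc01.contoso.local</Computer></System>
<EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="SubjectUserName">admin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data><Data Name="PrivilegeList">-</Data>
<Data Name="NewUacValue">0x15</Data><Data Name="PrimaryGroupId">513</Data></EventData></Event>"""
```

Changing the sample's EventID to 4724 and its Keywords to the failure bit selects the "Failed Password Change Attempt" sub rule, which is the check a parser regression test should cover.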
