V 2.0 : Account Management
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0: Account Management | Base Rule | General Audit Message | Other Audit |
V 2.0: EVID 4720: User Account Created | Sub Rule | User Account Created | Account Created |
V 2.0: EVID 4722: User Account Enabled | Sub Rule | Account Enabled | Access Granted |
V 2.0: EVID 4723: Password Changed | Sub Rule | Password Modified | Account Modified |
V 2.0: EVID 4724: Password Reset | Sub Rule | Password Modified | Account Modified |
V 2.0: EVID 4723: Password Change Failed | Sub Rule | Password Change Attempted | Other Audit Failure |
V 2.0: EVID 4724: Password Reset Failed | Sub Rule | Password Change Attempted | Other Audit Failure |
V 2.0: EVID 4725: Account Disabled | Sub Rule | Account Disabled | Access Revoked |
V 2.0: EVID 4726: User Account Deleted | Sub Rule | User Account Deleted | Account Deleted |
V 2.0: EVID 4738: User Account Changed | Sub Rule | User Account Attribute Modified | Account Modified |
V 2.0: EVID 4741: Computer Account Created | Sub Rule | Computer Account Created | Account Created |
V 2.0: EVID 4742: Computer Account Changed | Sub Rule | Computer Account Attribute Modified | Account Modified |
V 2.0: EVID 4743: Computer Account Deleted | Sub Rule | Computer Account Deleted | Account Deleted |
V 2.0: EVID 4767: Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
V 2.0: EVID 4782: Password Hash Accessed | Sub Rule | Object Accessed | Access Success |
V 2.0: EVID 4780: ACL Set on Admin Account | Sub Rule | User Account Attribute Modified | Account Modified |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Description |
---|---|---|---|
Provider | N/A | N/A | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
Version | N/A | N/A | The version number of the event's definition. |
Level | <severity> | Text/String | The severity level defined in the event. |
Task | <vendorinfo> | Text/String | The task defined in the event. Task and Opcode attributes are typically used to identify the location in the application from where the event was logged. |
Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode attributes are typically used to identify the location in the application from where the event was logged. |
Keywords | <result> <tag1> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
Channel | N/A | N/A | The channel to which the event was logged. |
Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
TargetUserName | <domainimpacted> <account> <tag2> | Text/String | The name of the user account that was created. |
TargetDomainName | <domainimpacted> | Text/String | The domain name of the created user account. Formats vary, and include the following: |
TargetSid | N/A | N/A | The SID of the created user account. |
SubjectUserSid | N/A | N/A | The SID of the account that requested the create user account operation. |
SubjectUserName | <domainorigin> <login> | Text/String | The name of the account that requested the create user account operation. |
SubjectDomainName | <domainorigin> | Text/String | The subject’s domain or computer name. Formats vary, and include the following: |
SubjectLogonId | <session> | Text/String | A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
PrivilegeList | <subject> | Number/Text/String | The list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. |
SamAccountName | <domainimpacted> <account> <tag2> | N/A | The logon name for the account, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of the sAMAccountName attribute of the new user object. |
DisplayName | N/A | N/A | The value of the displayName attribute of the new user object. It is the name displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. |
UserPrincipalName | N/A | N/A | The internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of the userPrincipalName attribute of the new user object. For local users this field is not applicable and has the value “-”. |
HomeDirectory | N/A | N/A | The user's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \\Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new user object. For new local accounts this field typically has value <value not set>. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as "-". |
HomePath | N/A | N/A | Specifies the drive letter to which to map the UNC path specified by homeDirectory account’s attribute. The drive letter must be specified in the form DRIVE_LETTER:. For example – H:. This parameter contains the value of homeDrive attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value <value not set>. |
ScriptPath | N/A | N/A | Specifies the path of the account’s logon script. This parameter contains the value of scriptPath attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value <value not set>. |
ProfilePath | N/A | N/A | Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value <value not set>. |
UserWorkstations | N/A | N/A | Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a user object. This parameter contains the value of userWorkstations attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For local users this field is not applicable and typically has value <value not set>. |
PasswordLastSet | N/A | N/A | The last time the account’s password was modified. For a user account created manually with the Active Directory Users and Computers snap-in, this field typically has the value <never>. This parameter contains the value of the pwdLastSet attribute of the new user object. |
AccountExpires | <objectname> | Text/String | The date when the account expires. This parameter contains the value of the accountExpires attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For manually created local and domain user accounts this field typically has the value <never>. |
PrimaryGroupId | <group> | Number/Text/String | Relative Identifier (RID) of the user object’s primary group. Typically, the Primary Group field for new user accounts has the value 513 (Domain Users; for local accounts this RID means Users) for both domain and local users. See https://support.microsoft.com/kb/243330 for more information. This parameter contains the value of the primaryGroupID attribute of the new user object. |
AllowedToDelegateTo | N/A | N/A | The list of SPNs to which this account can present delegated credentials. Can be changed using the Active Directory Users and Computers management console in the Delegation tab of the user account, if this account has at least one SPN registered. This parameter contains the value of the AllowedToDelegateTo attribute of the new user object. For local user accounts this field is not applicable and typically has the value “-”. For new domain user accounts it typically has the value “-”. |
OldUacValue | N/A | N/A | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. The old UAC value is always 0x0 for new user accounts. This parameter contains the previous value of the userAccountControl attribute of the user object. |
NewUacValue | <action> | Text/String | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the value of userAccountControl attribute of new user object. |
UserAccountControl | <subject> | Text/String | Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. For new user accounts, when the object for this account was created, the userAccountControl value was considered to be 0x0, and then it was changed from 0x0 to the real value for the account's userAccountControl attribute. |
UserParameters | N/A | N/A | If you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see <value changed, but not displayed> in this field in 4738: A user account was changed. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value <value not set>. |
SidHistory | N/A | N/A | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the value of sIDHistory attribute of new user object. This parameter might not be captured in the event, and in that case appears as “-”. |
LogonHours | N/A | N/A | The hours during which the account is allowed to log on to the domain. The value of the logonHours attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will typically see the value <value not set> for new manually created user accounts in event 4720. For new local accounts this field is not applicable and typically has the value All. |
DnsHostName | N/A | N/A | The name of the computer account as registered in DNS. The value of the dNSHostName attribute of the new computer object. For manually created computer account objects this field has the value “-”. |
ServicePrincipalNames | <object> | Text/String | The list of SPNs registered for the computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of the servicePrincipalName attribute of the new computer object. For manually created computer objects it typically equals “-”. |
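To make the two tables concrete, here is an added example (not LogRhythm's own parsing code) that classifies a Windows account-management event by EventID and fills the LogRhythm schema fields as the mapping table lists them. The sample 4720 event is constructed, and treating the Keywords value as the rendered "Audit Success"/"Audit Failure" text is an assumption.

```python
# Added example, not LogRhythm's parser: apply the two tables above to a Windows Security
# event given as a dict of System/EventData keys (Keywords holds the rendered audit text).
SUCCESS = {  # EventID -> (Common Event, Classification) for successful operations
    4720: ("User Account Created", "Account Created"),
    4722: ("Account Enabled", "Access Granted"),
    4723: ("Password Modified", "Account Modified"),
    4724: ("Password Modified", "Account Modified"),
    4725: ("Account Disabled", "Access Revoked"),
    4726: ("User Account Deleted", "Account Deleted"),
    4738: ("User Account Attribute Modified", "Account Modified"),
    4741: ("Computer Account Created", "Account Created"),
    4742: ("Computer Account Attribute Modified", "Account Modified"),
    4743: ("Computer Account Deleted", "Account Deleted"),
    4767: ("Account Unlocked", "Access Granted"),
    4780: ("User Account Attribute Modified", "Account Modified"),
    4782: ("Object Accessed", "Access Success"),
}
# Only 4723/4724 carry a "Failed" sub-rule in the classification table.
FAILURE = {k: ("Password Change Attempted", "Other Audit Failure") for k in (4723, 4724)}
# Device key -> LogRhythm field(s) per the mapping table (UserAccountControl, also <subject>, omitted).
FIELD_MAP = {
    "EventID": ("vmid",), "Level": ("severity",), "Task": ("vendorinfo",),
    "Keywords": ("result", "tag1"), "Computer": ("dname",), "SubjectLogonId": ("session",),
    "TargetUserName": ("account", "tag2"), "TargetDomainName": ("domainimpacted",),
    "SubjectUserName": ("login",), "SubjectDomainName": ("domainorigin",),
    "PrivilegeList": ("subject",), "AccountExpires": ("objectname",), "PrimaryGroupId": ("group",),
}

def classify(event):
    """Return (Common Event, Classification), or None when no sub-rule matches."""
    eid = int(event["EventID"])
    if "Audit Failure" in event.get("Keywords", ""):
        return FAILURE.get(eid)  # e.g. a failed 4720 matches no sub-rule in the table
    return SUCCESS.get(eid)

def map_event(event):
    """Fill LogRhythm fields; "-" means "not captured" in the table and is skipped."""
    out = {}
    for key, value in event.items():
        if value != "-":
            for field in FIELD_MAP.get(key, ()):
                out[field] = value
    out["common_event"], out["classification"] = classify(event) or (None, None)
    return out

SAMPLE_4720 = {  # constructed event, not captured from a real host
    "EventID": "4720", "Level": "0", "Task": "13824", "Keywords": "Audit Success",
    "Computer": "dc01.example.local", "TargetUserName": "jdoe", "TargetDomainName": "EXAMPLE",
    "SubjectUserName": "admin", "SubjectDomainName": "EXAMPLE", "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-", "AccountExpires": "<never>", "PrimaryGroupId": "513",
}
```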