V 2.0 : Authentication Success Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Authentication Success Events | Base Rule | General Authentication Event | Other Audit |
V 2.0 : User Logon Success | Sub Rule | User Logon | Authentication Success |
V 2.0 : User Account LogOff | Sub Rule | User Logoff | Authentication Success |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | Vendor or manufacturer name. |
N/A | N/A | N/A | Product name. |
N/A | N/A | N/A | Product version. |
N/A | N/A | N/A | EventID. |
auditrowid | N/A | N/A | The row ID from the database table. |
creationtime | N/A | N/A | The UTC timestamp of the sign-on attempt. |
details | <login>, <session>, <sessiontype>, <sip> | String, Number, String, IP Address | Contains a description of the sign-on attempt. A successful sign-on shows the user, session ID, and IP address. A failed sign-on contains a reason for the failed attempt. |
lastmodifiedby | N/A | N/A | Not used for this audit source. |
moduser | N/A | N/A | Details of the user who initiated the sign-on attempt. |
modpersona | N/A | N/A | Not used for this audit source. |
modificationtime | N/A | N/A | The UTC timestamp of the sign-on attempt. |
modifieruserid | N/A | N/A | The unique ID of the user who initiated the sign-on attempt. If the ID is 0, this is a system-generated event; see the details column for more information. |
objectid | N/A | N/A | The ID of the user who initiated the sign-on attempt. If the ID is 0, the user does not exist; see the details column for more information. |
type | N/A | N/A | The type of the sign-on event that generated the entry. Values include: 0 - New session created; 1 - Unused; 2 - User signed out; 3 - Failed authentication. |
audittype | <vendorinfo> | Text/String | The type of audit entry. |
objecttypename | N/A | N/A | The type of audit entry. |
typename | <tag1> | Text/String | The type of the sign-on event that generated the entry. Values include: |
objectname | N/A | N/A | Not used for this audit source. |