V 2.0 : Network Policy Server Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Network Policy Server Events | Base Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 6272 : NPS - Access Granted to User | Sub Rule | User Logon | Authentication Success |
| V 2.0 : EVID 6273 : NPS - Access Denied to User | Sub Rule | User Logon Failure | Authentication Failure |
| V 2.0 : EVID 6274 : NPS - Access Request Discarded | Sub Rule | Bad Request | Warning |
| V 2.0 : EVID 6278 : NPS - Full Access Granted to User | Sub Rule | User Logon | Authentication Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Provider | N/A | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | <severity> | String/Number | The severity level defined in the event. |
| Task | <vendorinfo> | String/Number | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | <result> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | N/A | N/A | The name of the computer on which the event occurred. |
| SubjectUserSid | N/A | N/A | N/A |
| SubjectUserName | <login> | Text/String | The user identity, as specified by the user. |
| SubjectDomainName | <domainorigin> | Text/String | N/A |
| FullyQualifiedSubjectUserName | N/A | N/A | The user name in canonical format (this is an IAS-internal attribute). |
| SubjectMachineSID | N/A | N/A | N/A |
| SubjectMachineName | N/A | N/A | N/A |
| FullyQualifiedSubjectMachineName | N/A | N/A | N/A |
| CalledStationID | N/A | N/A | The phone number dialed by the user. |
| CallingStationID | <sip> <smac> | IP Address Text/String | The phone number from which the call originated. |
| NASIPv4Address | N/A | N/A | The IP address of the network access server originating the request. |
| NASIPv6Address | N/A | N/A | The IP address of the network access server originating the request. |
| NASIdentifier | N/A | N/A | The text that identifies the network access server originating the request. |
| NASPortType | <object> | Text/String | The type of physical port that is used by the network access server originating the request. |
| NASPort | N/A | Number | The physical port number of the network access server originating the request. |
| ClientName | <dname> | Text/String | The friendly name for the RADIUS client (this is an IAS-internal attribute). |
| ClientIPAddress | <dip> | IP Address | The IP address of the RADIUS client (this is an IAS-internal attribute). |
| ProxyPolicyName | <policy> | Text/String | The name of the connection request policy that matched the connection request. |
| NetworkPolicyName | <policy> | Text/String | The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank. |
| AuthenticationProvider | N/A | N/A | A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for Provider-Type value of 2. |
| AuthenticationServer | N/A | N/A | N/A |
| AuthenticationType | N/A | N/A | The authentication scheme, which is used to verify the user. |
| EAPType | N/A | N/A | The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is Microsoft Secured Password (EAP-MSCHAPv2). |
| AccountSessionIdentifier | N/A | N/A | The unique numeric string that identifies the server session. |
| ReasonCode | <responsecode> | Number | N/A |
| Reason | <reason> | Text/String | N/A |
| LoggingResult | <subject> | Text/String | N/A |
| QuarantineState | <status> | Text/String | N/A |
| ExtendedQuarantineState | N/A | N/A | N/A |
| QuarantineSessionID | <session> | Text/String | N/A |
| QuarantineHelpURL | <url> | Text/String | N/A |
| QuarantineSystemHealthResult | <subject> | Text/String | N/A |