V 2.0 : User Logon Failure

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : User Logon Failure | Base Rule | User Logon Failure | Authentication Failure |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Vendor or manufacturer name. |
| N/A | N/A | N/A | Product name. |
| N/A | N/A | N/A | Product version. |
| N/A | N/A | N/A | EventID. |
| auditrowid | N/A | N/A | The row ID from the database table. |
| creationtime | N/A | N/A | The UTC timestamp of the sign-on attempt. |
| details | <reason>, <login>, <sip> | Text/String, Text/String, IP Address | Contains a description of the sign-on attempt. A successful sign-on shows the user, session ID, and IP address. A failed sign-on contains a reason for the failed attempt. |
| lastmodifiedby | N/A | N/A | Not used for this audit source. |
| moduser | N/A | N/A | Details of the user who initiated the sign-on attempt. |
| modpersona | N/A | N/A | Not used for this audit source. |
| modificationtime | N/A | N/A | The UTC timestamp of the sign-on attempt. |
| modifieruserid | N/A | N/A | The unique ID of the user who initiated the sign-on attempt. If the ID is 0, this is a system-generated event; see the details column for more information. |
| objectid | N/A | N/A | The ID of the user who initiated the sign-on attempt. If the ID is 0, the user does not exist; see the details column for more information. |
| type | N/A | N/A | The type of the sign-on event that generated the entry. Values include: 0 - New session created; 1 - Unused; 2 - User signed out; 3 - Failed authentication. |
| audittype | <vendorinfo> | Text/String | The type of audit entry. |
| objecttypename | N/A | N/A | The type of audit entry. |
| typename | N/A | N/A | The type of the sign-on event that generated the entry. Values include: CreateObject - New session created; DeleteObject - User logged out; FailedCreateObject - Failed authentication. |
| objectname | N/A | N/A | Not used for this audit source. |