Domain [7.2] (Domain (Impacted))
The Windows or DNS domain name referenced or impacted by activity reported in the log.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String
Aliases
| Use | Alias |
|---|---|
Client Console Full Name | Domain (Origin) |
Client Console Short Name | Not applicable |
Web Console Tab/Name | Domain (Impacted) |
Elasticsearch Field Name | domain |
Rule Builder Column Name | Domain |
Regex Pattern | <domain> or <domainimpacted> |
NetMon Name | Not applicable |
Field Relationships
- SIP
- SIPv4
- SIPv6
- SIPv6E
- Origin Hostname
- Origin Hostname or IP
- Origin NAT IP
- DIP
- DIPv4
- DIPv6
- DIPv6E
- Impacted Hostname
- Impacted Hostname or IP
- Impacted NAT IP
- Origin Port
- Origin NAT Port
- Impacted Port
- Impacted NAT Port
- Origin MAC Address
- Impacted MAC Address
- Origin Interface
- Impacted Interface
- Origin Domain
- Origin Login
- Impacted Account
- IANA Protocol Number
- IANA Protocol Name
Common Applications
- WebpProxy
- Network monitoring
- Active Directory
- SSO
Use Case
Correlating user activity across domains.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
Used for capturing an Active Directory Domain name.
Examples
- Windows Event Log
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4742</EventID><Version>0</Version><Level>Information</Level><Task>Computer Account Management</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-26T03:09:41.988899400Z'/><EventRecordID>2283625151</EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='1140'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='ComputerAccountChange'>-</Data><Data Name='TargetUserName'>USLT0752CROBB$</Data><Data Name='TargetDomainName'>SAFAWARE</Data><Data Name='TargetSid'>SAFAWARE\ USABLDRRECFLOW01$</Data><Data Name='SubjectUserSid'>SAFAWARE\pete.store</Data><Data Name='SubjectUserName'>pete.store</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x14af66a2b</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>-</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x80</Data><Data Name='NewUacValue'>0x81</Data><Data Name='UserAccountControl'>
%%2080</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data><Data Name='DnsHostName'>-</Data><Data Name='ServicePrincipalNames'>-</Data></EventData></Event>
TargetDomainName is the Domain of the impacted user in this Account Management event. In Windows Event Logging, Subject refers to Origin and Target refers to Impacted.