
Login > User (Origin)

The host IP that was affected by the activity (for example, target or server). Destination IP in IPv4 or IPv6 format.

Data Type

String

Aliases

UseAlias

Client Console Full Name

User (Origin)

Client Console Short Name

Not applicable

Web Console Tab/Name

User (Origin)

Elasticsearch Field Name

login

Rule Builder Column Name

Login

Regex Pattern

<login>

NetMon Name

Not applicable

Field Relationships

  • SIP
  • SIPv4
  • SIPv6
  • SIPv6E
  • Origin Hostname
  • Origin Hostname or IP
  • Origin NAT IP
  • DIP
  • DIPv4
  • DIPv6
  • DIPv6E
  • Impacted Hostname
  • Impacted Hostname or IP
  • Impacted NAT IP
  • Origin Port
  • Origin NAT Port
  • Impacted Port
  • Impacted NAT Port
  • Origin MAC Address
  • Impacted MAC Address
  • Origin Interface
  • Impacted Interface
  • Origin Domain
  • Impacted Domain
  • Impacted Account
  • IANA Protocol Number
  • IANA Protocol Name

Common Applications

Any applications, systems or devices that utilize accounts.

Use Case

Correlating or monitoring user activity.

MPE/Data Masking Manipulations

Mapped to User Identity (Origin)

Usage Standards

  • Use to indicate the user or system account that is altering another account or logging in to a system.
  • Use for User Accounts and System Accounts.

Examples

  • Windows Event Log

<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4738</EventID><Version>0</Version><Level>Information</Level><Task>User Account Management</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2014-02-26T13:18:11.277015700Z'/><EventRecordID>1635656743</EventRecordID><Correlation/><Execution ProcessID='524' ThreadID='4900'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData>A user account was changed.

Subject:

       Security ID:        Safaware\pete.store

       Account Name:       pete.store

       Account Domain:            safaware

       Logon ID:           0x7b1adb067

Target Account:

       Security ID:        S-1-5-21-2222222-22222222-22222-90119

       Account Name:       dave.store

       Account Domain:            safaware

Changed Attributes:

       SAM Account Name:   -

       Display Name:       -

       User Principal Name:       -

       Home Directory:            -

       Home Drive:         -

       Script Path:        -

       Profile Path:       -

       User Workstations:  -

       Password Last Set:  -

       Account Expires:           -

       Primary Group ID:   -

       AllowedToDelegateTo:       -

       Old UAC Value:             0x15

       New UAC Value:             0x211

       User Account Control:     

              'Password Not Required' - Disabled

              'Don't Expire Password' - Enabled

       User Parameters:    -

       SID History:        -

       Logon Hours:        -

Additional Information:

       Privileges:         -</EventData></Event>

Subject in Windows indicates Origin. In this log, the Subject Account (Origin) is modifying the Target Account (Impacted).

  • Cisco Clean Access Appliance

03 28 2010 14:55:50 1.1.1.1 <USER:INFO> Perfigo: Authentication:[00:00:00:00:00:00 ## 1.1.1.1] escribne - Successfully logged in, Provider: conncoll, L2 MAC address: 00:00:00:00:00:00, Role: Students, OS: Macintosh OSX

User logon event. Listed user is the client (origin) connecting to a server (impacted) (client-server).
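
The origin/impacted split in the two sample logs above, as an added Python example (not LogRhythm's own parsing rules). The group name login is the tag from this page; the other group names (origin_domain, impacted_account, origin_mac, sip), the function name and the alters_other_account flag are assumptions made for illustration, and Python writes named groups as (?P<name>...).

```python
import re

# Constructed excerpts of the two sample logs above, trimmed to the identity fields.
WINDOWS_4738 = (
    "<EventID>4738</EventID><EventData>A user account was changed.\n"
    "Subject:\n"
    "       Security ID:        Safaware\\pete.store\n"
    "       Account Name:       pete.store\n"
    "       Account Domain:            safaware\n"
    "       Logon ID:           0x7b1adb067\n"
    "Target Account:\n"
    "       Security ID:        S-1-5-21-2222222-22222222-22222-90119\n"
    "       Account Name:       dave.store\n"
    "       Account Domain:            safaware\n"
)
CISCO_CCA = (
    "03 28 2010 14:55:50 1.1.1.1 <USER:INFO> Perfigo: Authentication:"
    "[00:00:00:00:00:00 ## 1.1.1.1] escribne - Successfully logged in, "
    "Provider: conncoll, L2 MAC address: 00:00:00:00:00:00, Role: Students, "
    "OS: Macintosh OSX"
)

# Group names other than "login" are assumptions made for this example.
# Subject block -> origin (login); Target Account block -> impacted account.
WIN_RE = re.compile(
    r"Subject:\s+Security ID:[^\r\n]+\s+Account Name:[ \t]+(?P<login>[^\r\n]+)"
    r"\s+Account Domain:[ \t]+(?P<origin_domain>[^\r\n]+)"
    r".*?Target Account:\s+Security ID:[^\r\n]+\s+"
    r"Account Name:[ \t]+(?P<impacted_account>[^\r\n]+)",
    re.DOTALL,
)
# The user named in the authentication message is the connecting client (origin).
CCA_RE = re.compile(
    r"Authentication:\[(?P<origin_mac>[0-9A-Fa-f:]{17}) ## (?P<sip>[^\]\s]+)\]\s+"
    r"(?P<login>\S+) - Successfully logged in"
)

def extract_identity(raw):
    """Return the parsed identity fields for one raw log, or None if unparsed."""
    for source, pattern in (("windows_4738", WIN_RE), ("cisco_cca", CCA_RE)):
        match = pattern.search(raw)
        if match:
            fields = {k: v.strip() for k, v in match.groupdict().items()}
            fields["log_source"] = source
            # True when the acting account differs from the account it changed.
            target = fields.get("impacted_account")
            fields["alters_other_account"] = (
                target is not None and target.lower() != fields["login"].lower()
            )
            return fields
    return None
```

The patterns tolerate blank lines between fields, so they also match the Windows sample as it is laid out on this page.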
