Breadcrumbs

Domain [7.2] (Domain (Impacted))

The Windows or DNS domain name referenced or impacted by activity reported in the log.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String

Aliases

Use

Alias

Client Console Full Name

Domain (Origin)

Client Console Short Name

Not applicable

Web Console Tab/Name

Domain (Impacted)

Elasticsearch Field Name

domain

Rule Builder Column Name

Domain

Regex Pattern

<domain> or <domainimpacted>

NetMon Name

Not applicable

Field Relationships

  • SIP
  • SIPv4
  • SIPv6
  • SIPv6E
  • Origin Hostname
  • Origin Hostname or IP
  • Origin NAT IP
  • DIP
  • DIPv4
  • DIPv6
  • DIPv6E
  • Impacted Hostname
  • Impacted Hostname or IP
  • Impacted NAT IP


  • Origin Port
  • Origin NAT Port
  • Impacted Port
  • Impacted NAT Port
  • Origin MAC Address
  • Impacted MAC Address
  • Origin Interface
  • Impacted Interface
  • Origin Domain
  • Origin Login
  • Impacted Account
  • IANA Protocol Number
  • IANA Protocol Name

Common Applications

  • WebpProxy

  • Network monitoring

  • Active Directory

  • SSO

Use Case

Correlating user activity across domains.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

Used for capturing an Active Directory Domain name.

Examples

  • Windows Event Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4742</EventID><Version>0</Version><Level>Information</Level><Task>Computer Account Management</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-26T03:09:41.988899400Z'/><EventRecordID>2283625151</EventRecordID><Correlation/><Execution ProcessID='520' ThreadID='1140'/><Channel>Security</Channel><Computer> USABLDRRECFLOW01</Computer><Security/></System><EventData><Data Name='ComputerAccountChange'>-</Data><Data Name='TargetUserName'>USLT0752CROBB$</Data><Data Name='TargetDomainName'>SAFAWARE</Data><Data Name='TargetSid'>SAFAWARE\ USABLDRRECFLOW01$</Data><Data Name='SubjectUserSid'>SAFAWARE\pete.store</Data><Data Name='SubjectUserName'>pete.store</Data><Data Name='SubjectDomainName'>SAFAWARE</Data><Data Name='SubjectLogonId'>0x14af66a2b</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>-</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x80</Data><Data Name='NewUacValue'>0x81</Data><Data Name='UserAccountControl'>

              %%2080</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data><Data Name='DnsHostName'>-</Data><Data Name='ServicePrincipalNames'>-</Data></EventData></Event>

TargetDomainName is the Domain of the impacted user in this Account Management event. In Windows Event Logging, Subject refers to Origin and Target refers to Impacted.