| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| | Device Vendor | Product vendor. | Usergate |
| | Device Product | Product type. | NGFW |
| | Device Version | Product version. | 7 |
| | Source | Log name. | endpoint_log |
| | Name | Source type. | log |
| | Threat Level | Threat level. | Available values: from 1 to 10 (the set threat level multiplied by 2). |
| CEF extension | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1701085036026 |
| | deviceExternalId | The unique name of the device that generated the event. | |
| | suser | The username. | user1.dep.local |
| | msg | The event description in the AD log. | Group membership information Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-3795870133-5220325-2125745684-1103 Account Name: user1 Account Domain: DEP Logon ID: 0xA57A446 Event in sequence: 1 of 1 Group Membership: %{S-1-5-21-3795870133-5220325-2125745684-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-3795870133-5220325-2125745684-512} %{S-1-5-21-3795870133-5220325-2125745684-572} %{S-1-5-64-10} %{S-1-16-12288} The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. |
| | cn1Label | Indicates the event code in the AD log. | logEventCode |
| | cn1 | Event code. | 4627 |
| | cn2Label | Indicates the event ID in the AD log. | logEventId |
| | cn2 | Event ID. | 4627 |
| | cn3Label | Indicates the event type in the Windows log (System\Security\Application, etc.). | logEventType |
| | cn3 | Windows log event type. | 4 |
| | cs1Label | Indicates the ID of the endpoint that is the source of the event. | endpointId |
| | cs1 | The endpoint device ID. | 16535060-5a1a-4e92-8331-239406ec34da |
| | cs2Label | Indicates the name of the endpoint that is the source of the event (UserGate client, WMI sensor, etc.). | endpointName |
| | cs2 | Endpoint device name. | dep.local |
| | cs3Label | Indicates the severity of the event in the AD log. | logLevel |
| | cs3 | Event severity level. | Audit Success |
| | cs4Label | Indicates the event category code (12554 Group Membership, 12544 Logon, 14337 Kerberos Service Ticket Operations, etc.). | logCategoryString |
| | cs4 | The event's category. | Group Membership |
| | cs5Label | Indicates the Windows log file. | logFile |
| | cs5 | Windows log file. | Security |
| | cs6Label | Indicates the source of the AD log. | sourceName |
| | cs6 | The source of the AD log. | Microsoft-Windows-Security-Auditing |
| | flexString1Label | Indicates the content of the event in the AD log. | insertionString |
| | flexString1 | Parameters of the AD log event after message parsing. | ['S-1-0-0', '-', '-', '0x0', 'S-1-5-21-3795870133-5220325-2125745684-1103', 'user1', 'DEP', '0x7a25a21', '3', '1', '1', '\ \ \\t\\t% {S-1-5-21-3795870133-5220325-2125745684-513}\ \ \\t\\t%{S-1-1-0}\ \ \\t\\t%{S-1-5-32-544}\ \ \\t\\t%{S-1-5-32-555}\ \ \\t\\t%{S-1-5-32-545}\ \ \\t\\t%{S-1-5-32-554}\ \ \\t\\t%{S-1-5-2}\ \ \\t\\t%{S-1-5-11} \ \ \\t\\t%{S-1-5-15}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-512}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-572}\ \ \\t\\t%{S-1-5-64-10}\ \ \\t\\t%{S-1-16-12288}'] |