| Field name | Description | Example value |
|---|---|---|
| timestamp | Time when the event was received by UserGate, in UTC. Format: yyyy-mm-ddThh:mm:ss[.ffffff]Z (ISO 8601; fractional seconds may be present). | 2022-05-12T08:11:46.15869Z |
| node_name | Name that uniquely identifies the UserGate device generating this event. | |
| endpoint_id | ID of the endpoint that is the source of the event. | 16535060-5a1a-4e92-8331-239406ec34da |
| endpoint_name | Name of the endpoint that is the source of the event. | dep.local |
| user_name | The "User" field from the AD log. | user1.dep.local |
| log_level | The "Keywords" field from the AD log (for Security log events: Audit Success or Audit Failure). | Audit Success |
| log_category_string | The task category of the event in the AD log, as a string (the "Task Category" field). | Group Membership |
| log_file | Windows event log (channel) the event was read from. | Security |
| source_name | The "Source" (provider) field from the AD log. | Microsoft-Windows-Security-Auditing |
| data | Rendered event description from the AD log. Tab characters of the original message are shown as \t. | Group membership information. Subject: \tSecurity ID:\t\tS-1-0-0 \tAccount Name:\t\t- \tAccount Domain:\t\t- \tLogon ID:\t\t0x0 Logon Type:\t\t\t3 New Logon: \tSecurity ID:\t\tS-1-5-21-3795870133-5220325-2125745684-1103 \tAccount Name:\t\tuser1 \tAccount Domain:\t\tDEP \tLogon ID:\t\t0x7A25A21 Event in sequence:\t\t1 of 1 Group Membership:\t\t\t \t\t%{S-1-5-21-3795870133-5220325-2125745684-513} \t\t%{S-1-1-0} \t\t%{S-1-5-32-544} \t\t%{S-1-5-32-555} \t\t%{S-1-5-32-545} \t\t%{S-1-5-32-554} \t\t%{S-1-5-2} \t\t%{S-1-5-11} \t\t%{S-1-5-15} \t\t%{S-1-5-21-3795870133-5220325-2125745684-512} \t\t%{S-1-5-21-3795870133-5220325-2125745684-572} \t\t%{S-1-5-64-10} \t\t%{S-1-16-12288} The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. |
| computer_name | Windows host from the AD log on which the event was recorded. | DC1.dep.local |
| insertion_string | Parameters (insertion strings) of the AD log event after message parsing, in the order in which they appear in the event message. For event 4627 the last element holds the list of group SIDs, one per line, each wrapped as %{SID}. | ['S-1-0-0', '-', '-', '0x0', 'S-1-5-21-3795870133-5220325-2125745684-1103', 'user1', 'DEP', '0x7a25a21', '3', '1', '1', '\n\t\t%{S-1-5-21-3795870133-5220325-2125745684-513}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-555}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-3795870133-5220325-2125745684-512}\n\t\t%{S-1-5-21-3795870133-5220325-2125745684-572}\n\t\t%{S-1-5-64-10}\n\t\t%{S-1-16-12288}'] |
| error | Error code returned while receiving data from the AD log (0 means no error). | 0 |
| status | Error description for the error that occurred while receiving data from the AD log; empty when error is 0. | |
| counter_id | Counter ID of the WMI sensor that collected the event. | login_logout |
| log_event_code | The "Event code" field from the AD log. | 4627 |
| log_event_id | The "Event ID" field from the AD log. | 4627 |
| log_event_type | Windows event type code as reported by WMI (Win32_NTLogEvent.EventType): 1 = Error, 2 = Warning, 3 = Information, 4 = Security audit success, 5 = Security audit failure. The value 4 in the example matches the Audit Success keyword in log_level. | 4 |
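The positional layout of insertion_string is what makes these records useful for detection: the group SIDs a user receives at logon can be read directly without parsing the free-text data field. The following Python is an added example, not UserGate product code or part of the UserGate documentation. It builds a sample record from the example column above (labelled as constructed), maps the insertion-string positions to the fields of event 4627 in the order shown in the data column (Subject, New Logon, Logon Type, Event in sequence, Group Membership), resolves well-known and domain RIDs to names using Microsoft's documented SID list, merges multi-part "Event in sequence: n of N" records on Logon ID, and raises an alert when the logon session holds BUILTIN\Administrators or Domain/Enterprise/Schema Admins membership. The index constants, group names and alert shape are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample record in the schema documented above (values copied from the
# "Example value" column; only the fields this parser uses are included).
SAMPLE_EVENT = {
    "timestamp": "2022-05-12T08:11:46.15869Z",
    "computer_name": "DC1.dep.local",
    "log_file": "Security",
    "log_event_id": 4627,
    "log_event_type": 4,  # 4 = security audit success
    "counter_id": "login_logout",
    "insertion_string": [
        "S-1-0-0", "-", "-", "0x0",                                   # Subject
        "S-1-5-21-3795870133-5220325-2125745684-1103", "user1", "DEP", "0x7a25a21",  # New Logon
        "3",                                                          # Logon Type
        "1", "1",                                                     # Event in sequence: 1 of 1
        "\n\t\t%{S-1-5-21-3795870133-5220325-2125745684-513}"         # Group Membership
        "\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-555}"
        "\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-2}"
        "\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}"
        "\n\t\t%{S-1-5-21-3795870133-5220325-2125745684-512}"
        "\n\t\t%{S-1-5-21-3795870133-5220325-2125745684-572}"
        "\n\t\t%{S-1-5-64-10}\n\t\t%{S-1-16-12288}",
    ],
}

# Positions in insertion_string for event 4627 (assumed from the field order of the
# rendered message; these names are this example's own).
IDX_TARGET_NAME, IDX_TARGET_DOMAIN, IDX_TARGET_LOGON_ID = 5, 6, 7
IDX_LOGON_TYPE, IDX_SEQ_NO, IDX_SEQ_TOTAL, IDX_GROUPS = 8, 9, 10, 11

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-15": "NT AUTHORITY\\This Organization",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-64-10": "NT AUTHORITY\\NTLM Authentication",
    "S-1-16-12288": "Mandatory Label\\High Mandatory Level",
}
# Domain-relative RIDs: the same RID means the same group in every domain.
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 518: "Schema Admins",
               519: "Enterprise Admins", 572: "Denied RODC Password Replication Group"}
PRIVILEGED = {"BUILTIN\\Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

_GROUP_RE = re.compile(r"%\{(S-1-[\d-]+)\}")
_DOMAIN_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


@dataclass
class GroupMembership:
    logon_id: int            # normalised to int: data shows 0x7A25A21, insertion_string 0x7a25a21
    account: str             # DOMAIN\user of the New Logon, not the Subject
    logon_type: int
    sequence: tuple          # (n, total) from "Event in sequence: n of total"
    sids: list = field(default_factory=list)


def resolve_sid(sid: str) -> str:
    """Map a SID to a group name; unknown SIDs are returned unchanged."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = _DOMAIN_RE.match(sid)
    if m and int(m.group(1)) in DOMAIN_RIDS:
        return DOMAIN_RIDS[int(m.group(1))]
    return sid


def parse_4627(event: dict) -> GroupMembership:
    """Extract the New Logon account, Logon ID, sequence position and group SIDs."""
    if int(event["log_event_id"]) != 4627:
        raise ValueError("not a 4627 Group Membership event")
    p = event["insertion_string"]
    return GroupMembership(
        logon_id=int(p[IDX_TARGET_LOGON_ID], 16),
        account=f"{p[IDX_TARGET_DOMAIN]}\\{p[IDX_TARGET_NAME]}",
        logon_type=int(p[IDX_LOGON_TYPE]),
        sequence=(int(p[IDX_SEQ_NO]), int(p[IDX_SEQ_TOTAL])),
        sids=_GROUP_RE.findall(p[IDX_GROUPS]),
    )


def merge_sequence(events: list) -> dict:
    """Join multi-part 4627 events by Logon ID; sessions missing a part are held back."""
    parts = {}
    for ev in events:
        gm = parse_4627(ev)
        parts.setdefault(gm.logon_id, []).append(gm)
    merged = {}
    for logon_id, gms in parts.items():
        gms.sort(key=lambda g: g.sequence[0])
        total = gms[0].sequence[1]
        if [g.sequence[0] for g in gms] != list(range(1, total + 1)):
            continue  # incomplete sequence: the remaining parts have not arrived yet
        first = gms[0]
        merged[logon_id] = GroupMembership(logon_id, first.account, first.logon_type,
                                           (total, total), [s for g in gms for s in g.sids])
    return merged


def privileged_groups(gm: GroupMembership) -> list:
    return [name for name in map(resolve_sid, gm.sids) if name in PRIVILEGED]


def alerts(events: list) -> list:
    """One alert per logon session whose token carries a privileged group."""
    out = []
    for logon_id, gm in merge_sequence(events).items():
        priv = privileged_groups(gm)
        if priv:
            out.append({"logon_id": f"0x{logon_id:X}", "account": gm.account,
                        "logon_type": gm.logon_type, "privileged_groups": priv})
    return out


if __name__ == "__main__":
    for a in alerts([SAMPLE_EVENT]):
        print(a)
```

The Logon ID is parsed as an integer because the same session appears as 0x7A25A21 in the rendered message and 0x7a25a21 in insertion_string; a string comparison against the 4624 logon event would silently fail to correlate. When a token carries more groups than fit in one event, Windows emits several 4627 records with "Event in sequence: n of N" for the same Logon ID, so the merge step waits for every part before evaluating the session rather than alerting on a partial group list.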