# logon
Event fields used to define/normalize metadata about logon events.
## Attributes
| Name | Type | Description | Sample Value |
|---|---|---|---|
| logon_authentication_lan_package_name | string | The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon. Possible values are: NTLM V1, NTLM V2, LM. Only populated if Authentication Package = NTLM. | |
| logon_authentication_package_name | string | The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in the “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded, a “4610: An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded, along with the package name. | |
| logon_device_claims | string | List of device claims for the new logon session. | |
| logon_elevated_token | string | A “Yes” or “No” flag. If “Yes”, the session this event represents is elevated and has administrator privileges. | |
| logon_guid | string | A GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested”, on a domain controller. It can also be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same Logon GUID: “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.” | |
| logon_id | integer | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. | |
| logon_impersonation_level | string | Impersonation level. | |
| logon_key_length | integer | The length of the NTLM Session Security key. Typically it has a 128-bit or 56-bit length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable to the Kerberos protocol. This field will also have the value “0” if Kerberos was negotiated using the Negotiate authentication package. | |
| logon_process_name | string | The name of the trusted logon process that was used for the logon. See the description of event “4611: A trusted logon process has been registered with the Local Security Authority” for more information. | |
| logon_restricted_admin_mode | string | Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating whether the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2, but this flag was added to the event in Win10. If not a RemoteInteractive logon, this will be the “-” string. | |
| logon_transmitted_services | string | The list of transmitted services. Transmitted services are populated if the logon was the result of an S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos protocol that allows an application service to obtain a Kerberos service ticket on behalf of a user, most commonly done by a front-end website to access an internal resource on behalf of a user. | |
| logon_type | integer | The type of logon which was performed. | |
| logon_user_claims | string | List of user claims for the new logon session. This field contains user claims if a user account was logged in and device claims if a computer account was logged in. | |
| logon_user_linked_id | integer | A hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, the value is “0x0”. | |
| logon_virtual_account | string | A “Yes” or “No” flag which indicates whether the account is a virtual account (e.g., a “Managed Service Account”). Virtual accounts were introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given service uses, instead of just using “NetworkService”. | |
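As an added example, not code from the OSSEM project, the following Python maps the EventData of a Windows 4624 record onto the logon_* fields above (converting the hexadecimal Logon IDs to the integer type the dictionary declares) and then checks the relationships the descriptions state, such as key length being 0 for Kerberos. The raw key names (TargetLogonId, LmPackageName, and so on) are assumed to be those Windows writes into 4624 EventData, logon type 10 is assumed to be RemoteInteractive, and the sample record is constructed.

```python
# Added example, not code from the OSSEM project. Raw key names are assumed to
# be the EventData names Windows uses in event 4624; the sample is constructed.
REMOTE_INTERACTIVE = 10  # assumption: the LogonType value for RemoteInteractive

# Constructed sample 4624 EventData (illustrative values, not a real event).
SAMPLE_4624 = {
    "TargetLogonId": "0x3e7a1", "TargetLinkedLogonId": "0x0", "LogonType": "3",
    "LogonProcessName": "NtLmSsp ", "AuthenticationPackageName": "NTLM",
    "LmPackageName": "NTLM V2", "KeyLength": "128",
    "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
    "ImpersonationLevel": "Impersonation", "RestrictedAdminMode": "-",
    "ElevatedToken": "No", "VirtualAccount": "No", "TransmittedServices": "-",
}

def normalize_logon(event_data: dict) -> dict:
    """Map raw 4624 EventData onto the logon_* fields with the documented types."""
    def get(key, default="-"):
        return event_data.get(key, default)
    return {
        "logon_authentication_lan_package_name": get("LmPackageName"),
        "logon_authentication_package_name": get("AuthenticationPackageName"),
        "logon_device_claims": get("DeviceClaims"),
        "logon_elevated_token": get("ElevatedToken"),
        "logon_guid": get("LogonGuid"),
        # Logon IDs are hexadecimal text ("0x3e7a1"); the dictionary types them as integer
        "logon_id": int(get("TargetLogonId", "0x0"), 16),
        "logon_impersonation_level": get("ImpersonationLevel"),
        "logon_key_length": int(get("KeyLength", "0")),
        "logon_process_name": get("LogonProcessName").strip(),  # trailing padding is common
        "logon_restricted_admin_mode": get("RestrictedAdminMode"),
        "logon_transmitted_services": get("TransmittedServices"),
        "logon_type": int(get("LogonType", "0")),
        "logon_user_claims": get("UserClaims"),
        # "0x0" means no paired session; it still parses to integer 0
        "logon_user_linked_id": int(get("TargetLinkedLogonId", "0x0"), 16),
        "logon_virtual_account": get("VirtualAccount"),
    }

def consistency_issues(record: dict) -> list:
    """Return violations of the field relationships the dictionary states."""
    issues = []
    pkg = record["logon_authentication_package_name"]
    if pkg == "Kerberos" and record["logon_key_length"] != 0:
        issues.append("logon_key_length must be 0 when the package is Kerberos")
    if pkg != "NTLM" and record["logon_authentication_lan_package_name"] != "-":
        issues.append("logon_authentication_lan_package_name set for a non-NTLM logon")
    if record["logon_type"] != REMOTE_INTERACTIVE and record["logon_restricted_admin_mode"] != "-":
        issues.append("logon_restricted_admin_mode set outside a RemoteInteractive logon")
    return issues
```

Records that fail the consistency check are worth a second look in a pipeline, since they usually indicate a parsing or field-mapping error rather than a genuine Windows event.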