Field Name | Example Values | Field Type | Notes |
---|---|---|---|
source_user_sid_authority1 | S-1-0-0 | keyword | Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information. |
source_user_sid_authority2 | | keyword | The domain authority portion of the SID. |
source_user_sid_rid | 500 | keyword | The user RID (relative identifier), the last sub-authority of the SID. |
target_user_sid_authority1 | S-1-0-0 | keyword | Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information. |
target_user_sid_authority2 | | keyword | The domain authority portion of the SID. |
target_user_sid_rid | | keyword | The user RID (relative identifier), the last sub-authority of the SID. |
user_sid_authority1 | | keyword | Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information. |
user_sid_authority2 | | keyword | The domain authority portion of the SID. |
user_sid_rid | | keyword | The user RID (relative identifier), the last sub-authority of the SID. |
windows_authentication_lmpackage_name | | keyword | Defined only when windows_authentication_package_name is “NTLM”. |
windows_authentication_package_name | | keyword | Authentication package from Event ID 4624/4625. |
windows_authentication_process_name | | keyword | Logon process name from Event ID 4624/4625. |
windows_logon_type | 2, 3, 10 | byte | Numeric logon type; see https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 |
windows_logon_type_description | | keyword | Human-readable description mapped from windows_logon_type. |
windows_kerberos_encryption | 0x12 | keyword | The Kerberos ticket encryption type as a hex value. |
windows_kerberos_encryption_type | | keyword | Human-readable Kerberos ticket encryption type mapped from windows_kerberos_encryption. |
windows_kerberos_service_name | | keyword | Name of the service targeted by the Kerberos ticket request. |
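The table above describes how a Windows SID is split across the `*_sid_authority1`, `*_sid_authority2` and `*_sid_rid` fields, and how the numeric logon type and Kerberos encryption value get a mapped description. The following Python is an added illustration of that normalization, not code from Graylog or from the Illuminate content pack. It assumes (this is not stated on the page) that a domain SID `S-1-5-21-<d1>-<d2>-<d3>-<rid>` is split into `S-1-5` / `21-<d1>-<d2>-<d3>` / `<rid>`, that any other SID is kept whole in `authority1`, and that the logon-type and encryption-type names follow Microsoft's Event 4624 and 4768/4769 documentation. The sample events are constructed, not captured from a real host.

```python
import re

# Logon type names per Microsoft's Event 4624 documentation (assumed mapping).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Ticket encryption types per Microsoft's Event 4768/4769 documentation (assumed mapping).
KERBEROS_ETYPES = {
    0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def split_sid(sid, prefix):
    """Split a SID into <prefix>_sid_authority1 / _authority2 / _rid.

    Assumption: only S-1-5-21-* SIDs carry a domain part and a RID; every
    other SID (S-1-0-0, S-1-5-18, ...) is treated as well-known and stays
    whole in authority1, matching the table's note.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    id_auth = m.group(1)
    rest = [p for p in m.group(2).split("-") if p]
    if id_auth == "5" and len(rest) >= 5 and rest[0] == "21":
        return {
            f"{prefix}_sid_authority1": f"S-1-{id_auth}",
            f"{prefix}_sid_authority2": "-".join(rest[:-1]),
            f"{prefix}_sid_rid": rest[-1],
        }
    return {f"{prefix}_sid_authority1": sid}


def normalize_logon(event):
    """Map the relevant 4624/4625 EventData fields onto the table's fields."""
    fields = {}
    fields.update(split_sid(event["SubjectUserSid"], "source_user"))
    fields.update(split_sid(event["TargetUserSid"], "target_user"))
    logon_type = int(event["LogonType"])
    fields["windows_logon_type"] = logon_type
    fields["windows_logon_type_description"] = LOGON_TYPES.get(logon_type, "Unknown")
    fields["windows_authentication_package_name"] = event["AuthenticationPackageName"]
    fields["windows_authentication_process_name"] = event["LogonProcessName"]
    # lmpackage_name exists only for NTLM, exactly as the table states.
    if event["AuthenticationPackageName"] == "NTLM":
        fields["windows_authentication_lmpackage_name"] = event.get("LmPackageName", "-")
    return fields


def normalize_kerberos(event):
    """Map 4768/4769 TicketEncryptionType and ServiceName onto the table's fields."""
    etype = int(event["TicketEncryptionType"], 16)
    return {
        "windows_kerberos_encryption": f"0x{etype:x}",
        "windows_kerberos_encryption_type": KERBEROS_ETYPES.get(etype, "Unknown"),
        "windows_kerberos_service_name": event["ServiceName"],
    }


# Constructed sample events (not real log data).
SAMPLE_4624 = {
    "SubjectUserSid": "S-1-5-18",
    "TargetUserSid": "S-1-5-21-1004336348-1177238915-682003330-500",
    "LogonType": "10",
    "AuthenticationPackageName": "NTLM",
    "LmPackageName": "NTLM V2",
    "LogonProcessName": "User32",
}
SAMPLE_4769 = {"TicketEncryptionType": "0x12", "ServiceName": "cifs/fs01"}

if __name__ == "__main__":
    for k, v in normalize_logon(SAMPLE_4624).items():
        print(f"{k} = {v}")
    for k, v in normalize_kerberos(SAMPLE_4769).items():
        print(f"{k} = {v}")
```

Running the block shows the Local System SID landing in `source_user_sid_authority1` alone, while the domain administrator SID is split three ways with `target_user_sid_rid` = `500`; the NTLM-only `windows_authentication_lmpackage_name` field appears because the sample uses NTLM, and is absent when the package is Kerberos.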
The following content is part of the Graylog Illuminate 6.3 documentation. If you are using another version of Illuminate, please switch to your version. For versions prior to 4.0, please see the legacy documentation.