| source_user_sid_authority1 |
S-1-0-0 |
keyword |
Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field contianing SID information. |
| source_user_sid_authority2 |
|
keyword |
The domain authority portion of the SID |
| source_user_sid_rid |
500 |
keyword |
This is the user RID |
| target_user_sid_authority1 |
S-1-0-0 |
keyword |
Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information. |
| target_user_sid_authority2 |
|
keyword |
The domain authority portion of the SID |
| target_user_sid_rid |
|
keyword |
This is the user RID |
| user_sid_authority1 |
|
keyword |
Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information. |
| user_sid_authority2 |
|
keyword |
The domain authority portion of the SID |
| user_sid_rid |
|
keyword |
This is the user RID |
| windows_authentication_lmpackage_name |
|
keyword |
This field is defined only when the windows_authentication_package_name = “NTLM” |
| windows_authentication_package_name |
|
keyword |
Authentication information from Event ID 4624/4625 |
| windows_authentication_process_name |
|
keyword |
Authentication information from Event ID 4624/4625 |
| windows_logon_type |
2, 3, 10 |
byte |
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 |
| windows_logon_type_description |
|
keyword |
Description mapped to the logon type field |
| windows_kerberos_encryption |
0x12 |
keyword |
The Windows kerberos encryption hex value |
| windows_kerberos_encryption_type |
|
keyword |
Kerberos ticket encryption types https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 |
| windows_kerberos_service_name |
|
keyword |
Name of service targeted for Kerberos ticket requests |