| source_user_sid_authority1 | S-1-0-0 | keyword | Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information. |
| source_user_sid_authority2 | | keyword | The domain authority portion of the SID |
| source_user_sid_rid | 500 | keyword | This is the user RID |
| target_user_sid_authority1 | S-1-0-0 | keyword | Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information. |
| target_user_sid_authority2 | | keyword | The domain authority portion of the SID |
| target_user_sid_rid | | keyword | This is the user RID |
| user_sid_authority1 | | keyword | Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information. |
| user_sid_authority2 | | keyword | The domain authority portion of the SID |
| user_sid_rid | | keyword | This is the user RID |
| windows_authentication_lmpackage_name | | keyword | This field is defined only when windows_authentication_package_name = “NTLM” |
| windows_authentication_package_name | | keyword | Authentication information from Event ID 4624/4625 |
| windows_authentication_process_name | | keyword | Authentication information from Event ID 4624/4625 |
| windows_logon_type | 2, 3, 10 | byte | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 |
| windows_logon_type_description | | keyword | Description mapped to the logon type field |
| windows_kerberos_encryption | 0x12 | keyword | The Windows Kerberos encryption hex value |
| windows_kerberos_encryption_type | | keyword | Kerberos ticket encryption types https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 |
| windows_kerberos_service_name | | keyword | Name of service targeted for Kerberos ticket requests |