Microsoft Netlogon¶
About¶
Microsoft Netlogon also known as The Netlogon Remote Protocol is a remote procedure call (RPC) interface that is used for user and machine authentication on domain-based networks. The Netlogon Remote Protocol RPC interface is also used to replicate the database for backup domain controllers (BDCs).
The Netlogon Remote Protocol is used to maintain domain relationships from the members of a domain to the domain controller (DC), among DCs for a domain, and between DCs across domains. This RPC interface is used to discover and manage these relationships.
Product Details¶
Vendor URL: Microsoft Netlogon
Product Type: Identity
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Custom
Parser Details¶
Log Format: Syslog/CEF
Expected Normalization Rate: near 100%
Data Label: MICROSOFT_NETLOGON
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| ad.%1 | target.hostname |
| ad.%2 | target.user.userid |
| ad.accessList | security_result.rule_name |
| ad.mnemonic | security_result.rule_id |
| agt | observer.ip |
| ahost | observer.hostname |
| amac | observer.mac |
| av | metadata.product_version |
| cat | security_result.category_details |
| categoryBehavior | security_result.category_details |
| categoryDeviceGroup | security_result.category_details |
| categoryObject | security_result.category_details |
| categoryOutcome | security_result.category_details |
| categorySignificance | security_result.category_details |
| destinationZoneURI | target.cloud.availability_zone |
| deviceZoneURI | principal.cloud.availability_zone |
| dhost | target.hostname |
| dst | target.ip |
| dvc | principal.ip |
| dvchost | principal.hostname |
| eventId | metadata.product_log_id |
| in | network.received_bytes |
| msg | metadata.description |
| out | network.sent_bytes |
| principal_domain | principal.administrative_domain |
| product | metadata.product_event_type |
| sessionID | network.session_id |
| severity | security_result.severity_details |
| sourceZoneURI | src.cloud.availability_zone |
| src | src.ip |
Product Event Types¶
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | GENERIC_EVENT |
Log Sample¶
Jan 4 19:32:09 10.0.0.0 CEF: 0|Microsoft|NETLOGON|Windows Server 2016|NETLOGON:0000|NETLOGON|Medium| eventId=0000000000 externalId=0000 art=00000000000 cat=System deviceSeverity=Error rt=00000000 oldFileHash=UTF-8| cs2=None cs3=NETLOGON cs2Label=EventlogCategory cs3Label=EventSource ahost=PROD.prod-am.OTPLACE.com agt=10.0.0.0 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/TIMEZONE: 10.0.0.0-10.255.255.255 amac=00-0-0-0-0-0 av=0.1.0.0.0 atz=America/New_York at=winc dvchost=PRODHOSTHERE dvc=0.0.0.0 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/TIMEZONE: 10.0.0.0-10.255.255.255 dtz=CST geid=0 _cefVer=0.1 ad.EventRecordID=1591790 ad.Version= ad.ThreadID= ad.Opcode= ad.ProcessID= ad.%1=000000 ad.%2=0000 aid=0000000
Sample Parsing¶
metadata.product_log_id = "0000000000"
metadata.event_type = "GENERIC_EVENT"
metadata.product_version = "0.1.0.0.0"
principal.hostname = "PRODHOSTHERE"
principal.ip = "0.0.0.0"
principal.administrative_domain = "prod-am.OTPLACE.com"
principal.cloud.availability_zone = "/All Zones/ArcSight System/Private Address Space Zones/TIMEZONE: 10.0.0.0-10.255.255.255"
observer.hostname = "PROD.prod-am.OTPLACE.com"
observer.ip[0] = "10.0.0.0"
observer.mac[0] = "00:0:0:0:0:0"
target.hostname = "000000"
target.user.userid = "0000"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon