
Microsoft Netlogon


About

Microsoft Netlogon, also known as the Netlogon Remote Protocol, is a remote procedure call (RPC) interface used for user and machine authentication on domain-based networks. The same RPC interface is also used to replicate the domain database to backup domain controllers (BDCs).

The Netlogon Remote Protocol is used to maintain domain relationships from the members of a domain to the domain controller (DC), among DCs for a domain, and between DCs across domains. This RPC interface is used to discover and manage these relationships.

Product Details

Vendor URL: Microsoft Netlogon

Product Type: Identity

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Custom

Parser Details

Log Format: Syslog/CEF

Expected Normalization Rate: near 100%

Data Label: MICROSOFT_NETLOGON

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field          UDM Field
ad.%1                   target.hostname
ad.%2                   target.user.userid
ad.accessList           security_result.rule_name
ad.mnemonic             security_result.rule_id
agt                     observer.ip
ahost                   observer.hostname
amac                    observer.mac
av                      metadata.product_version
cat                     security_result.category_details
categoryBehavior        security_result.category_details
categoryDeviceGroup     security_result.category_details
categoryObject          security_result.category_details
categoryOutcome         security_result.category_details
categorySignificance    security_result.category_details
destinationZoneURI      target.cloud.availability_zone
deviceZoneURI           principal.cloud.availability_zone
dhost                   target.hostname
dst                     target.ip
dvc                     principal.ip
dvchost                 principal.hostname
eventId                 metadata.product_log_id
in                      network.received_bytes
msg                     metadata.description
out                     network.sent_bytes
principal_domain        principal.administrative_domain
product                 metadata.product_event_type
sessionID               network.session_id
severity                security_result.severity_details
sourceZoneURI           src.cloud.availability_zone
src                     src.ip

Product Event Types

type,subtype    severity    UDM Event Classification    alerting enabled
Default                     GENERIC_EVENT

Log Sample

Jan  4 19:32:09 10.0.0.0 CEF: 0|Microsoft|NETLOGON|Windows Server 2016|NETLOGON:0000|NETLOGON|Medium| eventId=0000000000 externalId=0000 art=00000000000 cat=System deviceSeverity=Error rt=00000000 oldFileHash=UTF-8| cs2=None cs3=NETLOGON cs2Label=EventlogCategory cs3Label=EventSource ahost=PROD.prod-am.OTPLACE.com agt=10.0.0.0 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/TIMEZONE: 10.0.0.0-10.255.255.255 amac=00-0-0-0-0-0 av=0.1.0.0.0 atz=America/New_York at=winc dvchost=PRODHOSTHERE dvc=0.0.0.0 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/TIMEZONE: 10.0.0.0-10.255.255.255 dtz=CST geid=0 _cefVer=0.1 ad.EventRecordID=1591790 ad.Version= ad.ThreadID= ad.Opcode= ad.ProcessID= ad.%1=000000 ad.%2=0000 aid=0000000

Sample Parsing

metadata.product_log_id = "0000000000"
metadata.event_type = "GENERIC_EVENT"
metadata.product_version = "0.1.0.0.0"
principal.hostname = "PRODHOSTHERE"
principal.ip = "0.0.0.0"
principal.administrative_domain = "prod-am.OTPLACE.com"
principal.cloud.availability_zone = "/All Zones/ArcSight System/Private Address Space Zones/TIMEZONE: 10.0.0.0-10.255.255.255"
observer.hostname = "PROD.prod-am.OTPLACE.com"
observer.ip[0] = "10.0.0.0"
observer.mac[0] = "00:0:0:0:0:0"
target.hostname = "000000"
target.user.userid = "0000"
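As an added illustration (not the product's own parser), the following Python normalizer applies a subset of the mapping table above to a CEF line shaped like the Log Sample. The sample string is constructed from the page's sample with placeholder addresses; the MAC normalization and the rule for deriving principal.administrative_domain from the agent hostname are assumptions chosen to reproduce the Sample Parsing, since the page does not show the real parser's logic.

```python
import re

# Constructed sample modelled on the page's Log Sample (all addresses are placeholders).
SAMPLE = (
    "Jan  4 19:32:09 10.0.0.0 CEF: 0|Microsoft|NETLOGON|Windows Server 2016|"
    "NETLOGON:0000|NETLOGON|Medium| eventId=0000000000 cat=System "
    "ahost=PROD.prod-am.OTPLACE.com agt=10.0.0.0 agentZoneURI=/All Zones/ArcSight "
    "System/Private Address Space Zones/TIMEZONE: 10.0.0.0-10.255.255.255 "
    "amac=00-0-0-0-0-0 av=0.1.0.0.0 dvchost=PRODHOSTHERE dvc=0.0.0.0 "
    "ad.Version= ad.%1=000000 ad.%2=0000 aid=0000000"
)

# Subset of the page's mapping table: CEF extension key -> UDM field.
FIELD_MAP = {
    "ad.%1": "target.hostname", "ad.%2": "target.user.userid",
    "agt": "observer.ip", "ahost": "observer.hostname", "amac": "observer.mac",
    "av": "metadata.product_version", "cat": "security_result.category_details",
    "dvc": "principal.ip", "dvchost": "principal.hostname",
    "eventId": "metadata.product_log_id", "msg": "metadata.description",
}

# An extension value runs until the next " key=" token, so values may contain spaces.
EXT_RE = re.compile(r"([\w.%]+)=(.*?)(?=\s+[\w.%]+=|$)")


def parse_cef(line):
    """Split a syslog-wrapped CEF record into its header fields and extension dict."""
    body = line[line.index("CEF:"):]
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)  # header pipes may be escaped as \|
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    names = ("vendor", "product", "device_version", "signature_id", "name", "severity")
    return dict(zip(names, parts[1:7])), dict(EXT_RE.findall(parts[7].strip()))


def to_udm(line):
    """Normalize one Netlogon CEF line into the flat UDM fields the page lists."""
    header, ext = parse_cef(line)
    udm = {"metadata.event_type": "GENERIC_EVENT",  # page: Default -> GENERIC_EVENT
           "metadata.product_event_type": header["product"],
           "security_result.severity_details": header["severity"]}
    for key, udm_field in FIELD_MAP.items():
        if ext.get(key):  # skip keys that are absent or empty (e.g. "ad.Version=")
            udm[udm_field] = ext[key]
    if "observer.mac" in udm:  # "00-0-0-0-0-0" -> "00:0:0:0:0:0", as in Sample Parsing
        udm["observer.mac"] = udm["observer.mac"].replace("-", ":")
    # Assumption: administrative_domain = agent hostname minus its first label; this
    # reproduces the Sample Parsing but the real parser's rule is not shown on the page.
    host = udm.get("observer.hostname", "")
    if "." in host:
        udm["principal.administrative_domain"] = host.split(".", 1)[1]
    return udm
```

Extension values containing spaces (such as the ArcSight zone URIs) survive because a value only ends at the next `key=` token, which is the check a hand-rolled CEF splitter on whitespace gets wrong.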

Parser Alerting

This product currently does not have any Parser-based Alerting