
Windows AD

About

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

This data store, also known as the directory, contains information about Active Directory objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts. For more information about the Active Directory data store, see Directory data store.

Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network. For more information about Active Directory security, see Security overview.

Active Directory also includes:

  • A set of rules, the schema, that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names. For more information about the schema, see Schema.

  • A global catalog that contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data. For more information about the global catalog, see The role of the global catalog.

  • A query and index mechanism, so that objects and their properties can be published and found by network users or applications. For more information about querying the directory, see Finding directory information.

  • A replication service that distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain. For more information about Active Directory replication, see Replication overview.

Product Details

Vendor URL: Windows AD

Product Type: OS

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Windows AD - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON and Syslog

Expected Normalization Rate: 80-90%

Data Label: WINDOWS_AD

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
AccessMask security_result.about.resource.name
AccountDomain target.administrative_domain
AccountName principal.user.roll_name
AccountName principal.user.userid
AccountToReset principal.user.userid
AccountType principal.user.roll_description
Action about.labels.value
AdditionalInfo security_result.description
Application principal.application
Arguments about.process.command_line
AttributeLDAPDisplayName target.resource.type
AttributeValue target.resource.name
AttributeValue target.user.user_display_name
AuthenticationPackage principal.application
AuthenticationPackageName security_result.about.resource.name
AuthenticationSetId target.resource.id
AuthenticationSetName target.resource.name
CallerComputerName principal.hostname
CallerProcessName principal.process.file.full_path
CalloutKey about.labels.value
CalloutName about.labels.value
Category metadata.description
ChangeType about.labels.value
Channel security_result.summary
ClientUserName target.user.userid
Command about.process.command_line
CommandLine principal.process.command_line
CommandName target.application
Conditions about.labels.value
ConnectionSecurityRuleId target.resource.id
ConnectionSecurityRuleName target.resource.name
CryptographicSetId target.resource.id
CryptographicSetName target.resource.name
DestAddress target.ip
DestPort target.port
DfsNamespace target.resource.name
Direction network.direction
Domain principal.administrative_domain
Domain target.administrative_domain
EventID metadata.product_event_type
ExecutionProcessId principal.process.pid
FilterId target.resource.id
FilterKey about.labels.value
FilterName target.resource.name
FilterRTID security_result.rule_id
FilterType about.labels.value
GroupMembership target.user.group_identifiers
GroupName target.group.group_display_name
HandleId additional.fields.value.string_value
HiveName target.registry.registry_key
HostApplication target.file.full_path
Hostname intermediary.hostname
Hostname principal.hostname
Hostname target.hostname
ImagePath target.process.file.full_path
IpAddress principal.ip
IpAddress target.ip
IpPort principal.port
IpPort target.port
KeyFilePath target.file.full_path
KeyLength extensions.auth.auth_details
KeyName target.resource.name
KeyTypeContainer target.resource.type
LayerId about.labels.value
LayerKey about.labels.value
LayerName about.labels.value
LayerRTID about.labels.value
LogonProcessName target.process.file.full_path
LogonType extensions.auth.auth_details
LogonType extensions.auth.mechanism
MappedName about.labels.value
MappingBy about.labels.value
MemberName target.user.user_display_name
MemberName target.user.userid
MemberSid target.user.windows_sid
Message metadata.description
Namespace target.file.full_path
NewProcessId target.process.pid
NewProcessName principal.process.file.full_path
NewProcessName target.process.file.full_path
NewSecurityDescriptor target.file.full_path
NewUacValue target.resource.attribute.labels
NewValue target.registry.registry_value_data
ObjectClass target.resource.type
ObjectDN target.group.group_display_name
ObjectGUID target.group.product_object_id
ObjectGUID target.resource.id
ObjectName target.file.full_path
ObjectName target.resource.name
ObjectServer target.resource.name
ObjectType target.resource_type
ObjectValueName target.registry.registry_value_name
OldUacValue principal.resource.attribute.labels
Operation metadata.description
OperationType metadata.description
OriginalSecurityDescriptor src.file.full_path
ParentProcessName principal.process.file.full_path
Payload target.process.file.full_path
PrivilegeList security_result.about.resource.name
ProcessId principal.process.pid
ProcessId target.process.pid
ProcessName principal.process.file.full_path
ProcessName target.process.file.full_path
ProfileChanged target.group.group_display_name
Properties target.resource.id
Protocol network.ip_protocol
ProviderDetails target.file.full_path
ProviderDetails target.resource.name
ProviderGuid metadata.product_log_id
ProviderKey about.labels.value
ProviderName about.labels.value
RelativeTargetName target.file.full_path
RemoteMachineID target.hostname
RuleAttr security_result.summary
RuleId security_result.rule_id
RuleId target.resource.id
RuleName security_result.rule_name
RuleName target.resource.name
SChannelName extensions.auth.auth_details
SChannelType additional.fields.value.string_value
ScriptName target.file.full_path
SecurityID principal.user.windows_sid
SecurityPackageName target.file.full_path
ServiceFileName target.process.file.full_path
ServiceName about.labels.value
ServiceName target.process.command_line
ServiceSid target.group.windows_sid
ServiceType target.application
SettingType target.resource.name
Severity security_result.severity
ShareLocalPath target.file.full_path
ShareName target.file.full_path
ShareName target.resource.name
SourceAddress principal.ip
SourceHandleId about.labels.key
SourceName principal.application
SourceName target.application
SourcePort principal.port
SourceProcessId src.process.pid
Status metadata.description
SubjectDomainName principal.administrative_domain
SubjectLogonId about.labels.value
SubjectUserName principal.user.userid
SubjectUserSid principal.user.windows_sid
SubscriptionManagerAddress target.url
TargetDomainName target.administrative_domain
TargetHandleId about.labels.key
TargetProcessId target.process.pid
TargetSid target.group.windows_sid
TargetSid target.resource.id
TargetSid target.user.windows_sid
TargetUserName target.resource.name
TargetUserName target.user.group_identifiers
TargetUserName target.user.userid
TargetUserSid target.user.windows_sid
TaskName principal.process.file.full_path
TaskName target.resource.name
ThreadID principal.process.pid
TicketEncryptionType about.resource.name
TicketOptions about.labels.value
UserID principal.user.userid
UserID principal.user.windows_sid
UserName principal.user.userid
UserName target.user.userid
UserSid principal.user.windows_sid
Weight about.labels.value
Workstation principal.hostname
WorkstationName principal.hostname
WorkstationName target.hostname

Product Event Types

Event UDM Event Classification
16 USER_RESOURCE_UPDATE_CONTENT
104 USER_RESOURCE_ACCESS
517 GENERIC_EVENT,USER_RESOURCE_UPDATE_CONTENT
529 USER_LOGIN
600 GENERIC_EVENT
601 GENERIC_EVENT,SERVICE_UNSPECIFIED
800 GENERIC_EVENT
1100 SERVICE_STOP
1102 GENERIC_EVENT,SERVICE_STOP
4103 SERVICE_START
4104 SERVICE_START
4622 FILE_UNCATEGORIZED
4624 USER_LOGIN
4625 USER_LOGIN
4627 GROUP_UNCATEGORIZED
4634 USER_LOGOUT
4648 USER_LOGIN
4656 USER_RESOURCE_ACCESS
4657 REGISTRY_MODIFICATION
4658 USER_RESOURCE_ACCESS
4660 USER_RESOURCE_DELETION
4661 USER_RESOURCE_ACCESS
4662 USER_RESOURCE_ACCESS
4663 FILE_OPEN,REGISTRY_UNCATEGORIZED,PROCESS_OPEN,USER_RESOURCE_ACCESS
4670 FILE_MODIFICATION,REGISTRY_MODIFICATION,USER_RESOURCE_UPDATE_PERMISSIONS
4672 USER_LOGIN
4673 GENERIC_EVENT
4674 GENERIC_EVENT
4688 PROCESS_LAUNCH
4689 PROCESS_TERMINATION
4690 PROCESS_UNCATEGORIZED
4697 GENERIC_EVENT,SERVICE_UNSPECIFIED
4698 SCHEDULED_TASK_CREATION
4699 SCHEDULED_TASK_DELETION
4700 SCHEDULED_TASK_ENABLE
4701 SCHEDULED_TASK_DISABLE
4702 SCHEDULED_TASK_MODIFICATION
4715 SYSTEM_AUDIT_LOG_UNCATEGORIZED
4719 SYSTEM_AUDIT_LOG_UNCATEGORIZED
4720 USER_CREATION
4722 USER_CHANGE_PERMISSIONS
4723 USER_CHANGE_PASSWORD
4724 USER_CHANGE_PASSWORD
4725 USER_CHANGE_PERMISSIONS
4726 USER_DELETION
4728 GROUP_MODIFICATION
4729 GROUP_MODIFICATION
4732 GROUP_MODIFICATION
4733 GROUP_MODIFICATION
4734 GROUP_DELETION
4735 GROUP_MODIFICATION
4737 GROUP_MODIFICATION
4738 USER_UNCATEGORIZED
4740 USER_UNCATEGORIZED
4741 USER_RESOURCE_CREATION
4742 USER_RESOURCE_UPDATE_CONTENT
4750 USER_RESOURCE_UPDATE_CONTENT
4751 USER_RESOURCE_UPDATE_CONTENT
4752 GROUP_MODIFICATION
4755 GROUP_MODIFICATION
4756 GROUP_MODIFICATION
4757 GROUP_MODIFICATION
4765 USER_RESOURCE_UPDATE_CONTENT
4767 USER_CHANGE_PERMISSIONS
4768 GENERIC_EVENT
4769 GENERIC_EVENT
4770 GENERIC_EVENT
4771 USER_LOGIN
4772 USER_LOGIN
4774 USER_UNCATEGORIZED
4776 USER_UNCATEGORIZED
4777 USER_UNCATEGORIZED
4782 FILE_READ
4794 USER_RESOURCE_UPDATE_CONTENT
4798 GROUP_UNCATEGORIZED
4799 GROUP_MODIFICATION
4800 USER_STATS
4801 USER_STATS
4946 SETTING_MODIFICATION
4948 SETTING_MODIFICATION
4950 SETTING_MODIFICATION
4957 SETTING_MODIFICATION
4964 GROUP_MODIFICATION
4985 GENERIC_EVENT
5038 FILE_UNCATEGORIZED
5042 SETTING_MODIFICATION
5045 SETTING_MODIFICATION
5048 SETTING_MODIFICATION
5058 FILE_UNCATEGORIZED,USER_RESOURCE_ACCESS
5059 FILE_UNCATEGORIZED,USER_RESOURCE_ACCESS
5061 FILE_UNCATEGORIZED,USER_RESOURCE_ACCESS
5136 GROUP_MODIFICATION,USER_RESOURCE_UPDATE_CONTENT
5140 USER_RESOURCE_ACCESS
5145 USER_RESOURCE_ACCESS
5152 NETWORK_UNCATEGORIZED
5156 NETWORK_UNCATEGORIZED
5447 SETTING_MODIFICATION
5859 SERVICE_START
5861 SERVICE_START
6006 SERVICE_STOP
7022 GENERIC_EVENT
7023 GENERIC_EVENT
7024 GENERIC_EVENT
7026 GENERIC_EVENT
7031 GENERIC_EVENT
7032 GENERIC_EVENT
7034 GENERIC_EVENT
7045 SERVICE_CREATION
8004 SYSTEM_AUDIT_LOG_UNCATEGORIZED
18452 USER_LOGIN,USER_UNCATEGORIZED
18456 STATUS_UPDATE,USER_LOGIN,USER_UNCATEGORIZED

Log Sample

<14>1 2021-10-01T11:17:35.614261-04:00 host Microsoft-Windows-Security-Auditing 532 - [NXLOG@14506 Keywords="keywords" EventType="AUDIT_SUCCESS" EventID="5145" ProviderGuid="{providerguid}" Version="0" TaskValue="12811" OpcodeValue="0" RecordNumber="recordid" ExecutionThreadID="540" Channel="Security" Category="Detailed File Share" Opcode="Info" SubjectUserSid="sid" SubjectUserName="SYSTEM" SubjectDomainName="DOMAIN" SubjectLogonId="logonid" ObjectType="File" IpAddress="10.13.100.247" IpPort="62191" ShareName="\\\\*\\SYSVOL" ShareLocalPath="\\??\\C:\\Windows\\SYSVOL_DFSR\\sysvol" RelativeTargetName="ACME.local\\Policies\\{polid}\\Machine\\registry.pol" AccessMask="0x80" AccessList="%%4423     " AccessReason="%%4423: %%1801 D:(A;;0x1200a9;;;WD)     " EventReceivedTime="2021-10-01 11:17:36" SourceModuleName="MS_AD2" SourceModuleType="im_msvistalog"] A network share object was checked to see whether client can be granted desired access.     Subject:   Security ID:  sid   Account Name:  account   Account Domain:  ACME   Logon ID:  logonid    Network Information:    Object Type:  File   Source Address:  10.13.100.247   Source Port:  62191     Share Information:   Share Name:  \\*\SYSVOL   Share Path:  \??\C:\Windows\SYSVOL_DFSR\sysvol   Relative Target Name: domain.local\Policies\{polid}\Machine\registry.pol    Access Request Information:   Access Mask:  0x80   Accesses:  ReadAttributes        Access Check Results:   ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)

Sample Parsing

metadata.product_log_id = "{providerguid}"
metadata.event_timestamp = "2021-10-01T15:17:35.614261Z"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Windows"
metadata.product_event_type = "5145"
metadata.description = "Detailed"
principal.hostname = "hostname"
principal.user.userid = "SYSTEM"
principal.user.windows_sid = "sid"
principal.platform = "WINDOWS"
principal.ip = "10.13.100.247"
principal.mac = "00:50:b6:e7:c5:b1"
principal.administrative_domain = "DOMAIN"
principal.asset.hostname = "hostname"
principal.asset.ip = "10.13.100.247"
principal.asset.mac = "00:50:b6:e7:c5:b1"
target.port = 62191
target.file.full_path = "domain.local\Policies\{polid}\Machine\registry.pol"
target.resource.type = "File"
target.resource.name = "\\*\SYSVOL"
observer.hostname = "hostname"
observer.application = "Microsoft-Windows-Security-Auditing"
security_result.summary = "A network share object was checked to see whether client can be granted desired access. "
extensions.auth.mechanism = "MECHANISM_UNSPECIFIED"
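The following Python script is an added worked example of the normalization the UDM Fields table, the Product Event Types table and the Sample Parsing above describe; it is not the Cyderes parser itself, which the page does not show. It takes a trimmed copy of the NXLog sample, parses the RFC 5424 header and structured-data element (honouring RFC 5424 backslash escaping, which is why the raw log carries ShareName="\\\\*\\SYSVOL" while the normalized target.resource.name is \\*\SYSVOL), converts the -04:00 timestamp to the UTC form shown in Sample Parsing, maps EventID to its UDM event classification, and applies the field table. The subset of mappings, the choice made where the table lists two UDM targets for one log field (IpAddress, IpPort), the use of target.resource.type for ObjectType as in Sample Parsing, and the collection of unmapped fields under additional.fields are assumptions for illustration; the mapping in the product parser may differ.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the page's NXLog (RFC 5424) event 5145 line.
# ShareName keeps the RFC 5424 escaping of backslashes exactly as the page shows it.
SAMPLE = (
    r'<14>1 2021-10-01T11:17:35.614261-04:00 host Microsoft-Windows-Security-Auditing 532 - '
    r'[NXLOG@14506 EventType="AUDIT_SUCCESS" EventID="5145" ProviderGuid="{providerguid}" '
    r'Channel="Security" Category="Detailed File Share" SubjectUserSid="sid" '
    r'SubjectUserName="SYSTEM" SubjectDomainName="DOMAIN" ObjectType="File" '
    r'IpAddress="10.13.100.247" IpPort="62191" ShareName="\\\\*\\SYSVOL" '
    r'RelativeTargetName="ACME.local\\Policies\\{polid}\\Machine\\registry.pol" '
    r'AccessMask="0x80"] A network share object was checked to see whether client '
    r'can be granted desired access.'
)

# Subset of the page's "Product Event Types" table (EventID -> UDM classification).
EVENT_TYPES = {
    '1102': 'SERVICE_STOP', '4624': 'USER_LOGIN', '4625': 'USER_LOGIN',
    '4688': 'PROCESS_LAUNCH', '4720': 'USER_CREATION', '4728': 'GROUP_MODIFICATION',
    '5145': 'USER_RESOURCE_ACCESS', '7045': 'SERVICE_CREATION',
}

# Subset of the page's "UDM Fields" table (log field -> UDM fields). Assumption:
# where the table offers two targets (IpAddress, IpPort) the one shown in the
# page's Sample Parsing for event 5145 is used; ObjectType follows Sample Parsing.
FIELD_MAP = {
    'EventID': ('metadata.product_event_type',),
    'ProviderGuid': ('metadata.product_log_id',),
    'Category': ('metadata.description',),
    'SubjectUserName': ('principal.user.userid',),
    'SubjectUserSid': ('principal.user.windows_sid',),
    'SubjectDomainName': ('principal.administrative_domain',),
    'IpAddress': ('principal.ip',),
    'IpPort': ('target.port',),
    'ObjectType': ('target.resource.type',),
    'ShareName': ('target.resource.name',),
    'RelativeTargetName': ('target.file.full_path',),
    'AccessMask': ('security_result.about.resource.name',),
}

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
HEADER = re.compile(
    r'^<\d{1,3}>\d (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ (?P<rest>.*)$',
    re.DOTALL)


def parse_sd_element(rest):
    """Parse one STRUCTURED-DATA element at the start of `rest`.

    Returns (sd_id, params, msg). Only '"', '\\' and ']' are backslash-escaped
    inside a PARAM-VALUE (RFC 5424 section 6.3.3), so only those are unescaped.
    """
    m = re.match(r'\[([^\s\]]+)', rest)
    if not m:
        return None, {}, rest
    sd_id, i, params = m.group(1), m.end(), {}
    while i < len(rest):
        if rest[i] == ' ':
            i += 1
            continue
        if rest[i] == ']':
            i += 1
            break
        eq = rest.index('=', i)
        name, i = rest[i:eq], eq + 1
        if rest[i] != '"':
            raise ValueError(f'PARAM-VALUE for {name} is not quoted')
        i += 1
        buf = []
        while i < len(rest) and rest[i] != '"':
            if rest[i] == '\\' and i + 1 < len(rest) and rest[i + 1] in '"\\]':
                i += 1                      # drop the escaping backslash
            buf.append(rest[i])
            i += 1
        i += 1                              # skip the closing quote
        params[name] = ''.join(buf)
    return sd_id, params, rest[i:].lstrip(' ')


def normalize(line):
    """Turn one NXLog/Windows syslog line into a flat dict of UDM field -> value."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 line')
    _sd_id, params, msg = parse_sd_element(m.group('rest'))
    # The page's Sample Parsing shows the -04:00 local timestamp converted to UTC.
    ts = datetime.fromisoformat(m.group('ts')).astimezone(timezone.utc)
    udm = {
        'metadata.event_timestamp': ts.strftime('%Y-%m-%dT%H:%M:%S.%fZ'),
        'metadata.vendor_name': 'Microsoft',
        'metadata.product_name': 'Windows',
        'metadata.event_type': EVENT_TYPES.get(params.get('EventID'), 'GENERIC_EVENT'),
        'principal.hostname': m.group('host'),
        'observer.hostname': m.group('host'),
        'observer.application': m.group('app'),
        'security_result.summary': msg,
        'additional.fields': {},            # log fields the table does not cover
    }
    for name, value in params.items():
        if name not in FIELD_MAP:
            udm['additional.fields'][name] = value
            continue
        for udm_field in FIELD_MAP[name]:
            # UDM ports are integers; everything else stays a string.
            udm[udm_field] = int(value) if udm_field.endswith('.port') else value
    return udm


if __name__ == '__main__':
    for field, value in sorted(normalize(SAMPLE).items()):
        print(f'{field} = {value!r}')
```

Fields that reach additional.fields rather than a UDM field (Channel, EventType in this trimmed sample) are the kind of remainder behind the 80-90% normalization rate stated above; widening FIELD_MAP with the rest of the table raises that share. Values such as the hostname "host" and the ACME.local path differ from the Sample Parsing output only because the page's sample is anonymized.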

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon