Windows AD¶
About¶
A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.
Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.
This data store, also known as the directory, contains information about Active Directory objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts. For more information about the Active Directory data store, see Directory data store.
Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network. For more information about Active Directory security, see Security overview.
Active Directory also includes:
-
A set of rules, the schema, that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names. For more information about the schema, see Schema.
-
A global catalog that contains information about every object in the directory. This allows users and administrators to find directory information regardless of which domain in the directory actually contains the data. For more information about the global catalog, see The role of the global catalog.
-
A query and index mechanism, so that objects and their properties can be published and found by network users or applications. For more information about querying the directory, see Finding directory information.
-
A replication service that distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain. For more information about Active Directory replication, see Replication overview.
Product Details¶
Vendor URL: Windows AD
Product Type: OS
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Windows AD - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON and Syslog
Expected Normalization Rate: 80-90%
Data Label: WINDOWS_AD
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AccessMask | security_result.about.resource.name |
| AccountDomain | target.administrative_domain |
| AccountName | principal.user.roll_name |
| AccountName | principal.user.userid |
| AccountToReset | principal.user.userid |
| AccountType | principal.user.roll_description |
| Action | about.labels.value |
| AdditionalInfo | security_result.description |
| Application | principal.application |
| Arguments | about.process.command_line |
| AttributeLDAPDisplayName | target.resource.type |
| AttributeValue | target.resource.name |
| AttributeValue | target.user.user_display_name |
| AuthenticationPackage | principal.application |
| AuthenticationPackageName | security_result.about.resource.name |
| AuthenticationSetId | target.resource.id |
| AuthenticationSetName | target.resource.name |
| CallerComputerName | principal.hostname |
| CallerProcessName | principal.process.file.full_path |
| CalloutKey | about.labels.value |
| CalloutName | about.labels.value |
| Category | metadata.description |
| ChangeType | about.labels.value |
| Channel | security_result.summary |
| ClientUserName | target.user.userid |
| Command | about.process.command_line |
| CommandLine | principal.process.command_line |
| CommandName | target.application |
| Conditions | about.labels.value |
| ConnectionSecurityRuleId | target.resource.id |
| ConnectionSecurityRuleName | target.resource.name |
| CryptographicSetId | target.resource.id |
| CryptographicSetName | target.resource.name |
| DestAddress | target.ip |
| DestPort | target.port |
| DfsNamespace | target.resource.name |
| Direction | network.direction |
| Domain | principal.administrative_domain |
| Domain | target.administrative_domain |
| EventID | metadata.product_event_type |
| ExecutionProcessId | principal.process.pid |
| FilterId | target.resource.id |
| FilterKey | about.labels.value |
| FilterName | target.resource.name |
| FilterRTID | security_result.rule_id |
| FilterType | about.labels.value |
| GroupMembership | target.user.group_identifiers |
| GroupName | target.group.group_display_name |
| HandleId | additional.fields.value.string_value |
| HiveName | target.registry.registry_key |
| HostApplication | target.file.full_path |
| Hostname | intermediary.hostname |
| Hostname | principal.hostname |
| Hostname | target.hostname |
| ImagePath | target.process.file.full_path |
| IpAddress | principal.ip |
| IpAddress | target.ip |
| IpPort | principal.port |
| IpPort | target.port |
| KeyFilePath | target.file.full_path |
| KeyLength | extensions.auth.auth_details |
| KeyName | target.resource.name |
| KeyTypeContainer | target.resource.type |
| LayerId | about.labels.value |
| LayerKey | about.labels.value |
| LayerName | about.labels.value |
| LayerRTID | about.labels.value |
| LogonProcessName | target.process.file.full_path |
| LogonType | extensions.auth.auth_details |
| LogonType | extensions.auth.mechanism |
| MappedName | about.labels.value |
| MappingBy | about.labels.value |
| MemberName | target.user.user_display_name |
| MemberName | target.user.userid |
| MemberSid | target.user.windows_sid |
| Message | metadata.description |
| Namespace | target.file.full_path |
| NewProcessId | target.process.pid |
| NewProcessName | principal.process.file.full_path |
| NewProcessName | target.process.file.full_path |
| NewSecurityDescriptor | target.file.full_path |
| NewUacValue | target.resource.attribute.labels |
| NewValue | target.registry.registry_value_data |
| ObjectClass | target.resource.type |
| ObjectDN | target.group.group_display_name |
| ObjectGUID | target.group.product_object_id |
| ObjectGUID | target.resource.id |
| ObjectName | target.file.full_path |
| ObjectName | target.resource.name |
| ObjectServer | target.resource.name |
| ObjectType | target.resource_type |
| ObjectValueName | target.registry.registry_value_name |
| OldUacValue | principal.resource.attribute.labels |
| Operation | metadata.description |
| OperationType | metadata.description |
| OriginalSecurityDescriptor | src.file.full_path |
| ParentProcessName | principal.process.file.full_path |
| Payload | target.process.file.full_path |
| PrivilegeList | security_result.about.resource.name |
| ProcessId | principal.process.pid |
| ProcessId | target.process.pid |
| ProcessName | principal.process.file.full_path |
| ProcessName | target.process.file.full_path |
| ProfileChanged | target.group.group_display_name |
| Properties | target.resource.id |
| Protocol | network.ip_protocol |
| ProviderDetails | target.file.full_path |
| ProviderDetails | target.resource.name |
| ProviderGuid | metadata.product_log_id |
| ProviderKey | about.labels.value |
| ProviderName | about.labels.value |
| RelativeTargetName | target.file.full_path |
| RemoteMachineID | target.hostname |
| RuleAttr | security_result.summary |
| RuleId | security_result.rule_id |
| RuleId | target.resource.id |
| RuleName | security_result.rule_name |
| RuleName | target.resource.name |
| SChannelName | extensions.auth.auth_details |
| SChannelType | additional.fields.value.string_value |
| ScriptName | target.file.full_path |
| SecurityID | principal.user.windows_sid |
| SecurityPackageName | target.file.full_path |
| ServiceFileName | target.process.file.full_path |
| ServiceName | about.labels.value |
| ServiceName | target.process.command_line |
| ServiceSid | target.group.windows_sid |
| ServiceType | target.application |
| SettingType | target.resource.name |
| Severity | security_result.severity |
| ShareLocalPath | target.file.full_path |
| ShareName | target.file.full_path |
| ShareName | target.resource.name |
| SourceAddress | principal.ip |
| SourceHandleId | about.labels.key |
| SourceName | principal.application |
| SourceName | target.application |
| SourcePort | principal.port |
| SourceProcessId | src.process.pid |
| Status | metadata.description |
| SubjectDomainName | principal.administrative_domain |
| SubjectLogonId | about.labels.value |
| SubjectUserName | principal.user.userid |
| SubjectUserSid | principal.user.windows_sid |
| SubscriptionManagerAddress | target.url |
| TargetDomainName | target.administrative_domain |
| TargetHandleId | about.labels.key |
| TargetProcessId | target.process.pid |
| TargetSid | target.group.windows_sid |
| TargetSid | target.resource.id |
| TargetSid | target.user.windows_sid |
| TargetUserName | target.resource.name |
| TargetUserName | target.user.group_identifiers |
| TargetUserName | target.user.userid |
| TargetUserSid | target.user.windows_sid |
| TaskName | principal.process.file.full_path |
| TaskName | target.resource.name |
| ThreadID | principal.process.pid |
| TicketEncryptionType | about.resource.name |
| TicketOptions | about.labels.value |
| UserID | principal.user.userid |
| UserID | principal.user.windows_sid |
| UserName | principal.user.userid |
| UserName | target.user.userid |
| UserSid | principal.user.windows_sid |
| Weight | about.labels.value |
| Workstation | principal.hostname |
| WorkstationName | principal.hostname |
| WorkstationName | target.hostname |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| 16 | USER_RESOURCE_UPDATE_CONTENT |
| 104 | USER_RESOURCE_ACCESS |
| 517 | GENERIC_EVENT,USER_RESOURCE_UPDATE_CONTENT |
| 529 | USER_LOGIN |
| 600 | GENERIC_EVENT |
| 601 | GENERIC_EVENT,SERVICE_UNSPECIFIED |
| 800 | GENERIC_EVENT |
| 1100 | SERVICE_STOP |
| 1102 | GENERIC_EVENT,SERVICE_STOP |
| 4103 | SERVICE_START |
| 4104 | SERVICE_START |
| 4622 | FILE_UNCATEGORIZED |
| 4624 | USER_LOGIN |
| 4625 | USER_LOGIN |
| 4627 | GROUP_UNCATEGORIZED |
| 4634 | USER_LOGOUT |
| 4648 | USER_LOGIN |
| 4656 | USER_RESOURCE_ACCESS |
| 4657 | REGISTRY_MODIFICATION |
| 4658 | USER_RESOURCE_ACCESS |
| 4660 | USER_RESOURCE_DELETION |
| 4661 | USER_RESOURCE_ACCESS |
| 4662 | USER_RESOURCE_ACCESS |
| 4663 | FILE_OPEN,REGISTRY_UNCATEGORIZED,PROCESS_OPEN,USER_RESOURCE_ACCESS |
| 4670 | FILE_MODIFICATION,REGISTRY_MODIFICATION,USER_RESOURCE_UPDATE_PERMISSIONS |
| 4672 | USER_LOGIN |
| 4673 | GENERIC_EVENT |
| 4674 | GENERIC_EVENT |
| 4688 | PROCESS_LAUNCH |
| 4689 | PROCESS_TERMINATION |
| 4690 | PROCESS_UNCATEGORIZED |
| 4697 | GENERIC_EVENT,SERVICE_UNSPECIFIED |
| 4698 | SCHEDULED_TASK_CREATION |
| 4699 | SCHEDULED_TASK_DELETION |
| 4700 | SCHEDULED_TASK_ENABLE |
| 4701 | SCHEDULED_TASK_DISABLE |
| 4702 | SCHEDULED_TASK_MODIFICATION |
| 4715 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 4719 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 4720 | USER_CREATION |
| 4722 | USER_CHANGE_PERMISSIONS |
| 4723 | USER_CHANGE_PASSWORD |
| 4724 | USER_CHANGE_PASSWORD |
| 4725 | USER_CHANGE_PERMISSIONS |
| 4726 | USER_DELETION |
| 4728 | GROUP_MODIFICATION |
| 4729 | GROUP_MODIFICATION |
| 4732 | GROUP_MODIFICATION |
| 4733 | GROUP_MODIFICATION |
| 4734 | GROUP_DELETION |
| 4735 | GROUP_MODIFICATION |
| 4737 | GROUP_MODIFICATION |
| 4738 | USER_UNCATEGORIZED |
| 4740 | USER_UNCATEGORIZED |
| 4741 | USER_RESOURCE_CREATION |
| 4742 | USER_RESOURCE_UPDATE_CONTENT |
| 4750 | USER_RESOURCE_UPDATE_CONTENT |
| 4751 | USER_RESOURCE_UPDATE_CONTENT |
| 4752 | GROUP_MODIFICATION |
| 4755 | GROUP_MODIFICATION |
| 4756 | GROUP_MODIFICATION |
| 4757 | GROUP_MODIFICATION |
| 4765 | USER_RESOURCE_UPDATE_CONTENT |
| 4767 | USER_CHANGE_PERMISSIONS |
| 4768 | GENERIC_EVENT |
| 4769 | GENERIC_EVENT |
| 4770 | GENERIC_EVENT |
| 4771 | USER_LOGIN |
| 4772 | USER_LOGIN |
| 4774 | USER_UNCATEGORIZED |
| 4776 | USER_UNCATEGORIZED |
| 4777 | USER_UNCATEGORIZED |
| 4782 | FILE_READ |
| 4794 | USER_RESOURCE_UPDATE_CONTENT |
| 4798 | GROUP_UNCATEGORIZED |
| 4799 | GROUP_MODIFICATION |
| 4800 | USER_STATS |
| 4801 | USER_STATS |
| 4946 | SETTING_MODIFICATION |
| 4948 | SETTING_MODIFICATION |
| 4950 | SETTING_MODIFICATION |
| 4957 | SETTING_MODIFICATION |
| 4964 | GROUP_MODIFICATION |
| 4985 | GENERIC_EVENT |
| 5038 | FILE_UNCATEGORIZED |
| 5042 | SETTING_MODIFICATION |
| 5045 | SETTING_MODIFICATION |
| 5048 | SETTING_MODIFICATION |
| 5058 | FILE_UNCATEGORIZED,USER_RESOURCE_ACCESS |
| 5059 | FILE_UNCATEGORIZED,USER_RESOURCE_ACCESS |
| 5061 | FILE_UNCATEGORIZED,USER_RESOURCE_ACCESS |
| 5136 | GROUP_MODIFICATION,USER_RESOURCE_UPDATE_CONTENT |
| 5140 | USER_RESOURCE_ACCESS |
| 5145 | USER_RESOURCE_ACCESS |
| 5152 | NETWORK_UNCATEGORIZED |
| 5156 | NETWORK_UNCATEGORIZED |
| 5447 | SETTING_MODIFICATION |
| 5859 | SERVICE_START |
| 5861 | SERVICE_START |
| 6006 | SERVICE_STOP |
| 7022 | GENERIC_EVENT |
| 7023 | GENERIC_EVENT |
| 7024 | GENERIC_EVENT |
| 7026 | GENERIC_EVENT |
| 7031 | GENERIC_EVENT |
| 7032 | GENERIC_EVENT |
| 7034 | GENERIC_EVENT |
| 7045 | SERVICE_CREATION |
| 8004 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 18452 | USER_LOGIN,USER_UNCATEGORIZED |
| 18456 | STATUS_UPDATE,USER_LOGIN,USER_UNCATEGORIZED |
Log Sample¶
<14>1 2021-10-01T11:17:35.614261-04:00 host Microsoft-Windows-Security-Auditing 532 - [NXLOG@14506 Keywords="keywords" EventType="AUDIT_SUCCESS" EventID="5145" ProviderGuid="{providerguid}" Version="0" TaskValue="12811" OpcodeValue="0" RecordNumber="recordid" ExecutionThreadID="540" Channel="Security" Category="Detailed File Share" Opcode="Info" SubjectUserSid="sid" SubjectUserName="SYSTEM" SubjectDomainName="DOMAIN" SubjectLogonId="logonid" ObjectType="File" IpAddress="10.13.100.247" IpPort="62191" ShareName="\\\\*\\SYSVOL" ShareLocalPath="\\??\\C:\\Windows\\SYSVOL_DFSR\\sysvol" RelativeTargetName="ACME.local\\Policies\\{polid}\\Machine\\registry.pol" AccessMask="0x80" AccessList="%%4423 ····" AccessReason="%%4423:·%%1801·D:(A;;0x1200a9;;;WD) ····" EventReceivedTime="2021-10-01 11:17:36" SourceModuleName="MS_AD2" SourceModuleType="im_msvistalog"] A network share object was checked to see whether client can be granted desired access. · Subject: ·Security ID:··sid ·Account Name:··account ·Account Domain:··ACME ·Logon ID:··logonid Network Information:· ·Object Type:··File ·Source Address:··10.13.100.247 ·Source Port:··62191 · Share Information: ·Share Name:··\\*\SYSVOL ·Share Path:··\??\C:\Windows\SYSVOL_DFSR\sysvol ·Relative Target Name:·domain.local\Policies\{polid}\Machine\registry.pol Access Request Information: ·Access Mask:··0x80 ·Accesses:··ReadAttributes ···· Access Check Results: ·ReadAttributes:·Granted by·D:(A;;0x1200a9;;;WD) ····
Sample Parsing¶
metadata.product_log_id = "{providerguid}"
metadata.event_timestamp = "2021-10-01T15:17:35.614261Z"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Windows"
metadata.product_event_type = "5145"
metadata.description = "Detailed"
principal.hostname = "hostname"
principal.user.userid = "SYSTEM"
principal.user.windows_sid = "sid"
principal.platform = "WINDOWS"
principal.ip = "10.13.100.247"
principal.mac = "00:50:b6:e7:c5:b1"
principal.administrative_domain = "DOMAIN"
principal.asset.hostname = "hostname"
principal.asset.ip = "10.13.100.247"
principal.asset.mac = "00:50:b6:e7:c5:b1"
target.port = 62191
target.file.full_path = "domain.local\Policies\{polid}\Machine\registry.pol"
target.resource.type = "File"
target.resource.name = "\\*\SYSVOL"
observer.hostname = "hostname"
observer.application = "Microsoft-Windows-Security-Auditing"
security_result.summary = "A network share object was checked to see whether client can be granted desired access. "
extensions.auth.mechanism = "MECHANISM_UNSPECIFIED"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon