Authentication (3002)

Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise.

Category: Identity & Access Management
Extends: iam
UID: 3002

Attributes

Classification

activity_id

Type: integer_t
Requirement: required
Values:
- 0 - Unknown: The event activity is unknown.
- 1 - Logon: A new logon session was requested.
- 2 - Logoff: A logon session was terminated and no longer exists.
- 3 - Authentication Ticket: A Kerberos authentication ticket (TGT) was requested.
- 4 - Service Ticket Request: A Kerberos service ticket was requested.
- 5 - Service Ticket Renew: A Kerberos service ticket was renewed.
- 6 - Preauth: A preauthentication stage was engaged.
- 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

The normalized identifier of the activity that triggered the event.

category_uid

Type: integer_t
Requirement: required
Values:
- 3 - Identity & Access Management: Identity & Access Management (IAM) events relate to the supervision of the system’s authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.

The category unique identifier of the event.

class_uid

Type: integer_t
Requirement: required
Values:
- 3002 - Authentication: Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise.

The unique identifier of a class. A class describes the attributes available in an event.

severity_id

Type: integer_t
Requirement: required
Values:
- 0 - Unknown: The event/finding severity is unknown.
- 1 - Informational: Informational message. No action required.
- 2 - Low: The user decides if action is needed.
- 3 - Medium: Action is required but the situation is not serious at this time.
- 4 - High: Action is required immediately.
- 5 - Critical: Action is required immediately and the scope is broad.
- 6 - Fatal: An error occurred but it is too late to take remedial action.
- 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

The normalized identifier of the event/finding severity.The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.

type_uid

Type: long_t
Requirement: required
Values:
- 300200 - Authentication: Unknown
- 300201 - Authentication: Logon: A new logon session was requested.
- 300202 - Authentication: Logoff: A logon session was terminated and no longer exists.
- 300203 - Authentication: Authentication Ticket: A Kerberos authentication ticket (TGT) was requested.
- 300204 - Authentication: Service Ticket Request: A Kerberos service ticket was requested.
- 300205 - Authentication: Service Ticket Renew: A Kerberos service ticket was renewed.
- 300206 - Authentication: Preauth: A preauthentication stage was engaged.
- 300299 - Authentication: Other

The event/finding type ID. It identifies the event’s semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.

activity_name

Type: string_t
Requirement: optional

The event activity name, as defined by the activity_id.

category_name

Type: string_t
Requirement: optional

The event category name, as defined by category_uid value: Identity & Access Management.

class_name

Type: string_t
Requirement: optional

The event class name, as defined by class_uid value: Authentication.

severity

Type: string_t
Requirement: optional

The event/finding severity, normalized to the caption of the severity_id value. In the case of ‘Other’, it is defined by the source.

type_name

Type: string_t
Requirement: optional

The event/finding type name, as defined by the type_uid.

Context

metadata

Type: metadata
Requirement: required

The metadata associated with the event or a finding.

actor

Type: actor
Requirement: optional

The actor that requested the authentication.

api cloud

Type: api
Requirement: optional

Describes details about a typical API (Application Programming Interface) call.

auth_factors

Type: auth_factor
Requirement: optional

Describes a category of methods used for identity verification in an authentication attempt.

enrichments

Type: enrichment
Requirement: optional

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

http_request

Type: http_request
Requirement: optional

Details about the underlying HTTP request.

is_cleartext

Type: boolean_t
Requirement: optional

Indicates whether the credentials were passed in clear text.

Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user’s logon password was passed to the authentication package in clear text.

is_new_logon

Type: boolean_t
Requirement: optional

Indicates logon is from a device not seen before or a first time account logon.

logon_process

Type: process
Requirement: optional

The trusted process that validated the authentication credentials.

raw_data

Type: string_t
Requirement: optional

The raw event/finding data as received from the source.

unmapped

Type: object
Requirement: optional

The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

Occurrence

time

Type: timestamp_t
Requirement: required

The normalized event occurrence time or the finding creation time.

timezone_offset

Type: integer_t
Requirement: recommended

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

count

Type: integer_t
Requirement: optional

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

duration

Type: integer_t
Requirement: optional

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

end_time

Type: timestamp_t
Requirement: optional

The end time of a time period, or the time of the most recent event included in the aggregate event.

end_time_dt datetime

Type: datetime_t
Requirement: optional

The end time of a time period, or the time of the most recent event included in the aggregate event.

start_time

Type: timestamp_t
Requirement: optional

The start time of a time period, or the time of the least recent event included in the aggregate event.

start_time_dt datetime

Type: datetime_t
Requirement: optional

The start time of a time period, or the time of the least recent event included in the aggregate event.

time_dt datetime

Type: datetime_t
Requirement: optional

The normalized event occurrence time or the finding creation time.

Primary

cloud cloud

Type: cloud
Requirement: required

Describes details about the Cloud environment where the event was originally created or logged.

user

Type: user
Requirement: required

The subject (user/role or account) to authenticate.

auth_protocol

Type: string_t
Requirement: recommended

The authentication protocol as defined by the caption of ‘auth_protocol_id’. In the case of ‘Other’, it is defined by the event source.

auth_protocol_id

Type: integer_t
Requirement: recommended
Values:
- 0 - Unknown: The authentication protocol is unknown.
- 1 - NTLM
- 2 - Kerberos
- 3 - Digest
- 4 - OpenID
- 5 - SAML
- 6 - OAUTH 2.0
- 7 - PAP
- 8 - CHAP
- 9 - EAP
- 10 - RADIUS
- 99 - Other: The authentication protocol is not mapped. See the auth_protocol attribute, which contains a data source specific value.

The normalized identifier of the authentication protocol used to create the user session.

certificate

Type: certificate
Requirement: recommended

The certificate associated with the authentication or pre-authentication (Kerberos).

device host

Type: device
Requirement: recommended

An addressable device, computer system or host.

dst_endpoint

Type: network_endpoint
Requirement: recommended

The endpoint to which the authentication was targeted.

is_mfa

Type: boolean_t
Requirement: recommended

Indicates whether Multi Factor Authentication was used during authentication.

is_remote

Type: boolean_t
Requirement: recommended

The attempted authentication is over a remote connection.

logon_type

Type: string_t
Requirement: recommended

The logon type, normalized to the caption of the logon_type_id value. In the case of ‘Other’, it is defined by the event source.

logon_type_id

Type: integer_t
Requirement: recommended
Values:
- 0 - Unknown: The logon type is unknown.
- 1 - System: Used only by the System account, for example at system startup.
- 2 - Interactive: A local logon to device console.
- 3 - Network: A user or device logged onto this device from the network.
- 4 - Batch: A batch server logon, where processes may be executing on behalf of a user without their direct intervention.
- 5 - OS Service: A logon by a service or daemon that was started by the OS.
- 7 - Unlock: A user unlocked the device.
- 8 - Network Cleartext: A user logged on to this device from the network. The user’s password in the authentication package was not hashed.
- 9 - New Credentials: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
- 10 - Remote Interactive: A remote logon using Terminal Services or remote desktop application.
- 11 - Cached Interactive: A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials.
- 12 - Cached Remote Interactive: Same as Remote Interactive. This is used for internal auditing.
- 13 - Cached Unlock: Workstation logon.
- 99 - Other: The logon type is not mapped. See the logon_type attribute, which contains a data source specific value.

The normalized logon type identifier.

message

Type: string_t
Requirement: recommended

The description of the event/finding, as defined by the source.

observables

Type: observable
Requirement: recommended

The observables associated with the event or a finding.

service

Type: service
Requirement: recommended

The service or gateway to which the user or process is being authenticated

session

Type: session
Requirement: recommended

The authenticated user or service session.

src_endpoint

Type: network_endpoint
Requirement: recommended

Details about the source of the IAM activity.

status

Type: string_t
Requirement: recommended

The event status, normalized to the caption of the status_id value. In the case of ‘Other’, it is defined by the event source.

status_code

Type: string_t
Requirement: recommended

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of ‘Failure Code’, e.g. 0x18.

status_detail

Type: string_t
Requirement: recommended

The details about the authentication request. For example, possible details for Windows logon or logoff events are:

Success
LOGOFF_USER_INITIATED
LOGOFF_OTHER
Failure
USER_DOES_NOT_EXIST
INVALID_CREDENTIALS
ACCOUNT_DISABLED
ACCOUNT_LOCKED_OUT
PASSWORD_EXPIRED

status_id

Type: integer_t
Requirement: recommended
Values:
- 0 - Unknown: The status is unknown.
- 1 - Success
- 2 - Failure
- 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

The normalized identifier of the event status.