endpoint-authentication
April 24, 2024
Description
Part of an identification process to an endpoint that is not the login.
Parameters
| Parameter | Value |
|---|---|
| Subject | endpoint |
| Activity | authentication |
| Activity Type | endpoint-authentication |
| Pretty Name | Endpoint Authentication |
Legacy Names
| Success | Fail |
|---|---|
| authentication-successful, kerberos-logon, nac-logon | authentication-failed, kerberos-logon, nac-failed-logon |
Fields
The possible fields for this activity type vary depending on whether the activity succeeded or failed.
endpoint-authentication:success
| Field | Core | Detection | Informational |
|---|---|---|---|
| tgs_service_name | ✓ | | |
| auth_type | ✓ | | |
| domain | ✓ | | |
| domain_user_name | | | |
| user | ✓ | ✓ | |
endpoint-authentication:fail
| Field | Core | Detection | Informational |
|---|---|---|---|
| auth_type | ✓ | | |
| failure_code | ✓ | | |
| domain | ✓ | | |
| domain_user_name | | | |
| failure_reason | ✓ | | |
| logon_type | ✓ | | |
| user | ✓ | ✓ | |