• Torne-se um profissional do portal
• Download
• Imprimir
• Meus downloads ()

• Suporte
• Documentação técnica
• Change Auditor for Logon Activity 7.2
• Change Auditor for Logon Activity 7.2 - Event Reference Guide

Change Auditor for Logon Activity 7.2 - Event Reference Guide

Navegação de conteúdo  

Introduction Change Auditor for Logon Activity Events

Active Directory Federation Services - Sign-in Authentication Activity Azure Active Directory Sign-Ins Azure Active Directory Sign-in Risk Event Domain Controller Authentication Logon Session

• Viewing Topics 5 - 8 of 8

×

Azure Active Directory Sign-Ins

Change Auditor audits activities in the Azure Active Directory that correspond to the events in the Sign-ins report in the Azure Active Directory portal.

Table 3. Azure Active Directory Sign-in events

Event	Description	Severity
Failed Azure Active Directory sign-in	Created when a user fails to sign-in to an application. The event details show the user whose attempt failed, their location, and the application they attempted to access.	Medium
Successful Azure Active Directory sign-in	Created when a user successfully signs-in to an application. The event details show the user whose attempt failed, their location, and the application they attempted to access.	Low
Azure Active Directory - sign-in event	Generic sign-in event with a dynamically constructed event description (What statement). The event is created when sign-in activity is detected that does not have a corresponding event defined in Change Auditor.	Low

Azure Active Directory Sign-in Risk Event

Change Auditor audits activities in the Azure Active Directory that correspond to the events in the Risky sign-ins report in the Azure Active Directory portal.

Table 4. Azure Active Directory Sign-in risk events

Event	Description	Severity
Active risk event detected	Created when a new risk event is detected with an active state.	High
Active risk event status changed to closed	Created when an active risk event is closed as a result of being marked as: • Resolved: The issue has been addressed and has been safely closed. • False positive: The issue has been incorrectly identified as a risk and has been safely closed. • Ignore: The issue has been removed from the active list. This event helps you to understand why a risk event has been manually closed.	Low
Closed risk event status changed to active	Created when a closed risk event is reactivated.	High
Closed risk event detected	Created when a new risk event is detected with a closed state. This can happen if the risk event has been marked as resolved, a false positive, set to ignore, closed (remediated), closed (login blocked), closed (automatic multi-factor authentication), or closed (multiple reasons) before it has been detected by Change Auditor for the first time.	Low

Domain Controller Authentication

NOTE: Domain Controller Authentication events are only available with the Change Auditor for Logon Activity User auditing module. They are not available with the Change Auditor for Logon Activity Workstation auditing module.

NOTE: The following Domain Controller Authentication events do not require Windows system provided auditing enabled and are recorded in Change Auditor even if they are not recorded in the Windows Event log: • User authenticated through Kerberos • User failed to authenticate through Kerberos

 

Table 5. Domain Controller Authentication events

Event	Description	Severity
Kerberos user ticket that exceeds the maximum ticket lifetime detected	A Kerberos user ticket can be used to verify your identity and gain access to specific resources or services in your domain. A golden ticket is a forged Kerberos ticket. An attack using a golden ticket is extremely dangerous due to the forged identity, elevated access it allows, and because it can be reused over its lifetime (10 years by default). This event is created when the Kerberos Ticket Lifetime value in agent configuration is exceeded indicating a possible golden ticket attack.	High
User authenticated through Kerberos	Created when a user successfully authenticated to a domain controller using Kerberos authentication. (Disabled by default)	Medium
User failed to authenticate through Kerberos	Created when a user failed to authenticate to a domain controller using Kerberos authentication.	Medium
User authenticated through NTLM	Created when a user successfully authenticated to a domain controller using NTLM authentication. (Disabled by default)	Low
User failed to authenticate through NTLM	Created when a user failed to authenticate to a domain controller using NTLM authentication.	Medium

Logon Session

NOTE: Logon Session events for servers are available with the Change Auditor for Logon Activity User auditing module. Logon Session events for workstations require the Change Auditor for Logon Activity Workstation auditing module and workstation agents to be deployed to the workstations to be monitored.

 

Table 6. Logon Session events

Event	Description	Severity
A user session took place	Created when a user session took place on a monitored computer.	Medium
A user session was ended by the screensaver turning on	Created when a user session is ended because the screensaver turned on.	Medium
A user session was ended by user locking the computer	Created when a user session is ended because the user locked up the computer.	Medium
A user session was ended by user logging off	Created when a user session is ended because the user logged off.	Medium
A user session was ended by user stopping a terminal services connection	Created when a user session is ended because the user stopped a terminal services connection.	Medium
A user session was ended due to computer shutdown	Created when a user session is ended because a user has shut down or restarted the computer.	Medium
A user session was ended due to user switch	Created when a user session is ended because a different user has logged on.	Medium
A user session was started	Created when a user session is started on a monitored computer.	Medium
A user session was started before the start of the user session monitoring service	Created when a new user session is started before the user session monitoring service is started.	Medium
A user session was started by user exiting screensaver mode	Created when a new user session is started because the user exited the screensaver mode.	Medium
A user session was started by user making a terminal services connection	Created when a new user session is started because a user logged in through a terminal services connection.	Medium
A user session was started by user unlocking the computer	Created when a new user session is started because the user unlocked the computer.	Medium
A user session was started due to user switch	Created when a new user session is started because a different user has logged on.	Medium
An incorrectly finished user session was found	Created when an incorrectly finished user session is found when the user session monitoring service is started.	Medium

•  Voltar
• Viewing Topics 5 - 8 of 8
• Avançar 

Procurar este documento Procurar todos os documentos para esta versão do produto Procurar todos os documentos para este produto Procurar todos os documentos

×

 Bem-vindo ao Suporte

Você pode encontrar ajuda de suporte on-line para *produto* da Quest em um local de suporte afiliado. Clique em Continue (Continuar) para ser direcionado ao conteúdo de suporte correto e à assistência a *produto*.

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center