Chat now with support
Chat with Support

We are currently experiencing phone issues. We are working to get services restored.

Change Auditor for Logon Activity 7.2 - Event Reference Guide

Azure Active Directory Sign-Ins

Change Auditor audits activities in the Azure Active Directory that correspond to the events in the Sign-ins report in the Azure Active Directory portal.

Failed Azure Active Directory
sign-in 

Created when a user fails to sign-in to an application. The event details show the user whose attempt failed, their location, and the application they attempted to access.

Medium

Successful Azure Active Directory sign-in

Created when a user successfully signs-in to an application. The event details show the user whose attempt failed, their location, and the application they attempted to access.

Low

Azure Active Directory - sign-in event

 

Generic sign-in event with a dynamically constructed event description (What statement). The event is created when sign-in activity is detected that does not have a corresponding event defined in Change Auditor.

Low

Azure Active Directory Sign-in Risk Event

Change Auditor audits activities in the Azure Active Directory that correspond to the events in the Risky sign-ins report in the Azure Active Directory portal.

Active risk event detected

Created when a new risk event is detected with an active state.

High

Active risk event status changed to closed

Created when an active risk event is closed as a result of being marked as:

This event helps you to understand why a risk event has been manually closed.

Low

Closed risk event status changed to active

Created when a closed risk event is reactivated.

High

Closed risk event detected

 

Created when a new risk event is detected with a closed state. This can happen if the risk event has been marked as resolved, a false positive, set to ignore, closed (remediated), closed (login blocked), closed (automatic multi-factor authentication), or closed (multiple reasons) before it has been detected by Change Auditor for the first time.

Low

Domain Controller Authentication

Kerberos user ticket that exceeds the maximum ticket lifetime detected

A Kerberos user ticket can be used to verify your identity and gain access to specific resources or services in your domain. A golden ticket is a forged Kerberos ticket.

An attack using a golden ticket is extremely dangerous due to the forged identity, elevated access it allows, and because it can be reused over its lifetime (10 years by default).

This event is created when the Kerberos Ticket Lifetime value in agent configuration is exceeded indicating a possible golden ticket attack.

High

User authenticated through Kerberos

Created when a user successfully authenticated to a domain controller using Kerberos authentication. (Disabled by default)

Medium

User failed to authenticate through Kerberos

Created when a user failed to authenticate to a domain controller using Kerberos authentication.

Medium

User authenticated through NTLM

Created when a user successfully authenticated to a domain controller using NTLM authentication. (Disabled by default)

Low

User failed to authenticate through NTLM

Created when a user failed to authenticate to a domain controller using NTLM authentication.

Medium

Logon Session

A user session took place

Created when a user session took place on a monitored computer.

Medium

A user session was ended by the screensaver turning on

Created when a user session is ended because the screensaver turned on.

Medium

A user session was ended by user locking the computer

Created when a user session is ended because the user locked up the computer.

Medium

A user session was ended by user logging off

Created when a user session is ended because the user logged off.

Medium

A user session was ended by user stopping a terminal services connection

Created when a user session is ended because the user stopped a terminal services connection.

Medium

A user session was ended due to computer shutdown

Created when a user session is ended because a user has shut down or restarted the computer.

Medium

A user session was ended due to user switch

Created when a user session is ended because a different user has logged on.

Medium

A user session was started

Created when a user session is started on a monitored computer.

Medium

A user session was started before the start of the user session monitoring service

Created when a new user session is started before the user session monitoring service is started.

Medium

A user session was started by user exiting screensaver mode

Created when a new user session is started because the user exited the screensaver mode.

Medium

A user session was started by user making a terminal services connection

Created when a new user session is started because a user logged in through a terminal services connection.

Medium

A user session was started by user unlocking the computer

Created when a new user session is started because the user unlocked the computer.

Medium

A user session was started due to user switch

Created when a new user session is started because a different user has logged on.

Medium

An incorrectly finished user session was found

Created when an incorrectly finished user session is found when the user session monitoring service is started.

Medium

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating