
IT Security Search 11.3 - User Guide

Event Field Reference

The following topics provide details about fields that you can use in search queries, organized by data-providing system:

Enterprise Reporter Event Fields

The following are lists of fields that occur in Enterprise Reporter events, organized by type of returned object. You can use these fields in your search queries.

NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can use any of these fields in your search queries.

Computers

Field Name

In UI

Example Value

Details

AccountFullName

No

MAIN\HOUDEVW04$

SAMAccountDomain\SAMAccountName of the relevant computer account

AccountSid

No

S-1-5-21-636461855-
2365528612-2953867313-5163

Security identifier (SID) of the computer account

ComputerName

Yes

achtung.main.mycompany.corp

Fully qualified DNS name of the computer (the short name is in NetBiosName)

Description

Yes

Serial , AOPEN_, AWRDACPI, 1002MHz, 1002MHz, 3072MB RAM

Description for the computer

DistinguishedName

No

CN=HOUITW09,
OU=Houston,
OU=AMER,
OU=Production Computers,
DC=main,
DC=mycompany,
DC=corp

Distinguished name for domain computer

Domain

Yes

 

Same as DomainName

DomainName

No

main.mycompany.corp

Fully qualified domain name

Groups

No

Pre-Windows 2000 Compatible Access;Cert Publishers

List of groups (in common name format) where the computer account is a member explicitly

HasGroups

No

True

True if this computer account is a member of any group

IsHidden

No

False

True if the server is hidden from (not advertised to) other computers on the same network; otherwise, False

Location

Yes

US/Houston

Location of domain computer

ManagedByDisplayName

No

Patricia Lum

The display name of account by which the domain computer is managed

ManagedByType

No

Users

Type of account by which the domain computer is managed; Users or Groups

Name

Yes

achtung

NetBIOS name of the computer

NetBiosName

No

IRVWEBW05

NetBIOS name for domain computer

NumLogons

No

291

Number of times the domain computer was logged into

OSName

No

Windows Server 2003

Full name of the computer's operating system

OSServicePack

No

Service Pack 1

Service pack name for the computer's operating system

OSVersion

No

5.2 (3790)

Operating system version number for the computer

OU_CanonicalName

No

main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers

Canonical name for organizational unit

OU_DistinguishedName

No

OU=Cary,
OU=AMER,
OU=Production Computers,
DC=main,
DC=mycompany,
DC=corp

Distinguished name for organizational unit

RelatedOU

No

 

Same as OU_CanonicalName

Scope

Yes

Active Directory

Active Directory or Workgroup

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

State

Yes

Current

Current or Deleted

Where

No

 

Same as ComputerName, NetBiosName

Who

No

 

Same as ManagedByFullName, ManagedByDisplayName

Files

Field Name

In UI

Example Value

Details

Computer

Yes

 

Same as ComputerName

ComputerName

No

WST9240.main.mycompany.corp

Fully qualified DNS name of the computer that holds the file or folder

DomainName

Yes

MAIN

NetBIOS name for domain

Extension

Yes

.exe

Extension of the file

File

Yes

TestConsol.exe

File or folder name

FullAccountName

Yes

WST9240\Administrators

SAMAccountDomain\SAMAccountName of owner account

OU_CanonicalName

Yes

main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers

Canonical name for organizational unit (for domain users only)

Owner

Yes

 

Same as FullAccountName, OwnerSid

Owner Domain

No

 

Same as SAMOwnerDomain

OwnerSid

No

S-1-5-32-544

Security identifier (SID) of the owner account

OwnerType

No

Groups

Owner account type: Users or Groups

Path

Yes

D:\Images\59491\

Full path of the folder or file; based on the collection options, the value could be in the format c:\folder or \\computer\shared\Folder

Permission

No

 

Same as PermissionsText

PermissionsText

No

WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/execute file, Read attributes, Write attributes, Read permissions Inherite

Semicolon-delimited list of permission entries, each in the form Account: access type [Allow|Deny] rights, inheritance [Inherited|Explicit]

RelatedOU

No

 

Same as OU_CanonicalName

SAMOwnerDomain

No

WST9240

SAM account name of owner account's domain

SAMOwnerName

No

Administrators

SAM account name of owner account

Size

Yes

31335914

Size in bytes of the NTFS object

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

Type

Yes

File

File or Folder; Folder if the NTFS object is a folder; otherwise, File

What

No

 

Same as PermissionsText

Where

No

 

Same as ComputerName

Who

No

 

Same as PermissionsText

Groups

Field Name

In UI

Example Value

Details

AccountSid

No

S-1-5-21-636461855-
2365528612-
2953867313-107634

Security identifier (SID) of the account

AdminDisplayName

No

Administrator

Admin display name for the domain group; name is displayed on admin screens

CanonicalName

No

main.mycompany.corp/Groups/
RD/MCDL.RD.CRDHub.APAC.AU

The name of the domain group in canonical format

CommonName

No

Development Users

Common name for domain group

Description

Yes

Owner: CLIVE_HERRY

Description of the group

DisplayName

No

AA_Accounting

Display or common name for the group

DistinguishedName

No

CN=MCDL.RD.CRDHub.APAC.AU,OU=RD,
OU=Groups,DC=main,DC=mycompany,DC=corp

Distinguished name for a domain group, or computer\groupname for a local group

Domain

Yes

 

Same as DomainName

DomainName

Yes

main.mycompany.corp

Fully qualified domain name for domain groups, or the computer's NetBIOS name for local groups

E-mail

Yes

 

Same as EmailAddress

EmailAddress

No

BC5796F842DD49CD8F4@
sales.mycompany.com

Email address for the group

Friendly Name

Yes

 

Same as FriendlyName

FriendlyName

No

AA_Accounting (MAIN\FB430EAC2D2E4)

Friendly name for the group

FullAccountName

No

MAIN\Office.AMER.US.Boston

domain\group; group is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer

FullName

No

Development Users

Full name for domain group

Groups

No

MCDL.PreSales.NAC.DatabasePerf;
MCDL.Sales.DBPerformance.SR.NA

Common or SAM account names of groups (semicolon-separated) that are direct (explicit) members of this group

HasGroups

No

False

True if this group has members of type "group"

HasUsers

No

True

True if this group has members of type "user"

HomePage

No

http://homepage

Primary home page for domain group

Info

No

Created as part of the ChangeBase Mail migration by Charles Arrot

Informational notes on the domain group

IsSecurityEnabled

No

Security

Security or Distribution

Managed By

No

 

Same as ManagedByDisplayName, ManagedByFullName

ManagedByDisplayName

No

Owen Range

Display name or Common name of account by which the domain group is managed

ManagedByFullName

No

CN=Sarah Quash,OU=Employees,
DC=main,DC=mycompany,DC=corp

Account (distinguished name) by which the domain group is managed

ManagedByType

No

Users

Type of account by which the domain group is managed; Users or Groups

Name

Yes

 

Same as DisplayName

Nested Groups

No

 

Same as Groups

Organizational Unit

Yes

 

Same as OU_CanonicalName

OU_CanonicalName

No

main.mycompany.corp/Groups/Sales

Canonical name for organizational unit

OU_DistinguishedName

No

OU=Sales,OU=Groups,DC=main,
DC=mycompany,DC=corp

Distinguished name for organizational unit

RelatedOU

No

 

Same as OU_CanonicalName

SAMAccountDomain

No

MAIN

SAM account name of the account's domain for domain groups, or NetBIOS name of the computer for local groups

SAMAccountName

No

MCDL.RD.CRDHub.APAC.AU

SAM account name for the account

Scope

Yes

Universal

One of the following:

  • Builtin local
  • Global
  • Domain local
  • Local
  • Universal
  • SQL Login
  • Well Known
  • Unknown

SIDHistory

No

S-1-5-21-329068152-
688789844-
839522115-10863

List of previous security identifiers (sIDHistory) retained when the domain group was migrated from another domain; a non-empty value is worth reviewing, since each old SID still grants access wherever it appears in an ACL

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

State

Yes

Current

Current or Deleted

Type

Yes

 

Same as IsSecurityEnabled

Url

No

http://group

URL addresses of websites for the domain group

Users

No

Zoe Ucchini;Peter Omelo

Common or SAM account names of users (semicolon-separated) that are explicitly members

Where

No

 

Same as DomainName

Who

No

 

Same as Users, UsersAccounts, ManagedByFullName, ManagedByDisplayName

OUs

Field Name

In UI

Example Value

Details

AppliesTo

No

 

Same as PermissionsText

CanonicalName

Yes

main.mycompany.corp/Builtin

Canonical name for organizational unit

ContainerType

No

Container

Type of container: Container or Organizational Unit

Description

Yes

Default container for upgraded computer accounts

Description for organizational unit

DistinguishedName

No

 

Distinguished name for organizational unit

Domain

Yes

 

Same as DomainName

DomainName

No

main.mycompany.corp

Fully qualified domain name

HasPermissions

No

True

True or False; True if PermissionsText is not empty

Managed By

Yes

 

Same as ManagedByFullName,ManagedByDisplayName

ManagedByDisplayName

No

MCDL.RD.ITSearch

Display or common name of management account

ManagedByFullName

No

CN=MCDL.RD.ITSearch,OU=RD,OU=Groups,
DC=main,DC=mycompany,DC=corp

The account (distinguished name) by which the organizational unit is managed

ManagedByType

No

Groups

Management account type; Users or Groups

Name

Yes

Computers

Common short name for organizational unit

NumberOfComputers

No

4

Number of domain computers in organizational unit

NumberOfContacts

No

5

Number of contacts in organizational unit

NumberOfGroups

No

3

Number of domain groups in organizational unit

NumberOfOtherObjects

No

6

Number of other domain objects in organizational unit

NumberOfUsers

No

2

Number of domain users in organizational unit

Permission

No

 

Same as PermissionsText

PermissionsText

No

NT AUTHORITY\SELF: Allow Read Property, Write Property for location [Descendant computer objects] Inherited;NT AUTHORITY\SELF: Allow Read Property, Write Property for defender-tokenData [Descendant defender-tokenLicenseClass objects] Inherited

Semicolon-separated list of permission entries, each in the form Account: access type [Allow|Deny] rights [for attribute] [applies to], inheritance [Inherited|Explicit]

RelatedOU

No

 

Same as CanonicalName

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

State

Yes

Current

Current or Deleted

What

No

 

Same as PermissionsText

Where

No

 

Same as DomainName

Who

No

 

Same as ManagedByFullName,PermissionsText

Shares

Field Name

In UI

Example Value

Details

Comment

Yes

Docs share

Comment for the share

Computer

Yes

 

Same as ComputerName

ComputerName

No

WST9240.main.mycompany.corp

Fully qualified DNS name of the computer that hosts the share

FullOwnerName

No

WST9240\Administrators

SAMAccountDomain\SAMAccountName of owner account

Local Path

Yes

 

Same as SharePath

Name

Yes

 

Same as ShareName

Owner

Yes

 

Same as FullOwnerName

OwnerDomain

No

WST9240

SAM account name of owner account's domain

OwnerName

No

Administrators

SAM account name of owner account

OwnerType

No

Groups

Owner account type; Users or Groups

PermissionsText

No

WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/execute file, Read attributes, Write attributes, Read permissions Inherite

Semicolon-delimited list of permission entries, each in the form Account: access type [Allow|Deny] rights, inheritance [Inherited|Explicit]

RelatedOU

No

main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers

Canonical name of the organizational unit that contains the hosting computer's account (domain-joined computers only)

ShareName

No

C$

Name of the share

SharePath

No

D:\Custom Utilites

Local path of share

ShareType

No

Administrative Shared Folder

Type of resource being shared

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

What

No

 

Same as PermissionsText

Where

No

 

Same as ComputerName

Who

No

 

Same as PermissionsText
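The PermissionsText field of the Files, OUs and Shares tables above packs an entire ACL into one semicolon-delimited string, so a search can match on it but cannot reason about it. The Python below is an added example, not code from IT Security Search or Enterprise Reporter: it splits the string into one record per access-control entry and then flags Allow entries that give a broad principal (Everyone, Authenticated Users, Users, Domain Users: a list chosen for this example, not one the product defines) a write-class right, dropping any right the same account is also denied. The entry grammar is inferred from the two example values on this page, and the two sample ACLs are constructed for the example.

```python
import re

# Entry grammar inferred from the example values on this page (assumption):
#   <account>: <Allow|Deny> <right>[, <right>...][ for <attribute>][ [<applies to>]] <Inherited|Explicit>
ACE_RE = re.compile(
    r"^(?P<account>[^:]+?):\s+"
    r"(?P<access>Allow|Deny)\s+"
    r"(?P<rights>.+?)"
    r"(?:\s+for\s+(?P<attribute>\S+))?"
    r"(?:\s+\[(?P<applies_to>[^\]]+)\])?"
    r"\s+(?P<inheritance>Inherited|Explicit)$"
)

# Constructed sample ACLs (not collected data), shaped like the page's examples.
SAMPLE_FILE_ACL = (
    "WST9240\\Remote Desktop Users: Allow List folder/read data, Read attributes, "
    "Read permissions Inherited;"
    "Everyone: Allow Create files/Write data, Create folders/append data, "
    "Write attributes Explicit;"
    "Everyone: Deny Write attributes Explicit;"
    "WST9240\\Administrators: Allow List folder/read data, Create files/Write data, "
    "Write extended attributes, Traverse folder/execute file Inherited"
)
SAMPLE_OU_ACL = (
    "NT AUTHORITY\\SELF: Allow Read Property, Write Property for location "
    "[Descendant computer objects] Inherited;"
    "NT AUTHORITY\\SELF: Allow Read Property, Write Property for defender-tokenData "
    "[Descendant defender-tokenLicenseClass objects] Inherited"
)

# Principals that effectively mean "anyone"; chosen for this example, not defined by the product.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users"}
# Substrings that mark a right as write-class (NTFS and AD right names as they appear on this page).
WRITE_MARKERS = ("write", "append", "create", "delete", "change permissions", "take ownership")


def parse_permissions_text(text: str) -> list[dict]:
    """Split a PermissionsText value into one dict per access-control entry."""
    entries = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = ACE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised permission entry: {raw!r}")
        entries.append({
            "account": m["account"].strip(),
            "access": m["access"],
            "rights": [r.strip() for r in m["rights"].split(",")],
            "attribute": m["attribute"],      # AD property the entry is scoped to, if any
            "applies_to": m["applies_to"],    # AD inheritance scope, if any
            "inheritance": m["inheritance"],
        })
    return entries


def _is_broad(account: str) -> bool:
    name = account.lower()
    return name in BROAD_PRINCIPALS or name.rsplit("\\", 1)[-1] in BROAD_PRINCIPALS


def broad_write_grants(entries: list[dict]) -> list[tuple[str, list[str], str]]:
    """Allow entries that hand a write-class right to a broad principal.

    A Deny entry for the same account and right takes precedence (as in NTFS
    evaluation), so such rights are left out of the finding.
    """
    denied = {
        (e["account"].lower(), r.lower())
        for e in entries if e["access"] == "Deny" for r in e["rights"]
    }
    findings = []
    for e in entries:
        if e["access"] != "Allow" or not _is_broad(e["account"]):
            continue
        writes = [
            r for r in e["rights"]
            if any(w in r.lower() for w in WRITE_MARKERS)
            and (e["account"].lower(), r.lower()) not in denied
        ]
        if writes:
            findings.append((e["account"], writes, e["inheritance"]))
    return findings


if __name__ == "__main__":
    for account, rights, inheritance in broad_write_grants(parse_permissions_text(SAMPLE_FILE_ACL)):
        print(f"{account} ({inheritance}): {', '.join(rights)}")
    for e in parse_permissions_text(SAMPLE_OU_ACL):
        print(e["account"], e["access"], e["rights"], e["attribute"], e["applies_to"])
```

The Deny subtraction is per account only: a Deny on a group the principal belongs to is not netted out, because group membership is not in the string. Also note that the page's own Files example value is truncated ("Inherite"), so a parser run over exported data should treat a trailing entry that fails to match as truncated rather than as a new format.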

Users

Field Name

In UI

Example Value

Details

Account SID

Yes

 

Same as AccountSid

AccountIsDisabled

No

True

True if the domain or local user account is disabled; otherwise, False

AccountIsLocked

No

False

True if the domain or local user account is locked out; otherwise, False

AccountSid

No

S-1-5-21-636461855-
2365528612-
2953867313-71684

Security identifier (SID) of the account

Assistant

No

CN=Pamela Ear,
OU=Employees,
DC=main,
DC=mycompany,
DC=corp

The distinguished name of the domain user's administrative assistant

CannotChangePassword

Yes

False

True if the local user cannot change the password; otherwise, False

City

No

Shanghai

City of domain user account

Company

Yes

My Company Inc.

Company of the user account

Country

Yes

Canada

Country or region of the user account

Department

Yes

R&D - Development

Name of the user's department

Description

No

Build account for Archive Manager Offline Client

Description of the user

DirectReports

No

CN=Philip Arsley,
OU=Employees,
DC=main,
DC=mycompany,
DC=corp;
CN=Gwen Arlic,
OU=Employees,
DC=main,
DC=mycompany,
DC=corp;
CN=Greg Inger,
OU=Employees,
DC=main,
DC=mycompany,
DC=corp

List of domain users that directly report to the domain user

DisplayName

No

Caroline Abbage

Display name or SAM account name for the user

DistinguishedName

No

CN=Caroline Abbage,
OU=Employees,
DC=main,
DC=mycompany,
DC=corp

Distinguished name for domain user or computer\user for local users

Division

No

Reporting division

Division for domain user

Domain

Yes

main.mycompany.corp

Fully qualified domain name for domain's users or NetBIOS name of the computer for computer's users

E-mail

Yes

 

Same as EmailAddress

EmailAddress

No

Patricia.Lum@support.mycompany.com

Email address for the user

EmployeeID

No

69267

Employee ID for domain user

FaxNumber

No

0123456789

Facsimile number for domain user

FirstName

No

Paul

Given name (first name) of domain user

FullAccountName

No

MAIN\jcdenton

domain\user; user is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer

Groups

No

WST8766VM1\Administrators;
Office.US.Houston

List of groups the user is a direct (explicit) member of: CommonName for domain groups, Computer\groupName for local groups

HasDirectReports

No

True

True or False; True if DirectReports is not empty

HasGroups

No

True

True if this user is member of any group

HasPhoto

No

True

True if this user has a photo

HomeDirSize

No

0

Size of the home directory for the domain user

HomePhoneNumber

No

+7-123-4567890

Phone number for the domain user

HomePostalAddress

No

Main street

Mailing address for the domain user

Info

No

Account used for Patchlink & Symantec scanning of domain systems

Informational notes on the domain user

Initials

No

M

Initials for the domain user

IpPhone

No

+44 1234 567890 x12345

IP telephone number or address for the domain user

LastName

No

Epper

Last name of domain user

LogonHours

No

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Hex-encoded 21-byte bitmask (one bit per hour of the week, 168 bits, in UTC) of the hours during which the domain/local user is allowed to log on; all bits set, as in the example, means no restriction

LogonName

No

SVC-Scanner@main.mycompany.corp

Logon name for the domain user

ManagedBy

No

CN=Christina Hilli,
OU=Employees,
DC=main,
DC=mycompany,
DC=corp

The account (distinguished name) by which the domain user is managed

Manager

Yes

 

Same as ManagedBy,ManagedByDisplayName

MiddleName

No

N

Middle name for the domain user

Mobile

Yes

+7-123-4567890

Mobile number for the user

Name

Yes

 

Same as DisplayName

NumLogons

No

3910

Number of times the domain/local user has successfully logged on

Office

Yes

Castlegar

Office location for the user

Organizational Unit

Yes

 

Same as OU_CanonicalName

OtherIpPhone

No

Conference 84030

List of alternate TCP/IP addresses for the phone for the domain user (Telephony)

OtherMailbox

No

other_mailbox@hotmail.com

Additional email addresses for the domain user

OtherMobile

No

+55 11 12345 6789

List of alternate mobile phone numbers for the domain user

OtherTelephone

No

+1 123 456 7890

List of alternate telephone numbers for the domain user

OU_CanonicalName

No

main.mycompany.corp/IS/SVC-Accounts/MailboxEnabled

Canonical name for organizational unit (for domain users only)

OU_DistinguishedName

No

OU=Enabled SVC-Accounts,
OU=SVC-Accounts,
OU=IS,
DC=main,
DC=mycompany,
DC=corp

Distinguished name for organizational unit (for domain users only)

PasswordIsexpired

No

True

True if the domain user's password is expired; otherwise, False

PasswordNeverExpires

No

True

True if the domain/local user's password never expires; otherwise, False

PersonalTitle

No

Mr.

Personal title for the domain user

PostalCode

No

411016

Postal or zip code for the domain user

RelatedOU

No

 

Same as OU_CanonicalName

SAM Account Domain

Yes

 

Same as SAMAccountDomain

SAM Account Name

Yes

 

Same as SAMAccountName

SAMAccountDomain

No

MAIN

SAM account name of the account's domain for domain users, or NetBIOS name of the computer for local users

SAMAccountName

No

jcdenton

SAM account name for the account

Scope

Yes

Active Directory

Active Directory or Computer

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

State

Yes

Current

Current or Deleted

StateOrProvince

No

AZ

State or province for the domain user

StreetAddress

No

1042 Bluesky Blvd., Bldg. 1 Flagstaff AZ

Street address for the domain user

TelephoneNumber

No

+1 123 456 7890 x45678

Telephone number for the domain user

Title

Yes

Software Developer 3

Title for the user

UserPrivilegeLevel

No

Normal

Flag for user privilege level: Normal or Unknown

UserWorkstations

No

ALVMISW02,ALVSANW01,ALVPATW01,ALVPATW02

NetBIOS or DNS names of the computers running Windows NT Workstation or Windows 2000 Professional (the "Log On To" list) to which the domain user can log on

Where

No

 

Same as DomainName

Who

No

 

Same as SAMAccountName, DisplayName, AccountSid, DistinguishedName
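LogonHours in the Users table is the raw Active Directory logonHours attribute: 21 bytes, one bit per hour of the week, 168 bits in all, stored in UTC with the week starting on Sunday, so the page's all-FF example means the account may log on at any time. The Python below is an added example (not product code) that decodes the hex string into permitted hours per day and separates unrestricted accounts from restricted ones. It assumes the bit layout Active Directory uses, in which the least significant bit of byte 0 is Sunday 00:00 UTC and each further bit is the next hour; the MONDAY_BUSINESS value is constructed for the example.

```python
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
LOGON_HOURS_BYTES = 21  # 168 bits, one per hour of the week

# The page's example value: every bit set, so no logon-hour restriction.
ALWAYS = "FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF"
# Constructed value (not from the page): Monday 08:00-17:59 UTC only.
# Monday is bits 24..47; 08:00-17:59 is bits 32..41, i.e. byte 4 = FF and byte 5 = 03.
MONDAY_BUSINESS = "00 00 00 00 FF 03 " + " ".join(["00"] * 15)


def parse_logon_hours(hex_text: str) -> list[bool]:
    """Return 168 booleans: index 0 = Sunday 00:00 UTC, index 167 = Saturday 23:00 UTC.

    Assumes AD's layout (assumption): within each byte the least significant bit is
    the earliest hour.
    """
    data = bytes.fromhex(hex_text.replace(" ", ""))
    if len(data) != LOGON_HOURS_BYTES:
        raise ValueError(f"logonHours must be {LOGON_HOURS_BYTES} bytes, got {len(data)}")
    return [bool((byte >> bit) & 1) for byte in data for bit in range(8)]


def allowed_hours_by_day(hex_text: str) -> dict[str, list[int]]:
    """Map each weekday name to the UTC hours (0-23) in which logon is permitted."""
    bits = parse_logon_hours(hex_text)
    return {day: [h for h in range(24) if bits[d * 24 + h]] for d, day in enumerate(DAYS)}


def is_unrestricted(hex_text: str) -> bool:
    """True when every hour is permitted (the all-FF case shown on this page)."""
    return all(parse_logon_hours(hex_text))


def _ranges(hours: list[int]) -> list[tuple[int, int]]:
    """Collapse sorted hours into inclusive (first, last) spans, e.g. [8..17] -> [(8, 17)]."""
    spans, start = [], None
    for h in range(25):
        if h < 24 and h in hours:
            if start is None:
                start = h
        elif start is not None:
            spans.append((start, h - 1))
            start = None
    return spans


def describe(hex_text: str) -> list[str]:
    """One line per day that has any permitted hour, e.g. 'Monday: 08:00-17:59 UTC'."""
    lines = []
    for day, hours in allowed_hours_by_day(hex_text).items():
        if hours:
            spans = ", ".join(f"{a:02d}:00-{b:02d}:59" for a, b in _ranges(hours))
            lines.append(f"{day}: {spans} UTC")
    return lines


if __name__ == "__main__":
    for label, value in (("ALWAYS", ALWAYS), ("MONDAY_BUSINESS", MONDAY_BUSINESS)):
        print(label, "unrestricted" if is_unrestricted(value) else "restricted")
        for line in describe(value):
            print("  " + line)
```

Because the attribute is stored in UTC, a restriction that Active Directory Users and Computers shows as "business hours" on an administrator's workstation in another time zone will appear shifted here; compare against the raw value rather than the GUI when reviewing service accounts that are supposed to be time-limited.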

InTrust Event Fields

The following are lists of fields that occur in InTrust events, organized by type of returned object. You can use these fields in your search queries.

NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can use any of these fields in your search queries.

Field Name

In UI

Example Value

Details

Category

No

Sensitive Privilege Use

Event category

Computer

No

Y1202.seldom.mycompany

Computer where the event occurred

ComputerType

No

69635

Mask for computer type

DataSourceType

No

{A9E5C7A2-5C01-41B7-9D36-E562DFDDEFA9}

GUID of InTrust data source type

Description

No

An operation was attempted on a privileged object.

Event description

Environment

No

9E442BEE-EAC2-4D79-9013-053FB225CFD0

Environment GUID

EventID

No

4674

Event ID

Type

No

16

Event Type ID numeric

SourceComputer

No

Y1202

Name of gathering computer

SourceDomain

No

SELDOM

Name of gathering computer's domain

Log

No

Security

Log name

PlatformID

No

500

Platform ID (500 means Windows)

Source

No

Security

Event source

UserDomain

No

WST9983

Domain of the user that initiated this event

UserName

No

Administrator

Name of the user that initiated this event

VersionMajor

No

6

OS version major

VersionMinor

No

2

OS version minor

InsertionString*

Yes

NT AUTHORITY

InsertionString1, InsertionString2 etc.

Workstation

No

WST9983

Computer where the operation was initiated

Where_From

No

WST9983

Same as Workstation

WhoDomain

No

SALES

Same as UserDomain

Who

No

Administrator

Same as UserName

Object_DN

No

CN=HealthMailbox,
CN=Users,
DC=seldom,
DC=mycompany

DN of the object that was changed/deleted/created

Object_ID

Yes

DE442BEE-EAC2-4D79-9013-053FB225CFD0

ID of the object that was changed/deleted/created

WhomId

No

CN=Admin,
CN=Users,
DC=seldom,
DC=spb,
DC=qsft

Object_DN of the object that was changed/deleted/created, if available; otherwise Object_ID of the object

Whom_ObjectClass

No

user

Class of the object that was changed/deleted/created

ComputerName

No

COMP1

Same as Computer

What

No

NTLM Authentication

Event literal

Log name

No

Security

Same as Log

SourceName

No

Security

Same as Source

RelatedOU

No

sales.mycompany.corp/Production Computers

By Enterprise Reporter: OU associated with the computer

Whom_ObjectClass

No

user

By Enterprise Reporter: Object class of Whom

Change Auditor for Active Directory Event Fields

The following are lists of fields that occur in Change Auditor for Active Directory events, organized by type of returned object. You can use these fields in your search queries. All of these fields are available in the IT Security Search web UI as clickable elements. You can also type any of these fields in your search queries.

Field Name

Example Value

Details

AAD_ActivityStatusReason

User successfully reset password

Reason for activity status

AAD_OnPremisesTarget

RHSOFTWARE\AD_Admin

Azure AD on premises target name

AAD_OnPremisesUserName

RHSOFTWARE\AD_Admin

Azure AD on premises user name

AAD_TargetDisplayName

AD_Admin@RHSoftware.Net

Azure AD Target object display name

AAD_TenantDefaultDomain

QAMyProduct.onmicrosoft.com

Azure AD tenant default domain name

AAD_TenantDisplayName

QA QAMyProduct.onmicrosoft.com My Product

Azure AD tenant display name

ActionName

Modify Attribute

Name of action

Activity Details

User successfully reset password

Same as AAD_ActivityStatusReason

After

E:\NewName.txt

Same as ValueNew

Azure - Activity Name

Set Company Information

Same as O365_Operation

Before

E:\OldName.txt

Same as ValueOld

Description

User AD Admin in the directory had their password reset

Event's description

DomainName

PROD

Domain where operation was performed

FacilityName

Local User Monitoring

Name of Facility

Log

ChangeAuditor

Name of event log

Log name

ChangeAuditor

Same as Log

O365_Operation

Set Company Information

Office 365 operation

O365_SiteUrl

https://qa.sharepoint.com/sites/Certification/

URL of Office 365 site

Office 365 Site URL

https://qa.sharepoint.com/sites/Certification/

Same as O365_SiteUrl

On premises target

RHSOFTWARE\AD_Admin

Same as AAD_OnPremisesTarget

On premises user name

RHSOFTWARE\AD_Admin

Same as AAD_OnPremisesUserName

RelatedOU

RHSoftware.Net/AzureAD Accounts

Same as RelatedOUWhom

RelatedOUWhere

OU=Domain Controllers,DC=RHSoftware,DC=Net

OU where the operation was performed

RelatedOUWhom

RHSoftware.Net/AzureAD Accounts

OU of target object

Result

None

Operation result

SiteName

EMEA-SPB

Site where operation was performed

Target display name

AD_Admin@RHSoftware.Net

Same as AAD_TargetDisplayName

Tenant

QAMyProduct.onmicrosoft.com

Same as AAD_TenantDisplayName

Tenant initial domain

QAMyProduct.onmicrosoft.com

Same as AAD_TenantDefaultDomain

UserName

SPB9983\Administrator

Event initiator

ValueNew

E:\NewName.txt

New value of the changed attribute

ValueOld

E:\OldName.txt

Old value of the changed attribute

What

Local user logged on

Event class name

When

2016-11-12T06:00:00.0460000Z

When the operation was performed

Where

wst9983

Where the operation was performed

Where_From

wst9943.sales.mycompany.com

Same as Workstation

Who

Administrator

Display name or name of initiator

WhoId

S-1-5-21-1763487455-1171009733-2095814533-500

SID of initiator

Whom

WST9983\TestUser

Target object of operation

Whom_ObjectClass

Users

Target object's class

Workstation

wst9983.sales.mycompany.com

Workstation from which the operation was initiated
