The following are lists of fields that occur in InTrust events, organized by type of returned object.
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
Category |
No |
Sensitive Privilege Use |
Event category |
Computer |
No |
Y1202.seldom.mycompany |
Computer where the event occurred |
ComputerType |
No |
69635 |
Mask for computer type |
DataSourceType |
No |
{A9E5C7A2-5C01-41B7-9D36-E562DFDDEFA9} |
GUID of InTrust data source type |
Description |
No |
An operation was attempted on a privileged object. |
Event description |
Environment |
No |
9E442BEE-EAC2-4D79-9013-053FB225CFD0 |
Enviroment GUID |
EventID |
No |
4674 |
Event ID |
Type |
No |
16 |
Event Type ID numeric |
SourceComputer |
No |
Y1202 |
Name of gathering computer |
SourceDomain |
No |
SELDOM |
Name of gathering computer's domain |
Log |
No |
Security |
Log name |
PlatformID |
No |
500 |
Platform ID (500 means Windows) |
Source |
No |
Security |
Event source |
UserDomain |
No |
WST9983 |
Domain of the user that initiated this event |
UserName |
No |
Administrator |
Name of the user that initiated this event |
VersionMajor |
No |
6 |
OS version major |
VersionMinor |
No |
2 |
OS version minor |
InsertionString* |
Yes |
NT AUTHORITY |
InsertionString1, InsertionString2 etc. |
Workstation |
No |
WST9983 |
Computer where the operation was initiated |
Where_From |
No |
WST9983 |
Same as Workstation |
WhoDomain |
No |
SALES |
Same as UserDomain |
Who |
No |
Administrator |
Same as UserName |
Object_DN |
No |
CN=HealthMailbox, |
DN of the object that was changed/deleted/created |
Object_ID |
Yes |
DE442BEE-EAC2-4D79-9013-053FB225CFD0 |
ID of the object that was changed/deleted/created |
WhomId |
No |
CN=Admin, |
Object_DN of the object that was changed/deleted/created, if available; otherwise Object_ID of the object |
Whom_ObjectClass |
No |
user |
Class of the object that was changed/deleted /created |
ComputerName |
No |
COMP1 |
Same as Computer |
What |
No |
NTLM Authentication |
Event literal |
Log name |
No |
Security |
Same as Log |
SourceName |
No |
Security |
Same as Source |
RelatedOU |
No |
sales.mycompany.corp/Production Computers |
By Enterprise Reporter: OU associated with the computer |
Whom_ObjectClass |
No |
user |
By Enterprise Reporter: Object class of Whom |
The following are lists of fields that occur in Change Auditor for Active Directory events, organized by type of returned object. All of these fields are available in the IT Security Search web UI as clickable elements. You can also type any of these fields in your search queries.
Field Name |
Example Value |
Details |
---|---|---|
AAD_City |
"Halifax", "New York City" |
Azure sign-in city |
AAD_Country |
"Canada", "US" |
Azure sign-in country |
AAD_ActivityStatusReason |
User successfully reset password |
Reason for activity status |
AAD_OnPremisesTarget |
RHSOFTWARE\AD_Admin |
Azure AD on premises target name |
AAD_OnPremisesUserName |
RHSOFTWARE\AD_Admin |
Azure AD on premises user name |
AAD_State |
"Nova Scotia", "New York" |
Azure sign-in state |
AAD_TargetDisplayName |
AD_Admin@RHSoftware.Net |
Azure AD Target object display name |
AAD_TenantDefaultDomain |
QAMyProduct.onmicrosoft.com |
Azure AD tenant default domain name |
AAD_TenantDisplayName |
QA QAMyProduct.onmicrosoft.com My Product |
Azure AD tenant display name |
ActionName |
Modify Attribute |
Name of action |
Activity Details |
User successfully reset password |
Same as AAD_ActivityStatusReason |
After |
E:\NewName.txt |
Same as ValueNew |
Azure - Activity Name |
Set Company Information |
Same as O365_Operation |
Before |
E:\OldName.txt |
Same as ValueOld |
Description |
User AD Admin in the directory had their password reset |
Event's description |
DomainName |
PROD |
Domain where operation was performed |
FacilityName |
Local User Monitoring |
Name of Facility |
LDAP - Attributes |
canonicalName, co, company, department, displayName |
Attributes that were queried |
LDAP - Elapsed |
8094 |
How long the AD query took to run, in milliseconds; zero (0) indicates that it took less than a millisecond to complete |
LDAP - Filter |
(&(objectClass=user)(!(objectClass=computer))) |
Filter string used in the AD query |
LDAP - Occurrences |
1 |
Number of times the AD query occurred during the specified interval |
LDAP - Results |
52 |
Number of results returned for the query |
LDAP - Scope |
This object and all children |
Scope of coverage: (This object only, This object and all children) |
LDAP - Since |
2018-01-15T09:42:01.3672010Z |
Date and time when the AD query was first initiated |
Log |
ChangeAuditor |
Name of event log |
Log name |
ChangeAuditor |
Same as Log |
O365_Operation |
Set Company Information |
Office 365 operation |
O365_SiteUrl |
https://qa.sharepoint.com/sites/Certification/ |
URL of Office 365 site |
Office 365 Site URL |
https://qa.sharepoint.com/sites/Certification/ |
Same as O365_SiteUrl |
On premises target |
RHSOFTWARE\AD_Admin |
Same as AAD_OnPremisesTarget |
On premises user name |
RHSOFTWARE\AD_Admin |
Same as AAD_OnPremisesUserName |
RelatedOU |
RHSoftware.Net/AzureAD Accounts |
Same as RelatedOUWhom |
RelatedOUWhere |
OU=Domain Controllers,DC=RHSoftware,DC=Net |
Ou where operation was performed |
RelatedOUWhom |
RHSoftware.Net/AzureAD Accounts |
OU of target object |
Result |
None |
Operation result |
SiteName |
EMEA-SPB |
Site where operation was performed |
Target display name |
AD_Admin@RHSoftware.Net |
Same as AAD_TargetDisplayName |
Tenant |
QAMyProduct.onmicrosoft.com |
Same as AAD_TenantDisplayName |
Tenant initial domain |
QAMyProduct.onmicrosoft.com |
Same as AAD_TenantDefaultDomain |
UserName |
SPB9983\Administrator |
Event initiator |
ValueNew |
E:\NewName.txt |
new value of changed attribute |
ValueOld |
E:\OldName.txt |
old value of changed attribute |
What |
Local user logged on |
Event class name |
When |
2016-11-12T06:00:00.0460000Z |
When the operation was performed |
Where |
wst9983 |
Where the operation was performed |
Where_From |
wst9943.sales.mycompany.com |
Same as Workstation |
Who |
Administrator |
Display name or name of initiator |
WhoId |
S-1-5-21-1763487455-1171009733-2095814533-500 |
SID of initiator |
Whom |
WST9983\TestUser |
Target object of operation |
Whom_ObjectClass |
Users |
Target object's class |
Workstation |
wst9983.sales.mycompany.com |
Workstationn from that operation was initiated |
The following are lists of fields that occur in Active Roles data, organized by type of returned object. All of these fields are available in the IT Security Search web UI as clickable elements. You can also type any of these fields in your search queries.
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. For events, all fields are displayed. |
Field Name |
Example Value |
Details |
---|---|---|
AR_ClientComputerName |
ITSEARCHTEST3 |
Host with Active Roles client software |
AR_ClientVersion_Build |
2 |
Version build number of Active Roles client software |
AR_ClientVersion_Major |
7 |
Version major number of Active Roles client software |
AR_ClientVersion_Minor |
1 |
Version minor number of Active Roles client software |
AR_ClientVersion_Revision |
3406 |
Revision of Active Roles client software |
AR_Server |
arsit |
Active Roles Server host |
Attribute_* |
New description1 |
New value of attribute |
ChangedAttributes |
description,streetAddress |
List of attributes |
Completed |
2017-05-04T07:18:57.9741631Z |
Timestamp of operation when that was completed |
Control_OperationReason |
Reason for modification |
Reason of operation |
Description |
Modified attributes: |
Description of event |
ID |
1-107540 |
ID of operation |
Initiated |
2017-05-04T07:18:57.9116595Z |
Timestamp of operation when that was initiated |
Initiator_DN |
CN=Zakhar Shkonda, |
DN of initiator |
Initiator_Guid |
b58c2906-ad0b-4682- |
GUID of initiator |
Initiator_Host |
ARSIT.it.sales.mycompany |
Host of Initiator |
Initiator_IsDSAdmin |
True |
True if initiator is DS administrator |
Initiator_NTAccountName |
IT\zs |
NT Account name of initiator |
Initiator_ObjectClass |
user |
Class of initiator |
Initiator_Sid |
S-1-5-21-4039273466- |
SID of initiator |
Initiator_Site |
Default-First-Site-Name |
Site of initiator |
Log |
Active Roles |
Log name |
Logon_Site |
Default-First-Site-Name |
Same as Initiator_Site |
Operation_GUID |
9b3c5524-065d-418a-9511- |
GUID of operation |
Operation_Type |
Delete |
Type of operation |
Operation_TypeID |
1 |
Type ID of operation |
Reason |
Reason for modification |
Same as Control_OperationReason |
RelatedOU |
it.sales.mycompany/AutotestOU/ARS/FIT2711055222_0E7C |
Same as TargetObject_OUCanonical |
Result |
Completed |
Same as Status |
Status |
Completed |
Operation status |
StatusID |
1 |
Operation status ID |
TargetObject_DN |
CN=ArsCHUser1_0E7C, |
DN of target object |
TargetObject_Guid |
b6a8b5d0-e003-4421- |
GUID of target object |
TargetObject_NTAccountName |
IT\ArsCHUser1_0E7C |
NT Account name of target object |
TargetObject_ObjectClass |
user |
Class of target object |
TargetObject_OUCanonical |
it.mycompany.com/AutotestOU/ARS/FIT2711055222_0E7C |
Canonical name of object's OU |
TargetObject_Sid |
S-1-5-21-4039273466- |
SID of target object |
TargetObject_SimpleName |
ArsCHUser1_0E7C |
Name of target object |
What |
Delete |
Same as Operation_Type |
When |
2017-05-10T08:38:58.0000000Z |
Same as Completed |
Where |
dc2.it.sales.mycompany |
Host where this operation was performed |
Who |
IT\zs |
Same as Initiator_NTAccountName |
Who_DN |
CN=Caroline Abbage, |
Same as Initiator_DN |
Who_Guid |
b58c2906-ad0b-4682- |
Same as Initiator_Guid |
Who_IsDSAdmin |
True |
Initiator_IsDSAdmin |
Who_ObjectClass |
user |
Same as Initiator_ObjectClass |
Who_Sid |
S-1-5-21-4039273466- |
Same as Initiator_Sid |
WhoId |
S-1-5-21-4039273466- |
Same as Initiator_Sid |
Whom |
ArsTestDynamicGroup_CB79 |
Same as TargetObject_SimpleName |
Whom_DN |
CN=ArsTestTemporalGroup_CB79, |
Same as TargetObject_DN |
Whom_Guid |
eff86e4b-7800-44ce- |
Same as TargetObject_Guid |
Whom_NTAccountName |
IT\ArsCHUser1_0E7C |
Same as TargetObject_NTAccountName |
Whom_ObjectClass |
Groups |
Same as TargetObject_ObjectClass |
Whom_Sid |
S-1-5-21-4039273466- |
Same as TargetObject_Sid |
WhomId |
CN=ArsTestDynamicGroup_CB79, |
Same as TargetObject_DN |
WhomSimple |
ArsTestDynamicGroup_CB79 |
Same as TargetObject_SimpleName |
Workstation |
ARSIT.it.sales.mycompany |
Same as Initiator_Host |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
AccountSid |
Yes |
S-1-5-21-4039273466- 3631535243-455089366-89812 |
Computer account SID |
Description |
Yes |
Storage Server |
Description of computer |
DistinguishedName |
No |
CD=DC1, |
Computer account distinguished name; search by full value only |
DNSHostName |
Yes |
DC1.it.sales.mycompany |
DNS host name |
Location |
Yes |
Houston |
Location of computer |
ManagedBy |
No |
CN=Caroline Abbage, |
Same as ManagedByFullName |
ManagedByFullName |
No |
CN=Caroline Abbage, |
Distinguished name of manager of the computer account; search by full value only |
Name |
Yes |
DC1 |
Same as NetBiosName |
NetBiosName |
Yes |
DC1 |
NetBIOS name of computer |
NumLogons |
Yes |
12656 |
Logon count |
ObjectCategory |
Yes |
computer |
Object class = computer |
ObjectGUID |
No |
ddd94ab4-5de6-4696- a93c-433cf9827c28 |
Object GUID of computer account |
OSName |
Yes |
Windows Server 2008 R2 Enterprise |
OS name |
OSServicePack |
Yes |
Service Pack 1 |
OS service pack |
OSVersion |
Yes |
6.1 (7601) |
OS version |
Where |
Yes |
DC1 |
Same as NetBiosName |
Who |
Yes |
CN=Caroline Abbage, |
Same as ManagedByFullName |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
CN |
Yes |
Users |
Common name of group |
Description |
Yes |
Houston internal group for notification |
Description of group |
DisplayName |
Yes |
Users |
Display name of group |
DistinguishedName |
No |
CN=MCDL.RD.Notification, OU=RD, OU=Groups, DC=it, DC=sales, DC=mycompany |
Distinguished name of group;. search by full value only |
|
Yes |
MCDL.RD.Notification@it.sales.mycompany |
Email address of group |
GroupType |
No |
-2147483640 |
Integer value of bitmask that contains information about group type and scope; search by full value only (more details at https://msdn.microsoft.com/en-us/library/ms675935.aspx) |
HomePage |
Yes |
http://homepage |
Home page of group |
Info |
Yes |
Some info |
Additional information about group |
ManagedBy |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
ManagedByFullName |
Yes |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of the group; search by full value only |
Name |
Yes |
Users |
Name of group |
ObjectCategory |
Yes |
group |
Object class = group |
ObjectGUID |
No |
80b090a2-968f-42e6- bc76-6e2505f43759 |
GUID of group object |
SAMAccountName |
Yes |
Users |
SAMAccount name of group |
Url |
Yes |
http://groupname |
URL of group |
Who |
Yes |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
Description |
Yes |
Default container for Defender objects |
Description of OU |
DistinguishedName |
No |
OU=BestEmployees, DC=it, DC=sales, DC=mycompany |
Distinguished name of group; search by full value only |
ManagedBy |
No |
CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
ManagedByFullName |
Yes |
CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of the OU; search by full value only |
Name |
Yes |
Users |
Name of OU |
ObjectCategory |
Yes |
organizationalUnit |
Object class = organizationalUnit or container |
ObjectGUID |
No |
675205fb-4d29-44b6- 9284-69e867689f38 |
GUID of OU |
USNChanged |
No |
9296605 |
USN-Changed attribute of OU; search by full value only |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
AccountSid |
No |
S-1-5-21-4039273466- |
User SID; search by full value only |
Company |
Yes |
MyCompany |
Company name |
Country |
Yes |
United States |
Country name |
Department |
Yes |
Sales |
Department name |
DisplayName |
No |
Caroline Abbage |
User display name |
DistinguishedName |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
User distinguished name; search by full value only |
EmailAddress |
Yes |
Caroline.Abbage@sales.mycompany.com |
Email address |
HomePhoneNumber |
Yes |
+1 410 531 0638 |
Home telephone number |
Logon Name |
Yes |
|
Same as LogonName |
LogonName |
No |
SVC-Scanner@main.mycompany.corp |
Logon name for the domain user |
ManagedBy |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
ManagedByFullName |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of user; search by full value only |
Mobile |
Yes |
+ 911 9 769 8889 |
Mobile phone number |
Name |
Yes |
Caroline Abbage |
User name |
ObjectCategory |
Yes |
user |
Object class = user |
ObjectGUID |
No |
861205fb-4d29-44b6- |
User object GUID; search by full value only |
Office |
Yes |
Ludlow st. 80, suite 200 |
Physical delivery office name |
SAMAccountName |
Yes |
jcdenton |
SAMAccountName of user |
StreetAddress |
Yes |
Ludlow st. 80 |
Street address |
TelephoneNumber |
Yes |
+ 123 4 567 8900 |
Telephone number |
Title |
Yes |
Mgr, Sales |
User job title |
USNChanged |
No |
9296605 |
USN-Changed attribute of user; search by full value only |
Who |
No |
Administrator |
Search in the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName |
The following are lists of fields that occur in Recovery Manager for Active Directory data, organized by type of returned object.
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
AccountSid |
Yes |
S-1-5-21-4039273466- 3631535243-455089366-89812 |
Computer account SID |
Description |
Yes |
Storage Server |
Description of computer |
DistinguishedName |
No |
CD=DC1, |
Computer account distinguished name; search by full value only |
DNSHostName |
Yes |
DC1.it.sales.mycompany |
DNS host name |
Location |
Yes |
Houston |
Location of computer |
ManagedBy |
No |
CN=Caroline Abbage, |
Same as ManagedByFullName |
ManagedByFullName |
No |
CN=Caroline Abbage, |
Distinguished name of manager of the computer account; search by full value only |
Name |
Yes |
DC1 |
Same as NetBiosName |
NetBiosName |
Yes |
DC1 |
NetBIOS name of computer |
NumLogons |
Yes |
12656 |
Logon count |
ObjectCategory |
Yes |
computer |
Object class = computer |
ObjectGUID |
No |
ddd94ab4-5de6-4696- a93c-433cf9827c28 |
Object GUID of computer account |
OSName |
Yes |
Windows Server 2008 R2 Enterprise |
OS name |
OSServicePack |
Yes |
Service Pack 1 |
OS service pack |
OSVersion |
Yes |
6.1 (7601) |
OS version |
Where |
Yes |
DC1 |
Same as NetBiosName |
Who |
Yes |
CN=Caroline Abbage, |
Same as ManagedByFullName |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
CN |
Yes |
Users |
Common name of group |
Description |
Yes |
Houston internal group for notification |
Description of group |
DisplayName |
Yes |
Users |
Display name of group |
DistinguishedName |
No |
CN=MCDL.RD.Notification, OU=RD, OU=Groups, DC=it, DC=sales, DC=mycompany |
Distinguished name of group;. search by full value only |
|
Yes |
MCDL.RD.Notification@it.sales.mycompany |
Email address of group |
GroupType |
No |
-2147483640 |
Integer value of bitmask that contains information about group type and scope; search by full value only (more details at https://msdn.microsoft.com/en-us/library/ms675935.aspx) |
HomePage |
Yes |
http://homepage |
Home page of group |
Info |
Yes |
Some info |
Additional information about group |
ManagedBy |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
ManagedByFullName |
Yes |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of the group; search by full value only |
Name |
Yes |
Users |
Name of group |
ObjectCategory |
Yes |
group |
Object class = group |
ObjectGUID |
No |
80b090a2-968f-42e6- bc76-6e2505f43759 |
GUID of group object |
SAMAccountName |
Yes |
Users |
SAMAccount name of group |
Url |
Yes |
http://groupname |
URL of group |
Who |
Yes |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
Description |
Yes |
Default container for Defender objects |
Description of OU |
DistinguishedName |
No |
OU=BestEmployees, DC=it, DC=sales, DC=mycompany |
Distinguished name of group; search by full value only |
ManagedBy |
No |
CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
ManagedByFullName |
Yes |
CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of the OU; search by full value only |
Name |
Yes |
Users |
Name of OU |
ObjectCategory |
Yes |
organizationalUnit |
Object class = organizationalUnit or container |
ObjectGUID |
No |
675205fb-4d29-44b6- 9284-69e867689f38 |
GUID of OU |
USNChanged |
No |
9296605 |
USN-Changed attribute of OU; search by full value only |
Field Name |
In UI |
Example Value |
Details |
---|---|---|---|
AccountSid |
No |
S-1-5-21-4039273466- |
User SID; search by full value only |
Company |
Yes |
MyCompany |
Company name |
Country |
Yes |
United States |
Country name |
Department |
Yes |
Sales |
Department name |
DisplayName |
No |
Caroline Abbage |
User display name |
DistinguishedName |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
User distinguished name; search by full value only |
EmailAddress |
Yes |
Caroline.Abbage@sales.mycompany.com |
Email address |
HomePhoneNumber |
Yes |
+1 410 531 0638 |
Home telephone number |
Logon Name |
No |
|
Same as LogonName |
LogonName |
No |
SVC-Scanner@main.mycompany.corp |
Logon name for the domain user |
ManagedBy |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
ManagedByFullName |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of user; search by full value only |
Mobile |
Yes |
+ 911 9 769 8889 |
Mobile phone number |
Name |
Yes |
Caroline Abbage |
User name |
ObjectCategory |
Yes |
user |
Object class = user |
ObjectGUID |
No |
861205fb-4d29-44b6- |
User object GUID; search by full value only |
Office |
Yes |
Ludlow st. 80, suite 200 |
Physical delivery office name |
SAMAccountName |
Yes |
jcdenton |
SAMAccountName of user |
StreetAddress |
Yes |
Ludlow st. 80 |
Street address |
TelephoneNumber |
Yes |
+ 123 4 567 8900 |
Telephone number |
Title |
Yes |
Mgr, Sales |
User job title |
USNChanged |
No |
9296605 |
USN-Changed attribute of user; search by full value only |
Who |
No |
Administrator |
Search in the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName |
© ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center