Active Directory
Active Directory data sources: ad
The Active Directory schema represents events collected from Identity and Access Management (IAM) solutions that identify successful and failed logins to authentication targets. These authentication targets include domain controllers/servers, resources, and file shares.
Examples of authentication events include:
- A user fails to log in to YOURDC.yourcompany.com
- A user attempts to access shared drive DEV_102_share
Examples of IAM products include:
- Active Directory
The Intelligence Authentication data type best supports Windows Security Log (or Active Directory) event data.
The Microsoft Windows Security Log contains records of login/logout activity, as well as other security-related events specified in the system's Audit Policy. A System Administrator must enable the Windows Audit feature to allow events to be recorded in the Security Log.
Supported SmartConnectors
The SmartConnector for Microsoft Active Directory Windows Event Log Native is used for the collection and ingestion of Active Directory data.
Active Directory Schema
The following table describes the default_secops_adm.Events table columns for Active Directory data.
| Column Name | Data Type | Required (Y/N) | Description | Example |
|---|---|---|---|---|
| destinationUserName | Varchar | Y | The user involved in authentication. Primary entity for ad data source. | john.legget |
| categoryOutcome | Varchar | Y | The outcome of the event. One of success or failure. | success |
| destinationHostName | Varchar | Y | The target involved in the authentication. Typically the domain controller to which the user is authenticating. The secondary entity for an ad data source. | CONTROLLER3.interset.com |
| externalId | Varchar | Y | Usually a Windows event code (e.g., 4624, 4771, etc.), but Analytics can be configured to accept other values, including -1. | 4624 |
| deviceReceiptTime | Integer | Y | The time at which the event related to the activity was received. | 1592839336200 (equivalent GMT: 2020-06-22 15:22:00) |
| destinationNTDomain | Varchar | N | The domain that contains the user that is affected by the event. | interset |
| categoryObject | Varchar | N | The type of the object. | /Host/Operating System |
| categoryBehavior | Varchar | N | The action or behavior associated with the event. | Authentication/Verify |
| deviceCustomString4 | Varchar | N | The string that further explains why the user failed to authenticate. Usually a hexadecimal code, but can be any string. | 0xc0000064 |
| sourceGeoLocationInfo | Varchar | N | Combination of the latitude and longitude values separated by a comma. | 45.1234, -74.4321 |
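As an added example (not code from ArcSight, Interset or the SmartConnector), the following Python checks one Events row against the column rules in the table above: required columns present, categoryOutcome limited to success/failure, externalId a Windows event code or -1, and sourceGeoLocationInfo parseable as "latitude, longitude". It assumes deviceReceiptTime is epoch milliseconds (inferred from the example value, not stated on the page), and the sample row is constructed.

```python
import re
from datetime import datetime, timezone

REQUIRED = ("destinationUserName", "categoryOutcome", "destinationHostName",
            "externalId", "deviceReceiptTime")          # Required = Y in the table
OPTIONAL = ("destinationNTDomain", "categoryObject", "categoryBehavior",
            "deviceCustomString4", "sourceGeoLocationInfo")  # Required = N

def parse_geo(value):
    """Split 'lat, lon' into (float, float); None if malformed or out of range."""
    parts = [p.strip() for p in str(value).split(",")]
    if len(parts) != 2:
        return None
    try:
        lat, lon = float(parts[0]), float(parts[1])
    except ValueError:
        return None
    return (lat, lon) if -90 <= lat <= 90 and -180 <= lon <= 180 else None

def receipt_time_utc(millis):
    """Assumption: deviceReceiptTime is epoch milliseconds; render it in UTC."""
    dt = datetime.fromtimestamp(int(millis) / 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def validate_ad_event(row):
    """Return the schema violations found in one Events row ([] means valid)."""
    problems = []
    for col in REQUIRED:
        if not str(row.get(col, "")).strip():
            problems.append(f"missing required column {col}")
    if row.get("categoryOutcome") not in ("success", "failure"):
        problems.append("categoryOutcome must be 'success' or 'failure'")
    # Usually a Windows event code such as 4624 or 4771; -1 is explicitly accepted.
    if not re.fullmatch(r"-1|\d+", str(row.get("externalId", ""))):
        problems.append("externalId is not a Windows event code or -1")
    try:
        receipt_time_utc(row.get("deviceReceiptTime"))
    except (TypeError, ValueError):
        problems.append("deviceReceiptTime must be an integer epoch-millisecond value")
    geo = row.get("sourceGeoLocationInfo")
    if geo is not None and parse_geo(geo) is None:
        problems.append("sourceGeoLocationInfo is not 'latitude, longitude'")
    return problems

# Constructed sample row: a failed logon (Windows event 4625) with its reason string.
SAMPLE_FAILURE = {
    "destinationUserName": "john.legget", "categoryOutcome": "failure",
    "destinationHostName": "CONTROLLER3.interset.com", "externalId": "4625",
    "deviceReceiptTime": 1592839336200, "destinationNTDomain": "interset",
    "deviceCustomString4": "0xc0000064", "sourceGeoLocationInfo": "45.1234, -74.4321",
}
```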