Does anyone have some examples of the models that are used for the “Active Directory Authentication” data source? For example, does this depend on certain Event IDs being present in the logs, and if so how do they map to the models?
Hi Nils,
Your assumption is correct, UEBA uses the following Windows events for its Active Directory authentication model:
- 4624 : An account was successfully logged on.
- 4625 : An account failed to log on.
- 4648 : A logon was attempted using explicit credentials.
- 4768 : A Kerberos authentication ticket (TGT) was requested.
- 4769 : A Kerberos service ticket was requested.
- 4770 : A Kerberos service ticket was renewed.
- 4771 : Kerberos pre-authentication failed.
- 4772 : A Kerberos authentication ticket request failed.
- 4773 : A Kerberos service ticket request failed.
- 4776 : The computer attempted to validate the credentials for an account.
- 4777 : The domain controller failed to validate the credentials for an account.
Mandatory fields for these events are documented in appendix 30.1 of the UEBA documentation (https://docs.logpoint.com/static/pdf/ueba-manual/latest/ueba-manual.pdf). You don't need to check these manually; a convenient data source validation tool is provided in the UEBA plugin interface.
I hope this answers your question.
Kind regards
Jérôme
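As an added example, not part of the original thread and not LogPoint's own tooling, the following PowerShell check can be run on a domain controller before pointing UEBA at it. It queries the local Security log for the eleven event IDs listed in the answer, reports which of them actually appear, and then prints the audit subcategories that produce them. The 24-hour look-back window is an assumption chosen for the example; the event IDs and the subcategory names are standard Windows ones.

```powershell
# Added example (not from the original post or from LogPoint): does this host
# emit the Security events the UEBA AD authentication model expects?
# Run on a domain controller: the Kerberos events (4768-4773) and the
# credential-validation events (4776/4777) are only written there.
# The 24-hour window is an assumption; widen it on a quiet domain.
$modelEventIds = @(4624, 4625, 4648, 4768, 4769, 4770, 4771, 4772, 4773, 4776, 4777)
$since = (Get-Date).AddHours(-24)

# One query for all IDs at once; FilterHashtable accepts an array for Id.
$filter = @{ LogName = 'Security'; Id = $modelEventIds; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Count occurrences per event ID.
$counts = @{}
foreach ($e in $events) { $counts[$e.Id] = 1 + [int]$counts[$e.Id] }

"Event ID coverage since $since on $env:COMPUTERNAME"
foreach ($id in $modelEventIds) {
    $n = [int]$counts[$id]
    $state = if ($n -gt 0) { 'present' } else { 'MISSING' }
    '{0,5}  {1,-8}  {2}' -f $id, $state, $n
}

# A missing ID is usually an audit-policy gap rather than a forwarding
# problem. These subcategories generate the IDs above:
#   Logon                              -> 4624, 4625, 4648
#   Kerberos Authentication Service    -> 4768, 4771, 4772
#   Kerberos Service Ticket Operations -> 4769, 4770, 4773
#   Credential Validation              -> 4776, 4777
""
"Current audit policy for the relevant subcategories:"
foreach ($sub in 'Logon', 'Kerberos Authentication Service',
                 'Kerberos Service Ticket Operations', 'Credential Validation') {
    auditpol /get /subcategory:"$sub"
}
```

Any ID reported as MISSING while its subcategory shows "No Auditing" needs the corresponding success and failure auditing enabled on the domain controllers before the data source will validate; this script only checks the local log, so it has to be run on each DC (or against forwarded logs) rather than once per domain.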