Active Directory data used by Identity Security

Views:

Identity Security uses data from Active Directory (on-premises) for identity-related threat detection and identity asset discovery.

The following table lists the Windows event data used by Identity Security for identity-related threat detection.

Category	Event ID	Description
Audit Logon	4624	An account was successfully logged on.
Audit Account Lockout and Audit Logon	4625	An account failed to log on.
Audit Logoff	4634	An account was logged off.
Audit Special Logon	4672	Special privileges assigned to new logon.
Audit Directory Service Access and Audit SAM	4661	A handle to an object was requested.
Audit Directory Service Access	4662	An operation was performed on an object.
Audit User Account Management	4720	A user account was created.
Audit User Account Management	4726	A user account was deleted.
Audit Security Group Management	4728	A member was added to a security-enabled global group.
Audit Security Group Management	4732	A member was added to a security-enabled local group
Audit Kerberos Service Ticket Operations	4769	A Kerberos service ticket was requested.
Audit Credential Validation	4776	The computer attempted to validate the credentials for an account.

The following table lists the Active Directory data used by Identity Security for identity asset discovery.

Category	Data
User information	Canonical name Username SAM account name User principal name User display name Description Distinguished name Given name Surname Email address Company name Department Job title SID Account enabled Domain Direct parent group All parent groups Usage location Last password change time
Group information	Canonical name Description Distinguished name Member SAM account name Display name Email address Direct parent group All parent groups Direct members All members
Computer information	Canonical name Distinguished name Country code Display name Description SAM account name DNS host name Bad password time Bad password count Last logon Last logoff Logon count OS Service principal name Direct parent group All parent groups
Event log	Timestamp Agent ID System event ID System time created System security System computer IP address IP port Logon type Member SID New UAC value Old UAC value Password last set Primary group ID Privilege list Process ID Process name Service name Service SID Status Sub-status Subject domain name Subject logon ID Subject username Subject user SID Target domain name Target linked logon ID Target logon ID Target SID Target username Target user SID Virtual account Workstation Workstation name