| Field | Description | Event source | Example value |
|---|---|---|---|
| When | The date and time at which a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Creator Subject: Account Name | Administrator |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Process Created" | Process Created |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10 |
| Severity | Specifies the seriousness of the event. | "Medium" | Medium |
| WhoDomain | | Creator Subject: Account Domain | LOGISTICS |
| WhereDomain | | - | |
| Program Name | The name of the executed program/process. | Process Information: New Process Name | C:\Windows\System32\shutdown.exe |
| Security ID | | Creator Subject: Security ID | ITSS\intrust.service |
| Account Name | | InsertionString2 | intrust.service |
| Account Domain | | InsertionString3 | ITSS |
| Target Account Name | | Target Subject: Account Name | - |
| Target Account Domain | | Target Subject: Account Domain | - |
| Process Name | | InsertionString6 | C:\Windows\System32\conhost.exe |
| Parent Process Name | | Process Information: Creator Process Name | C:\Program Files (x86)\Quest\InTrust\Server\InTrust\IndexRemoteLauncher.exe |
| Command | | Process Information: Process Command Line | |