| Field | Description | Field ID / Insertion String | Sample Value |
|---|---|---|---|
| DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00 |
| Source | Name of an Application or System Service originating the event. | Source | Security |
| Type | Warning, Information, Error, Success, Failure, etc. | Type | Success |
| User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky |
| Computer | Name of the server or workstation where the event was logged. | Computer | DC1 |
| EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576 |
| Description | The entire unparsed event message. | Description | Special privileges assigned to new logon. |
| Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security |
| Task Category | A name for a subclass of events within the same Event Source. | TaskCategory | |
| Level | Warning, Information, Error, etc. | Level | |
| Keywords | Audit Success, Audit Failure, Classic, Connection etc. | Keywords | |
| Category | A name for an aggregative event class, corresponding to the similar ones present in Windows 2003 version. | Category | Account Logon |
| Object Name | | InsertionString7 | |
| Whom | | InsertionString7 | |
| Object Type | | InsertionString6 | |
| Class Name | | InsertionString6 | |
| Security ID | | InsertionString1 | |
| Account Name | | InsertionString2 | |
| Account Domain | | InsertionString3 | |
| Subject: Security ID | Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment. | InsertionString1 | ITSS\operations.manager |
| Subject: Account Name | Name of the account that initiated the action. | InsertionString2 | operations.manager |
| Subject: Account Domain | Name of the domain that the account initiating the action belongs to. | InsertionString3 | ITSS |
| Subject: Logon ID | A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. | InsertionString4 | 0x2962D681 |
| Object: Object Server | The name of the system component handling the access request. | InsertionString5 | Security Account Manager |
| Object: Object Type | SAM_USER or SAM_DOMAIN | InsertionString6 | SAM_DOMAIN |
| Object: Object Name | Distinguished name of the AD object (or its SAM replica). | InsertionString7 | DC=itss,DC=wm,DC=zhu,DC=cn,DC=qsft |
| Object: Handle ID | ID of the object handle granted to the process accessing it. | InsertionString8 | 0x1f085009da0 |
| Process Information: Process ID | ID of the process accessing the object. | InsertionString16 | 0x284 |
| Process Information: Process Name | Filename of the process executable. | InsertionString17 | C:\Windows\System32\lsass.exe |
| Access Request Information: Transaction ID | | InsertionString9 | {00000000-0000-0000-0000-000000000000} |
| Access Request Information: Accesses | | InsertionString10 | DELETE |
| Access Request Information: Access Mask | | InsertionString12 | 0xF01BD |
| Access Request Information: Privileges Used for Access Check | | InsertionString13 | - |
| Access Request Information: Restricted SID Count | | InsertionString15 | 0 |
| Access Request Information: Properties | | InsertionString14 | --- |
| Access Request Information: Access Reasons | | InsertionString11 | - |
| Process Name | | InsertionString17 | |
| Accesses | | InsertionString10 | |
| Access Mask | | InsertionString12 | |
| Property | | InsertionString14 | |