xdm.logon

Cortex Data Model Schema Guide

Product: Cortex XSIAM
Last date published: 2024-11-27
Category: XSIAM Data Model Schema

Fields related to a logon attempt.

xdm.logon.type

Description

A numeric value that indicates the type of logon session. See https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-logonsession.

Datatype

XDM_CONST.LOGON_TYPE

Dataclass

Scalar

Examples

XDM_CONST.LOGON_TYPE_INTERACTIVE, XDM_CONST.LOGON_TYPE_NETWORK, XDM_CONST.LOGON_TYPE_BATCH, XDM_CONST.LOGON_TYPE_SERVICE, XDM_CONST.LOGON_TYPE_PROXY

xdm.logon.assigned_rights

Description

A list of assigned user rights. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment.

Datatype

XDM_CONST.LOGON_ASSIGNED_RIGHT

Dataclass

Array

Examples

XDM_CONST.LOGON_ASSIGNED_RIGHT_SE_TRUSTED_CRED_MAN_ACCESS_PRIVILEGE, XDM_CONST.LOGON_ASSIGNED_RIGHT_SE_NETWORK_LOGON_RIGHT, XDM_CONST.LOGON_ASSIGNED_RIGHT_SE_TCB_PRIVILEGE, XDM_CONST.LOGON_ASSIGNED_RIGHT_SE_MACHINE_ACCOUNT_PRIVILEGE, XDM_CONST.LOGON_ASSIGNED_RIGHT_SE_INCREASE_QUOTA_PRIVILEGE

xdm.logon.logon_guid

Description

The GUID of the logon request.

Datatype

String

Dataclass

Scalar

xdm.logon.is_elevated

Description

Whether the logon is elevated and has administrator privileges.

Datatype

Boolean

Dataclass

Scalar

xdm.logon.is_virtual_account

Description

Whether the logon account is a virtual account.

Datatype

Boolean

Dataclass

Scalar

xdm.logon.is_restricted_admin_mode

Description

Only populated for RemoteInteractive logon type sessions. Indicates whether the credentials provided were passed using Restricted Admin mode.

Datatype

Boolean

Dataclass

Scalar

xdm.logon.impersonation_level

Description

Impersonation is the ability of a thread to execute in a security context that is different from the context of the process that owns the thread. When running in the client's security context, the server 'is' the client, to some degree. See https://docs.microsoft.com/en-us/windows/win32/com/impersonation-levels.

Datatype

XDM_CONST.LOGON_IMPERSONATION_LEVEL

Dataclass

Scalar

Examples

XDM_CONST.LOGON_IMPERSONATION_LEVEL_ANONYMOUS, XDM_CONST.LOGON_IMPERSONATION_LEVEL_IDENTIFICATION, XDM_CONST.LOGON_IMPERSONATION_LEVEL_IMPERSONATION, XDM_CONST.LOGON_IMPERSONATION_LEVEL_DELEGATION

xdm.logon.package_name

Description

The authentication package used.

Datatype

String

Dataclass

Scalar

xdm.logon.fingerprint

Description

The authentication fingerprint.

Datatype

String

Dataclass

Scalar