[
{
"@timestamp": "2019-05-17T11:06:58.210768Z",
"event": {
"action": "Logoff",
"code": 4634,
"kind": "event"
},
"log": {
"level": "information"
},
"message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767A77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1000",
"name": "audittest"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR",
"event_data": {
"LogonType": "3",
"TargetLogonId": "0x767a77"
},
"event_id": 4634,
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 776,
"thread": {
"id": 540
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 485,
"task": "Logoff"
}
},
{
"@timestamp": "2019-05-19T16:15:38.542273Z",
"event": {
"action": "Logoff",
"code": 4634,
"kind": "event"
},
"log": {
"level": "information"
},
"message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104A4A6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"name": "Administrator"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR",
"event_data": {
"LogonType": "3",
"TargetLogonId": "0x104a4a6"
},
"event_id": 4634,
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 780,
"thread": {
"id": 820
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 747,
"task": "Logoff"
}
}
]