tm-v1-schema

Active Directory (on-premises)

Layer: Identity

This documentation provides detailed information about all fields available for Active Directory (on-premises).

Each entry gives the field name followed by its type, whether it is searchable, and its general field (- when there is none), then the description, example values, and the products that populate the field.

channel (string, searchable: true, general field: -)
  The Windows event channel
  Examples:
    • Security
    • Microsoft-Windows-WMI-Activity/Trace
    • Microsoft-Windows-TaskScheduler/Operational
  Products: Active Directory (on-premises)

correlationData (dynamic, searchable: true, general field: -)
  The data for correlation
  Example: -
  Products: Active Directory (on-premises)

endpointGuid (string, searchable: true, general field: EndpointID)
  The endpoint host GUID
  Example: 11111111-1111-1111-1111-111111111111
  Products: Active Directory (on-premises)

endpointHostName (string, searchable: true, general field: EndpointName)
  The endpoint hostname
  Examples:
    • PHILIPSIBE09
    • WHAM6WK8XG2
    • MacBook-Pro-del-Meno
  Products: Active Directory (on-premises)

endpointIp (dynamic, searchable: true, general field: IPv4, IPv6)
  The endpoint IP
  Examples:
    • 10.10.10.10
    • ::1
    • fe80::1
  Products: Active Directory (on-premises)

endpointMacAddress (dynamic, searchable: true, general field: -)
  The host MAC address
  Examples:
    • 0-0-0-0-0-0-0-e0
    • 00:00:00:ff:ff:ff
  Products: Active Directory (on-premises)

eventDataAccessList (string, searchable: true, general field: -)
  The list of requested access rights
  Examples:
    • %%4416
    • %%4417
    • %%4418
  Products: Active Directory (on-premises)

eventDataAccessMask (string, searchable: true, general field: -)
  The hexadecimal value of the requested or used permissions during an access attempt
  Examples:
    • 16
    • 2147483648
    • 1048576
  Products: Active Directory (on-premises)

eventDataActionName (string, searchable: false, general field: -)
  The action performed
  Examples:
    • Language Components Installer
    • Group Policy Background Processing
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Products: Active Directory (on-premises)

eventDataAdditionalInfo (string, searchable: true, general field: -)
  The additional information about the event
  Example: Restrictions
  Products: Active Directory (on-premises)

eventDataAttributeLDAPDisplayName (string, searchable: true, general field: -)
  The LDAP display name of the attribute that was accessed
  Examples:
    • sAMAccountName
    • memberOf
  Products: Active Directory (on-premises)

eventDataAuthenticationPackageName (string, searchable: true, general field: -)
  The authentication package name of the Windows event data
  Examples:
    • NTLM
    • Negotiate
    • MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Products: Active Directory (on-premises)

eventDataCertIssuerName (string, searchable: true, general field: -)
  The name of the Certification Authority that issued the TGT certificate
  Example: CN=contoso-DC-CA, DC=contoso, DC=local
  Products: Active Directory (on-premises)

eventDataCertSerialNumber (string, searchable: true, general field: -)
  The serial number of the certificate
  Example: 1D0000000120F1D8A3094A82760000000001
  Products: Active Directory (on-premises)

eventDataCertThumbprint (string, searchable: true, general field: -)
  The thumbprint of the certificate
  Example: 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B
  Products: Active Directory (on-premises)

eventDataConsumer (string, searchable: false, general field: -)
  The recipient of the reported event
  Examples:
    • HealthDriverEventConsumer="Health Event Consumer"
    • MemoryEventConsumer="Memory Event Consumer"
    • SysEventConsumer="System Event Consumer"
  Products: Active Directory (on-premises)

eventDataElevatedToken (string, searchable: true, general field: -)
  Whether the session is elevated and has administrator privileges
  Examples:
    • %%1842
    • %%1843
  Products: Active Directory (on-premises)

eventDataFullyQualifiedAssemblyName (string, searchable: false, general field: -)
  The fully qualified .NET assembly name
  Examples:
    • System.Runtime, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
    • System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    • System.Diagnostics.Process, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
  Products: Active Directory (on-premises)

eventDataImpersonationLevel (string, searchable: true, general field: -)
  The sign-in session impersonation level
  Examples:
    • %%1830
    • %%1832
    • %%1833
  Products: Active Directory (on-premises)

eventDataIpAddress (string, searchable: true, general field: IPv4, IPv6)
  The IP address for Windows events
  Examples:
    • -
    • 10.10.10.10
  Products: Active Directory (on-premises)

eventDataJobOwner (string, searchable: false, general field: -)
  The name of the account that initiated the event
  Examples:
    • BEI\holdej
    • NT AUTHORITY\SYSTEM
  Products: Active Directory (on-premises)

eventDataLogonProcessName (string, searchable: true, general field: -)
  The Windows event sign-in process name
  Examples:
    • NtLmSsp
    • Advapi
  Products: Active Directory (on-premises)

eventDataLogonType (string, searchable: true, general field: -)
  The sign-in type of Windows Event 4624 (successful sign-in attempt)
  Examples:
    • 3
    • 5
    • 2
  Products: Active Directory (on-premises)

eventDataMemberName (string, searchable: true, general field: UserAccount)
  The distinguished name of the account that was added to the group
  Example: CN=User1,CN=Users,DC=contoso,DC=local
  Products: Active Directory (on-premises)

eventDataMemberSid (string, searchable: true, general field: -)
  The security identifier (SID) of the account that was added to the group
  Example: S-1-5-21-3623811015-3361044348-30300820-1013
  Products: Active Directory (on-premises)

eventDataModuleILPath (string, searchable: false, general field: -)
  The CIL image path of the module or the dynamic module name
  Examples:
    • C:\Program Files\Cymulate\Agent\System.Threading.dll
    • C:\windows\system32\tzsync.exe
    • C:\Program.exe
  Products: Active Directory (on-premises)

eventDataObjectClass (string, searchable: true, general field: -)
  The class of the object that was accessed
  Examples:
    • user
    • group
  Products: Active Directory (on-premises)

eventDataObjectDN (string, searchable: true, general field: -)
  The distinguished name of the object that was accessed
  Example: CN=User1,CN=Users,DC=contoso,DC=local
  Products: Active Directory (on-premises)

eventDataObjectGUID (string, searchable: true, general field: -)
  The unique identifier of the object that was accessed
  Example: {11111111-1111-1111-1111-111111111111}
  Products: Active Directory (on-premises)

eventDataObjectName (string, searchable: true, general field: -)
  The identifying information about the object for which access was requested
  Examples:
    • \Device\HarddiskVolume2\Windows\System32\lsass.exe
    • C:\Windows\System32\osk.exe
  Products: Active Directory (on-premises)

eventDataObjectServer (string, searchable: true, general field: -)
  The name of the Windows sub-system calling the routine
  Examples:
    • Security
    • LSA
  Products: Active Directory (on-premises)

eventDataObjectType (string, searchable: true, general field: -)
  The object type
  Examples:
    • Process
    • File
  Products: Active Directory (on-premises)

eventDataOperation (string, searchable: false, general field: -)
  The operation recorded by Windows event 11
  Examples:
    • Start IWbemServices::ExecQuery - root\ccm : select * from SMS_Authority
    • Start IWbemServices::ExecQuery - root\cimv2 : select * from win32_process
    • Start IWbemServices::ExecQuery - root\ccm : SELECT * FROM SMS_Authority
  Products: Active Directory (on-premises)

eventDataOperationType (string, searchable: true, general field: -)
  The type of operation performed on the object
  Examples:
    • Object Access
    • Object Open
  Products: Active Directory (on-premises)

eventDataPath (string, searchable: false, general field: -)
  The path of the Windows event data
  Examples:
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe
    • taskhostw.exe
    • gpupdate.exe
  Products: Active Directory (on-premises)

eventDataProcessPath (string, searchable: false, general field: -)
  The process path that initiated the event
  Examples:
    • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    • C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
  Products: Active Directory (on-premises)

eventDataProperties (string, searchable: true, general field: -)
  The properties of the object
  Example: %%8278
  Products: Active Directory (on-premises)

eventDataProviderName (string, searchable: true, general field: -)
  The name of the Windows event data provider
  Examples:
    • SmsClientMethodProvider
    • MS_NT_EVENTLOG_PROVIDER
    • RegProv
  Products: Active Directory (on-premises)

eventDataProviderPath (string, searchable: false, general field: -)
  The file path of the Windows event data provider
  Examples:
    • %systemroot%\system32\wbem\ntevt.dll
    • %systemroot%\system32\wbem\stdprov.dll
    • C:\WINDOWS\CCM\smsclient.dll
  Products: Active Directory (on-premises)

eventDataScriptBlockText (string, searchable: false, general field: -)
  The script block text logged by Windows event 4104 (Creating Scriptblock text)
  Examples:
    • $global:?
    • 0
    • { Set-StrictMode -Version 1; $_.PSMessageDetails }
  Products: Active Directory (on-premises)

eventDataServiceAccount (string, searchable: false, general field: -)
  The service account
  Examples:
    • LocalSystem
    • NT AUTHORITY\SYSTEM
  Products: Active Directory (on-premises)

eventDataServiceFileName (string, searchable: false, general field: -)
  The full file path of the service executable file
  Examples:
    • %SystemRoot%\PSEXESVC.exe
    • C:\Windows\System32\svchost.exe -k WinSysRestoreGroup
  Products: Active Directory (on-premises)

eventDataServiceName (string, searchable: true, general field: -)
  The service name
  Examples:
    • PSEXESVC
    • WinResSvc
  Products: Active Directory (on-premises)

eventDataServiceSid (string, searchable: true, general field: -)
  The security identifier (SID) of the service
  Example: S-1-5-21-3623811015-3361044348-30300820-1013
  Products: Active Directory (on-premises)

eventDataServiceStartType (string, searchable: false, general field: -)
  The service start type
  Example: 2
  Products: Active Directory (on-premises)

eventDataServiceType (string, searchable: false, general field: -)
  The service type
  Examples:
    • 0x10
    • 0x20
  Products: Active Directory (on-premises)

eventDataStatus (string, searchable: true, general field: -)
  The Windows event data status
  Examples:
    • 0xc000006d
    • -1073741715
    • 0xc000006e
  Products: Active Directory (on-premises)

eventDataSubjectDomainName (string, searchable: true, general field: DomainName)
  The domain or computer name of the account
  Examples:
    • NT AUTHORITY
    • WORKGROUP
    • CONTOSO
  Products: Active Directory (on-premises)

eventDataSubjectLogonId (string, searchable: true, general field: -)
  The account sign-in ID
  Examples:
    • 0x3e7
    • 0x3e4
  Products: Active Directory (on-premises)

eventDataSubjectUserName (string, searchable: true, general field: -)
  The account name
  Examples:
    • dadmin
    • Alex
    • london$
  Products: Active Directory (on-premises)

eventDataSubjectUserSid (string, searchable: true, general field: -)
  The security identifier (SID) of the account
  Examples:
    • S-1-5-18
    • S-1-5-21-3623811015-3361044348-30300820-1013
  Products: Active Directory (on-premises)

eventDataSubStatus (string, searchable: true, general field: -)
  The Windows event data sub-status
  Examples:
    • 0xc0000064
    • 0xc000006a
    • -1073741724
  Products: Active Directory (on-premises)

eventDataTargetDomainName (string, searchable: true, general field: -)
  The target sign-in account domain or computer name
  Examples:
    • NT AUTHORITY
    • Builtin
    • SHOCKWAVE
  Products: Active Directory (on-premises)

eventDataTargetLogonId (string, searchable: true, general field: -)
  The hexadecimal value to correlate this event with events that contain the same sign-in ID
  Example: 0x3e7
  Products: Active Directory (on-premises)

eventDataTargetName (string, searchable: false, general field: -)
  The service, application, or network resource name
  Examples:
    • Microsoft_RssPlatform_*
    • WindowsLive:target=virtualapp/didlogical
    • MicrosoftOffice*
  Products: Active Directory (on-premises)

eventDataTargetSid (string, searchable: true, general field: -)
  The security identifier (SID) of the target account
  Example: S-1-5-21-3623811015-3361044348-30300820-1013
  Products: Active Directory (on-premises)

eventDataTargetUserName (string, searchable: true, general field: -)
  The user name of the Windows event data target
  Examples:
    • Auditor
    • Administrators
  Products: Active Directory (on-premises)

eventDataTargetUserSid (string, searchable: true, general field: -)
  The security identifier (SID) of the account for which sign-in was requested
  Example: S-1-5-21-3623811015-3361044348-30300820-1013
  Products: Active Directory (on-premises)

eventDataTaskName (string, searchable: false, general field: -)
  The task name logged by the Windows event
  Examples:
    • \Microsoft\Windows\LanguageComponentsInstaller\Installation
    • \Microsoft\Office\Office Serviceability Manager
    • \MicrosoftEdgeUpdateTaskMachineUA
  Products: Active Directory (on-premises)

eventDataTicketEncryptionType (string, searchable: true, general field: -)
  The cryptographic suite used for the Kerberos TGS
  Examples:
    • 0x12
    • 0x17
    • 0x18
  Products: Active Directory (on-premises)

eventDataTicketOptions (string, searchable: true, general field: -)
  The authentication request Kerberos ticket behavior and permissions flags
  Examples:
    • 0x40810000
    • 0x40810010
  Products: Active Directory (on-premises)

eventDataUserContext (string, searchable: false, general field: -)
  The user context of the Windows event data
  Examples:
    • MP\MPBSA179345$
    • MP\MPBSASPU179370$
    • MP\MPBSA4025625$
  Products: Active Directory (on-premises)

eventDataUserPrincipalName (string, searchable: true, general field: UserAccount)
  The user account UPN
  Example: user@contoso.local
  Products: Active Directory (on-premises)

eventDataWorkstation (string, searchable: true, general field: EndpointName)
  The computer name from which the sign-in request was received
  Example: WORKSTATION01
  Products: Active Directory (on-premises)

eventDataWorkstationName (string, searchable: true, general field: -)
  The name of the computer used in the sign-in attempt
  Examples:
    • WIN-GG82ULGC9GO
    • DESKTOP-123ABC
    • CLIENT01
  Products: Active Directory (on-premises)

eventId (string, searchable: true, general field: -)
  The identity provider event ID
  Examples:
    • 1 - EVENT_SOURCE_AAD_SIGN_INS
    • 2 - EVENT_SOURCE_AAD_DIR_AUDIT
  Products:
    • Microsoft Entra ID
    • Active Directory (on-premises)

eventName (string, searchable: true, general field: -)
  The event type
  Examples:
    • EVENT_SOURCE_AAD_SIGN_INS
    • EVENT_SOURCE_AAD_DIR_AUDIT
    • EVENT_SOURCE_OPA_WINDOWS_EVENT
  Products:
    • Microsoft Entra ID
    • Active Directory (on-premises)

eventTime (real, searchable: true, general field: -)
  The time the identity provider detected the event
  Example: 1657781088000
  Products:
    • Microsoft Entra ID
    • Active Directory (on-premises)

instanceId (string, searchable: true, general field: -)
  The virtual machine instance ID on the cloud platform
  Example: i-01234567890abcdef
  Products: Active Directory (on-premises)

logonUser (dynamic, searchable: true, general field: UserAccount)
  The sign-in user name
  Examples:
    • root
    • SISTEMA
    • oracle
  Products: Active Directory (on-premises)

netBiosDomainName (string, searchable: true, general field: DomainName)
  The NetBIOS domain name
  Example: TREND
  Products: Active Directory (on-premises)

osDescription (string, searchable: true, general field: -)
  The OS version
  Examples:
    • Windows 10 (64 bit)
    • Windows 10 Pro (64 bit) build 19044
    • Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)
  Products: Active Directory (on-premises)

osName (string, searchable: true, general field: -)
  The host OS name
  Examples:
    • Windows
    • Linux
    • macOS
  Products: Active Directory (on-premises)

osType (string, searchable: true, general field: -)
  The host OS type
  Examples:
    • 0x00000030
    • 4
  Products: Active Directory (on-premises)

osVer (string, searchable: true, general field: -)
  The host OS version
  Examples:
    • Amazon Linux 2
    • 10.0.19044
    • 10.0.19042
  Products: Active Directory (on-premises)

pname (string, searchable: true, general field: -)
  The internal product ID (Deprecated, use productCode)
  Examples:
    • 2200
    • 751
    • 533
  Products:
    • Microsoft Entra ID
    • Active Directory (on-premises)

pplat (int, searchable: false, general field: -)
  The product platform
  Examples:
    • 5889
    • 9217
  Products: Active Directory (on-premises)

processCmd (string, searchable: true, general field: CLICommand)
  The command line entry of the subject process
  Examples:
    • C:\Windows\system32\lsass.exe
    • C:\WINDOWS\system32\lsass.exe
    • nimbus(processes)
  Products: Active Directory (on-premises)

processFileHashSha1 (string, searchable: true, general field: FileSHA1)
  The SHA-1 hash of the subject process image
  Examples:
    • 1f912d4bec338ef10b7c9f19976286f8acc4eb97
    • ded3833f145989fd86c1f4811b61497298ebc7fd
    • 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
  Products: Active Directory (on-premises)

processFileOriginalName (string, searchable: true, general field: FileName)
  The original file name of the process image
  Examples:
    • Taskmgr.exe
    • WINLOGON.EXE
    • svchost.exe
  Products: Active Directory (on-premises)

processFilePath (string, searchable: true, general field: ProcessFullPath, ProcessName, FileFullPath, FileName)
  The file path of the subject process
  Examples:
    • /usr/bin/bash
    • c:\windows\system32\svchost.exe
    • c:\windows\system32\lsass.exe
  Products: Active Directory (on-premises)

processFileSize (string, searchable: false, general field: -)
  The file size of the process file
  Examples:
    • 59952
    • 59456
    • 47024
  Products: Active Directory (on-premises)

processHashId (long, searchable: true, general field: -)
  The FNV hash of the subject process
  Examples:
    • 7114696589795796819
    • 1307755369266815004
    • -5015325378148567246
  Products: Active Directory (on-premises)

processName (string, searchable: true, general field: ProcessName)
  The image name of the process that triggered the event
  Examples:
    • /usr/bin/bash
    • c:\windows\system32\svchost.exe
    • c:\windows\system32\lsass.exe
  Products: Active Directory (on-premises)

processPid (int, searchable: true, general field: -)
  The subject process PID
  Examples:
    • 4
    • 1
    • 784
    • 792
  Products: Active Directory (on-premises)

processSigner (dynamic, searchable: true, general field: -)
  The process file signer
  Examples:
    • Microsoft Windows
    • Microsoft Windows Publisher
    • Microsoft Corporation
  Products: Active Directory (on-premises)

processSignerValid (dynamic, searchable: true, general field: -)
  The validity of the process signer
  Example: 1
  Products: Active Directory (on-premises)

processStackTrace (string, searchable: true, general field: -)
  The process stack trace of the telemetry event
  Example: C:\Windows\System32\ntdll.dll?NtCreateUserProcess|ZwCreateUserProcess, C:\Windows\System32\kernelbase.dll!CreateProcessInternalW
  Products: Active Directory (on-premises)

providerGUID (string, searchable: true, general field: -)
  The GUID of the Windows event provider
  Example: {11111111-1111-1111-1111-111111111111}
  Products: Active Directory (on-premises)

providerName (string, searchable: true, general field: -)
  The name of the Windows event provider
  Examples:
    • Microsoft-Windows-Security-Auditing
    • Microsoft-Windows-WMI-Activity
    • Microsoft-Windows-TaskScheduler
  Products: Active Directory (on-premises)

pver (string, searchable: true, general field: -)
  The product version
  Examples:
    • 1.2.0.2752
    • 1.0.345
    • 1.2.0.2657
  Products: Active Directory (on-premises)

rawDataStr (string, searchable: true, general field: -)
  The Windows event raw contents
  Examples:
    • { "EventData" : { "LogonType" : "", "TargetDomainName" : "", "TargetLogonId" : "", "TargetUserName" : "", "TargetUserSid" : "" } }
    • { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AFASADV", "TargetLogonId" : "14941011731", "TargetUserName" : "administrator", "TargetUserSid" : "S-1-5-21-1507008304-2416677881-2121376573-500" } }
    • { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AIS", "TargetLogonId" : "216921070", "TargetUserName" : "MWoodr01", "TargetUserSid" : "S-1-5-21-1873864278-1756520048-3043165120-15057" } }
  Products: Active Directory (on-premises)

rt (string, searchable: false, general field: -)
  The event time
  Example: 1657781088000
  Products: Active Directory (on-premises)

userDomain (dynamic, searchable: true, general field: -)
  The user domain name
  Examples:
    • CORP
    • AUTORIDADE NT
  Products: Active Directory (on-premises)

winEventId (int, searchable: true, general field: -)
  The Windows Event ID
  Examples:
    • 4662
    • 4624
    • 4625
  Products: Active Directory (on-premises)

Generated by XDR Common Schema Public Doc Generator V2