Active Directory JSON Log File
The following table lists every attribute that Active Directory Activity Monitor can write to a record in its JSON log file. Which attributes are populated depends on the event Source (for example, the Kerb* fields appear only on Kerberos authentication events and the Process* fields only on LSASS Guardian events), and attributes marked "if resolved" are present only when the agent could resolve the value.
| Attributes | Description |
|---|---|
| AffectedObject | If resolved, the DN of the object affected by the operation; otherwise, a textual representation of the object |
| AffectedObjectAccountName | If resolved, the account name of the object affected by the operation |
| AffectedObjectSid | If resolved, the SID of the object affected by the operation |
| AgentDomain | Domain where SI agent is installed |
| AgentHost | Host name where SI agent is installed |
| AgentIP | IP address where SI agent is installed. If multiple IP addresses, one of them is reported. |
| AuthenticationType | Indicates type of the authentication event. Possible values: Kerberos, NTLM. |
| AuthProtocol | Indicates authentication protocol. Possible values: Unknown, Kerberos, KerberosTgs, KerberosAS, NTLM, NTLMv1, NTLMMixed, NTLMv2. |
| Blocked | Indicates whether the operation was blocked by the SI agent. An operation can only be blocked when a blocking policy covering it is configured. |
| ClassName | Affected object class |
| DesiredAccess | Security and access rights requested in the OpenProcess call. The list of possible values can be found at: https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-security-and-access-rights. |
| EncryptionType | Indicates encryption type used in request part of the Kerberos ticket. Possible values: des_cbc_crc, des_cbc_md4, des_cbc_md5, reserved_0x4, des3_cbc_md5, reserved_0x6, des3_cbc_sha1, dsaWithSHA1, md5WithRSAEncryption, rc2CBC, rsaEncryption, rsaES, des_ede3_cbc, des3_cbc_sha1_kd, aes128, aes256, rc4_hmac, rc4_hmac_exp, subkey_keymaterial. |
| EventResult | Result of the operation that triggered the current event |
| EventType | Identifies the event type |
| EventsCount | Number of similar events consolidated into this record during the consolidation period (1 minute by default) |
| From | Contains raw representation of the machine from which event was triggered |
| FromHost | If resolved, contains host name of the machine from which event was triggered |
| FromIp | If resolved, contains the IP address of the machine from which event was triggered |
| FromMac | If resolved, contains mac address of the machine from which event was triggered |
| IsN2Password | Indicates whether the password used for authentication was the account's previous password or the one before that |
| IsUserExist | Indicates whether the user account exists |
| KerbAuthTime | Time at which KDC issued the initial ticket that corresponds to this ticket |
| KerbEndTime | Ticket expiration time |
| KerbRenewTill | Latest time at which renewal of ticket can be valid |
| KerbSPN | Service principal name for which ticket was requested |
| KerbStartTime | Ticket start time |
| LogonType | Contains SECURITY_LOGON_TYPE. More details at https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type. |
| NewAttributes | Map of new attributes where key is name and value attribute value |
| NewName | New name of the AD object |
| NlpLogonType | NTLM logon type. Possible values: Unknown, Interactive, Network, Service, Generic, TransitiveInteractive, TransitiveNetwork, TransitiveService |
| OldAttributes | Map of old attributes where key is attribute name and value attribute value |
| PAC | List of RIDs extracted from ticket authorization data |
| ProcessID | Contains process ID that attempted to open LSASS process |
| ProcessName | Contains process name that attempted to open LSASS process |
| Protocol | Operation-specific details |
| QueryFilter | LDAP filter used in the operation |
| QueryIsSSL | Indicates if LDAP connection is secure or not |
| QueryObjectsReturned | Number of returned objects produced by the LDAP request |
| Source | Indicates the source of the operation. Currently one of: 'Authentication', 'Active Directory', 'LSASS Guardian – Monitor', 'LDAP Monitor', 'AD Replication Monitoring'. |
| Success | Indicates whether the original operation completed successfully |
| TargetHost | Host name against which the authentication attempt was made. For a failed Kerberos AS exchange, this field contains the name of the domain controller. |
| TargetHostIP | If resolved, contains IP address of the target host |
| TargetProcess | Name of the monitored process. Currently this is always lsass.exe. |
| TgsReplyEncryptionType | Indicates encryption type used in reply part of the TGS Kerberos ticket. Possible values the same as for EncryptionType. |
| TimeLogged | UTC timestamp of the event |
| UserDN | If resolved, the DN of the object that triggered the operation |
| UserName | If resolved, the account name of the object that triggered the operation |
| UserSid | If resolved, the SID of the object that triggered the operation |
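The table above is a field reference; what a practitioner usually wants next is to see those fields turned into detection logic. The script below is an added example written for this page, not tooling shipped with Active Directory Activity Monitor, and it makes two assumptions the page does not state: that the log is written as one JSON object per line (JSON Lines), and that `DesiredAccess` carries the numeric access mask passed to `OpenProcess`. The sample records embedded at the bottom are constructed for illustration. It flags LSASS handle requests with memory-read rights, NTLMv1 and RC4/DES Kerberos usage, cleartext and bulk LDAP queries, logons to non-existent accounts, and password spraying (many distinct `UserName` values failing from one `FromIp`); the thresholds are illustrative and should be tuned per environment.

```python
"""Triage records from the Active Directory Activity Monitor JSON log.

Added example, not the product's own code. Assumes JSON Lines input using
the attribute names documented in the table above and a numeric
DesiredAccess mask (both assumptions). Sample records below are constructed.
"""
import json
from collections import defaultdict

# Process access rights from the Win32 page linked under DesiredAccess.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
# Reading or writing LSASS memory is what credential dumpers need.
LSASS_DUMP_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# RC4/DES-based etypes from the EncryptionType value list. A TGS reply in one
# of these means the service account still has an RC4/DES key (Kerberoastable).
WEAK_ETYPES = {"des_cbc_crc", "des_cbc_md4", "des_cbc_md5", "rc4_hmac", "rc4_hmac_exp"}
WEAK_AUTH_PROTOCOLS = {"NTLMv1", "NTLMMixed"}
LDAP_BULK_THRESHOLD = 200  # objects returned by one query; illustrative value


def parse_records(text):
    """Parse JSON Lines text; a malformed line becomes a record with _parse_error."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            records.append({"_parse_error": str(exc), "_line": lineno})
    return records


def triage(rec):
    """Return a list of {"rule", "detail"} findings for one log record."""
    if "_parse_error" in rec:
        return [{"rule": "unparseable", "detail": f"line {rec['_line']}: {rec['_parse_error']}"}]
    findings = []
    source = rec.get("Source")
    user, ip = rec.get("UserName"), rec.get("FromIp")

    if source == "LSASS Guardian – Monitor":
        raw = rec.get("DesiredAccess", 0)
        mask = raw if isinstance(raw, int) else int(str(raw), 0)  # accept "0x410" too
        if mask & LSASS_DUMP_RIGHTS:
            findings.append({"rule": "lsass-memory-access",
                             "detail": f"{rec.get('ProcessName')} (pid {rec.get('ProcessID')}) "
                                       f"requested 0x{mask:x} on {rec.get('TargetProcess')}"})
    elif source == "Authentication":
        if rec.get("AuthProtocol") in WEAK_AUTH_PROTOCOLS:
            findings.append({"rule": "weak-ntlm", "detail": f"{user} used {rec['AuthProtocol']} from {ip}"})
        if rec.get("TgsReplyEncryptionType") in WEAK_ETYPES:
            findings.append({"rule": "weak-tgs-etype",
                             "detail": f"{rec.get('KerbSPN')} issued with {rec['TgsReplyEncryptionType']}"})
        if rec.get("Success") is False and rec.get("IsUserExist") is False:
            findings.append({"rule": "nonexistent-user", "detail": f"{user} from {ip}"})
    elif source == "LDAP Monitor":
        if rec.get("QueryIsSSL") is False:
            findings.append({"rule": "ldap-cleartext", "detail": f"{user} from {ip}"})
        if rec.get("QueryObjectsReturned", 0) >= LDAP_BULK_THRESHOLD:
            findings.append({"rule": "ldap-bulk-read",
                             "detail": f"{rec['QueryObjectsReturned']} objects for {rec.get('QueryFilter')}"})
        if "servicePrincipalName=*" in rec.get("QueryFilter", ""):
            findings.append({"rule": "spn-enumeration", "detail": f"{user} listed SPNs (Kerberoast recon)"})

    if rec.get("Blocked"):
        findings.append({"rule": "blocked", "detail": f"{source} operation blocked by agent policy"})
    return findings


def detect_password_spray(records, min_users=3):
    """Map FromIp -> sorted distinct usernames with failed logons from that IP
    against at least min_users accounts. Distinct users, not raw counts, is the
    signal, because EventsCount already consolidates repeats per minute."""
    users_by_ip = defaultdict(set)
    for rec in records:
        if rec.get("Source") == "Authentication" and rec.get("Success") is False:
            users_by_ip[rec.get("FromIp", "?")].add(rec.get("UserName", "?"))
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


# Constructed sample log (not real data); the last line is deliberately truncated.
SAMPLE_LOG = "\n".join([
    json.dumps({"TimeLogged": "2024-03-01T10:00:00Z", "Source": "LSASS Guardian – Monitor",
                "TargetProcess": "lsass.exe", "ProcessName": "procdump64.exe", "ProcessID": 4120,
                "DesiredAccess": 0x0410, "UserName": "jdoe", "Blocked": True}),
    json.dumps({"Source": "Authentication", "AuthProtocol": "KerberosTgs", "EncryptionType": "aes256",
                "TgsReplyEncryptionType": "rc4_hmac", "KerbSPN": "MSSQLSvc/sql01.corp.example:1433",
                "UserName": "jdoe", "FromIp": "10.0.0.7", "Success": True}),
    json.dumps({"Source": "Authentication", "AuthProtocol": "NTLMv1", "UserName": "svc_backup",
                "FromIp": "10.0.0.5", "Success": True}),
    json.dumps({"Source": "Authentication", "AuthProtocol": "NTLMv2", "UserName": "alice",
                "FromIp": "10.0.0.9", "Success": False, "IsUserExist": True, "EventsCount": 4}),
    json.dumps({"Source": "Authentication", "AuthProtocol": "NTLMv2", "UserName": "bob",
                "FromIp": "10.0.0.9", "Success": False, "IsUserExist": True}),
    json.dumps({"Source": "Authentication", "AuthProtocol": "NTLMv2", "UserName": "carol",
                "FromIp": "10.0.0.9", "Success": False, "IsUserExist": False}),
    json.dumps({"Source": "LDAP Monitor", "QueryIsSSL": False, "UserName": "jdoe", "FromIp": "10.0.0.7",
                "QueryFilter": "(&(objectCategory=person)(servicePrincipalName=*))",
                "QueryObjectsReturned": 312}),
    '{"Source": "Authentication", "Tim',
])

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for rec in recs:
        for f in triage(rec):
            print(f"[{f['rule']}] {f['detail']}")
    for ip, users in detect_password_spray(recs).items():
        print(f"[password-spray] {ip} failed against {len(users)} accounts: {', '.join(users)}")
```

Two design points worth noting. `triage` works per record so it can run on a tail of the log, while `detect_password_spray` needs a window of records, so in production the two would be fed from the same stream but the spray check keyed on a sliding time range using `TimeLogged`. Because `EventsCount` already collapses repeated identical events into one record per consolidation period, counting raw records understates attempt volume; use the distinct-user signal for spraying and sum `EventsCount` where you need the attempt count.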