:Brief description of security audit logs in ECS instances of Windows

Application scope

Field

Description:

Overview

"successful login account"

Log overview

Topic

-

This field indicates the account on the local system that requested login. This is usually a service (such as the Server service) or a local process (such as Winlogon.exe or Services.exe).

-

Security ID

SID, security identifier is used to uniquely identify a security principal or security group. A security principal can represent any entity that can be authenticated by an operating system, such as a user account, a computer account, or a thread or process, in the security context of a user or computer account. Example: iZ23kpfre8lZ\admin

For more information, see Overview.

-

Account Name

Concepts related to security domains. Usually, it is the last corresponding field of the above security ID (if it is a user), such as the corresponding SID, the corresponding account name is admin.

Note: If you use a workgroup environment, the corresponding value is [$Hostname], such as iZ23kpfre8lZ$,[$Hostname] is the computer name.

-

Account domain

Security domain-related concepts. Related resources belong to the security domain. If it is a security group, it is a WORKGROUP; if it is a domain environment, it is a corresponding domain name.

-

Logon ID

Internal code.

The type of the logon.

-

Indicates the type of login that occurred. Common categories and their code descriptions:

2 - Interactive:

The user is logged in through the operating system console (console) port on the local keyboard. However, through KVM (traditional physical data center) or VNC-based login (such as the management terminal of cloud server ECS), although it is based on the network, it is also an interactive login.

3 - Network:

Access by users or computers through the network. The most common scenario is a shared folder connected to the server, a shared printer, and other shared resources. This type is also recorded when logging in to IIS over the network, but IIS login in basic authentication mode is an exception, which will be recorded as type 8.

4 - Batch (started as a batch job):

When Windows runs a scheduled task, the Scheduled Task Service will first create a new login session for the task so that it can run under the user account configured for the scheduled task. When this login occurs, Windows is recorded as type 4 in the log. For other types of work task systems, depending on its design, you can also generate type 4 login events when you start work. Therefore, type 4 login usually indicates the start of a scheduled task, but it may also be a malicious user guessing the user password through the scheduled task. This attempt will generate a type 4 login failure event, but this failed login may also be caused by the failure to change the user password of the scheduled task synchronously, such as the user password changed and forgot to change it in the scheduled task.

5 - Service (Windows service started by service controller):

Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that specific user, which will be recorded as type 5. Therefore, type 5 login usually indicates the start of a service. Failure type 5 usually indicates that the user's password has changed and has not been updated here. Of course, this may also be caused by a malicious user's password guess, but this possibility is relatively small, because creating a new service or editing an existing The service requires an administrator or serversoperators identity by default, and a malicious user of this identity already has sufficient permissions without having to guess the service password.

7 - Unlock (screen saver unlocked):

The Windows screensaver unlock operation is recorded as a type 7 login. A failed type 7 login indicates that someone has entered the wrong password or someone is trying to unlock the computer.

8 - NetworkCleartext (use plaintext credentials for network login):

This login indicates that this is a type 3 network login, but the password for this login is transmitted in clear text on the network. Windows Server Services (LanmanServer) does not allow connections to shared folders or printers through plaintext authentication. This login type is only marked when logging in from an ASP script that uses Advapi, or when a user logs in to IIS using basic authentication mode.

9 - NewCredentials (used by RunAs when using the /netonly option): When you run a program by using the RUNAS command with the /Netonly parameter, RUNAS runs it as the current local login user. However, if this program needs to connect to other computers on the network, it will connect with the user specified in the RUNAS command, and Windows will record this login as type 9. If the RUNAS command does not contain the /Netonly parameter, the program will run with the specified user, but the login type in the log is 2.

- RemoteInteractive 10 (remote interaction):

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows records the login type as type 10 to distinguish it from real console login. Note that previous versions of Windows XP do not support this login type. For example, Windows2000 still records Terminal Services login as type 2.

11- CachedInteractive (cache interaction):

Windows supports a function called cache login, which is especially beneficial to mobile users. For example, you will use this function when you log in as a domain user outside your network and cannot log in to the domain controller. By default, Windows caches the credentials HASH for the last 10 interactive domain logins. If you log in as a domain user and no domain controller is available, Windows will use these HASH to verify your identity and record the login type as type 11.

New login

-

This field will indicate for which account the new login was created, that is, the account that is logged in.

-

Security ID

As mentioned earlier.

-

Account Name

The user account that performed the login. For example, this may be NT AUTHORITY\SYSTEM, which is the LocalSystem account used to start many Windows services.

Account domain

The domain of the user who performed the login. If it is a workgroup environment, it is displayed as the corresponding computer name. If it is a domain environment, the corresponding domain information is displayed.

Networking

-

field indicates where the remote login request came from. "Workstation name" is not always available and may be left blank in some cases.

-

Work station name

The logon source hostname. It is displayed as the client host name when logging in via remote interactive. Other login types are usually the computer name of the local machine.

-

Source network address

The IP address of the client during remote interactive login.

-

Source port range

The port used by the client during remote interactive login.

Processes

-

The information about the process that is called by the logon operation.

Detailed authentication information

-

Provides details about this particular login request. Refers to the security packet called when attempting to log in to the account. An authentication packet is a dynamic link library (DLL) that analyzes login data and decides whether to authenticate an account. The most commonly used are Kerberos, Negotiate, NTLM, and MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (also known as MSV1_0; can authenticate users in the SAM database, support pass-through authentication for accounts in trusted domains, and support sub-authentication data.