windows_event_successful_logon
SCHEMA
column | type | description |
authentication_package | string | The name of the authentication package which was used for the logon |
description | string | Plugin description text |
event_timestamps | string | List of times for the same logons |
eventid | int | The Windows event ID |
key_length | int | The length of NTLM Session Security key |
logon_process | string | The name of the trusted logon process that was used for the logon attempt |
logon_type | int | The type of logon which was performed |
name | string | Name of the registry value entry |
provider_name | string | The Windows event provider |
remote_address | string | IP address of machine from which logon attempt was performed |
remote_port | int | Source port which was used for logon attempt from remote machine |
source | string | The Windows event source |
subject_domain | string | The domain or computer name for the account that reported the logon |
subject_logon_id | string | Hexadecimal value for the logon that created the task |
subject_username | string | The account that reported the logon |
target_domain | string | The domain or computer name for the account specified |
target_logon_id | string | Hexadecimal value for the new logon |
target_username | string | The name of the account that was specified in the logon attempt |
transmitted_services | string | The list of transmitted services |
-- windows_event_successful_logon INFO
SELECT
  -- Device ID DETAILS
  meta_hostname, meta_ip_address,
  -- Query Details
  query_name, authentication_package, description, event_timestamps, eventid, key_length, logon_process, logon_type, name, provider_name, remote_address, remote_port, source, subject_domain, subject_logon_id, subject_username, target_domain, target_logon_id, target_username, transmitted_services,
  -- Decoration
  meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip, meta_query_pack_version, meta_username,
  --- Generic
  calendar_time, counter, epoch, host_identifier, numerics osquery_action, unix_time,
  -- Data Lake
  customer_id, endpoint_id, upload_size
FROM xdr_data
WHERE query_name = 'windows_event_successful_logon'
RESULTS
| meta_hostname | meta_ip_address | query_name | authentication_package | description | event_timestamps | eventid | key_length | logon_process | logon_type | name | provider_name | remote_address | remote_port | source | subject_domain | subject_logon_id | subject_username | target_domain | target_logon_id | target_username | transmitted_services | meta_boot_time | meta_eid | meta_endpoint_type | meta_ip_mask | meta_mac_address | meta_os_name | meta_os_platform | meta_os_type | meta_os_version | meta_public_ip | meta_query_pack_version | meta_username | calendar_time | counter | epoch | host_identifier | osquery_action | unix_time | customer_id | endpoint_id | upload_size |
| Victim5-Win10 | 192.168.100.129 | windows_event_successful_logon | Negotiate | A user account was successfully logged on | 1602540120,1602541309,1602542497,1602543553,1602543686 | 4624 | 0 | Advapi | 5 | C:\Windows\System32\services.exe | Microsoft-Windows-Security-Auditing | - | 0 | Security | WORKGROUP | 0x3e7 | VICTIM5-WIN10$ | NT AUTHORITY | 0x3e7 | SYSTEM | - | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-12T23:05:52Z | 33 | 1602413479 | Victim5-Win10 | False | 2020-10-12T23:05:52Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 1260 |
| Victim1-EDR | 192.168.100.164 | windows_event_successful_logon | Negotiate | A user account was successfully logged on | 1602144242,1602144374,1602144376,1602145517,1602146294,1602146429,1602146431 | 4624 | 0 | Advapi | 5 | C:\Windows\System32\services.exe | Microsoft-Windows-Security-Auditing | - | 0 | Security | WORKGROUP | 0x3e7 | VICTIM1-EDR$ | NT AUTHORITY | 0x3e7 | SYSTEM | - | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T08:57:50Z | 40 | 1601805150 | Victim1-EDR | False | 2020-10-08T08:57:50Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 1278 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602146896 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53805 | Security | - | 0x0 | - | NT AUTHORITY | 0xeaec5dd | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602146896 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53806 | Security | - | 0x0 | - | NT AUTHORITY | 0xeaec5f3 | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602147621 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53821 | Security | - | 0x0 | - | NT AUTHORITY | 0xeb61abf | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602147621 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53822 | Security | - | 0x0 | - | NT AUTHORITY | 0xeb61ad9 | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602148346 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53836 | Security | - | 0x0 | - | NT AUTHORITY | 0xec88ac8 | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602148346 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53838 | Security | - | 0x0 | - | NT AUTHORITY | 0xec88ae2 | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602149071 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53847 | Security | - | 0x0 | - | NT AUTHORITY | 0xed008c5 | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602149071 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53848 | Security | - | 0x0 | - | NT AUTHORITY | 0xed008fc | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602149796 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53860 | Security | - | 0x0 | - | NT AUTHORITY | 0xed63b3d | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | NTLM | A user account was successfully logged on | 1602149797 | 4624 | 128 | NtLmSsp | 3 | - | Microsoft-Windows-Security-Auditing | 192.168.100.164 | 53861 | Security | - | 0x0 | - | NT AUTHORITY | 0xed63f62 | ANONYMOUS LOGON | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1185 |
| Victim3-EDR | 192.168.100.143 | windows_event_successful_logon | Negotiate | A user account was successfully logged on | 1602148166,1602148299,1602148301,1602148574 | 4624 | 0 | Advapi | 5 | C:\Windows\System32\services.exe | Microsoft-Windows-Security-Auditing | - | 0 | Security | WORKGROUP | 0x3e7 | VICTIM3-EDR$ | NT AUTHORITY | 0x3e7 | SYSTEM | - | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-08T09:49:10Z | 44 | 1601805653 | Victim3-EDR | False | 2020-10-08T09:49:10Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 1245 |
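The results above mix two kinds of 4624 events: service logons (logon_type 5, logon_process Advapi, target SYSTEM, no remote address) and network logons (logon_type 3, logon_process NtLmSsp, target ANONYMOUS LOGON, remote_address and remote_port populated). The following query is an added example, not part of the query pack documented on this page; it uses only the xdr_data table and the column names from the schema above, and it assumes the values are stored as the schema lists them (logon_type and eventid as integers, remote_address and event_timestamps as strings). It isolates the network logons with an anonymous target and summarises them per monitored host and per remote peer, which is the view a defender wants when triaging this data. Run against the sample rows, it returns a single row for Victim3-EDR with ten logons from 192.168.100.164.

```sql
-- Added example (not from the query pack on this page): summarise
-- anonymous network logons per host and remote peer.
-- Assumes: xdr_data and the columns from the windows_event_successful_logon
-- schema; event_timestamps is a string, so MIN/MAX compare it as text,
-- which orders correctly for same-width epoch values and for comma-separated
-- lists whose first element is the earliest time.
SELECT
  meta_hostname,
  meta_ip_address,
  remote_address,
  authentication_package,
  logon_process,
  COUNT(*)                      AS anonymous_network_logons,
  COUNT(DISTINCT remote_port)   AS distinct_source_ports,
  MIN(event_timestamps)         AS first_seen_epoch,
  MAX(event_timestamps)         AS last_seen_epoch
FROM xdr_data
WHERE query_name = 'windows_event_successful_logon'
  AND eventid = 4624
  AND logon_type = 3                          -- network logon
  AND target_username = 'ANONYMOUS LOGON'     -- null-session style target
  AND remote_address NOT IN ('-', '127.0.0.1', '::1')  -- exclude local/unknown
GROUP BY meta_hostname, meta_ip_address, remote_address,
         authentication_package, logon_process
ORDER BY anonymous_network_logons DESC, last_seen_epoch DESC;
```

A high count with many distinct source ports from one peer, as in the sample data, is the pattern to follow up on: the same filter with remote_address and target_domain added to the GROUP BY, or with the logon_type 5 rows kept, gives the baseline of what the host normally records.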