docdriza
Level 10
Message 1 of 4

Normalization Rule Difference


In the Authentication section of the Normalization Rule section there is a Domain Login Normalization Rule and a Network Login Authorization Rule. What is the difference between the two?

Accepted Solution
rth67
Level 12
Message 2 of 4

Re: Normalization Rule Difference


We have modified many of the Aggregation settings for the Authentication events; here is what we have documented for the 2 logins you are asking about. (There are also Admin Login, Host Login, and Misc Login Normalization Rules.)

Type             Normalization   Signature ID    Rule Name
Domain Login     409223168       43-263047760    The domain controller attempted to validate the credentials for an account.
Domain Login     409223168       43-263047710    Kerberos pre-authentication failed.
Domain Login     409223168       43-263047700    A Kerberos service ticket was renewed.
Domain Login     409223168       43-211006800    Logon Attempt

Network Login    409190400       43-263047690    A Kerberos service ticket was requested.
Network Login    409190400       43-211005400    Successful Network Logon
Network Login    409190400       43-211005520    Logon attempt using explicit credentials
Network Login    409190400       43-263047790    A session was disconnected from a Window Station.
Network Login    409190400       43-211006820    Reconnected Session
Network Login    409190400       43-263047780    A session was reconnected to a Window Station.
Network Login    409190400       43-211006830    Session disconnected from winstation
Network Login    409190400       43-263047740    An account was mapped for logon.

Hopefully the descriptions of the events help you determine what the differences are.


3 Replies

docdriza
Level 10
Message 3 of 4

Re: Normalization Rule Difference


I understand what the difference is now, but with this new information I am confused as to what kind of event needs to happen before you see anything in the "HIPAA - Network Login Failures" view/report.

It looks like these sig IDs are successes when it comes to network logons.

rth67
Level 12
Message 4 of 4

Re: Normalization Rule Difference


If you do an "Edit View" on the "HIPAA - Network Login Failures" View, you can "Edit" the query to see what they are filtering on: NormID 409190400/18, Device Type ID [CLASS:OS], and Event Subtype: Failure.

If you go to a simple custom view (Event Summary, Count, and Distribution - for example) - then use the Filters on the Right Side and see if you can duplicate what the canned view is supposed to show.

If I am at the Root of our Physical Display, the Device Type ID slows down the view.

We have many custom Navigation Tree items, if I switch it to a navigation tree that shows "Data Sources - WMI" and then just add the SigID and Event Subtype it populates much faster.

FYI - You can't save changes to the canned views, but you can copy them, and then modify the copy.

There are certain canned views/reports that are somewhat useless - for example any of them looking for anything related to "Admin" generally have it pre-populated with "Admin, Administrator, and SU" as the Source User which does not work for us.
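Added example (not from the thread, and not McAfee's own code): the three filter criteria rth67 reads out of the canned view, applied to a few constructed events so you can see which of the signature IDs from the table above would actually reach a "Network Login Failures" view. Two things are my assumptions rather than anything the thread states: "409190400/18" is treated as a CIDR-style prefix on the 32-bit normalization ID (the top 18 bits must match), and "[CLASS:OS]" is modelled as a `device_class == "OS"` field. The sample events, including their Success/Failure subtypes, are constructed for illustration.

```python
"""Apply the 'HIPAA - Network Login Failures' filter from the thread to
constructed normalized events and report why a given event is excluded.

Assumptions (mine, not stated in the thread):
- NormID "409190400/18" is a prefix match on the top 18 bits of a 32-bit ID.
- Device Type ID "[CLASS:OS]" is modelled as device_class == "OS".
- Event Subtype is one of the strings "Success" or "Failure".
"""
from dataclasses import dataclass
from typing import List, Optional

# Normalization IDs quoted in the thread.
NETWORK_LOGIN_NORMID = 409190400   # 0x1863C000
DOMAIN_LOGIN_NORMID = 409223168    # 0x18644000


def norm_prefix_matches(norm_id: int, prefix_id: int, prefix_bits: int) -> bool:
    """True when the top `prefix_bits` bits of both 32-bit IDs are equal."""
    mask = (0xFFFFFFFF << (32 - prefix_bits)) & 0xFFFFFFFF
    return (norm_id & mask) == (prefix_id & mask)


@dataclass
class Event:
    sig_id: str
    norm_id: int
    device_class: str   # assumption: "OS" stands in for [CLASS:OS]
    subtype: str        # "Success" or "Failure"
    rule_name: str


def excluded_because(ev: Event) -> Optional[str]:
    """Return the first criterion of the canned view that the event fails,
    or None when it would appear in the view. Useful when a view is empty
    and you want to know which filter is dropping your events."""
    if not norm_prefix_matches(ev.norm_id, NETWORK_LOGIN_NORMID, 18):
        return "norm_id outside 409190400/18"
    if ev.device_class != "OS":
        return "device type not [CLASS:OS]"
    if ev.subtype != "Failure":
        return "subtype is not Failure"
    return None


def network_login_failures(events: List[Event]) -> List[Event]:
    """Events that satisfy all three criteria of the canned view."""
    return [ev for ev in events if excluded_because(ev) is None]


# Constructed sample events; sig IDs and rule names come from the table in
# the thread, the subtypes and device classes are made up for illustration.
SAMPLE_EVENTS = [
    Event("43-211005520", NETWORK_LOGIN_NORMID, "OS", "Failure",
          "Logon attempt using explicit credentials"),
    Event("43-211005400", NETWORK_LOGIN_NORMID, "OS", "Success",
          "Successful Network Logon"),
    Event("43-263047710", DOMAIN_LOGIN_NORMID, "OS", "Failure",
          "Kerberos pre-authentication failed"),
    Event("43-263047740", NETWORK_LOGIN_NORMID, "OS", "Failure",
          "An account was mapped for logon"),
    # contrived: same signature, but the source is not in the OS device class
    Event("43-211005520", NETWORK_LOGIN_NORMID, "Firewall", "Failure",
          "Logon attempt using explicit credentials"),
]


def main() -> None:
    for ev in SAMPLE_EVENTS:
        reason = excluded_because(ev)
        status = "SHOWN" if reason is None else f"dropped ({reason})"
        print(f"{ev.sig_id}  norm={ev.norm_id}  {ev.subtype:8} {status}")


if __name__ == "__main__":
    main()
```

The point the prefix check makes: the Domain Login ID (409223168) and the Network Login ID (409190400) differ inside their top 18 bits, so a Kerberos pre-authentication failure normalized as Domain Login never enters this view no matter its subtype, and a Network Login signature only appears once an event with that signature is actually normalized with subtype Failure. That matches docdriza's observation that the listed Network Login signatures are mostly successes.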
