cancel
Showing results for 
Search instead for 
Did you mean: 

Normalization Rule Difference

Jump to solution

In the Authentication section of the Normalization Rule section there is a Domain Login Normalization Rule and a Network Login Authorization Rule. What is the difference between the two?

1 Solution

Accepted Solutions
Highlighted
rth67
Level 12
Report Inappropriate Content
Message 2 of 4

Re: Normalization Rule Difference

Jump to solution

We have modified many of the Aggregation settings for the Authentication events, here is what we have documented for the 2 login's you are requesting: (There are also Admin Login, Host Login, and Misc Login Normalization Rules)

Type                      Normalization   Signature ID           Rule Name
Domain Login      409223168      43-263047760      The domain controller attempted to validate the credentials for an account.
Domain Login      409223168      43-263047710      Kerberos pre-authentication failed.
Domain Login      409223168      43-263047700      A Kerberos service ticket was renewed.
Domain Login      409223168      43-211006800      Logon Attempt

Network Login      409190400      43-263047690      A Kerberos service ticket was requested.
Network Login      409190400      43-211005400      Successful Network Logon
Network Login      409190400      43-211005520      Logon attempt using explicit credentials
Network Login      409190400      43-263047790      A session was disconnected from a Window Station.
Network Login      409190400      43-211006820      Reconnected Session

Network Login      409190400      43-263047780      A session was reconnected to a Window Station.

Network Login      409190400      43-211006830      Session disconnected from winstation

Network Login      409190400      43-263047740      An account was mapped for logon.

Hopefully by the descriptions of the events helps you determine what the differences are.

3 Replies
Highlighted
rth67
Level 12
Report Inappropriate Content
Message 2 of 4

Re: Normalization Rule Difference

Jump to solution

We have modified many of the Aggregation settings for the Authentication events, here is what we have documented for the 2 login's you are requesting: (There are also Admin Login, Host Login, and Misc Login Normalization Rules)

Type                      Normalization   Signature ID           Rule Name
Domain Login      409223168      43-263047760      The domain controller attempted to validate the credentials for an account.
Domain Login      409223168      43-263047710      Kerberos pre-authentication failed.
Domain Login      409223168      43-263047700      A Kerberos service ticket was renewed.
Domain Login      409223168      43-211006800      Logon Attempt

Network Login      409190400      43-263047690      A Kerberos service ticket was requested.
Network Login      409190400      43-211005400      Successful Network Logon
Network Login      409190400      43-211005520      Logon attempt using explicit credentials
Network Login      409190400      43-263047790      A session was disconnected from a Window Station.
Network Login      409190400      43-211006820      Reconnected Session

Network Login      409190400      43-263047780      A session was reconnected to a Window Station.

Network Login      409190400      43-211006830      Session disconnected from winstation

Network Login      409190400      43-263047740      An account was mapped for logon.

Hopefully by the descriptions of the events helps you determine what the differences are.

Re: Normalization Rule Difference

Jump to solution

I understand what the difference is now, but with this new informaiton I am confised as to what kind of event needs to happen before you see anything in the HIPAA - Netowrk Login Failrues view/report.

It looks like these sig IDs are successes whn it comes to network logons.

rth67
Level 12
Report Inappropriate Content
Message 4 of 4

Re: Normalization Rule Difference

Jump to solution

If you do an "Edit View" on the "HIPAA - Network Login Failures" View you can "Edit" the query to see what they are filtering on - NormID 409190400/18, Device Type ID [CLASS:OS], and Event Subtype: Failure

If you go to a simple custom view (Event Summary, Count, and Distribution - for example) - then use the Filters on the Right Side and see if you can duplicate what the canned view is supposed to show.

If I am at the Root of our Physical Display the Device Type ID slows down the view.

We have many custom Navigation Tree items, if I switch it to a navigation tree that shows "Data Sources - WMI" and then just add the SigID and Event Subtype it populates much faster.

FYI - You can't save changes to the canned views, but you can copy them, and then modify the copy.

There are certain canned views/reports that are somewhat useless - for example any of them looking for anything related to "Admin" generally have it pre-populated with "Admin, Administrator, and SU" as the Source User which does not work for us.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community