0 Replies Latest reply on May 1, 2017 7:19 AM by ksudki

    "Host" field

    ksudki

      Dear community,

       

      What should the value of the "host" field be used for?

       

      The reason why I am asking such a "basic" question is that:

      1. No document described the mapping of the fields. Does McAfee have any document explaining it?

       

      2. For the same event ID 4624 (Windows) with the ntlm/kerberos/microsoft authentication package, the field mapping is changed:

      Case 1 - kerberos

      Field             Value
      Host              <fqdn(hostname.domain)>
      Source_IP         <Datasource IP> or 127.0.0.1
      Destination_IP    <Datasource IP>
      Source_User       <Hostname$>
      Destination_User  <empty>
      Logon_Type        3 - Network
      Object            kerberos

       

      Case 2 - Authentication package

      Field             Value
      Host              <hostname>
      Source_IP         <Client IP>
      Destination_IP    <Datasource IP>
      Source_User       <username>
      Destination_User  <empty>
      Logon_Type        3 - Network
      Object            microsoft_authentication_package_v1_0

       

      Case 3 - NTLM

      Field             Value
      Host              <Client hostname>
      Source_IP         <Client IP>
      Destination_IP    <Datasource IP>
      Source_User       <Client hostname$>
      Destination_User  <empty>
      Logon_Type        3 - Network
      Object            ntlm

       

      * The same applies when using Windows Event Forwarding.

      ** Even between the built-in and ASP parsers there are some differences in the mapping to the custom fields.

       

      Thank you for your help.