3 Replies Latest reply on Feb 12, 2014 11:53 AM by rth67

    Normalization Rule Difference


      In the Authentication section of the Normalization Rule section there is a Domain Login Normalization Rule and a Network Login Authorization Rule. What is the difference between the two?

        • 1. Re: Normalization Rule Difference

          We have modified many of the Aggregation settings for the Authentication events, here is what we have documented for the 2 login's you are requesting: (There are also Admin Login, Host Login, and Misc Login Normalization Rules)


          Type                      Normalization   Signature ID           Rule Name
          Domain Login      409223168      43-263047760      The domain controller attempted to validate the credentials for an account.
          Domain Login      409223168      43-263047710      Kerberos pre-authentication failed.
          Domain Login      409223168      43-263047700      A Kerberos service ticket was renewed.
          Domain Login      409223168      43-211006800      Logon Attempt


          Network Login      409190400      43-263047690      A Kerberos service ticket was requested.
          Network Login      409190400      43-211005400      Successful Network Logon
          Network Login      409190400      43-211005520      Logon attempt using explicit credentials
          Network Login      409190400      43-263047790      A session was disconnected from a Window Station.
          Network Login      409190400      43-211006820      Reconnected Session

          Network Login      409190400      43-263047780      A session was reconnected to a Window Station.

          Network Login      409190400      43-211006830      Session disconnected from winstation

          Network Login      409190400      43-263047740      An account was mapped for logon.


          Hopefully by the descriptions of the events helps you determine what the differences are.

          • 2. Re: Normalization Rule Difference

            I understand what the difference is now, but with this new informaiton I am confised as to what kind of event needs to happen before you see anything in the HIPAA - Netowrk Login Failrues view/report.


            It looks like these sig IDs are successes whn it comes to network logons.

            • 3. Re: Normalization Rule Difference

              If you do an "Edit View" on the "HIPAA - Network Login Failures" View you can "Edit" the query to see what they are filtering on - NormID 409190400/18, Device Type ID [CLASS:OS], and Event Subtype: Failure

              If you go to a simple custom view (Event Summary, Count, and Distribution - for example) - then use the Filters on the Right Side and see if you can duplicate what the canned view is supposed to show.

              If I am at the Root of our Physical Display the Device Type ID slows down the view.

              We have many custom Navigation Tree items, if I switch it to a navigation tree that shows "Data Sources - WMI" and then just add the SigID and Event Subtype it populates much faster.


              FYI - You can't save changes to the canned views, but you can copy them, and then modify the copy.

              There are certain canned views/reports that are somewhat useless - for example any of them looking for anything related to "Admin" generally have it pre-populated with "Admin, Administrator, and SU" as the Source User which does not work for us.

              1 of 1 people found this helpful