Eric Partington

Feed: MS Logon Type Description

Blog Post created by Eric Partington Employee on May 14, 2018

logon.type has been a numeric value in Windows logs in RSA NetWitness for a while, but it is not normally indexed. Now, with RSA NetWitness Endpoint Insights and the built-in Windows log parser (device.type='windows'), the metakey logon.type is indexed out of the box (OOTB).


Having a feed that matches every potential source of values for that metakey maps each numeric value to a useful, analyst-friendly name, which goes a long way toward illustrating what logon.type=2 actually means and why you should or should not care.


This feed was built from a Microsoft KB article describing the Windows logon types, and its output appears in a new meta key: logon.type.desc


It looks like this, and currently flags on device.type='windows', 'nwendpoint' and 'winevent_nic'.
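To make the mapping concrete, here is an added example (not the feed from this post or any RSA code) that builds the same kind of numeric-to-description lookup and applies it to a few constructed Windows log records in the way a NetWitness feed would: only records whose device.type is one the feed is configured for get enriched, and values the feed does not know are left without a logon.type.desc rather than given a guessed name. The logon type numbers and names are Microsoft's documented values for event 4624; the two-column CSV layout, the field names used for the records, and the assumption that a feed adds no meta when the lookup fails are simplifications made for this example, since in NetWitness the column-to-metakey binding lives in the feed definition, not the CSV file.

```python
import csv
import io
from collections import Counter

# Logon type codes and names as documented by Microsoft for Windows event 4624.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# device.type values the post says the feed fires on.
FEED_DEVICE_TYPES = {"windows", "nwendpoint", "winevent_nic"}


def build_feed_csv():
    """Render the mapping as a two-column CSV: logon.type, logon.type.desc.
    (Assumption: a simplified feed file; the real metakey binding is
    configured in the NetWitness feed definition, not in the CSV.)"""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for code, desc in sorted(LOGON_TYPES.items()):
        writer.writerow([code, desc])
    return buf.getvalue()


def load_feed(csv_text):
    """Parse the feed CSV back into a {int code: description} lookup."""
    return {int(row[0]): row[1] for row in csv.reader(io.StringIO(csv_text)) if row}


def enrich(record, feed):
    """Return a copy of the record with logon.type.desc added when the feed
    applies. Mirrors feed behaviour: no device match or no value match means
    no new meta is written, so an unexpected code stays visible as unmapped."""
    out = dict(record)
    if out.get("device.type") not in FEED_DEVICE_TYPES:
        return out
    try:
        code = int(out.get("logon.type"))
    except (TypeError, ValueError):
        return out
    if code in feed:
        out["logon.type.desc"] = feed[code]
    return out


def enrich_all(records, feed):
    return [enrich(r, feed) for r in records]


def summarize(records):
    """Count enriched records per description, the view an analyst pivots on.
    Records that received no description are counted under '(unmapped)'."""
    return Counter(r.get("logon.type.desc", "(unmapped)") for r in records)


# Constructed sample records (not real log data); field names are assumptions.
SAMPLE_RECORDS = [
    {"device.type": "windows", "event.id": "4624", "user": "alice", "logon.type": "2"},
    {"device.type": "nwendpoint", "event.id": "4624", "user": "svc_backup", "logon.type": "5"},
    {"device.type": "winevent_nic", "event.id": "4624", "user": "bob", "logon.type": "10"},
    {"device.type": "windows", "event.id": "4624", "user": "carol", "logon.type": "42"},
    {"device.type": "rhlinux", "event.id": "sshd", "user": "dave", "logon.type": "3"},
]

if __name__ == "__main__":
    feed = load_feed(build_feed_csv())
    enriched = enrich_all(SAMPLE_RECORDS, feed)
    for r in enriched:
        print(r["device.type"], r["user"], r["logon.type"], "->",
              r.get("logon.type.desc", "(not enriched)"))
    print(summarize(enriched))
```

The unmapped case is deliberate: a logon.type value the feed does not recognise (the constructed "42" above) shows up in summarize() as "(unmapped)", which is the signal that the feed file needs updating rather than something to paper over with a default name.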


Here's my GitHub link specifically for this feed, which will reflect any changes made in the future.


GitHub - epartington/rsa_nw_feed_microsoftlogontype 
