Type: Success Audit
Logon attempt using explicit credentials:
Logged on user:
User Name: <name>
Logon ID: <ID>
Logon GUID: <GUID>
User whose credentials were used:
Target User Name: <name>
Target Domain: <domain>
Target Logon GUID: <GUID>
Target Server Name: <name>
Target Server Info: <name>
Caller Process ID: <ID>
Source Network Address: <address>
Source Port: <port>.
Concepts to understand: What are the credentials?
This event can occur when the user credentials have been stored using the "Stored user names and passwords" applet in the control panel. It is possible to store credentials for automatic use (on XP and Server 2003) when connecting to network resources. When in place, any drive mapping or browsing attempt will automatically use any relevant stored credentials, even if the password for those credentials is no longer valid. In my case, it eventually locked out the stored user's account. See the link to "Stored User Names and Passwords" for some info on stored credentials.
This event is also recorded when FrontPage is used to connect to a website with a different account from the one currently logged in.
As per Microsoft: "A user who is logged on tried to create another logon session with a different user's credentials. Typically, this occurs when the user runs the RUNAS command and specifies a different set of credentials". See MSW2KDB for more details.
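An added example, not part of the original page or its comments: it parses event descriptions in the layout shown above and counts how often one logged-on user presents the same other account's credentials, which helps tell a stored credential being replayed automatically from a one-off RUNAS. The sample messages, account names and the threshold of 3 are constructed assumptions.

```python
from collections import Counter

# Constructed sample messages using the field layout shown on this page.
TEMPLATE = (
    "Logon attempt using explicit credentials:\n"
    "Logged on user:\nUser Name: {user}\nLogon ID: (0x0,0x3E7A1)\n"
    "Logon GUID: -\nUser whose credentials were used:\n"
    "Target User Name: {target}\nTarget Domain: CORP\n"
    "Target Logon GUID: -\nTarget Server Name: {server}\n"
    "Target Server Info: {server}\nCaller Process ID: 1234\n"
    "Source Network Address: -\nSource Port: -."
)
SAMPLE_EVENTS = (
    [TEMPLATE.format(user="alice", target="svc_backup", server="fileserver01")] * 4
    + [TEMPLATE.format(user="bob", target="bob_admin", server="localhost")]
)


def parse_event(message):
    """Turn one event description into a dict of its 'Name: value' fields."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        value = value.strip()
        if sep and value:  # section headings have nothing after the colon
            fields[key.strip()] = value
    if "Source Port" in fields:  # the description ends with a full stop
        fields["Source Port"] = fields["Source Port"].rstrip(".")
    return fields


def repeated_explicit_logons(messages, threshold=3):
    """Return (user, target, server) triples seen at least `threshold` times
    where the logged-on user presented a different account's credentials."""
    counts = Counter()
    for message in messages:
        f = parse_event(message)
        user, target = f.get("User Name"), f.get("Target User Name")
        if not user or not target or user.lower() == target.lower():
            continue  # wrong layout, or the user's own credentials
        counts[(user, target, f.get("Target Server Name", "?"))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (user, target, server), n in repeated_explicit_logons(SAMPLE_EVENTS).items():
        print(f"{user} used {target}'s credentials against {server} {n} times")
```

When the target account is being locked out, the triples returned point at the logged-on user and machine whose stored credentials need to be updated or removed.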
Links: Stored User Names and Passwords, MSW2KDB