FortiSIEM Security Information Management

User Password Monitoring Events

AccelOps generates the following events related to user password monitoring during LDAP discovery of Windows Active Directory.

LDAP Password Never Expire Events

LDAP Password Not Required Events

LDAP Password Expiry Event

LDAP Password Stale Events

LDAP Password Never Expire Events

Event Type: PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES

Key Attributes:

| Name | Id | Type | Description |
|---|---|---|---|
| Event Type | eventType | string | Event type set to PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES |
| Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity) |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Reporting IP | reptDevIpAddr | Date | AccelOps Super IP |
| Relaying IP | relayDevIpAddr | Date | AccelOps Super IP |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma separated “[Attribute] = value” format |
| Host name | hostName | string | Active Directory Server Host Name |
| Host IP Address | hostIpAddr | IP | Active Directory Server IP |
| User | user | string | User logon name |
| User Full Name | userFullName | string | User full display name |
| User Distinguished Name | userDN | string | User Distinguished Name |
| Password Age | passwordAge | uint64 | Password age in days |
| Password Last Set | passwordLastSet | Date | Time when the password was last set |

LDAP Password Not Required Events

Event Type: PH_DISCOV_ADS_PASSWORD_NOT_REQD

Description: Event contains users whose password is not required

Source: Windows Active Directory Discovery via LDAP

Key Attributes:

| Name | Id | Type | Description |
|---|---|---|---|
| Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_NOT_REQD |
| Event Severity | eventSeverity | uint16 | Set to 1. |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Reporting IP | reptDevIpAddr | Date | AccelOps Super IP |
| Relaying IP | relayDevIpAddr | Date | AccelOps Super IP |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma separated “[Attribute] = value” format |
| Host name | hostName | string | Active Directory Server Host Name |
| Host IP Address | hostIpAddr | IP | Active Directory Server IP |
| User | user | string | User logon name |
| User Full Name | userFullName | string | User full display name |
| User Distinguished Name | userDN | string | User Distinguished Name |

LDAP Password Expiry Event

Event Type: PH_DISCOV_ADS_PASSWORD_TO_EXPIRE

Description: Event contains users and the times when their passwords were last set and when their passwords are about to expire

Source: Windows Active Directory Discovery via LDAP

Sample event:

<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: [PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:[eventSeverity]=PHL_INFO,[procName]=phDiscover,[fileName]=dirUser.cpp,[lineNumber]=1750,[hostIpAddr]=192.168.0.10,[user]=testuser,[userFullName]=Testuser,[userDN]=CN=Testuser,CN=Users,DC=acme,DC=net,[daysToPasswordExpiry]=0,[passwordLastSet]=1360606672,[phLogDetail]=

Key Attributes:

| Name | Id | Type | Description |
|---|---|---|---|
| Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_TO_EXPIRE |
| Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity) |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Reporting IP | reptDevIpAddr | Date | AccelOps Super IP |
| Relaying IP | relayDevIpAddr | Date | AccelOps Super IP |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma separated “[Attribute] = value” format |
| Host name | hostName | string | Active Directory Server Host Name |
| Host IP Address | hostIpAddr | IP | Active Directory Server IP |
| User | user | string | User logon name |
| User Full Name | userFullName | string | User full display name |
| User Distinguished Name | userDN | string | User Distinguished Name |
| Days to Password Expiry | daysToPasswordExpiry | uint64 | Number of days until the password will expire |
| Password Last Set | passwordLastSet | Date | Time when the password was last set |
LDAP Password Stale Events

Event Type: PH_DISCOV_ADS_PASSWORD_STALE

Key Attributes:

| Name | Id | Type | Description |
|---|---|---|---|
| Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_STALE |
| Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity) |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Reporting IP | reptDevIpAddr | Date | AccelOps Super IP |
| Relaying IP | relayDevIpAddr | Date | AccelOps Super IP |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma separated “[Attribute] = value” format |
| Host name | hostName | string | Active Directory Server Host Name |
| Host IP Address | hostIpAddr | IP | Active Directory Server IP |
| User | user | string | User logon name |
| User Full Name | userFullName | string | User full display name |
| User Distinguished Name | userDN | string | User Distinguished Name |
| Password Age | passwordAge | uint64 | Age of the password in days |
| Password Last Set | passwordLastSet | Date | Time when the password was last set |
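The rawEventMsg attribute of every event above carries all attributes in the comma separated [Attribute]=value form shown in the PH_DISCOV_ADS_PASSWORD_TO_EXPIRE sample. The following Python is an added example, not AccelOps or FortiSIEM code: it parses that sample (userDN itself contains commas, so the parser splits on ",[" boundaries rather than on every comma), applies the 0-4/5-8/9-10 severity-to-category mapping the tables define, and flags an account whose password expires within a warning window; the warn_days threshold and the regex-based parser are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# The PH_DISCOV_ADS_PASSWORD_TO_EXPIRE sample event from this page, embedded as test
# input (with the extraction-broken "procName" and "hostIpAddr" tokens repaired).
SAMPLE_EVENT = (
    "<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: "
    "[PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:[eventSeverity]=PHL_INFO,[procName]=phDiscover,"
    "[fileName]=dirUser.cpp,[lineNumber]=1750,[hostIpAddr]=192.168.0.10,[user]=testuser,"
    "[userFullName]=Testuser,[userDN]=CN=Testuser,CN=Users,DC=acme,DC=net,"
    "[daysToPasswordExpiry]=0,[passwordLastSet]=1360606672,[phLogDetail]="
)

# The event type is the bracketed token ending in "]:"; what follows is a comma separated
# list of [key]=value pairs. userDN itself contains commas, so a value runs until the
# next ",[" (or end of line) rather than until the next comma.
HEADER_RE = re.compile(r"\[(?P<eventType>PH_[A-Z0-9_]+)\]:(?P<body>.*)$")
PAIR_RE = re.compile(r"\[(?P<key>[A-Za-z0-9_]+)\]=(?P<value>.*?)(?=,\[|$)")


def parse_event(raw: str) -> dict:
    """Return {attribute: value} for one AccelOps discovery event line."""
    m = HEADER_RE.search(raw)
    if not m:
        raise ValueError("not an [EVENT_TYPE]:[key]=value message")
    attrs = {"eventType": m.group("eventType")}
    for pair in PAIR_RE.finditer(m.group("body")):
        attrs[pair.group("key")] = pair.group("value")
    return attrs


def severity_category(severity: int) -> str:
    """Map numeric eventSeverity (0-10) to eventSeverityCat as the tables define it."""
    if not 0 <= severity <= 10:
        raise ValueError("eventSeverity must be between 0 and 10")
    return "Low" if severity <= 4 else "Medium" if severity <= 8 else "High"


def password_expiry_finding(raw: str, warn_days: int = 7) -> dict:
    """Flag an account whose password expires within warn_days (threshold is assumed)."""
    ev = parse_event(raw)
    if ev["eventType"] != "PH_DISCOV_ADS_PASSWORD_TO_EXPIRE":
        return {}
    days_left = int(ev["daysToPasswordExpiry"])
    # passwordLastSet is a Unix epoch in seconds; the syslog header carries no year.
    last_set = datetime.fromtimestamp(int(ev["passwordLastSet"]), tz=timezone.utc)
    return {"user": ev["user"], "userDN": ev["userDN"],
            "daysToPasswordExpiry": days_left, "expiring": days_left <= warn_days,
            "passwordLastSet": last_set.strftime("%Y-%m-%d")}
```

For the sample, the finding reports daysToPasswordExpiry 0 and a passwordLastSet date of 2013-02-11, which matches the Feb 12 syslog timestamp once the epoch is read in UTC.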
