[STRM/JSA] Windows events do not contain asset identity information

Article ID: KB34780 KB Last Updated: 27 Jul 2019 Version: 1.0

Summary:

JSA states that Windows events have identity properties, but not all Windows events contain information that can be used for Asset identity.

Symptoms:

Windows events do not contain asset identity information.

Cause:

Whether an event generates Asset information depends on the "Logon Type" value in the Windows event payload. Logon Types 3, 4, 5, 7, 8, 9, and 10 will not generate Identity.

These Logon Types correlate to:

3: Network
4: Batch
5: Service
7: Unlock
8: Network clear text
9: New credentials based
10: Remote Interactive

Solution:

To be considered for Identity, an event must have one of certain Event IDs, and both Computer= and OriginatingComputer= must be null.

Windows Event IDs 528, 540, 672, 4624, 4768, 4776, 18453, 18454, 18455, and 20158 are considered for identity provided all preconditions are met: Computer= and OriginatingComputer= must be null, and the Logon Type must not be 3, 4, 5, 7, 8, 9, or 10.
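
The following Python sketch applies these preconditions to a raw payload and reports why an event would not be considered for identity. It is an added example, not Juniper code. It assumes a tab-separated key=value payload, treats "null" as an absent or empty value, and reads the Logon Type from the message text; the sample payloads are constructed.

```python
import re

# Values taken from the article above.
IDENTITY_EVENT_IDS = {528, 540, 672, 4624, 4768, 4776, 18453, 18454, 18455, 20158}
NON_IDENTITY_LOGON_TYPES = {3, 4, 5, 7, 8, 9, 10}
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")

def parse_fields(payload):
    """Assumption: payload is tab-separated key=value pairs; first occurrence wins."""
    fields = {}
    for part in payload.split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields

def identity_blockers(payload):
    """Return the reasons an event is not considered for identity ([] = considered)."""
    fields = parse_fields(payload)
    reasons = []
    event_id = fields.get("EventID", "")
    if not event_id.isdigit() or int(event_id) not in IDENTITY_EVENT_IDS:
        reasons.append(f"EventID {event_id or '<missing>'} is not an identity event ID")
    # Assumption: "null" means the key is absent or its value is empty.
    for key in ("Computer", "OriginatingComputer"):
        if fields.get(key):
            reasons.append(f"{key}= is not null")
    # Events without a Logon Type (e.g. 4768, 4776) pass this precondition.
    match = LOGON_TYPE_RE.search(payload)
    if match and int(match.group(1)) in NON_IDENTITY_LOGON_TYPES:
        reasons.append(f"Logon Type {match.group(1)} does not generate identity")
    return reasons

# Constructed sample payloads (not captured from a real system).
BASE = "AgentDevice=WindowsLog\tComputer={c}\tOriginatingComputer=\tEventID={e}\tMessage=Logon Type: {t}"
SAMPLES = {
    "interactive": BASE.format(c="", e=4624, t=2),
    "network": BASE.format(c="", e=4624, t=3),
    "computer_set": BASE.format(c="ws01.example.test", e=4624, t=2),
    "other_event": BASE.format(c="", e=4625, t=2),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, identity_blockers(payload) or "considered for identity")
```
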
