Authentication
The authentication category contains events that are related to authentication, sessions, and access controls that monitor users on the network.
The following table describes the low-level event categories and associated severity levels for the authentication category.
Table 1: Low-level Categories and Severity Levels for the Authentication Events Category
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Authentication | 3001 | Indicates unknown authentication. | 1 |
Host Login Succeeded | 3002 | Indicates a successful host login. | 1 |
Host Login Failed | 3003 | Indicates that the host login failed. | 3 |
Misc Login Succeeded | 3004 | Indicates that the login sequence succeeded. | 1 |
Misc Login Failed | 3005 | Indicates that the login sequence failed. | 3 |
Privilege Escalation Failed | 3006 | Indicates that the privilege escalation failed. | 3 |
Privilege Escalation Succeeded | 3007 | Indicates that the privilege escalation succeeded. | 1 |
Mail Service Login Succeeded | 3008 | Indicates that the mail service login succeeded. | 1 |
Mail Service Login Failed | 3009 | Indicates that the mail service login failed. | 3 |
Auth Server Login Failed | 3010 | Indicates that the authentication server login failed. | 3 |
Auth Server Login Succeeded | 3011 | Indicates that the authentication server login succeeded. | 1 |
Web Service Login Succeeded | 3012 | Indicates that the web service login succeeded. | 1 |
Web Service Login Failed | 3013 | Indicates that the web service login failed. | 3 |
Admin Login Successful | 3014 | Indicates that an administrative login was successful. | 1 |
Admin Login Failure | 3015 | Indicates that the administrative login failed. | 3 |
Suspicious Username | 3016 | Indicates that a user attempted to access the network by using an incorrect user name. | 4 |
Login with username/password defaults successful | 3017 | Indicates that a user accessed the network by using the default user name and password. | 4 |
Login with username/password defaults failed | 3018 | Indicates that a user was unsuccessful accessing the network by using the default user name and password. | 4 |
FTP Login Succeeded | 3019 | Indicates that the FTP login was successful. | 1 |
FTP Login Failed | 3020 | Indicates that the FTP login failed. | 3 |
SSH Login Succeeded | 3021 | Indicates that the SSH login was successful. | 1 |
SSH Login Failed | 3022 | Indicates that the SSH login failed. | 2 |
User Right Assigned | 3023 | Indicates that user access to network resources was successfully granted. | 1 |
User Right Removed | 3024 | Indicates that user access to network resources was successfully removed. | 1 |
Trusted Domain Added | 3025 | Indicates that a trusted domain was successfully added to your deployment. | 1 |
Trusted Domain Removed | 3026 | Indicates that a trusted domain was removed from your deployment. | 1 |
System Security Access Granted | 3027 | Indicates that system security access was successfully granted. | 1 |
System Security Access Removed | 3028 | Indicates that system security access was successfully removed. | 1 |
Policy Added | 3029 | Indicates that a policy was successfully added. | 1 |
Policy Change | 3030 | Indicates that a policy was successfully changed. | 1 |
User Account Added | 3031 | Indicates that a user account was successfully added. | 1 |
User Account Changed | 3032 | Indicates a change to an existing user account. | 1 |
Password Change Failed | 3033 | Indicates that an attempt to change an existing password failed. | 3 |
Password Change Succeeded | 3034 | Indicates that a password change was successful. | 1 |
User Account Removed | 3035 | Indicates that a user account was successfully removed. | 1 |
Group Member Added | 3036 | Indicates that a group member was successfully added. | 1 |
Group Member Removed | 3037 | Indicates that a group member was removed. | 1 |
Group Added | 3038 | Indicates that a group was successfully added. | 1 |
Group Changed | 3039 | Indicates a change to an existing group. | 1 |
Group Removed | 3040 | Indicates that a group was removed. | 1 |
Computer Account Added | 3041 | Indicates that a computer account was successfully added. | 1 |
Computer Account Changed | 3042 | Indicates a change to an existing computer account. | 1 |
Computer Account Removed | 3043 | Indicates that a computer account was successfully removed. | 1 |
Remote Access Login Succeeded | 3044 | Indicates that access to the network by using a remote login was successful. | 1 |
Remote Access Login Failed | 3045 | Indicates that an attempt to access the network by using a remote login failed. | 3 |
General Authentication Successful | 3046 | Indicates that the authentication process was successful. | 1 |
General Authentication Failed | 3047 | Indicates that the authentication process failed. | 3 |
Telnet Login Succeeded | 3048 | Indicates that the telnet login was successful. | 1 |
Telnet Login Failed | 3049 | Indicates that the telnet login failed. | 3 |
Suspicious Password | 3050 | Indicates that a user attempted to log in by using a suspicious password. | 4 |
Samba Login Successful | 3051 | Indicates that a user successfully logged in by using Samba. | 1 |
Samba Login Failed | 3052 | Indicates a user failed to log in by using Samba. | 3 |
Auth Server Session Opened | 3053 | Indicates that a communication session with the authentication server was started. | 1 |
Auth Server Session Closed | 3054 | Indicates that a communication session with the authentication server was closed. | 1 |
Firewall Session Closed | 3055 | Indicates that a firewall session was closed. | 1 |
Host Logout | 3056 | Indicates that a host successfully logged out. | 1 |
Misc Logout | 3057 | Indicates that a user successfully logged out. | 1 |
Auth Server Logout | 3058 | Indicates that the process to log out of the authentication server was successful. | 1 |
Web Service Logout | 3059 | Indicates that the process to log out of the web service was successful. | 1 |
Admin Logout | 3060 | Indicates that the administrative user successfully logged out. | 1 |
FTP Logout | 3061 | Indicates that the process to log out of the FTP service was successful. | 1 |
SSH Logout | 3062 | Indicates that the process to log out of the SSH session was successful. | 1 |
Remote Access Logout | 3063 | Indicates that the process to log out using remote access was successful. | 1 |
Telnet Logout | 3064 | Indicates that the process to log out of the Telnet session was successful. | 1 |
Samba Logout | 3065 | Indicates that the process to log out of Samba was successful. | 1 |
SSH Session Started | 3066 | Indicates that the SSH login session was initiated on a host. | 1 |
SSH Session Finished | 3067 | Indicates the termination of an SSH login session on a host. | 1 |
Admin Session Started | 3068 | Indicates that a login session was initiated on a host by an administrative or privileged user. | 1 |
Admin Session Finished | 3069 | Indicates the termination of an administrator's or privileged user's login session on a host. | 1 |
VoIP Login Succeeded | 3070 | Indicates a successful VoIP service login. | 1 |
VoIP Login Failed | 3071 | Indicates an unsuccessful attempt to access VoIP service. | 1 |
VoIP Logout | 3072 | Indicates a user logout. | 1 |
VoIP Session Initiated | 3073 | Indicates the beginning of a VoIP session. | 1 |
VoIP Session Terminated | 3074 | Indicates the end of a VoIP session. | 1 |
Database Login Succeeded | 3075 | Indicates a successful database login. | 1 |
Database Login Failure | 3076 | Indicates a database login attempt failed. | 3 |
IKE Authentication Failed | 3077 | Indicates that a failed Internet Key Exchange (IKE) authentication was detected. | 3 |
IKE Authentication Succeeded | 3078 | Indicates that a successful IKE authentication was detected. | 1 |
IKE Session Started | 3079 | Indicates that an IKE session started. | 1 |
IKE Session Ended | 3080 | Indicates that an IKE session ended. | 1 |
IKE Error | 3081 | Indicates an IKE error message. | 1 |
IKE Status | 3082 | Indicates an IKE status message. | 1 |
RADIUS Session Started | 3083 | Indicates that a RADIUS session started. | 1 |
RADIUS Session Ended | 3084 | Indicates a RADIUS session ended. | 1 |
RADIUS Session Denied | 3085 | Indicates that a RADIUS session was denied. | 1 |
RADIUS Session Status | 3086 | Indicates a RADIUS session status message. | 1 |
RADIUS Authentication Failed | 3087 | Indicates a RADIUS authentication failure. | 3 |
RADIUS Authentication Successful | 3088 | Indicates a RADIUS authentication succeeded. | 1 |
TACACS Session Started | 3089 | Indicates a TACACS session started. | 1 |
TACACS Session Ended | 3090 | Indicates a TACACS session ended. | 1 |
TACACS Session Denied | 3091 | Indicates that a TACACS session was denied. | 1 |
TACACS Session Status | 3092 | Indicates a TACACS session status message. | 1 |
TACACS Authentication Successful | 3093 | Indicates a TACACS authentication succeeded. | 1 |
TACACS Authentication Failed | 3094 | Indicates a TACACS authentication failure. | 1 |
Deauthenticating Host Succeeded | 3095 | Indicates that the deauthentication of a host was successful. | 1 |
Deauthenticating Host Failed | 3096 | Indicates that the deauthentication of a host failed. | 3 |
Station Authentication Succeeded | 3097 | Indicates that the station authentication was successful. | 1 |
Station Authentication Failed | 3098 | Indicates that the station authentication of a host failed. | 3 |
Station Association Succeeded | 3099 | Indicates that the station association was successful. | 1 |
Station Association Failed | 3100 | Indicates that the station association failed. | 3 |
Station Reassociation Succeeded | 3101 | Indicates that the station reassociation was successful. | 1 |
Station Reassociation Failed | 3102 | Indicates that the station reassociation failed. | 3 |
Disassociating Host Succeeded | 3103 | Indicates that disassociating a host was successful. | 1 |
Disassociating Host Failed | 3104 | Indicates that disassociating a host failed. | 3 |
SA Error | 3105 | Indicates a Security Association (SA) error message. | 5 |
SA Creation Failure | 3106 | Indicates a Security Association (SA) creation failure. | 3 |
SA Established | 3107 | Indicates that a Security Association (SA) connection was established. | 1 |
SA Rejected | 3108 | Indicates that a Security Association (SA) connection was rejected. | 3 |
Deleting SA | 3109 | Indicates the deletion of a Security Association (SA). | 1 |
Creating SA | 3110 | Indicates the creation of a Security Association (SA). | 1 |
Certificate Mismatch | 3111 | Indicates a certificate mismatch. | 3 |
Credentials Mismatch | 3112 | Indicates a credentials mismatch. | 3 |
Admin Login Attempt | 3113 | Indicates an admin login attempt. | 2 |
User Login Attempt | 3114 | Indicates a user login attempt. | 2 |
User Login Successful | 3115 | Indicates a successful user login. | 1 |
User Login Failure | 3116 | Indicates a failed user login. | 3 |
SFTP Login Succeeded | 3117 | Indicates a successful SSH File Transfer Protocol (SFTP) login. | 1 |
SFTP Login Failed | 3118 | Indicates a failed SSH File Transfer Protocol (SFTP) login. | 3 |
SFTP Logout | 3119 | Indicates an SSH File Transfer Protocol (SFTP) logout. | 1 |
Identity Granted | 3120 | Indicates that an identity was granted. | 1 |
Identity Removed | 3121 | Indicates that an identity was removed. | 1 |
Identity Revoked | 3122 | Indicates that an identity was revoked. | 1 |
Policy Removed | 3123 | Indicates that a policy was removed. | 1 |
User Account Lock | 3124 | Indicates that a user account was locked. | 1 |
User Account Unlock | 3125 | Indicates that a user account was unlocked. | 1 |
User Account Expired | 3126 | Indicates that a user account is expired. | 1 |