🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page

Was this helpful?

  1. Windows Artifacts
  2. Account Usage
  3. CrowdStrike Searches

Event Name - SsoApplicationAccess

Description

Platforms: Public Cloud

Indicates successful access to an application through an SSO facilitator, which could be either an IDaaS directory, a federation portal, or a combination of both, such as Azure with AD-FS.

Fields: Public Cloud

Field

Description

ActivityId

A globally-unique identifier for the activity event.

ContextTimeStamp

System time of event creation.

SsoEventSource

The source from which the activity data was retrieved. In the case of federated-SSO, this might be either the IDaaS vendor or the federation provider, depending on the retrieval method.

Values:

  • AZURE (1)

  • OKTA (2)

  • ADFS (100)

  • PING_FEDERATE (101)

WebSessionIdentifier

SourceAccountUserName

The username associated with this activity.

SourceAccountAzureId

The unique Azure userId value of the user associated with this activity

SourceAccountOktaId

The unique OKTA actor ID of the user associated with this activity

SourceAccountObjectSid

The objectSid value of the account bound with this activity.

SourceAccountObjectGuid

The objectGUID value of the account bound with this activity.

SourceEndpointAddressIP4

The IP address of the endpoint from which this activity originates.

Mutually exclusive with the SourceEndpointAddressIP6 field.

SourceEndpointAddressIP6

The IP address of the endpoint from which this activity originates.

Mutually exclusive with the SourceEndpointAddressIP4 field.

SourceEndpointIpReputation

The reputation attributes of the source IP (SourceEndpointAddressIP4 or SourceEndpointAddressIP6).

Only set for public addresses.

Values:

  • NONE (0x00)

  • ANONYMOUS_ACTIVE (0x01)

  • ANONYMOUS_SUSPECT (0x02)

  • ANONYMOUS_INACTIVE (0x04)

  • ANONYMOUS_PRIVATE (0x08)

  • ASSOCIATED_WITH_DICTIONARY_ATTACK (0x10)

  • ASSOCIATED_WITH_DDOS_ATTACK (0x20)

  • ASSOCIATED_WITH_SPAM (0x40)

  • HOSTING_FACILITY (0x80)

SourceEndpointNetworkType

The network type to which the SourceEndpointAddressIP4 or SourceEndpointAddressIP6 value belongs, depending on customer configuration.

Values:

  • INTERNAL (0x1)

  • VPN (0x2)

  • WIRELESS (0x4)

  • NAT (0x8)

  • PUBLIC (0x10)

SourceEndpointNetworkTag

The network tag to which the SourceEndpointAddressIP4 or SourceEndpointAddressIP6 value belongs, depending on customer configuration.

SourceEndpointHostName

The hostname of the source endpoint. Might originate either directly from the raw event data or from one of the host association resolution methods.

When available, either the SourceEndpointAccountObjectSid or SourceEndpointAccountObjectGuid fields are superior for use as foreign keys.

SourceEndpointAccountObjectSid

The objectSid value of the source endpoint account.

SourceEndpointAccountObjectGuid

The objectGUID value of the source endpoint account.

ClientUserAgentString

The HTTP User-Agent string identified by the client.

ClientIdentifier

A human readable string identifying the client, if available.

LocationLongitudeAsInt

The location longitude value associated with the event.

The value is a 4-digit precision fixed-point value (11.1m) represented as a 64-bit integer.

Divide by 100,000 to get back the fixed-point value

LocationLatitudeAsInt

The location latitude value associated with the event.

The value is a 4-digit precision fixed-point value (11.1m) represented as a 64-bit integer.

Divide by 100,000 to get back the fixed-point value.

LocationAccuracyRadius

The reported accuracy radius for (LocationLatitudeAsInt, LocationLongitudeAsInt).

LocationCountryCode

The country-code associated with (LocationLatitudeAsInt, LocationLongitudeAsInt).

LocationStateCode

The state-code associated with (LocationLatitudeAsInt, LocationLongitudeAsInt).

LocationCityCode

The city-code associated with (LocationLatitudeAsInt, LocationLongitudeAsInt) as listed in the GeoNames database.

SsoApplicationIdentifier

The human-readable target application identifier.

For stronger identification, use either the SsoApplicationUri field, or vendor-specific fields such as AzureApplicationId.

SsoApplicationUri

The URL or URN of the target application.

AzureApplicationId

The unique Azure appId value of the application accessed. Is only available when the SsoEventSource field is set to AZURE.

OktaApplicationId

The unique Okta actor ID of the application being accessed.

Only set if the SsoEventSource field is set to OKTA.

AppliedDisposition

A bit mask of the disposition the sensor has applied.

IdpEntityId

PreviousEvent Name - UserLogonFailed2NextBrowser Usage

Last updated 1 year ago

Was this helpful?