User Account Authentication (a953ca55-921a-44f7-9b8d-3d40141aa17e)
An attempt (successful or failed) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.
Data Collection Measures:
- Host-Based Authentication Logs
  - Windows Event Logs
    - Event ID 4776 – NTLM authentication attempt.
    - Event ID 4624 – Successful user logon.
    - Event ID 4625 – Failed authentication attempt.
    - Event ID 4648 – Explicit logon with alternate credentials.
  - Linux/macOS Authentication Logs
    - /var/log/auth.log, /var/log/secure – Logs SSH, sudo, and other authentication attempts.
    - AuditD – Tracks authentication events via PAM modules.
    - macOS Unified Logs – /var/db/diagnostics captures authentication failures.
- Cloud Authentication Logs
  - Azure AD Logs
    - Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures.
    - Audit Logs – Captures authentication-related configuration changes.
    - Microsoft Graph API – Provides real-time sign-in analytics.
  - Google Workspace & Office 365
    - Google Admin Console – User Login Report tracks login attempts and failures.
    - Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams.
  - AWS CloudTrail & IAM
    - Tracks authentication via AWS IAM AuthenticateUser and sts:GetSessionToken.
    - Logs failed authentications to AWS Management Console and API requests.
- Container Authentication Monitoring
  - Kubernetes Authentication Logs
    - kubectl audit logs – Captures authentication attempts for service accounts and admin users.
    - Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events.
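As an added example (not part of the original page or of the ATT&CK data sources it lists), the script below normalizes authentication events from two of the sources above, sshd lines in /var/log/auth.log and Windows Security events 4624/4625/4648, into one shape and flags sources with repeated failures. The log lines and event records are constructed samples, and the Windows field names (TargetUserName, IpAddress, LogonType) are assumed to match the Security event XML data.

```python
import re
from collections import Counter

# Constructed sample /var/log/auth.log lines (not taken from the original page).
AUTH_LOG = """\
Mar  3 10:01:12 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:15 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 10:01:19 host1 sshd[2203]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
Mar  3 10:02:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
"""

# Constructed Windows Security events reduced to the fields used here (field names assumed).
WIN_EVENTS = [
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.9", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "203.0.113.9", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "198.51.100.4", "LogonType": 10},
    {"EventID": 4648, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5", "LogonType": 0},
]

# Matches the sshd outcome, the target user (with or without "invalid user") and the source address.
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")

def parse_auth_log(text):
    """Normalize sshd lines into {outcome, user, source}; non-sshd lines (e.g. sudo) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome = "success" if m.group(1) == "Accepted" else "failure"
            events.append({"outcome": outcome, "user": m.group(2), "source": m.group(3)})
    return events

def parse_windows_events(records):
    """Map Event IDs to the same shape; 4648 is an explicit-credential logon, kept as its own outcome."""
    outcome_by_id = {4624: "success", 4625: "failure", 4648: "explicit"}
    return [{"outcome": outcome_by_id[r["EventID"]], "user": r["TargetUserName"], "source": r["IpAddress"]}
            for r in records if r["EventID"] in outcome_by_id]

def failures_by_source(events, threshold=2):
    """Return {source: count} for sources with at least `threshold` failed authentications."""
    counts = Counter(e["source"] for e in events if e["outcome"] == "failure")
    return {src: n for src, n in counts.items() if n >= threshold}

def combined_events():
    """Merge both log sources so failures from one address are counted across hosts and platforms."""
    return parse_auth_log(AUTH_LOG) + parse_windows_events(WIN_EVENTS)
```

Counting across both sources is the point: a single address with two failures per log looks unremarkable per host but shows four failures once the events are normalized together.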