Elastic Windows Event Explorer

Publisher - LsaSrv

Event ID 301


Claims assigned to a new logon.

New Logon:
	Security ID:		%{TargetUserSid}
	Account Name:		%{TargetUserName}
	Account Domain:		%{TargetDomainName}
	Logon ID:		%{TargetLogonId}
	Logon GUID:		%{TargetLogonGuid}

	Logon Type:		%{LogonType}

Event in sequence:		%{EventIdx} of %{EventCountTotal}

User Claims:		%{UserClaims}

Device Claims:		%{DeviceClaims}

This event is generated when a new logon session is created and the user token associated with it contains user and/or device claims. The New Logon fields indicate the account that was logged on. If all the user and device claims in the user token cannot be accommodated in a single event, multiple such events are generated. The Event in sequence field indicates how many more events are generated for this logon session. Each user or device claim is represented in the following format:

	ClaimID ClaimTypeID : Value1, Value2 … 

The common claim types are: 0 (Invalid Type), 1 (64-bit Integer, 2 (Unsigned 64-bit Integer), 3 (String), 4 (FQBN), 5 (SID), 6 (Boolean) and 16 (Blob). If the claim value exceeds the max allowed length then the string is terminated by ...

Event Data:

# Name In Type
Out Type
1 TargetUserSid win:SID xs:string
2 TargetUserName win:UnicodeString xs:string
3 TargetDomainName win:UnicodeString xs:string
4 TargetLogonId win:HexInt64 win:HexInt64
5 TargetLogonGuid win:GUID xs:GUID
6 LogonType win:UInt32 xs:unsignedInt
7 EventIdx win:UInt32 xs:unsignedInt
8 EventCountTotal win:UInt32 xs:unsignedInt
9 UserClaims win:UnicodeString xs:string
10 DeviceClaims win:UnicodeString xs:string

Observed Windows Versions:

Version: 0

Fingerprint: LLP6MHAPWQITI