Elastic Windows Event Explorer


Publisher - Microsoft-Windows-User Device Registration

Event ID 364

Message:

The saved Microsoft Passport information does not match the key. 
Saved information: 
  Key ID: %{SavedKeyId} 
  Key name: %{SavedKeyName} 
  IDP domain: %{SavedIdpDomain} 
  Tenant ID: %{SavedTenantId} 
  User email: %{SavedUserEmail} 
The Microsoft Passport key: 
  Key name: %{KeyName} 
  IDP domain: %{IdpDomain} 
  Tenant ID: %{TenantId} 
  User email: %{UserEmail}

Event Data:

# Name In Type
Out Type
1 SavedKeyId win:GUID xs:GUID
2 SavedKeyName win:UnicodeString xs:string
3 SavedIdpDomain win:UnicodeString xs:string
4 SavedTenantId win:UnicodeString xs:string
5 SavedUserEmail win:UnicodeString xs:string
6 KeyName win:UnicodeString xs:string
7 IdpDomain win:UnicodeString xs:string
8 TenantId win:UnicodeString xs:string
9 UserEmail win:UnicodeString xs:string

Observed Windows Versions:

Version: 0

Fingerprint: RCEZVMCWX77F4