Skip to content

Latest commit

 

History

History
114 lines (82 loc) · 3.5 KB

audit-variables.md

File metadata and controls

114 lines (82 loc) · 3.5 KB

Audit variables

The following variables are available for use in events processed by audit notification channels. Where information is not available or not applicable to an audit event, the placeholder value will be replaced with an empty string.

{user.SamAccountName}

The user's samAccountName

{user.MsDsPrincipalName}

The user's NT4-style domain name (eg domain\user)

{user.DisplayName}

The user's displayName

{user.UserPrincipalName}

The user's UPN

{user.Sid}

The user's SID

{user.DistinguishedName}

The user's distinguished name

{user.Description}

The description attribute of the user in Active Directory

{user.EmailAddress}

The user's email address

{user.Guid}

The objectGUID of the user in Active Directory

{user.GivenName}

The user's given name

{user.Surname}

The user's surname

{computer.SamAccountName}

The samAccountName of the computer

{computer.MsDsPrincipalName}

The NT4-style name of the computer (eg domain\pc1$)

{computer.DistinguishedName}

The distinguishedName of the computer

{computer.Description}

The description attribute of the computer in Active Directory

{computer.DisplayName}

The display name of the computer

{computer.Guid}

The objectGUID of the computer in Active Directory

{computer.Sid}

The SID of the computer in Active Directory

{request.ComputerName}

The exact string provided by the user in the computer name field of the access request

{request.Reason}

The user-supplied reason for the access request

{AuthzResult.MatchedRuleDescription}

The friendly description of the rule that granted access to the user

{AuthzResult.MatchedRule}

The ID of the rule that granted access to the user

{AuthzResult.ExpireAfter}

The duration of time that access was allowed for. For JIT, this is the duration of allowed time specified in the matching access rule. For LAPS, this is the amount of time until the LAPS password expires, if configured to do so in the access rule.

{AuthzResult.AccessExpiryDate}

The specific date and time that the JIT access expires, or the date and time that the LAPS password is set to rotate.

{AuthzResult.ResponseCode}

A response code that represents the result of the authorization decision. Valid values are;

  • Success: The user was granted access to the specified computer
  • Undefined: No authorization state is provided. The user's access was denied.
  • NoMatchingRuleForComputer : There were no authorization rules that applied to the specific computer. The user's access was denied.
  • NoMatchingRuleForUser: There were no rules that specifically granted access to a user. The user's access was denied.
  • ExplicitlyDenied: Reserved for future use. The user's access was denied.

{AuthzResult.AccessType}

The type of access that was evaluated. Valid values are;

  • LocalAdminPassword
  • LocalAdminPasswordHistory
  • Jit
  • BitLocker

{AuthzResult.AccessTypeDescription}

A friendly name for type of access that was evaluated. Valid values are;

  • Local admin password
  • Local admin password history
  • Just-in-time access
  • BitLocker recovery passwords

{message}

Additional auditing information generated by the system

{request.IPAddress}

The IP address of the users request

{request.Hostname}

The hostname (if available) obtained from doing a reverse lookup of the IP address

{datetime}

The date and time of the access request, in the local time zone of the server

{datetimeutc}

The date and time of the access request, in UTC time