2025-04-22

monitor ADFS logons

From Technet :
- events on ADFS: 1200,1201,1203,1206,1210
- events on WAP: 224, 245, 396, 12025, 13015, 13046, 14027, 14032

- events on ADFS - Security - 299, 401, 403, 404, 410, 412, 431, 500, 501, 502, 503, 510, 1200

event Security:299, AD FS Auditing, Classic - Audit Success, Information - token is issued; connection with different events on Instance ID; relaying party identifier

event Security:401, AD FS Auditing, Classic - Audit Success, Information - request context headers, Activity ID

event Security:403, AD FS Auditing, Classic - Audit Success, Information - HTTP request was received, Instance ID, Activity ID, client IP, caller identity, details, request header in ID 510

event Security:404, AD FS Auditing, Classic - Audit Success, Information - HTTP response was dispatched, Instance ID, Activity ID, headers in ID 510

event Security:410, AD FS Auditing, Classic - Audit Success, Information - request context headers, Activity ID

event Security:412, AD FS Auditing, Classic - Audit Success, Information - token for relaying party was successfully authenticated, instance ID in event 501 - caller identity, Activity ID, Instance ID

event Security:431, AD FS Auditing, Classic - Audit Success, Information - active request was received, key type, request type, Activity ID

event Security:500, AD FS Auditing, Classic - Audit Success, Information - issued claims; connection with different events on Instance ID

event Security:501, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as claim); connection with different events on Instance ID; caller identity

event Security:502, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as claim); connection with different events on Instance ID; onBehalf of identity

event Security:503, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as claim); connection with different events on Instance ID; actAS identity

event Security:510, AD FS Auditing, Classic - Audit Success, Information - header for request from event ID 403, Instance ID

event Security:1200, AD FS Auditing, Classic - Audit Success, Information - valid token issued; connection with different events on Instance ID

event Security:1206, AD FS Auditing, Classic - Audit Success, Information - sign out request Activity ID

Brak komentarzy:

Prześlij komentarz