Authentication
The authentication category contains events that are related to authentication, sessions, and access controls that monitor users on the network.
The following table describes the low-level event categories and associated severity levels for the authentication category.
| Low-level event category | Category ID | Description | Severity level (0 - 10) |
|---|---|---|---|
| Unknown Authentication | 3001 | Indicates unknown authentication. | 1 |
| Host Login Succeeded | 3002 | Indicates a successful host login. | 1 |
| Host Login Failed | 3003 | Indicates that the host login failed. | 3 |
| Misc Login Succeeded | 3004 | Indicates that the login sequence succeeded. | 1 |
| Misc Login Failed | 3005 | Indicates that login sequence failed. | 3 |
| Privilege Escalation Failed | 3006 | Indicates that the privileged escalation failed. | 3 |
| Privilege Escalation Succeeded | 3007 | Indicates that the privilege escalation succeeded. | 1 |
| Mail Service Login Succeeded | 3008 | Indicates that the mail service login succeeded. | 1 |
| Mail Service Login Failed | 3009 | Indicates that the mail service login failed. | 3 |
| Auth Server Login Failed | 3010 | Indicates that the authentication server login failed. | 3 |
| Auth Server Login Succeeded | 3011 | Indicates that the authentication server login succeeded. | 1 |
| Web Service Login Succeeded | 3012 | Indicates that the web service login succeeded. | 1 |
| Web Service Login Failed | 3013 | Indicates that the web service login failed. | 3 |
| Admin Login Successful | 3014 | Indicates that an administrative login was successful. | 1 |
| Admin Login Failure | 3015 | Indicates the administrative login failed. | 3 |
| Suspicious Username | 3016 | Indicates that a user attempted to access the network by using an incorrect user name. | 4 |
| Login with username/ password defaults successful | 3017 | Indicates that a user accessed the network by using the default user name and password. | 4 |
| Login with username/ password defaults failed | 3018 | Indicates that a user was unsuccessful accessing the network by using the default user name and password. | 4 |
| FTP Login Succeeded | 3019 | Indicates that the FTP login was successful. | 1 |
| FTP Login Failed | 3020 | Indicates that the FTP login failed. | 3 |
| SSH Login Succeeded | 3021 | Indicates that the SSH login was successful. | 1 |
| SSH Login Failed | 3022 | Indicates that the SSH login failed. | 2 |
| User Right Assigned | 3023 | Indicates that user access to network resources was successfully granted. | 1 |
| User Right Removed | 3024 | Indicates that user access to network resources was successfully removed. | 1 |
| Trusted Domain Added | 3025 | Indicates that a trusted domain was successfully added to your deployment. | 1 |
| Trusted Domain Removed | 3026 | Indicates that a trusted domain was removed from your deployment. | 1 |
| System Security Access Granted | 3027 | Indicates that system security access was successfully granted. | 1 |
| System Security Access Removed | 3028 | Indicates that system security access was successfully removed. | 1 |
| Policy Added | 3029 | Indicates that a policy was successfully added. | 1 |
| Policy Change | 3030 | Indicates that a policy was successfully changed. | 1 |
| User Account Added | 3031 | Indicates that a user account was successfully added. | 1 |
| User Account Changed | 3032 | Indicates a change to an existing user account. | 1 |
| Password Change Failed | 3033 | Indicates that an attempt to change an existing password failed. | 3 |
| Password Change Succeeded | 3034 | Indicates that a password change was successful. | 1 |
| User Account Removed | 3035 | Indicates that a user account was successfully removed. | 1 |
| Group Member Added | 3036 | Indicates that a group member was successfully added. | 1 |
| Group Member Removed | 3037 | Indicates that a group member was removed. | 1 |
| Group Added | 3038 | Indicates that a group was successfully added. | 1 |
| Group Changed | 3039 | Indicates a change to an existing group. | 1 |
| Group Removed | 3040 | Indicates that a group was removed. | 1 |
| Computer Account Added | 3041 | Indicates that a computer account was successfully added. | 1 |
| Computer Account Changed | 3042 | Indicates a change to an existing computer account. | 1 |
| Computer Account Removed | 3043 | Indicates that a computer account was successfully removed. | 1 |
| Remote Access Login Succeeded | 3044 | Indicates that access to the network by using a remote login was successful. | 1 |
| Remote Access Login Failed | 3045 | Indicates that an attempt to access the network by using a remote login failed. | 3 |
| General Authentication Successful | 3046 | Indicates that the authentication processes was successful. | 1 |
| General Authentication Failed | 3047 | Indicates that the authentication process failed. | 3 |
| Telnet Login Succeeded | 3048 | Indicates that the telnet login was successful. | 1 |
| Telnet Login Failed | 3049 | Indicates that the telnet login failed. | 3 |
| Suspicious Password | 3050 | Indicates that a user attempted to log in by using a suspicious password. | 4 |
| Samba Login Successful | 3051 | Indicates that a user successfully logged in by using Samba. | 1 |
| Samba Login Failed | 3052 | Indicates a user failed to log in by using Samba. | 3 |
| Auth Server Session Opened | 3053 | Indicates that a communication session with the authentication server was started. | 1 |
| Auth Server Session Closed | 3054 | Indicates that a communication session with the authentication server was closed. | 1 |
| Firewall Session Closed | 3055 | Indicates that a firewall session was closed. | 1 |
| Host Logout | 3056 | Indicates that a host successfully logged out. | 1 |
| Misc Logout | 3057 | Indicates that a user successfully logged out. | 1 |
| Auth Server Logout | 3058 | Indicates that the process to log out of the authentication server was successful. | 1 |
| Web Service Logout | 3059 | Indicates that the process to log out of the web service was successful. | 1 |
| Admin Logout | 3060 | Indicates that the administrative user successfully logged out. | 1 |
| FTP Logout | 3061 | Indicates that the process to log out of the FTP service was successful. | 1 |
| SSH Logout | 3062 | Indicates that the process to log out of the SSH session was successful. | 1 |
| Remote Access Logout | 3063 | Indicates that the process to log out using remote access was successful. | 1 |
| Telnet Logout | 3064 | Indicates that the process to log out of the Telnet session was successful. | 1 |
| Samba Logout | 3065 | Indicates that the process to log out of Samba was successful. | 1 |
| SSH Session Started | 3066 | Indicates that the SSH login session was initiated on a host. | 1 |
| SSH Session Finished | 3067 | Indicates the termination of an SSH login session on a host. | 1 |
| Admin Session Started | 3068 | Indicates that a login session was initiated on a host by an administrative or privileged user. | 1 |
| Admin Session Finished | 3069 | Indicates the termination of an administrator or privileged users login session on a host. | 1 |
| VoIP Login Succeeded | 3070 | Indicates a successful VoIP service login | 1 |
| VoIP Login Failed | 3071 | Indicates an unsuccessful attempt to access VoIP service. | 1 |
| VoIP Logout | 3072 | Indicates a user logout, | 1 |
| VoIP Session Initiated | 3073 | Indicates the beginning of a VoIP session. | 1 |
| VoIP Session Terminated | 3074 | Indicates the end of a VoIP session. | 1 |
| Database Login Succeeded | 3075 | Indicates a successful database login. | 1 |
| Database Login Failure | 3076 | Indicates a database login attempt failed. | 3 |
| IKE Authentication Failed | 3077 | Indicates a failed Internet Key Exchange (IKE) authentication was detected. | 3 |
| IKE Authentication Succeeded | 3078 | Indicates that a successful IKE authentication was detected. | 1 |
| IKE Session Started | 3079 | Indicates that an IKE session started. | 1 |
| IKE Session Ended | 3080 | Indicates that an IKE session ended. | 1 |
| IKE Error | 3081 | Indicates an IKE error message. | 1 |
| IKE Status | 3082 | Indicates IKE status message. | 1 |
| RADIUS Session Started | 3083 | Indicates that a RADIUS session started. | 1 |
| RADIUS Session Ended | 3084 | Indicates a RADIUS session ended. | 1 |
| RADIUS Session Denied | 3085 | Indicates that a RADIUS session was denied. | 1 |
| RADIUS Session Status | 3086 | Indicates a RADIUS session status message. | 1 |
| RADIUS Authentication Failed | 3087 | Indicates a RADIUS authentication failure. | 3 |
| RADIUS Authentication Successful | 3088 | Indicates a RADIUS authentication succeeded. | 1 |
| TACACS Session Started | 3089 | Indicates a TACACS session started. | 1 |
| TACACS Session Ended | 3090 | Indicates a TACACS session ended. | 1 |
| TACACS Session Denied | 3091 | Indicates that a TACACS session was denied. | 1 |
| TACACS Session Status | 3092 | Indicates a TACACS session status message. | 1 |
| TACACS Authentication Successful | 3093 | Indicates a TACACS authentication succeeded. | 1 |
| TACACS Authentication Failed | 3094 | Indicates a TACACS authentication failure. | 1 |
| Deauthenticating Host Succeeded | 3095 | Indicates that the deauthentication of a host was successful. | 1 |
| Deauthenticating Host Failed | 3096 | Indicates that the deauthentication of a host failed. | 3 |
| Station Authentication Succeeded | 3097 | Indicates that the station authentication was successful. | 1 |
| Station Authentication Failed | 3098 | Indicates that the station authentication of a host failed. | 3 |
| Station Association Succeeded | 3099 | Indicates that the station association was successful. | 1 |
| Station Association Failed | 3100 | Indicates that the station association failed. | 3 |
| Station Reassociation Succeeded | 3101 | Indicates that the station reassociation was successful. | 1 |
| Station Reassociation Failed | 3102 | Indicates that the station association failed. | 3 |
| Disassociating Host Succeeded | 3103 | Indicates that the disassociating a host was successful. | 1 |
| Disassociating Host Failed | 3104 | Indicates that the disassociating a host failed. | 3 |
| SA Error | 3105 | Indicates a Security Association (SA) error message. | 5 |
| SA Creation Failure | 3106 | Indicates a Security Association (SA) creation failure. | 3 |
| SA Established | 3107 | Indicates that a Security Association (SA) connection established. | 1 |
| SA Rejected | 3108 | Indicates that a Security Association (SA) connection rejected. | 3 |
| Deleting SA | 3109 | Indicates the deletion of a Security Association (SA). | 1 |
| Creating SA | 3110 | Indicates the creation of a Security Association (SA). | 1 |
| Certificate Mismatch | 3111 | Indicates a certificate mismatch. | 3 |
| Credentials Mismatch | 3112 | Indicates a credentials mismatch. | 3 |
| Admin Login Attempt | 3113 | Indicates an admin login attempt. | 2 |
| User Login Attempt | 3114 | Indicates a user login attempt. | 2 |
| User Login Successful | 3115 | Indicates a successful user login. | 1 |
| User Login Failure | 3116 | Indicates a failed user login. | 3 |
| SFTP Login Succeeded | 3117 | Indicates a successful SSH File Transfer Protocol (SFTP) login. | 1 |
| SFTP Login Failed | 3118 | Indicates a failed SSH File Transfer Protocol (SFTP) login. | 3 |
| SFTP Logout | 3119 | Indicates an SSH File Transfer Protocol (SFTP) logout. | 1 |
| Identity Granted | 3120 | Indicates that an identity was granted. | 1 |
| Identity Removed | 3121 | Indicates that an identity was removed. | 1 |
| Identity Revoked | 3122 | Indicates that an identity was revoked. | 1 |
| Policy Removed | 3123 | Indicates that a policy was removed. | 1 |
| User Account Lock | 3124 | Indicates that a user account was locked. | 1 |
| User Account Unlock | 3125 | Indicates that a user account was unlocked | 1 |
| User Account Expired | 3126 | Indicates that a user account is expired | 1 |