- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-06-30T13:36:43.873284800Z" />
<EventRecordID>866403047</EventRecordID>
<Correlation />
<Execution ProcessID="508" ThreadID="2240" />
<Channel>Security</Channel>
<Computer>xxxDC01.xxxlaw.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ahmeda</Data>
<Data Name="TargetSid">S-1-5-21-663965598-47014434-1039276024-1338</Data>
<Data Name="ServiceName">krbtgt/xxxLAW.LOCAL</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x18</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:192.168.94.207</Data>
<Data Name="IpPort">55633</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
http://www.lepide.com/lepideauditor/active-directory.html
Will.