User Access Logs (UAL)
Overview
Evidence: User Access Logs (UAL)
Description: Collect and Parse User Access Logs
Category: System
Platform: windows
Short Name: ual
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
User Access Logging (UAL), stored under the SUM (Software Usage Metrics) directory, is a Windows Server feature (Server 2012 and later) that records client accesses to installed server roles and services, such as file services, Active Directory Domain Services and IIS. For each client it keeps the source IP address, the authenticated user name where the role records one, first and last access timestamps, and daily and total access counts. Because it is enabled by default on servers and survives event log rollover, it is a valuable source for auditing remote access and service usage long after the corresponding Security event log entries are gone.
Data Collected
This collector gathers the client access records from the UAL databases and emits them as structured rows in user_access_logs: the role or service accessed (resolved from its GUID to a name where SystemIdentity.mdb provides one), the client address, the authenticated user name when recorded, the first and last access timestamps, the access counts, and the database file the record came from.
Collection Method
This collector copies SystemIdentity.mdb and Current.mdb (and the archived, GUID-named .mdb files for prior years) from the SUM directory, reads SystemIdentity.mdb to resolve role GUIDs to role names and to find the chained databases, then parses each SUM .mdb file and extracts its client access records into user_access_logs. Two caveats apply to the on-disk copies: the UAL service keeps recent activity in memory and only writes it to the database periodically (roughly once every 24 hours), so the most recent day may be missing from the collected files; and a database copied from a running system may be in a dirty (not cleanly shut down) state, which some ESE parsers refuse to open without recovery.
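The post-extraction steps described above (resolving role GUIDs through SystemIdentity.mdb, walking Current.mdb plus the chained archive databases, decoding the binary client addresses, and writing one normalised row per client record) are shown below as an added example; it is not the collector's own code. It assumes an ESE reader such as libesedb has already dumped the relevant tables into lists of dicts, and the table and column names it uses (ROLE_IDS, CHAINED_DATABASES, RoleGuid, RoleName, FileName, Address, AuthenticatedUserName, InsertDate, LastAccess, TotalAccesses) are assumptions about the UAL schema. All GUIDs, addresses and timestamps are constructed sample data, and the final triage helper that flags clients outside expected address ranges is an addition beyond what the collector itself does.

```python
"""Normalise UAL client-access records once the ESE tables have been read.

Added example, not the collector's code. Table/column names are assumptions
about the UAL schema; every GUID, address and timestamp is constructed data.
"""
import datetime as dt
import ipaddress
from typing import Dict, Iterable, List

UTC = dt.timezone.utc

# Constructed contents of SystemIdentity.mdb: role map and chained databases.
ROLE_IDS = [
    {"RoleGuid": "{00000000-0000-0000-0000-000000000001}", "RoleName": "File Server"},
    {"RoleGuid": "{00000000-0000-0000-0000-000000000002}", "RoleName": "Active Directory Domain Services"},
]
CHAINED_DATABASES = [{"Year": 2023, "FileName": "{aaaaaaaa-0000-0000-0000-000000002023}.mdb"}]
SYSTEM_IDENTITY = {"ROLE_IDS": ROLE_IDS, "CHAINED_DATABASES": CHAINED_DATABASES}

# Constructed CLIENTS rows per database. Address is raw bytes: 4 for IPv4, 16 for IPv6.
DATABASES = {
    "Current.mdb": [
        {"RoleGuid": "{00000000-0000-0000-0000-000000000001}",
         "Address": bytes([10, 0, 0, 5]), "AuthenticatedUserName": "CORP\\alice",
         "InsertDate": dt.datetime(2024, 1, 3, tzinfo=UTC),
         "LastAccess": dt.datetime(2024, 3, 10, tzinfo=UTC), "TotalAccesses": 42},
        {"RoleGuid": "{00000000-0000-0000-0000-000000000002}",
         "Address": ipaddress.IPv6Address("2001:db8::10").packed, "AuthenticatedUserName": None,
         "InsertDate": dt.datetime(2024, 2, 1, tzinfo=UTC),
         "LastAccess": dt.datetime(2024, 2, 1, tzinfo=UTC), "TotalAccesses": 1},
        {"RoleGuid": "{00000000-0000-0000-0000-00000000ffff}",  # deliberately not in ROLE_IDS
         "Address": bytes([203, 0, 113, 7]), "AuthenticatedUserName": "CORP\\svc-backup",
         "InsertDate": dt.datetime(2024, 3, 1, tzinfo=UTC),
         "LastAccess": dt.datetime(2024, 3, 2, tzinfo=UTC), "TotalAccesses": 7},
    ],
    "{aaaaaaaa-0000-0000-0000-000000002023}.mdb": [
        {"RoleGuid": "{00000000-0000-0000-0000-000000000001}",
         "Address": bytes([10, 0, 0, 5]), "AuthenticatedUserName": "CORP\\alice",
         "InsertDate": dt.datetime(2023, 6, 1, tzinfo=UTC),
         "LastAccess": dt.datetime(2023, 12, 30, tzinfo=UTC), "TotalAccesses": 900},
    ],
}


def build_role_map(role_rows: Iterable[dict]) -> Dict[str, str]:
    """Role GUID -> readable name; GUID case is normalised so lookups are stable."""
    return {r["RoleGuid"].upper(): r["RoleName"] for r in role_rows}


def chained_database_names(system_identity: dict) -> List[str]:
    """Current.mdb plus every archived database SystemIdentity.mdb points at."""
    return ["Current.mdb"] + [r["FileName"] for r in system_identity["CHAINED_DATABASES"]]


def decode_address(raw: bytes) -> str:
    """UAL stores the client address as raw bytes; length tells the IP version."""
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if len(raw) == 16:
        return str(ipaddress.IPv6Address(raw))
    raise ValueError(f"unexpected address length {len(raw)}")


def normalise_client(row: dict, role_map: Dict[str, str], source_db: str) -> dict:
    """One user_access_logs row; an unmapped role keeps its GUID rather than being dropped."""
    guid = row["RoleGuid"].upper()
    return {
        "source_db": source_db,
        "role": role_map.get(guid, guid),
        "client_address": decode_address(row["Address"]),
        "user": row.get("AuthenticatedUserName") or "",
        "first_access": row["InsertDate"].isoformat(),
        "last_access": row["LastAccess"].isoformat(),
        "total_accesses": int(row["TotalAccesses"]),
    }


def parse_user_access_logs(system_identity: dict, databases: Dict[str, list]) -> List[dict]:
    """Walk Current.mdb and the chained archives, emitting rows ordered by last access."""
    role_map = build_role_map(system_identity["ROLE_IDS"])
    records = []
    for db_name in chained_database_names(system_identity):
        for row in databases.get(db_name, []):  # an archive missing from the collection is tolerated
            records.append(normalise_client(row, role_map, db_name))
    records.sort(key=lambda r: r["last_access"])
    return records


def flag_external_clients(records: List[dict], internal_nets: Iterable[str]) -> List[dict]:
    """Triage helper (hypothetical, not part of the collector): clients outside expected ranges."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return [r for r in records
            if not any(ipaddress.ip_address(r["client_address"]) in n for n in nets)]


if __name__ == "__main__":
    rows = parse_user_access_logs(SYSTEM_IDENTITY, DATABASES)
    for rec in rows:
        print(rec)
    print("external:", flag_external_clients(rows, ["10.0.0.0/8", "2001:db8::/32"]))
```

Keeping the source database name on every row matters in practice: the same client appears once per year in each archive, so counts for one client must be summed across files rather than read from Current.mdb alone, and an unresolved role GUID is still worth reporting because it may belong to a role that was removed after the access happened.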
Forensic Value
UAL answers "which client, from which address, accessed which role or service, how often, and over what period" on a server, independently of the Security event log and its retention limits. That makes it useful for tracing lateral movement (an attacker's source address appearing against file or directory services on many servers), spotting unauthorized access (a service account or workstation address reaching a role it should not use), and establishing first-seen and last-seen bounds for an intrusion timeline. The per-client access counts also help distinguish a single probe from sustained use.