NETLOGON

9 events across 1 channel

Event	Title	Channel	Sample
3210	Event ID 3210	System	Y
5719	This computer was not able to set up a secure session with a domain controller …	System	Y
5723	Event ID 5723	System	Y
5774	Event ID 5774	System	Y
5782	Event ID 5782	System	Y
5783	Event ID 5783	System	Y
5805	Event ID 5805	System	Y
5823	Event ID 5823	System	Y
5836	The Netlogon service was able to bind to a TCP/IP port with the configured …	System	Y

Event ID 3210

Provider: NETLOGON
Channel: System
Level: Error

Fields #

Name	Description
`Data_0`
`Data_1`
`Binary`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 3210,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T16:35:16.146153+00:00",
    "event_record_id": 1731,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "ludus",
    "Data_1": "\\\\LAB-DC01.ludus.domain",
    "Binary": "220000C0"
  },
  "message": ""
}

Event ID 5719: This computer was not able to set up a secure session with a domain controller in domain ludus due to the following: An internal error occurred.

Provider: NETLOGON
Channel: System
Level: 2

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 5719,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-08 00:26:19.683004+00:00",
    "event_record_id": 911,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 992,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "tel2-WIN11-25H2-1",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>ludus</string>\n<string>%%1359</string>\n",
    "Binary": "5QAAwA=="
  },
  "message": "This computer was not able to set up a secure session with a domain controller in domain ludus due to the following: \r\nAn internal error occurred. \r\nThis may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  \r\n\r\nADDITIONAL INFO \r\nIf this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain."
}

Event ID 5723

Provider: NETLOGON
Channel: System
Level: Error

Fields #

Name	Description
`Data_0`
`Data_1`
`Binary`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 5723,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T05:12:11.679917+00:00",
    "event_record_id": 10597,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "LAB-WIN11",
    "Data_1": "LAB-WIN11$",
    "Binary": "8B0100C0"
  },
  "message": ""
}

Event ID 5774

Provider: NETLOGON
Channel: System
Level: Error

Fields #

Name	Description
`Data_0`
`Data_1`
`Data_2`
`Data_3`
`Data_4`
`Binary`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 5774,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T01:34:08.4639056+00:00",
    "event_record_id": 6575,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "cell-a.ludus.domain. 600 IN A 10.1.20.11",
    "Data_1": "%%9502",
    "Data_2": "10.1.20.11",
    "Data_3": "0",
    "Data_4": "9502"
  },
  "message": "The dynamic registration of the DNS record 'cell-a.ludus.domain. 600 IN A 10.1.20.11' failed on the following DNS server:  \r\n\r\nDNS server IP address: 10.1.20.11 \r\nReturned Response Code (RCODE): 0 \r\nReturned Status Code: 9502  \r\n\r\nFor computers and users to locate this domain controller, this record must be registered in DNS.  \r\n\r\nUSER ACTION  \r\nDetermine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. \r\n  Or, you can manually add this record to DNS, but it is not recommended.  \r\n\r\nADDITIONAL DATA \r\nError Value: Bad DNS packet."
}

Event ID 5782

Provider: NETLOGON
Channel: System
Level: Warning

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 5782,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T16:53:49.187430+00:00",
    "event_record_id": 1246,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "%%9852",
    "Binary": "7C260000"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 5783

Provider: NETLOGON
Channel: System
Level: Error

Fields #

Name	Description
`Data`
`Binary`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 5783,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2012-04-06T18:07:03.000000Z",
    "event_record_id": 13508,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "WKS-WIN764BITB.shieldbase.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "\\\\Controller.shieldbase.local",
      "SHIELDBASE",
      "WKS-WIN764BITB"
    ],
    "Binary": ""
  }
}

Event ID 5805

Provider: NETLOGON
Channel: System
Level: Error

Fields #

Name	Description
`Data`
`Binary`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 5805,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2020-09-15T19:28:49.359773+00:00",
    "event_record_id": 63221,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "01566s-win16-ir.threebeesco.com",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "01566S-WIN16-IR",
      "%%5"
    ],
    "Binary": "IgAAwA=="
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 5823

Provider: NETLOGON
Channel: System
Level: Informational

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 5823,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:15:01.574704+00:00",
    "event_record_id": 730,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "",
    "Binary": ""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 5836: The Netlogon service was able to bind to a TCP/IP port with the configured backlog size of 10.

Provider: NETLOGON
Channel: System
Level: 4

Fields #

Name	Description
`Data_0`

Example Event #

{
  "system": {
    "provider": "NETLOGON",
    "guid": "",
    "event_source_name": "",
    "event_id": 5836,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-04-23T08:40:53.3140979+00:00",
    "event_record_id": 30512,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "10"
  },
  "message": "The Netlogon service was able to bind to a TCP/IP port with the configured backlog size of 10."
}

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

NETLOGON

Event ID 3210

Fields #

Example Event #

Event ID 5719: This computer was not able to set up a secure session with a domain controller in domain ludus due to the following: An internal error occurred.

Fields #

Example Event #

Event ID 5723

Fields #

Example Event #

Event ID 5774

Fields #

Example Event #

Event ID 5782

Fields #

Example Event #

References #

Event ID 5783

Fields #

Example Event #

Event ID 5805

Fields #

Example Event #

References #

Event ID 5823

Fields #

Example Event #

References #

Event ID 5836: The Netlogon service was able to bind to a TCP/IP port with the configured backlog size of 10.

Fields #

Example Event #

Keyboard shortcuts

Search operators