### adn.f5.bigip.apm

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "bigip-apm" | str
| | action | category eventType | (eventType = "Login") ? ((category = "allow") ? "LOGIN" : "FAILED") : (eventType = "Logout") ? 'LOGOUT' : 'N/A' | str
| | machine | hostName | | str
| | appapplication | - | null('') | str
| | user_domain | domain | | str
| | user | userName | | str srcIp
| | source_ip | clientIp | | ip4 srcHost
| | source_hostname | - | null('') | str srcUser
| | source_user | - | null('') | str
| | result | category eventType | (eventType = "Login") ? ((category = "allow") ? "allow" : "deny") : 'N/A' | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### adn.f5.bigip.audit

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "bigip-audit" | str
| | action | status | (status = "Login Success") ? 'LOGIN' : (status = "Logout Success") ? 'LOGOUT' : (status = "Login Failure") ? 'FAILED' : 'N/A' | str
| | machine | hostName | | str
| | appapplication | loginTty | | str
| | user_domain | - | null('') | str
| | user | user | | str srcIp
| | source_ip | loginHostIp | | ip4 srcHost
| | source_hostname | - | null('') | str srcUser
| | source_user | - | null('') | str
| | result | status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.cisco.ise

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "cisco-ise"
| str
| | action | typeCode | (typeCode in {'Passed-Authentication'}) ? 'LOGIN' : (typeCode in {'Failed-Attempt'}) ? 'FAILED' : typeCode
| str
| | machine | host | | str
| | appapplication | DstIp | str(DstIp)
| str
| | user_domain | - | null('')
| str
| | user | UserName | | str srcIp
| | source_ip | FramedIPAddress | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.duo.administrator.login

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "duo-administrator-login"
| str
| | action | action | (action in {'admin_login'}) ? 'LOGIN' : (action in {'admin_login_error', 'admin_2fa_error'}) ? 'FAILED' : action
| str
| | machine | host | | str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | username email | ifthenelse(isnotnull(username) and not isempty(username), username, email)
| str srcIp
| | source_ip | ip_address | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | error | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.duo.authentication.events

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "duo-authentication-events"
| str
| | action | reason | decode(reason, 'user_approved', 'LOGIN', 'valid_passcode', 'LOGIN', 'allowed_by_policy', 'LOGIN', 'bypass_user', 'LOGIN', 'locked_out', 'LOGOUT', 'invalid_passcode', 'FAILED', 'no_response', 'FAILED', 'user_cancelled', 'FAILED', 'user_disabled', 'FAILED', 'user_mistake', 'FAILED', 'call_timed_out', 'FAILED', 'no_keys_pressed', 'FAILED', 'user_marked_fraud', 'FAILED', reason) | str
| | machine | host | | str
| | appapplication | application_name | | str
| | user_domain | - | null('')
| str
| | user | user_name | | str srcIp
| | source_ip | access_device_ip | | ip4 srcHost
| | source_hostname | access_device_hostname2 | | str srcUser
| | source_user | - | null('')
| str
| | result | result | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.okta.events

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "okta-events"
| str
| | action | action_message | (action_message = 'Sign-in successful') ? 'LOGIN' : action_message
| str
| | machine | - | null('')
| str
| | appapplication | targets_id_str | | str
| | user_domain | - | null('')
| str
| | user | actors_login_str | | str srcIp
| | source_ip | actors_ip_address_str | ip4(actors_ip_address_str)
| ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.okta.system

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "okta-system"
| str
| | action | legacyEventType | (legacyEventType in {'app.ad.login.success', 'app.ad.agent.user_auth', 'core.user_auth.idp.saml.login_success', 'iwa.auth', 'core.user.factor.attempt_success', 'core.user_auth.radius.login.succeeded', 'app.auth.sso', 'core.user_auth.login_success', 'core.user_auth.idp.social.login_success'}) ? 'LOGIN' : (legacyEventType in {'app.ad.login.expired_password', 'app.ad.login.unknown_failure', 'app.ad.login.locked_account', 'app.ad.login.bad_password', 'app.ad.agent.user_auth.error', 'core.user_auth.idp.saml.saml_validation_failed', 'core.user_auth.idp.saml.response_received_in_response_to_no_matching_key', 'core.user_auth.idp.invalid_user_status', 'iwa.invalid_token', 'core.user.factor.attempt_fail', 'core.user_auth.radius.login.failed', 'app.rich_client.login_failure'}) ? 'FAILED' : legacyEventType | str
| | machine | - | null('')
| str
| | appapplication | target_alternateId_str | | str
| | user_domain | - | null('')
| str
| | user | actor_alternateId | | str srcIp
| | source_ip | client_ipAddress | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | outcome_result | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.onelogin.events

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "onelogin-events"
| str
| | action | eventTypeId | (eventTypeId = 5 or eventTypeId = 8) ? 'LOGIN' : ((eventTypeId = 7 or eventTypeId = 29) ? 'LOGOUT' : 'FAILED') | str
| | machine | hostname | | str
| | appapplication | appName | | str
| | user_domain | - | null('')
| str
| | user | userName | | str srcIp
| | source_ip | ipaddr | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | riskReasons | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.ping.federate.audit

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "ping"
| str
| | action | event | (event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event | str
| | machine | pfhost | | str
| | appapplication | app | | str
| | user_domain | - | null('')
| str
| | user | subject | | str srcIp
| | source_ip | ip | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | status | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.ping.federate.security_audit

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | event | (event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event | str
| | machine | host | | str
| | appapplication | app | | str
| | user_domain | - | | str
| | user | subject | | str srcIp
| | source_ip | ip | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.ping.id.mfa

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | result__status | (result__status = "SUCCESS") ? 'LOGIN' : 'FAILED' | str
| | machine | hostname | | str
| | appapplication | - | | str
| | user_domain | - | | str
| | user | actors__name_str | | str srcIp
| | source_ip | - | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | result__message | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.securenvoy

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "securenvoy"
| str
| | action | - | "LOGIN"
| str
| | machine | hostchain | | str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | client | | str srcIp
| | source_ip | - | ip4('')
| ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.delinia.secretserver (formerly Thycotic)

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "delinia-secretserver"
| str
| | action | name | (name in {'USER - LOGOUT'}) ? 'LOGOUT' : "LOGIN"
| str
| | machine | hostchain | split(hostchain, "=", 0)
| str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | suser | | str srcIp
| | source_ip | src | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | msg | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### auth.unix

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | source | | str
| | action | action | | str
| | machine | machine | | str
| | appapplication | app | | str
| | user_domain | - | null('')
| str
| | user | user | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | srcHost | | str srcUser
| | source_user | source_user | | str
| | result | - | null('')
| str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### box.all.win

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | source | | str
| | action | status eventId | (eventId = 512 or eventId = 4624 or eventId = 4648 or eventId = 4770) ? 'LOGIN' : (eventId = 4634) ? 'LOGOUT' : (eventId = 516 or eventId = 1210) ? 'LOCKED' : (eventId = 4768 or eventId = 4769 or eventId = 4772 or eventId = 4773) ? ((status = "0x0") ? 'LOGIN' : (status = "0x12") ? 'LOCKED' : 'FAILED') : (eventId = 4776 or eventId = 4777) ? ((status = "0x0") ? 'LOGIN' : (status = "0xC0000234") ? 'LOCKED' : 'FAILED') : 'FAILED' | str
| | machine | machineIp | str(machineIp)
| str
| | appapplication | sourceName | | str
| | user_domain | domain | | str
| | user | account | | str srcIp
| | source_ip | srcIp | ip4(srcIp)
| ip4 srcHost
| | source_hostname | srcHost | | str srcUser
| | source_user | subjectUsername | | str
| | result | status | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### cef0.microsoft.microsoftWindows

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "microsoft-microsoft_windows"
| str
| | action | name | | str
| | machine | shost | | str
| | appapplication | deviceProcessName | | str
| | user_domain | - | null('')
| str
| | user | duser | | str srcIp
| | source_ip | src | | ip4 srcHost
| | source_hostname | shost | | str srcUser
| | source_user | suser | | str
| | result | reason | | str
| | message | msg | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### cloud.aws.cloudtrail.events

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "aws-cloudtrail-events"
| str
| | action | responseElements_ConsoleLogin | decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin) | str
| | machine | - | null('')
| str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | userIdentity_userName | | str srcIp
| | source_ip | sourceIPAddress | ip4(sourceIPAddress)
| ip4 srcHost
| | source_hostname | requestParameters_host_str | | str srcUser
| | source_user | requestParameters_userName | | str
| | result | responseElements_ConsoleLogin | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### cloud.aws.cloudtrail.signin

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "aws-cloudtrail-signin"
| str
| | action | eventName serviceEventDetails_UserAuthentication responseElements_ConsoleLogin responseElements_ExternalIdPDirectoryLogin | decode(eventName, "ConsoleLogin", decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin), "ExternalIdPDirectoryLogin", decode(responseElements_ExternalIdPDirectoryLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ExternalIdPDirectoryLogin), "UserAuthentication", decode(serviceEventDetails_UserAuthentication, "Success", 'LOGIN', "Failure", 'FAILED', serviceEventDetails_UserAuthentication)) | str
| | machine | - | null('')
| str
| | appapplication | - | null('')
| str
| | user_domain | userIdentity_accountId | | str
| | user | userIdentity_userName | | str srcIp
| | source_ip | sourceIPAddress | ip4(sourceIPAddress)
| ip4 srcHost
| | source_hostname | eventSource | | str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### cloud.azure.ad.signin

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "azure-ad"
| str
| | action | resultType | (resultType = 0) ? 'LOGIN' : 'FAILED'
| str
| | machine | hostchain | split(hostchain, "=", 0)
| str
| | appapplication | properties_appDisplayName | | str
| | user_domain | - | null('')
| str
| | user | identity | | str srcIp
| | source_ip | callerIpAddress | ip4(callerIpAddress)
| ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | resultType | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### cloud.azure.sql.audit

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "azure-sql-audit"
| str
| | action | action_id | (action_id = "DBAF") ? 'FAILED' : 'LOGIN'
| str
| | machine | hostname | | str
| | appapplication | application_name | | str
| | user_domain | - | null('')
| str
| | user | - | null('')
| str srcIp
| | source_ip | client_ip | | ip4 srcHost
| | source_hostname | host_name | | str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### cloud.gsuite.reports.login

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "gsuite-reports-login"
| str
| | action | - | null('')
| str
| | machine | hostname | | str
| | appapplication | id_applicationName | | str
| | user_domain | id_customerId | | str
| | user | actor_email | | str srcIp
| | source_ip | ipAddress | ip4(ipAddress)
| ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | actor_profileId | | str
| | result | - | null('')
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### cloud.office365.management

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "office365-management"
| str
| | action | Operation ResultStatus | (Operation = "UserLoggedIn" and ResultStatus = "Success") ? 'LOGIN' : 'FAILED'
| str
| | machine | hostname | | str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | UserId | | str srcIp
| | source_ip | ActorIpAddress | ip4(ActorIpAddress)
| ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | LogonError Operation ResultStatus | '{' + '"Operation": ' + (isnull(Operation) ? 'null' : '"' + str(Operation) + '"') + ', ' + '"LogonError": ' + (isnull(LogonError) ? 'null' : '"' + str(LogonError) + '"') + ', ' + '"ResultStatus": ' + (isnull(ResultStatus) ? 'null' : '"' + str(ResultStatus) + '"') + '}' | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### crm.salesforceobjects.loginhistory

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "crm.salesforceobjects.loginhistory"
| str
| | action | - | (Status = "Success") ? 'LOGIN' : 'FAILED' | str
| | machine | hostname | | str
| | appapplication | Application | | str
| | user_domain | - | | str
| | user | UserId | | str srcIp
| | source_ip | SourceIp | | ip4 srcHost
| | source_hostname | | | str srcUser
| | source_user | | | str
| | result | Status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### db.mssql.events

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "mssql"
| str
| | action | eventID | (eventID = 18456) ? 'FAILED' : 'LOGIN'
| str
| | machine | hostname2 | | str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | user | | str srcIp
| | source_ip | - | ip4('')
| ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### db.oracle.audit_trail

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "fortinet-event-system" | str
| | action | status action | (action = "login" and status = "success") ? 'LOGIN' : (action = "logout") ? 'LOGOUT' : 'FAILED' | str
| | machine | machine | | str
| | appapplication | method | | str
| | user_domain | - | | str
| | user | user | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | devName | | str srcUser
| | source_user | user | | str
| | result | status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### ddi.infoblox.audit

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "ddi-infoblox-audit" | str
| | action | action | (action = "Login_Allowed") ? 'LOGIN' : (action = "Logout") ? 'LOGOUT' : 'FAILED' | str
| | machine | hostname | | str
| | appapplication | - | | str
| | user_domain | - | | str
| | user | admin_user | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | message | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### firewall.fortinet.event.system

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "fortinet-event-system"
| str
| | action | status action | (action = "login" and status = "success") ? 'LOGIN' : (action = "logout") ? 'LOGOUT' : 'FAILED'
| str
| | machine | machine | | str
| | appapplication | method | | str
| | user_domain | - | null('')
| str
| | user | user | | str srcIp
| | source_ip | srcIp | ip4(srcIp)
| ip4 srcHost
| | source_hostname | devName | | str srcUser
| | source_user | user | | str
| | result | status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### firewall.paloalto.globalprotect

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "paloalto-globalprotect"
| str
| | action | stage status | (stage = "login") ? ((status = "success") ? 'LOGIN' : 'FAILED') : (stage = "logout") ? ((status = "success") ? 'LOGOUT' : 'FAILED') : 'FAILED'
| str
| | machine | machine | | str
| | appapplication | subType | | str
| | user_domain | - | null('')
| str
| | user | srcuser | | str srcIp
| | source_ip | public_ip | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | description | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### firewall.paloalto.system

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "paloalto-system"
| str
| | action | eventId | (eventId = "globalprotectportal-auth-succ" or eventId = "panorama-auth-success") ? 'LOGIN' : 'FAILED'
| str
| | machine | machine | | str
| | appapplication | subType | | str
| | user_domain | - | null('')
| str
| | user | user_name | | str srcIp
| | source_ip | client_ip | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | description | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### firewall.juniper.srx.system

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "juniper-srx-system" | str
| | action | log_type | (log_type = "UI_LOGIN_EVENT") ? 'LOGIN' : (log_type = "UI_LOGOUT_EVENT") ? 'LOGOUT' : 'FAILED' | str
| | machine | machine | | str
| | appapplication | - | | str
| | user_domain | - | | str
| | user | username | | str srcIp
| | source_ip | client_ip | | ip4 srcHost
| | source_hostname | hostname | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### helpdesk.zendesk.audit.logs

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "helpdesk.zendesk.audit.logs"
| str
| | action | - | (action_label = "Signed in") ? 'LOGIN' : 'FAILED' | str
| | machine | - | | str
| | appapplication | - | | str
| | user_domain | - | | str
| | user | source_label | | str srcIp
| | source_ip | ip_address | ip4(ip_address)
| ip4 srcHost
| | source_hostname | | | str srcUser
| | source_user | | | str
| | result | change_description | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### network.citrix.adc.sslvpn

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "citrix-adc-sslvpn"
| str
| | action | subtype | (subtype = "LOGIN") ? 'LOGIN' : (subtype = "LOGOUT") ? 'LOGOUT' : 'FAILED' | str
| | machine | machine | | str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | user | | str srcIp
| | source_ip | sourceIp | | ip4 srcHost
| | source_hostname | vserverIp | str(vserverIp)
| str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### siem.logtrust.web.connection

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "logtrust-app"
| str
| | action | action | (action in {'login', 'api_login', 'changedomain', 'ghost_login'}) ? 'LOGIN' : (action in {'logout', 'api_logout'}) ? 'LOGOUT' : 'FAILED' | str
| | machine | hostchain | split(hostchain, "=", 0)
| str
| | appapplication | serverHost | | str
| | user_domain | inputDomain | | str
| | user | inputUser | | str srcIp
| | source_ip | srcHost | ip4(srcHost)
| ip4 srcHost
| | source_hostname | srcHost | | str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | message action | 'ACTION: ' + action + ' MSG: ' + message
| str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### vpn.aws.client

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "aws-vpn-client"
| str
| | action | connection_log_type connection_attempt_status | (connection_log_type in {'connection-reset'} ? 'LOGOUT' : (connection_attempt_status in {'successful'} ? "LOGIN" : "FAILED"))
| str
| | machine | hostname | | str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | username | | str srcIp
| | source_ip | client_ip | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | connection_attempt_status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
### vpn.cisco.asa.anyconnect

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | "cisco-asa-anyconnect"
| str
| | action | EventID | (EventID = 722022) ? 'LOGIN' : ((EventID = 722023) ? 'LOGOUT' : null(''))
| str
| | machine | host | | str
| | appapplication | - | null('')
| str
| | user_domain | - | null('')
| str
| | user | User | | str srcIp
| | source_ip | srcIP | | ip4 srcHost
| | source_hostname | - | null('')
| str srcUser
| | source_user | - | null('')
| str
| | result | - | null('')
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |