Page Comparison

Table of Contents

maxLevel	2
type	flat

Introduction

This table collects information about different authentication events generated by a variety of platforms.

Source tables

The information displayed is extracted from the following tables:

Expand

title	Check source tables

adn.f5.bigip.apm

adn.f5.bigip.audit

auth.cisco.ise

auth.duo.administrator.login

auth.duo.authentication.events

auth.okta.events

auth.okta.system

auth.onelogin.events

auth.ping.federate.audit

auth.ping.federate.security_audit

auth.ping.id.mfa

auth.securenvoy

auth.delinia.secretserver (formerly Thycotic)

auth.unix

box.all.win

Table of Contents

maxLevel	2
type	flat

Introduction

This table collects information about different authentication events generated by a variety of platforms.

Source tables

The information displayed is extracted from the following tables:

Expand

title	Check source tables

adn.f5.bigip.apm
adn.f5.bigip.audit
auth.cisco.ise
auth.duo.administrator.login
auth.duo.authentication.events
auth.jumpcloud.directory.events
auth.jumpcloud.ldap.events
auth.jumpcloud.mdm.events
auth.jumpcloud.radius.events
auth.jumpcloud.software.events
auth.jumpcloud.sso.events
auth.jumpcloud.systems.events
auth.okta.events
auth.okta.system
auth.onelogin.events
auth.ping.federate.audit
auth.ping.federate.security_audit
auth.ping.id.mfa
auth.rsa.secureid.runtime
auth.securenvoy
auth.thycotic.secretserver
box.audit.unix.audispd
box.audit.unix.auditd
box.devo_ea.events_linux
box.devo_ea.events_windows
box.devo_ua.events_windows
box.unix
box.unix_cloudwatch
box.vmware.esx
box.win
box.winNxlog
box.win_classic
box.win_cloudwatch
box.win_hf
box.win_kinesis
box.win_nxlog
box.win_quest.change_auditor.leef
box.win_snare
box.win_solarwinds
box.win_winlogbeat
cef0.microsoft.microsoftWindows
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.signin
cloud.azure.ad.signin.signin
cloud.azure.sql.audit
cloud.azure.vm.applicationevent
cloud.azure.vm.securityevent
cloud.azure.vm.systemevent
cloud.azure.sqlvm.auditunix
cloud.gsuite.reports.login
cloud.office365.management_all
cloud.office365.oldmanagement
crm.salesforceobjects.loginhistory
db.mssql.events
db.oracle.audit_trail
ddi.infoblox.audit
firewall.fortinet.event.system
firewall.juniper.paloaltosrx.globalprotectsystem
firewall.paloalto.systemglobalprotect
firewall.juniperpaloalto.srx.system
helpdesk.zendesk.audit.logs
network.citrix.adc.sslvpn
siem.logtrust.web.connection
vpn.aws.client
vpn.cisco.asa.anyconnect

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Note

Extra columnsfields

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field	Data type	Extra fields
eventdate	`timestamp`	-
source	`str`	-
action	`str`	-
machine	`str`	-
appapplication	`str`	-
user_domain	`str`	-
user	`str`	-

Field	Data type	Extra fields
srcIpsource_ip	`ip`	-srcHost
source_hostname	`str`	-srcUser
source_user	`str`	-
result	`str`	-
message	`str`	-
hostchain	`str`	✓
tag	`str`	✓

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

Rw ui tabs macro

title	Table 1-3
tabIcon	bvicon-table

Rw tab

title	Tables 1-3

[ adn.f5.bigip.apm ] [ adn.f5.bigip.audit ] [ auth.cisco.ise ]

Anchor
adn.f5.bigip.apm
adn.f5.bigip.apm
adn.f5.bigip.apm

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`1"bigip-apm"`	`str`
action	category eventType	`1(eventType = "Login") ? ((category = "allow") ? "LOGIN" : "FAILED") : (eventType = "Logout") ? 'LOGOUT' : 'N/A'`	`str`
machine	hostName		`str`
appapplication	-	`1null('')`	`str`
user_domain	domain		`str`
user	userName		`str`srcIp
source_ip	clientIp		`ip4`srcHost
source_hostname	-	`1null('')`	`str`srcUser
source_user	-	`1null('')`	`str`
result	category eventType	`1(eventType = "Login") ? ((category = "allow") ? "allow" : "deny") : 'N/A'`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
adn.f5.bigip.audit
adn.f5.bigip.audit
adn.f5.bigip.audit

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

1"bigip-audit"

str

action

status

Code Block
1(status = "Login Success") ? 'LOGIN' : (status = "Logout Success") ? 'LOGOUT' : (status = "Login Failure") ? 'FAILED' : 'N/A'

str

machine

hostName

str

appapplication

loginTty

str

user_domain

-

1null('')

str

user

strsrcIp

source_ip

loginHostIp

ip4srcHost

source_hostname

-

1null('')

strsrcUser

source_user

-

1null('')

str

result

status

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.cisco.ise
auth.cisco.ise
auth.cisco.ise

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"cisco-ise"`	`str`
action	typeCode	`(typeCode in {'Passed-Authentication'}) ? 'LOGIN' : (typeCode in {'Failed-Attempt'}) ? 'FAILED' : typeCode`	`str`
machine	host		`str`
appapplication	DstIp	`str(DstIp)`	`str`
user_domain	-	`null('')`	`str`
user	UserName		`str`srcIp
source_ip	FramedIPAddress		`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Rw tab

title	Tables 4-6

[ auth.duo.administrator.login ] [ auth.duo.authentication.events ] [ auth.okta.events ]

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"duo-administrator-login"`	`str`
action	action	`(action in {'admin_login'}) ? 'LOGIN' : (action in {'admin_login_error', 'admin_2fa_error'}) ? 'FAILED' : action`	`str`
machine	host		`str`
appapplication	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	username email	`ifthenelse(isnotnull(username) and not isempty(username), username, email)`	`str`srcIp
source_ip	ip_address		`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	error		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
auth.duo.authentication.events
auth.duo.authentication.events
auth.duo.authentication.events

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"duo-authentication-events"

str

action

reason

Code Block

decode(reason, 'user_approvedapplicationroved', 'LOGIN', 'valid_passcode', 'LOGIN', 'allowed_by_policy', 'LOGIN', 'bypass_user', 'LOGIN', 'locked_out', 'LOGOUT', 'invalid_passcode', 'FAILED', 'no_response', 'FAILED', 'user_cancelled', 'FAILED', 'user_disabled', 'FAILED', 'user_mistake', 'FAILED', 'call_timed_out', 'FAILED', 'no_keys_pressed', 'FAILED', 'user_marked_fraud', 'FAILED', reason)

str

machine

host

str

appapplication

application_name

str

user_domain

-

null('')

str

user

user_name

strsrcIp

source_ip

access_device_ip

ip4srcHost

source_hostname

access_device_hostname2

strsrcUser

source_user

-

null('')

str

result

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.okta.events
auth.okta.events
auth.okta.events

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"okta-events"`	`str`
action	action_message	`(action_message = 'Sign-in successful') ? 'LOGIN' : action_message`	`str`
machine	-	`null('')`	`str`
appapplication	targets_id_str		`str`
user_domain	-	`null('')`	`str`
user	actors_login_str		`str`srcIp
source_ip	actors_ip_address_str	`ip4(actors_ip_address_str)`	`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Rw tab

title	Tables 7-9

[ auth.okta.system ] [ auth.onelogin.events ] [ auth.ping.federate.audit ]

Anchor
auth.okta.system
auth.okta.system
auth.okta.system

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"okta-system"

str

action

legacyEventType

Code Block

(legacyEventType in {'appapplication.ad.login.success', 'app.ad.agent.user_auth', 'core.user_auth.idp.saml.login_success', 'iwa.auth', 'core.user.factor.attempt_success', 'core.user_auth.radius.login.succeeded', 'app.auth.sso', 'core.user_auth.login_success', 'core.user_auth.idp.social.login_success'}) ? 'LOGIN' : (legacyEventType in {'app.ad.login.expired_password', 'app.ad.login.unknown_failure', 'app.ad.login.locked_account', 'app.ad.login.bad_password', 'app.ad.agent.user_auth.error', 'core.user_auth.idp.saml.saml_validation_failed', 'core.user_auth.idp.saml.response_received_in_response_to_no_matching_key', 'core.user_auth.idp.invalid_user_status', 'iwa.invalid_token', 'core.user.factor.attempt_fail', 'core.user_auth.radius.login.failed', 'app.rich_client.login_failure'}) ? 'FAILED' : legacyEventType

str

machine

-

null('')

str

appapplication

target_alternateId_str

str

user_domain

-

null('')

str

user

actor_alternateId

strsrcIp

source_ip

client_ipAddress

ip4srcHost

source_hostname

-

null('')

strsrcUser

source_user

-

null('')

str

result

outcome_result

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.onelogin.events
auth.onelogin.events
auth.onelogin.events

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"onelogin-events"

str

action

eventTypeId

Code Block
(eventTypeId = 5 or eventTypeId = 8) ? 'LOGIN' : ((eventTypeId = 7 or eventTypeId = 29) ? 'LOGOUT' : 'FAILED')

str

machine

hostname

str

appapplication

appName

str

user_domain

-

null('')

str

user

userName

strsrcIp

source_ip

ipaddr

ip4srcHost

source_hostname

-

null('')

strsrcUser

source_user

-

null('')

str

result

riskReasons

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.ping.federate.audit
auth.ping.federate.audit
auth.ping.federate.audit

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"ping"

str

action

event

Code Block
(event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event

str

machine

pfhost

str

appapplication

app

str

user_domain

-

null('')

str

user

subject

strsrcIp

source_ip

ip

ip4srcHost

source_hostname

-

null('')

strsrcUser

source_user

-

null('')

str

result

status

str

message

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Tables 10-12

[ auth.ping.federate.security_audit ] [ auth.ping.id.mfa ] [ auth.securenvoy ]

Anchor
auth.ping.federate.security_audit
auth.ping.federate.security_audit
auth.ping.federate.security_audit

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

Code Block
"ping"

str

action

event

Code Block
(event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event

str

machine

host

str

appapplication

app

str

user_domain

-

Code Block
null('')

str

user

subject

strsrcIp

source_ip

ip

ip4srcHost

source_hostname

-

Code Block
null('')

strsrcUser

source_user

-

Code Block
null('')

str

result

status

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.ping.id.mfa
auth.ping.id.mfa
auth.ping.id.mfa

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

Code Block
"ping-id"

str

action

result__status

Code Block
(result__status = "SUCCESS") ? 'LOGIN' : 'FAILED'

str

machine

hostname

str

appapplication

-

Code Block
null('')

str

user_domain

-

Code Block
null('')

str

user

actors__name_str

strsrcIp

source_ip

-

Code Block
ip4('')

ip4srcHost

source_hostname

-

Code Block
null('')

strsrcUser

source_user

-

Code Block
null('')

str

result

result__message

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.securenvoy
auth.securenvoy
auth.securenvoy

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"securenvoy"`	`str`
action	-	`"LOGIN"`	`str`
machine	hostchain		`str`
appapplication	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	client		`str`srcIp
source_ip	-	`ip4('')`	`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	message		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Rw tab

title	Tables 13-15

[ auth.delinia.secretserver ] [ auth.unix ] [ box.all.win ]

Anchor
auth.thycotic.secretserver
auth.thycotic.secretserver
auth.delinia.secretserver (formerly Thycotic)

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"delinia-secretserver"`	`str`
action	name	`(name in {'USER - LOGOUT'}) ? 'LOGOUT' : "LOGIN"`	`str`
machine	hostchain	`split(hostchain, "=", 0)`	`str`
appapplication	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	suser		`str`srcIp
source_ip	src		`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	msg		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
auth.unix
auth.unix
auth.unix

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	source		`str`
action	action		`str`
machine	machine		`str`
appapplication	app		`str`
user_domain	-	`null('')`	`str`
user	user		`str`srcIp
source_ip	srcIp		`ip4`srcHost
source_hostname	srcHost		`str`
srcUser	srcUsersource_user	source_user		`str`
result	-	`null('')`	`str`
message	message		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
box.all.win
box.all.win
box.all.win

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

str

action

status

eventId

Code Block

(eventId = 512 or eventId = 4624 or eventId = 4648 or eventId = 4770) ? 'LOGIN' : (eventId = 4634) ? 'LOGOUT' : (eventId = 516 or eventId = 1210) ? 'LOCKED' : (eventId = 4768 or eventId = 4769 or eventId = 4772 or eventId = 4773) ? ((status = "0x0") ? 'LOGIN' : (status = "0x12") ? 'LOCKED' : 'FAILED') : (eventId = 4776 or eventId = 4777) ? ((status = "0x0") ? 'LOGIN' : (status = "0xC0000234") ? 'LOCKED' : 'FAILED') : 'FAILED'

str

machine

machineIp

str(machineIp)

str

appapplication

sourceName

str

user_domain

domain

str

user

account

strsrcIp

source_ip

srcIp

ip4(srcIp)

ip4srcHost

source_hostname

srcHost

strsrcUser

source_user

subjectUsername

str

result

status

str

message

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Tables 16-19

[ cef0.microsoft.microsoftWindows ] [ cloud.aws.cloudtrail.events ] [ cloud.aws.cloudtrail.signin ] [ cloud.azure.ad.signin ]

Anchor
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"microsoft-microsoft_windows"`	`str`
action	name		`str`
machine	shost		`str`
appapplication	deviceProcessName		`str`
user_domain	-	`null('')`	`str`
user	duser		`str`srcIp
source_ip	src		`ip4`srcHost
source_hostname	shost		`str`srcUser
source_user	suser		`str`
result	reason		`str`
message	msg		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"aws-cloudtrail-events"

str

action

responseElements_ConsoleLogin

Code Block
decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin)

str

machine

-

null('')

str

appapplication

-

null('')

str

user_domain

-

null('')

str

user

userIdentity_userName

strsrcIp

source_ip

sourceIPAddress

ip4(sourceIPAddress)

ip4srcHost

source_hostname

requestParameters_host_str

strsrcUser

source_user

requestParameters_userName

str

result

responseElements_ConsoleLogin

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"aws-cloudtrail-signin"

str

action

eventName

serviceEventDetails_UserAuthentication

responseElements_ConsoleLogin

responseElements_ExternalIdPDirectoryLogin

Code Block

decode(eventName, "ConsoleLogin", decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin), "ExternalIdPDirectoryLogin", decode(responseElements_ExternalIdPDirectoryLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ExternalIdPDirectoryLogin), "UserAuthentication", decode(serviceEventDetails_UserAuthentication, "Success", 'LOGIN', "Failure", 'FAILED', serviceEventDetails_UserAuthentication))

str

machine

-

null('')

str

appapplication

-

null('')

str

user_domain

userIdentity_accountId

str

user

userIdentity_userName

strsrcIp

source_ip

sourceIPAddress

ip4(sourceIPAddress)

ip4srcHost

source_hostname

eventSource

strsrcUser

source_user

-

null('')

str

result

-

null('')

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"azure-ad"`	`str`
action	resultType	`(resultType = 0) ? 'LOGIN' : 'FAILED'`	`str`
machine	hostchain	`split(hostchain, "=", 0)`	`str`
appapplication	properties_appDisplayName		`str`
user_domain	-	`null('')`	`str`
user	identity		`str`srcIp
source_ip	callerIpAddress	`ip4(callerIpAddress)`	`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	resultType		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Rw tab

title	Tables 20-23

[ cloud.azure.sql.audit ] [ cloud.gsuite.reports.login ] [ cloud.office365.management ] [ crm.salesforceobjects.loginhistory ]

Anchor
cloud.azure.sql.audit
cloud.azure.sql.audit
cloud.azure.sql.audit

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"azure-sql-audit"`	`str`
action	action_id	`(action_id = "DBAF") ? 'FAILED' : 'LOGIN'`	`str`
machine	hostname		`str`
appapplication	application_name		`str`
user_domain	-	`null('')`	`str`
user	-	`null('')`	`str`srcIp
source_ip	client_ip		`ip4`srcHost
source_hostname	host_name		`str`srcUser
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"gsuite-reports-login"`	`str`
action	-	`null('')`	`str`
machine	hostname		`str`
appapplication	id_applicationName		`str`
user_domain	id_customerId		`str`
user	actor_email		`str`srcIp
source_ip	ipAddress	`ip4(ipAddress)`	`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	actor_profileId		`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
cloud.office365.management
cloud.office365.management
cloud.office365.management

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"office365-management"

str

action

Operation

ResultStatus

(Operation = "UserLoggedIn" and ResultStatus = "Success") ? 'LOGIN' : 'FAILED'

str

machine

hostname

str

appapplication

-

null('')

str

user_domain

-

null('')

str

user

UserId

strsrcIp

source_ip

ActorIpAddress

ip4(ActorIpAddress)

ip4srcHost

source_hostname

-

null('')

strsrcUser

source_user

-

null('')

str

result

LogonError

Operation

ResultStatus

Code Block

'{' + '"Operation": ' + (isnull(Operation) ? 'null' : '"' + str(Operation) + '"') + ', ' + '"LogonError": ' + (isnull(LogonError) ? 'null' : '"' + str(LogonError) + '"') + ', ' + '"ResultStatus": ' + (isnull(ResultStatus) ? 'null' : '"' + str(ResultStatus) + '"') + '}'

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"crm.salesforceobjects.loginhistory"

str

action

-

(Status = "Success") ? 'LOGIN'
: 'FAILED';

str

machine

hostname

str

appapplication

Application

str

user_domain

-

Code Block
null('')

str

user

UserId

strsrcIp

source_ip

SourceIp

Code Block
ip4(SourceIp)

ip4srcHost

source_hostname

Code Block
null('')

strsrcUser

source_user

Code Block
null('')

str

result

Status

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Tables 24-30

[ db.mssql.events ] [ db.oracle.audit_trail ] [ ddi.infoblox.audit ] [ firewall.fortinet.event.system ] [ firewall.paloalto.globalprotect ] [ firewall.paloalto.system ] [ helpdesk.zendesk.audit.logs ][ firewall.juniper.srx.system]

Anchor
db.mssql.events
db.mssql.events
db.mssql.events

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"mssql"`	`str`
action	eventID	`(eventID = 18456) ? 'FAILED' : 'LOGIN'`	`str`
machine	hostname2		`str`
appapplication	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	user		`str`srcIp
source_ip	-	`ip4('')`	`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	message		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
db.oracle.audit_trail
db.oracle.audit_trail
db.oracle.audit_trail

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

Code Block
"fortinet-event-system"

str

action

status

action

Code Block
(action = "login" and status = "success") ? 'LOGIN' : (action = "logout") ? 'LOGOUT' : 'FAILED'

str

machine

str

appapplication

method

str

user_domain

-

Code Block
null('')

str

user

strsrcIp

source_ip

srcIp

Code Block
ip4(srcIp)

ip4srcHost

source_hostname

devName

strsrcUser

source_user

user

str

result

status

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
ddi.infoblox.audit
ddi.infoblox.audit
ddi.infoblox.audit

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

Code Block
"ddi-infoblox-audit"

str

action

Code Block
(action = "Login_Allowed") ? 'LOGIN' : (action = "Logout") ? 'LOGOUT' : 'FAILED'

str

machine

hostname

str

appapplication

-

Code Block
null('')

str

user_domain

-

Code Block
null('')

str

user

admin_user

strsrcIp

source_ip

srcIp

ip4srcHost

source_hostname

-

Code Block
null('')

strsrcUser

source_user

-

Code Block
null('')

str

result

message

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.fortinet.event.system
firewall.fortinet.event.system
firewall.fortinet.event.system

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"fortinet-event-system"`	`str`
action	status action	`(action = "login" and status = "success") ? 'LOGIN' : (action = "logout") ? 'LOGOUT' : 'FAILED'`	`str`
machine	machine		`str`
appapplication	method		`str`
user_domain	-	`null('')`	`str`
user	user		`str`srcIp
source_ip	srcIp	`ip4(srcIp)`	`ip4`srcHost
source_hostname	devName		`str`srcUser
source_user	user		`str`
result	status		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.globalprotect

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"paloalto-globalprotect"`	`str`
action	stage status	`(stage = "login") ? ((status = "success") ? 'LOGIN' : 'FAILED') : (stage = "logout") ? ((status = "success") ? 'LOGOUT' : 'FAILED') : 'FAILED'`	`str`
machine	machine		`str`
appapplication	subType		`str`
user_domain	-	`null('')`	`str`
user	srcuser		`str`srcIp
source_ip	public_ip		`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	description		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.system

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"paloalto-system"`	`str`
action	eventId	`(eventId = "globalprotectportal-auth-succ" or eventId = "panorama-auth-success") ? 'LOGIN' : 'FAILED'`	`str`
machine	machine		`str`
appapplication	subType		`str`
user_domain	-	`null('')`	`str`
user	user_name		`str`srcIp
source_ip	client_ip		`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	description		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.juniper.srx.system
Anchor
firewall.juniper.srx.system
firewall.juniper.srx.system

Field in

Field in source table

Field transformation

Data Type

Extra Field

eventdate

timestamp

source

-

Code Block
"juniper-srx-system"

str

action

log_type

Code Block
(log_type = "UI_LOGIN_EVENT") ? 'LOGIN' : (log_type = "UI_LOGOUT_EVENT") ? 'LOGOUT' : 'FAILED'

str

machine

str

appapplication

-

Code Block
null('')

str

user_domain

-

Code Block
null('')

str

user

username

strsrcIp

source_ip

client_ip

ip4srcHost

source_hostname

hostname

strsrcUser

source_user

-

Code Block
null('')

str

result

-

Code Block
null('')

str

message

str

hostchain

str

✓

tag

str

✓

Anchor
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"helpdesk.zendesk.audit.logs"

str

action

-

(action_label = "Signed in") ? 'LOGIN'
: 'FAILED';

str

machine

-

Code Block
null('')

str

appapplication

-

Code Block
null('')

str

user_domain

-

Code Block
null('')

str

user

source_label

strsrcIp

source_ip

ip_address

ip4(ip_address)

ip4srcHost

source_hostname

Code Block
null('')

strsrcUser

source_user

Code Block
null('')

str

result

change_description

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Tables 31-34

[ network.citrix.adc.sslvpn ] [ siem.logtrust.web.connection ] [ vpn.aws.client ] [ vpn.cisco.asa.anyconnect ]

Anchor
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"citrix-adc-sslvpn"

str

action

subtype

Code Block
(subtype = "LOGIN") ? 'LOGIN' : (subtype = "LOGOUT") ? 'LOGOUT' : 'FAILED'

str

machine

str

appapplication

-

null('')

str

user_domain

-

null('')

str

user

strsrcIp

source_ip

sourceIp

ip4srcHost

source_hostname

vserverIp

str(vserverIp)

strsrcUser

source_user

-

null('')

str

result

-

null('')

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
siem.logtrust.web.connection
siem.logtrust.web.connection
siem.logtrust.web.connection

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"logtrust-app"

str

action

Code Block
(action in {'login', 'api_login', 'changedomain', 'ghost_login'}) ? 'LOGIN' : (action in {'logout', 'api_logout'}) ? 'LOGOUT' : 'FAILED'

str

machine

hostchain

split(hostchain, "=", 0)

str

appapplication

serverHost

str

user_domain

inputDomain

str

user

inputUser

strsrcIp

source_ip

srcHost

ip4(srcHost)

ip4srcHost

source_hostname

srcHost

strsrcUser

source_user

-

null('')

str

result

-

null('')

str

message

action

'ACTION: ' + action + ' MSG: ' + message

str

hostchain

str

✓

tag

str

✓

Anchor
vpn.aws.client
vpn.aws.client
vpn.aws.client

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"aws-vpn-client"`	`str`
action	connection_log_type connection_attempt_status	`(connection_log_type in {'connection-reset'} ? 'LOGOUT' : (connection_attempt_status in {'successful'} ? "LOGIN" : "FAILED"))`	`str`
machine	hostname		`str`
appapplication	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	username		`str`srcIp
source_ip	client_ip		`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	connection_attempt_status		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"cisco-asa-anyconnect"`	`str`
action	EventID	`(EventID = 722022) ? 'LOGIN' : ((EventID = 722023) ? 'LOGOUT' : null(''))`	`str`
machine	host		`str`
appapplication	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	User		`str`srcIp
source_ip	srcIP		`ip4`srcHost
source_hostname	-	`null('')`	`str`srcUser
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Page Comparison

Versions Compared

Old Version 28

New Version 29

Key

Introduction

Source tables

Introduction

Source tables

Table structure

Field transformations

Anchoradn.f5.bigip.apmadn.f5.bigip.apmadn.f5.bigip.apm

Anchoradn.f5.bigip.auditadn.f5.bigip.auditadn.f5.bigip.audit

Anchorauth.cisco.iseauth.cisco.iseauth.cisco.ise

Anchorauth.duo.administrator.loginauth.duo.administrator.loginauth.duo.administrator.login

Anchorauth.duo.authentication.eventsauth.duo.authentication.eventsauth.duo.authentication.events

Anchorauth.okta.eventsauth.okta.eventsauth.okta.events

Anchorauth.okta.systemauth.okta.systemauth.okta.system

Anchorauth.onelogin.eventsauth.onelogin.eventsauth.onelogin.events

Anchorauth.ping.federate.auditauth.ping.federate.auditauth.ping.federate.audit

Anchorauth.ping.federate.security_auditauth.ping.federate.security_auditauth.ping.federate.security_audit

Anchorauth.ping.id.mfaauth.ping.id.mfaauth.ping.id.mfa

Anchorauth.securenvoyauth.securenvoyauth.securenvoy

Anchorauth.thycotic.secretserverauth.thycotic.secretserverauth.delinia.secretserver (formerly Thycotic)

Anchorauth.unixauth.unixauth.unix

Anchorbox.all.winbox.all.winbox.all.win

Anchorcef0.microsoft.microsoftWindowscef0.microsoft.microsoftWindowscef0.microsoft.microsoftWindows

Anchorcloud.aws.cloudtrail.eventscloud.aws.cloudtrail.eventscloud.aws.cloudtrail.events

Anchorcloud.aws.cloudtrail.signincloud.aws.cloudtrail.signincloud.aws.cloudtrail.signin

Anchorcloud.azure.ad.signincloud.azure.ad.signincloud.azure.ad.signin

Anchorcloud.azure.sql.auditcloud.azure.sql.auditcloud.azure.sql.audit

Anchorcloud.gsuite.reports.logincloud.gsuite.reports.logincloud.gsuite.reports.login

Anchorcloud.office365.managementcloud.office365.managementcloud.office365.management

Anchorcrm.salesforceobjects.loginhistorycrm.salesforceobjects.loginhistorycrm.salesforceobjects.loginhistory

Anchordb.mssql.eventsdb.mssql.eventsdb.mssql.events

Anchordb.oracle.audit_traildb.oracle.audit_traildb.oracle.audit_trail

Anchorddi.infoblox.auditddi.infoblox.auditddi.infoblox.audit

Anchorfirewall.fortinet.event.systemfirewall.fortinet.event.systemfirewall.fortinet.event.system

Anchorfirewall.paloalto.systemfirewall.paloalto.systemfirewall.paloalto.globalprotect

Anchorfirewall.paloalto.systemfirewall.paloalto.systemfirewall.paloalto.system

firewall.juniper.srx.system Anchorfirewall.juniper.srx.systemfirewall.juniper.srx.system

Anchorhelpdesk.zendesk.audit.logshelpdesk.zendesk.audit.logshelpdesk.zendesk.audit.logs

Anchornetwork.citrix.adc.sslvpnnetwork.citrix.adc.sslvpnnetwork.citrix.adc.sslvpn

Anchorsiem.logtrust.web.connectionsiem.logtrust.web.connectionsiem.logtrust.web.connection

Anchorvpn.aws.clientvpn.aws.clientvpn.aws.client

Anchorvpn.cisco.asa.anyconnectvpn.cisco.asa.anyconnectvpn.cisco.asa.anyconnect

Anchor
adn.f5.bigip.apm
adn.f5.bigip.apm
adn.f5.bigip.apm

Anchor
adn.f5.bigip.audit
adn.f5.bigip.audit
adn.f5.bigip.audit

Anchor
auth.cisco.ise
auth.cisco.ise
auth.cisco.ise

Anchor
auth.duo.administrator.login
auth.duo.administrator.login
auth.duo.administrator.login

Anchor
auth.duo.authentication.events
auth.duo.authentication.events
auth.duo.authentication.events

Anchor
auth.okta.events
auth.okta.events
auth.okta.events

Anchor
auth.okta.system
auth.okta.system
auth.okta.system

Anchor
auth.onelogin.events
auth.onelogin.events
auth.onelogin.events

Anchor
auth.ping.federate.audit
auth.ping.federate.audit
auth.ping.federate.audit

Anchor
auth.ping.federate.security_audit
auth.ping.federate.security_audit
auth.ping.federate.security_audit

Anchor
auth.ping.id.mfa
auth.ping.id.mfa
auth.ping.id.mfa

Anchor
auth.securenvoy
auth.securenvoy
auth.securenvoy

Anchor
auth.thycotic.secretserver
auth.thycotic.secretserver
auth.delinia.secretserver (formerly Thycotic)

Anchor
auth.unix
auth.unix
auth.unix

Anchor
box.all.win
box.all.win
box.all.win

Anchor
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows

Anchor
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events

Anchor
cloud.aws.cloudtrail.signin
cloud.aws.cloudtrail.signin
cloud.aws.cloudtrail.signin

Anchor
cloud.azure.ad.signin
cloud.azure.ad.signin
cloud.azure.ad.signin

Anchor
cloud.azure.sql.audit
cloud.azure.sql.audit
cloud.azure.sql.audit

Anchor
cloud.gsuite.reports.login
cloud.gsuite.reports.login
cloud.gsuite.reports.login

Anchor
cloud.office365.management
cloud.office365.management
cloud.office365.management

Anchor
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory

Anchor
db.mssql.events
db.mssql.events
db.mssql.events

Anchor
db.oracle.audit_trail
db.oracle.audit_trail
db.oracle.audit_trail

Anchor
ddi.infoblox.audit
ddi.infoblox.audit
ddi.infoblox.audit

Anchor
firewall.fortinet.event.system
firewall.fortinet.event.system
firewall.fortinet.event.system

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.globalprotect

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.system

firewall.juniper.srx.system
Anchor
firewall.juniper.srx.system
firewall.juniper.srx.system

Anchor
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs

Anchor
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn

Anchor
siem.logtrust.web.connection
siem.logtrust.web.connection
siem.logtrust.web.connection

Anchor
vpn.aws.client
vpn.aws.client
vpn.aws.client

Anchor
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect