Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | timestamp | | | |
hostname | str | | | |
region | str | | | |
timestamp | timestamp | `parsedate(time, ifthenelse(length(time) > 20, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSS[Z]", "UTC"), dateformat("YYYY-MM-DD[T]HH:mm:ss[Z]", "UTC")))` | time | |
resourceId | str | | | |
correlationId | str | | | |
operationName | str | | | |
level | str | | | |
resultType | str | | | |
resultDescription | str | | | |
category | str | | | |
properties__eventCategory | str | | | |
properties__eventName | str | | | |
properties__operationId | str | | | |
properties__eventProperties | json | | | |
properties__eventProperties__resourceType | str | | | |
properties__eventProperties__compromisedHost | str | | | |
properties__eventProperties__actionTaken | str | | | |
properties__eventProperties__attackTypeDetected | str | | | |
properties__eventProperties__possibleVictims | str | | | |
properties__eventProperties__severity | str | | | |
properties__eventProperties__intent_str | str | `join(properties__eventProperties__intent, ',')` | properties__eventProperties__intent | |
properties__eventProperties__compromisedEntity | str | | | |
properties__eventProperties__remediationSteps_str | str | `join(properties__eventProperties__remediationSteps, ',')` | properties__eventProperties__remediationSteps | |
properties__eventProperties__attackedResourceType | str | | | |
properties__eventProperties__applicationID | str | | | |
properties__eventProperties__clientObjectID | str | | | |
properties__eventProperties__clientInformation | str | | | |
properties__eventProperties__clientIPAddress | ip4 | | | |
properties__eventProperties__resultSignature | str | | | |
properties__eventProperties__target | str | | | |
properties__eventProperties__alertReasons | str | | | |
properties__eventProperties__allVaultOperationsInLast24Hours | str | | | |
properties__eventProperties__suspiciousOperations | str | | | |
properties__eventProperties__startTime | timestamp | | | |
properties__eventProperties__endTime | timestamp | | | |
properties__eventProperties__numberOfFailedAuthenticationAttemptsToHost | int4 | | | |
properties__eventProperties__accountsUsedOnFailedSignInToHostAttempts_str | str | `join(properties__eventProperties__accountsUsedOnFailedSignInToHostAttempts, ',')` | properties__eventProperties__accountsUsedOnFailedSignInToHostAttempts | |
properties__eventProperties__wasSSHSessionInitiated | str | | | |
properties__eventProperties__attackerSourceIP | str | | | |
properties__eventProperties__attackerSourceComputerName | str | | | |
properties__eventProperties__numberOfExistingAccountsUsedBySourceToSignIn | int4 | | | |
properties__eventProperties__numberOfNonexistentAccountsUsedBySourceToSignIn | int4 | | | |
properties__eventProperties__topAccountsWithFailedSignInAttempts | str | | | |
properties__eventProperties__wasRDPSessionInitiated | str | | | |
at_devo_collector_version | int4 | | | |
at_entry_offset | str | | | |
at_enqueued_time | timestamp | | | |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
rawMessage | str | | | ✓ |

Note: `properties__eventProperties__attackerSourceIP` is ingested as `str`, unlike `properties__eventProperties__clientIPAddress` (`ip4`), so IP-typed operations (e.g. network-range matching) on the attacker address need an explicit conversion; `wasSSHSessionInitiated` and `wasRDPSessionInitiated` are likewise `str`, not booleans, so compare them against their string values. The `timestamp` transformation selects the fractional-seconds format only when `time` is longer than 20 characters and that format expects exactly six fractional digits, so source values with a different fractional precision may not parse — verify against the actual event timestamps before relying on `timestamp` for time-based detections.