Page Comparison

Table of Contents

maxLevel	2
type	flat

Introduction

This table collects information about different authentication events generated by a variety of platforms.

Source tables

The information displayed is extracted from the following tables:

Expand

title	Check source tables

adn.f5.bigip.apm
adn.f5.bigip.audit
auth.cisco.ise
auth.duo.administrator.login
auth.duo.authentication.events
auth.jumpcloud.directory.events
auth.jumpcloud.ldap.events
auth.jumpcloud.mdm.events
auth.jumpcloud.radius.events
auth.jumpcloud.software.events
auth.jumpcloud.sso.events
auth.jumpcloud.systems.events
auth.okta.events
auth.okta.system
auth.onelogin.events
auth.ping.federate.audit
auth.ping.federate.security_audit
auth.ping.id.mfa
auth.rsa.secureid.runtime
auth.securenvoy
auth.thycotic.secretserver
box.audit.unix.audispd
box.audit.unix.auditd
box.devo_ea.events_linux
box.devo_ea.events_windows
box.devo_ua.events_windows
box.unix
box.unix_cloudwatch
box.vmware.esx
box.win
box.winNxlog
box.win_classic
box.win_cloudwatch
box.win_hf
box.win_kinesis
box.win_nxlog
box.win_quest.change_auditor.leef
box.win_snare
box.win_solarwinds
box.win_winlogbeat
cef0.microsoft.microsoftWindows
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.signin
cloud.azure.ad.signin
cloud.azure.sql.audit
cloud.azure.vm.applicationevent
cloud.azure.vm.securityevent
cloud.azure.vm.systemevent
cloud.azure.vm.unix
cloud.gsuite.reports.login
cloud.office365.management_all
cloud.office365.oldmanagement
crm.salesforceobjects.loginhistory
db.mssql.events
db.oracle.audit_trail
ddi.infoblox.audit
firewall.fortinet.event.system
firewall.juniper.srx.system
firewall.paloalto.globalprotect
firewall.paloalto.system
helpdesk.zendesk.audit.logs
network.citrix.adc.sslvpn
siem.logtrust.web.connection
vpn.aws.client
vpn.cisco.asa.anyconnect

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Note

Extra fields

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field	Data type	Extra fields
eventdate	`timestamp`	-
source	`str`	-
action	`str`	-
machine	`str`	-
application	`str`	-
user_domain	`str`	-
user	`str`	-

Field	Data type	Extra fields
source_ip	`ip`	-
source_hostname	`str`	-
source_user	`str`	-
result	`str`	-
message	`str`	-
hostchain	`str`	✓
tag	`str`	✓

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

Rw ui tabs macro

title	Table 1-3
tabIcon	bvicon-table

Rw tab

title	Tables 1-3

[ adn.f5.bigip.apm ] [ adn.f5.bigip.audit ] [ auth.cisco.ise ]

Anchor
adn.f5.bigip.apm
adn.f5.bigip.apm
adn.f5.bigip.apm

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`1"bigip-apm"`	`str`
action	category eventType	`1(eventType = "Login") ? ((category = "allow") ? "LOGIN" : "FAILED") : (eventType = "Logout") ? 'LOGOUT' : 'N/A'`	`str`
machine	hostName		`str`
application	-	`1null('')`	`str`
user_domain	domain		`str`
user	userName		`str`
source_ip	clientIp		`ip4`
source_hostname	-	`1null('')`	`str`
source_user	-	`1null('')`	`str`
result	category eventType	`1(eventType = "Login") ? ((category = "allow") ? "allow" : "deny") : 'N/A'`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
adn.f5.bigip.audit
adn.f5.bigip.audit
adn.f5.bigip.audit

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

1"bigip-audit"

str

action

status

Code Block
1(status = "Login Success") ? 'LOGIN' : (status = "Logout Success") ? 'LOGOUT' : (status = "Login Failure") ? 'FAILED' : 'N/A'

str

machine

hostName

str

application

loginTty

str

user_domain

-

1null('')

str

user

str

source_ip

loginHostIp

ip4

source_hostname

-

1null('')

str

source_user

-

1null('')

str

result

status

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.cisco.ise
auth.cisco.ise
auth.cisco.ise

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"cisco-ise"`	`str`
action	typeCode	`(typeCode in {'Passed-Authentication'}) ? 'LOGIN' : (typeCode in {'Failed-Attempt'}) ? 'FAILED' : typeCode`	`str`
machine	host		`str`
application	DstIp	`str(DstIp)`	`str`
user_domain	-	`null('')`	`str`
user	UserName		`str`
source_ip	FramedIPAddress		`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Rw tab

title	Tables 4-6

[ auth.duo.administrator.login ] [ auth.duo.authentication.events ] [ auth.okta.events ]

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"duo-administrator-login"`	`str`
action	action	`(action in {'admin_login'}) ? 'LOGIN' : (action in {'admin_login_error', 'admin_2fa_error'}) ? 'FAILED' : action`	`str`
machine	host		`str`
application	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	username email	`ifthenelse(isnotnull(username) and not isempty(username), username, email)`	`str`
source_ip	ip_address		`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	error		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
auth.duo.authentication.events
auth.duo.authentication.events
auth.duo.authentication.events

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"duo-authentication-events"

str

action

reason

Code Block

decode(reason, 'user_applicationroved', 'LOGIN', 'valid_passcode', 'LOGIN', 'allowed_by_policy', 'LOGIN', 'bypass_user', 'LOGIN', 'locked_out', 'LOGOUT', 'invalid_passcode', 'FAILED', 'no_response', 'FAILED', 'user_cancelled', 'FAILED', 'user_disabled', 'FAILED', 'user_mistake', 'FAILED', 'call_timed_out', 'FAILED', 'no_keys_pressed', 'FAILED', 'user_marked_fraud', 'FAILED', reason)

str

machine

host

str

application

application_name

str

user_domain

-

null('')

str

user

user_name

str

source_ip

access_device_ip

ip4

source_hostname

access_device_hostname2

str

source_user

-

null('')

str

result

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.okta.events
auth.okta.events
auth.okta.events

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"okta-events"`	`str`
action	action_message	`(action_message = 'Sign-in successful') ? 'LOGIN' : action_message`	`str`
machine	-	`null('')`	`str`
application	targets_id_str		`str`
user_domain	-	`null('')`	`str`
user	actors_login_str		`str`
source_ip	actors_ip_address_str	`ip4(actors_ip_address_str)`	`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Rw tab

title	Tables 7-9

[ auth.okta.system ] [ auth.onelogin.events ] [ auth.ping.federate.audit ]

Anchor
auth.okta.system
auth.okta.system
auth.okta.system

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"okta-system"

str

action

legacyEventType

Code Block

(legacyEventType in {'application.ad.login.success', 'app.ad.agent.user_auth', 'core.user_auth.idp.saml.login_success', 'iwa.auth', 'core.user.factor.attempt_success', 'core.user_auth.radius.login.succeeded', 'app.auth.sso', 'core.user_auth.login_success', 'core.user_auth.idp.social.login_success'}) ? 'LOGIN' : (legacyEventType in {'app.ad.login.expired_password', 'app.ad.login.unknown_failure', 'app.ad.login.locked_account', 'app.ad.login.bad_password', 'app.ad.agent.user_auth.error', 'core.user_auth.idp.saml.saml_validation_failed', 'core.user_auth.idp.saml.response_received_in_response_to_no_matching_key', 'core.user_auth.idp.invalid_user_status', 'iwa.invalid_token', 'core.user.factor.attempt_fail', 'core.user_auth.radius.login.failed', 'app.rich_client.login_failure'}) ? 'FAILED' : legacyEventType

str

machine

-

null('')

str

application

target_alternateId_str

str

user_domain

-

null('')

str

user

actor_alternateId

str

source_ip

client_ipAddress

ip4

source_hostname

-

null('')

str

source_user

-

null('')

str

result

outcome_result

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.onelogin.events
auth.onelogin.events
auth.onelogin.events

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"onelogin-events"

str

action

eventTypeId

Code Block
(eventTypeId = 5 or eventTypeId = 8) ? 'LOGIN' : ((eventTypeId = 7 or eventTypeId = 29) ? 'LOGOUT' : 'FAILED')

str

machine

hostname

str

application

appName

str

user_domain

-

null('')

str

user

userName

str

source_ip

ipaddr

ip4

source_hostname

-

null('')

str

source_user

-

null('')

str

result

riskReasons

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.ping.federate.audit
auth.ping.federate.audit
auth.ping.federate.audit

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"ping"

str

action

event

Code Block
(event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event

str

machine

pfhost

str

application

app

str

user_domain

-

null('')

str

user

subject

str

source_ip

ip

ip4

source_hostname

-

null('')

str

source_user

-

null('')

str

result

status

str

message

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Tables 10-12

[ auth.ping.federate.security_audit ] [ auth.ping.id.mfa ] [ auth.securenvoy ]

Anchor
auth.ping.federate.security_audit
auth.ping.federate.security_audit
auth.ping.federate.security_audit

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

Code Block
"ping"

str

action

event

Code Block
(event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event

str

machine

host

str

application

app

str

user_domain

-

Code Block
null('')

str

user

subject

str

source_ip

ip

ip4

source_hostname

-

Code Block
null('')

str

source_user

-

Code Block
null('')

str

result

status

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.ping.id.mfa
auth.ping.id.mfa
auth.ping.id.mfa

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

Code Block
"ping-id"

str

action

result__status

Code Block
(result__status = "SUCCESS") ? 'LOGIN' : 'FAILED'

str

machine

hostname

str

application

-

Code Block
null('')

str

user_domain

-

Code Block
null('')

str

user

actors__name_str

str

source_ip

-

Code Block
ip4('')

ip4

source_hostname

-

Code Block
null('')

str

source_user

-

Code Block
null('')

str

result

result__message

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
auth.securenvoy
auth.securenvoy
auth.securenvoy

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"securenvoy"`	`str`
action	-	`"LOGIN"`	`str`
machine	hostchain		`str`
application	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	client		`str`
source_ip	-	`ip4('')`	`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	message		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Rw tab

title	Tables 13-15

[ auth.delinia.secretserver ] [ auth.unix ] [ box.all.win ]

Anchor
auth.thycotic.secretserver
auth.thycotic.secretserver
auth.delinia.secretserver (formerly Thycotic)

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"delinia-secretserver"`	`str`
action	name	`(name in {'USER - LOGOUT'}) ? 'LOGOUT' : "LOGIN"`	`str`
machine	hostchain	`split(hostchain, "=", 0)`	`str`
application	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	suser		`str`
source_ip	src		`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	msg		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
auth.unix
auth.unix
auth.unix

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	source		`str`
action	action		`str`
machine	machine		`str`
application	app		`str`
user_domain	-	`null('')`	`str`
user	user		`str`
source_ip	srcIp		`ip4`
source_hostname	srcHost		`str`
source_user	source_user		`str`
result	-	`null('')`	`str`
message	message		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
box.all.win
box.all.win
box.all.win

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

str

action

status

eventId

Code Block

(eventId = 512 or eventId = 4624 or eventId = 4648 or eventId = 4770) ? 'LOGIN' : (eventId = 4634) ? 'LOGOUT' : (eventId = 516 or eventId = 1210) ? 'LOCKED' : (eventId = 4768 or eventId = 4769 or eventId = 4772 or eventId = 4773) ? ((status = "0x0") ? 'LOGIN' : (status = "0x12") ? 'LOCKED' : 'FAILED') : (eventId = 4776 or eventId = 4777) ? ((status = "0x0") ? 'LOGIN' : (status = "0xC0000234") ? 'LOCKED' : 'FAILED') : 'FAILED'

str

machine

machineIp

str(machineIp)

str

application

sourceName

str

user_domain

domain

str

user

account

str

source_ip

srcIp

ip4(srcIp)

ip4

source_hostname

srcHost

str

source_user

subjectUsername

str

result

status

str

message

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Tables 16-19

[ cef0.microsoft.microsoftWindows ] [ cloud.aws.cloudtrail.events ] [ cloud.aws.cloudtrail.signin ] [ cloud.azure.ad.signin ]

Anchor
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"microsoft-microsoft_windows"`	`str`
action	name		`str`
machine	shost		`str`
application	deviceProcessName		`str`
user_domain	-	`null('')`	`str`
user	duser		`str`
source_ip	src		`ip4`
source_hostname	shost		`str`
source_user	suser		`str`
result	reason		`str`
message	msg		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"aws-cloudtrail-events"

str

action

responseElements_ConsoleLogin

Code Block
decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin)

str

machine

-

null('')

str

application

-

null('')

str

user_domain

-

null('')

str

user

userIdentity_userName

str

source_ip

sourceIPAddress

ip4(sourceIPAddress)

ip4

source_hostname

requestParameters_host_str

str

source_user

requestParameters_userName

str

result

responseElements_ConsoleLogin

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"aws-cloudtrail-signin"

str

action

eventName

serviceEventDetails_UserAuthentication

responseElements_ConsoleLogin

responseElements_ExternalIdPDirectoryLogin

Code Block

decode(eventName, "ConsoleLogin", decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin), "ExternalIdPDirectoryLogin", decode(responseElements_ExternalIdPDirectoryLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ExternalIdPDirectoryLogin), "UserAuthentication", decode(serviceEventDetails_UserAuthentication, "Success", 'LOGIN', "Failure", 'FAILED', serviceEventDetails_UserAuthentication))

str

machine

-

null('')

str

application

-

null('')

str

user_domain

userIdentity_accountId

str

user

userIdentity_userName

str

source_ip

sourceIPAddress

ip4(sourceIPAddress)

ip4

source_hostname

eventSource

str

source_user

-

null('')

str

result

-

null('')

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"azure-ad"`	`str`
action	resultType	`(resultType = 0) ? 'LOGIN' : 'FAILED'`	`str`
machine	hostchain	`split(hostchain, "=", 0)`	`str`
application	properties_appDisplayName		`str`
user_domain	-	`null('')`	`str`
user	identity		`str`
source_ip	callerIpAddress	`ip4(callerIpAddress)`	`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	resultType		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Rw tab

title	Tables 20-23

[ cloud.azure.sql.audit ] [ cloud.gsuite.reports.login ] [ cloud.office365.management ] [ crm.salesforceobjects.loginhistory ]

Anchor
cloud.azure.sql.audit
cloud.azure.sql.audit
cloud.azure.sql.audit

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"azure-sql-audit"`	`str`
action	action_id	`(action_id = "DBAF") ? 'FAILED' : 'LOGIN'`	`str`
machine	hostname		`str`
application	application_name		`str`
user_domain	-	`null('')`	`str`
user	-	`null('')`	`str`
source_ip	client_ip		`ip4`
source_hostname	host_name		`str`
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"gsuite-reports-login"`	`str`
action	-	`null('')`	`str`
machine	hostname		`str`
application	id_applicationName		`str`
user_domain	id_customerId		`str`
user	actor_email		`str`
source_ip	ipAddress	`ip4(ipAddress)`	`ip4`
source_hostname	-	`null('')`	`str`
source_user	actor_profileId		`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
cloud.office365.management
cloud.office365.management
cloud.office365.management

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"office365-management"

str

action

Operation

ResultStatus

(Operation = "UserLoggedIn" and ResultStatus = "Success") ? 'LOGIN' : 'FAILED'

str

machine

hostname

str

application

-

null('')

str

user_domain

-

null('')

str

user

UserId

str

source_ip

ActorIpAddress

ip4(ActorIpAddress)

ip4

source_hostname

-

null('')

str

source_user

-

null('')

str

result

LogonError

Operation

ResultStatus

Code Block

'{' + '"Operation": ' + (isnull(Operation) ? 'null' : '"' + str(Operation) + '"') + ', ' + '"LogonError": ' + (isnull(LogonError) ? 'null' : '"' + str(LogonError) + '"') + ', ' + '"ResultStatus": ' + (isnull(ResultStatus) ? 'null' : '"' + str(ResultStatus) + '"') + '}'

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"crm.salesforceobjects.loginhistory"

str

action

-

(Status = "Success") ? 'LOGIN'
: 'FAILED';

str

machine

hostname

str

application

Application

str

user_domain

-

Code Block
null('')

str

user

UserId

str

source_ip

SourceIp

Code Block
ip4(SourceIp)

ip4

source_hostname

Code Block
null('')

str

source_user

Code Block
null('')

str

result

Status

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Tables 24-30

[ db.mssql.events ] [ db.oracle.audit_trail ] [ ddi.infoblox.audit ] [ firewall.fortinet.event.system ] [ firewall.paloalto.globalprotect ] [ firewall.paloalto.system ] [ helpdesk.zendesk.audit.logs ][ firewall.juniper.srx.system]

Anchor
db.mssql.events
db.mssql.events
db.mssql.events

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"mssql"`	`str`
action	eventID	`(eventID = 18456) ? 'FAILED' : 'LOGIN'`	`str`
machine	hostname2		`str`
application	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	user		`str`
source_ip	-	`ip4('')`	`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	message		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
db.oracle.audit_trail
db.oracle.audit_trail
db.oracle.audit_trail

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

Code Block
"fortinet-event-system"

str

action

status

action

Code Block
(action = "login" and status = "success") ? 'LOGIN' : (action = "logout") ? 'LOGOUT' : 'FAILED'

str

machine

str

application

method

str

user_domain

-

Code Block
null('')

str

user

str

source_ip

srcIp

Code Block
ip4(srcIp)

ip4

source_hostname

devName

str

source_user

user

str

result

status

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
ddi.infoblox.audit
ddi.infoblox.audit
ddi.infoblox.audit

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

Code Block
"ddi-infoblox-audit"

str

action

Code Block
(action = "Login_Allowed") ? 'LOGIN' : (action = "Logout") ? 'LOGOUT' : 'FAILED'

str

machine

hostname

str

application

-

Code Block
null('')

str

user_domain

-

Code Block
null('')

str

user

admin_user

str

source_ip

srcIp

ip4

source_hostname

-

Code Block
null('')

str

source_user

-

Code Block
null('')

str

result

message

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.fortinet.event.system
firewall.fortinet.event.system
firewall.fortinet.event.system

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"fortinet-event-system"`	`str`
action	status action	`(action = "login" and status = "success") ? 'LOGIN' : (action = "logout") ? 'LOGOUT' : 'FAILED'`	`str`
machine	machine		`str`
application	method		`str`
user_domain	-	`null('')`	`str`
user	user		`str`
source_ip	srcIp	`ip4(srcIp)`	`ip4`
source_hostname	devName		`str`
source_user	user		`str`
result	status		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.globalprotect

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"paloalto-globalprotect"`	`str`
action	stage status	`(stage = "login") ? ((status = "success") ? 'LOGIN' : 'FAILED') : (stage = "logout") ? ((status = "success") ? 'LOGOUT' : 'FAILED') : 'FAILED'`	`str`
machine	machine		`str`
application	subType		`str`
user_domain	-	`null('')`	`str`
user	srcuser		`str`
source_ip	public_ip		`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	description		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.system

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"paloalto-system"`	`str`
action	eventId	`(eventId = "globalprotectportal-auth-succ" or eventId = "panorama-auth-success") ? 'LOGIN' : 'FAILED'`	`str`
machine	machine		`str`
application	subType		`str`
user_domain	-	`null('')`	`str`
user	user_name		`str`
source_ip	client_ip		`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	description		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.juniper.srx.system
Anchor
firewall.juniper.srx.system
firewall.juniper.srx.system

Field in

Field in source table

Field transformation

Data Type

Extra Field

eventdate

timestamp

source

-

Code Block
"juniper-srx-system"

str

action

log_type

Code Block
(log_type = "UI_LOGIN_EVENT") ? 'LOGIN' : (log_type = "UI_LOGOUT_EVENT") ? 'LOGOUT' : 'FAILED'

str

machine

str

application

-

Code Block
null('')

str

user_domain

-

Code Block
null('')

str

user

username

str

source_ip

client_ip

ip4

source_hostname

hostname

str

source_user

-

Code Block
null('')

str

result

-

Code Block
null('')

str

message

str

hostchain

str

✓

tag

str

✓

Anchor
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"helpdesk.zendesk.audit.logs"

str

action

-

(action_label = "Signed in") ? 'LOGIN'
: 'FAILED';

str

machine

-

Code Block
null('')

str

application

-

Code Block
null('')

str

user_domain

-

Code Block
null('')

str

user

source_label

str

source_ip

ip_address

ip4(ip_address)

ip4

source_hostname

Code Block
null('')

str

source_user

Code Block
null('')

str

result

change_description

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Tables 31-34

[ network.citrix.adc.sslvpn ] [ siem.logtrust.web.connection ] [ vpn.aws.client ] [ vpn.cisco.asa.anyconnect ]

Anchor
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"citrix-adc-sslvpn"

str

action

subtype

Code Block
(subtype = "LOGIN") ? 'LOGIN' : (subtype = "LOGOUT") ? 'LOGOUT' : 'FAILED'

str

machine

str

application

-

null('')

str

user_domain

-

null('')

str

user

str

source_ip

sourceIp

ip4

source_hostname

vserverIp

str(vserverIp)

str

source_user

-

null('')

str

result

-

null('')

str

message

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
siem.logtrust.web.connection
siem.logtrust.web.connection
siem.logtrust.web.connection

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

source

-

"logtrust-app"

str

action

Code Block
(action in {'login', 'api_login', 'changedomain', 'ghost_login'}) ? 'LOGIN' : (action in {'logout', 'api_logout'}) ? 'LOGOUT' : 'FAILED'

str

machine

hostchain

split(hostchain, "=", 0)

str

application

serverHost

str

user_domain

inputDomain

str

user

inputUser

str

source_ip

srcHost

ip4(srcHost)

ip4

source_hostname

srcHost

str

source_user

-

null('')

str

result

-

null('')

str

message

action

'ACTION: ' + action + ' MSG: ' + message

str

hostchain

str

✓

tag

str

✓

Anchor
vpn.aws.client
vpn.aws.client
vpn.aws.client

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"aws-vpn-client"`	`str`
action	connection_log_type connection_attempt_status	`(connection_log_type in {'connection-reset'} ? 'LOGOUT' : (connection_attempt_status in {'successful'} ? "LOGIN" : "FAILED"))`	`str`
machine	hostname		`str`
application	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	username		`str`
source_ip	client_ip		`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	connection_attempt_status		`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Anchor
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"cisco-asa-anyconnect"`	`str`
action	EventID	`(EventID = 722022) ? 'LOGIN' : ((EventID = 722023) ? 'LOGOUT' : null(''))`	`str`
machine	host		`str`
application	-	`null('')`	`str`
user_domain	-	`null('')`	`str`
user	User		`str`
source_ip	srcIP		`ip4`
source_hostname	-	`null('')`	`str`
source_user	-	`null('')`	`str`
result	-	`null('')`	`str`
message	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Versions Compared

Old Version 29

New Version 30

Key

Introduction

Source tables

Table structure

Field transformations

Anchor
adn.f5.bigip.apm
adn.f5.bigip.apm
adn.f5.bigip.apm

Anchor
adn.f5.bigip.audit
adn.f5.bigip.audit
adn.f5.bigip.audit

Anchor
auth.cisco.ise
auth.cisco.ise
auth.cisco.ise

Anchor
auth.duo.authentication.events
auth.duo.authentication.events
auth.duo.authentication.events

Anchor
auth.okta.events
auth.okta.events
auth.okta.events

Anchor
auth.okta.system
auth.okta.system
auth.okta.system

Anchor
auth.onelogin.events
auth.onelogin.events
auth.onelogin.events

Anchor
auth.ping.federate.audit
auth.ping.federate.audit
auth.ping.federate.audit

Anchor
auth.ping.federate.security_audit
auth.ping.federate.security_audit
auth.ping.federate.security_audit

Anchor
auth.ping.id.mfa
auth.ping.id.mfa
auth.ping.id.mfa

Anchor
auth.securenvoy
auth.securenvoy
auth.securenvoy

Anchor
auth.thycotic.secretserver
auth.thycotic.secretserver
auth.delinia.secretserver (formerly Thycotic)

Anchor
auth.unix
auth.unix
auth.unix

Anchor
box.all.win
box.all.win
box.all.win

Anchor
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows

Anchor
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events

Anchor
cloud.azure.sql.audit
cloud.azure.sql.audit
cloud.azure.sql.audit

Anchor
cloud.office365.management
cloud.office365.management
cloud.office365.management

Anchor
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory

Anchor
db.mssql.events
db.mssql.events
db.mssql.events

Anchor
db.oracle.audit_trail
db.oracle.audit_trail
db.oracle.audit_trail

Anchor
ddi.infoblox.audit
ddi.infoblox.audit
ddi.infoblox.audit

Anchor
firewall.fortinet.event.system
firewall.fortinet.event.system
firewall.fortinet.event.system

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.globalprotect

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.system

firewall.juniper.srx.system
Anchor
firewall.juniper.srx.system
firewall.juniper.srx.system

Anchor
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs

Anchor
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn

Anchor
siem.logtrust.web.connection
siem.logtrust.web.connection
siem.logtrust.web.connection

Anchor
vpn.aws.client
vpn.aws.client
vpn.aws.client

Anchor
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect

Page Comparison

Versions Compared

Old Version 29

New Version 30

Key

Introduction

Source tables

Table structure

Field transformations

Anchoradn.f5.bigip.apmadn.f5.bigip.apmadn.f5.bigip.apm

Anchoradn.f5.bigip.auditadn.f5.bigip.auditadn.f5.bigip.audit

Anchorauth.cisco.iseauth.cisco.iseauth.cisco.ise

Anchorauth.duo.administrator.loginauth.duo.administrator.loginauth.duo.administrator.login

Anchorauth.duo.authentication.eventsauth.duo.authentication.eventsauth.duo.authentication.events

Anchorauth.okta.eventsauth.okta.eventsauth.okta.events

Anchorauth.okta.systemauth.okta.systemauth.okta.system

Anchorauth.onelogin.eventsauth.onelogin.eventsauth.onelogin.events

Anchorauth.ping.federate.auditauth.ping.federate.auditauth.ping.federate.audit

Anchorauth.ping.federate.security_auditauth.ping.federate.security_auditauth.ping.federate.security_audit

Anchorauth.ping.id.mfaauth.ping.id.mfaauth.ping.id.mfa

Anchorauth.securenvoyauth.securenvoyauth.securenvoy

Anchorauth.thycotic.secretserverauth.thycotic.secretserverauth.delinia.secretserver (formerly Thycotic)

Anchorauth.unixauth.unixauth.unix

Anchorbox.all.winbox.all.winbox.all.win

Anchorcef0.microsoft.microsoftWindowscef0.microsoft.microsoftWindowscef0.microsoft.microsoftWindows

Anchorcloud.aws.cloudtrail.eventscloud.aws.cloudtrail.eventscloud.aws.cloudtrail.events

Anchorcloud.aws.cloudtrail.signincloud.aws.cloudtrail.signincloud.aws.cloudtrail.signin

Anchorcloud.azure.ad.signincloud.azure.ad.signincloud.azure.ad.signin

Anchorcloud.azure.sql.auditcloud.azure.sql.auditcloud.azure.sql.audit

Anchorcloud.gsuite.reports.logincloud.gsuite.reports.logincloud.gsuite.reports.login

Anchorcloud.office365.managementcloud.office365.managementcloud.office365.management

Anchorcrm.salesforceobjects.loginhistorycrm.salesforceobjects.loginhistorycrm.salesforceobjects.loginhistory

Anchordb.mssql.eventsdb.mssql.eventsdb.mssql.events

Anchordb.oracle.audit_traildb.oracle.audit_traildb.oracle.audit_trail

Anchorddi.infoblox.auditddi.infoblox.auditddi.infoblox.audit

Anchorfirewall.fortinet.event.systemfirewall.fortinet.event.systemfirewall.fortinet.event.system

Anchorfirewall.paloalto.systemfirewall.paloalto.systemfirewall.paloalto.globalprotect

Anchorfirewall.paloalto.systemfirewall.paloalto.systemfirewall.paloalto.system

firewall.juniper.srx.system Anchorfirewall.juniper.srx.systemfirewall.juniper.srx.system

Anchorhelpdesk.zendesk.audit.logshelpdesk.zendesk.audit.logshelpdesk.zendesk.audit.logs

Anchornetwork.citrix.adc.sslvpnnetwork.citrix.adc.sslvpnnetwork.citrix.adc.sslvpn

Anchorsiem.logtrust.web.connectionsiem.logtrust.web.connectionsiem.logtrust.web.connection

Anchorvpn.aws.clientvpn.aws.clientvpn.aws.client

Anchorvpn.cisco.asa.anyconnectvpn.cisco.asa.anyconnectvpn.cisco.asa.anyconnect

Anchor
adn.f5.bigip.apm
adn.f5.bigip.apm
adn.f5.bigip.apm

Anchor
adn.f5.bigip.audit
adn.f5.bigip.audit
adn.f5.bigip.audit

Anchor
auth.cisco.ise
auth.cisco.ise
auth.cisco.ise

Anchor
auth.duo.administrator.login
auth.duo.administrator.login
auth.duo.administrator.login

Anchor
auth.duo.authentication.events
auth.duo.authentication.events
auth.duo.authentication.events

Anchor
auth.okta.events
auth.okta.events
auth.okta.events

Anchor
auth.okta.system
auth.okta.system
auth.okta.system

Anchor
auth.onelogin.events
auth.onelogin.events
auth.onelogin.events

Anchor
auth.ping.federate.audit
auth.ping.federate.audit
auth.ping.federate.audit

Anchor
auth.ping.federate.security_audit
auth.ping.federate.security_audit
auth.ping.federate.security_audit

Anchor
auth.ping.id.mfa
auth.ping.id.mfa
auth.ping.id.mfa

Anchor
auth.securenvoy
auth.securenvoy
auth.securenvoy

Anchor
auth.thycotic.secretserver
auth.thycotic.secretserver
auth.delinia.secretserver (formerly Thycotic)

Anchor
auth.unix
auth.unix
auth.unix

Anchor
box.all.win
box.all.win
box.all.win

Anchor
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows
cef0.microsoft.microsoftWindows

Anchor
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.events

Anchor
cloud.aws.cloudtrail.signin
cloud.aws.cloudtrail.signin
cloud.aws.cloudtrail.signin

Anchor
cloud.azure.ad.signin
cloud.azure.ad.signin
cloud.azure.ad.signin

Anchor
cloud.azure.sql.audit
cloud.azure.sql.audit
cloud.azure.sql.audit

Anchor
cloud.gsuite.reports.login
cloud.gsuite.reports.login
cloud.gsuite.reports.login

Anchor
cloud.office365.management
cloud.office365.management
cloud.office365.management

Anchor
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory
crm.salesforceobjects.loginhistory

Anchor
db.mssql.events
db.mssql.events
db.mssql.events

Anchor
db.oracle.audit_trail
db.oracle.audit_trail
db.oracle.audit_trail

Anchor
ddi.infoblox.audit
ddi.infoblox.audit
ddi.infoblox.audit

Anchor
firewall.fortinet.event.system
firewall.fortinet.event.system
firewall.fortinet.event.system

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.globalprotect

Anchor
firewall.paloalto.system
firewall.paloalto.system
firewall.paloalto.system

firewall.juniper.srx.system
Anchor
firewall.juniper.srx.system
firewall.juniper.srx.system

Anchor
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs
helpdesk.zendesk.audit.logs

Anchor
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn
network.citrix.adc.sslvpn

Anchor
siem.logtrust.web.connection
siem.logtrust.web.connection
siem.logtrust.web.connection

Anchor
vpn.aws.client
vpn.aws.client
vpn.aws.client

Anchor
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect
vpn.cisco.asa.anyconnect