Introduction
This table collects information about different authentication events generated by a variety of platforms.
Source tables
The information displayed is extracted from the following tables:
...
auth.jumpcloud.ldap.events
...
auth.jumpcloud.mdm.events
...
auth.jumpcloud.radius.events
...
auth.jumpcloud.software.events
...
auth.jumpcloud.sso.events
...
all.events
auth.okta.events
auth.okta.system
auth.onelogin.events
auth.ping.federate.audit
auth.ping.federate.security_audit
auth.ping.id.mfa
auth.rsa.secureid.runtime
auth.securenvoy
auth.thycotic.secretserver
|
...
...
...
...
...
...
box.devo_ea.events_windows
...
box.devo_ua.events_windows
...
box.unix
...
box.unix_cloudwatch
...
box.vmware.esx
...
box.win
...
box.winNxlog
...
box.win_classic
...
box.win_cloudwatch
...
box.win_hf
...
box.win_kinesis
...
box.win_nxlog
...
box.win_quest.change_auditor.leef
...
box.win_snare
...
box.win_solarwinds
...
box.win_winlogbeat
...
cef0.microsoft.microsoftWindows
...
cloud.aws.cloudtrail.events
...
cloud.aws.cloudtrail.signin
...
cloud.azure.ad.signin
...
cloud.azure.sql.audit
...
cloud.azure.vm.applicationevent
...
cloud.azure.vm.securityevent
...
cloud.azure.vm.systemevent
...
cloud.azure.vm.unix
...
cloud.gsuite.reports.login
...
cloud.office365.management_all
...
cloud.office365.oldmanagement
...
crm.salesforceobjects.loginhistory
...
db.mssql.events
...
db.oracle.audit_trail
...
ddi.infoblox.audit
...
firewall.fortinet.event.system
...
firewall.juniper.srx.system
...
firewall.paloalto.globalprotect
...
firewall.paloalto.system
...
helpdesk.zendesk.audit.logs
...
network.citrix.adc.sslvpn
...
siem.logtrust.web.connection
...
vpn.aws.client
...
vpn.cisco.asa.anyconnect
Table structure
...
microsoft.microsoftWindows
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.signin
cloud.azure.ad.signin
cloud.azure.sql.audit
cloud.gsuite.reports.login
cloud.office365.management
crm.salesforceobjects.loginhistory
db.mssql.events
db.oracle.audit_trail
ddi.infoblox.audit
firewall.all.vpn.auth
firewall.fortinet.event.system
firewall.juniper.srx.system
helpdesk.zendesk.audit.logs
network.cisco.switch
network.citrix.adc.sslvpn
siem.logtrust.web.connection
vpn.aws.client
vpn.cisco.asa.anyconnect
|
Table structure
This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:
| Note |
|---|
Extra fields Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns. |
...
Type | Extra fields |
|---|
eventdate | timestamp
|
...
...
...
...
-
...
-
...
...
-
...
...
Field
...
Data type
...
Extra fields
...
source_ip
...
ip
...
-
...
source_hostname
...
str
...
-
...
-
...
...
Field transformations
Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.
| Rw ui tabs macro |
|---|
| title | Table 1-3 |
|---|
| tabIcon | bvicon-table |
|---|
|
|
...
[ adn.f5.bigip.apm ] [ adn.f5.bigip.audit ] [ app.lastpass.events ] [ auth.cisco.ise ] | Anchor |
|---|
| adn.f5.bigip.apm |
|---|
| adn.f5.bigip.apm |
|---|
|
adn.f5.bigip.apmField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - |
|
...
| str
| | action | eventType category |
|
...
...
(eventType = "Login") ? ((category = "allow") ? "LOGIN" : "FAILED") : (eventType = "Logout") ? 'LOGOUT' : 'N/A' |
| str
| | machine | hostName | | str
|
|
...
...
...
| domain | domain | | str
| | user | userName | | str
| | srcIp |
|
...
...
...
...
...
...
| str
| | result | eventType category |
|
...
...
(eventType = "Login") ? ((category = "allow") ? "allow" : "deny") : 'N/A' |
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| adn.f5.bigip.audit |
|---|
| adn.f5.bigip.audit |
|---|
|
adn.f5.bigip.auditField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
|
...
...
(status = "Login Success") ? 'LOGIN' : (status = "Logout Success") ? 'LOGOUT' : (status = "Login Failure") ? 'FAILED' : 'N/A' |
| str
| | machine | hostName | | str
|
|
...
...
...
...
...
...
...
...
| str
| | result | status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
...
...
...
...
...
...
...
eventsField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
|
...
...
typeCode
...
| Code Block |
|---|
(Action = "Failed login attempt") ? "FAILED" : "LOGIN" |
| str
| | machine | - |
|
...
host
...
...
...
...
...
...
...
...
...
FramedIPAddress
...
...
| srcUser | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
...
...
...
...
...
...
...
...
iseField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
...
...
...
Passed-Authentication'}) ? 'LOGIN' : ( |
|
|
...
...
Failed-Attempt'}) ? 'FAILED' : |
|
|
...
...
...
...
...
...
...
...
source_ip
...
ip_address
...
...
ip4
...
source_hostname
...
...
username
email
...
ifthenelse(isnotnull(username) and not isempty(username), username, email)
...
str
UserName | | str
| | srcIp | FramedIPAddress | | ip4
| | srcHost | - | | str
|
|
...
...
...
...
str
...
...
...
...
...
| .administrator.login | | auth.duo.administrator.login |
|---|
|
auth.duo. |
...
...
loginField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
...
...
...
...
...
...
: (action in {'admin_login_error', ' |
|
|
...
admin_2fa_error'}) ? 'FAILED' |
|
|
...
str
...
machine
...
host
...
...
str
...
application
...
application_name
...
...
str
...
user_domain
...
-
| str
| | machine | host | | str
| | app | - | | str
| | domain | - | | str
| | user | username email | | Code Block |
|---|
ifthenelse(isnotnull(username) and not isempty(username), username, email) |
| str
| | srcIp | ip_address | | ip4
| | srcHost | - | | str
|
|
...
source_hostname
...
access_device_hostname2
...
...
str
...
source_user
...
-
...
user_name
...
...
str
...
source_ip
...
access_device_ip
...
...
ip4
...
...
...
...
...
...
| authentication.events | | auth.duo. |
|---|
|
|
...
...
duo.authentication.eventsField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
source_hostname
...
-
...
null('')
...
str
...
source_user
...
-
...
null('')
...
str
...
result
...
-
duo-authentication-events" |
| str
| | action |
|
...
action_message
...
(action_message = 'Sign-in successful') ? 'LOGIN' : action_message
...
str
...
machine
...
-
...
null('')
...
str
...
application
...
targets_id_str
...
...
str
...
user_domain
...
-
...
null('')
...
str
...
user
...
actors_login_str
...
...
str
...
source_ip
...
actors_ip_address_str
...
ip4(actors_ip_address_str)
...
ip4
...
reason | | Code Block |
|---|
decode(reason, 'user_approved', 'LOGIN', 'valid_passcode', 'LOGIN', 'allowed_by_policy', 'LOGIN', 'bypass_user', 'LOGIN', 'locked_out', 'LOGOUT', 'invalid_passcode', 'FAILED', 'no_response', 'FAILED', 'user_cancelled', 'FAILED', 'user_disabled', 'FAILED', 'user_mistake', 'FAILED', 'call_timed_out', 'FAILED', 'no_keys_pressed', 'FAILED', 'user_marked_fraud', 'FAILED', reason) |
| str
| | machine | host | | str
| | app | application_name | | str
| | domain | - | | str
|
|
...
message
...
rawMessage
...
tag
...
tag
...
...
hostchain
...
hostchain
...
...
str
...
✓
srcIp | access_device_ip | | ip4
| | srcHost | access_device_hostname2 | | str
|
|
...
...
...
[ auth.okta.system ] [ auth.onelogin.events ] [ auth.ping.federate.audit ]
...
| | str
| | result | result | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| auth.jumpcloud.all.events |
|---|
| auth.jumpcloud.all.events |
|---|
|
auth.jumpcloud.all.eventsField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
-
...
"okta-system"
...
...
| str
| | machine | system__hostname | | str
| | app | application__name process_name | | Code Block |
|---|
nvl(process_name, application__name) |
| str
| | domain | - | | str
| | user | username resource__username | | Code Block |
|---|
nvl(resource__username, username) |
| str
| | srcIp | client_ipv4 | | ip4
| | srcHost | - | | str
| | srcUser | initiated_by__username | | str
| | result | success | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| auth.okta.events |
|---|
| auth.okta.events |
|---|
|
auth.okta.eventsField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | action_message | | Code Block |
|---|
(action_message = 'Sign-in successful') ? 'LOGIN' : |
|
|
...
str
...
machine
...
-
...
null('')
...
str
...
application
...
target_alternateId_str
...
...
str
...
user_domain
...
-
...
null('')
...
str
...
user
...
actor_alternateId
...
...
str
...
source_ip
...
client_ipAddress
...
...
ip4
...
source_hostname
...
-
...
null('')
...
str
...
source_user
...
-
...
null('')
...
str
...
result
...
outcome_result
...
...
str
...
message
...
rawMessage
...
...
str
...
hostchain
...
hostchain
...
...
str
...
✓
...
tag
...
tag
...
...
str
...
✓
...
Field in union table
...
Field in source table
...
Field transformation
...
Data type
...
Extra fields
...
eventdate
...
eventdate
...
...
timestamp
...
source
...
-
...
"onelogin-events"
...
str
...
action
...
eventTypeId
...
| Code Block |
|---|
(eventTypeId = 5 or eventTypeId = 8) ? 'LOGIN' : ((eventTypeId = 7 or eventTypeId = 29) ? 'LOGOUT' : 'FAILED') |
...
str
...
machine
...
hostname
...
...
str
...
application
...
appName
...
...
str
...
user_domain
...
-
...
null('')
...
str
...
user
...
userName
...
...
str
...
source_ip
...
ipaddr
...
...
ip4
...
source_hostname
...
-
...
null('')
...
str
...
source_user
...
-
...
null('')
...
str
...
result
...
riskReasons
...
...
str
...
message
...
rawMessage
...
...
str
...
hostchain
...
hostchain
...
...
str
...
✓
...
tag
...
tag
...
...
str
...
✓
...
Field in union table
...
Field in source table
...
Field transformation
...
Data type
...
Extra fields
...
eventdate
...
eventdate
...
...
timestamp
...
source
...
-
...
"ping"
...
str
...
action
...
event
...
| Code Block |
|---|
(event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event |
...
str
...
machine
...
pfhost
...
...
str
...
application
...
app
...
...
str
...
user_domain
...
-
| str
| | machine | - | | str
| | app | targets_id_str | | str
| | domain | - | | str
| | user | actors_login_str | | str
| | srcIp | actors_ip_address_str | | Code Block |
|---|
ip4(actors_ip_address_str) |
| ip4
| | srcHost | - | | str
| | srcUser | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
[ auth.okta.system ] [ auth.onelogin.events ] [ auth.ping.federate.audit ] | Anchor |
|---|
| auth.okta.system |
|---|
| auth.okta.system |
|---|
|
auth.okta.systemField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | legacyEventType | | Code Block |
|---|
(legacyEventType in {'app.ad.login.success', 'app.ad.agent.user_auth', 'core.user_auth.idp.saml.login_success', 'iwa.auth', 'core.user.factor.attempt_success', 'core.user_auth.radius.login.succeeded', 'app.auth.sso', 'core.user_auth.login_success', 'core.user_auth.idp.social.login_success'}) ? 'LOGIN' : (legacyEventType in {'app.ad.login.expired_password', 'app.ad.login.unknown_failure', 'app.ad.login.locked_account', 'app.ad.login.bad_password', 'app.ad.agent.user_auth.error', 'core.user_auth.idp.saml.saml_validation_failed', 'core.user_auth.idp.saml.response_received_in_response_to_no_matching_key', 'core.user_auth.idp.invalid_user_status', 'iwa.invalid_token', 'core.user.factor.attempt_fail', 'core.user_auth.radius.login.failed', 'core.user_auth.login_failed', 'app.rich_client.login_failure'}) ? 'FAILED' : legacyEventType |
| str
| | machine | - | | str
| | app | target_alternateId_str | | str
| | domain | - | | str
| | user |
|
...
...
...
...
source_ip
...
ip
...
...
...
...
...
...
message
rawMessage | | str
| | hostchain | hostchain |
|
...
...
...
...
| onelogin.events | | auth.onelogin.events |
|---|
|
auth.onelogin.eventsField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
|
...
...
...
eventTypeId = 5 or eventTypeId = 8) ? 'LOGIN' : ( |
|
|
...
(eventTypeId = 7 or eventTypeId = 29) ? 'LOGOUT' : |
|
|
...
...
...
...
...
...
...
...
...
...
...
riskReasons | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
...
...
...
...
...
...
auditField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
|
...
...
...
event in {'SSO'}) ? 'LOGIN' : (event in |
|
|
...
{'SLO'}) ? 'LOGOUT' : event |
| str
| | machine |
|
...
...
...
-
...
...
...
...
...
...
-
...
...
...
...
source_hostname
...
...
...
message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
...
[ auth.ping.federate.security_audit ] [ auth.ping.id.mfa ] [ auth.rsa.secureid.runtime ] [ auth.securenvoy ] | Anchor |
|---|
| auth.ping.federate.security_audit |
|---|
| auth.ping.federate.security_audit |
|---|
|
auth.ping.federate.security_auditField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
machine
...
hostchain
...
...
str
...
application
...
-
...
null('')
...
str
...
user_domain
...
...
"LOGIN"
...
str
| Code Block |
|---|
(event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event |
| str
| | machine | host | | str
| | app | app | | str
| | domain | - | | str
| | user |
|
...
...
...
...
...
-
...
...
...
...
...
...
-
...
null('')
...
...
message
rawMessage | | str
| | hostchain | hostchain |
|
...
...
...
...
...
| ping.id.mfa | | auth.ping.id.mfa |
|---|
|
auth.ping.id.mfaField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
...
name
...
result__status | | Code Block |
|---|
(result__status = "SUCCESS") ? 'LOGIN' : 'FAILED' |
| str
| | machine |
|
...
hostchain
...
split(hostchain, "=", 0)
...
...
...
suser
...
...
...
...
source_hostname
...
-
...
...
...
...
| srcUser | - | | str
| | result | result__message |
|
...
...
rawMessage | | str
| | hostchain | hostchain |
|
...
...
...
...
...
secureid.runtimeField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
...
action
result | | Code Block |
|---|
(result = 'SUCCESS') ? 'LOGIN' : 'FAILED' |
| str
| | machine | machine |
|
...
...
application
...
...
-
...
security_domain_id | | str
| | user | user_login_name |
|
...
...
...
...
...
...
source_hostname
...
...
...
...
...
...
-
...
null('')
...
...
message
rawMessage | | str
| | hostchain | hostchain |
|
...
...
...
...
...
...
...
...
securenvoyField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
status
...
str
...
machine
...
machineIp
...
str(machineIp)
...
str
...
application
...
sourceName
...
...
str
...
user_domain
...
domain
...
...
str
...
user
...
account
...
...
str
...
source_ip
...
srcIp
...
ip4(srcIp)
...
ip4
...
source_hostname
...
srcHost
...
...
str
...
source_user
...
subjectUsername
...
...
str
...
result
...
status
...
...
str
...
message
...
message
...
...
str
...
hostchain
...
hostchain
...
...
str
...
✓
...
tag
...
tag
...
...
str
...
✓
[ cef0.microsoft.microsoftWindows ] [ cloud.aws.cloudtrail.events ] [ cloud.aws.cloudtrail.signin ] [ cloud.azure.ad.signin ]
...
- | | str
| | machine | hostchain | | str
| | app | - | |
|
...
(eventId = 512 or eventId = 4624 or eventId = 4648 or eventId = 4770) ? 'LOGIN' : (eventId = 4634) ? 'LOGOUT' : (eventId = 516 or eventId = 1210) ? 'LOCKED' : (eventId = 4768 or eventId = 4769 or eventId = 4772 or eventId = 4773) ? ((status = "0x0") ? 'LOGIN' : (status = "0x12") ? 'LOCKED' : 'FAILED') : (eventId = 4776 or eventId = 4777) ? ((status = "0x0") ? 'LOGIN' : (status = "0xC0000234") ? 'LOCKED' : 'FAILED') : 'FAILED'
| str
| | domain | - | | str
| | user | client | | str
| | srcIp | - | | ip4
| | srcHost | - | | str
| | srcUser | - | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
[ auth.thycotic.secretserver ] [ auth.unix ] [ box.all.win ] | Anchor |
|---|
| auth.thycotic.secretserver |
|---|
| auth.thycotic.secretserver |
|---|
|
auth.thycotic.secretserverField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
"thycotic-secretserver" |
| str
| | action | name | | Code Block |
|---|
(name in {"USER - LOGOUT"}) ? "LOGOUT" : (name in {"USER - LOGIN"}) ? "LOGIN" : "FAILED" |
| str
| | machine | hostchain | | Code Block |
|---|
split(hostchain, "=", 0) |
| str
| | app | - | | str
| | domain | - | | str
| | user | suser | | str
| | srcIp | src | | ip4
| | srcHost | - | | str
| | srcUser | - | | str
| | result | - | | str
| | message | msg | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | source | | str
| | action | action | | str
| | machine | machine | | str
| | app | app | | str
| | domain | - | | str
| | user | user | | str
| | srcIp | srcIp | | ip4
| | srcHost | srcHost | | str
| | srcUser | srcUser | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | source | | str
| | action | status eventId | | Code Block |
|---|
(eventId = 512 or eventId = 4624 or eventId = 4648 or eventId = 4770 or eventId = 303) ? 'LOGIN' : (eventId = 4634) ? 'LOGOUT' : (eventId = 516 or eventId = 1210) ? 'LOCKED' : (eventId = 4768 or eventId = 4769 or eventId = 4772 or eventId = 4773) ? ((status = "0x0") ? 'LOGIN' : (status = "0x12") ? 'LOCKED' : 'FAILED') : (eventId = 4776 or eventId = 4777) ? ((status = "0x0") ? 'LOGIN' : (status = "0xC0000234") ? 'LOCKED' : 'FAILED') : 'FAILED' |
| str
| | machine | machineIp | | str
| | app | sourceName | | str
| | domain | domain | | str
| | user | account | | str
| | srcIp | srcIp | | ip4
| | srcHost | srcHost | | str
| | srcUser | subjectUsername | | str
| | result | status | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
[ cef0.microsoft.microsoftWindows ] [ cloud.aws.cloudtrail.events ] [ cloud.aws.cloudtrail.signin ] [ cloud.azure.ad.signin ] | Anchor |
|---|
| cef0.microsoft.microsoftWindows |
|---|
| cef0.microsoft.microsoftWindows |
|---|
|
cef0.microsoft.microsoftWindowsField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
"microsoft-microsoft_windows" |
| str
| | action | name | | str
| | machine | shost | | str
| | app | deviceProcessName | | str
| | domain | - | | str
| | user | duser | | str
| | srcIp | src | | ip4
| | srcHost | shost | | str
| | srcUser | suser | | str
| | result | reason | | str
| | message | msg | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| cloud.aws.cloudtrail.events |
|---|
| cloud.aws.cloudtrail.events |
|---|
|
cloud.aws.cloudtrail.eventsField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
"aws-cloudtrail-events" |
| str
| | action | responseElements_ConsoleLogin | | Code Block |
|---|
decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin) |
| str
| | machine | - | | str
| | app | - | | str
| | domain | - | | str
| | user | userIdentity_userName | | str
| | srcIp | sourceIPAddress | | Code Block |
|---|
ip4(sourceIPAddress) |
| ip4
| | srcHost | requestParameters_host_str | | str
| | srcUser | requestParameters_userName | | str
| | result | responseElements_ConsoleLogin | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| cloud.aws.cloudtrail.signin |
|---|
| cloud.aws.cloudtrail.signin |
|---|
|
cloud.aws.cloudtrail.signinField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
name
...
responseElements_ConsoleLogin | | Code Block |
|---|
decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin) |
| str
| | machine | - |
|
...
shost
...
...
deviceProcessName
...
...
duser
...
...
...
...
source_hostname
...
shost
...
...
str
...
source_user
...
suser
...
| ip4
| | srcHost | requestParameters_host_str | | str
| | srcUser | requestParameters_userName | | str
| | result |
|
...
responseElements_ConsoleLogin |
|
...
...
...
msg
rawMessage | | str
| | hostchain | hostchain |
|
...
...
...
...
...
...
...
...
...
...
...
signinField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
timestamp
...
source
...
-
...
"aws-cloudtrail-events"
...
str
...
action
...
responseElements_ConsoleLogin
...
| | timestamp
| | source | - | | Code Block |
|---|
"aws-cloudtrail-signin" |
| str
| | action | serviceEventDetails_UserAuthentication eventName responseElements_ConsoleLogin responseElements_ExternalIdPDirectoryLogin | | Code Block |
|---|
decode(eventName, "ConsoleLogin", decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin), "ExternalIdPDirectoryLogin", decode(responseElements_ExternalIdPDirectoryLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements |
|
|
...
_ExternalIdPDirectoryLogin), "UserAuthentication", decode(serviceEventDetails_UserAuthentication, "Success", 'LOGIN', "Failure", 'FAILED', serviceEventDetails_UserAuthentication)) |
| str
| | machine | - | | str
|
|
...
...
...
-
userIdentity_accountId | | str
| | user | userIdentity_userName |
|
...
...
| srcIp | sourceIPAddress | | Code Block |
|---|
ip4(sourceIPAddress) |
| ip4
| | srcHost |
|
...
source_hostname
...
...
...
...
source_user
...
requestParameters_userName
...
...
...
...
...
...
...
...
...
...
...
...
...
auditField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
timestamp
...
source
...
-
...
"aws-cloudtrail-signin"
...
str
...
action
...
eventName
serviceEventDetails_UserAuthentication
responseElements_ConsoleLogin
responseElements_ExternalIdPDirectoryLogin
...
| Code Block |
|---|
decode(eventName, "ConsoleLogin", decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin), "ExternalIdPDirectoryLogin", decode(responseElements_ExternalIdPDirectoryLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ExternalIdPDirectoryLogin), "UserAuthentication", decode(serviceEventDetails_UserAuthentication, "Success", 'LOGIN', "Failure", 'FAILED', serviceEventDetails_UserAuthentication)) |
...
str
...
machine
...
-
...
| | timestamp
| | source | - | | Code Block |
|---|
"azure-sql-audit" |
| str
| | action | action_id | | Code Block |
|---|
(action_id = "DBAF") ? 'FAILED' : 'LOGIN' |
| str
| | machine | hostname | | str
| | app | application_name | | str
| | domain | - | | str
| | user | - | | str
| | srcIp | client_ip | | ip4
| | srcHost | host_name | | str
| | srcUser | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| cloud.gsuite.reports.login |
|---|
| cloud.gsuite.reports.login |
|---|
|
cloud.gsuite.reports.loginField in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
"gsuite-reports-login" |
| str
| | action | - | | str
|
|
...
application
...
-
machine | hostname | | str
| | app | id_applicationName | | str
|
|
...
...
...
...
...
...
...
...
...
...
...
source_hostname
...
eventSource
...
str
...
| | srcHost | - | | str
| | srcUser | actor_profileId | | str
| | result | - | | str
| | message | rawMessage |
|
...
...
...
...
...
...
...
...
...
application
...
properties_appDisplayName
...
...
str
...
user_domain
...
-
...
null('')
...
str
...
user
...
identity
...
...
str
...
source_ip
...
callerIpAddress
...
ip4(callerIpAddress)
...
ip4
...
source_hostname
...
-
...
null('')
...
str
...
source_user
...
managementField in union table | Field in source table | Field transformation |
|---|
|
...
Data type
...
Extra fields
...
eventdate
...
eventdate
...
...
timestamp
...
source
...
-
...
"azure-ad"
...
str
...
action
...
resultType
...
(resultType = 0) ? 'LOGIN' : 'FAILED'
...
str
...
machine
...
hostchain
...
split(hostchain, "=", 0)
...
str
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
"office365-management" |
| str
| | action | ResultStatus Operation | | Code Block |
|---|
(Operation = "UserLoggedIn" and ResultStatus = "Success") ? 'LOGIN' : 'FAILED' |
| str
| | machine | hostname | | str
| | app | - | |
|
...
str
...
result
...
resultType
...
...
...
rawMessage
...
...
hostchain
...
...
machine
...
hostname
...
...
str
...
application
...
application_name
...
...
str
...
user_domain
...
-
...
null('')
...
str
...
user
...
-
...
null('')
...
str
...
source_ip
...
client_ip
...
...
ip4
...
source_hostname
...
host_name
...
...
str
...
source_user
...
-
...
null('')
...
str
...
result
...
-
...
null('')
...
str
...
message
...
rawMessage
...
...
str
...
hostchain
...
hostchain
...
...
tag
...
...
str
...
✓
[ cloud.azure.sql.audit ] [ cloud.gsuite.reports.login ] [ cloud.office365.management ] [ crm.salesforceobjects.loginhistory ]
...
Field in union table
...
Field in source table
...
Field transformation
...
Data type
...
Extra fields
...
eventdate
...
eventdate
...
...
timestamp
...
source
...
-
...
"azure-sql-audit"
...
str
...
action
...
action_id
...
(action_id = "DBAF") ? 'FAILED' : 'LOGIN'
...
str
| Code Block |
|---|
ip4(ActorIpAddress) |
| ip4
| | srcHost | - | | str
| | srcUser | - | | str
| | result | ResultStatus Operation LogonError | | Code Block |
|---|
'{' + '"Operation": ' + (isnull(Operation) ? 'null' : '"' + str(Operation) + '"') + ', ' + '"LogonError": ' + (isnull(LogonError) ? 'null' : '"' + str(LogonError) + '"') + ', ' + '"ResultStatus": ' + (isnull(ResultStatus) ? 'null' : '"' + str(ResultStatus) + '"') + '}' |
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag |
|
...
...
...
...
...
...
...
crm.salesforceobjects.loginhistoryField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
crm.salesforceobjects.loginhistory" |
| str
| | action | Status |
|
...
...
(Status = "Success") ? 'LOGIN' : 'FAILED' |
| str
| | machine | hostname |
|
...
...
...
...
...
...
id_customerId
...
...
...
...
...
...
...
...
null('')
...
str
...
source_user
...
actor_profileId
...
...
| srcUser | - | | str
| | result | Status | | str
| | message | rawMessage |
|
...
...
...
...
...
...
...
...
...
...
...
...
eventsField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
...
...
source_hostname
...
-
...
null('')
...
str
...
source_user
...
-
eventID = 18456) ? 'FAILED' : 'LOGIN' |
| str
| | machine |
|
...
hostname
...
...
str
...
application
...
-
...
null('')
...
str
...
user_domain
...
-
...
null('')
...
str
...
user
...
UserId
...
...
str
...
source_ip
...
ActorIpAddress
...
ip4(ActorIpAddress)
...
ip4
...
LogonError
ResultStatus
...
...
...
...
str
...
message
...
rawMessage
...
| str
| | user | user | | str
| | srcIp | - | | ip4
| | srcHost | - | | str
| | srcUser | - | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain |
|
...
...
...
...
...
...
...
...
...
...
...
audit_trailField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
| Code Block |
|---|
"oracle-audit_trail" |
| str
| | action |
|
...
-
...
| CALCULATED_ACTION CALCULATED_STATUS | | Code Block |
|---|
(CALCULATED_ACTION = "LOGIN") ? ((CALCULATED_STATUS = "SUCCESS") ? "LOGIN" : "FAILED") : "LOGOUT" |
| str
| | machine |
|
...
hostname
...
...
Application
...
source_hostname
...
...
...
str
...
source_user
...
...
UserId
...
...
str
...
source_ip
...
SourceIp
...
...
ip4
CLIENT_USER CURRENT_USER USERID | | Code Block |
|---|
isnotnull(CLIENT_USER) ? CLIENT_USER : isnotnull(CURRENT_USER) ? CURRENT_USER : USERID |
| str
| | srcIp | - | | ip4
| | srcHost | USERHOST | | str
| | srcUser | - | | str
| | result |
|
...
...
...
...
...
...
...
| Anchor |
|---|
| ddi.infoblox.audit |
|---|
| ddi.infoblox.audit |
|---|
|
|
...
ddi.infoblox.auditField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
eventID
...
| Code Block |
|---|
(action = "Login_Allowed") ? 'LOGIN' : (action = "Logout") ? 'LOGOUT' : 'FAILED' |
| str
| | machine |
|
...
hostname2
...
...
...
...
...
...
...
...
...
...
...
-
...
null('')
...
...
message
rawMessage | | str
| | hostchain | hostchain |
|
...
...
...
...
...
| auth | | firewall.all.vpn.auth |
|---|
|
firewall.all.vpn.authField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
|
...
...
...
status
action | | Code Block |
|---|
ifthenelse(action = " |
|
|
...
Succeeded", 'LOGIN', 'FAILED') |
| str
| | machine |
|
...
...
...
...
...
-
...
...
...
...
...
...
...
source_user
...
user
...
str
...
action | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
...
...
...
...
...
...
...
...
...
systemField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
...
...
"login" and status = "success") ? 'LOGIN' : (action = " |
|
|
...
logout") ? 'LOGOUT' : 'FAILED' |
| str
| | machine |
|
...
hostname
...
application
...
...
...
...
...
...
...
...
source_hostname
...
-
...
...
str
...
source_user
...
-
...
| ip4
| | srcHost | devName | | str
| | srcUser | user | | str
| | result |
|
...
...
...
...
...
tag
...
tag
...
...
str
...
✓
...
...
...
...
...
...
srx.system Field in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
...
...
...
...
UI_LOGIN_EVENT") ? 'LOGIN' : ( |
|
|
...
...
UI_LOGOUT_EVENT") ? 'LOGOUT' : 'FAILED' |
| str
| | machine | machine |
|
...
...
...
application
...
...
...
...
srcIp
...
...
...
...
...
...
...
source_user
...
...
status
...
...
rawMessage
message | | str
| | hostchain | hostchain |
|
...
...
| Anchor |
|---|
| firewall.paloalto.system |
|---|
| firewall.paloalto.system |
|---|
|
firewall.paloalto.globalprotectField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
| timestamp
| | source | - | | Code Block |
|---|
"paloalto-globalprotect" |
| str
| | action | status stage |
|
...
| Code Block |
|---|
(stage = "login") ? ((status = "success") ? 'LOGIN' : 'FAILED') : (stage = "logout") ? ((status = "success") ? 'LOGOUT' : 'FAILED') : 'FAILED' |
| str
| | machine | machine |
|
...
...
...
...
...
...
| srcUser | - | | str
| | result | description | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| firewall.paloalto.system |
|---|
| firewall.paloalto.system |
|---|
|
firewall.paloalto.systemField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate |
|
...
...
...
eventId
| Code Block |
|---|
(stage = "login") ? ((status = "success") ? 'LOGIN' : 'FAILED') : (stage = "logout") ? ((status = "success") ? 'LOGOUT' : 'FAILED') : 'FAILED' |
| str
| | machine | machine |
|
...
...
...
...
...
...
...
...
| srcUser | - | | str
| | result | description | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
...
...
...
...
...
...
...
...
...
...
...
...
logsField in union table | Field in source table | Field transformation |
|---|
|
...
...
...
...
helpdesk.zendesk.audit.logs" |
| str
| | action |
|
...
log_type
...
action_label | | Code Block |
|---|
(action_label = " |
|
|
...
...
...
machine
...
...
...
...
...
...
...
...
...
...
source_hostname
...
hostname
...
...
str
...
...
...
| result | change_description | | str
| | message |
|
...
rawMessage | | str
| | hostchain | hostchain |
|
...
...
...
str
...
✓
...
[ network.cisco.switch ][ network.citrix.adc.sslvpn ] [ siem.logtrust.web.connection ] [ vpn.aws.client ] [ vpn.cisco.asa.anyconnect ] | Anchor |
|---|
| network.citrix.adc.sslvpn |
|---|
| network.citrix.adc.sslvpn |
|---|
|
network.cisco.switchField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | |
|
...
...
...
message -> "pam_aaa:Authentication success") ? 'LOGIN' |
|
|
...
...
...
-
...
...
-
...
...
...
...
source_ip
...
...
...
...
...
...
message
...
...
result
...
change_description
...
str
message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag |
|
...
str
...
✓
...
| Anchor |
|---|
| network.citrix.adc.sslvpn |
|---|
| network.citrix.adc.sslvpn |
|---|
|
network.citrix.adc.sslvpnField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
"citrix-adc-sslvpn" |
| str
| | action | subtype | | Code Block |
|---|
(subtype = "LOGIN") ? 'LOGIN' : (subtype = "LOGOUT") ? 'LOGOUT' : 'FAILED' |
| str
| | machine | machine | | str
|
|
...
...
...
...
...
| srcUser | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| siem.logtrust.web.connection |
|---|
| siem.logtrust.web.connection |
|---|
|
siem.logtrust.web.connectionField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | action | | Code Block |
|---|
(action in {'login', 'api_login', 'changedomain', 'ghost_login'}) ? 'LOGIN' : (action in {'logout', 'api_logout'}) ? 'LOGOUT' : 'FAILED' |
| str
| | machine | hostchain | | Code Block |
|---|
split(hostchain, "=", 0) |
| str
|
|
...
...
| domain | inputDomain | | str
| | user | inputUser | | str
|
|
...
...
...
...
| str
| | message | message action | | Code Block |
|---|
'ACTION: ' + action + ' MSG: ' + message |
| str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| vpn.aws.client |
|---|
| vpn.aws.client |
|---|
|
vpn.aws.clientField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
"aws-vpn-client" |
| str
| | action | connection_log_type connection_attempt_status | | Code Block |
|---|
(connection_log_type in {'connection-reset'} ? 'LOGOUT' : (connection_attempt_status in {'successful'} ? "LOGIN" : "FAILED")) |
| str
| | machine | hostname | | str
|
|
...
...
| domain | - | | str
| | user | username | | str
|
|
...
...
...
| srcUser | - | | str
| | result | connection_attempt_status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| Anchor |
|---|
| vpn.cisco.asa.anyconnect |
|---|
| vpn.cisco.asa.anyconnect |
|---|
|
vpn.cisco.asa.anyconnectField in union table | Field in source table | Field transformation |
|---|
|
...
Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | source | - | | Code Block |
|---|
"cisco-asa-anyconnect" |
| str
| | action | EventID | | Code Block |
|---|
(EventID = 722022) ? 'LOGIN' : ((EventID = 722023) ? 'LOGOUT' : null('')) |
| str
| | machine | host | | str
|
|
...
...
...
...
...
| srcUser | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
