...
Field | Data type | Description |
---|---|---|
eventdate | | Date on which the event was registered in Devo. → 2024-02-14 13:41:31.210 |
hostname | | Name of the internal component in charge of executing the action. → webapp-2 |
action_date | | Moment in time when the action occurs, expressed in milliseconds since the Unix epoch. → 1681917780246 |
type | | Event classification. → AUDIT vs. OPERATIONAL |
domain | | Domain where the user behind the action was logged in, extracted from the authentication token. → demo, analytics, etc. |
username | | Email address of the user behind the action, extracted from the authentication token. → user@devo.com |
user_role | | Role or roles assigned to the user behind the action. → administrator, writer, viewer, etc. |
server_hostname | | IP address or name of the machine in charge of executing the action. → 25.42.123.789 |
url | | URL of the action executed. → https://us.devo.com/#/home |
service | | Name of the service or application where the action was executed. → api, secops, lookups, alerts, users, roles, authentication, etc. |
section | | When applicable, name of the specific part inside the service where the action was executed. → overview, preferences, threats, etc. |
subsection | | When applicable, name of the specific part inside the section where the action was executed. → general, user activity, threats detected, etc. |
object_name | | Name of the specific object affected by the action. This is the name assigned to the object when created, which may vary if edited. → Dangerous IPs |
object_id | | Unique ID of the specific object affected by the action, which is automatically assigned when created and is normally invariable. → map_12345 |
action | | Description of the action executed. → open.app, preferences.update, authentication.token.seen, roles.uptade, etc. |
is_user_action | | Indicates whether the action was performed by a user or generated automatically by a system action. → true vs. false |
status | | Indicates whether the action was successfully executed or not. When the action fails, the reason is included in the exception field. → success vs. failure |
http_status | | HTTP status code that your application returns after performing the action. → 200, 404, etc. |
headers | | Names of the HTTP headers, without their values, that are sent with the executed HTTP action. → content type, authorization, etc. |
metadata | | Relevant information to give context about the action, such as the previous and new values when there is a change in the content of an object. → {"idfrom":3451,"first_name":"John","last_name":"Doe","email":"john.doe@devo.com"Alert coverage"} |
user_ip4 | | IPv4 address of the user performing the action. → 25.42.123.789 |
user_ip6 | | IPv6 address of the user performing the action. → 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
response_time | | Duration of the action in milliseconds. → 458 |
exception | | Trace of the exception generated when the action failed, which is indicated in the status field. → cannot load custom alert |
authentication | | Authentication type used to log in. → password, SAML, openID, token, API_keys, etc. |
authentication_hash | | Hash of the authentication token, normally using Scrypt algorithms. → 9fb8020742d78f3fd3a291f110dc1405ad7402fc5e30a582f5123d2744h247f4 |
instance | | Name of the environment where the action was executed. → hostname1 |
correlation_id | | Unique ID that identifies the action registered, as well as all the calls and applications involved in the interaction. → c4e6d7b6-4cfa-4f3d-bdaa-791d26f822e1 |
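
A triage check built on these fields, as an added example that is not part of the original page or Devo's own code: it flags users with a burst of failed, user-initiated actions inside a time window. It assumes events have been exported as dicts keyed by the field names above, with `is_user_action` as a boolean or the strings `true`/`false`; the sample events, window and threshold are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = 1681917780246  # action_date example from the table (ms since the Unix epoch)

def _ev(offset_ms, username, is_user_action, status, ip, cid):
    """Build one constructed event keyed by the field names in the table."""
    return {"action_date": T0 + offset_ms, "username": username, "status": status,
            "is_user_action": is_user_action, "user_ip4": ip, "correlation_id": cid}

# Constructed sample data, not real Devo output.
SAMPLE_EVENTS = [
    _ev(0, "user@devo.com", "true", "failure", "198.51.100.7", "c-1"),
    _ev(20_000, "user@devo.com", "true", "failure", "198.51.100.7", "c-2"),
    _ev(30_000, "user@devo.com", "true", "success", "198.51.100.7", "c-3"),
    _ev(45_000, "user@devo.com", "true", "failure", "203.0.113.9", "c-4"),
    _ev(5_000, "analyst@example.com", "true", "failure", "192.0.2.10", "c-5"),
    _ev(1_000, "svc@example.com", "false", "failure", "192.0.2.20", "c-6"),
    _ev(2_000, "svc@example.com", "false", "failure", "192.0.2.20", "c-7"),
    _ev(3_000, "svc@example.com", "false", "failure", "192.0.2.20", "c-8"),
]

def as_bool(value):
    """Accept a real boolean or the 'true'/'false' strings shown in the table."""
    return value is True or str(value).lower() == "true"

def failure_bursts(events, window_ms=60_000, threshold=3):
    """Return one finding per user with >= threshold failed user actions in window_ms."""
    per_user = defaultdict(list)
    for ev in events:
        # Successful actions and system-generated actions are out of scope here.
        if as_bool(ev.get("is_user_action")) and ev.get("status") == "failure":
            per_user[ev["username"]].append(ev)
    findings = []
    for user, evs in sorted(per_user.items()):
        evs.sort(key=lambda e: int(e["action_date"]))
        start = 0
        for end in range(len(evs)):
            # Advance the left edge until the window spans at most window_ms.
            while int(evs[end]["action_date"]) - int(evs[start]["action_date"]) > window_ms:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                secs, ms = divmod(int(burst[0]["action_date"]), 1000)  # exact ms handling
                first = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)
                ips = {ip for e in burst for ip in (e.get("user_ip4"), e.get("user_ip6")) if ip}
                findings.append({"username": user, "failures": len(burst),
                                 "first_seen": first.isoformat(timespec="milliseconds"),
                                 "source_ips": sorted(ips),
                                 "correlation_ids": [e["correlation_id"] for e in burst]})
                break  # first burst per user is enough for triage
    return findings
```

The returned `correlation_ids` let an analyst pull every call involved in each failed action, and more than one entry in `source_ips` for a single burst is worth a closer look.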