...
In this table, you can find the complete record of the activity registered in the platform concerning users and their activity inside the platform, as well as roles, credentials, and preferences. It can primarily be used for audition processes but is also applicable to any other operational process requiring a comprehensive record of this activity.
Field | Data type | Description |
|---|---|---|
eventdate |
| Date in which the event was registered in Devo. → 2024-02-14 13:41:31.210 |
hostname |
| Name of the internal component in charge of executing the action. → webapp-2 |
action_date |
| Moment in time when the action occurs, expressed in milliseconds since the Unix epoch. → 1681917780246 |
type |
| Event classification. → AUDIT vs. OPERATIONAL |
domain |
| Domain where the user behind the action was logged in, extracted from the authentication token. → demo, analytics, etc. |
username |
| Email address of the user behind the action, extracted from the authentication token. → user@devo.com |
user_role |
| Role or roles assigned to the user behind the action. → administrator, writer, viewer, etc. |
server_hostname |
| IP address or name of the machine in charge of executing the action. → 25.42.123.789 |
url |
| Url of the action executed. → https://us.devo.com/#/home |
service |
| Name of the service or application where the action was executed. → api, secops, lookups, alerts, users, roles, authentication, Exchange, etc. |
section |
| When applicable, name of the specific part inside the service where the action was executed. → overview, preferences, threats, discover, etc. |
subsection |
| When applicable, name of the specific part inside the section where the action was executed. → general, user activity, threats detected, alert, etc. |
object_name |
| Name of the specific object affected by the action. This is the name assigned to the object when created, which may vary if edited. → Dangerous IPs, Alert pack: Firewall, etc. |
object_id |
| Unique ID of the specific object affected by the action, which is automatically assigned when created and is normally invariable. → 238, map_12345, etc. |
action |
| Description of the action executed. → open.app, preferences.update, authentication.token.seen, roles.uptade, get catalog, etc. |
is_user_action |
| This field indicates whether the action is performed by a user or if it is automatically generated by a system action. → true vs. false |
status |
| This field indicates whtther the action was successfully executed or not. When the action fails, the reason will be included in the exception field. → success vs. failure |
http_status |
| Http status code that your application is returning after performing the action. → 200, 404, etc. |
headers |
| Name of the http headers, without their values, that are sent with executed http action. → content type, authorization, etc. |
metadata |
| Relevant information to give context about the action, such as including the previous and new values when there is a change in the content of an object. → {"from":"Alert coverage"} |
user_ip4 |
| IP of the user performing the action. → 25.42.123.789 |
user_ip6 |
| IP of the user performing the action. → 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
response_time |
| Duration of the action in milliseconds. → 458 |
exception |
| Trace of the exception generated when the action failed, which is indicated in the status field. → cannot load custom alert |
authentication |
| Authentication type used to log in. → password, SAML, openID, token, API_keys, etc. |
authentication_hash |
| Hash of the authentication token, normally using Scrypt algorithms. → 9fb8020742d78f3fd3a291f110dc1405ad7402fc5e30a582f5123d2744h247f4 |
instance |
| Name of the environment where the action was executed. → hostname1 |
correlation_id |
| Unique ID that identifies the action registered, as well as all the calls and applications involved in the interaction. → c4e6d7b6-4cfa-4f3d-bdaa-791d26f822e1 |