Introduction
This union table collects authentication events (logins, logouts, failures and lockouts) generated by a variety of platforms and normalizes them into one common set of columns, so that a single query can cover on-premises directories, cloud identity providers, MFA services, databases, firewalls and VPN concentrators at once.
Source tables
The information displayed is extracted from the following tables:
adn.f5.bigip.apm
adn.f5.bigip.audit
app.lastpass.events
auth.cisco.ise
auth.duo.administrator.login
auth.duo.authentication.events
auth.jumpcloud.ldap.events
auth.jumpcloud.mdm.events
auth.jumpcloud.radius.events
auth.jumpcloud.software.events
auth.jumpcloud.sso.events
all.events
auth.okta.events
auth.okta.system
auth.onelogin.events
auth.ping.federate.audit
auth.ping.federate.security_audit
auth.ping.id.mfa
auth.rsa.secureid.runtime
auth.securenvoy
auth.thycotic.secretserver
auth.unix
box.all.win
box.devo_ea.events_windows
box.devo_ua.events_windows
box.unix
box.unix_cloudwatch
box.vmware.esx
box.win
box.winNxlog
box.win_classic
box.win_cloudwatch
box.win_hf
box.win_kinesis
box.win_nxlog
box.win_quest.change_auditor.leef
box.win_snare
box.win_solarwinds
box.win_winlogbeat
cef0.microsoft.microsoftWindows
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.signin
cloud.azure.ad.signin
cloud.azure.sql.audit
cloud.azure.vm.applicationevent
cloud.azure.vm.securityevent
cloud.azure.vm.systemevent
cloud.azure.vm.unix
cloud.gsuite.reports.login
cloud.office365.management
cloud.office365.management_all
cloud.office365.oldmanagement
crm.salesforceobjects.loginhistory
db.mssql.events
db.oracle.audit_trail
ddi.infoblox.audit
firewall.all.vpn.auth
firewall.cisco.asa
firewall.fortinet.event.system
firewall.juniper.srx.system
firewall.paloalto.globalprotect
firewall.paloalto.system
helpdesk.zendesk.audit.logs
network.cisco.switch
network.citrix.adc.sslvpn
siem.logtrust.web.connection
vpn.aws.client
vpn.cisco.asa.anyconnect
Table structure
This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Note
Extra fields: fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field | Data type | Extra fields
---|---|---
eventdate | timestamp |
source | str |
action | str |
machine | str |
application | str |
domain | str |
user | str |
source_ip | ip4 |
source_hostname | str |
source_user | str |
result | str |
message | str |
hostchain | str | ✓
tag | str | ✓

The action column is the normalized outcome of the event. Where a source supports it, the value is one of LOGIN, LOGOUT, FAILED or LOCKED; some sources also emit N/A, pass the vendor's own event name through unchanged, or leave the column empty, so a filter such as action = "FAILED" does not cover every source table. The result column keeps the vendor's own status or outcome value, and message keeps the raw event text.
Field transformations
Even though all source tables have several features in common, each has particularities that require a set of transformations to harmonize it with the union table. The most common transformations are changes of data type and rules that combine several source columns into a single union column, typically to map a vendor-specific event code or status string onto the normalized action values LOGIN, LOGOUT, FAILED and LOCKED. The detailed list of transformations for each source table follows. In these tables a source field of "-" means the union column is not populated from that table, a quoted literal in the transformation column (for example "okta-system") means the column takes that constant value, and "…" marks a cell whose content is not reproduced on this page.

Two properties of these rules matter when querying the union table. First, several rules end in a catch-all branch (… : 'FAILED', or … : 'LOGIN' for the database tables), so an event the rule does not recognise is assigned that value; check the source field the rule reads (eventId, eventTypeId, name, action_id) before treating FAILED or LOGIN counts from such a table as authentication outcomes. Second, LOCKED is produced only by the Windows rules; lockouts reported by other sources are mapped elsewhere (Duo's locked_out reason becomes LOGOUT, Okta's app.ad.login.locked_account becomes FAILED) or passed through unchanged, and a few tables (all.events, cef0.microsoft.microsoftWindows, auth.securenvoy) do not normalize action at all.
adn.f5.bigip.apm

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | | str |
action | eventType, category | (eventType = "Login") ? ((category = "allow") ? "LOGIN" : "FAILED") : (eventType = "Logout") ? 'LOGOUT' : 'N/A' | str |
machine | hostName | | str |
application | - | | str |
domain | domain | | str |
user | userName | | str |
source_ip | clientIp | | ip4 |
source_hostname | - | | str |
source_user | … | | str |
result | eventType, category | (eventType = "Login") ? ((category = "allow") ? "allow" : "deny") : 'N/A' | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
adn.f5.bigip.audit

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | status | (status = "Login Success") ? 'LOGIN' : (status = "Logout Success") ? 'LOGOUT' : (status = "Login Failure") ? 'FAILED' : 'N/A' | str |
machine | hostName | | str |
application | loginTty | | str |
domain | … | | str |
user | user | | str |
source_ip | loginHostIp | | ip4 |
source_hostname | - | | str |
source_user | … | | str |
result | status | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
app.lastpass.events

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | Action | (Action = "Failed login attempt") ? "FAILED" : "LOGIN" | str |
machine | - | | str |
application | … | | str |
domain | … | | str |
user | … | | str |
source_ip | IP_Address | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | - | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
auth.cisco.ise

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | … | (… in {'…Passed-Authentication'}) ? 'LOGIN' : (… in {'…Failed-Attempt'}) ? 'FAILED' : … | str |
machine | … | | str |
application | … | | str |
domain | … | | str |
user | … | | str |
source_ip | … | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | … | | str |
message | … | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
auth.duo.administrator.login

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | action | … : (action in {'admin_login_error', 'admin_2fa_error'}) ? 'FAILED' : action | str |
machine | host | | str |
application | - | | str |
domain | - | | str |
user | username, email | ifthenelse(isnotnull(username) and not isempty(username), username, email) | str |
source_ip | ip_address | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | … | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
auth.duo.authentication.events

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "duo-authentication-events" | str |
action | reason | decode(reason, 'user_approved', 'LOGIN', 'valid_passcode', 'LOGIN', 'allowed_by_policy', 'LOGIN', 'bypass_user', 'LOGIN', 'locked_out', 'LOGOUT', 'invalid_passcode', 'FAILED', 'no_response', 'FAILED', 'user_cancelled', 'FAILED', 'user_disabled', 'FAILED', 'user_mistake', 'FAILED', 'call_timed_out', 'FAILED', 'no_keys_pressed', 'FAILED', 'user_marked_fraud', 'FAILED', reason) | str |
machine | host | | str |
application | application_name | | str |
domain | - | | str |
user | user_name | | str |
source_ip | access_device_ip | | ip4 |
source_hostname | access_device_hostname2 | | str |
source_user | - | | str |
result | result | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

Note that the rule maps the locked_out reason to LOGOUT rather than LOCKED, and that a reason value not in the list is passed through unchanged, so a filter on action = "FAILED" or action = "LOCKED" misses Duo lockouts. The result column keeps Duo's own outcome value for this source.
all.events

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | event_type | | str |
machine | system__hostname | | str |
application | application__name, process_name | …(process_name, application__name) | str |
domain | - | | str |
user | username, resource__username | nvl(resource__username, username) | str |
source_ip | client_ipv4 | | ip4 |
source_hostname | - | | str |
source_user | initiated_by__username | | str |
result | success | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
auth.okta.events

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | | str |
action | action_message | (action_message = 'Sign-in successful') ? 'LOGIN' : action_message | str |
machine | - | | str |
application | targets_id_str | | str |
domain | - | | str |
user | actors_login_str | | str |
source_ip | actors_ip_address_str | ip4(actors_ip_address_str) | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | … | | str |
message | … | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

Only the 'Sign-in successful' message is normalized for this table; every other action_message, including failed sign-ins, is passed through as the raw Okta text, so failed Okta sign-ins from this source do not appear as FAILED.
auth.okta.system

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "okta-system" | str |
action | legacyEventType | (legacyEventType in {'app.ad.login.success', 'app.ad.agent.user_auth', 'core.user_auth.idp.saml.login_success', 'iwa.auth', 'core.user.factor.attempt_success', 'core.user_auth.radius.login.succeeded', 'app.auth.sso', 'core.user_auth.login_success', 'core.user_auth.idp.social.login_success'}) ? 'LOGIN' : (legacyEventType in {'app.ad.login.expired_password', 'app.ad.login.unknown_failure', 'app.ad.login.locked_account', 'app.ad.login.bad_password', 'app.ad.agent.user_auth.error', 'core.user_auth.idp.saml.saml_validation_failed', 'core.user_auth.idp.saml.response_received_in_response_to_no_matching_key', 'core.user_auth.idp.invalid_user_status', 'iwa.invalid_token', 'core.user.factor.attempt_fail', 'core.user_auth.radius.login.failed', 'core.user_auth.login_failed', 'app.rich_client.login_failure'}) ? 'FAILED' : legacyEventType | str |
machine | - | | str |
application | target_alternateId_str | | str |
domain | - | | str |
user | actor_alternateId | | str |
source_ip | client_ipAddress | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | outcome_result | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

auth.onelogin.events

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | eventTypeId | (eventTypeId = 5 or eventTypeId = 8) ? 'LOGIN' : ((eventTypeId = 7 or eventTypeId = 29) ? 'LOGOUT' : 'FAILED') | str |
machine | hostname | | str |
application | appName | | str |
domain | - | | str |
user | userName | | str |
source_ip | ipaddr | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | riskReasons | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

auth.ping.federate.audit

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "ping" | str |
action | event | (event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event | str |
machine | pfhost | | str |
application | app | | str |
domain | - | | str |
user | subject | | str |
source_ip | ip | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | status | | str |
message | message | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

auth.ping.federate.security_audit

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | event | (event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event | str |
machine | host | | str |
application | app | | str |
domain | … | | str |
user | … | | str |
source_ip | … | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | … | | str |
message | … | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

auth.ping.id.mfa

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | result__status | (result__status = "SUCCESS") ? 'LOGIN' : 'FAILED' | str |
machine | … | | str |
application | … | | str |
domain | … | | str |
user | actors__name_str | | str |
source_ip | - | | ip4 |
source_hostname | … | | str |
source_user | … | | str |
result | result__message | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

auth.rsa.secureid.runtime

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | … | … | str |
machine | machine | | str |
application | category | | str |
domain | user_security_domain_id | | str |
user | user_login_name | | str |
source_ip | client_ip | | ip4 |
source_hostname | hostname | | str |
source_user | user_identity_source_id | | str |
result | result | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
auth.securenvoy

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | | str |
action | - | | str |
machine | hostchain | | str |
application | - | | str |
domain | - | | str |
user | client | | str |
source_ip | - | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | - | | str |
message | message | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

Events from this table carry neither a normalized action nor a result, so they only appear in queries that filter on user or message.
auth.thycotic.secretserver

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "thycotic-secretserver" | str |
action | name | (name in {"USER - LOGOUT"}) ? "LOGOUT" : (name in {"USER - LOGIN"}) ? "LOGIN" : "FAILED" | str |
machine | hostchain | split(hostchain, "=", 0) | str |
application | - | | str |
domain | - | | str |
user | suser | | str |
source_ip | src | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | - | | str |
message | msg | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
auth.unix

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | source | | str |
action | action | | str |
machine | machine | | str |
application | app | | str |
domain | - | | str |
user | user | | str |
source_ip | srcIp | | ip4 |
source_hostname | srcHost | | str |
source_user | srcUser | | str |
result | - | | str |
message | message | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
box.all.win

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | source | | str |
action | status, eventId | (eventId = 512 or eventId = 4624 or eventId = 4648 or eventId = 4770 or eventId = 303) ? 'LOGIN' : (eventId = 4634) ? 'LOGOUT' : (eventId = 516 or eventId = 1210) ? 'LOCKED' : (eventId = 4768 or eventId = 4769 or eventId = 4772 or eventId = 4773) ? ((status = "0x0") ? 'LOGIN' : (status = "0x12") ? 'LOCKED' : 'FAILED') : (eventId = 4776 or eventId = 4777) ? ((status = "0x0") ? 'LOGIN' : (status = "0xC0000234") ? 'LOCKED' : 'FAILED') : 'FAILED' | str |
machine | machineIp | | str |
application | sourceName | | str |
domain | domain | | str |
user | account | | str |
source_ip | srcIp | | ip4 |
source_hostname | srcHost | | str |
source_user | subjectUsername | | str |
result | status | | str |
message | message | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

For the Kerberos (4768, 4769, 4772, 4773) and NTLM (4776, 4777) events the outcome is read from the status code, compared as a string; any event ID the rule does not list is classified as FAILED.
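The rule above is easiest to reason about as executable code. The following Python re-implements the box.all.win action rule and the union-table field mapping exactly as documented, runs it over a few constructed Windows Security events, and then applies the kind of check a detection engineer runs once every source shares one schema: counting FAILED and LOCKED rows per user and source address. This is an added example, not Devo code; the source field names follow the table above, while the sample events, the `_COMMON` defaults and the threshold are constructed for the example.

```python
"""Added example (not Devo code): the box.all.win -> auth.all.events mapping
documented above, re-implemented in Python and run over constructed events."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Event IDs and status codes exactly as the union-table rule lists them.
LOGIN_IDS = {512, 4624, 4648, 4770, 303}
LOGOUT_IDS = {4634}
LOCKED_IDS = {516, 1210}
KERBEROS_IDS = {4768, 4769, 4772, 4773}   # then dispatch on the Kerberos result code
NTLM_IDS = {4776, 4777}                   # then dispatch on the NTLM error code


def classify_action(event_id: int, status: Optional[str]) -> str:
    """LOGIN / LOGOUT / LOCKED / FAILED with the same precedence as the rule.

    Status is compared as a string, exactly as the rule does ("0x0", "0x12",
    "0xC0000234"); any event the rule does not list falls through to FAILED.
    """
    if event_id in LOGIN_IDS:
        return "LOGIN"
    if event_id in LOGOUT_IDS:
        return "LOGOUT"
    if event_id in LOCKED_IDS:
        return "LOCKED"
    if event_id in KERBEROS_IDS:
        if status == "0x0":
            return "LOGIN"
        return "LOCKED" if status == "0x12" else "FAILED"
    if event_id in NTLM_IDS:
        if status == "0x0":
            return "LOGIN"
        return "LOCKED" if status == "0xC0000234" else "FAILED"
    return "FAILED"


def to_union_row(ev: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """Map one box.all.win record onto the union columns (hostchain and tag omitted)."""
    return {
        "eventdate": ev["eventdate"],
        "source": ev.get("source"),
        "action": classify_action(int(ev["eventId"]), ev.get("status")),
        "machine": ev.get("machineIp"),
        "application": ev.get("sourceName"),
        "domain": ev.get("domain"),
        "user": ev.get("account"),
        "source_ip": ev.get("srcIp"),
        "source_hostname": ev.get("srcHost"),
        "source_user": ev.get("subjectUsername"),
        "result": ev.get("status"),
        "message": ev.get("message"),
    }


def noisy_sources(rows: List[Dict[str, Optional[str]]], threshold: int) -> Dict[Tuple, int]:
    """(user, source_ip) pairs with at least `threshold` FAILED or LOCKED rows."""
    counts = Counter(
        (r["user"], r["source_ip"]) for r in rows if r["action"] in ("FAILED", "LOCKED")
    )
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample events (not real log data); only the fields the mapping reads.
_COMMON = {"source": "win", "machineIp": "10.0.0.5",
           "sourceName": "Microsoft-Windows-Security-Auditing", "domain": "CORP",
           "subjectUsername": "-", "message": "constructed sample event"}
SAMPLE_EVENTS = [
    dict(_COMMON, eventdate="2024-01-01 09:00:00", eventId="4624", status=None,
         account="alice", srcIp="10.0.1.10", srcHost="WS01"),
    dict(_COMMON, eventdate="2024-01-01 09:01:00", eventId="4776", status="0xC000006A",
         account="bob", srcIp="10.0.9.9", srcHost="UNKNOWN"),
    dict(_COMMON, eventdate="2024-01-01 09:01:05", eventId="4776", status="0xC0000234",
         account="bob", srcIp="10.0.9.9", srcHost="UNKNOWN"),
    dict(_COMMON, eventdate="2024-01-01 09:02:00", eventId="4768", status="0x18",
         account="carol", srcIp="10.0.1.11", srcHost="WS02"),
    dict(_COMMON, eventdate="2024-01-01 09:03:00", eventId="4768", status="0x0",
         account="dave", srcIp="10.0.1.12", srcHost="WS03"),
    dict(_COMMON, eventdate="2024-01-01 17:00:00", eventId="4634", status=None,
         account="alice", srcIp="10.0.1.10", srcHost="WS01"),
]


def normalize_samples() -> List[Dict[str, Optional[str]]]:
    """Run the mapping over the constructed events and return union-schema rows."""
    return [to_union_row(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    rows = normalize_samples()
    for r in rows:
        print(r["eventdate"], r["action"], r["user"], r["source_ip"])
    print(noisy_sources(rows, 2))
```

Because `classify_action` mirrors the rule's catch-all, an event such as 4771 (not listed by the rule) is reported as FAILED whatever its status; when a count of FAILED rows from this source looks high, confirm the eventId distribution in box.all.win before treating it as a credential-guessing signal.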
cef0.microsoft.microsoftWindows

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "microsoft-microsoft_windows" | str |
action | name | | str |
machine | shost | | str |
application | deviceProcessName | | str |
domain | - | | str |
user | duser | | str |
source_ip | src | | ip4 |
source_hostname | shost | | str |
source_user | suser | | str |
result | reason | | str |
message | msg | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
cloud.aws.cloudtrail.events

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "aws-cloudtrail-events" | str |
action | responseElements_ConsoleLogin | decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin) | str |
machine | - | | str |
application | - | | str |
domain | - | | str |
user | userIdentity_userName | | str |
source_ip | sourceIPAddress | ip4(sourceIPAddress) | ip4 |
source_hostname | requestParameters_host_str | | str |
source_user | requestParameters_userName | | str |
result | responseElements_ConsoleLogin | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
cloud.aws.cloudtrail.signin

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "aws-cloudtrail-signin" | str |
action | eventName, serviceEventDetails_UserAuthentication, responseElements_ConsoleLogin, responseElements_ExternalIdPDirectoryLogin | decode(eventName, "ConsoleLogin", decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin), "ExternalIdPDirectoryLogin", decode(responseElements_ExternalIdPDirectoryLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ExternalIdPDirectoryLogin), "UserAuthentication", decode(serviceEventDetails_UserAuthentication, "Success", 'LOGIN', "Failure", 'FAILED', serviceEventDetails_UserAuthentication)) | str |
machine | - | | str |
application | - | | str |
domain | userIdentity_accountId | | str |
user | userIdentity_userName | | str |
source_ip | sourceIPAddress | ip4(sourceIPAddress) | ip4 |
source_hostname | eventSource | | str |
source_user | - | | str |
result | - | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

The outer decode has no default branch, so a record whose eventName is none of ConsoleLogin, ExternalIdPDirectoryLogin or UserAuthentication gets a null action rather than FAILED. The domain column carries the AWS account ID, and source_hostname carries eventSource (the AWS service endpoint that recorded the event), not the caller's host.

cloud.azure.ad.signin

The field mapping for this source table is not reproduced on this page.
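The nested decode above dispatches first on eventName and then on the response field that carries the outcome for that event type. The following Python reproduces that rule over constructed CloudTrail records; it is an added example and not Devo code. CloudTrail delivers sourceIPAddress as a string that is not always an IPv4 address (service principals appear as names such as "AWS Internal"), so the ip4() conversion is mirrored by a guard that yields null rather than a broken row. That guard, the nested field names (CloudTrail's own JSON shape, which Devo flattens with underscores as responseElements_ConsoleLogin and so on) and the sample records are assumptions of the example.

```python
"""Added example (not Devo code): the cloud.aws.cloudtrail.signin action rule
from the table above, applied to constructed CloudTrail records."""
import ipaddress
import json
from typing import Any, Dict, List, Optional

# For each sign-in eventName, the response field that carries the outcome
# (CloudTrail's nested names; Devo flattens them as responseElements_ConsoleLogin etc.).
OUTCOME_FIELD = {
    "ConsoleLogin": ("responseElements", "ConsoleLogin"),
    "ExternalIdPDirectoryLogin": ("responseElements", "ExternalIdPDirectoryLogin"),
    "UserAuthentication": ("serviceEventDetails", "UserAuthentication"),
}


def _get(record: Any, *path: str) -> Any:
    """Walk a nested dict; None if any step of the path is missing."""
    for key in path:
        if not isinstance(record, dict) or key not in record:
            return None
        record = record[key]
    return record


def decode_action(record: Dict[str, Any]) -> Optional[str]:
    """Mirror the nested decode(): Success -> LOGIN, Failure -> FAILED, any other
    outcome string passes through, and an eventName the outer decode does not
    list yields null (None) because that decode has no default branch."""
    path = OUTCOME_FIELD.get(record.get("eventName"))
    if path is None:
        return None
    outcome = _get(record, *path)
    return {"Success": "LOGIN", "Failure": "FAILED"}.get(outcome, outcome)


def ip4_or_null(value: Optional[str]) -> Optional[str]:
    """Mirror ip4(sourceIPAddress). CloudTrail also puts service names such as
    "AWS Internal" in this field, so anything that is not a dotted quad becomes
    null instead of breaking the row (assumption of this example)."""
    try:
        return str(ipaddress.IPv4Address(value))
    except (ValueError, TypeError):
        return None


def to_union_row(record: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Map one CloudTrail record onto the union columns (hostchain and tag omitted)."""
    return {
        "eventdate": record.get("eventTime"),
        "source": "aws-cloudtrail-signin",
        "action": decode_action(record),
        "machine": None,
        "application": None,
        "domain": _get(record, "userIdentity", "accountId"),
        "user": _get(record, "userIdentity", "userName"),
        "source_ip": ip4_or_null(record.get("sourceIPAddress")),
        "source_hostname": record.get("eventSource"),   # AWS endpoint, not a client host
        "source_user": None,
        "result": None,
        "message": json.dumps(record, separators=(",", ":")),
    }


# Constructed CloudTrail records (not captured data); only the fields the mapping reads.
SAMPLE_RECORDS: List[str] = [json.dumps(r) for r in (
    {"eventTime": "2024-01-01T09:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accountId": "123456789012", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T09:01:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accountId": "123456789012", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T09:02:00Z", "eventName": "ExternalIdPDirectoryLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"accountId": "123456789012", "userName": "carol"},
     "responseElements": {"ExternalIdPDirectoryLogin": "Success"}},
    {"eventTime": "2024-01-01T09:03:00Z", "eventName": "UserAuthentication",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "AWS Internal",
     "userIdentity": {"accountId": "123456789012", "userName": "dave"},
     "serviceEventDetails": {"UserAuthentication": "Failure"}},
    {"eventTime": "2024-01-01T09:04:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"accountId": "123456789012", "userName": "erin"}},
)]


def normalize_samples() -> List[Dict[str, Optional[str]]]:
    """Parse each constructed record and map it onto the union schema."""
    return [to_union_row(json.loads(line)) for line in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in normalize_samples():
        print(row["eventdate"], row["action"], row["user"], row["source_ip"])
```

The last sample shows why the outer decode matters in practice: a non-sign-in API call that reaches this table is not misreported as FAILED but left with a null action, so a query such as where action = "FAILED" counts only genuine sign-in failures from this source.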
cloud.azure.sql.audit

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "azure-sql-audit" | str |
action | action_id | (action_id = "DBAF") ? 'FAILED' : 'LOGIN' | str |
machine | hostname | | str |
application | application_name | | str |
domain | - | | str |
user | - | | str |
source_ip | client_ip | | ip4 |
source_hostname | host_name | | str |
source_user | - | | str |
result | - | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
cloud.gsuite.reports.login

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "gsuite-reports-login" | str |
action | name | … | str |
machine | hostname | | str |
application | … | | str |
domain | id_customerId | | str |
user | actor_email | | str |
source_ip | ipAddress | ip4(ipAddress) | ip4 |
source_hostname | - | | str |
source_user | actor_profileId | | str |
result | - | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
cloud.office365.management

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "office365-management" | str |
action | Operation, ResultStatus | (Operation = "UserLoggedIn" and ResultStatus = "Success") ? 'LOGIN' : 'FAILED' | str |
machine | hostname | | str |
application | - | | str |
domain | - | | str |
user | UserId | | str |
source_ip | ActorIpAddress | ip4(ActorIpAddress) | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | ResultStatus, Operation, LogonError | '{' + '"Operation": ' + (isnull(Operation) ? 'null' : '"' + str(Operation) + '"') + ', ' + '"LogonError": ' + (isnull(LogonError) ? 'null' : '"' + str(LogonError) + '"') + ', ' + '"ResultStatus": ' + (isnull(ResultStatus) ? 'null' : '"' + str(ResultStatus) + '"') + '}' | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓

For this source the result column is a JSON-formatted string with three keys, Operation, LogonError and ResultStatus; the failure reason for a FAILED row is the LogonError value inside it. Any operation other than a successful UserLoggedIn is classified as FAILED, so restrict on Operation in the source table when you need only sign-in failures.
crm.salesforce.objects.loginhistory

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "crm.salesforceobjects.loginhistory" | str |
action | Status | (Status = "Success") ? 'LOGIN' : 'FAILED' | str |
machine | … | | str |
application | … | | str |
domain | … | | str |
user | … | | str |
source_ip | … | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | Status | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
db.mssql.events

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | … | str |
action | eventID | (eventID = 18456) ? 'FAILED' : 'LOGIN' | str |
machine | hostname2 | | str |
application | - | | str |
domain | … | | str |
user | … | | str |
source_ip | … | | ip4 |
source_hostname | … | | str |
source_user | … | | str |
result | … | | str |
message | … | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
db.oracle.audit_trail

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "oracle-audit_trail" | str |
action | CALCULATED_ACTION, CALCULATED_STATUS | (CALCULATED_ACTION = "LOGIN") ? ((CALCULATED_STATUS = "SUCCESS") ? "LOGIN" : "FAILED") : "LOGOUT" | str |
machine | USERHOST | | str |
application | - | | str |
domain | - | | str |
user | CLIENT_USER, CURRENT_USER, USERID | isnotnull(CLIENT_USER) ? CLIENT_USER : isnotnull(CURRENT_USER) ? CURRENT_USER : USERID | str |
source_ip | - | | ip4 |
source_hostname | USERHOST | | str |
source_user | - | | str |
result | CALCULATED_STATUS | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
ddi.infoblox.audit

Field in union table | Field in source table | Field transformation | Type | Extra fields
---|---|---|---|---
eventdate | eventdate | | timestamp |
source | - | "ddi-infoblox-audit" | str |
action | action | (action = "Login_Allowed") ? 'LOGIN' : (action = "Logout") ? 'LOGOUT' : 'FAILED' | str |
machine | hostname | | str |
application | - | | str |
domain | - | | str |
user | admin_user | | str |
source_ip | srcIp | | ip4 |
source_hostname | - | | str |
source_user | - | | str |
result | message | | str |
message | rawMessage | | str |
hostchain | hostchain | | str | ✓
tag | tag | | str | ✓
|
firewall.all.vpn.auth (only the rows below are recoverable from this extract)

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | | |
| source | - | `"firewall-all-vpn-auth"` | str | |
| tag | tag | | str | ✓ |
firewall.cisco.asa (the machine and source_user rows are not recoverable from this extract)

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"firewall-cisco-asa"` | str | |
| action | eventId | `(eventId in {int8(113004), int8(113012), int8(611101), int8(716038)}) ? 'LOGIN' : (eventId in {int8(113005), int8(113014), int8(113015), int8(402120), int8(611102), int8(716039), int8(722003), int8(751005), int8(751011)}) ? 'FAILED' : null('')` | str | |
| application | appName | | str | |
| domain | - | | str | |
| user | user, eventId, usrName | `(eventId in {int8(113004), int8(113005), int8(113012), int8(113014), int8(113015), int8(402120), int8(611101), int8(611102), int8(751005), int8(751011)}) ? user : (eventId in {int8(716038), int8(716039)}) ? usrName : null('')` | str | |
| source_ip | srcIp, userIP | `isnotnull(srcIp) ? srcIp : userIP` | ip4 | |
| source_hostname | local_host | | | |
| result | reason, eventId, errorMessage | `decode(eventId, int8(113005), reason, int8(113015), reason, int8(402120), errorMessage, null(''))` | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |

Unlabelled fragment rows interleaved with the table above (the source table they belong to is not named in this extract):

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| machine | hostname2 | | str | |
| application | - | `null('')` | str | |
| user_domain | - | `null('')` | str | |
| user | user | | str | |
| source_ip | - | `ip4('')` | ip4 | |
| source_hostname | - | `null('')` | str | |
| source_user | - | `null('')` | str | |
| result | - | | | |
| action | eventID | `(eventID = 18456) ? 'FAILED' : 'LOGIN'` | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | | ✓ |

A second unlabelled fragment (source table not named in this extract):

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| message | message | | str | |
| machine | machine | | str | |
| application | method | | str | |
| user_domain | - | | | |
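The firewall.cisco.asa mapping re-expressed in Python, as an added example that is not code from this page or from the vendor: the eventId sets and the `decode()` table are copied from the table above, the sample records are constructed input, and the function names `normalize_cisco_asa` and `unmapped_event_ids` are chosen here. It makes visible what the `null('')` fall-through means for detection queries that filter on `action`.

```python
# Constants copied from the firewall.cisco.asa mapping on this page.
LOGIN_IDS = {113004, 113012, 611101, 716038}
FAILED_IDS = {113005, 113014, 113015, 402120, 611102, 716039, 722003, 751005, 751011}
USER_IDS = {113004, 113005, 113012, 113014, 113015, 402120, 611101, 611102, 751005, 751011}
USRNAME_IDS = {716038, 716039}
# decode(eventId, 113005, reason, 113015, reason, 402120, errorMessage, null(''))
RESULT_FIELD = {113005: "reason", 113015: "reason", 402120: "errorMessage"}


def normalize_cisco_asa(rec: dict) -> dict:
    """Map one firewall.cisco.asa record onto the union-table columns.

    Keeps the page's null('') fall-through: an eventId in neither set yields
    action=None, so a query that filters on action never sees that event.
    """
    eid = rec.get("eventId")
    action = "LOGIN" if eid in LOGIN_IDS else "FAILED" if eid in FAILED_IDS else None
    # user comes from `user` or `usrName` depending on the message family
    user = rec.get("user") if eid in USER_IDS else rec.get("usrName") if eid in USRNAME_IDS else None
    # isnotnull(srcIp) ? srcIp : userIP
    source_ip = rec["srcIp"] if rec.get("srcIp") is not None else rec.get("userIP")
    result_field = RESULT_FIELD.get(eid)
    return {
        "source": "firewall-cisco-asa",
        "action": action,
        "application": rec.get("appName"),
        "user": user,
        "source_ip": source_ip,
        "source_hostname": rec.get("local_host"),
        "result": rec.get(result_field) if result_field else None,
    }


# Constructed sample records (not captured logs).
SAMPLES = [
    {"eventId": 113005, "user": "alice", "srcIp": "10.0.0.5", "reason": "Invalid password"},
    {"eventId": 716039, "usrName": "bob", "userIP": "10.0.0.9"},
    {"eventId": 113008, "user": "carol", "srcIp": "10.0.0.7"},  # eventId in neither set
]


def unmapped_event_ids(records) -> list:
    """eventIds that receive no action and so vanish from action-based queries."""
    return [r["eventId"] for r in records if normalize_cisco_asa(r)["action"] is None]
```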
firewall.fortinet.event.system (rows not shown are not recoverable from this extract)

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"fortinet-event-system"` | str | |
| action | status, action | `(action = "login" and status = "success") ? 'LOGIN' : (action = "logout") ? 'LOGOUT' : 'FAILED'` | str | |
| result | message, status | | str | |
| message | rawMessage | | | |
firewall.juniper.srx.system (partial; the field compared in the action expression is cut from this extract, as are the rows referencing devName and status)

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | | |
| action | | `(… = "UI_LOGIN_EVENT") ? 'LOGIN' : (… = "UI_LOGOUT_EVENT") ? 'LOGOUT' : 'FAILED'` | str | |
| machine | machine | | | |
firewall.paloalto.globalprotect (the application row is not recoverable from this extract)

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"paloalto-globalprotect"` | str | |
| action | status, stage | `(stage = "login") ? ((status = "success") ? 'LOGIN' : 'FAILED') : (stage = "logout") ? ((status = "success") ? 'LOGOUT' : 'FAILED') : 'FAILED'` | str | |
| machine | machine | | | |
| domain | - | | str | |
| user | srcuser | | str | |
| source_ip | public_ip | | ip4 | |
| source_hostname | - | | str | |
| source_user | - | | str | |
| result | description | | str | |
| message | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
firewall.paloalto.system

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"paloalto-system"` | str | |
| action | eventId | `(eventId in {"globalprotectportal-auth-succ", "panorama-auth-success", "auth-success"}) ? 'LOGIN' : 'FAILED'` | str | |
| machine | machine | | str | |
| application | application | | | |
| domain | - | | str | |
| user | user_name | | str | |
| source_ip | client_ip | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_hostname | - | | str | |
| source_user | - | | str | |
| result | description | | str | |
| message | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
helpdesk.zendesk.audit.logs (only the rows below are recoverable from this extract)

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| source | - | `"helpdesk.zendesk.audit.logs"` | str | |
| user | username | | | |
| source_hostname | hostname | | str | |
| result | change_description | | str | |
| message | rawMessage | | str | |
| hostchain | hostchain | | | |
| tag | tag | | str | ✓ |
network.cisco.switch (rows not shown, and the tail of the action expression, are not recoverable from this extract)

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | | |
| action | message | `(message -> "pam_aaa:Authentication success") ? 'LOGIN' : …` | | |
| machine | machine | | str | |
| application | process | | str | |
| source_hostname | hostname | | str | |
| result | change_description | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
network.citrix.adc.sslvpn

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"citrix-adc-sslvpn"` | str | |
| action | subtype | `(subtype = "LOGIN") ? 'LOGIN' : (subtype = "LOGOUT") ? 'LOGOUT' : 'FAILED'` | str | |
| machine | machine | | str | |
| application | - | | str | |
| domain | - | | str | |
| user | user | | str | |
| source_ip | sourceIp | | ip4 | |
| source_hostname | vserverIp | | str | |
| source_user | - | | str | |
| result | - | | str | |
| message | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
siem.logtrust.web.connection

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| action | action | `(action in {'login', 'api_login', 'changedomain', 'ghost_login'}) ? 'LOGIN' : (action in {'logout', 'api_logout'}) ? 'LOGOUT' : 'FAILED'` | str | |
| machine | hostchain | `split(hostchain, "=", 0)` | str | |
| application | serverHost | | str | |
| domain | inputDomain | | str | |
| user | inputUser | | str | |
| source_ip | source_hostname | | ip4 | |
| source_hostname | srcHost | | str | |
| source_user | - | | str | |
| result | - | | str | |
| message | message, action | `'ACTION: ' + action + ' MSG: ' + message` | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
vpn.aws.client

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"aws-vpn-client"` | str | |
| action | connection_log_type, connection_attempt_status | `(connection_log_type in {'connection-reset'} ? 'LOGOUT' : (connection_attempt_status in {'successful'} ? "LOGIN" : "FAILED"))` | str | |
| machine | hostname | | str | |
| application | - | | str | |
| domain | - | | str | |
| user | username | | str | |
| source_ip | client_ip | | ip4 | |
| source_hostname | - | | str | |
| source_user | - | | str | |
| result | connection_attempt_status | | str | |
| message | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
vpn.cisco.asa.anyconnect

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"cisco-asa-anyconnect"` | str | |
| action | EventID | `(EventID = 722022) ? 'LOGIN' : ((EventID = 722023) ? 'LOGOUT' : null(''))` | str | |
| machine | host | | str | |
| application | - | | str | |
| domain | - | | str | |
| user | User | | str | |
| source_ip | srcIP | | ip4 | |
| source_hostname | - | | str | |
| source_user | - | | str | |
| result | - | | str | |
| message | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |