| adn.f5.bigip.apm |
---|
| adn.f5.bigip.apm |
---|
| adn.f5.bigip.apm |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | eventType category | Code Block |
---|
(eventType = "Login") ? ((category = "allow") ? "LOGIN" : "FAILED") : (eventType = "Logout") ? 'LOGOUT' : 'N/A' |
| str
| | machine | hostName | | str
| | appapplication | - | | str
| | domain | domain | | str
| | user | userName | | str srcIp
| | source_ip | clientIp | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | eventType category | Code Block |
---|
(eventType = "Login") ? ((category = "allow") ? "allow" : "deny") : 'N/A' |
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| adn.f5.bigip.audit |
---|
| adn.f5.bigip.audit |
---|
| adn.f5.bigip.audit |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | status | Code Block |
---|
(status = "Login Success") ? 'LOGIN' : (status = "Logout Success") ? 'LOGOUT' : (status = "Login Failure") ? 'FAILED' : 'N/A' |
| str
| | machine | hostName | | str
| | appapplication | loginTty | | str
| | domain | - | | str
| | user | user | | str srcIp
| | source_ip | loginHostIp | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.lastpass.events |
---|
| auth.lastpass.events |
---|
| app.lastpass.events |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | Action | Code Block |
---|
(Action = "Failed login attempt") ? "FAILED" : "LOGIN" |
| str
| | machine | - | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | Username | | str srcIp
| | source_ip | IP_Address | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.cisco.ise |
---|
| auth.cisco.ise |
---|
| auth.cisco.ise |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | typeCode | Code Block |
---|
(typeCode in {'Passed-Authentication'}) ? 'LOGIN' : (typeCode in {'Failed-Attempt'}) ? 'FAILED' : typeCode |
| str
| | machine | host | | str
| | appapplication | DstIp | | str
| | domain | - | | str
| | user | UserName | | str srcIp
| | source_ip | FramedIPAddress | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.duo.administrator.login |
---|
| auth.duo.administrator.login |
---|
| auth.duo.administrator.login |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"duo-administrator-login" |
| str
| | action | action | Code Block |
---|
(action in {'admin_login'}) ? 'LOGIN' : (action in {'admin_login_error', 'admin_2fa_error'}) ? 'FAILED' : action |
| str
| | machine | host | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | username email | Code Block |
---|
ifthenelse(isnotnull(username) and not isempty(username), username, email) |
| str srcIp
| | source_ip | ip_address | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | error | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.duo.authentication.events |
---|
| auth.duo.authentication.events |
---|
| auth.duo.authentication.events |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"duo-authentication-events" |
| str
| | action | reason | Code Block |
---|
decode(reason, 'user_approved', 'LOGIN', 'valid_passcode', 'LOGIN', 'allowed_by_policy', 'LOGIN', 'bypass_user', 'LOGIN', 'locked_out', 'LOGOUT', 'invalid_passcode', 'FAILED', 'no_response', 'FAILED', 'user_cancelled', 'FAILED', 'user_disabled', 'FAILED', 'user_mistake', 'FAILED', 'call_timed_out', 'FAILED', 'no_keys_pressed', 'FAILED', 'user_marked_fraud', 'FAILED', reason) |
| str
| | machine | host | | str
| | appapplication | application_name | | str
| | domain | - | | str
| | user | user_name | | str srcIp
| | source_ip | access_device_ip | | ip4 srcHost
| | source_hostname | access_device_hostname2 | | str srcUser
| | source_user | - | | str
| | result | result | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.jumpcloud.all.events |
---|
| auth.jumpcloud.all.events |
---|
| auth.jumpcloud.all.events |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | source | | str
| | action | event_type | | str
| | machine | system__hostname | | str
| | appapplication | application__name process_name | Code Block |
---|
nvl(process_name, application__name) |
| str
| | domain | - | | str
| | user | username resource__username | Code Block |
---|
nvl(resource__username, username) |
| str srcIp
| | source_ip | client_ipv4 | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | initiated_by__username | | str
| | result | success | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.okta.events |
---|
| auth.okta.events |
---|
| auth.okta.events |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | action_message | Code Block |
---|
(action_message = 'Sign-in successful') ? 'LOGIN' : action_message |
| str
| | machine | - | | str
| | appapplication | targets_id_str | | str
| | domain | - | | str
| | user | actors_login_str | | str srcIp
| | source_ip | actors_ip_address_str | Code Block |
---|
ip4(actors_ip_address_str) |
| ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.okta.system |
---|
| auth.okta.system |
---|
| auth.okta.system |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | legacyEventType | Code Block |
---|
(legacyEventType in {'app.ad.login.success', 'app.ad.agent.user_auth', 'core.user_auth.idp.saml.login_success', 'iwa.auth', 'core.user.factor.attempt_success', 'core.user_auth.radius.login.succeeded', 'app.auth.sso', 'core.user_auth.login_success', 'core.user_auth.idp.social.login_success'}) ? 'LOGIN' : (legacyEventType in {'app.ad.login.expired_password', 'app.ad.login.unknown_failure', 'app.ad.login.locked_account', 'app.ad.login.bad_password', 'app.ad.agent.user_auth.error', 'core.user_auth.idp.saml.saml_validation_failed', 'core.user_auth.idp.saml.response_received_in_response_to_no_matching_key', 'core.user_auth.idp.invalid_user_status', 'iwa.invalid_token', 'core.user.factor.attempt_fail', 'core.user_auth.radius.login.failed', 'core.user_auth.login_failed', 'app.rich_client.login_failure'}) ? 'FAILED' : legacyEventType |
| str
| | machine | - | | str
| | appapplication | target_alternateId_str | | str
| | domain | - | | str
| | user | actor_alternateId | | str srcIp
| | source_ip | client_ipAddress | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | outcome_result | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.onelogin.events |
---|
| auth.onelogin.events |
---|
| auth.onelogin.events |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"onelogin-events" |
| str
| | action | eventTypeId | Code Block |
---|
(eventTypeId = 5 or eventTypeId = 8) ? 'LOGIN' : ((eventTypeId = 7 or eventTypeId = 29) ? 'LOGOUT' : 'FAILED') |
| str
| | machine | hostname | | str
| | appapplication | appName | | str
| | domain | - | | str
| | user | userName | | str srcIp
| | source_ip | ipaddr | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | riskReasons | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.ping.federate.audit |
---|
| auth.ping.federate.audit |
---|
| auth.ping.federate.audit |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | event | Code Block |
---|
(event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event |
| str
| | machine | pfhost | | str
| | appapplication | app | | str
| | domain | - | | str
| | user | subject | | str srcIp
| | source_ip | ip | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | status | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.ping.federate.security_audit |
---|
| auth.ping.federate.security_audit |
---|
| auth.ping.federate.security_audit |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | event | Code Block |
---|
(event in {'SSO'}) ? 'LOGIN' : (event in {'SLO'}) ? 'LOGOUT' : event |
| str
| | machine | host | | str
| | appapplication | app | | str
| | domain | - | | str
| | user | subject | | str srcIp
| | source_ip | ip | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.ping.id.mfa |
---|
| auth.ping.id.mfa |
---|
| auth.ping.id.mfa |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | result__status | Code Block |
---|
(result__status = "SUCCESS") ? 'LOGIN' : 'FAILED' |
| str
| | machine | hostname | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | actors__name_str | | str srcIp
| | source_ip | - | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | result__message | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.rsa.secureid.runtime |
---|
| auth.rsa.secureid.runtime |
---|
| auth.rsa.secureid.runtime |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | result | Code Block |
---|
(result = 'SUCCESS') ? 'LOGIN' : 'FAILED' |
| str
| | machine | machine | | str
| | appapplication | category | | str
| | domain | user_security_domain_id | | str
| | user | user_login_name | | str srcIp
| | source_ip | client_ip | | ip4 srcHost
| | source_hostname | hostname | | str srcUser
| | source_user | user_identity_source_id | | str
| | result | result | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.securenvoy |
---|
| auth.securenvoy |
---|
| auth.securenvoy |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | - | | str
| | machine | hostchain | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | client | | str srcIp
| | source_ip | - | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| auth.thycotic.secretserver |
---|
| auth.thycotic.secretserver |
---|
| auth.thycotic.secretserver |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"thycotic-secretserver" |
| str
| | action | name | Code Block |
---|
(name in {"USER - LOGOUT"}) ? "LOGOUT" : (name in {"USER - LOGIN"}) ? "LOGIN" : "FAILED" |
| str
| | machine | hostchain | Code Block |
---|
split(hostchain, "=", 0) |
| str
| | appapplication | - | | str
| | domain | - | | str
| | user | suser | | str srcIp
| | source_ip | src | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | msg | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
auth.unix |
Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | source | | str
| | action | action | | str
| | machine | machine | | str
| | appapplication | app | | str
| | domain | - | | str
| | user | user | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | srcHost | | str srcUser
| | source_user | srcUser | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
box.all.win |
Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | source | | str
| | action | status eventId | Code Block |
---|
(eventId = 512 or eventId = 4624 or eventId = 4648 or eventId = 4770 or eventId = 303) ? 'LOGIN' : (eventId = 4634) ? 'LOGOUT' : (eventId = 516 or eventId = 1210) ? 'LOCKED' : (eventId = 4768 or eventId = 4769 or eventId = 4772 or eventId = 4773) ? ((status = "0x0") ? 'LOGIN' : (status = "0x12") ? 'LOCKED' : 'FAILED') : (eventId = 4776 or eventId = 4777) ? ((status = "0x0") ? 'LOGIN' : (status = "0xC0000234") ? 'LOCKED' : 'FAILED') : 'FAILED' |
| str
| | machine | machineIp | | str
| | appapplication | sourceName | | str
| | domain | domain | | str
| | user | account | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | srcHost | | str srcUser
| | source_user | subjectUsername | | str
| | result | status | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| cef0.microsoft.microsoftWindows |
---|
| cef0.microsoft.microsoftWindows |
---|
| cef0.microsoft.microsoftWindows |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"microsoft-microsoft_windows" |
| str
| | action | name | | str
| | machine | shost | | str
| | appapplication | deviceProcessName | | str
| | domain | - | | str
| | user | duser | | str srcIp
| | source_ip | src | | ip4 srcHost
| | source_hostname | shost | | str srcUser
| | source_user | suser | | str
| | result | reason | | str
| | message | msg | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| cloud.aws.cloudtrail.events |
---|
| cloud.aws.cloudtrail.events |
---|
| cloud.aws.cloudtrail.events |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"aws-cloudtrail-events" |
| str
| | action | responseElements_ConsoleLogin | Code Block |
---|
decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin) |
| str
| | machine | - | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | userIdentity_userName | | str srcIp
| | source_ip | sourceIPAddress | Code Block |
---|
ip4(sourceIPAddress) |
| ip4 srcHost
| | source_hostname | requestParameters_host_str | | str srcUser
| | source_user | requestParameters_userName | | str
| | result | responseElements_ConsoleLogin | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| cloud.aws.cloudtrail.signin |
---|
| cloud.aws.cloudtrail.signin |
---|
| cloud.aws.cloudtrail.signin |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"aws-cloudtrail-events" |
| str
| | action | responseElements_ConsoleLogin | Code Block |
---|
decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin) |
| str
| | machine | - | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | userIdentity_userName | | str srcIp
| | source_ip | sourceIPAddress | Code Block |
---|
ip4(sourceIPAddress) |
| ip4 srcHost
| | source_hostname | requestParameters_host_str | | str srcUser
| | source_user | requestParameters_userName | | str
| | result | responseElements_ConsoleLogin | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| cloud.azure.ad.signin |
---|
| cloud.azure.ad.signin |
---|
| cloud.azure.ad.signin |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"aws-cloudtrail-signin" |
| str
| | action | serviceEventDetails_UserAuthentication eventName responseElements_ConsoleLogin responseElements_ExternalIdPDirectoryLogin | Code Block |
---|
decode(eventName, "ConsoleLogin", decode(responseElements_ConsoleLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ConsoleLogin), "ExternalIdPDirectoryLogin", decode(responseElements_ExternalIdPDirectoryLogin, "Success", 'LOGIN', "Failure", 'FAILED', responseElements_ExternalIdPDirectoryLogin), "UserAuthentication", decode(serviceEventDetails_UserAuthentication, "Success", 'LOGIN', "Failure", 'FAILED', serviceEventDetails_UserAuthentication)) |
| str
| | machine | - | | str
| | appapplication | - | | str
| | domain | userIdentity_accountId | | str
| | user | userIdentity_userName | | str srcIp
| | source_ip | sourceIPAddress | Code Block |
---|
ip4(sourceIPAddress) |
| ip4 srcHost
| | source_hostname | eventSource | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| cloud.azure.sql.audit |
---|
| cloud.azure.sql.audit |
---|
| cloud.azure.sql.audit |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"azure-sql-audit" |
| str
| | action | action_id | Code Block |
---|
(action_id = "DBAF") ? 'FAILED' : 'LOGIN' |
| str
| | machine | hostname | | str
| | appapplication | application_name | | str
| | domain | - | | str
| | user | - | | str srcIp
| | source_ip | client_ip | | ip4 srcHost
| | source_hostname | host_name | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| cloud.gsuite.reports.login |
---|
| cloud.gsuite.reports.login |
---|
| cloud.gsuite.reports.login |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"gsuite-reports-login" |
| str
| | action | - | | str
| | machine | hostname | | str
| | appapplication | id_applicationName | | str
| | domain | id_customerId | | str
| | user | actor_email | | str srcIp
| | source_ip | ipAddress | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | actor_profileId | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| cloud.office365.management |
---|
| cloud.office365.management |
---|
| cloud.office365.management |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"office365-management" |
| str
| | action | ResultStatus Operation | Code Block |
---|
(Operation = "UserLoggedIn" and ResultStatus = "Success") ? 'LOGIN' : 'FAILED' |
| str
| | machine | hostname | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | UserId | | str srcIp
| | source_ip | ActorIpAddress | Code Block |
---|
ip4(ActorIpAddress) |
| ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | ResultStatus Operation LogonError | Code Block |
---|
'{' + '"Operation": ' + (isnull(Operation) ? 'null' : '"' + str(Operation) + '"') + ', ' + '"LogonError": ' + (isnull(LogonError) ? 'null' : '"' + str(LogonError) + '"') + ', ' + '"ResultStatus": ' + (isnull(ResultStatus) ? 'null' : '"' + str(ResultStatus) + '"') + '}' |
| str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| crm.salesforceobjects.loginhistory |
---|
| crm.salesforceobjects.loginhistory |
---|
| crm.salesforceobjects.loginhistory |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"crm.salesforceobjects.loginhistory" |
| str
| | action | Status | Code Block |
---|
(Status = "Success") ? 'LOGIN' : 'FAILED' |
| str
| | machine | hostname | | str
| | appapplication | Application | | str
| | domain | - | | str
| | user | UserId | | str srcIp
| | source_ip | SourceIp | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | Status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| db.mssql.events |
---|
| db.mssql.events |
---|
| db.mssql.events |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | eventID | Code Block |
---|
(eventID = 18456) ? 'FAILED' : 'LOGIN' |
| str
| | machine | hostname2 | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | user | | str srcIp
| | source_ip | - | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| db.oracle.audit_trail |
---|
| db.oracle.audit_trail |
---|
| db.oracle.audit_trail |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"oracle-audit_trail" |
| str
| | action | CALCULATED_ACTION CALCULATED_STATUS | Code Block |
---|
(CALCULATED_ACTION = "LOGIN") ? ((CALCULATED_STATUS = "SUCCESS") ? "LOGIN" : "FAILED") : "LOGOUT" |
| str
| | machine | USERHOST | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | CLIENT_USER CURRENT_USER USERID | Code Block |
---|
isnotnull(CLIENT_USER) ? CLIENT_USER : isnotnull(CURRENT_USER) ? CURRENT_USER : USERID |
| str srcIp
| | source_ip | - | | ip4 srcHost
| | source_hostname | USERHOST | | str srcUser
| | source_user | - | | str
| | result | CALCULATED_STATUS | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| ddi.infoblox.audit |
---|
| ddi.infoblox.audit |
---|
| ddi.infoblox.audit |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"ddi-infoblox-audit" |
| str
| | action | action | Code Block |
---|
(action = "Login_Allowed") ? 'LOGIN' : (action = "Logout") ? 'LOGOUT' : 'FAILED' |
| str
| | machine | hostname | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | admin_user | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | message | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| firewall.all.vpn.auth |
---|
| firewall.all.vpn.auth |
---|
| firewall.all.vpn.auth |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"firewall-all-vpn-auth" |
| str
| | action | action | Code Block |
---|
ifthenelse(action = "Succeeded", 'LOGIN', 'FAILED') |
| str
| | machine | - | | str
| | appapplication | type | | str
| | domain | fwcluster | | str
| | user | user | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | action | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| firewall.cisco.asa |
---|
| firewall.cisco.asa |
---|
| firewall.cisco.asa |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"firewall-cisco-asa" |
| str
| | action | eventId | Code Block |
---|
(eventId in {int8(113004), int8(113012), int8(611101), int8(716038)}) ? 'LOGIN' : (eventId in {int8(113005), int8(113014), int8(113015), int8(402120), int8(611102), int8(716039), int8(722003), int8(751005), int8(751011)}) ? 'FAILED' : null('') |
| str
| | machine | machine | | str
| | appapplication | appName | | str
| | domain | - | | str
| | user | user eventId usrName | Code Block |
---|
(eventId in {int8(113004), int8(113005), int8(113012), int8(113014), int8(113015), int8(402120), int8(611101), int8(611102), int8(751005), int8(751011)}) ? user : (eventId in {int8(716038), int8(716039)}) ? usrName : null('') |
| str srcIp
| | source_ip | userIP srcIp | Code Block |
---|
isnotnull(srcIp) ? srcIp : userIP |
| ip4 srcHost
| | source_hostname | local_host | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | reason eventId errorMessage | Code Block |
---|
decode(eventId, int8(113005), reason, int8(113015), reason, int8(402120), errorMessage, null('')) |
| str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| firewall.fortinet.event.system |
---|
| firewall.fortinet.event.system |
---|
| firewall.fortinet.event.system |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"fortinet-event-system" |
| str
| | action | status action | Code Block |
---|
(action = "login" and status = "success") ? 'LOGIN' : (action = "logout") ? 'LOGOUT' : 'FAILED' |
| str
| | machine | machine | | str
| | appapplication | method | | str
| | domain | - | | str
| | user | user | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | devName | | str srcUser
| | source_user | user | | str
| | result | status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| firewall.juniper.srx.system |
---|
| firewall.juniper.srx.system |
---|
| firewall.juniper.srx.system |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"juniper-srx-system" |
| str
| | action | log_type | Code Block |
---|
(log_type = "UI_LOGIN_EVENT") ? 'LOGIN' : (log_type = "UI_LOGOUT_EVENT") ? 'LOGOUT' : 'FAILED' |
| str
| | machine | machine | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | username | | str srcIp
| | source_ip | client_ip | | ip4 srcHost
| | source_hostname | hostname | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| firewall.paloalto.system |
---|
| firewall.paloalto.system |
---|
| firewall.paloalto.globalprotect |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"paloalto-globalprotect" |
| str
| | action | status stage | Code Block |
---|
(stage = "login") ? ((status = "success") ? 'LOGIN' : 'FAILED') : (stage = "logout") ? ((status = "success") ? 'LOGOUT' : 'FAILED') : 'FAILED' |
| str
| | machine | machine | | str
| | appapplication | subType | | str
| | domain | - | | str
| | user | srcuser | | str srcIp
| | source_ip | public_ip | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | description | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| firewall.paloalto.system |
---|
| firewall.paloalto.system |
---|
| firewall.paloalto.system |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | globalprotectstatusstage (stage=login") ? ((status = "success") ? 'LOGIN' : 'FAILED') : (stage = "logout") ? ((status = "success") ? 'LOGOUT' : 'FAILED')globalprotectportal-auth-succ", "panorama-auth-success", "auth-success"} ? 'LOGIN' : 'FAILED' |
| str
| | machine | machine | | str
| appsubTypesrcusersrcIppublicip4
| srcHost | -null(''srcUser | - | Code Block | null('') | | source_ipv4 | source_ipv4 | | ip4
| | source_hostname | source_hostname | | str
| | source_username | source_username | | str
| | result | description | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| helpdesk.zendesk.audit.logs |
---|
| helpdesk.zendesk.audit.logs |
---|
| helpdesk.zendesk.audit.logs |
| Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"helpdesk.zendesk.audit.logs" |
| str
| | action | action_label | Code Block |
---|
(action_label = "Signed in") ? 'LOGIN' : 'FAILED' |
| str
| | machine | - | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | source_label | | str srcIp
| | source_ip | ip_address | Code Block |
---|
ip4(ip_address) |
| ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | change_description | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
---|
| network.cisco.switch |
---|
| network.cisco.switch |
---|
| network.cisco.switch | Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"network-cisco-switch" |
| str
| | action | message | Code Block |
---|
(message -> "pam_aaa:Authentication success") ? 'LOGIN' : 'FAILED' |
| str
| | machine | machine | | str
| | appapplication | process | | str
| | domain | - | | str
| | user | user | | str srcIp
| | source_ip | srcIp | | ip4 srcHost
| | source_hostname | hostname | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | message | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
Anchor |
---|
| network.citrix.adc.sslvpn |
---|
| network.citrix.adc.sslvpn |
---|
| network.citrix.adc.sslvpn | Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"citrix-adc-sslvpn" |
| str
| | action | subtype | Code Block |
---|
(subtype = "LOGIN") ? 'LOGIN' : (subtype = "LOGOUT") ? 'LOGOUT' : 'FAILED' |
| str
| | machine | machine | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | user | | str srcIp
| | source_ip | sourceIp | | ip4 srcHost
| | source_hostname | vserverIp | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
Anchor |
---|
| siem.logtrust.web.connection |
---|
| siem.logtrust.web.connection |
---|
| siem.logtrust.web.connection | Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | | str
| | action | action | Code Block |
---|
(action in {'login', 'api_login', 'changedomain', 'ghost_login'}) ? 'LOGIN' : (action in {'logout', 'api_logout'}) ? 'LOGOUT' : 'FAILED' |
| str
| | machine | hostchain | Code Block |
---|
split(hostchain, "=", 0) |
| str
| | appapplication | serverHost | | str
| | domain | inputDomain | | str
| | user | inputUser | | str
| | srcIp | srcHostsource_ip | source_hostname | | ip4 srcHost
| | source_hostname | srcHost | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | message action | Code Block |
---|
'ACTION: ' + action + ' MSG: ' + message |
| str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
Anchor |
---|
| vpn.aws.client |
---|
| vpn.aws.client |
---|
| vpn.aws.client | Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"aws-vpn-client" |
| str
| | action | connection_log_type connection_attempt_status | Code Block |
---|
(connection_log_type in {'connection-reset'} ? 'LOGOUT' : (connection_attempt_status in {'successful'} ? "LOGIN" : "FAILED")) |
| str
| | machine | hostname | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | username | | str srcIp
| | source_ip | client_ip | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | connection_attempt_status | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
Anchor |
---|
| vpn.cisco.asa.anyconnect |
---|
| vpn.cisco.asa.anyconnect |
---|
| vpn.cisco.asa.anyconnect | Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | source | - | Code Block |
---|
"cisco-asa-anyconnect" |
| str
| | action | EventID | Code Block |
---|
(EventID = 722022) ? 'LOGIN' : ((EventID = 722023) ? 'LOGOUT' : null('')) |
| str
| | machine | host | | str
| | appapplication | - | | str
| | domain | - | | str
| | user | User | | str srcIp
| | source_ip | srcIP | | ip4 srcHost
| | source_hostname | - | | str srcUser
| | source_user | - | | str
| | result | - | | str
| | message | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|