The following set of tables can help you monitor different aspects of the web application itself. This may be useful in case you want to have a general overview of the web application’s normal development, extract specific information or identify abnormal situations that might require corrective measures.
Field formats
Please note that the format of the fields in these tables may vary due to code changes.
siem.logtrust.web.activity
In this table, you can find detailed information about everything that happened in the current domain. You can see below the most relevant fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
level |
| Level of importance or urgency of the event
|
domain |
| Domain in which the action takes place |
userid |
| ID associated with the user |
username |
| User who performed the action |
sessionid |
| Session in which the action is framed |
correlationid |
| Unique identifier of the request |
srcHost, srcPort |
| IP address and port from which the connection to Devo is requested |
serverHost, serverPort |
| Server address and port through which the connection to Devo is established |
type |
| Nature of the task performed |
method |
| Data transfer method used |
url, headers, params |
| URL, headers, and parameters of the request |
referer |
| HTTP header field that identifies the address of the web page requested |
userAgent |
| Web browser used to access Devo |
locale |
| Language-variant combination employed by the user |
contentLength, responseLength |
| Number of data bytes contained in the request from the source and the response from the server |
responseTime |
| Total amount of time (in milliseconds) it takes to respond to the request |
result, resourceInfo, errorInfo |
| Result of the request, and info related to the resource and possible errors in the request |
country, region, city |
| Geographic location of the source connection established by the user |
isp, org |
| Internet provider |
siem.logtrust.web.navigation
In this table, you can find specific information about user activity. It contains a data structure similar to the siem.logtrust.web.activity with the difference that it includes only activity triggered by users and excludes platform and server response. You can see below the most relevant fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
domain |
| Domain in which the action takes place |
userid |
| ID associated with the user |
sessionid |
| Session in which the action is framed |
userEmail |
| Email address employed by the user to register and log in |
serverHost, serverPort |
| Server address and port through which the connection to Devo is established |
srcHost, srcPort |
| IP address and port from which the connection to Devo is requested |
userAgent |
| Web browser used to access Devo |
referer |
| HTTP header field that identifies the address of the web page requested |
url |
| URL of the request |
origin |
| Origin part of the URL |
section |
| Area of the web application the user accessed |
action |
| Task performed |
type |
| Request type |
message |
| Message in the request |
country, region, city |
| Geographic location of the source connection established by the user |
isp, org |
| Internet provider |
siem.logtrust.web.info
In this table, you can find information about the development of the web application. It can be used to analyze the different events that take place on the platform to have an overview of the global situation. You can see below the most relevant fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
level |
| Level of importance or urgency of the event
|
domain |
| Domain in which the event occurred |
userid |
| ID associated with the user |
sessionid |
| Session in which the action is framed |
message |
| Full text describing the nature and content of the error |
siem.logtrust.web.error
In this table, you can find information about the errors that occurred in the web application. It can be used to analyze common errors to possibly identify the cause. It is very similar to the siem.logtrust.web.info table with the difference that it includes only events that contain errors and excludes the rest of the levels. You can see below the most relevant fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
level |
| Level of importance or urgency of the event (in this case only ERROR) |
domain |
| Domain in which the error occurred |
userid |
| ID associated with the user |
sessionid |
| Session in which the action is framed |
message |
| Full text describing the nature and content of the error |
siem.logtrust.web.notification
In this table, you can find information about the notifications that occurred in the web application. You can see below the most relevant fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
level |
| Level of importance or urgency of the notification
|
domain |
| Domain in which the notification occurred |
userName |
| ID associated with the user that caused the notification |
sessionId |
| ID of the session in which the action is framed |
domainId |
| ID of the domain |
userId |
| ID of the user |
notificationId |
| ID of the notification |
text |
| Text of the notification |
creationDate |
| Date when the notification occured |
notificationType |
| Type of notification |
siem.logtrust.collector.counter
Field Name | Data Type |
eventdate |
|
collector |
|
engine |
|
kind |
|
object |
|
events |
|
bytes |
|
client |
|
tag |
|
layouterror |
|
raw |
|
rawSource |
|
rawTagged |
|
__trunk |
|
__containerName |
|
__containerHash |
|
__containerOffset |
|
_beid |
|
_seid |
|
eventid |
|
devo.internal.audit.logs
In this table, you can find the complete record of the activity registered in the platform concerning users, roles, credentials, and preferences. It can primarily be used for audition processes but is also applicable to any other operational process requiring a comprehensive record of this activity.
Field | Data type | Description |
|---|---|---|
eventdate |
| Date in which the event was registered in Devo. → 2024-02-14 13:41:31.210 |
hostname |
| Name of the internal component in charge of executing the action. → webapp-2 |
action_date |
| Moment in time when the action occurs, expressed in milliseconds since the Unix epoch. → 1681917780246 |
type |
| Event classification. → AUDIT vs. OPERATIONAL |
domain |
| Domain where the user behind the action was logged in, extracted from the authentication token. → demo, analytics, etc. |
username |
| Email address of the user behind the action, extracted from the authentication token. → user@devo.com |
user_role |
| Role or roles assigned to the user behind the action. → administrator, writer, viewer, etc. |
server_hostname |
| IP address or name of the machine in charge of executing the action. → 25.42.123.789 |
url |
| Url of the action executed. → https://us.devo.com/#/home |
service |
| Name of the service or application where the action was executed. → api, secops, lookups, alerts, users, roles, authentication, Exchange, etc. |
section |
| When applicable, name of the specific part inside the service where the action was executed. → overview, preferences, threats, discover, etc. |
subsection |
| When applicable, name of the specific part inside the section where the action was executed. → general, user activity, threats detected, alert, etc. |
object_name |
| Name of the specific object affected by the action. This is the name assigned to the object when created, which may vary if edited. → Dangerous IPs, Alert pack: Firewall, etc. |
object_id |
| Unique ID of the specific object affected by the action, which is automatically assigned when created and is normally invariable. → 238, map_12345, etc. |
action |
| Description of the action executed. → open.app, preferences.update, authentication.token.seen, roles.uptade, get catalog, etc. |
is_user_action |
| This field indicates whether the action is performed by a user or if it is automatically generated by a system action. → true vs. false |
status |
| This field indicates whtther the action was successfully executed or not. When the action fails, the reason will be included in the exception field. → success vs. failure |
http_status |
| Http status code that your application is returning after performing the action. → 200, 404, etc. |
headers |
| Name of the http headers, without their values, that are sent with executed http action. → content type, authorization, etc. |
metadata |
| Relevant information to give context about the action, such as including the previous and new values when there is a change in the content of an object. → {"from":"Alert coverage"} |
user_ip4 |
| IP of the user performing the action. → 25.42.123.789 |
user_ip6 |
| IP of the user performing the action. → 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
response_time |
| Duration of the action in milliseconds. → 458 |
exception |
| Trace of the exception generated when the action failed, which is indicated in the status field. → cannot load custom alert |
authentication |
| Authentication type used to log in. → password, SAML, openID, token, API_keys, etc. |
authentication_hash |
| Hash of the authentication token, normally using Scrypt algorithms. → 9fb8020742d78f3fd3a291f110dc1405ad7402fc5e30a582f5123d2744h247f4 |
instance |
| Name of the environment where the action was executed. → hostname1 |
correlation_id |
| Unique ID that identifies the action registered, as well as all the calls and applications involved in the interaction. → c4e6d7b6-4cfa-4f3d-bdaa-791d26f822e1 |