Document toolboxDocument toolbox

auth.all

Introduction

This table collects information about different authentication events generated by a variety of platforms.

Source tables

The information displayed is extracted from the following tables:

  • adn.f5.bigip.apm

  • adn.f5.bigip.audit

  • auth.cisco.ise

  • auth.duo.administrator.login

  • auth.duo.authentication.events

  • auth.jumpcloud.directory.events

  • auth.jumpcloud.ldap.events

  • auth.jumpcloud.mdm.events

  • auth.jumpcloud.radius.events

  • auth.jumpcloud.software.events

  • auth.jumpcloud.sso.events

  • auth.jumpcloud.systems.events

  • auth.okta.events

  • auth.okta.system

  • auth.onelogin.events

  • auth.ping.federate.audit

  • auth.ping.federate.security_audit

  • auth.ping.id.mfa

  • auth.rsa.secureid.runtime

  • auth.securenvoy

  • auth.thycotic.secretserver

  • box.audit.unix.audispd

  • box.audit.unix.auditd

  • box.devo_ea.events_linux

  • box.devo_ea.events_windows

  • box.devo_ua.events_windows

  • box.unix

  • box.unix_cloudwatch

  • box.vmware.esx

  • box.win

  • box.winNxlog

  • box.win_classic

  • box.win_cloudwatch

  • box.win_hf

  • box.win_kinesis

  • box.win_nxlog

  • box.win_quest.change_auditor.leef

  • box.win_snare

  • box.win_solarwinds

  • box.win_winlogbeat

  • cef0.microsoft.microsoftWindows

  • cloud.aws.cloudtrail.events

  • cloud.aws.cloudtrail.signin

  • cloud.azure.ad.signin

  • cloud.azure.sql.audit

  • cloud.azure.vm.applicationevent

  • cloud.azure.vm.securityevent

  • cloud.azure.vm.systemevent

  • cloud.azure.vm.unix

  • cloud.gsuite.reports.login

  • cloud.office365.management_all

  • cloud.office365.oldmanagement

  • crm.salesforceobjects.loginhistory

  • db.mssql.events

  • db.oracle.audit_trail

  • ddi.infoblox.audit

  • firewall.fortinet.event.system

  • firewall.juniper.srx.system

  • firewall.paloalto.globalprotect

  • firewall.paloalto.system

  • helpdesk.zendesk.audit.logs

  • network.citrix.adc.sslvpn

  • siem.logtrust.web.connection

  • vpn.aws.client

  • vpn.cisco.asa.anyconnect

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Extra fields

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field

Data type

Extra fields

Field

Data type

Extra fields

eventdate

timestamp

-

source

str

-

action

str

-

machine

str

-

application

str

-

user_domain

str

-

user

str

-

Field

Data type

Extra fields

Field

Data type

Extra fields

source_ip

ip

-

source_hostname

str

-

source_user

str

-

result

str

-

message

str

-

hostchain

str

tag

str

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.