Document toolboxDocument toolbox

auth.oneidentity

Owned by Juan Tomás Alonso Nieto (Deactivated), created
Last updated: Oct 16, 2023
1 min read
[ 1 Introduction ] [ 2 Valid tags and data tables  ] [ 3 Table structure ]

Introduction

The tags beginning with auth.oneidentity identify events generated by authentication services belonging to One Identity.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as auth.oneidentity. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

One Identity Defender Security Server

auth.oneidentity.defender.securityserver

auth.oneidentity.defender.securityserver

One Identity Safeguard

auth.oneidentity.safeguard.events

auth.oneidentity.safeguard.events

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

auth.oneidentity.defender.securityserver

Field

Type

Extra fields

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

user

str

 

ldapsearch

str

 

ip

str

 

nas

str

 

requestId

str

 

sessionId

str

 

rawMessage

str

✓

hostchain

str

✓

tag

str

✓

auth.oneidentity.safeguard.events

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

job_exception

str

 

 

 

job_exit_code

int4

 

 

 

job_message

str

 

 

 

job_start_time

str

 

 

 

job_stop_time

str

 

 

 

job_thread_count

str

 

 

 

scheduler_trigger_id

str

 

 

 

trigger_misfired

bool

 

 

 

trigger_vetoed

bool

 

 

 

event_name

str

 

 

 

event_timestamp

str

 

 

 

appliance_id

str

 

 

 

event_user_id

int4

 

 

 

event_user_display_name

str

 

 

 

event_user_name

str

 

 

 

event_user_domain_name

str

 

 

 

audit_log_uri

str

 

 

 

event_display_name

str

 

 

 

event_description

str

 

 

 

user_id

int4

 

 

 

user_ip

ip4

 

 

 

username

str

 

 

 

user_port

int4

 

 

 

access_request_type

str

 

 

 

account_distinguished_name

str

 

 

 

account_domain_name

str

 

 

 

account_id

int4

 

 

 

account_name

str

 

 

 

action_user_ids

str

replace(replace(stringify(json(action_user_ids_array)), '[', ''), ']', '')

action_user_ids_array

 

approver_access_request_uri

str

 

 

 

asset_id

int4

 

 

 

asset_name

str

 

 

 

asset_network_address

str

 

 

 

asset_platform_type

str

 

 

 

comment

str

 

 

 

duration_in_minutes

int4

 

 

 

offline_workflow_mode

bool

 

 

 

reason

str

 

 

 

reason_code

str

 

 

 

requester

str

 

 

 

requester_access_request_uri

str

 

 

 

requester_id

int4

 

 

 

requester_username

str

 

 

 

request_id

str

 

 

 

required_date

timestamp

 

 

 

reviewer_access_request_uri

str

 

 

 

session_sps_node_ip_address

str

 

 

 

ticket_number

str

 

 

 

was_checked_out

bool

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓