/
auth.all
Document toolboxDocument toolbox

auth.all

Owned by Former user (Deleted)
Last updated: Mar 12, 2025 by Virginia Camuñas Núñez
15 min read
[ 1 Scope ] [ 2 Send data to Devo ] [ 3 Source tables ] [ 4 Table structure ] [ 5 Secure it ] [ 6 Field transformations ]

Scope

This table collects information about various authentication events generated by different platforms, including cloud distributors, virtual private networks (VPNs), databases, firewalls, and application delivery services. Working with this table will help you detect credential access threats.

Send data to Devo

Among the 41 compatible data sources, the most popular and security-critical are:

Source tables

The information displayed is extracted from the following tables:

  • adn.f5.bigip.apm

  • adn.f5.bigip.audit

  • app.lastpass.events

  • auth.cisco.ise

  • auth.duo.administrator.login

  • auth.duo.authentication.events

  • auth.jumpcloud.all.events

  • auth.okta.events

  • auth.okta.system

  • auth.onelogin.events

  • auth.ping.federate.audit

  • auth.ping.federate.security_audit

  • auth.ping.id.mfa

  • auth.rsa.secureid.runtime

  • auth.securenvoy

  • auth.thycotic.secretserver

  • auth.unix

  • box.all.win

  • cef0.microsoft.microsoftWindows

  • cloud.aws.cloudtrail.events

  • cloud.aws.cloudtrail.signin

  • cloud.azure.ad.signin

  • cloud.azure.sql.audit

  • cloud.gsuite.reports.login

  • cloud.office365.management

  • crm.salesforceobjects.loginhistory

  • db.mssql.events

  • db.oracle.audit_trail

  • ddi.infoblox.audit

  • firewall.all.vpn.auth

  • firewall.cisco.asa

  • firewall.fortinet.event.system

  • firewall.juniper.srx.system

  • firewall.paloalto.globalprotect

  • firewall.paloalto.system

  • helpdesk.zendesk.audit.logs

  • network.cisco.switch

  • network.citrix.adc.sslvpn

  • siem.logtrust.web.connection

  • vpn.aws.client

  • vpn.cisco.asa.anyconnect

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Extra fields

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field

Type

Extra fields

Field

Type

Extra fields

eventdate

timestamp

 

source

str

 

action

str

 

machine

str

 

hostname

str

 

application

str

 

domain

str

 

user

str

 

source_ip

ip4

 

source_ipv4

ip4

 

source_hostname

str

 

source_user

str

 

username

str

 

user_identity_username

str

 

result

str

 

message

str

hostchain

str

tag

str

Secure it

The following Exchange Alert Packs help monitor events from this table by specifically installing the included alerts:

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

 

Related content