
app.lark

Introduction

The tags beginning with app.lark identify events generated by Lark products.

Valid tags and data tables 

The full tag must have four levels. The first two are fixed as app.lark, the third identifies the type of events sent, and the fourth indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service   Tags                   Data tables
Lark Suite          app.lark.audit.event   app.lark.audit.event
                    app.lark.admin.log     app.lark.admin.log
                    app.lark.dlp.log       app.lark.dlp.log

For more information, read About Devo tags.

How is the data sent to Devo?

You can use the Lark Suite collector to send events to your Devo domain. See the Lark Suite collector article for setup details.

Table structure

These are the fields displayed in each of the tables:

app.lark.audit.event

Field                                   Type        Extra fields
eventdate                               timestamp   no
machine                                 str         no
audit_context_terminal_type             int4        no
audit_context_web_context_ip            str         no
audit_context_web_context_ipv4          ip4         no
audit_context_web_context_ipv6          ip6         no
audit_context_web_context_user_agent    str         no
audit_context_pc_context_ip             str         no
audit_context_pc_context_ipv4           ip4         no
audit_context_pc_context_ipv6           ip6         no
audit_context_pc_context_app_ver        str         no
audit_context_pc_context_did            str         no
audit_context_pc_context_os             str         no
audit_context_pc_context_region         str         no
audit_context_pc_context_udid           str         no
audit_context_pc_context_ver            str         no
audit_context_pc_context_wifip          str         no
audit_detail_city                       str         no
audit_detail_device_model               str         no
audit_detail_mc                         str         no
audit_detail_os                         str         no
common_drawers_common_draw_info_list    str         no
department_ids                          str         no
event_id                                str         no
event_module                            int4        no
event_name                              str         no
event_time                              timestamp   no
ip                                      str         no
ipv4                                    ip4         no
ipv6                                    ip6         no
objects                                 str         no
operator_app                            str         no
operator_app_name                       str         no
operator_type                           int4        no
operator_value                          str         no
recipients                              str         no
unique_id                               str         no
at_devo_pulling_id                      str         no
hostchain                               str         yes
tag                                     str         yes
rawMessage                              str         yes
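The tag rule above (four levels, fixed app.lark prefix) and the column names of the app.lark.audit.event table, worked through as an added example. This is not Devo's or Lark's own parser code. It assumes that the raw event is nested JSON whose shape is inferred from the underscore-joined column names (audit_context.web_context.ip becomes audit_context_web_context_ip), that the typed ipv4/ipv6 columns are derived from the raw ip string by address family, and that the sample event is constructed for illustration rather than real Lark output.

```python
"""Added example (not Devo's or Lark's own code).

Routes an event by its app.lark tag and flattens a nested audit event into the
column names documented for the app.lark.audit.event table.

Assumptions not stated on the page:
  * the nested shape of the raw event is inferred from the underscore-joined
    column names (audit_context.web_context.ip -> audit_context_web_context_ip);
  * the typed ipv4/ipv6 columns are derived from the raw ip string by address
    family, and both stay empty when the string is not a parsable address;
  * SAMPLE_EVENT is constructed for this example and is not real Lark output.
"""
import ipaddress
import json
from typing import Any

# Valid tag -> data table, as listed on this page.
TAG_TO_TABLE = {
    "app.lark.audit.event": "app.lark.audit.event",
    "app.lark.admin.log": "app.lark.admin.log",
    "app.lark.dlp.log": "app.lark.dlp.log",
}

# Columns that carry a raw address string and have typed ipv4/ipv6 siblings.
IP_COLUMNS = ("ip", "audit_context_web_context_ip", "audit_context_pc_context_ip")


def is_valid_tag(tag: str) -> bool:
    """Enforce the 4-level rule app.lark.<type>.<subtype> and require a known table."""
    levels = tag.split(".")
    well_formed = len(levels) == 4 and levels[:2] == ["app", "lark"] and all(levels)
    return well_formed and tag in TAG_TO_TABLE


def flatten(obj: dict[str, Any], prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts into '_'-joined keys; lists become JSON strings (str columns)."""
    out: dict[str, Any] = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "_"))
        elif isinstance(value, list):
            out[name] = json.dumps(value, separators=(",", ":"))
        else:
            out[name] = value
    return out


def split_ip(columns: dict[str, Any], key: str) -> None:
    """Populate <key>v4 / <key>v6 from the raw string in <key> according to address family."""
    columns[key + "v4"] = None
    columns[key + "v6"] = None
    try:
        addr = ipaddress.ip_address(columns.get(key))
    except ValueError:
        return  # absent or not an address: raw string (if any) stays, typed columns stay empty
    columns[key + ("v4" if addr.version == 4 else "v6")] = str(addr)


def parse_audit_event(tag: str, raw_json: str) -> tuple[str, dict[str, Any]]:
    """Return (data table, flattened columns), or raise ValueError for an unsupported tag."""
    if not is_valid_tag(tag):
        raise ValueError(f"unsupported tag {tag!r}; expected app.lark.<type>.<subtype>")
    columns = flatten(json.loads(raw_json))
    for key in IP_COLUMNS:
        split_ip(columns, key)
    return TAG_TO_TABLE[tag], columns


# Constructed sample event (not real Lark output); nesting assumed as described above.
SAMPLE_EVENT = json.dumps({
    "event_id": "evt-0001",
    "event_module": 1,
    "event_name": "file_download",
    "event_time": "2024-05-01T10:00:00Z",
    "ip": "203.0.113.10",
    "operator_type": 1,
    "operator_value": "user-0001",
    "audit_context": {
        "terminal_type": 2,
        "web_context": {"ip": "2001:db8::1", "user_agent": "Mozilla/5.0"},
        "pc_context": {"ip": "not-an-ip", "os": "macOS"},
    },
    "objects": [{"type": "doc", "id": "doc-0001"}],
})

if __name__ == "__main__":
    table, cols = parse_audit_event("app.lark.audit.event", SAMPLE_EVENT)
    print(table)
    for name in sorted(cols):
        print(f"{name:40} {cols[name]!r}")
```

The point of keeping the raw string column next to the typed ip4/ip6 columns is that an unparsable or missing address never silently disappears: the str column keeps whatever the product sent, while the typed columns stay empty and can be filtered on reliably in queries.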

app.lark.admin.log

Field                                   Type        Extra fields
eventdate                               timestamp   no
machine                                 str         no
category_name                           str         no
content                                 str         no
create_time                             str         no
event_name                              str         no
ip                                      str         no
ipv4                                    ip4         no
ipv6                                    ip6         no
operation_status                        int4        no
unique_id                               str         no
user_id                                 str         no
hostchain                               str         yes
tag                                     str         yes
rawMessage                              str         yes

app.lark.dlp.log

Field                                   Type        Extra fields
eventdate                               timestamp   no
machine                                 str         no
applicable_service                      str         no
document_link                           str         no
document_name                           str         no
document_owner_id                       str         no
document_owner_name                     str         no
document_type                           str         no
evidence_detail_keyword_hits            str         no
evidence_detail_secure_label_hits       str         no
evidence_detail_sensitive_hits          str         no
evidence_detail_trigger_snippets        str         no
hit_policies                            str         no
system_action                           str         no
time                                    str         no
trigger                                 str         no
trigger_event_type                      str         no
user_id                                 str         no
username                                str         no
hostchain                               str         yes
tag                                     str         yes
rawMessage                              str         yes