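fields:
  # Login-event field list. Indentation was lost in the original paste, which makes every
  # nested key parse as a top-level key; the structure is restored here with 2-space indents.
  # Key order is name / required / type / description / indicators throughout for diffability.
  # ipAddress carries no `required` flag, so it may be absent from an event.
  - name: ipAddress
    type: string
    description: IP Address that started the request
    indicators:
      - ip
  - name: username
    required: true
    type: string
    description: Username of the account
    indicators:
      - username
  - name: status
    required: true
    type: string
    description: The status of the login request
  - name: entryPoint
    required: true
    type: string
    description: The method used to login. Either Single Sign On, Universal API or Unknown
  - name: timestamp
    required: true
    type: timestamp
    description: Login timestamp
    isEventTime: true
    # Fractional seconds are comma-separated in this source format (",%f"), not dot-separated;
    # a dot-separated timestamp would fail to parse against this pattern.
    timeFormat: '%Y-%m-%dT%H:%M:%S,%f'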
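---
# New document: a second log schema begins here (a second top-level `fields` key in the same
# document would be a duplicate key). Indentation was lost in the original paste and is
# restored with 2-space indents; nesting follows the object/fields structure of each entry.
fields:
  - name: _event_score
    required: true
    description: The score of the event.
    type: bigint
  - name: app_metric_info
    description: Application metric information. Only present for App metric events.
    type: object
    fields:
      - name: cpu_percentage
        description: The CPU percentage used by the application.
        type: float
      - name: cpu_time_seconds
        description: The CPU time used by the application.
        type: float
      - name: interrupt_wakeups
        description: The number of interrupt wakeups.
        type: bigint
      - name: platform_idle_wakeups
        description: The number of platform idle wakeups.
        type: bigint
      - name: resident_memory_size_mb
        description: The resident memory size in MB.
        type: float
      - name: virtual_memory_size_mb
        description: The virtual memory size in MB.
        type: float
  - name: arguments
    description: Arguments that were passed to the event.
    type: json
  - name: attributes
    description: Attributes or metadata associated with the event
    type: json
  - name: audio_video_device_info
    type: object
    fields:
      - name: audio_device_creator
        description: Creator of the audio device.
        type: string
      - name: audio_device_hog_mode
        description: Whether the audio device is in hog mode.
        type: bigint
      - name: audio_device_id
        description: ID of the audio device.
        type: string
      - name: audio_device_manufacturer
        description: Manufacturer of the audio device.
        type: string
      - name: audio_device_running
        description: Whether the audio device is running.
        type: bigint
      - name: audio_device_uuid
        description: UUID of the audio device.
        type: string
      - name: device_status
        description: Status of the device. "On" or "Off".
        type: string
  - name: audit_class_verification_info
    description: Audit class verification information. Only present for AUDIT_CLASS_VERIFICATION_EVENT events.
    type: object
    fields:
      - name: contents
        description: Contents of the file.
        type: string
      - name: osversion
        description: Version of the operating system.
        type: string
      - name: restored_default
        description: Whether the file was restored to default.
        type: boolean
      - name: status
        description: Status of the file.
        type: int
      - name: status_str
        description: String representation of the status of the file.
        type: string
  - name: compliancereporter_license_info
    description: Compliance Reporter license information. Only present for LICENSE_INFO_EVENT events.
    type: object
    fields:
      - name: email
        type: string
        indicators:
          - email
      - name: expiration_date
        type: timestamp
        timeFormats:
          # %m is the zero-padded month. The original pattern was '%M/%d/%Y'; %M is minutes,
          # which would silently parse the month field as a minute value.
          - '%m/%d/%Y'
      - name: status
        type: string
      - name: time_seconds_epoch
        type: timestamp
        timeFormats:
          - unix
      - name: type
        type: string
      - name: version
        type: string
  - name: event_attributes
    description: Additional attributes or metadata associated with the event.
    type: json
  - name: exec_args
    description: Execution arguments passed to the event.
    type: object
    fields:
      - name: args
        description: Command line argument values listed in sequential order.
        type: json
      - name: args_compiled
        description: Comma-separated list of all command line arguments.
        type: string
  - name: exec_chain
    description: Chain of events originating from the same original action.
    type: json
  - name: exec_chain_child
    description: Child event in the chain of events originating from the same original action.
    type: object
    fields:
      - name: parent_path
        description: Path to the binary that directly caused this event.
        type: string
      - name: parent_pid
        description: Process ID of the process that directly caused this event.
        type: string
      - name: parent_uuid
        description: GUID of direct parent in execution chain. Correlates to exec_chain_parent.uuid field in parent event.
        type: string
  - name: exec_chain_parent
    description: Parent event in the chain of events originating from the same original action.
    type: object
    fields:
      - name: uuid
        description: GUID of child process to claim this event as its direct parent. Correlates to exec_chain_child.parent.uuid field in parent event.
        type: string
  - name: exec_env
    description: Execution environment for the event.
    type: object
    fields:
      - name: env
        description: Key and value pairs for environmental variables for the context of the event.
        type: json
      - name: env_compiled
        description: Comma-separated list of all environmental variables for the context of the event.
        type: string
  - name: exit
    description: Exit information for the event. Only present for AUE_EXIT events.
    type: object
    fields:
      - name: return_value
        description: The return value of the event.
        type: bigint
      - name: status
        description: The status of the event.
        type: bigint
  - name: file_event_info
    description: File event information. Only present for COMPLIANCEREPORTER_TAMPER_EVENT events.
    type: object
    fields:
      - name: eventid_wrapped
        description: Whether the event ID was wrapped.
        type: boolean
      - name: hash
        # SHA-1 is suitable for correlation/lookup, not as a collision-resistant integrity proof.
        description: SHA1 hash of the file.
        type: string
        indicators:
          - sha1
      - name: history_done
        description: Whether the history is done.
        type: boolean
      - name: item_change_owner
        description: Whether the item changed owner.
        type: boolean
      - name: item_cloned
        description: Whether the item was cloned.
        type: boolean
      - name: item_created
        description: Whether the item was created.
        type: boolean
      - name: item_extended_attribute_modified
        description: Whether the item's extended attributes were modified.
        type: boolean
      - name: item_finder_info_modified
        description: Whether the item's finder info was modified.
        type: boolean
      - name: item_inode_metadata_modified
        description: Whether the item's inode metadata was modified.
        type: boolean
      - name: item_is_directory
        description: Whether the item is a directory.
        type: boolean
      - name: item_is_file
        description: Whether the item is a file.
        type: boolean
      - name: item_is_hard_link
        description: Whether the item is a hard link.
        type: boolean
      - name: item_is_last_hard_link
        description: Whether the item is the last hard link.
        type: boolean
      - name: item_is_sym_link
        description: Whether the item is a symbolic link.
        type: boolean
      - name: item_removed
        description: Whether the item was removed.
        type: boolean
      - name: item_renamed
        description: Whether the item was renamed.
        type: boolean
      - name: item_updated
        description: Whether the item was updated.
        type: boolean
      - name: kernel_dropped
        # Dropped-event flags matter for coverage: a true value here means the tamper record
        # may be incomplete, so detections keyed on file changes should treat it as lossy.
        description: Whether the kernel dropped the event.
        type: boolean
      - name: mount
        description: Whether the item was mounted.
        type: boolean
      - name: must_scan_sub_dir
        description: Whether the subdirectory must be scanned.
        type: boolean
      - name: none
        description: Whether the item was not modified.
        type: boolean
      - name: own_event
        description: Whether the event was owned.
        type: boolean
      - name: path
        description: Path to the file.
        type: string
      - name: root_changed
        description: Whether the root was changed.
        type: boolean
      - name: unmount
        description: Whether the item was unmounted.
        type: boolean
      - name: user_dropped
        description: Whether the user dropped the event.
        type: boolean
  - name: hardware_event_info
    description: Hardware event information. Only present for HARDWARE_EVENT events.
    type: object
    fields:
      - name: device_attributes
        description: Attributes of the device.
        type: json
      - name: device_class
        description: Class of the device.
        type: string
      - name: device_name
        description: Name of the device.
        type: string
      - name: device_status
        description: Status of the device.
        type: string
  - name: header
    required: true
    description: Header information for the event. This field contains essential metadata about the event, including event name, timestamp, and version.
    type: object
    fields:
      - name: action
        description: Action that caused the event. Only present in PROHIBITED_APP_BLOCKED events.
        type: string
      - name: event_id
        description: ID that identifies the type of audit event.
        type: string
      - name: event_modifier
        description: Modifier for the event. This field is unused and will always be 0.
        type: string
      - name: event_name
        required: true
        description: Name of the type of audit event.
        type: string
      - name: time_seconds_epoch
        required: true
        description: Unix epoch time when the event occurred.
        type: timestamp
        timeFormat: unix
        # The event time is whole-second resolution; time_milliseconds_offset is a separate
        # field and does not appear to be folded in, so same-second ordering needs that field.
        isEventTime: true
      - name: time_milliseconds_offset
        description: Millisecond offset to the time_seconds_epoch field.
        type: bigint
      - name: version
        description: Version of the header format.
        type: string
  - name: host_info
    required: true
    description: Information about the host where the event occurred.
    type: object
    fields:
      - name: host_name
        description: Network host name of the computer.
        type: string
      - name: host_uuid
        description: Hardware UUID of the logic board.
        type: string
      - name: osversion
        description: Version of the operating system.
        type: string
      - name: primary_mac_address
        description: Primary MAC address of the reporting computer.
        type: string
        indicators:
          - mac
      - name: serial_number
        description: Serial number of the reporting computer.
        type: string
  - name: identity
    description: Identity information for the event.
    type: object
    fields:
      - name: cd_hash
        description: Cd bundle hash of the application or binary performing the action.
        type: string
        indicators:
          - sha1
      - name: signer_id
        description: Signer ID of the application or binary performing the action.
        type: string
      - name: signer_id_truncated
        # When true, signer_id is not the full value; exact-match rules on it may miss.
        description: Whether the signer ID was truncated.
        type: boolean
      - name: signer_type
        description: Signer type of the application or binary performing the action.
        type: int
      - name: team_id
        description: Team ID of the application or binary performing the action.
        type: string
      - name: team_id_truncated
        description: Whether the team ID was truncated.
        type: boolean
  - name: path
    description: File paths involved with event.
    type: array
    element:
      type: string
  - name: process
    description: Information about the process that performed the action.
    type: object
    fields:
      - name: audit_id
        description: ID of the user that auditd is attributing the event to.
        type: string
        indicators:
          - actor_id
      - name: audit_user_name
        description: Name of the user that auditd is attributing the event to.
        type: string
        indicators:
          - username
      - name: effective_group_id
        description: ID of the group's privilege that the event was executed with.
        type: string
      - name: effective_group_name
        description: Name of the group's privilege that the event was executed with.
        type: string
      - name: effective_user_id
        description: ID of the user's privilege that the event was executed with.
        type: string
        indicators:
          - actor_id
      - name: effective_user_name
        description: Name of the user's privilege that the event was executed with.
        type: string
        indicators:
          - username
      - name: group_id
        description: ID of the group that originated this event.
        type: string
      - name: group_name
        description: Name of the group that originated this event.
        type: string
      - name: process_hash
        description: SHA1 hash of the binary file that was executed.
        type: string
        indicators:
          - sha1
      - name: process_id
        description: ID of the process performing the logged action.
        type: string
      - name: process_name
        description: Path to the process performing the logged action.
        type: string
      - name: process_information
        description: Information about the process that performed the action.
        type: json
      - name: responsible_process_id
        description: ID of the process that originated this event.
        type: string
      - name: responsible_process_name
        description: Name of the process that originated this event at the start of the process chain.
        type: string
      - name: session_id
        description: Session ID number the event originated from.
        type: string
        indicators:
          - trace_id
      - name: terminal_id
        description: Information about the terminal where the event originated.
        type: object
        fields:
          - name: addr
            description: Network address information for the terminal.
            type: array
            element:
              type: bigint
          - name: ip_address
            description: IP address of the controlling computer.
            type: string
            indicators:
              - ip
          - name: port
            description: Port number that the process is connecting to.
            type: bigint
          - name: type
            description: Type of connection (4 = IPv4, 6 = IPv6).
            type: bigint
      - name: user_id
        description: ID of the user that originated this event.
        type: string
        indicators:
          - actor_id
      - name: user_name
        description: Name of the user that originated this event.
        type: string
        indicators:
          - username
  - name: return
    description: Event output information.
    type: object
    fields:
      - name: description
        description: Description of the event output.
        type: string
      - name: error
        description: Event outcome error code.
        type: int
      - name: return_value
        description: Event outcome return value (if any) returned.
        type: int
  - name: signal_event_info
    description: Signal event information. Only present for SIGNAL_EVENT events.
    type: object
    fields:
      - name: signal
        description: Signal number.
        type: int
  - name: socket_inet
    description: Internet socket information.
    type: object
    fields:
      - name: addr
        description: Network address information for the socket.
        type: array
        element:
          type: bigint
      - name: family
        description: Address family of the socket.
        type: string
      - name: id
        description: ID of the socket.
        type: string
      - name: ip_address
        description: IP address of the socket.
        type: string
        indicators:
          - ip
      - name: port
        description: Port number that the process is connecting to.
        type: bigint
  - name: socket_unix
    description: Unix socket information.
    type: object
    fields:
      - name: family
        description: Address family of the socket.
        type: string
      - name: path
        description: Path of the socket.
        type: string
  # `subject` mirrors the `process` object field-for-field (same names, types and indicators).
  - name: subject
    description: Subject information for the event.
    type: object
    fields:
      - name: audit_id
        description: ID of the user that auditd is attributing the event to.
        type: string
        indicators:
          - actor_id
      - name: audit_user_name
        description: Name of the user that auditd is attributing the event to.
        type: string
        indicators:
          - username
      - name: effective_group_id
        description: ID of the group's privilege that the event was executed with.
        type: string
      - name: effective_group_name
        description: Name of the group's privilege that the event was executed with.
        type: string
      - name: effective_user_id
        description: ID of the user's privilege that the event was executed with.
        type: string
        indicators:
          - actor_id
      - name: effective_user_name
        description: Name of the user's privilege that the event was executed with.
        type: string
        indicators:
          - username
      - name: group_id
        description: ID of the group that originated this event.
        type: string
      - name: group_name
        description: Name of the group that originated this event.
        type: string
      - name: process_hash
        description: SHA1 hash of the binary file that was executed.
        type: string
        indicators:
          - sha1
      - name: process_id
        description: ID of the process performing the logged action.
        type: string
      - name: process_name
        description: Path to the process performing the logged action.
        type: string
      - name: process_information
        description: Information about the process that performed the action.
        type: json
      - name: responsible_process_id
        description: ID of the process that originated this event.
        type: string
      - name: responsible_process_name
        description: Name of the process that originated this event at the start of the process chain.
        type: string
      - name: session_id
        description: Session ID number the event originated from.
        type: string
        indicators:
          - trace_id
      - name: terminal_id
        description: Information about the terminal where the event originated.
        type: object
        fields:
          - name: addr
            description: Network address information for the terminal.
            type: array
            element:
              type: bigint
          - name: ip_address
            description: IP address of the controlling computer.
            type: string
            indicators:
              - ip
          - name: port
            description: Port number that the process is connecting to.
            type: bigint
          - name: type
            description: Type of connection (4 = IPv4, 6 = IPv6).
            type: bigint
      - name: user_id
        description: ID of the user that originated this event.
        type: string
        indicators:
          - actor_id
      - name: user_name
        description: Name of the user that originated this event.
        type: string
        indicators:
          - username
  - name: texts
    description: Descriptions of the event.
    type: array
    element:
      type: string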