Auth Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resoureId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or the device MAC address |
| process_id | string | processId$ | Identifier provided by the OS for the running process |
| process_create_time_usec | uint64 | processCreateTimeUsec$ | Create time of process requesting authorization |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID that protects against rolling process IDs; for redcloak it is built as host_id:id.pid:id.time_window |
| process_filename | string | processFilename$ | File name of the process that requested authorization |
| process_file_hash | FileHash | fileHash$ | Hash of the file of the process that requested authorization |
| commandline | string | commandline$ | Full command line of process that made the authorization request |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| action | Auth.Action | action$ | The type of authentication event (ex. LOGON, LOGOFF) |
| auth_category | Auth.AuthCategory | authCategory$ | The type of authentication event (ex. ACCOUNT_LOGON, ACCOUNT_LOCK) |
| action_result | Auth.ActionResult | actionResult$ | The result of the action performed in auth_category (ex. SUCCESS, FAILED) |
| failure_category | Auth.FailureCategory | failureCategory$ | The reason if the action_result is FAILED |
| trust_features | Auth.TrustFeatures | trustFeatures$ | Indicates why a user logon could be legitimate, for example MFA was used |
| auth_system | string | authSystem$ | The system identifying the event (ex. Windows, PAM, SSHD, sudo) |
| target_user_name | string | targetUserName$ | Account that user is logging in to |
| target_domain_name | string | targetDomainName$ | Domain that user is logging in to |
| target_address | string | targetAddress$ | IP address that user is logging in to |
| target_port | string | targetPort$ | Port that user is logging in to. |
| target_port_number | uint32 | targetPortNumber$ | Port that user is logging in to. |
| target_host_name | string | targetHostName$ | Hostname of the Target Ex: Windows workstation name |
| source_user_name | string | sourceUserName$ | Account that user is logging in from |
| source_domain_name | string | sourceDomainName$ | Domain that user is logging in from |
| source_address | string | sourceAddress$ | IP address that user is logging in from |
| source_port | string | sourcePort$ | Port that user is logging in from. |
| source_port_number | uint32 | sourcePortNumber$ | Port that user is logging in from. |
| os | OperatingSystem | os(.os) | Operating system and architecture of the user's machine |
| logon_application_family | string | logonApplicationFamily$ | The application used by the user to logon, devoid of version information (ex. chrome, firefox) |
| user_agent | string | userAgent$ | The user-agent string used in the request |
| user_display_name | string | userDisplayName$ | User account's display name |
| member_name | string | memberName$ | Distinguished name of account that was added or removed to/from security-enabled local group |
| session_id | string | sessionId$ | Identifier of the session to match logon/logoff |
| logon_type | Auth.LogonType | logonType$ | Value of logon type (ex. '...Logon Type: 3...') |
| mfa_used | bool | mfaUsed$ | Was MFA used when user was authenticated |
| encryption_type | Auth.EncryptionType | encryptionType$ | Ticket encryption type e.g. 0x12 or 0x17 |
| win_event_level | string | winEventLevel$ | The urgency level the event was assigned by Windows |
| win_summary | string | winSummary$ | The event summary as provided by Windows |
| win_keywords | string | winKeywords$ | Keywords Windows applies to the event |
| win_task_category | string | winTaskCategory$ | The category in which Windows has classified the event |
| win_event_id | string | winEventId$ | Identifier of event generated by the Windows log |
| device_trust_type | string | deviceTrustType$ | Taken from the trustType field in deviceDetails of Microsoft Graph sign-in events: https://docs.microsoft.com/en-us/graph/api/resources/devicedetail?view=graph-rest-1.0; can be used as an indicator of trustworthiness for the sign-in device |
| src_ipblacklist_hits | repeated string | | Provides the names of blacklists matched by the source |
| dest_ipblacklist_hits | repeated string | | Provides the names of blacklists matched by the destination |
| src_ipgeo_summary | GeoSummary | | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | | The geographic location of the destination IP |
| status | string | status$ | |
| sub_status | string | subStatus$ | |
| extra_authenticationpackagename | string | extraAuthenticationpackagename$ | The system performing authentication, Ex. NTLM, Kerberos |
| extra_elevatedtoken | string | extraElevatedtoken$ | Indicates if the session represented by this event has administration privileges |
| extra_failurereason | string | extraFailurereason$ | The reason for a failed login, resource access, etc. |
| extra_homedirectory | string | extraHomedirector$ | The home directory of the user process associated with the log event |
| extra_impersonationlevel | string | extraImpersonationlevel$ | MS WMI impersonation level |
| extra_keylength | int32 | extraKeylength$ | Length of key protecting the "secure channel" |
| extra_lmpackagename | string | extraLmpackagename$ | If this logon was authenticated via the NTLM protocol (instead of Kerberos for instance) this field tells you which version of NTLM was used |
| extra_logonprocessname | string | extraLogonprocessname$ | The name of the MS trusted logon process, Ex. Winlogon, IKE, etc. |
| extra_restrictedadminmode | string | extraRestrictedadminmode$ | "Yes" for incoming Remote Desktop Connections where the client specified /restrictedAdmin on the command line |
| extra_samaccountname | string | extraSamaccountname$ | User logon name used to support clients and servers from a previous version of Windows (pre-Windows 2000) |
| extra_targetoutbounddomainname | string | extraTargetoutbounddomainname$ | MS domain name of target logon |
| extra_targetoutboundusername | string | extraTargetoutboundusername$ | MS user name of target logon |
| extra_targetservername | string | extraTargetservername$ | Hostname of target logon |
| extra_userprincipalname | string | extraUserpricipalname$ | Internet-style login name for the user based on the Internet standard RFC 822 |
| extra_virtualaccount | string | extraVirtualAccount$ | Indicates MS services are configured to logon with a "Virtual Account" |
| extra_workstationname | string | extraWorkstationname$ | The |
| extra_subject_domain_user_id | string | extraSubjectDomainUserId$ | Identifies the account that requested the logon - NOT the user being logged onto |
| extra_target_domain_user_id | string | extraTargetDomainUserId$ | Identifies the account being logged on |
| application_name | string | applicationName$ | Identifies the application being logged into. Notably for cloud integrations |
| service_name | string | serviceName$ | The name of the service where the user is trying to login |
| service_sid | string | serviceSid$ | Identifies the service where the user is trying to login |
| ticket_options | string | ticketOptions$ | The logon ticket options |
| event_metadata | KeyValuePairsIndexed | | event_metadata can be provided by the appliance to add context |
Auth.Action
The type of authentication event
| Name | Number | Description |
|---|---|---|
| UNCLASSIFIED | 0 | |
| LOGON | 1 | A User login/authenticate operation. Or a start of a user session |
| ACCOUNT | 2 | |
| PRIVILEGE | 3 | |
| POLICY | 4 | Account/domain policy changes. For Windows: this computer's Security Settings\Account Policy or Account Lockout Policy was modified, either via Local Security Policy or via Group Policy in Active Directory. On a web-based auth platform (example: Okta): 1. lifecycle policy changes; 2. user session lifetime; 3. MFA requirements; 4. password complexity requirements |
| SYSTEM | 5 | System audit policy changes. For web-based auth providers: 1. API token create/revoke; 2. MFA verification request |
| LOG | 6 | |
| LOGOFF | 7 | A User logout operation. Or an end of a user session |
| FAILURE | 8 | A User authentication attempt failure |
| USER_MANAGEMENT | 9 | Actions including: 1. adding a new user to the account; 2. modifying an existing user; 3. removing a user from the account; 4. lifecycle events; 5. updating password/MFA settings |
Auth.AuthCategory
The type of authentication event.
| Name | Number | Description |
|---|---|---|
| UNKNOWN_AUTH_CATEGORY | 0 | |
| ACCOUNT_LOGON | 10 | |
| ACCOUNT_LOGOFF | 20 | |
| ACCOUNT_LOCK | 30 | |
| ACCOUNT_UNLOCK | 40 | |
| PASSWORD_CHANGE_ATTEMPT | 50 | The user attempted to change their own password |
| PASSWORD_RESET_ATTEMPT | 60 | The source user attempted to change the target user's password (ex. admin reset) |
| PRE_AUTHENTICATION | 70 | A pre-required step for authentication, such as requesting a Kerberos authentication ticket |
Auth.ActionResult
The result of the action performed in auth_category.
| Name | Number | Description |
|---|---|---|
| UNKNOWN_ACTION_RESULT | 0 | |
| SUCCESS | 10 | The outcome of the auth_category step was successful |
| FAILED | 20 | The outcome of the auth_category step was not successful |
Auth.FailureCategory
The reason if the action_result is FAILED.
| Name | Number | Description |
|---|---|---|
| UNKNOWN_FAILURE_CATEGORY | 0 | |
| INCORRECT_USER_OR_PASSWORD | 10 | |
| EXPIRED_PASSWORD | 20 | |
| INVALID_ACCOUNT | 30 | |
| INCORRECT_MFA | 40 | |
| OUTSIDE_PERMISSIBLE_HOURS | 50 | |
| OVERDUE_PASSWORD_CHANGE | 60 | |
| ACCOUNT_LOCKED_OUT | 70 | |
| ACCOUNT_DISABLED | 80 | |
| OTHER_ERROR | 90 | There is an error reported that is not covered by the other categories here |
Auth.TrustFeatures
| Name | Number | Description |
|---|---|---|
| UNKNOWN_TRUSTED_FEATURES | 0 | |
| MFA_USED | 10 | |
| TRUSTED_IP_ADDRESS | 20 | |
| OTHER_TRUSTED_ACCOUNT | 30 | Account is trusted in some other way, for example Entra ID registered or joined device |
Auth.EncryptionType
| Name | Number | Description |
|---|---|---|
| ENCRYPTION_UNKNOWN | 0 | |
| DES_CBC_CRC | 1 | |
| DES_CBC_MD4 | 2 | |
| DES_CBC_MD5 | 3 | |
| DES3_CBC_MD5 | 4 | |
| DES3_CBC_SHA1 | 5 | |
| DSA_WITH_SHA1_CMSOID | 6 | |
| MD5_WITH_RSA_ENCRYPTION_CMSOID | 7 | |
| SHA1_WITH_RSA_ENCRYPTION_CMSOID | 8 | |
| RC2CBC_ENVOID | 9 | |
| RSA_ENCRYPTION_ENVOID | 10 | |
| RSA_ES_OAEP_ENV_OID | 11 | |
| DES_EDE3_CBC_ENV_OID | 12 | |
| DES3_CBC_SHA1_KD | 13 | |
| AES128_CTS_HMAC_SHA1_96 | 14 | |
| AES256_CTS_HMAC_SHA1_96 | 15 | |
| RC4_HMAC | 16 | |
| RC4_HMAC_EXP | 17 | |
| SUBKEY_KEYMATERIAL | 18 | |
Auth.LogonType
Logon type value; the numbers map directly to the Win32 logon type values
| Name | Number | Description |
|---|---|---|
| SYSTEMONLY | 0 | Unused, but required because a proto3 enum must have a zero value |
| UNKNOWN | 1 | |
| INTERACTIVE | 2 | |
| NETWORK | 3 | |
| BATCH | 4 | |
| SERVICE | 5 | |
| PROXY | 6 | |
| UNLOCK | 7 | |
| NETWORKCLEARTEXT | 8 | |
| NEWCREDENTIALS | 9 | |
| REMOTEINTERACTIVE | 10 | |
| CACHEDINTERACTIVE | 11 | |
| CACHEDREMOTEINTERACTIVE | 12 | |
| CACHEDUNLOCKED | 13 | |
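The following is an added example, not Secureworks/Taegis code, showing how a parser would populate the Auth schema fields above from constructed Windows Security events and how the Auth.* enum values on this page relate to the raw values in the source data. Two points a practitioner should notice: Auth.LogonType numbers equal the Win32 logon type numbers, so the raw LogonType can be used after a range check, whereas Auth.EncryptionType numbers are not Kerberos etype numbers (the page's "0x12 or 0x17" are etypes 18 and 23, which become schema values 15 and 16). It also applies the Note at the top: a schema field is only set when its source field exists. The event IDs 4624/4625/4768, the NTSTATUS codes and the Kerberos etype numbers are standard Windows/Kerberos values; which Auth.* member each one maps to, and the sample events themselves, are this example's own assumptions.

```python
"""Added example (not Taegis/Secureworks code): normalize constructed Windows
Security events onto the Auth schema field names and Auth.* enums."""
from enum import IntEnum
from typing import Dict, Optional


class Action(IntEnum):           # subset of Auth.Action, numbers as on the page
    UNCLASSIFIED, LOGON, FAILURE = 0, 1, 8

class AuthCategory(IntEnum):     # subset of Auth.AuthCategory
    UNKNOWN_AUTH_CATEGORY, ACCOUNT_LOGON, PRE_AUTHENTICATION = 0, 10, 70

class ActionResult(IntEnum):     # Auth.ActionResult
    UNKNOWN_ACTION_RESULT, SUCCESS, FAILED = 0, 10, 20

class FailureCategory(IntEnum):  # Auth.FailureCategory
    UNKNOWN_FAILURE_CATEGORY = 0
    INCORRECT_USER_OR_PASSWORD = 10
    EXPIRED_PASSWORD = 20
    INVALID_ACCOUNT = 30
    INCORRECT_MFA = 40
    OUTSIDE_PERMISSIBLE_HOURS = 50
    OVERDUE_PASSWORD_CHANGE = 60
    ACCOUNT_LOCKED_OUT = 70
    ACCOUNT_DISABLED = 80
    OTHER_ERROR = 90

class EncryptionType(IntEnum):   # subset of Auth.EncryptionType
    ENCRYPTION_UNKNOWN = 0
    DES_CBC_CRC = 1
    DES_CBC_MD5 = 3
    DES3_CBC_SHA1 = 5
    AES128_CTS_HMAC_SHA1_96 = 14
    AES256_CTS_HMAC_SHA1_96 = 15
    RC4_HMAC = 16
    RC4_HMAC_EXP = 17

# Auth.LogonType numbers equal the Win32 values (0..13); 1 is UNKNOWN.
LOGON_TYPE_UNKNOWN, VALID_LOGON_TYPES = 1, set(range(14))

# Kerberos etype numbers (IANA registry) -> schema enum. The numbers differ:
# etype 18 (AES256) is schema value 15, etype 23 (RC4-HMAC) is schema value 16.
KERBEROS_ETYPE_TO_SCHEMA: Dict[int, EncryptionType] = {
    1: EncryptionType.DES_CBC_CRC, 3: EncryptionType.DES_CBC_MD5,
    16: EncryptionType.DES3_CBC_SHA1, 17: EncryptionType.AES128_CTS_HMAC_SHA1_96,
    18: EncryptionType.AES256_CTS_HMAC_SHA1_96, 23: EncryptionType.RC4_HMAC,
    24: EncryptionType.RC4_HMAC_EXP,
}

# NTSTATUS values found in the Status/SubStatus fields of event 4625
# (mapping to Auth.FailureCategory is this example's assumption).
NTSTATUS_TO_FAILURE: Dict[int, FailureCategory] = {
    0xC0000064: FailureCategory.INVALID_ACCOUNT,             # user does not exist
    0xC000006A: FailureCategory.INCORRECT_USER_OR_PASSWORD,  # wrong password
    0xC000006D: FailureCategory.INCORRECT_USER_OR_PASSWORD,  # bad user or password
    0xC000006F: FailureCategory.OUTSIDE_PERMISSIBLE_HOURS,
    0xC0000071: FailureCategory.EXPIRED_PASSWORD,
    0xC0000072: FailureCategory.ACCOUNT_DISABLED,
    0xC0000224: FailureCategory.OVERDUE_PASSWORD_CHANGE,     # password must change
    0xC0000234: FailureCategory.ACCOUNT_LOCKED_OUT,
}


def failure_category(status: Optional[str], sub_status: Optional[str]) -> FailureCategory:
    """SubStatus is more specific than Status, so it is consulted first."""
    for code in (sub_status, status):
        if code and int(code, 16) in NTSTATUS_TO_FAILURE:
            return NTSTATUS_TO_FAILURE[int(code, 16)]
    return FailureCategory.OTHER_ERROR if status else FailureCategory.UNKNOWN_FAILURE_CATEGORY


def normalize(ev: Dict[str, str]) -> Dict[str, object]:
    """Return only the schema fields whose source field exists (see the Note)."""
    rec: Dict[str, object] = {"auth_system": "Windows", "win_event_id": str(ev["EventID"])}
    renames = {"TargetUserName": "target_user_name", "TargetDomainName": "target_domain_name",
               "IpAddress": "source_address", "Status": "status", "SubStatus": "sub_status",
               "AuthenticationPackageName": "extra_authenticationpackagename"}
    for src, dst in renames.items():
        if src in ev:
            rec[dst] = ev[src]
    if "IpPort" in ev:                      # both the string and numeric port fields
        rec["source_port"], rec["source_port_number"] = ev["IpPort"], int(ev["IpPort"])
    if "LogonType" in ev:
        lt = int(ev["LogonType"])
        rec["logon_type"] = lt if lt in VALID_LOGON_TYPES else LOGON_TYPE_UNKNOWN
    if "TicketEncryptionType" in ev:        # hex etype as logged by Windows, e.g. 0x17
        etype = int(ev["TicketEncryptionType"], 16)
        rec["encryption_type"] = KERBEROS_ETYPE_TO_SCHEMA.get(etype, EncryptionType.ENCRYPTION_UNKNOWN)
    eid = int(ev["EventID"])
    if eid == 4624:                         # successful account logon
        rec.update(action=Action.LOGON, auth_category=AuthCategory.ACCOUNT_LOGON,
                   action_result=ActionResult.SUCCESS)
    elif eid == 4625:                       # failed account logon
        rec.update(action=Action.FAILURE, auth_category=AuthCategory.ACCOUNT_LOGON,
                   action_result=ActionResult.FAILED,
                   failure_category=failure_category(ev.get("Status"), ev.get("SubStatus")))
    elif eid == 4768:                       # Kerberos TGT request: a pre-authentication step
        ok = int(ev.get("Status", "0x0"), 16) == 0
        rec.update(action=Action.LOGON if ok else Action.FAILURE,
                   auth_category=AuthCategory.PRE_AUTHENTICATION,
                   action_result=ActionResult.SUCCESS if ok else ActionResult.FAILED)
    else:
        rec.update(action=Action.UNCLASSIFIED, auth_category=AuthCategory.UNKNOWN_AUTH_CATEGORY,
                   action_result=ActionResult.UNKNOWN_ACTION_RESULT)
    return rec


def weak_ticket_encryption(rec: Dict[str, object]) -> bool:
    """Detection check on the normalized record: RC4 or DES ticket encryption
    indicates legacy or downgraded Kerberos crypto and is worth reviewing."""
    return rec.get("encryption_type") in {EncryptionType.RC4_HMAC, EncryptionType.RC4_HMAC_EXP,
                                          EncryptionType.DES_CBC_CRC, EncryptionType.DES_CBC_MD5}


# Constructed sample events (not real telemetry), shaped like Windows Security event data.
CONSTRUCTED_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP", "LogonType": "10",
     "IpAddress": "10.0.0.5", "IpPort": "51234", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4625, "TargetUserName": "bob", "TargetDomainName": "CORP", "LogonType": "3",
     "IpAddress": "10.0.0.9", "IpPort": "445", "Status": "0xC000006D", "SubStatus": "0xC0000064"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "TargetDomainName": "CORP.EXAMPLE",
     "IpAddress": "::ffff:10.0.0.7", "TicketEncryptionType": "0x17", "Status": "0x0"},
]

if __name__ == "__main__":
    for ev in CONSTRUCTED_EVENTS:
        rec = normalize(ev)
        print(rec["win_event_id"], rec["action"].name, rec.get("failure_category"),
              "weak_etype" if weak_ticket_encryption(rec) else "")
```

The normalizer leaves `logon_type` unset on the 4768 record and `encryption_type` unset on the 4624/4625 records, which is exactly the behaviour the Note describes: those fields are absent from the original data, so they are neither populated nor searchable.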