From 18a58fc7973a599d32c081c04b86e416c247fe0f Mon Sep 17 00:00:00 2001 From: Kyle Bailey Date: Thu, 28 Jul 2022 13:33:34 -0500 Subject: [PATCH 01/21] Cleanup CODEOWNERS (#459) --- .github/CODEOWNERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 0bf65633d..64e827855 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -2,5 +2,5 @@ # Each line is a file pattern followed by one or more owners. # These owners will be the default owners for everything in the repo. -* @nhakmiller @lindsey-w @wey-chiang @kostaspap @bseb @k-bailey @panther-labs/detections -schemas/* @alxarch +* @nhakmiller @panther-labs/detections @panther-labs/security + From 3b552f5eaef702e577e3ff3338269442d4b7cf15 Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Thu, 28 Jul 2022 15:01:19 -0400 Subject: [PATCH 02/21] Slack Data Models & Alert Context Helper (#458) * Fixed 1Password Unusual Client MITRE ATT&CK mapping * Added Data Models for Slack logs * Added helper for slack alert context * Changed underscores to be dashes for the slack alert context * Added missing newlines --- data_models/slack_accesslogs_data_model.yml | 14 ++++++++++++++ data_models/slack_auditlogs_data_model.yml | 15 +++++++++++++++ data_models/slack_integrationlogs_data_model.yml | 10 ++++++++++ global_helpers/panther_base_helpers.py | 9 +++++++++ 4 files changed, 48 insertions(+) create mode 100644 data_models/slack_accesslogs_data_model.yml create mode 100644 data_models/slack_auditlogs_data_model.yml create mode 100644 data_models/slack_integrationlogs_data_model.yml diff --git a/data_models/slack_accesslogs_data_model.yml b/data_models/slack_accesslogs_data_model.yml new file mode 100644 index 000000000..0d8753902 --- /dev/null +++ b/data_models/slack_accesslogs_data_model.yml @@ -0,0 +1,14 @@ +AnalysisType: datamodel +LogTypes: + - Slack.AccessLogs +DataModelID: Standard.Slack.AccessLogs +DisplayName: Slack Access Logs +Enabled: true +Mappings: + - Name: source_ip + Path: ip + - Name: user_agent + Path: user_agent + - Name: actor_user + Path: username + diff --git a/data_models/slack_auditlogs_data_model.yml b/data_models/slack_auditlogs_data_model.yml new file mode 100644 index 000000000..0b638bb49 --- /dev/null +++ b/data_models/slack_auditlogs_data_model.yml @@ -0,0 +1,15 @@ +AnalysisType: datamodel +LogTypes: + - Slack.AuditLogs +DataModelID: Standard.Slack.AuditLogs +DisplayName: Slack Audit Logs +Enabled: true +Mappings: + - Name: actor_user + Path: $.actor.user.name + - Name: user_agent + Path: $.context.ua + - Name: source_ip + Path: $.context.ip_address + - Name: user + Path: $.entity.user.name diff --git a/data_models/slack_integrationlogs_data_model.yml b/data_models/slack_integrationlogs_data_model.yml new file mode 100644 index 000000000..49f2c8bda --- /dev/null +++ b/data_models/slack_integrationlogs_data_model.yml @@ -0,0 +1,10 @@ +AnalysisType: datamodel +LogTypes: + - Slack.IntegrationLogs +DataModelID: Standard.Slack.IntegrationLogs +DisplayName: Slack Integration Logs +Enabled: true +Mappings: + - Name: actor_user + Path: user_name + diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py index 14cdf429c..e8dd62b5d 100644 --- a/global_helpers/panther_base_helpers.py +++ b/global_helpers/panther_base_helpers.py @@ -221,6 +221,15 @@ def crowdstrike_detection_alert_context(event: dict): } +def slack_alert_context(event: dict): + return { + "actor-name": deep_get(event, "actor", "user", "name", default=""), + "actor-email": deep_get(event, "actor", "user", "email", default=""), + "actor-ip": deep_get(event, "context", "ip_address", default=""), + "user-agent": deep_get(event, "context", "ua", default="") + } + + def deep_get(dictionary: dict, *keys, default=None): """Safely return the value of an arbitrarily nested map From c6e6863aa0f4982babbe808648253b817c047d27 Mon Sep 17 00:00:00 2001 From: Daria Date: Fri, 29 Jul 2022 11:21:52 -0700 Subject: [PATCH 03/21] Add example lookup table and data file (#446) * Add example lookup table and data file * Update example_cidr_lookup_table.yml * Update example_cidr_lookup_content.csv --- templates/example_cidr_lookup_content.csv | 7 +++++++ templates/example_cidr_lookup_table.yml | 16 ++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 templates/example_cidr_lookup_content.csv create mode 100644 templates/example_cidr_lookup_table.yml diff --git a/templates/example_cidr_lookup_content.csv b/templates/example_cidr_lookup_content.csv new file mode 100644 index 000000000..5a6bb0d90 --- /dev/null +++ b/templates/example_cidr_lookup_content.csv @@ -0,0 +1,7 @@ +network,geoname_id +1.0.0.0/24,2077422 +1.0.1.0/24,1814991 +1.0.2.0/23,1814991 +1.0.4.0/22,2077456 +1.0.8.0/21,1814991 +1.0.16.0/20,1814991 diff --git a/templates/example_cidr_lookup_table.yml b/templates/example_cidr_lookup_table.yml new file mode 100644 index 000000000..d41d2d726 --- /dev/null +++ b/templates/example_cidr_lookup_table.yml @@ -0,0 +1,16 @@ +AnalysisType: lookup_table # always lookup_table +LookupName: simple_cidr_lookup # str +Enabled: true # bool +Description: Lookup table description # str (Optional) +FileName: ./relative/path/to/content.csv # str (Optional) +Reference: An optional reference link # str (Optional) +Schema: Custom.Simple.Cidr # str (should already exist) +LogTypeMap: + PrimaryKey: network # str + AssociatedLogTypes: # [...] + - LogType: Aws.CloudTrail # str + Selectors: # [str] + - 'p_any_ip_addresses' + - LogType: Aws.VPCFlow + Selectors: + - 'p_any_ip_addresses' From 91394021c192a91512c7e6d3e52d4713519f41ce Mon Sep 17 00:00:00 2001 From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com> Date: Tue, 2 Aug 2022 14:05:20 -0500 Subject: [PATCH 04/21] Update GSuite Alerts Rules with Rule Name (#440) * Update GSuite Alerts Rules Add the rule name to the Panther alert title to provide more context * Fix lint error R1705 and C0304 C0304: Final newline missing R1705: Unnecessary "else" after "return" * Fix Line too long issue * Fix Trailing whitespace issue Co-authored-by: Kyle Bailey --- .../gsuite_high_severity_rule.py | 6 ++++++ .../gsuite_high_severity_rule.yml | 21 +++++++++++++++++++ .../gsuite_low_severity_rule.py | 5 +++++ .../gsuite_low_severity_rule.yml | 21 +++++++++++++++++++ .../gsuite_medium_severity_rule.py | 6 ++++++ .../gsuite_medium_severity_rule.yml | 21 +++++++++++++++++++ 6 files changed, 80 insertions(+) diff --git a/gsuite_activityevent_rules/gsuite_high_severity_rule.py b/gsuite_activityevent_rules/gsuite_high_severity_rule.py index 0ae09221c..022f80ff4 100644 --- a/gsuite_activityevent_rules/gsuite_high_severity_rule.py +++ b/gsuite_activityevent_rules/gsuite_high_severity_rule.py @@ -12,3 +12,9 @@ def rule(event): ): return False return True + +def title(event): + if deep_get(event, "parameters", "rule_name"): + return "GSuite High Severity Rule Triggered : " + deep_get(event, "parameters", "rule_name") + + return "GSuite High Severity Rule Triggered" diff --git a/gsuite_activityevent_rules/gsuite_high_severity_rule.yml b/gsuite_activityevent_rules/gsuite_high_severity_rule.yml index a2cb060fb..a4add8eaa 100644 --- a/gsuite_activityevent_rules/gsuite_high_severity_rule.yml +++ b/gsuite_activityevent_rules/gsuite_high_severity_rule.yml @@ -73,3 +73,24 @@ Tests: ] }, } + - + Name: High Severity Rule with Rule Name + ExpectedResult: true + Log: + { + "id": { + "applicationName": "rules", + }, + "actor": { + "email": "some.user@somedomain.com" + }, + "parameters": { + "severity": "HIGH", + "rule_name": "CEO Impersonation", + "triggered_actions": [ + { + "action_type": "MAIL_MARK_AS_PHISHING" + } + ] + }, + } diff --git a/gsuite_activityevent_rules/gsuite_low_severity_rule.py b/gsuite_activityevent_rules/gsuite_low_severity_rule.py index bc0682194..c4869637d 100644 --- a/gsuite_activityevent_rules/gsuite_low_severity_rule.py +++ b/gsuite_activityevent_rules/gsuite_low_severity_rule.py @@ -12,3 +12,8 @@ def rule(event): ): return False return True + +def title(event): + if deep_get(event, "parameters", "rule_name"): + return "GSuite Low Severity Rule Triggered : " + deep_get(event, "parameters", "rule_name") + return "GSuite Low Severity Rule Triggered" diff --git a/gsuite_activityevent_rules/gsuite_low_severity_rule.yml b/gsuite_activityevent_rules/gsuite_low_severity_rule.yml index 0590934ee..fafddc80d 100644 --- a/gsuite_activityevent_rules/gsuite_low_severity_rule.yml +++ b/gsuite_activityevent_rules/gsuite_low_severity_rule.yml @@ -73,3 +73,24 @@ Tests: ] }, } + - + Name: Low Severity Rule with Rule Name + ExpectedResult: true + Log: + { + "id": { + "applicationName": "rules", + }, + "actor": { + "email": "some.user@somedomain.com" + }, + "parameters": { + "severity": "LOW", + "rule_name": "CEO Impersonation", + "triggered_actions": [ + { + "action_type": "MAIL_MARK_AS_PHISHING" + } + ] + }, + } \ No newline at end of file diff --git a/gsuite_activityevent_rules/gsuite_medium_severity_rule.py b/gsuite_activityevent_rules/gsuite_medium_severity_rule.py index 28a89bf35..1cf77742b 100644 --- a/gsuite_activityevent_rules/gsuite_medium_severity_rule.py +++ b/gsuite_activityevent_rules/gsuite_medium_severity_rule.py @@ -11,3 +11,9 @@ def rule(event): ): return False return True + +def title(event): + if deep_get(event, "parameters", "rule_name"): + return "GSuite Medium Severity Rule Triggered: " \ + + deep_get(event, "parameters", "rule_name") + return "GSuite Medium Severity Rule Triggered" diff --git a/gsuite_activityevent_rules/gsuite_medium_severity_rule.yml b/gsuite_activityevent_rules/gsuite_medium_severity_rule.yml index d77a517d2..fee9d7677 100644 --- a/gsuite_activityevent_rules/gsuite_medium_severity_rule.yml +++ b/gsuite_activityevent_rules/gsuite_medium_severity_rule.yml @@ -73,3 +73,24 @@ Tests: ] }, } + - + Name: Medium Severity Rule with Rule Name + ExpectedResult: true + Log: + { + "id": { + "applicationName": "rules", + }, + "actor": { + "email": "some.user@somedomain.com" + }, + "parameters": { + "severity": "MEDIUM", + "rule_name": "CEO Impersonation", + "triggered_actions": [ + { + "action_type": "MAIL_MARK_AS_PHISHING" + } + ] + }, + } \ No newline at end of file From 22a82487abc22b03096e428c51afaaa2869c4d6d Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Tue, 2 Aug 2022 15:17:29 -0400 Subject: [PATCH 05/21] Slack Detections - Workspace/Org (#460) * Fixed 1Password Unusual Client MITRE ATT&CK mapping * Added Data Models for Slack logs * Initial commit of Slack Workspace/Org rules * Removed trailing newline * Revert newline deletions * Anonymized IPs * Apply suggestions from code review --- slack_rules/slack_application_dos.py | 56 ++++++ slack_rules/slack_application_dos.yml | 85 ++++++++++ slack_rules/slack_dlp_modified.py | 28 +++ slack_rules/slack_dlp_modified.yml | 109 ++++++++++++ slack_rules/slack_idp_configuration_change.py | 21 +++ .../slack_idp_configuration_change.yml | 137 +++++++++++++++ .../slack_information_barrier_modified.py | 20 +++ .../slack_information_barrier_modified.yml | 108 ++++++++++++ slack_rules/slack_intune_mdm_disabled.py | 9 + slack_rules/slack_intune_mdm_disabled.yml | 81 +++++++++ .../slack_legal_hold_policy_modified.py | 26 +++ .../slack_legal_hold_policy_modified.yml | 159 ++++++++++++++++++ slack_rules/slack_mfa_settings_changed.py | 9 + slack_rules/slack_mfa_settings_changed.yml | 81 +++++++++ slack_rules/slack_org_created.py | 9 + slack_rules/slack_org_created.yml | 70 ++++++++ slack_rules/slack_org_deleted.py | 9 + slack_rules/slack_org_deleted.yml | 70 ++++++++ slack_rules/slack_sso_settings_changed.py | 10 ++ slack_rules/slack_sso_settings_changed.yml | 81 +++++++++ 20 files changed, 1178 insertions(+) create mode 100644 slack_rules/slack_application_dos.py create mode 100644 slack_rules/slack_application_dos.yml create mode 100644 slack_rules/slack_dlp_modified.py create mode 100644 slack_rules/slack_dlp_modified.yml create mode 100644 slack_rules/slack_idp_configuration_change.py create mode 100644 slack_rules/slack_idp_configuration_change.yml create mode 100644 slack_rules/slack_information_barrier_modified.py create mode 100644 slack_rules/slack_information_barrier_modified.yml create mode 100644 slack_rules/slack_intune_mdm_disabled.py create mode 100644 slack_rules/slack_intune_mdm_disabled.yml create mode 100644 slack_rules/slack_legal_hold_policy_modified.py create mode 100644 slack_rules/slack_legal_hold_policy_modified.yml create mode 100644 slack_rules/slack_mfa_settings_changed.py create mode 100644 slack_rules/slack_mfa_settings_changed.yml create mode 100644 slack_rules/slack_org_created.py create mode 100644 slack_rules/slack_org_created.yml create mode 100644 slack_rules/slack_org_deleted.py create mode 100644 slack_rules/slack_org_deleted.yml create mode 100644 slack_rules/slack_sso_settings_changed.py create mode 100644 slack_rules/slack_sso_settings_changed.yml diff --git a/slack_rules/slack_application_dos.py b/slack_rules/slack_application_dos.py new file mode 100644 index 000000000..5af5ff049 --- /dev/null +++ b/slack_rules/slack_application_dos.py @@ -0,0 +1,56 @@ +from datetime import datetime, timedelta +from json import dumps + +from panther_base_helpers import deep_get, slack_alert_context +from panther_oss_helpers import get_string_set, put_string_set, set_key_expiration + +DENIAL_OF_SERVICE_ACTIONS = [ + "bulk_session_reset_by_admin", + "user_session_invalidated", + "user_session_reset_by_admin", +] + + +def rule(event): + # Only evaluate actions that could be used for a DoS + if event.get("action") not in DENIAL_OF_SERVICE_ACTIONS: + return False + + # Generate a unique cache key for each user + user_key = gen_key(event) + + # Retrieve prior entries from the cache, if any + last_reset = get_string_set(user_key) + + # Store the reset info for future use + store_reset_info(user_key, event) + + # If this is the first reset for the user, don't alert + if not last_reset: + return False + + return True + + +def alert_context(event): + return slack_alert_context(event) + + +def gen_key(event): + return f"Slack.AuditLogs.ApplicationDoS{deep_get(event, 'entity', 'user', 'name')}" + + +def store_reset_info(key, event): + # Map the user to the most recent reset + put_string_set( + key, + [ + dumps( + { + "time": event.get("p_event_time"), + } + ) + ], + ) + # Expire the entry after 24 hours + set_key_expiration(key, str((datetime.now() + timedelta(days=1)).timestamp())) diff --git a/slack_rules/slack_application_dos.yml b/slack_rules/slack_application_dos.yml new file mode 100644 index 000000000..4bbe6698f --- /dev/null +++ b/slack_rules/slack_application_dos.yml @@ -0,0 +1,85 @@ +AnalysisType: rule +Filename: slack_application_dos.py +RuleID: Slack.AuditLogs.ApplicationDoS +DisplayName: Slack Denial of Service +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Critical +Description: Detects when slack admin invalidates user session(s) more than once in a 24 hour period which can lead to DoS +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 60 +SummaryAttributes: + - action + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: User Session Reset - First time + ExpectedResult: false + Mocks: + - objectName: get_string_set + returnValue: "" + - objectName: put_string_set + returnValue: "" + - objectName: set_key_expiration + returnValue: "" + Log: + { + "action": "user_session_reset_by_admin", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Session Reset - Multiple Times + ExpectedResult: true + Mocks: + - objectName: get_string_set + returnValue: "{\"time\":\"2021-06-08 22:24:43\"}" + - objectName: put_string_set + returnValue: "" + - objectName: set_key_expiration + returnValue: "" + Log: + { + "action": "user_session_reset_by_admin", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } diff --git a/slack_rules/slack_dlp_modified.py b/slack_rules/slack_dlp_modified.py new file mode 100644 index 000000000..f277a149f --- /dev/null +++ b/slack_rules/slack_dlp_modified.py @@ -0,0 +1,28 @@ +from panther_base_helpers import slack_alert_context + +DLP_ACTIONS = [ + "native_dlp_rule_deactivated", + "native_dlp_violation_deleted", +] + + +def rule(event): + return event.get("action") in DLP_ACTIONS + + +def title(event): + if event.get("action") == "native_dlp_rule_deactivated": + return "Slack DLP Rule Deactivated" + return "Slack DLP Violation Deleted" + + +# DLP violations can be removed by security engineers in the case of FPs +# We still want to alert on these, however those should not constitute a High severity +def severity(event): + if event.get("action") == "native_dlp_violation_deleted": + return "Medium" + return "High" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_dlp_modified.yml b/slack_rules/slack_dlp_modified.yml new file mode 100644 index 000000000..167e7aef5 --- /dev/null +++ b/slack_rules/slack_dlp_modified.yml @@ -0,0 +1,109 @@ +AnalysisType: rule +Filename: slack_dlp_modified.py +RuleID: Slack.AuditLogs.DLPModified +DisplayName: Slack DLP Modified +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: > + Detects when a Data Loss Prevention (DLP) rule has been deactivated or a violation has been deleted +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - action + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Native DLP Rule Deactivated + ExpectedResult: true + Log: + { + "action": "native_dlp_rule_deactivated", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Native DLP Violation Deleted + ExpectedResult: true + Log: + { + "action": "native_dlp_violation_deleted", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_idp_configuration_change.py b/slack_rules/slack_idp_configuration_change.py new file mode 100644 index 000000000..5ebc6a039 --- /dev/null +++ b/slack_rules/slack_idp_configuration_change.py @@ -0,0 +1,21 @@ +from panther_base_helpers import slack_alert_context + +IDP_CHANGE_ACTIONS ={ + "idp_configuration_added": "Slack IDP Configuration Added", + "idp_configuration_deleted": "Slack IDP Configuration Deleted", + "idp_prod_configuration_updated": "Slack IDP Configuration Updated", +} + + +def rule(event): + return event.get("action") in IDP_CHANGE_ACTIONS + + +def title(event): + if event.get("action") in IDP_CHANGE_ACTIONS: + return IDP_CHANGE_ACTIONS.get(event.get("action")) + return "Slack IDP Configuration Changed" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_idp_configuration_change.yml b/slack_rules/slack_idp_configuration_change.yml new file mode 100644 index 000000000..e3c97ba89 --- /dev/null +++ b/slack_rules/slack_idp_configuration_change.yml @@ -0,0 +1,137 @@ +AnalysisType: rule +Filename: slack_idp_configuration_change.py +RuleID: Slack.AuditLogs.IDPConfigurationChanged +DisplayName: Slack IDP Configuration Changed +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: Detects changes to the identity provider (IdP) configuration for Slack organizations. +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - action + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: IDP Configuration Added + ExpectedResult: true + Log: + { + "action": "idp_configuration_added", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 16:48:14" + } + - + Name: IDP Configuration Deleted + ExpectedResult: true + Log: + { + "action": "idp_configuration_deleted", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 16:48:14" + } + - + Name: IDP Configuration Updated + ExpectedResult: true + Log: + { + "action": "idp_prod_configuration_updated", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 16:48:14" + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_information_barrier_modified.py b/slack_rules/slack_information_barrier_modified.py new file mode 100644 index 000000000..ee1a45a77 --- /dev/null +++ b/slack_rules/slack_information_barrier_modified.py @@ -0,0 +1,20 @@ +from panther_base_helpers import slack_alert_context + +INFORMATION_BARRIER_ACTIONS = { + "barrier_deleted": "Slack Information Barrier Deleted", + "barrier_updated": "Slack Information Barrier Updated", +} + + +def rule(event): + return event.get("action") in INFORMATION_BARRIER_ACTIONS + + +def title(event): + if event.get("action") in INFORMATION_BARRIER_ACTIONS: + return INFORMATION_BARRIER_ACTIONS.get(event.get("action")) + return "Slack Information Barrier Modified" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_information_barrier_modified.yml b/slack_rules/slack_information_barrier_modified.yml new file mode 100644 index 000000000..dfc24f3e6 --- /dev/null +++ b/slack_rules/slack_information_barrier_modified.yml @@ -0,0 +1,108 @@ +AnalysisType: rule +Filename: slack_information_barrier_modified.py +RuleID: Slack.AuditLogs.InformationBarrierModified +DisplayName: Slack Information Barrier Modified +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Medium +Description: Detects when a Slack information barrier is deleted/updated +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - action + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Information Barrier Deleted + ExpectedResult: true + Log: + { + "action": "barrier_deleted", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Information Barrier Updated + ExpectedResult: true + Log: + { + "action": "barrier_updated", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_intune_mdm_disabled.py b/slack_rules/slack_intune_mdm_disabled.py new file mode 100644 index 000000000..ed6187d13 --- /dev/null +++ b/slack_rules/slack_intune_mdm_disabled.py @@ -0,0 +1,9 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + return event.get("action") == "intune_disabled" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_intune_mdm_disabled.yml b/slack_rules/slack_intune_mdm_disabled.yml new file mode 100644 index 000000000..9c38e84c3 --- /dev/null +++ b/slack_rules/slack_intune_mdm_disabled.yml @@ -0,0 +1,81 @@ +AnalysisType: rule +Filename: slack_intune_mdm_disabled.py +RuleID: Slack.AuditLogs.IntuneMDMDisabled +DisplayName: Slack Intune MDM Disabled +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Critical +Description: Detects the disabling of Microsoft Intune Enterprise MDM within Slack +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Intune Disabled + ExpectedResult: true + Log: + { + "action": "intune_disabled", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_legal_hold_policy_modified.py b/slack_rules/slack_legal_hold_policy_modified.py new file mode 100644 index 000000000..91fe849b7 --- /dev/null +++ b/slack_rules/slack_legal_hold_policy_modified.py @@ -0,0 +1,26 @@ +from panther_base_helpers import deep_get, slack_alert_context + +LEGAL_HOLD_POLICY_ACTIONS = { + "legal_hold_policy_entities_deleted": "Slack Legal Hold Policy Entities Deleted", + "legal_hold_policy_exclusion_added": "Slack Exclusions Added to Legal Hold Policy", + "legal_hold_policy_released": "Slack Legal Hold Released", + "legal_hold_policy_updated": "Slack Legal Hold Updated", +} + + +def rule(event): + return event.get("action") in LEGAL_HOLD_POLICY_ACTIONS + + +def title(event): + # Only the `legal_hold_policy_updated` event includes relevant data to deduplicate + if event.get("action") == "legal_hold_policy_updated": + return f"Slack Legal Hold Updated " \ + f"[{deep_get(event, 'details', 'old_legal_hold_policy', 'name')}]" + if event.get("action") in LEGAL_HOLD_POLICY_ACTIONS: + return LEGAL_HOLD_POLICY_ACTIONS.get(event.get("action")) + return "Slack Legal Hold Policy Modified" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_legal_hold_policy_modified.yml b/slack_rules/slack_legal_hold_policy_modified.yml new file mode 100644 index 000000000..04af5d518 --- /dev/null +++ b/slack_rules/slack_legal_hold_policy_modified.yml @@ -0,0 +1,159 @@ +AnalysisType: rule +Filename: slack_legal_hold_policy_modified.py +RuleID: Slack.AuditLogs.LegalHoldPolicyModified +DisplayName: Slack Legal Hold Policy Modified +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: Detects changes to configured legal hold policies +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Legal Hold - Entities Deleted + ExpectedResult: true + Log: + { + "action": "legal_hold_policy_entities_deleted", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Legal Hold - Exclusions Added + ExpectedResult: true + Log: + { + "action": "legal_hold_policy_exclusion_added", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Legal Hold - Policy Released + ExpectedResult: true + Log: + { + "action": "legal_hold_policy_released", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Legal Hold - Policy Updated + ExpectedResult: true + Log: + { + "action": "legal_hold_policy_updated", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_mfa_settings_changed.py b/slack_rules/slack_mfa_settings_changed.py new file mode 100644 index 000000000..a96b813a9 --- /dev/null +++ b/slack_rules/slack_mfa_settings_changed.py @@ -0,0 +1,9 @@ +from panther_base_helpers import slack_alert_context + +def rule(event): + return event.get("action") == "pref.two_factor_auth_changed" + + +def alert_context(event): + # TODO: Add details to context + return slack_alert_context(event) diff --git a/slack_rules/slack_mfa_settings_changed.yml b/slack_rules/slack_mfa_settings_changed.yml new file mode 100644 index 000000000..9c0830779 --- /dev/null +++ b/slack_rules/slack_mfa_settings_changed.yml @@ -0,0 +1,81 @@ +AnalysisType: rule +Filename: slack_mfa_settings_changed.py +RuleID: Slack.AuditLogs.MFASettingsChanged +DisplayName: Slack MFA Settings Changed +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: Detects changes to Multi-Factor Authentication requirements +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: MFA Auth Changed + ExpectedResult: true + Log: + { + "action": "pref.two_factor_auth_changed", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_org_created.py b/slack_rules/slack_org_created.py new file mode 100644 index 000000000..4dff39c6b --- /dev/null +++ b/slack_rules/slack_org_created.py @@ -0,0 +1,9 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + return event.get("action") == "organization_created" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_org_created.yml b/slack_rules/slack_org_created.yml new file mode 100644 index 000000000..beadd703a --- /dev/null +++ b/slack_rules/slack_org_created.yml @@ -0,0 +1,70 @@ +AnalysisType: rule +Filename: slack_org_created.py +RuleID: Slack.AuditLogs.OrgCreated +DisplayName: Slack Organization Created +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Low +Description: Detects when a Slack organization is created +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Organization Created + ExpectedResult: true + Log: + { + "action": "organization_created", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Organization Deleted + ExpectedResult: false + Log: + { + "action": "organization_deleted", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } diff --git a/slack_rules/slack_org_deleted.py b/slack_rules/slack_org_deleted.py new file mode 100644 index 000000000..ba6557b94 --- /dev/null +++ b/slack_rules/slack_org_deleted.py @@ -0,0 +1,9 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + return event.get("action") == "organization_deleted" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_org_deleted.yml b/slack_rules/slack_org_deleted.yml new file mode 100644 index 000000000..64fdd27fd --- /dev/null +++ b/slack_rules/slack_org_deleted.yml @@ -0,0 +1,70 @@ +AnalysisType: rule +Filename: slack_org_deleted.py +RuleID: Slack.AuditLogs.OrgDeleted +DisplayName: Slack Organization Deleted +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Medium +Description: Detects when a Slack organization is deleted +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Organization Deleted + ExpectedResult: true + Log: + { + "action": "organization_deleted", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Organization Created + ExpectedResult: false + Log: + { + "action": "organization_created", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } diff --git a/slack_rules/slack_sso_settings_changed.py b/slack_rules/slack_sso_settings_changed.py new file mode 100644 index 000000000..fe2eb4236 --- /dev/null +++ b/slack_rules/slack_sso_settings_changed.py @@ -0,0 +1,10 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + return event.get("action") == "pref.sso_setting_changed" + + +def alert_context(event): + # TODO: Add details to context + return slack_alert_context(event) diff --git a/slack_rules/slack_sso_settings_changed.yml b/slack_rules/slack_sso_settings_changed.yml new file mode 100644 index 000000000..ba40838f6 --- /dev/null +++ b/slack_rules/slack_sso_settings_changed.yml @@ -0,0 +1,81 @@ +AnalysisType: rule +Filename: slack_sso_settings_changed.py +RuleID: Slack.AuditLogs.SSOSettingsChanged +DisplayName: Slack SSO Settings Changed +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: Detects changes to Single Sign On (SSO) restrictions +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: SSO Setting Changed + ExpectedResult: true + Log: + { + "action": "pref.sso_setting_changed", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } From aad1873d90d4dab7c6ffbc6362ad4756050c678e Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Tue, 2 Aug 2022 15:18:27 -0400 Subject: [PATCH 06/21] Slack Detections - Channel (#461) * Initial commit of Slack Channel detections * Anonymized IPs --- .../slack_private_channel_made_public.py | 9 +++ .../slack_private_channel_made_public.yml | 81 +++++++++++++++++++ .../slack_service_owner_transferred.py | 9 +++ .../slack_service_owner_transferred.yml | 81 +++++++++++++++++++ 4 files changed, 180 insertions(+) create mode 100644 slack_rules/slack_private_channel_made_public.py create mode 100644 slack_rules/slack_private_channel_made_public.yml create mode 100644 slack_rules/slack_service_owner_transferred.py create mode 100644 slack_rules/slack_service_owner_transferred.yml diff --git a/slack_rules/slack_private_channel_made_public.py b/slack_rules/slack_private_channel_made_public.py new file mode 100644 index 000000000..02796c3d7 --- /dev/null +++ b/slack_rules/slack_private_channel_made_public.py @@ -0,0 +1,9 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + return event.get("action") == "private_channel_converted_to_public" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_private_channel_made_public.yml b/slack_rules/slack_private_channel_made_public.yml new file mode 100644 index 000000000..75e2bfef3 --- /dev/null +++ b/slack_rules/slack_private_channel_made_public.yml @@ -0,0 +1,81 @@ +AnalysisType: rule +Filename: slack_private_channel_made_public.py +RuleID: Slack.AuditLogs.PrivateChannelMadePublic +DisplayName: Slack Private Channel Made Public +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: Detects when a channel that was previously private is made public +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Private Channel Made Public + ExpectedResult: true + Log: + { + "action": "private_channel_converted_to_public", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_service_owner_transferred.py b/slack_rules/slack_service_owner_transferred.py new file mode 100644 index 000000000..08ca6e875 --- /dev/null +++ b/slack_rules/slack_service_owner_transferred.py @@ -0,0 +1,9 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + return event.get("action") == "service_owner_transferred" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_service_owner_transferred.yml b/slack_rules/slack_service_owner_transferred.yml new file mode 100644 index 000000000..9c1b5e502 --- /dev/null +++ b/slack_rules/slack_service_owner_transferred.yml @@ -0,0 +1,81 @@ +AnalysisType: rule +Filename: slack_service_owner_transferred.py +RuleID: Slack.AuditLogs.ServiceOwnerTransferred +DisplayName: Slack Service Owner Transferred +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Critical +Description: Detects transferring of service owner on request from primary owner +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Service Owner Transferred + ExpectedResult: true + Log: + { + "action": "service_owner_transferred", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } From 2a05930feedc289eb70d7bc88c68bbf32db72c9b Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Wed, 3 Aug 2022 18:12:06 -0400 Subject: [PATCH 07/21] Initial Commit - Slack Detections - File (#465) --- ...slack_potentially_malicious_file_shared.py | 9 +++ ...lack_potentially_malicious_file_shared.yml | 80 +++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 slack_rules/slack_potentially_malicious_file_shared.py create mode 100644 slack_rules/slack_potentially_malicious_file_shared.yml diff --git a/slack_rules/slack_potentially_malicious_file_shared.py b/slack_rules/slack_potentially_malicious_file_shared.py new file mode 100644 index 000000000..5e80e9df4 --- /dev/null +++ b/slack_rules/slack_potentially_malicious_file_shared.py @@ -0,0 +1,9 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + return event.get("action") == "file_malicious_content_detected" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_potentially_malicious_file_shared.yml b/slack_rules/slack_potentially_malicious_file_shared.yml new file mode 100644 index 000000000..c3f16fffa --- /dev/null +++ b/slack_rules/slack_potentially_malicious_file_shared.yml @@ -0,0 +1,80 @@ +AnalysisType: rule +Filename: slack_potentially_malicious_file_shared.py +RuleID: Slack.AuditLogs.PotentiallyMaliciousFileShared +DisplayName: Slack Potentially Malicious File Shared +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Critical +Description: Detects when a Slack App has had its permission scopes expanded +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Malicious Content Detected + ExpectedResult: true + Log: + { + "action": "file_malicious_content_detected", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } From a3b6cfbaa365df8ef62793bf0b2edf88635ea7ad Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Wed, 3 Aug 2022 18:47:42 -0400 Subject: [PATCH 08/21] Slack Detections - App (#462) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Initial commit for Slack Detections - App * Anonymized IPs * Added example for scope change in the Slack.AuditLogs.AppAccessExpanded detection Co-authored-by: Ed⁦ --- slack_rules/slack_app_access_expanded.py | 46 +++++ slack_rules/slack_app_access_expanded.yml | 235 ++++++++++++++++++++++ slack_rules/slack_app_added.py | 39 ++++ slack_rules/slack_app_added.yml | 184 +++++++++++++++++ slack_rules/slack_app_removed.py | 20 ++ slack_rules/slack_app_removed.yml | 184 +++++++++++++++++ 6 files changed, 708 insertions(+) create mode 100644 slack_rules/slack_app_access_expanded.py create mode 100644 slack_rules/slack_app_access_expanded.yml create mode 100644 slack_rules/slack_app_added.py create mode 100644 slack_rules/slack_app_added.yml create mode 100644 slack_rules/slack_app_removed.py create mode 100644 slack_rules/slack_app_removed.yml diff --git a/slack_rules/slack_app_access_expanded.py b/slack_rules/slack_app_access_expanded.py new file mode 100644 index 000000000..81e178070 --- /dev/null +++ b/slack_rules/slack_app_access_expanded.py @@ -0,0 +1,46 @@ +from panther_base_helpers import deep_get, slack_alert_context + +ACCESS_EXPANDED_ACTIONS = [ + "app_scopes_expanded", + "app_resources_added", + "app_resources_granted", + "bot_token_upgraded", +] + + +def rule(event): + return event.get("action") in ACCESS_EXPANDED_ACTIONS + + +def title(event): + return f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] " \ + f"Access Expanded by [{deep_get(event, 'actor', 'user', 'name')}]" + + +def alert_context(event): + context = slack_alert_context(event) + + # Diff previous and new scopes + new_scopes = deep_get(event, "details", "new_scopes", default=[]) + prv_scopes = deep_get(event, "details", "previous_scopes", default=[]) + + context["scopes_added"] = [x for x in new_scopes if x not in prv_scopes] + context["scoped_removed"] = [x for x in prv_scopes if x not in new_scopes] + + return context + + +def severity(event): + # Used to escalate to High/Critical if the app is granted admin privileges + # May want to escalate to "Critical" depending on security posture + if "admin" in deep_get(event, "entity", "app", "scopes", default=[]): + return "High" + + # Fallback method in case the admin scope is not directly mentioned in entity for whatever + if "admin" in deep_get(event, "details", "new_scope", default=[]): + return "High" + + if "admin" in deep_get(event, "details", "bot_scopes", default=[]): + return "High" + + return "Medium" diff --git a/slack_rules/slack_app_access_expanded.yml b/slack_rules/slack_app_access_expanded.yml new file mode 100644 index 000000000..fe38ea0a2 --- /dev/null +++ b/slack_rules/slack_app_access_expanded.yml @@ -0,0 +1,235 @@ +AnalysisType: rule +Filename: slack_app_access_expanded.py +RuleID: Slack.AuditLogs.AppAccessExpanded +DisplayName: Slack App Access Expanded +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Medium +Description: Detects when a Slack App has had its permission scopes expanded +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - action + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: App Scopes Expanded + ExpectedResult: true + Log: + { + "action": "app_scopes_expanded", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 16:48:14", + "details": { + "granular_bot_token": true, + "is_internal_integration": false, + "is_token_rotation_enabled_app": false, + "new_scopes": [ + "app_mentions:read", + "channels:join", + "channels:read", + "chat:write", + "chat:write.public", + "team:read", + "users:read", + "im:history", + "groups:read", + "reactions:write", + "groups:history", + "channels:history" + ], + "previous_scopes": [ + "app_mentions:read", + "commands", + "channels:join", + "channels:read", + "chat:write", + "chat:write.public", + "users:read", + "groups:read", + "reactions:write", + "groups:history", + "channels:history" + ] + }, + "entity": { + "type": "workspace", + "workspace": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1" + } + }, + "id": "9d9b76ce-47bb-4838-a96a-1b5fd4d1b564" + } + - + Name: App Resources Added + ExpectedResult: true + Log: + { + "action": "app_resources_added", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "entity": { + "type": "workspace", + "workspace": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } + - + Name: App Resources Granted + ExpectedResult: true + Log: + { + "action": "app_resources_granted", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 16:48:14", + "details": { + "export_end_ts": "2022-07-28 09:48:12", + "export_start_ts": "2022-07-27 09:48:12", + "export_type": "STANDARD" + }, + "entity": { + "type": "workspace", + "workspace": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1" + } + }, + "id": "9d9b76ce-47bb-4838-a96a-1b5fd4d1b564" + } + - + Name: Bot Token Upgraded + ExpectedResult: true + Log: + { + "action": "bot_token_upgraded", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "entity": { + "type": "workspace", + "workspace": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_app_added.py b/slack_rules/slack_app_added.py new file mode 100644 index 000000000..b2418ecd3 --- /dev/null +++ b/slack_rules/slack_app_added.py @@ -0,0 +1,39 @@ +from panther_base_helpers import deep_get, slack_alert_context + +APP_ADDED_ACTIONS = [ + "app_approved", + "app_installed", + "org_app_workspace_added", +] + + +def rule(event): + return event.get("action") in APP_ADDED_ACTIONS + + +def title(event): + return f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] " \ + f"Added by [{deep_get(event, 'actor', 'user', 'name')}]" + + +def alert_context(event): + context = slack_alert_context(event) + context["scopes"] = deep_get(event, "entity", "scopes") + + return context + + +def severity(event): + # Used to escalate to High/Critical if the app is granted admin privileges + # May want to escalate to "Critical" depending on security posture + if "admin" in deep_get(event, "entity", "app", "scopes"): + return "High" + + # Fallback method in case the admin scope is not directly mentioned in entity for whatever + if "admin" in deep_get(event, "details", "new_scope"): + return "High" + + if "admin" in deep_get(event, "details", "bot_scopes"): + return "High" + + return "Medium" diff --git a/slack_rules/slack_app_added.yml b/slack_rules/slack_app_added.yml new file mode 100644 index 000000000..9b748e55b --- /dev/null +++ b/slack_rules/slack_app_added.yml @@ -0,0 +1,184 @@ +AnalysisType: rule +Filename: slack_app_added.py +RuleID: Slack.AuditLogs.AppAdded +DisplayName: Slack App Added +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Medium +Description: Detects when a Slack App has been added to a workspace +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: App Approved + ExpectedResult: true + Log: + { + "action": "app_installed", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "E012MH3HS94" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-panther-1", + "id": "T01770N79GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Go-http-client/2.0" + }, + "date_create": "2021-06-08 22:16:15", + "details": { + "app_owner_id": "W012J3AEWAU", + "is_internal_integration": true + }, + "entity": { + "app": { + "id": "A012F34BFEF", + "is_directory_approved": false, + "is_distributed": false, + "name": "app-name", + "scopes": [ + "admin" + ] + }, + "type": "app" + } + } + - + Name: App Installed + ExpectedResult: true + Log: + { + "action": "app_installed", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "E012MH3HS94" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-panther-1", + "id": "T01770N79GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Go-http-client/2.0" + }, + "date_create": "2021-06-08 22:16:15", + "details": { + "app_owner_id": "W012J3AEWAU", + "is_internal_integration": true + }, + "entity": { + "app": { + "id": "A012F34BFEF", + "is_directory_approved": false, + "is_distributed": false, + "name": "app-name", + "scopes": [ + "admin" + ] + }, + "type": "app" + } + } + - + Name: App added to workspace + ExpectedResult: true + Log: + { + "action": "app_installed", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "E012MH3HS94" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-panther-1", + "id": "T01770N79GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Go-http-client/2.0" + }, + "date_create": "2021-06-08 22:16:15", + "details": { + "app_owner_id": "W012J3AEWAU", + "is_internal_integration": true + }, + "entity": { + "app": { + "id": "A012F34BFEF", + "is_directory_approved": false, + "is_distributed": false, + "name": "app-name", + "scopes": [ + "admin" + ] + }, + "type": "app" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_app_removed.py b/slack_rules/slack_app_removed.py new file mode 100644 index 000000000..19aaa7521 --- /dev/null +++ b/slack_rules/slack_app_removed.py @@ -0,0 +1,20 @@ +from panther_base_helpers import deep_get, slack_alert_context + +APP_REMOVED_ACTIONS = [ + "app_restricted", + "app_uninstalled", + "org_app_workspace_removed", +] + + +def rule(event): + return event.get("action") in APP_REMOVED_ACTIONS + + +def title(event): + return f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] " \ + f"Removed by [{deep_get(event, 'actor', 'user', 'name')}]" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_app_removed.yml b/slack_rules/slack_app_removed.yml new file mode 100644 index 000000000..d324c468e --- /dev/null +++ b/slack_rules/slack_app_removed.yml @@ -0,0 +1,184 @@ +AnalysisType: rule +Filename: slack_app_removed.py +RuleID: Slack.AuditLogs.AppRemoved +DisplayName: Slack App Access Expanded +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Medium +Description: Detects when a Slack App has been removed +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: App Restricted + ExpectedResult: true + Log: + { + "action": "app_restricted", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "E012MH3HS94" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-panther-1", + "id": "T01770N79GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Go-http-client/2.0" + }, + "date_create": "2021-06-08 22:16:15", + "details": { + "app_owner_id": "W012J3AEWAU", + "is_internal_integration": true + }, + "entity": { + "app": { + "id": "A012F34BFEF", + "is_directory_approved": false, + "is_distributed": false, + "name": "app-name", + "scopes": [ + "admin" + ] + }, + "type": "app" + } + } + - + Name: App Uninstalled + ExpectedResult: true + Log: + { + "action": "app_uninstalled", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "E012MH3HS94" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-panther-1", + "id": "T01770N79GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Go-http-client/2.0" + }, + "date_create": "2021-06-08 22:16:15", + "details": { + "app_owner_id": "W012J3AEWAU", + "is_internal_integration": true + }, + "entity": { + "app": { + "id": "A012F34BFEF", + "is_directory_approved": false, + "is_distributed": false, + "name": "app-name", + "scopes": [ + "admin" + ] + }, + "type": "app" + } + } + - + Name: App removed from workspace + ExpectedResult: true + Log: + { + "action": "org_app_workspace_removed", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "E012MH3HS94" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-panther-1", + "id": "T01770N79GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Go-http-client/2.0" + }, + "date_create": "2021-06-08 22:16:15", + "details": { + "app_owner_id": "W012J3AEWAU", + "is_internal_integration": true + }, + "entity": { + "app": { + "id": "A012F34BFEF", + "is_directory_approved": false, + "is_distributed": false, + "name": "app-name", + "scopes": [ + "admin" + ] + }, + "type": "app" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } From d89befa0195b5540c1b2e6b643db37713b964bac Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Wed, 3 Aug 2022 18:48:52 -0400 Subject: [PATCH 09/21] Slack Detections - EKM (#463) * Initial commit - Slack EKM * Anonymized IPs * Fixed wording for descritpion on Slack.AuditLogs.EKMSlackbotUnenrolled --- slack_rules/slack_ekm_config_changed.py | 11 +++ slack_rules/slack_ekm_config_changed.yml | 81 +++++++++++++++++++ slack_rules/slack_ekm_slackbot_unenrolled.py | 10 +++ slack_rules/slack_ekm_slackbot_unenrolled.yml | 81 +++++++++++++++++++ slack_rules/slack_ekm_unenrolled.py | 10 +++ slack_rules/slack_ekm_unenrolled.yml | 81 +++++++++++++++++++ 6 files changed, 274 insertions(+) create mode 100644 slack_rules/slack_ekm_config_changed.py create mode 100644 slack_rules/slack_ekm_config_changed.yml create mode 100644 slack_rules/slack_ekm_slackbot_unenrolled.py create mode 100644 slack_rules/slack_ekm_slackbot_unenrolled.yml create mode 100644 slack_rules/slack_ekm_unenrolled.py create mode 100644 slack_rules/slack_ekm_unenrolled.yml diff --git a/slack_rules/slack_ekm_config_changed.py b/slack_rules/slack_ekm_config_changed.py new file mode 100644 index 000000000..996f245b3 --- /dev/null +++ b/slack_rules/slack_ekm_config_changed.py @@ -0,0 +1,11 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + # Only alert on the `ekm_logging_config_set` action + return event.get("action") == "ekm_logging_config_set" + + +def alert_context(event): + # TODO: Add details to the context + return slack_alert_context(event) diff --git a/slack_rules/slack_ekm_config_changed.yml b/slack_rules/slack_ekm_config_changed.yml new file mode 100644 index 000000000..e230bdf4c --- /dev/null +++ b/slack_rules/slack_ekm_config_changed.yml @@ -0,0 +1,81 @@ +AnalysisType: rule +Filename: slack_ekm_config_changed.py +RuleID: Slack.AuditLogs.EKMConfigChanged +DisplayName: Slack EKM Config Changed +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: Detects when the logging settings for a workspace's EKM configuration has changed +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: EKM Config Changed + ExpectedResult: true + Log: + { + "action": "ekm_logging_config_set", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_ekm_slackbot_unenrolled.py b/slack_rules/slack_ekm_slackbot_unenrolled.py new file mode 100644 index 000000000..71459da86 --- /dev/null +++ b/slack_rules/slack_ekm_slackbot_unenrolled.py @@ -0,0 +1,10 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + # Only alert on the `ekm_slackbot_unenroll_notification_sent` action + return event.get("action") == "ekm_slackbot_unenroll_notification_sent" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_ekm_slackbot_unenrolled.yml b/slack_rules/slack_ekm_slackbot_unenrolled.yml new file mode 100644 index 000000000..b70a7e0f6 --- /dev/null +++ b/slack_rules/slack_ekm_slackbot_unenrolled.yml @@ -0,0 +1,81 @@ +AnalysisType: rule +Filename: slack_ekm_slackbot_unenrolled.py +RuleID: Slack.AuditLogs.EKMSlackbotUnenrolled +DisplayName: Slack EKM Slackbot Unenrolled +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: Detects when a workspace is longer enrolled in EKM +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: EKM Slackbot Unenrolled + ExpectedResult: true + Log: + { + "action": "ekm_slackbot_unenroll_notification_sent", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_ekm_unenrolled.py b/slack_rules/slack_ekm_unenrolled.py new file mode 100644 index 000000000..7b5d8e1a4 --- /dev/null +++ b/slack_rules/slack_ekm_unenrolled.py @@ -0,0 +1,10 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + # Only alert on the `ekm_unenrolled` action + return event.get("action") == "ekm_unenrolled" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_ekm_unenrolled.yml b/slack_rules/slack_ekm_unenrolled.yml new file mode 100644 index 000000000..5067e6a53 --- /dev/null +++ b/slack_rules/slack_ekm_unenrolled.yml @@ -0,0 +1,81 @@ +AnalysisType: rule +Filename: slack_ekm_unenrolled.py +RuleID: Slack.AuditLogs.EKMUnenrolled +DisplayName: Slack App Access Expanded +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Critical +Description: Detects when a workspace is no longer enrolled or managed by EKM +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: EKM Unenrolled + ExpectedResult: true + Log: + { + "action": "ekm_unenrolled", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } From d071b43f5549d5a0fe6cd61ae0a54b1b8bcc1250 Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Wed, 3 Aug 2022 18:50:06 -0400 Subject: [PATCH 10/21] Slack Detections - User (#464) * Initial commit - Slack Detections - User * Anonymized IP * Downgraded user priv esc to High and updated comment --- slack_rules/slack_passthrough_anomaly.py | 10 ++ slack_rules/slack_passthrough_anomaly.yml | 80 +++++++++ .../slack_user_privilege_escalation.py | 30 ++++ .../slack_user_privilege_escalation.yml | 159 ++++++++++++++++++ 4 files changed, 279 insertions(+) create mode 100644 slack_rules/slack_passthrough_anomaly.py create mode 100644 slack_rules/slack_passthrough_anomaly.yml create mode 100644 slack_rules/slack_user_privilege_escalation.py create mode 100644 slack_rules/slack_user_privilege_escalation.yml diff --git a/slack_rules/slack_passthrough_anomaly.py b/slack_rules/slack_passthrough_anomaly.py new file mode 100644 index 000000000..3ce457d00 --- /dev/null +++ b/slack_rules/slack_passthrough_anomaly.py @@ -0,0 +1,10 @@ +from panther_base_helpers import slack_alert_context + + +def rule(event): + return event.get("action") == "anomaly" + + +def alert_context(event): + # TODO: Add more details to context + return slack_alert_context(event) diff --git a/slack_rules/slack_passthrough_anomaly.yml b/slack_rules/slack_passthrough_anomaly.yml new file mode 100644 index 000000000..0f79233a3 --- /dev/null +++ b/slack_rules/slack_passthrough_anomaly.yml @@ -0,0 +1,80 @@ +AnalysisType: rule +Filename: slack_passthrough_anomaly.py +RuleID: Slack.AuditLogs.PassthroughAnomaly +DisplayName: Slack Anomaly Detected +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: Critical +Description: Passthrough for anomalies detected by Slack +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Name + ExpectedResult: true + Log: + { + "action": "anomaly", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } diff --git a/slack_rules/slack_user_privilege_escalation.py b/slack_rules/slack_user_privilege_escalation.py new file mode 100644 index 000000000..ee97d2fcd --- /dev/null +++ b/slack_rules/slack_user_privilege_escalation.py @@ -0,0 +1,30 @@ +from panther_base_helpers import slack_alert_context + +USER_PRIV_ESC_ACTIONS = { + "owner_transferred": "Slack Owner Transferred", + "permissions_assigned": "Slack User Assigned Permissions", + "role_change_to_admin": "Slack User Made Admin", + "role_change_to_owner": "Slack User Made Owner", +} + + +def rule(event): + return event.get("action") in USER_PRIV_ESC_ACTIONS + + +def title(event): + if event.get("action") in USER_PRIV_ESC_ACTIONS: + return USER_PRIV_ESC_ACTIONS.get(event.get("action")) + return "Slack User Privilege Escalation" + + +def severity(event): + # Downgrade severity for users assigned permissions + # TODO: Add case to check for admin privileges to escalate to Critical + if event.get("action") == "permissions_assigned": + return "Medium" + return "High" + + +def alert_context(event): + return slack_alert_context(event) diff --git a/slack_rules/slack_user_privilege_escalation.yml b/slack_rules/slack_user_privilege_escalation.yml new file mode 100644 index 000000000..a44a4aa3d --- /dev/null +++ b/slack_rules/slack_user_privilege_escalation.yml @@ -0,0 +1,159 @@ +AnalysisType: rule +Filename: slack_user_privilege_escalation.py +RuleID: Slack.AuditLogs.UserPrivilegeEscalation +DisplayName: Slack User Privilege Escalation +Enabled: true +LogTypes: + - Slack.AuditLogs +Tags: + - Slack +Severity: High +Description: Detects when a Slack App has had its permission scopes expanded +Reference: https://api.slack.com/admins/audit-logs +DedupPeriodMinutes: 60 +Threshold: 1 +SummaryAttributes: + - p_any_ip_addresses + - p_any_emails +Tests: + - + Name: Owner Transferred + ExpectedResult: true + Log: + { + "action": "owner_transferred", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Permissions Assigned + ExpectedResult: true + Log: + { + "action": "permissions_assigned", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Role Changed to Admin + ExpectedResult: true + Log: + { + "action": "role_change_to_admin", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Role Changed to Owner + ExpectedResult: true + Log: + { + "action": "role_change_to_owner", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + } From af06d4a5089b5b7470c253d08dec6dcb9c842192 Mon Sep 17 00:00:00 2001 From: George Psarakis Date: Fri, 5 Aug 2022 01:50:12 +0300 Subject: [PATCH 11/21] Remove managed schemas (#421) - Remove associated CI commands for schema testing and linting - Remove associated Makefile commands for publishing a new distribution Co-authored-by: George Papanikolaou --- .circleci/config.yml | 22 - .github/CODEOWNERS | 2 +- .gitignore | 3 + Makefile | 31 - schemas/logs/apache/access_combined.yml | 51 -- schemas/logs/apache/access_common.yml | 45 -- .../apache/tests/access_combined_tests.yml | 21 - .../logs/apache/tests/access_common_tests.yml | 37 -- schemas/logs/aws/alb.yml | 103 --- schemas/logs/aws/aurora_my_sql_audit.yml | 41 -- schemas/logs/aws/cloud_trail.yml | 188 ------ schemas/logs/aws/cloud_trail_digest.yml | 102 --- schemas/logs/aws/cloud_trail_insight.yml | 92 --- schemas/logs/aws/cloud_watch_events.yml | 48 -- schemas/logs/aws/guard_duty.yml | 99 --- schemas/logs/aws/s_3_server_access.yml | 88 --- .../aws/tests/cloud_trail_digest_tests.yml | 98 --- .../aws/tests/cloud_trail_insight_tests.yml | 125 ---- schemas/logs/aws/tests/cloud_trail_tests.yml | 179 ----- schemas/logs/aws/tests/vpc_dns_tests.yml | 121 ---- schemas/logs/aws/tests/waf_web_acl_tests.yml | 616 ------------------ schemas/logs/aws/vpc_dns.yml | 95 --- schemas/logs/aws/vpc_flow.yml | 89 --- schemas/logs/aws/waf_web_acl.yml | 225 ------- schemas/logs/box/event.yml | 112 ---- .../logs/cisco_umbrella/cloud_firewall.yml | 53 -- schemas/logs/cisco_umbrella/dns.yml | 58 -- schemas/logs/cisco_umbrella/ip.yml | 39 -- schemas/logs/cisco_umbrella/proxy.yml | 92 --- schemas/logs/cloudflare/firewall.yml | 106 --- schemas/logs/cloudflare/http_request.yml | 220 ------- schemas/logs/cloudflare/spectrum.yml | 111 ---- .../logs/cloudflare/tests/firewall_tests.yml | 89 --- .../cloudflare/tests/http_request_tests.yml | 150 ----- .../logs/cloudflare/tests/spectrum_tests.yml | 88 --- schemas/logs/crowdstrike/activity_audit.yml | 78 --- schemas/logs/crowdstrike/aid_master.yml | 110 ---- schemas/logs/crowdstrike/app_info.yml | 49 -- schemas/logs/crowdstrike/critical_file.yml | 113 ---- .../logs/crowdstrike/detection_summary.yml | 159 ----- schemas/logs/crowdstrike/dns_request.yml | 119 ---- schemas/logs/crowdstrike/group_identity.yml | 116 ---- schemas/logs/crowdstrike/managed_assets.yml | 53 -- schemas/logs/crowdstrike/network_connect.yml | 132 ---- schemas/logs/crowdstrike/network_listen.yml | 126 ---- .../logs/crowdstrike/not_managed_assets.yml | 81 --- schemas/logs/crowdstrike/process_rollup_2.yml | 258 -------- .../crowdstrike/process_rollup_2_stats.yml | 120 ---- .../synthetic_process_rollup_2.yml | 174 ----- schemas/logs/crowdstrike/unknown.yml | 95 --- schemas/logs/crowdstrike/user_identity.yml | 161 ----- schemas/logs/crowdstrike/user_info.yml | 72 -- .../logs/crowdstrike/user_logon_logoff.yml | 142 ---- schemas/logs/duo/administrator.yml | 35 - schemas/logs/duo/authentication.yml | 161 ----- schemas/logs/duo/offline_enrollment.yml | 36 - schemas/logs/duo/telephony.yml | 33 - schemas/logs/duo/tests/duologs_tests.yml | 174 ----- schemas/logs/fastly/access.yml | 47 -- schemas/logs/fastly/tests/access_tests.yml | 33 - schemas/logs/fluentd/syslog_3164.yml | 36 - schemas/logs/fluentd/syslog_5424.yml | 45 -- schemas/logs/g_suite/reports.yml | 108 --- schemas/logs/gcp/audit_log.yml | 275 -------- schemas/logs/git_lab/api.yml | 116 ---- schemas/logs/git_lab/audit.yml | 59 -- schemas/logs/git_lab/exceptions.yml | 73 --- schemas/logs/git_lab/git.yml | 28 - schemas/logs/git_lab/integrations.yml | 44 -- schemas/logs/git_lab/production.yml | 124 ---- schemas/logs/git_lab/tests/api_tests.yml | 65 -- schemas/logs/git_lab/tests/audit_tests.yml | 35 - schemas/logs/git_lab/tests/git_tests.yml | 20 - .../logs/git_lab/tests/integrations_tests.yml | 54 -- .../logs/git_lab/tests/production_tests.yml | 243 ------- schemas/logs/gravitational/teleport_audit.yml | 179 ----- .../tests/teleport_audit_tests.yml | 381 ----------- schemas/logs/juniper/access.yml | 37 -- schemas/logs/juniper/audit.yml | 31 - schemas/logs/juniper/firewall.yml | 71 -- schemas/logs/juniper/mws.yml | 28 - schemas/logs/juniper/postgres.yml | 37 -- schemas/logs/juniper/security.yml | 82 --- schemas/logs/lacework/alert_details.yml | 116 ---- schemas/logs/lacework/cloud_compliance.yml | 40 -- schemas/logs/lacework/events.yml | 464 ------------- .../lacework/tests/alert_details_tests.yml | 149 ----- .../lacework/tests/cloud_compliance_tests.yml | 71 -- .../audit.azure_active_directory.yml | 154 ----- schemas/logs/microsoft_365/audit.exchange.yml | 249 ------- schemas/logs/microsoft_365/audit.general.yml | 67 -- .../logs/microsoft_365/audit.share_point.yml | 129 ---- schemas/logs/microsoft_365/dlp.all.yml | 254 -------- .../audit.azure_active_directory_tests.yml | 119 ---- .../tests/audit.exchange_tests.yml | 191 ------ .../tests/audit.general_tests.yml | 54 -- .../tests/audit.share_point_tests.yml | 221 ------- schemas/logs/nginx/access.yml | 49 -- schemas/logs/nginx/tests/access_tests.yml | 40 -- schemas/logs/okta/samples/generate_tests.jq | 40 -- .../logs/okta/samples/systemlog_samples.jsonl | 100 --- schemas/logs/okta/system_log.yml | 285 -------- schemas/logs/okta/tests/generated_tests.yml | 499 -------------- .../logs/okta/tests/samples/generate_tests.jq | 41 -- .../tests/samples/systemlog_samples.jsonl | 100 --- schemas/logs/okta/tests/system_log_tests.yml | 98 --- schemas/logs/one_login/events.yml | 208 ------ schemas/logs/one_login/tests/events_tests.yml | 248 ------- schemas/logs/osquery/batch.yml | 52 -- schemas/logs/osquery/differential.yml | 53 -- schemas/logs/osquery/snapshot.yml | 47 -- schemas/logs/osquery/status.yml | 50 -- schemas/logs/ossec/event_info.yml | 221 ------- schemas/logs/ossec/tests/ossec_tests.yml | 167 ----- schemas/logs/salesforce/login.yml | 204 ------ schemas/logs/salesforce/login_as.yml | 117 ---- schemas/logs/salesforce/logout.yml | 209 ------ schemas/logs/salesforce/uri.yml | 149 ----- schemas/logs/slack/access_logs.yml | 51 -- schemas/logs/slack/audit_logs.yml | 233 ------- schemas/logs/slack/integration_logs.yml | 62 -- schemas/logs/slack/tests/slacklogs_tests.yml | 144 ---- schemas/logs/sophos/central.yml | 145 ----- schemas/logs/sophos/tests/central_tests.yml | 233 ------- schemas/logs/suricata/anomaly.yml | 114 ---- schemas/logs/suricata/dns.yml | 167 ----- schemas/logs/syslog/rfc_3164.yml | 40 -- schemas/logs/syslog/rfc_5424.yml | 47 -- schemas/logs/zeek/dns.yml | 90 --- 129 files changed, 4 insertions(+), 15064 deletions(-) delete mode 100644 schemas/logs/apache/access_combined.yml delete mode 100644 schemas/logs/apache/access_common.yml delete mode 100644 schemas/logs/apache/tests/access_combined_tests.yml delete mode 100644 schemas/logs/apache/tests/access_common_tests.yml delete mode 100644 schemas/logs/aws/alb.yml delete mode 100644 schemas/logs/aws/aurora_my_sql_audit.yml delete mode 100644 schemas/logs/aws/cloud_trail.yml delete mode 100644 schemas/logs/aws/cloud_trail_digest.yml delete mode 100644 schemas/logs/aws/cloud_trail_insight.yml delete mode 100644 schemas/logs/aws/cloud_watch_events.yml delete mode 100644 schemas/logs/aws/guard_duty.yml delete mode 100644 schemas/logs/aws/s_3_server_access.yml delete mode 100644 schemas/logs/aws/tests/cloud_trail_digest_tests.yml delete mode 100644 schemas/logs/aws/tests/cloud_trail_insight_tests.yml delete mode 100644 schemas/logs/aws/tests/cloud_trail_tests.yml delete mode 100644 schemas/logs/aws/tests/vpc_dns_tests.yml delete mode 100644 schemas/logs/aws/tests/waf_web_acl_tests.yml delete mode 100644 schemas/logs/aws/vpc_dns.yml delete mode 100644 schemas/logs/aws/vpc_flow.yml delete mode 100644 schemas/logs/aws/waf_web_acl.yml delete mode 100644 schemas/logs/box/event.yml delete mode 100644 schemas/logs/cisco_umbrella/cloud_firewall.yml delete mode 100644 schemas/logs/cisco_umbrella/dns.yml delete mode 100644 schemas/logs/cisco_umbrella/ip.yml delete mode 100644 schemas/logs/cisco_umbrella/proxy.yml delete mode 100644 schemas/logs/cloudflare/firewall.yml delete mode 100644 schemas/logs/cloudflare/http_request.yml delete mode 100644 schemas/logs/cloudflare/spectrum.yml delete mode 100644 schemas/logs/cloudflare/tests/firewall_tests.yml delete mode 100644 schemas/logs/cloudflare/tests/http_request_tests.yml delete mode 100644 schemas/logs/cloudflare/tests/spectrum_tests.yml delete mode 100644 schemas/logs/crowdstrike/activity_audit.yml delete mode 100644 schemas/logs/crowdstrike/aid_master.yml delete mode 100644 schemas/logs/crowdstrike/app_info.yml delete mode 100644 schemas/logs/crowdstrike/critical_file.yml delete mode 100644 schemas/logs/crowdstrike/detection_summary.yml delete mode 100644 schemas/logs/crowdstrike/dns_request.yml delete mode 100644 schemas/logs/crowdstrike/group_identity.yml delete mode 100644 schemas/logs/crowdstrike/managed_assets.yml delete mode 100644 schemas/logs/crowdstrike/network_connect.yml delete mode 100644 schemas/logs/crowdstrike/network_listen.yml delete mode 100644 schemas/logs/crowdstrike/not_managed_assets.yml delete mode 100644 schemas/logs/crowdstrike/process_rollup_2.yml delete mode 100644 schemas/logs/crowdstrike/process_rollup_2_stats.yml delete mode 100644 schemas/logs/crowdstrike/synthetic_process_rollup_2.yml delete mode 100644 schemas/logs/crowdstrike/unknown.yml delete mode 100644 schemas/logs/crowdstrike/user_identity.yml delete mode 100644 schemas/logs/crowdstrike/user_info.yml delete mode 100644 schemas/logs/crowdstrike/user_logon_logoff.yml delete mode 100644 schemas/logs/duo/administrator.yml delete mode 100644 schemas/logs/duo/authentication.yml delete mode 100644 schemas/logs/duo/offline_enrollment.yml delete mode 100644 schemas/logs/duo/telephony.yml delete mode 100644 schemas/logs/duo/tests/duologs_tests.yml delete mode 100644 schemas/logs/fastly/access.yml delete mode 100644 schemas/logs/fastly/tests/access_tests.yml delete mode 100644 schemas/logs/fluentd/syslog_3164.yml delete mode 100644 schemas/logs/fluentd/syslog_5424.yml delete mode 100644 schemas/logs/g_suite/reports.yml delete mode 100644 schemas/logs/gcp/audit_log.yml delete mode 100644 schemas/logs/git_lab/api.yml delete mode 100644 schemas/logs/git_lab/audit.yml delete mode 100644 schemas/logs/git_lab/exceptions.yml delete mode 100644 schemas/logs/git_lab/git.yml delete mode 100644 schemas/logs/git_lab/integrations.yml delete mode 100644 schemas/logs/git_lab/production.yml delete mode 100644 schemas/logs/git_lab/tests/api_tests.yml delete mode 100644 schemas/logs/git_lab/tests/audit_tests.yml delete mode 100644 schemas/logs/git_lab/tests/git_tests.yml delete mode 100644 schemas/logs/git_lab/tests/integrations_tests.yml delete mode 100644 schemas/logs/git_lab/tests/production_tests.yml delete mode 100644 schemas/logs/gravitational/teleport_audit.yml delete mode 100644 schemas/logs/gravitational/tests/teleport_audit_tests.yml delete mode 100644 schemas/logs/juniper/access.yml delete mode 100644 schemas/logs/juniper/audit.yml delete mode 100644 schemas/logs/juniper/firewall.yml delete mode 100644 schemas/logs/juniper/mws.yml delete mode 100644 schemas/logs/juniper/postgres.yml delete mode 100644 schemas/logs/juniper/security.yml delete mode 100644 schemas/logs/lacework/alert_details.yml delete mode 100644 schemas/logs/lacework/cloud_compliance.yml delete mode 100644 schemas/logs/lacework/events.yml delete mode 100644 schemas/logs/lacework/tests/alert_details_tests.yml delete mode 100644 schemas/logs/lacework/tests/cloud_compliance_tests.yml delete mode 100644 schemas/logs/microsoft_365/audit.azure_active_directory.yml delete mode 100644 schemas/logs/microsoft_365/audit.exchange.yml delete mode 100644 schemas/logs/microsoft_365/audit.general.yml delete mode 100644 schemas/logs/microsoft_365/audit.share_point.yml delete mode 100644 schemas/logs/microsoft_365/dlp.all.yml delete mode 100644 schemas/logs/microsoft_365/tests/audit.azure_active_directory_tests.yml delete mode 100644 schemas/logs/microsoft_365/tests/audit.exchange_tests.yml delete mode 100644 schemas/logs/microsoft_365/tests/audit.general_tests.yml delete mode 100644 schemas/logs/microsoft_365/tests/audit.share_point_tests.yml delete mode 100644 schemas/logs/nginx/access.yml delete mode 100644 schemas/logs/nginx/tests/access_tests.yml delete mode 100644 schemas/logs/okta/samples/generate_tests.jq delete mode 100644 schemas/logs/okta/samples/systemlog_samples.jsonl delete mode 100644 schemas/logs/okta/system_log.yml delete mode 100644 schemas/logs/okta/tests/generated_tests.yml delete mode 100644 schemas/logs/okta/tests/samples/generate_tests.jq delete mode 100644 schemas/logs/okta/tests/samples/systemlog_samples.jsonl delete mode 100644 schemas/logs/okta/tests/system_log_tests.yml delete mode 100644 schemas/logs/one_login/events.yml delete mode 100644 schemas/logs/one_login/tests/events_tests.yml delete mode 100644 schemas/logs/osquery/batch.yml delete mode 100644 schemas/logs/osquery/differential.yml delete mode 100644 schemas/logs/osquery/snapshot.yml delete mode 100644 schemas/logs/osquery/status.yml delete mode 100644 schemas/logs/ossec/event_info.yml delete mode 100644 schemas/logs/ossec/tests/ossec_tests.yml delete mode 100644 schemas/logs/salesforce/login.yml delete mode 100644 schemas/logs/salesforce/login_as.yml delete mode 100644 schemas/logs/salesforce/logout.yml delete mode 100644 schemas/logs/salesforce/uri.yml delete mode 100644 schemas/logs/slack/access_logs.yml delete mode 100644 schemas/logs/slack/audit_logs.yml delete mode 100644 schemas/logs/slack/integration_logs.yml delete mode 100644 schemas/logs/slack/tests/slacklogs_tests.yml delete mode 100644 schemas/logs/sophos/central.yml delete mode 100644 schemas/logs/sophos/tests/central_tests.yml delete mode 100644 schemas/logs/suricata/anomaly.yml delete mode 100644 schemas/logs/suricata/dns.yml delete mode 100644 schemas/logs/syslog/rfc_3164.yml delete mode 100644 schemas/logs/syslog/rfc_5424.yml delete mode 100644 schemas/logs/zeek/dns.yml diff --git a/.circleci/config.yml b/.circleci/config.yml index 7808d1417..aacd0a3b5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,16 +1,5 @@ version: 2.1 -commands: - download_pantherlog_tool: - parameters: - version: - type: string - description: The version tag to download - steps: - - run: - name: Download pantherlog tool - command: curl -sSO "https://panther-community-us-east-1.s3.amazonaws.com/<>/tools/dev/pantherlog-linux-amd64" && mv pantherlog-linux-amd64 pantherlog && chmod +x pantherlog - jobs: lint: docker: @@ -34,16 +23,6 @@ jobs: - run: name: Run unit tests command: make test - schema_tests: - docker: - - image: 'cimg/python:3.9' - steps: - - checkout - - download_pantherlog_tool: - version: v1.17.0-RC - - run: - name: Run schema tests - command: ./pantherlog -v && ./pantherlog test ./schemas || true workflows: version: 2 @@ -51,5 +30,4 @@ workflows: jobs: - lint - unit_tests - - schema_tests diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 64e827855..4fe8ba473 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -2,5 +2,5 @@ # Each line is a file pattern followed by one or more owners. # These owners will be the default owners for everything in the repo. -* @nhakmiller @panther-labs/detections @panther-labs/security +* @nhakmiller @panther-labs/detections @panther-labs/security diff --git a/.gitignore b/.gitignore index 3cf6c5c34..c83a74f78 100644 --- a/.gitignore +++ b/.gitignore @@ -63,3 +63,6 @@ dist/ # Vim *.swp + +# Jetbrains +.idea diff --git a/Makefile b/Makefile index fbb361bdb..2e1a2fbed 100644 --- a/Makefile +++ b/Makefile @@ -1,12 +1,3 @@ -# Find all *.yml files under schemas/ that are not in a '/tests/' path. -schema_files := $(shell find schemas/ -type f -name '*.yml' -and -not -wholename '*/tests/*' | sort | xargs) -# Last release tag -last_release := $(shell git tag --sort=version:refname --list 'v*' | tail -n1) -# Revision SHA1 at current commit -rev := $(shell git rev-parse HEAD) -# Release tag for current commit -release := $(shell git tag --points-at=$(rev) --sort=version:refname --list 'v*' | tail -n1) - dirs := $(shell ls | egrep 'policies|rules|helpers|models|templates' | xargs) ci: @@ -31,7 +22,6 @@ pat-update: fmt: pipenv run isort --profile=black $(dirs) pipenv run black --line-length=100 $(dirs) - prettier -w schemas schemas/**/*.yml install: pipenv install --dev @@ -39,24 +29,3 @@ install: test: pipenv run panther_analysis_tool test -managed-schemas: - mkdir -p dist/managed-schemas; \ - for f in $(schema_files); do \ - echo "---"; \ - cat "$$f"; \ - done > "dist/managed-schemas/manifest.yml"; \ - sha256sum "dist/managed-schemas/manifest.yml" > "dist/managed-schemas/SHA256SUMS"; - -managed-schemas.zip: managed-schemas - rm -f dist/managed-schemas.zip; \ - if [ "$(release)" != "" ]; then \ - echo "$(release)"; \ - else \ - echo "$(last_release)-$(rev)"; \ - fi | zip \ - --archive-comment \ - --junk-paths \ - --recurse-paths \ - -q \ - --no-dir-entries \ - dist/managed-schemas.zip "dist/managed-schemas"; diff --git a/schemas/logs/apache/access_combined.yml b/schemas/logs/apache/access_combined.yml deleted file mode 100644 index 32e56bd0b..000000000 --- a/schemas/logs/apache/access_combined.yml +++ /dev/null @@ -1,51 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Apache.AccessCombined -parser: - fastmatch: - match: - - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size} "%{referer}" "%{user_agent}"' - trimSpace: true - emptyValues: ["-"] -description: Apache HTTP server access logs using the 'combined' format -referenceURL: https://httpd.apache.org/docs/current/logs.html#combined -version: 0 -fields: - - name: remote_host_ip_address - description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. - type: string - indicators: - - hostname - - name: client_identity_rfc_1413 - description: The RFC 1413 identity of the client determined by identd on the clients machine. - type: string - - name: request_user - description: The userid of the person requesting the document as determined by HTTP authentication. - type: string - indicators: - - username - - name: request_time - description: The time that the request was received. - type: timestamp - timeFormat: "%d/%b/%Y:%H:%M:%S %z" - isEventTime: true - - name: request_method - description: The HTTP request method - type: string - - name: request_uri - description: The HTTP request URI - type: string - - name: request_protocol - description: The HTTP request protocol - type: string - - name: response_status - description: The HTTP status of the response - type: smallint - - name: response_size - description: The size of the HTTP response in bytes - type: bigint - - name: user_agent - description: The User-Agent HTTP header - type: string - - name: referer - description: The Referer HTTP header - type: string diff --git a/schemas/logs/apache/access_common.yml b/schemas/logs/apache/access_common.yml deleted file mode 100644 index 7477de5da..000000000 --- a/schemas/logs/apache/access_common.yml +++ /dev/null @@ -1,45 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Apache.AccessCommon -parser: - fastmatch: - match: - - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size}' - trimSpace: true - emptyValues: ["-"] -description: Apache HTTP server access logs using the 'common' format -referenceURL: https://httpd.apache.org/docs/current/logs.html#common -version: 0 -fields: - - name: remote_host_ip_address - description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. - type: string - indicators: - - hostname - - name: client_identity_rfc_1413 - description: The RFC 1413 identity of the client determined by identd on the clients machine. - type: string - - name: request_user - description: The userid of the person requesting the document as determined by HTTP authentication. - type: string - indicators: - - username - - name: request_time - description: The time that the request was received. - type: timestamp - timeFormat: "%d/%b/%Y:%H:%M:%S %z" - isEventTime: true - - name: request_method - description: The HTTP request method - type: string - - name: request_uri - description: The HTTP request URI - type: string - - name: request_protocol - description: The HTTP request protocol - type: string - - name: response_status - description: The HTTP status of the response - type: smallint - - name: response_size - description: The size of the HTTP response in bytes - type: bigint diff --git a/schemas/logs/apache/tests/access_combined_tests.yml b/schemas/logs/apache/tests/access_combined_tests.yml deleted file mode 100644 index 464826153..000000000 --- a/schemas/logs/apache/tests/access_combined_tests.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -name: ApacheCombined -logType: Apache.AccessCombined -input: 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)" -result: | - { - "remote_host_ip_address": "127.0.0.1", - "request_user": "frank", - "request_time": "10/Oct/2000:13:55:36 -0700", - "request_method": "GET", - "request_uri": "/apache_pb.gif", - "request_protocol": "HTTP/1.0", - "response_status": 200, - "response_size": 2326, - "referer": "http://www.example.com/start.html", - "user_agent": "Mozilla/4.08 [en] (Win98; I ;Nav)", - "p_log_type": "Apache.AccessCombined", - "p_event_time": "2000-10-10T13:55:36-07:00", - "p_any_ip_addresses": ["127.0.0.1"], - "p_any_usernames": ["frank"] - } diff --git a/schemas/logs/apache/tests/access_common_tests.yml b/schemas/logs/apache/tests/access_common_tests.yml deleted file mode 100644 index b90f96236..000000000 --- a/schemas/logs/apache/tests/access_common_tests.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -name: ApacheCommon -logType: Apache.AccessCommon -input: 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 -result: | - { - "remote_host_ip_address": "127.0.0.1", - "request_user": "frank", - "request_time": "10/Oct/2000:13:55:36 -0700", - "request_method": "GET", - "request_uri": "/apache_pb.gif", - "request_protocol": "HTTP/1.0", - "response_status": 200, - "response_size": 2326, - "p_log_type": "Apache.AccessCommon", - "p_event_time": "2000-10-10T13:55:36-07:00", - "p_any_ip_addresses": ["127.0.0.1"], - "p_any_usernames": ["frank"] - } ---- -name: ApacheCommonEmptySize -logType: Apache.AccessCommon -input: 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 - -result: | - { - "remote_host_ip_address": "127.0.0.1", - "request_user": "frank", - "request_time": "10/Oct/2000:13:55:36 -0700", - "request_method": "GET", - "request_uri": "/apache_pb.gif", - "request_protocol": "HTTP/1.0", - "response_status": 200, - "p_log_type": "Apache.AccessCommon", - "p_event_time": "2000-10-10T13:55:36-07:00", - "p_any_ip_addresses": ["127.0.0.1"], - "p_any_usernames": ["frank"] - } diff --git a/schemas/logs/aws/alb.yml b/schemas/logs/aws/alb.yml deleted file mode 100644 index 926d18faf..000000000 --- a/schemas/logs/aws/alb.yml +++ /dev/null @@ -1,103 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.ALB -parser: - native: - name: AWS.ALB -description: Application Load Balancer logs Layer 7 network logs for your application load balancer. -referenceURL: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html -version: 0 -fields: - - name: type - required: true - description: The type of request or connection. - type: string - - name: timestamp - required: true - description: The time when the load balancer generated a response to the client (UTC). For WebSockets, this is the time when the connection is closed. - type: timestamp - timeFormat: rfc3339 - - name: elb - description: The resource ID of the load balancer. If you are parsing access log entries, note that resources IDs can contain forward slashes (/). - type: string - - name: clientIp - description: The IP address of the requesting client. - type: string - - name: clientPort - description: The port of the requesting client. - type: bigint - - name: targetIp - description: The IP address of the target that processed this request. - type: string - - name: targetPort - description: The port of the target that processed this request. - type: bigint - - name: requestProcessingTime - description: The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the request until the time it sent it to a target. This value is set to -1 if the load balancer can't dispatch the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. This value can also be set to -1 if the registered target does not respond before the idle timeout. - type: float - - name: targetProcessingTime - description: The total time elapsed (in seconds, with millisecond precision) from the time the load balancer sent the request to a target until the target started to send the response headers. This value is set to -1 if the load balancer can't dispatch the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. This value can also be set to -1 if the registered target does not respond before the idle timeout. - type: float - - name: responseProcessingTime - description: The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the response header from the target until it started to send the response to the client. This includes both the queuing time at the load balancer and the connection acquisition time from the load balancer to the client. This value is set to -1 if the load balancer can't send the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. - type: float - - name: elbStatusCode - required: true - description: The status code of the response from the load balancer. - type: bigint - - name: targetStatusCode - description: The status code of the response from the target. This value is recorded only if a connection was established to the target and the target sent a response. - type: bigint - - name: receivedBytes - description: The size of the request, in bytes, received from the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes received from the client on the connection. - type: bigint - - name: sentBytes - description: The size of the response, in bytes, sent to the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes sent to the client on the connection. - type: bigint - - name: requestHttpMethod - description: The HTTP method parsed from the request. - type: string - - name: requestUrl - description: The HTTP URL parsed from the request. - type: string - - name: requestHttpVersion - description: The HTTP version parsed from the request. - type: string - - name: userAgent - description: A User-Agent string that identifies the client that originated the request. The string consists of one or more product identifiers, product[/version]. If the string is longer than 8 KB, it is truncated. - type: string - - name: sslCipher - description: "[HTTPS listener] The SSL cipher. This value is set to NULL if the listener is not an HTTPS listener." - type: string - - name: sslProtocol - description: "[HTTPS listener] The SSL protocol. This value is set to NULL if the listener is not an HTTPS listener." - type: string - - name: targetGroupArn - description: The Amazon Resource Name (ARN) of the target group. - type: string - - name: traceId - description: The contents of the X-Amzn-Trace-Id header. - type: string - - name: domainName - description: "[HTTPS listener] The SNI domain provided by the client during the TLS handshake. This value is set to NULL if the client doesn't support SNI or the domain doesn't match a certificate and the default certificate is presented to the client." - type: string - - name: chosenCertArn - description: "[HTTPS listener] The ARN of the certificate presented to the client. This value is set to session-reused if the session is reused. This value is set to NULL if the listener is not an HTTPS listener." - type: string - - name: matchedRulePriority - description: The priority value of the rule that matched the request. If a rule matched, this is a value from 1 to 50,000. If no rule matched and the default action was taken, this value is set to 0. If an error occurs during rules evaluation, it is set to -1. For any other error, it is set to NULL. - type: bigint - - name: requestCreationTime - description: The time when the load balancer received the request from the client. - type: timestamp - timeFormat: rfc3339 - - name: actionsExecuted - description: The actions taken when processing the request. This value is a comma-separated list that can include the values described in Actions Taken. If no action was taken, such as for a malformed request, this value is set to NULL. - type: array - element: - type: string - - name: redirectUrl - description: The URL of the redirect target for the location header of the HTTP response. If no redirect actions were taken, this value is set to NULL. - type: string - - name: errorReason - description: The error reason code. If the request failed, this is one of the error codes described in Error Reason Codes. If the actions taken do not include an authenticate action or the target is not a Lambda function, this value is set to NULL. - type: string diff --git a/schemas/logs/aws/aurora_my_sql_audit.yml b/schemas/logs/aws/aurora_my_sql_audit.yml deleted file mode 100644 index f6d0cd2c0..000000000 --- a/schemas/logs/aws/aurora_my_sql_audit.yml +++ /dev/null @@ -1,41 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.AuroraMySQLAudit -parser: - native: - name: AWS.AuroraMySQLAudit -description: AuroraMySQLAudit is an RDS Aurora audit log which contains context around database calls. -referenceURL: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html -version: 0 -fields: - - name: timestamp - description: The timestamp for the logged event with microsecond precision (UTC). - type: timestamp - timeFormat: rfc3339 - - name: serverHost - description: The name of the instance that the event is logged for. - type: string - - name: username - description: The connected user name of the user. - type: string - - name: host - description: The host that the user connected from. - type: string - - name: connectionId - description: The connection ID number for the logged operation. - type: bigint - - name: queryId - description: The query ID number, which can be used for finding the relational table events and related queries. For TABLE events, multiple lines are added. - type: bigint - - name: operation - required: true - description: "The recorded action type. Possible values are: CONNECT, QUERY, READ, WRITE, CREATE, ALTER, RENAME, and DROP." - type: string - - name: database - description: The active database, as set by the USE command. - type: string - - name: object - description: For QUERY events, this value indicates the executed query. For TABLE events, it indicates the table name. - type: string - - name: retCode - description: The return code of the logged operation. - type: bigint diff --git a/schemas/logs/aws/cloud_trail.yml b/schemas/logs/aws/cloud_trail.yml deleted file mode 100644 index 15d7b1b9f..000000000 --- a/schemas/logs/aws/cloud_trail.yml +++ /dev/null @@ -1,188 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.CloudTrail -parser: - native: - name: AWS.CloudTrail -description: AWSCloudTrail represents the content of a CloudTrail S3 object. -referenceURL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html -version: 0 -fields: - - name: additionalEventData - description: Additional data about the event that was not part of the request or response. - type: json - - name: apiVersion - description: Identifies the API version associated with the AwsApiCall eventType value. - type: string - - name: awsRegion - required: true - description: The AWS region that the request was made to, such as us-east-2. - type: string - - name: errorCode - description: The AWS service error if the request returns an error. - type: string - - name: errorMessage - description: If the request returns an error, the description of the error. This message includes messages for authorization failures. CloudTrail captures the message logged by the service in its exception handling. - type: string - - name: eventID - required: true - description: GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database. - type: string - - name: eventName - required: true - description: The requested action, which is one of the actions in the API for that service. - type: string - - name: eventSource - required: true - description: The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com. - type: string - - name: eventTime - required: true - description: The date and time the request was made, in coordinated universal time (UTC). - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: eventType - required: true - description: "Identifies the type of event that generated the event record. This can be the one of the following values: AwsApiCall, AwsServiceEvent, AwsConsoleSignIn" - type: string - - name: eventVersion - required: true - description: The version of the log event format. - type: string - - name: managementEvent - description: "A Boolean value that identifies whether the event is a management event. managementEvent is shown in an event record if eventVersion is 1.06 or higher, and the event type is one of the following: AwsApiCall, AwsConsoleAction, AwsConsoleSignIn, AwsServiceEvent" - type: boolean - - name: readOnly - description: Identifies whether this operation is a read-only operation. - type: boolean - - name: recipientAccountId - description: Represents the account ID that received this event. The recipientAccountID may be different from the CloudTrail userIdentity Element accountId. This can occur in cross-account resource access. - type: string - indicators: - - aws_account_id - - name: requestID - description: The value that identifies the request. The service being called generates this value. - type: string - - name: requestParameters - description: The parameters, if any, that were sent with the request. These parameters are documented in the API reference documentation for the appropriate AWS service. - type: json - - name: resources - description: A list of resources accessed in the event. - type: array - element: - type: object - fields: - - name: arn - description: ARN field - type: string - indicators: - - aws_arn - - name: accountId - description: AccountID field - type: string - indicators: - - aws_account_id - - name: type - description: Type field - type: string - - name: responseElements - description: The response element for actions that make changes (create, update, or delete actions). If an action does not change state (for example, a request to get or list objects), this element is omitted. These actions are documented in the API reference documentation for the appropriate AWS service. - type: json - - name: serviceEventDetails - description: Identifies the service event, including what triggered the event and the result. - type: json - - name: sharedEventID - description: GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. - type: string - - name: sourceIPAddress - required: true - description: The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed. - type: string - indicators: - - hostname - - name: userAgent - description: The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI. - type: string - - name: userIdentity - required: true - description: Information about the user that made a request. - type: object - fields: - - name: type - description: Type field - type: string - - name: principalId - description: PrincipalID field - type: string - - name: arn - description: ARN field - type: string - indicators: - - aws_arn - - name: accountId - description: AccountID field - type: string - indicators: - - aws_account_id - - name: accessKeyId - description: AccessKeyID field - type: string - - name: userName - description: Username field - type: string - - name: sessionContext - description: SessionContext field - type: object - fields: - - name: attributes - description: Attributes field - type: object - fields: - - name: mfaAuthenticated - description: MfaAuthenticated field - type: string - - name: creationDate - description: CreationDate field - type: string - - name: sessionIssuer - description: SessionIssuer field - type: object - fields: - - name: type - description: Type field - type: string - - name: principalId - description: PrincipalID field - type: string - - name: arn - description: Arn field - type: string - indicators: - - aws_arn - - name: accountId - description: AccountID field - type: string - indicators: - - aws_account_id - - name: userName - description: Username field - type: string - - name: webIdFederationData - description: WebIDFederationData field - type: object - fields: - - name: federatedProvider - description: FederatedProvider field - type: string - - name: attributes - description: Attributes field - type: json - - name: invokedBy - description: InvokedBy field - type: string - - name: identityProvider - description: IdentityProvider field - type: string - - name: vpcEndpointId - description: Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. - type: string diff --git a/schemas/logs/aws/cloud_trail_digest.yml b/schemas/logs/aws/cloud_trail_digest.yml deleted file mode 100644 index d9c31b1b3..000000000 --- a/schemas/logs/aws/cloud_trail_digest.yml +++ /dev/null @@ -1,102 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.CloudTrailDigest -parser: - native: - name: AWS.CloudTrailDigest -description: AWSCloudTrailDigest contains the names of the log files that were delivered to your Amazon S3 bucket during the last hour, the hash values for those log files, and the signature of the previous digest file. -referenceURL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-digest-file-structure.html -version: 0 -fields: - - name: awsAccountId - required: true - description: The AWS account ID for which the digest file has been delivered. - type: string - indicators: - - aws_account_id - - name: digestStartTime - required: true - description: The starting UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail. - type: timestamp - timeFormat: rfc3339 - - name: digestEndTime - required: true - description: The ending UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail. - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: digestS3Bucket - required: true - description: The name of the Amazon S3 bucket to which the current digest file has been delivered. - type: string - - name: digestS3Object - required: true - description: The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file. - type: string - - name: newestEventTime - description: The UTC time of the most recent event among all of the events in the log files in the digest. - type: timestamp - timeFormat: rfc3339 - - name: oldestEventTime - description: The UTC time of the oldest event among all of the events in the log files in the digest. - type: timestamp - timeFormat: rfc3339 - - name: previousDigestS3Bucket - description: The Amazon S3 bucket to which the previous digest file was delivered. - type: string - - name: previousDigestS3Object - description: The Amazon S3 object key (that is, the Amazon S3 bucket location) of the previous digest file. - type: string - - name: previousDigestHashValue - description: The hexadecimal encoded hash value of the uncompressed contents of the previous digest file. - type: string - indicators: - - sha256 - - name: previousDigestHashAlgorithm - description: The name of the hash algorithm that was used to hash the previous digest file. - type: string - - name: previousDigestSignature - description: The hexadecimal encoded signature of the previous digest file. - type: string - - name: digestPublicKeyFingerprint - required: true - description: The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file. - type: string - - name: digestSignatureAlgorithm - required: true - description: The algorithm used to sign the digest file. - type: string - - name: logFiles - required: true - description: Log files delivered in this digest - type: array - element: - type: object - fields: - - name: s3Bucket - required: true - description: The name of the Amazon S3 bucket for the log file. - type: string - - name: s3Object - required: true - description: The Amazon S3 object key of the current log file. - type: string - - name: hashValue - required: true - description: The hexadecimal encoded hash value of the uncompressed log file content. - type: string - indicators: - - sha256 - - name: hashAlgorithm - required: true - description: The hash algorithm used to hash the log file. - type: string - - name: newestEventTime - required: true - description: The UTC time of the most recent event among the events in the log file. - type: timestamp - timeFormat: rfc3339 - - name: oldestEventTime - required: true - description: The UTC time of the oldest event among the events in the log file. - type: timestamp - timeFormat: rfc3339 diff --git a/schemas/logs/aws/cloud_trail_insight.yml b/schemas/logs/aws/cloud_trail_insight.yml deleted file mode 100644 index 4510f7849..000000000 --- a/schemas/logs/aws/cloud_trail_insight.yml +++ /dev/null @@ -1,92 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.CloudTrailInsight -parser: - native: - name: AWS.CloudTrailInsight -description: AWSCloudTrailInsight represents the content of a CloudTrail Insight event record S3 object. -referenceURL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html -version: 0 -fields: - - name: eventVersion - required: true - description: The version of the log event format. - type: string - - name: eventTime - required: true - description: The date and time the request was made, in coordinated universal time (UTC). - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: awsRegion - required: true - description: The AWS region that the request was made to, such as us-east-2. - type: string - - name: eventId - required: true - description: GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database. - type: string - - name: eventType - required: true - description: "Identifies the type of event that generated the event record. This can be the one of the following values: AwsApiCall, AwsServiceEvent, AwsConsoleSignIn" - type: string - - name: recipientAccountId - description: Represents the account ID that received this event. The recipientAccountID may be different from the CloudTrail userIdentity Element accountId. This can occur in cross-account resource access. - type: string - indicators: - - aws_account_id - - name: sharedEventId - required: true - description: A GUID that is generated by CloudTrail Insights to uniquely identify an Insights event. sharedEventID is common between the start and the end Insights events. - type: string - indicators: - - trace_id - - name: insightDetails - required: true - description: Shows information about the underlying triggers of an Insights event, such as event source, statistics, API name, and whether the event is the start or end of the Insights event. - type: object - fields: - - name: state - required: true - description: Shows whether the event represents the start or end of the insight (the start or end of unusual activity). Values are Start or End. - type: string - - name: eventSource - required: true - description: The AWS API for which unusual activity was detected. - type: string - - name: eventName - required: true - description: The AWS API for which unusual activity was detected. - type: string - - name: insightType - required: true - description: The type of Insights event. Value is ApiCallRateInsight. - type: string - - name: insightContext - description: Data about the rate of calls that triggered the Insights event compared to the normal rate of calls to the subject API per minute. - type: object - fields: - - name: statistics - description: A container for data about the typical average rate of calls to the subject API by an account, the rate of calls that triggered the Insights event, and the duration, in minutes, of the Insights event. - type: object - fields: - - name: baseline - description: Shows the typical average rate of calls to the subject API by an account within a specific AWS Region. - type: object - fields: - - name: average - description: Average value for the insight metric - type: float - - name: insight - description: Shows the unusual rate of calls to the subject API that triggers the logging of an Insights event. - type: object - fields: - - name: average - description: Average value for the insight metric - type: float - - name: insightDuration - description: The duration, in minutes, of an Insights event (the time period from the start to the end of unusual activity on the subject API). insightDuration only occurs in end Insights events. - type: float - - name: eventCategory - required: true - description: Shows the event category that is used in LookupEvents calls. In Insights events, the value is insight. - type: string diff --git a/schemas/logs/aws/cloud_watch_events.yml b/schemas/logs/aws/cloud_watch_events.yml deleted file mode 100644 index cf431688a..000000000 --- a/schemas/logs/aws/cloud_watch_events.yml +++ /dev/null @@ -1,48 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.CloudWatchEvents -parser: - native: - name: AWS.CloudWatchEvents -description: Amazon CloudWatch Events describe a change in Amazon Web Services (AWS) resources. -referenceURL: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html -version: 0 -fields: - - name: id - required: true - description: A unique value is generated for every event. This can be helpful in tracing events as they move through rules to targets, and are processed. - type: string - - name: account - required: true - description: The 12-digit number identifying an AWS account. - type: string - - name: source - required: true - description: Identifies the service that sourced the event. All events sourced from within AWS begin with 'aws'. Customer-generated events can have any value here, as long as it doesn't begin with 'aws'. We recommend the use of Java package-name style reverse domain-name strings. - type: string - - name: resources - required: true - description: This JSON array contains ARNs that identify resources that are involved in the event. Inclusion of these ARNs is at the discretion of the service. For example, Amazon EC2 instance state-changes include Amazon EC2 instance ARNs, Auto Scaling events include ARNs for both instances and Auto Scaling groups, but API calls with AWS CloudTrail do not include resource ARNs. - type: array - element: - type: string - - name: region - required: true - description: Identifies the AWS region where the event originated. - type: string - - name: detail-type - required: true - description: Identifies, in combination with the source field, the fields and values that appear in the detail field. - type: string - - name: version - required: true - description: By default, this is set to 0 (zero) in all events. - type: string - - name: time - required: true - description: The event timestamp, which can be specified by the service originating the event. If the event spans a time interval, the service might choose to report the start time, so this value can be noticeably before the time the event is actually received. - type: timestamp - timeFormat: rfc3339 - - name: detail - required: true - description: A JSON object, whose content is at the discretion of the service originating the event. The detail content in the example above is very simple, just two fields. AWS API call events have detail objects with around 50 fields nested several levels deep. - type: json diff --git a/schemas/logs/aws/guard_duty.yml b/schemas/logs/aws/guard_duty.yml deleted file mode 100644 index 955b97765..000000000 --- a/schemas/logs/aws/guard_duty.yml +++ /dev/null @@ -1,99 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.GuardDuty -parser: - native: - name: AWS.GuardDuty -description: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS Accounts. -referenceURL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html -version: 0 -fields: - - name: schemaVersion - required: true - description: The schema format version of this record. - type: string - - name: accountId - required: true - description: The ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding. - type: string - - name: region - required: true - description: The AWS region in which the finding was generated. - type: string - - name: partition - required: true - description: The AWS partition in which the finding was generated. - type: string - - name: id - required: true - description: A unique identifier for the finding. - type: string - - name: arn - required: true - description: A unique identifier formatted as an ARN for the finding. - type: string - - name: type - required: true - description: A concise yet readable description of the potential security issue. - type: string - - name: resource - required: true - description: The AWS resource against which the activity took place that prompted GuardDuty to generate this finding. - type: json - - name: severity - required: true - description: The value of the severity can fall anywhere within the 0.1 to 8.9 range. - type: float - - name: createdAt - required: true - description: The initial creation time of the finding (UTC). - type: timestamp - timeFormat: rfc3339 - - name: updatedAt - required: true - description: The last update time of the finding (UTC). - type: timestamp - timeFormat: rfc3339 - - name: title - required: true - description: A short description of the finding. - type: string - - name: description - required: true - description: A long description of the finding. - type: string - - name: service - required: true - description: Additional information about the affected service. - type: object - fields: - - name: additionalInfo - description: AdditionalInfo field - type: json - - name: action - description: Action field - type: json - - name: serviceName - required: true - description: ServiceName field - type: string - - name: detectorId - required: true - description: DetectorID field - type: string - - name: resourceRole - description: ResourceRole field - type: string - - name: eventFirstSeen - description: EventFirstSeen field - type: timestamp - timeFormat: rfc3339 - - name: eventLastSeen - description: EventLastSeen field - type: timestamp - timeFormat: rfc3339 - - name: archived - description: Archived field - type: boolean - - name: count - description: Count field - type: bigint diff --git a/schemas/logs/aws/s_3_server_access.yml b/schemas/logs/aws/s_3_server_access.yml deleted file mode 100644 index 90cb983fe..000000000 --- a/schemas/logs/aws/s_3_server_access.yml +++ /dev/null @@ -1,88 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.S3ServerAccess -parser: - native: - name: AWS.S3ServerAccess -description: S3ServerAccess is an AWS S3 Access Log. -referenceURL: https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html -version: 0 -fields: - - name: bucketowner - required: true - description: The canonical user ID of the owner of the source bucket. The canonical user ID is another form of the AWS account ID. - type: string - - name: bucket - description: The name of the bucket that the request was processed against. If the system receives a malformed request and cannot determine the bucket, the request will not appear in any server access log. - type: string - - name: time - description: The time at which the request was received (UTC). - type: timestamp - timeFormat: rfc3339 - - name: remoteip - description: The apparent internet address of the requester. Intermediate proxies and firewalls might obscure the actual address of the machine making the request. - type: string - - name: requester - description: The canonical user ID of the requester, or NULL for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes. - type: string - - name: requestid - description: A string generated by Amazon S3 to uniquely identify each request. - type: string - - name: operation - description: The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT. - type: string - - name: key - description: The key part of the request, URL encoded, or NULL if the operation does not take a key parameter. - type: string - - name: requesturi - description: The Request-URI part of the HTTP request message. - type: string - - name: httpstatus - description: The numeric HTTP status code of the response. - type: bigint - - name: errorcode - description: The Amazon S3 Error Code, or NULL if no error occurred. - type: string - - name: bytessent - description: The number of response bytes sent, excluding HTTP protocol overhead, or NULL if zero. - type: bigint - - name: objectsize - description: The total size of the object in question. - type: bigint - - name: totaltime - description: The number of milliseconds the request was in flight from the server's perspective. This value is measured from the time your request is received to the time that the last byte of the response is sent. Measurements made from the client's perspective might be longer due to network latency. - type: bigint - - name: turnaroundtime - description: The number of milliseconds that Amazon S3 spent processing your request. This value is measured from the time the last byte of your request was received until the time the first byte of the response was sent. - type: bigint - - name: referrer - description: The value of the HTTP Referer header, if present. HTTP user-agents (for example, browsers) typically set this header to the URL of the linking or embedding page when making a request. - type: string - - name: useragent - description: The value of the HTTP User-Agent header. - type: string - - name: versionid - description: The version ID in the request, or NULL if the operation does not take a versionId parameter. - type: string - - name: hostid - description: The x-amz-id-2 or Amazon S3 extended request ID. - type: string - - name: signatureversion - description: The signature version, SigV2 or SigV4, that was used to authenticate the request or NULL for unauthenticated requests. - type: string - - name: ciphersuite - description: The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or NULL for HTTP. - type: string - - name: authenticationtype - description: The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or NULL for unauthenticated requests. - type: string - - name: hostheader - description: The endpoint used to connect to Amazon S3. - type: string - - name: tlsVersion - description: "The Transport Layer Security (TLS) version negotiated by the client. The value is one of following: TLSv1, TLSv1.1, TLSv1.2; or NULL if TLS wasn't used." - type: string - - name: additionalFields - description: The remaining columns in the record as an array. - type: array - element: - type: string diff --git a/schemas/logs/aws/tests/cloud_trail_digest_tests.yml b/schemas/logs/aws/tests/cloud_trail_digest_tests.yml deleted file mode 100644 index e6d357c32..000000000 --- a/schemas/logs/aws/tests/cloud_trail_digest_tests.yml +++ /dev/null @@ -1,98 +0,0 @@ ---- -name: CloudTrail Digest logs -logType: AWS.CloudTrailDigest -input: | - { - "awsAccountId": "111122223333", - "digestStartTime": "2015-08-17T14:01:31Z", - "digestEndTime": "2015-08-17T15:01:31Z", - "digestS3Bucket": "S3-bucket-name", - "digestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/111122223333_CloudTrail-Digest_us-east-2_your-trail-name_us-east-2_20150817T150131Z.json.gz", - "digestPublicKeyFingerprint": "31e8b5433410dfb61a9dc45cc65b22ff", - "digestSignatureAlgorithm": "SHA256withRSA", - "newestEventTime": "2015-08-17T14:52:27Z", - "oldestEventTime": "2015-08-17T14:42:27Z", - "previousDigestS3Bucket": "S3-bucket-name", - "previousDigestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/111122223333_CloudTrail-Digest_us-east-2_your-trail-name_us-east-2_20150817T140131Z.json.gz", - "previousDigestHashValue": "97fb791cf91ffc440d274f8190dbdd9aa09c34432aba82739df18b6d3c13df2d", - "previousDigestHashAlgorithm": "SHA-256", - "previousDigestSignature": "50887ccffad4c002b97caa37cc9dc626e3c680207d41d27fa5835458e066e0d3652fc4dfc30937e4d5f4cc7f796e7a258fb50a43ac427f2237f6e505d4efaf373d156e15e3b68dea9f58111d395b62628d6bd367a9024d2183b5c5f6e19466d3a996b92df705bc997b8a0e13430f241d733cf95df4e41bb6c304c3f58363043572ea57a27085639ce187e679c0d81c7519b1184fa77fb7ab0b0e40a32dace6e1eefc3995c5ae182da49b62b26398cebb52a2201a6387b75b89c83e5570bcb9bba6c34a80f2f00a1c6ebe07d1ff149eccd812dc805bb3eeff6657db32a6cb48d2d096404eb76181877bc6ebb8cd0b23f823200155b2fd8848d428e46e8456328a", - "logFiles": [ - { - "s3Bucket": "S3-bucket-name", - "s3Object": "AWSLogs/111122223333/CloudTrail/us-east-2/2015/08/17/111122223333_CloudTrail_us-east-2_20150817T1445Z_9nYN7gp2eWAJHIfT.json.gz", - "hashValue": "9bb6196fc6b84d6f075a56548feca262bd99ba3c2de41b618e5b6e22c1fc71f6", - "hashAlgorithm": "SHA-256", - "newestEventTime": "2015-08-17T14:52:27Z", - "oldestEventTime": "2015-08-17T14:42:27Z" - } - ] - } -result: | - { - "awsAccountId": "111122223333", - "digestStartTime": "2015-08-17T14:01:31Z", - "digestEndTime": "2015-08-17T15:01:31Z", - "digestS3Bucket": "S3-bucket-name", - "digestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/111122223333_CloudTrail-Digest_us-east-2_your-trail-name_us-east-2_20150817T150131Z.json.gz", - "digestPublicKeyFingerprint": "31e8b5433410dfb61a9dc45cc65b22ff", - "digestSignatureAlgorithm": "SHA256withRSA", - "newestEventTime": "2015-08-17T14:52:27Z", - "oldestEventTime": "2015-08-17T14:42:27Z", - "previousDigestS3Bucket": "S3-bucket-name", - "previousDigestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/111122223333_CloudTrail-Digest_us-east-2_your-trail-name_us-east-2_20150817T140131Z.json.gz", - "previousDigestHashValue": "97fb791cf91ffc440d274f8190dbdd9aa09c34432aba82739df18b6d3c13df2d", - "previousDigestHashAlgorithm": "SHA-256", - "previousDigestSignature": "50887ccffad4c002b97caa37cc9dc626e3c680207d41d27fa5835458e066e0d3652fc4dfc30937e4d5f4cc7f796e7a258fb50a43ac427f2237f6e505d4efaf373d156e15e3b68dea9f58111d395b62628d6bd367a9024d2183b5c5f6e19466d3a996b92df705bc997b8a0e13430f241d733cf95df4e41bb6c304c3f58363043572ea57a27085639ce187e679c0d81c7519b1184fa77fb7ab0b0e40a32dace6e1eefc3995c5ae182da49b62b26398cebb52a2201a6387b75b89c83e5570bcb9bba6c34a80f2f00a1c6ebe07d1ff149eccd812dc805bb3eeff6657db32a6cb48d2d096404eb76181877bc6ebb8cd0b23f823200155b2fd8848d428e46e8456328a", - "logFiles": [ - { - "s3Bucket": "S3-bucket-name", - "s3Object": "AWSLogs/111122223333/CloudTrail/us-east-2/2015/08/17/111122223333_CloudTrail_us-east-2_20150817T1445Z_9nYN7gp2eWAJHIfT.json.gz", - "hashValue": "9bb6196fc6b84d6f075a56548feca262bd99ba3c2de41b618e5b6e22c1fc71f6", - "hashAlgorithm": "SHA-256", - "newestEventTime": "2015-08-17T14:52:27Z", - "oldestEventTime": "2015-08-17T14:42:27Z" - } - ], - "p_any_aws_account_ids": ["111122223333"], - "p_event_time": "2015-08-17T15:01:31Z", - "p_any_sha256_hashes": [ - "97fb791cf91ffc440d274f8190dbdd9aa09c34432aba82739df18b6d3c13df2d", - "9bb6196fc6b84d6f075a56548feca262bd99ba3c2de41b618e5b6e22c1fc71f6" - ], - "p_log_type": "AWS.CloudTrailDigest" - } ---- -name: CloudTrail Digest logs first record -logType: AWS.CloudTrailDigest -input: | - { - "awsAccountId": "123456789012", - "digestStartTime": "2020-04-21T12:28:23Z", - "digestEndTime": "2020-04-21T13:28:23Z", - "digestS3Bucket": "cloudtrail-test-eu-west-1", - "digestS3Object": "AWSLogs/123456789012/CloudTrail-Digest/eu-west-1/2020/04/21/123456789012_CloudTrail-Digest_eu-west-1_TestTrail_eu-west-1_20200421T132823Z.json.gz", - "digestPublicKeyFingerprint": "f0249abde0f55218ac45bd3750055109", - "digestSignatureAlgorithm": "SHA256withRSA", - "newestEventTime": null, - "oldestEventTime": null, - "previousDigestS3Bucket": null, - "previousDigestS3Object": null, - "previousDigestHashValue": null, - "previousDigestHashAlgorithm": null, - "previousDigestSignature": null, - "logFiles": [] - } -result: | - { - "awsAccountId": "123456789012", - "digestStartTime": "2020-04-21T12:28:23Z", - "digestEndTime": "2020-04-21T13:28:23Z", - "digestS3Bucket": "cloudtrail-test-eu-west-1", - "digestS3Object": "AWSLogs/123456789012/CloudTrail-Digest/eu-west-1/2020/04/21/123456789012_CloudTrail-Digest_eu-west-1_TestTrail_eu-west-1_20200421T132823Z.json.gz", - "digestPublicKeyFingerprint": "f0249abde0f55218ac45bd3750055109", - "digestSignatureAlgorithm": "SHA256withRSA", - "p_any_aws_account_ids": ["123456789012"], - "p_event_time": "2020-04-21T13:28:23Z", - "p_log_type": "AWS.CloudTrailDigest" - } diff --git a/schemas/logs/aws/tests/cloud_trail_insight_tests.yml b/schemas/logs/aws/tests/cloud_trail_insight_tests.yml deleted file mode 100644 index 06db692d5..000000000 --- a/schemas/logs/aws/tests/cloud_trail_insight_tests.yml +++ /dev/null @@ -1,125 +0,0 @@ ---- -name: CloudTrail Insights -logType: AWS.CloudTrailInsight -input: | - { - "Records": [ - { - "eventVersion": "1.07", - "eventTime": "2019-10-17T10:05:00Z", - "awsRegion": "us-east-1", - "eventID": "aab985f2-3a56-48cc-a8a5-e0af77606f5f", - "eventType": "AwsCloudTrailInsight", - "recipientAccountId": "123456789012", - "sharedEventID": "12edc982-3348-4794-83d3-a3db26525049", - "insightDetails": { - "state": "Start", - "eventSource": "ssm.amazonaws.com", - "eventName": "UpdateInstanceAssociationStatus", - "insightType": "ApiCallRateInsight", - "insightContext": { - "statistics": { - "baseline": { - "average": 1.7561507937 - }, - "insight": { - "average": 50.1 - } - } - } - }, - "eventCategory": "Insight" - }, - { - "eventVersion": "1.07", - "eventTime": "2019-10-17T10:13:00Z", - "awsRegion": "us-east-1", - "eventID": "ce7b8ac1-3f89-4dae-8d2a-6560e32f591a", - "eventType": "AwsCloudTrailInsight", - "recipientAccountId": "123456789012", - "sharedEventID": "12edc982-3348-4794-83d3-a3db26525049", - "insightDetails": { - "state": "End", - "eventSource": "ssm.amazonaws.com", - "eventName": "UpdateInstanceAssociationStatus", - "insightType": "ApiCallRateInsight", - "insightContext": { - "statistics": { - "baseline": { - "average": 1.7561507937 - }, - "insight": { - "average": 50 - }, - "insightDuration": 8 - } - } - }, - "eventCategory": "Insight" - } - ] - } -results: - - | - { - "eventVersion": "1.07", - "eventTime": "2019-10-17T10:05:00Z", - "awsRegion": "us-east-1", - "eventId": "aab985f2-3a56-48cc-a8a5-e0af77606f5f", - "eventType": "AwsCloudTrailInsight", - "recipientAccountId": "123456789012", - "sharedEventId": "12edc982-3348-4794-83d3-a3db26525049", - "insightDetails": { - "state": "Start", - "eventSource": "ssm.amazonaws.com", - "eventName": "UpdateInstanceAssociationStatus", - "insightType": "ApiCallRateInsight", - "insightContext": { - "statistics": { - "baseline": { - "average": 1.7561507937 - }, - "insight": { - "average": 50.1 - } - } - } - }, - "eventCategory": "Insight", - "p_event_time": "2019-10-17T10:05:00Z", - "p_any_aws_account_ids": ["123456789012"], - "p_any_trace_ids": ["12edc982-3348-4794-83d3-a3db26525049"], - "p_log_type": "AWS.CloudTrailInsight" - } - - | - { - "eventVersion": "1.07", - "eventTime": "2019-10-17T10:13:00Z", - "awsRegion": "us-east-1", - "eventId": "ce7b8ac1-3f89-4dae-8d2a-6560e32f591a", - "eventType": "AwsCloudTrailInsight", - "recipientAccountId": "123456789012", - "sharedEventId": "12edc982-3348-4794-83d3-a3db26525049", - "insightDetails": { - "state": "End", - "eventSource": "ssm.amazonaws.com", - "eventName": "UpdateInstanceAssociationStatus", - "insightType": "ApiCallRateInsight", - "insightContext": { - "statistics": { - "baseline": { - "average": 1.7561507937 - }, - "insight": { - "average": 50 - }, - "insightDuration": 8 - } - } - }, - "eventCategory": "Insight", - "p_event_time": "2019-10-17T10:13:00Z", - "p_any_aws_account_ids": ["123456789012"], - "p_any_trace_ids": ["12edc982-3348-4794-83d3-a3db26525049"], - "p_log_type": "AWS.CloudTrailInsight" - } diff --git a/schemas/logs/aws/tests/cloud_trail_tests.yml b/schemas/logs/aws/tests/cloud_trail_tests.yml deleted file mode 100644 index 515f660f1..000000000 --- a/schemas/logs/aws/tests/cloud_trail_tests.yml +++ /dev/null @@ -1,179 +0,0 @@ ---- -name: cloud_trail_generate_data_key -logType: AWS.CloudTrail -input: | - { - "eventVersion":"1.05", - "userIdentity":{ - "type":"AWSService", - "invokedBy":"cloudtrail.amazonaws.com" - }, - "eventTime":"2018-08-26T14:17:23Z", - "eventSource":"kms.amazonaws.com", - "eventName":"GenerateDataKey", - "awsRegion":"us-west-2", - "sourceIPAddress":"cloudtrail.amazonaws.com", - "userAgent":"cloudtrail.amazonaws.com", - "requestParameters":{ - "keySpec":"AES_256", - "encryptionContext":{ - "aws:cloudtrail:arn":"arn:aws:cloudtrail:us-west-2:888888888888:trail/panther-lab-cloudtrail", - "aws:s3:arn": "arn:aws:s3:::panther-lab-cloudtrail/AWSLogs/888888888888/CloudTrail/us-west-2/2018/08/26/888888888888_CloudTrail_us-west-2_20180826T1410Z_inUwlhwpSGtlqmIN.json.gz" - }, - "keyId":"arn:aws:kms:us-west-2:888888888888:key/72c37aae-1000-4058-93d4-86374c0fe9a0" - }, - "responseElements":null, - "requestID":"3cff2472-5a91-4bd9-b6d2-8a7a1aaa9086", - "eventID":"7a215e16-e0ad-4f6c-82b9-33ff6bbdedd2", - "readOnly":true, - "resources":[ - {"arn":"arn:aws:kms:us-west-2:888888888888:key/72c37aae-1000-4058-93d4-86374c0fe9a0","accountId":"888888888888","type":"AWS::KMS::Key"} - ], - "eventType":"AwsApiCall", - "recipientAccountId":"777777777777", - "sharedEventID":"238c190c-1a30-4756-8e08-19fc36ad1b9f" - } -result: | - { - "eventVersion":"1.05", - "userIdentity":{ - "type":"AWSService", - "invokedBy":"cloudtrail.amazonaws.com" - }, - "eventTime":"2018-08-26T14:17:23Z", - "eventSource":"kms.amazonaws.com", - "eventName":"GenerateDataKey", - "awsRegion":"us-west-2", - "sourceIPAddress":"cloudtrail.amazonaws.com", - "userAgent":"cloudtrail.amazonaws.com", - "requestParameters":{ - "keySpec":"AES_256", - "encryptionContext":{ - "aws:cloudtrail:arn":"arn:aws:cloudtrail:us-west-2:888888888888:trail/panther-lab-cloudtrail", - "aws:s3:arn": "arn:aws:s3:::panther-lab-cloudtrail/AWSLogs/888888888888/CloudTrail/us-west-2/2018/08/26/888888888888_CloudTrail_us-west-2_20180826T1410Z_inUwlhwpSGtlqmIN.json.gz" - }, - "keyId":"arn:aws:kms:us-west-2:888888888888:key/72c37aae-1000-4058-93d4-86374c0fe9a0" - }, - "responseElements":null, - "requestID":"3cff2472-5a91-4bd9-b6d2-8a7a1aaa9086", - "eventID":"7a215e16-e0ad-4f6c-82b9-33ff6bbdedd2", - "readOnly":true, - "resources":[ - {"arn":"arn:aws:kms:us-west-2:888888888888:key/72c37aae-1000-4058-93d4-86374c0fe9a0","accountId":"888888888888","type":"AWS::KMS::Key"} - ], - "eventType":"AwsApiCall", - "recipientAccountId":"777777777777", - "sharedEventID":"238c190c-1a30-4756-8e08-19fc36ad1b9f", - "p_event_time": "2018-08-26T14:17:23Z", - "p_any_aws_arns": [ - "arn:aws:cloudtrail:us-west-2:888888888888:trail/panther-lab-cloudtrail", - "arn:aws:kms:us-west-2:888888888888:key/72c37aae-1000-4058-93d4-86374c0fe9a0", - "arn:aws:s3:::panther-lab-cloudtrail/AWSLogs/888888888888/CloudTrail/us-west-2/2018/08/26/888888888888_CloudTrail_us-west-2_20180826T1410Z_inUwlhwpSGtlqmIN.json.gz" - ], - "p_any_domain_names": [ - "cloudtrail.amazonaws.com" - ], - "p_any_aws_account_ids": ["777777777777","888888888888"], - "p_log_type": "AWS.CloudTrail" - } ---- -name: cloud_trail_decrypt -logType: AWS.CloudTrail -input: | - { - "eventVersion":"1.05", - "userIdentity":{ - "type":"AssumedRole", - "principalId":"AROAQXSBWDWTDYDZAXXXX:panther-log-processor", - "arn":"arn:aws:sts::888888888888:assumed-role/panther-app-LogProcessor-XXXXXXXXXXXX-FunctionRole-XXXXXXXXXX/panther-log-processor", - "accountId":"888888888888", - "accessKeyId":"ASIA123456789EXAMPLE", - "sessionContext":{ - "sessionIssuer":{ - "type":"Role", - "principalId":"AROAQXSBWDWTDYDZAXXXX", - "arn":"arn:aws:iam::888888888888:role/panther-app-LogProcessor-XXXXXXXXXXXX-FunctionRole-XXXXXXXXXX", - "accountId":"888888888888", - "userName":"panther-app-LogProcessor-XXXXXXXXXXXX-FunctionRole-XXXXXXXXXX" - }, - "attributes":{ - "mfaAuthenticated":"false", - "creationDate":"2018-02-20T13:13:35Z" - } - } - }, - "eventTime":"2018-08-26T14:17:23Z", - "eventSource":"kms.amazonaws.com", - "eventName":"Decrypt", - "awsRegion":"us-east-1", - "sourceIPAddress":"1.2.3.4", - "userAgent":"aws-internal/3 aws-sdk-java/1.11.706 Linux/4.14.77-70.59.amzn1.x86_64 OpenJDK_64-Bit_Server_VM/25.242-b08 java/1.8.0_242 vendor/Oracle_Corporation", - "requestParameters":{ - "encryptionContext":{ - "aws:lambda:FunctionArn":"arn:aws:lambda:us-east-1:888888888888:function:panther-log-processor" - }, - "encryptionAlgorithm":"SYMMETRIC_DEFAULT" - }, - "responseElements":null, - "requestID": "3c5a008c-80d5-491a-bf76-0cac924f6ebb", - "eventID":"1852a808-86e8-4b4c-9d4d-01a85b6a39cd", - "readOnly":true, - "resources":[ - {"accountId":"888888888888","type":"AWS::KMS::Key","arn":"arn:aws:kms:us-east-1:888888888888:key/90be6df2-db60-4237-ad9b-a49260XXXXX"} - ], - "eventType":"AwsApiCall" - } -result: | - { - "eventVersion":"1.05", - "userIdentity":{ - "type":"AssumedRole", - "principalId":"AROAQXSBWDWTDYDZAXXXX:panther-log-processor", - "arn":"arn:aws:sts::888888888888:assumed-role/panther-app-LogProcessor-XXXXXXXXXXXX-FunctionRole-XXXXXXXXXX/panther-log-processor", - "accountId":"888888888888", - "accessKeyId":"ASIA123456789EXAMPLE", - "sessionContext":{ - "sessionIssuer":{ - "type":"Role", - "principalId":"AROAQXSBWDWTDYDZAXXXX", - "arn":"arn:aws:iam::888888888888:role/panther-app-LogProcessor-XXXXXXXXXXXX-FunctionRole-XXXXXXXXXX", - "accountId":"888888888888", - "userName":"panther-app-LogProcessor-XXXXXXXXXXXX-FunctionRole-XXXXXXXXXX" - }, - "attributes":{ - "mfaAuthenticated":"false", - "creationDate":"2018-02-20T13:13:35Z" - } - } - }, - "eventTime":"2018-08-26T14:17:23Z", - "eventSource":"kms.amazonaws.com", - "eventName":"Decrypt", - "awsRegion":"us-east-1", - "sourceIPAddress":"1.2.3.4", - "userAgent":"aws-internal/3 aws-sdk-java/1.11.706 Linux/4.14.77-70.59.amzn1.x86_64 OpenJDK_64-Bit_Server_VM/25.242-b08 java/1.8.0_242 vendor/Oracle_Corporation", - "requestParameters":{ - "encryptionContext":{ - "aws:lambda:FunctionArn":"arn:aws:lambda:us-east-1:888888888888:function:panther-log-processor" - }, - "encryptionAlgorithm":"SYMMETRIC_DEFAULT" - }, - "responseElements":null, - "requestID": "3c5a008c-80d5-491a-bf76-0cac924f6ebb", - "eventID":"1852a808-86e8-4b4c-9d4d-01a85b6a39cd", - "readOnly":true, - "resources":[ - {"accountId":"888888888888","type":"AWS::KMS::Key","arn":"arn:aws:kms:us-east-1:888888888888:key/90be6df2-db60-4237-ad9b-a49260XXXXX"} - ], - "eventType":"AwsApiCall", - "p_event_time": "2018-08-26T14:17:23Z", - "p_any_aws_arns": [ - "arn:aws:iam::888888888888:role/panther-app-LogProcessor-XXXXXXXXXXXX-FunctionRole-XXXXXXXXXX", - "arn:aws:kms:us-east-1:888888888888:key/90be6df2-db60-4237-ad9b-a49260XXXXX", - "arn:aws:lambda:us-east-1:888888888888:function:panther-log-processor", - "arn:aws:sts::888888888888:assumed-role/panther-app-LogProcessor-XXXXXXXXXXXX-FunctionRole-XXXXXXXXXX/panther-log-processor" - ], - "p_any_aws_account_ids": ["888888888888"], - "p_any_ip_addresses": ["1.2.3.4"], - "p_log_type": "AWS.CloudTrail" - } diff --git a/schemas/logs/aws/tests/vpc_dns_tests.yml b/schemas/logs/aws/tests/vpc_dns_tests.yml deleted file mode 100644 index ad93c4cc9..000000000 --- a/schemas/logs/aws/tests/vpc_dns_tests.yml +++ /dev/null @@ -1,121 +0,0 @@ ---- -name: vpc_dns_example -logType: AWS.VPCDns -input: | - { - "version": "1.000000", - "account_id": "111122223333", - "region": "us-west-2", - "vpc_id": "vpc-7example", - "query_timestamp": "2020-07-27T16:32:20Z", - "query_name": "api.example.com.", - "query_type": "A", - "query_class": "IN", - "rcode": "NOERROR", - "answers": [ - { - "Rdata": "192.0.2.44", - "Type": "A", - "Class": "IN" - }, - { - "Rdata": "198.51.100.6", - "Type": "A", - "Class": "IN" - }, - { - "Rdata": "203.0.113.8", - "Type": "A", - "Class": "IN" - }, - { - "Rdata": "203.0.113.9", - "Type": "A", - "Class": "IN" - }, - { - "Rdata": "foo@bar.com.", - "Type": "CNAME", - "Class": "IN" - }, - { - "Rdata": "xn--fa-hia.com.", - "Type": "CNAME", - "Class": "IN" - }, - { - "Rdata": "static-someip.rackbank.com.", - "Type": "PTR", - "Class": "IN" - } - ], - "srcaddr": "192.0.2.15", - "srcport": "50637", - "transport": "UDP", - "srcids": { - "instance": "i-0d15cd0d3example", - "resolver-endpoint": "rslvr-out-2345678dfghexample" - } - } -result: | - { - "version": "1.000000", - "account_id": "111122223333", - "region": "us-west-2", - "vpc_id": "vpc-7example", - "query_timestamp": "2020-07-27T16:32:20Z", - "query_name": "api.example.com.", - "query_type": "A", - "query_class": "IN", - "rcode": "NOERROR", - "answers": [ - { - "Rdata": "192.0.2.44", - "Type": "A", - "Class": "IN" - }, - { - "Rdata": "198.51.100.6", - "Type": "A", - "Class": "IN" - }, - { - "Rdata": "203.0.113.8", - "Type": "A", - "Class": "IN" - }, - { - "Rdata": "203.0.113.9", - "Type": "A", - "Class": "IN" - }, - { - "Rdata": "foo@bar.com.", - "Type": "CNAME", - "Class": "IN" - }, - { - "Rdata": "xn--fa-hia.com.", - "Type": "CNAME", - "Class": "IN" - }, - { - "Rdata": "static-someip.rackbank.com.", - "Type": "PTR", - "Class": "IN" - } - ], - "srcaddr": "192.0.2.15", - "srcport": "50637", - "transport": "UDP", - "srcids": { - "instance": "i-0d15cd0d3example", - "resolver-endpoint": "rslvr-out-2345678dfghexample" - }, - "p_event_time": "2020-07-27T16:32:20Z", - "p_log_type": "AWS.VPCDns", - "p_any_aws_account_ids": ["111122223333"], - "p_any_aws_instance_ids": ["i-0d15cd0d3example"], - "p_any_ip_addresses": ["192.0.2.15", "192.0.2.44", "198.51.100.6", "203.0.113.8", "203.0.113.9"], - "p_any_domain_names": ["api.example.com", "faß.com", "foo@bar.com", "static-someip.rackbank.com"] - } diff --git a/schemas/logs/aws/tests/waf_web_acl_tests.yml b/schemas/logs/aws/tests/waf_web_acl_tests.yml deleted file mode 100644 index 041015882..000000000 --- a/schemas/logs/aws/tests/waf_web_acl_tests.yml +++ /dev/null @@ -1,616 +0,0 @@ ---- -name: waf_web_acl_no_match -logType: AWS.WAFWebACL -input: | - { - "timestamp": 1610452695501, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "Default_Action", - "terminatingRuleType": "REGULAR", - "action": "ALLOW", - "terminatingRuleMatchDetails": [], - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [], - "rateBasedRuleList": [], - "nonTerminatingMatchingRules": [], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/", - "args": "o=11 AND 1=1", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffd8ed7-1c9649c448649a15241ac25a" - } - } -result: | - { - "timestamp": 1610452695501, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "Default_Action", - "terminatingRuleType": "REGULAR", - "action": "ALLOW", - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/", - "args": "o=11 AND 1=1", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffd8ed7-1c9649c448649a15241ac25a" - }, - "p_event_time": "2021-01-12T11:58:15.501Z", - "p_any_ip_addresses": ["10.0.0.1"], - "p_any_trace_ids": ["1-5ffd8ed7-1c9649c448649a15241ac25a"], - "p_log_type": "AWS.WAFWebACL" - } ---- -name: waf_web_acl_rule_exclusion -logType: AWS.WAFWebACL -input: | - { - "timestamp": 1610450198436, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "Default_Action", - "terminatingRuleType": "REGULAR", - "action": "ALLOW", - "terminatingRuleMatchDetails": [], - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [ - { - "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", - "terminatingRule": null, - "nonTerminatingMatchingRules": [], - "excludedRules": [ - { - "exclusionType": "EXCLUDED_AS_COUNT", - "ruleId": "SQLi_QUERYARGUMENTS" - } - ] - } - ], - "rateBasedRuleList": [], - "nonTerminatingMatchingRules": [], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/", - "args": "o=10 AND 1=1", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffd8516-7f16578f3b0262c41c10f7a9" - } - } -result: | - { - "timestamp": 1610450198436, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "Default_Action", - "terminatingRuleType": "REGULAR", - "action": "ALLOW", - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [ - { - "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", - "excludedRules": [ - { - "exclusionType": "EXCLUDED_AS_COUNT", - "ruleId": "SQLi_QUERYARGUMENTS" - } - ] - } - ], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/", - "args": "o=10 AND 1=1", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffd8516-7f16578f3b0262c41c10f7a9" - }, - "p_event_time": "2021-01-12T11:16:38.436Z", - "p_any_ip_addresses": ["10.0.0.1"], - "p_any_trace_ids": ["1-5ffd8516-7f16578f3b0262c41c10f7a9"], - "p_log_type": "AWS.WAFWebACL" - } ---- -name: waf_web_acl_non_terminating_rule -logType: AWS.WAFWebACL -input: | - { - "timestamp": 1610451138169, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "Default_Action", - "terminatingRuleType": "REGULAR", - "action": "ALLOW", - "terminatingRuleMatchDetails": [], - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [ - { - "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", - "terminatingRule": { - "ruleId": "SQLi_QUERYARGUMENTS", - "action": "BLOCK", - "ruleMatchDetails": null - }, - "nonTerminatingMatchingRules": [], - "excludedRules": null - } - ], - "rateBasedRuleList": [], - "nonTerminatingMatchingRules": [ - { - "ruleId": "AWS-AWSManagedRulesSQLiRuleSet", - "action": "COUNT", - "ruleMatchDetails": [ - { - "conditionType": "SQL_INJECTION", - "location": "ALL_QUERY_ARGS", - "matchedData": [ - "10", - "AND", - "1" - ] - } - ] - } - ], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/", - "args": "o=10 AND 1=1", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffd88c2-174f31437530757342a794dd" - } - } -result: | - { - "timestamp": 1610451138169, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "Default_Action", - "terminatingRuleType": "REGULAR", - "action": "ALLOW", - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [ - { - "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", - "terminatingRule": { - "ruleId": "SQLi_QUERYARGUMENTS", - "action": "BLOCK" - } - } - ], - "nonTerminatingMatchingRules": [ - { - "ruleId": "AWS-AWSManagedRulesSQLiRuleSet", - "action": "COUNT", - "ruleMatchDetails": [ - { - "conditionType": "SQL_INJECTION", - "location": "ALL_QUERY_ARGS", - "matchedData": [ - "10", - "AND", - "1" - ] - } - ] - } - ], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/", - "args": "o=10 AND 1=1", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffd88c2-174f31437530757342a794dd" - }, - "p_event_time": "2021-01-12T11:32:18.169Z", - "p_any_ip_addresses": ["10.0.0.1"], - "p_any_trace_ids": ["1-5ffd88c2-174f31437530757342a794dd"], - "p_log_type": "AWS.WAFWebACL" - } ---- -name: waf_web_acl_regular_rule_block_action -logType: AWS.WAFWebACL -input: | - { - "timestamp": 1610442057134, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "block_badbot_by_user_agent", - "terminatingRuleType": "REGULAR", - "action": "BLOCK", - "terminatingRuleMatchDetails": [], - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [], - "rateBasedRuleList": [], - "nonTerminatingMatchingRules": [], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "accept", - "value": "*/*" - }, - { - "name": "user-agent", - "value": "Badbot" - }, - { - "name": "x-redacted-header", - "value": "REDACTED" - } - ], - "uri": "/", - "args": "", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffd6549-297a96021598ace405676378" - } - } -result: | - { - "timestamp": 1610442057134, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "block_badbot_by_user_agent", - "terminatingRuleType": "REGULAR", - "action": "BLOCK", - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "accept", - "value": "*/*" - }, - { - "name": "user-agent", - "value": "Badbot" - }, - { - "name": "x-redacted-header", - "value": "REDACTED" - } - ], - "uri": "/", - "args": "", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffd6549-297a96021598ace405676378" - }, - "p_event_time": "2021-01-12T09:00:57.134Z", - "p_any_ip_addresses": ["10.0.0.1"], - "p_any_trace_ids": ["1-5ffd6549-297a96021598ace405676378"], - "p_log_type": "AWS.WAFWebACL" - } ---- -name: waf_web_acl_rate_based_rule_block_action -logType: AWS.WAFWebACL -input: | - { - "timestamp": 1610380059751, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "sign_in_rate_limiting", - "terminatingRuleType": "RATE_BASED", - "action": "BLOCK", - "terminatingRuleMatchDetails": [], - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [], - "rateBasedRuleList": [ - { - "rateBasedRuleId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE_MANAGED:regional/ipset/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f_89ddcf0e-dac0-41af-a40a-a198e316aa04_IPV4/89ddcf0e-dac0-41af-a40a-a198e316aa04", - "rateBasedRuleName": "sign_in_rate_limiting", - "limitKey": "IP", - "maxRateAllowed": 100, - "limitValue": "10.0.0.1" - } - ], - "nonTerminatingMatchingRules": [], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/sign-in", - "args": "", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffc731b-3b2ebfc665f7de91566b9199" - } - } -result: | - { - "timestamp": 1610380059751, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "sign_in_rate_limiting", - "terminatingRuleType": "RATE_BASED", - "action": "BLOCK", - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "rateBasedRuleList": [ - { - "rateBasedRuleId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE_MANAGED:regional/ipset/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f_89ddcf0e-dac0-41af-a40a-a198e316aa04_IPV4/89ddcf0e-dac0-41af-a40a-a198e316aa04", - "rateBasedRuleName": "sign_in_rate_limiting", - "limitKey": "IP", - "maxRateAllowed": 100, - "limitValue": "10.0.0.1" - } - ], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/sign-in", - "args": "", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffc731b-3b2ebfc665f7de91566b9199" - }, - "p_event_time": "2021-01-11T15:47:39.751Z", - "p_any_ip_addresses": ["10.0.0.1"], - "p_any_trace_ids": ["1-5ffc731b-3b2ebfc665f7de91566b9199"], - "p_log_type": "AWS.WAFWebACL" - } ---- -name: waf_web_rule_group_block_action -logType: AWS.WAFWebACL -input: | - { - "timestamp": 1610380267298, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", - "terminatingRuleType": "MANAGED_RULE_GROUP", - "action": "BLOCK", - "terminatingRuleMatchDetails": [ - { - "conditionType": "SQL_INJECTION", - "location": "ALL_QUERY_ARGS", - "matchedData": [ - "10", - "AND", - "1" - ] - } - ], - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [ - { - "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", - "terminatingRule": { - "ruleId": "SQLi_QUERYARGUMENTS", - "action": "BLOCK", - "ruleMatchDetails": null - }, - "nonTerminatingMatchingRules": [], - "excludedRules": null - } - ], - "rateBasedRuleList": [], - "nonTerminatingMatchingRules": [], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/", - "args": "o=10 AND 1=1", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffc73eb-280dd24d31bf31450ebdb518" - } - } -result: | - { - "timestamp": 1610380267298, - "formatVersion": 1, - "webaclId": "arn:aws:wafv2:us-west-2:123456789EXAMPLE:regional/webacl/panther_web_dev/f96fe2f4-a2f4-4c06-a4bc-afd495bd675f", - "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", - "terminatingRuleType": "MANAGED_RULE_GROUP", - "action": "BLOCK", - "terminatingRuleMatchDetails": [ - { - "conditionType": "SQL_INJECTION", - "location": "ALL_QUERY_ARGS", - "matchedData": [ - "10", - "AND", - "1" - ] - } - ], - "httpSourceName": "ALB", - "httpSourceId": "123456789EXAMPLE-app/web/768dd9170f08bb0d", - "ruleGroupList": [ - { - "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", - "terminatingRule": { - "ruleId": "SQLi_QUERYARGUMENTS", - "action": "BLOCK" - } - } - ], - "httpRequest": { - "clientIp": "10.0.0.1", - "country": "GR", - "headers": [ - { - "name": "Host", - "value": "web-123456789.us-west-2.elb.amazonaws.com" - }, - { - "name": "user-agent", - "value": "curl/7.64.1" - }, - { - "name": "accept", - "value": "*/*" - } - ], - "uri": "/", - "args": "o=10 AND 1=1", - "httpVersion": "HTTP/2.0", - "httpMethod": "HEAD", - "requestId": "1-5ffc73eb-280dd24d31bf31450ebdb518" - }, - "p_event_time": "2021-01-11T15:51:07.298Z", - "p_any_ip_addresses": ["10.0.0.1"], - "p_any_trace_ids": ["1-5ffc73eb-280dd24d31bf31450ebdb518"], - "p_log_type": "AWS.WAFWebACL" - } diff --git a/schemas/logs/aws/vpc_dns.yml b/schemas/logs/aws/vpc_dns.yml deleted file mode 100644 index 2872697b2..000000000 --- a/schemas/logs/aws/vpc_dns.yml +++ /dev/null @@ -1,95 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.VPCDns -parser: - native: - name: AWS.VPCDns -description: DNS query logs of the queries that VPC DNS resolvers forward to Route 53. -referenceURL: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs-format.html -version: 0 -fields: - - name: version - required: true - description: The version number of the query log format. If we add fields to the log or change the format of existing fields, we'll increment this value. - type: string - - name: account_id - required: true - description: The ID of the AWS account that created the VPC. - type: string - indicators: - - aws_account_id - - name: region - required: true - description: The AWS Region that you created the VPC in. - type: string - - name: vpc_id - required: true - description: The ID of the VPC that the query originated in. - type: string - - name: query_timestamp - required: true - description: The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC) - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: query_name - required: true - description: The domain name (example.com) or subdomain name (www.example.com) that was specified in the query. - type: string - - name: query_type - required: true - description: Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports. - type: string - - name: query_class - required: true - description: The class of the query. - type: string - - name: rcode - required: true - description: The DNS response code that Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is NOERROR, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see DNS RCODEs on the IANA website. - type: string - - name: answers - required: true - description: Answers to the query - type: array - element: - type: object - fields: - - name: Rdata - required: true - description: The value that Resolver returned in response to the query. For example, for an A record, this is an IP address in IPv4 format. For a CNAME record, this is the domain name in the CNAME record. - type: string - - name: Type - required: true - description: The DNS record type (such as A, MX, or CNAME) of the value that Resolver is returning in response to the query. - type: string - - name: Class - required: true - description: The class of the Resolver response to the query. - type: string - - name: srcaddr - required: true - description: The IP address of the instance that the query originated from. - type: string - indicators: - - ip - - name: srcport - required: true - description: The port on the instance that the query originated from. - type: string - - name: transport - required: true - description: The protocol used to submit the DNS query. - type: string - - name: srcids - required: true - description: The list of IDs of the sources the DNS query originated from or passed through. - type: object - fields: - - name: instance - description: The ID of the instance that the query originated from. - type: string - indicators: - - aws_instance_id - - name: resolver-endpoint - description: The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers. - type: string diff --git a/schemas/logs/aws/vpc_flow.yml b/schemas/logs/aws/vpc_flow.yml deleted file mode 100644 index 456259057..000000000 --- a/schemas/logs/aws/vpc_flow.yml +++ /dev/null @@ -1,89 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.VPCFlow -parser: - native: - name: AWS.VPCFlow -description: VPCFlow is a VPC NetFlow log, which is a layer 3 representation of network traffic in EC2. -referenceURL: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html -version: 0 -fields: - - name: version - description: The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3. - type: bigint - - name: account - description: The AWS account ID for the flow log. - type: string - - name: interfaceId - description: The ID of the network interface for which the traffic is recorded. - type: string - - name: srcAddr - description: The source address for incoming traffic, or the IPv4 or IPv6 address of the network interface for outgoing traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address. - type: string - - name: dstAddr - description: The destination address for outgoing traffic, or the IPv4 or IPv6 address of the network interface for incoming traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address. - type: string - - name: srcPort - description: The source port of the traffic. - type: bigint - - name: dstPort - description: The destination port of the traffic. - type: bigint - - name: protocol - description: The IANA protocol number of the traffic. - type: bigint - - name: packets - description: The number of packets transferred during the flow. - type: bigint - - name: bytes - description: The number of bytes transferred during the flow. - type: bigint - - name: start - required: true - description: The time of the start of the flow (UTC). - type: timestamp - timeFormat: rfc3339 - - name: end - required: true - description: The time of the end of the flow (UTC). - type: timestamp - timeFormat: rfc3339 - - name: action - description: "The action that is associated with the traffic. ACCEPT: The recorded traffic was permitted by the security groups or network ACLs. REJECT: The recorded traffic was not permitted by the security groups or network ACLs." - type: string - - name: status - required: true - description: "The logging status of the flow log. OK: Data is logging normally to the chosen destinations. NODATA: There was no network traffic to or from the network interface during the capture window. SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error." - type: string - - name: vpcId - description: The ID of the VPC that contains the network interface for which the traffic is recorded. - type: string - - name: subNetId - description: The ID of the subnet that contains the network interface for which the traffic is recorded. - type: string - - name: instanceId - description: The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. Returns a '-' symbol for a requester-managed network interface; for example, the network interface for a NAT gateway. - type: string - - name: tcpFlags - description: "The bitmask value for the following TCP flags: SYN: 2, SYN-ACK: 18, FIN: 1, RST: 4. ACK is reported only when it's accompanied with SYN. TCP flags can be OR-ed during the aggregation interval. For short connections, the flags might be set on the same line in the flow log record, for example, 19 for SYN-ACK and FIN, and 3 for SYN and FIN." - type: bigint - - name: trafficType - description: "The type of traffic: IPv4, IPv6, or EFA." - type: string - - name: pktSrcAddr - description: The packet-level (original) source IP address of the traffic. Use this field with the srcaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running. - type: string - - name: pktDstAddr - description: The packet-level (original) destination IP address for the traffic. Use this field with the dstaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the final destination IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running. - type: string - - name: pktSrcAwsService - description: "The name of the subset of IP address ranges for the pkt-srcaddr field, if the source IP address is for an AWS service. The possible values are: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | ROUTE53 | ROUTE53_HEALTHCHECKS | S3 | WORKSPACES_GATEWAYS." - type: string - - name: pktDstAwsService - description: The name of the subset of IP address ranges for the pkt-dstaddr field, if the destination IP address is for an AWS service. For a list of possible values, see the pkt-src-aws-service field. - type: string - - name: flowDirection - description: "The direction of the flow with respect to the interface where traffic is captured. The possible values are: ingress | egress." - type: string - - name: trafficPath - description: The path that egress traffic takes to the destination. To determine whether the traffic is egress traffic, check the flow-direction field. The possible values are as follows. If none of the values apply, the field is set to -. If the network interface is attached to an instance based on the Nitro System, the possible values include 7 and 8 but not 2. With instances not based on the Nitro System (for example, T2 and M4), the possible values include 2 but not 7 or 8. 1 — Through another resource in the same VPC, 2 — Through an internet gateway or a gateway VPC endpoint, 3 — Through a virtual private gateway, 4 — Through an intra-region VPC peering connection, 5 — Through an inter-region VPC peering connection, 6 — Through a local gateway, 7 — Through a gateway VPC endpoint, 8 — Through an internet gateway - type: smallint diff --git a/schemas/logs/aws/waf_web_acl.yml b/schemas/logs/aws/waf_web_acl.yml deleted file mode 100644 index f9d61d057..000000000 --- a/schemas/logs/aws/waf_web_acl.yml +++ /dev/null @@ -1,225 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: AWS.WAFWebACL -parser: - native: - name: AWS.WAFWebACL -description: WAF Web ACL traffic information logs. -referenceURL: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html -version: 0 -fields: - - name: action - required: true - description: "The action applied by WAF. Possible values for a terminating rule: ALLOW and BLOCK. COUNT is not a valid value for a terminating rule." - type: string - - name: formatVersion - description: The format version for the log. - type: smallint - - name: httpRequest - required: true - description: The metadata about the request. - type: object - fields: - - name: args - description: The HTTP Request query string. - type: string - - name: clientIp - description: The IP address of the client sending the request. - type: string - indicators: - - ip - - name: country - description: The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to -. - type: string - - name: headers - description: The list of headers. - type: array - element: - type: object - fields: - - name: name - description: The header name. - type: string - - name: value - description: The header value. - type: string - - name: httpMethod - description: The HTTP method in the request. - type: string - - name: httpVersion - description: The HTTP version, e.g. HTTP/2.0. - type: string - - name: requestId - description: The ID of the request, which is generated by the underlying host service. For Application Load Balancer, this is the trace ID. For all others, this is the request ID. - type: string - indicators: - - trace_id - - name: uri - description: The URI of the request. - type: string - - name: httpSourceId - required: true - description: The source ID. This field shows the ID of the associated resource. - type: string - - name: httpSourceName - description: "The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync." - type: string - - name: nonTerminatingMatchingRules - description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match). - type: array - element: - type: object - fields: - - name: ruleId - description: The Rule ID. - type: string - - name: action - description: The configured rule action. For non-terminating rules the value is always COUNT. - type: string - - name: ruleMatchDetails - description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. - type: array - element: - type: object - fields: - - name: conditionType - description: The vulnerability type, either SQL_INJECTION or XSS - type: string - - name: location - description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc. - type: string - - name: matchedData - description: The list of strings that provides the match, e.g. ["10", "AND", "1"] - type: array - element: - type: string - - name: rateBasedRuleList - description: The list of rate-based rules that acted on the request. - type: array - element: - type: object - fields: - - name: limitKey - description: "The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. Possible value: IP." - type: string - - name: limitValue - description: The IP address used by a rate-based rule to aggregate requests for rate limiting. If a request contains an IP address that isn't valid, the limitvalue is INVALID. - type: string - - name: maxRateAllowed - description: The maximum number of requests, which have an identical value in the field that is specified by limitKey, allowed in a five-minute period. If the number of requests exceeds the maxRateAllowed and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule. - type: bigint - - name: rateBasedRuleId - description: The ID of the rate-based rule that acted on the request. If this has terminated the request, the ID for rateBasedRuleId is the same as the ID for terminatingRuleId. - type: string - - name: rateBasedRuleName - description: The name of the rate-based rule that acted on the request. - type: string - - name: ruleGroupList - description: The list of rule groups that acted on this request. In the preceding code example, there is only one. - type: array - element: - type: object - fields: - - name: excludedRules - description: The list of rules in the rule group that you have excluded. The action for these rules is set to COUNT. - type: array - element: - type: object - fields: - - name: exclusionType - description: A type that indicates that the excluded rule has the action COUNT (most likely value is EXCLUDED_AS_COUNT). - type: string - - name: ruleId - description: The ID of the rule within the rule group that is excluded. - type: string - - name: nonTerminatingMatchingRules - description: The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match). - type: array - element: - type: object - fields: - - name: ruleId - description: The Rule ID. - type: string - - name: action - description: The configured rule action. For non-terminating rules the value is always COUNT. - type: string - - name: ruleMatchDetails - description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. - type: array - element: - type: object - fields: - - name: conditionType - description: The vulnerability type, either SQL_INJECTION or XSS - type: string - - name: location - description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc. - type: string - - name: matchedData - description: The list of strings that provides the match, e.g. ["10", "AND", "1"] - type: array - element: - type: string - - name: ruleGroupId - description: The ID of the rule group. If the rule blocked the request, the ID for ruleGroupID is the same as the ID for terminatingRuleId. - type: string - - name: terminatingRule - description: The rule within the rule group that terminated the request. If this is a non-null value, it also contains a ruleid and action. In this case, the action is always BLOCK. - type: object - fields: - - name: ruleId - description: The Rule ID. - type: string - - name: action - description: The configured rule action. For non-terminating rules the value is always COUNT. - type: string - - name: ruleMatchDetails - description: Detailed information about the rule that matched the request. This field is only populated for SQL injection and cross-site scripting (XSS) match rule statements. - type: array - element: - type: object - fields: - - name: conditionType - description: The vulnerability type, either SQL_INJECTION or XSS - type: string - - name: location - description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc. - type: string - - name: matchedData - description: The list of strings that provides the match, e.g. ["10", "AND", "1"] - type: array - element: - type: string - - name: terminatingRuleId - description: The ID of the rule that terminated the request. If nothing terminates the request, the value is Default_Action. - type: string - - name: terminatingRuleMatchDetails - description: Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log. - type: array - element: - type: object - fields: - - name: conditionType - description: The vulnerability type, either SQL_INJECTION or XSS - type: string - - name: location - description: The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc. - type: string - - name: matchedData - description: The list of strings that provides the match, e.g. ["10", "AND", "1"] - type: array - element: - type: string - - name: terminatingRuleType - description: "The type of rule that terminated the request. Possible values: RATE_BASED, REGULAR, GROUP, and MANAGED_RULE_GROUP." - type: string - - name: timestamp - required: true - description: The timestamp in milliseconds. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: webaclId - required: true - description: The GUID of the web ACL. - type: string diff --git a/schemas/logs/box/event.yml b/schemas/logs/box/event.yml deleted file mode 100644 index b0a23b3d5..000000000 --- a/schemas/logs/box/event.yml +++ /dev/null @@ -1,112 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Box.Event -parser: - native: - name: Box.Event -description: Contains events for the entire enterprise -referenceURL: https://developer.box.com/reference/get-events -version: 0 -fields: - - name: additional_details - description: This object provides additional information about the event if available. - type: json - - name: created_at - description: The timestamp of the event - type: timestamp - timeFormat: rfc3339 - - name: created_by - description: The user that performed the action represented by the event. - type: object - fields: - - name: id - description: The unique identifier for this object - type: string - - name: type - description: The object type (always 'user') - type: string - - name: login - description: The primary email address of this user - type: string - - name: name - description: The display name of this user - type: string - - name: event_id - required: true - description: The ID of the event object. You can use this to detect duplicate events - type: string - - name: event_type - required: true - description: The event type that triggered this event - type: string - - name: type - required: true - description: The object type (always 'event') - type: string - - name: source - required: true - description: The item that triggered this event - type: object - fields: - - name: id - description: The unique identifier for this object - type: string - - name: type - description: The object type (always 'user') - type: string - - name: login - description: The primary email address of this user - type: string - - name: name - description: The display name of this user - type: string - - name: item_id - description: The unique identifier that represents the item. - type: string - - name: item_name - description: The name of the item. - type: string - - name: item_type - description: The type of the item that the event represents. Can be file or folder. - type: string - - name: owned_by - description: The user who owns this item. - type: object - fields: - - name: id - description: The unique identifier for this object - type: string - - name: type - description: The object type (always 'user') - type: string - - name: login - description: The primary email address of this user - type: string - - name: name - description: The display name of this user - type: string - - name: parent - description: The optional folder that this folder is located within. - type: object - fields: - - name: etag - description: The HTTP etag of this folder. - type: string - - name: id - description: The unique identifier that represent a folder. - type: string - - name: type - required: true - description: The type of the object (always 'folder') - type: string - - name: name - description: The name of the folder - type: string - - name: sequence_id - description: A numeric identifier that represents the most recent user event that has been applied to this item. - type: string - - name: session_id - description: The event type that triggered this event - type: string - - name: ip_address - description: The IP address the request was made from. - type: string diff --git a/schemas/logs/cisco_umbrella/cloud_firewall.yml b/schemas/logs/cisco_umbrella/cloud_firewall.yml deleted file mode 100644 index d4a4fffba..000000000 --- a/schemas/logs/cisco_umbrella/cloud_firewall.yml +++ /dev/null @@ -1,53 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: CiscoUmbrella.CloudFirewall -parser: - native: - name: CiscoUmbrella.CloudFirewall -description: Cloud Firewall logs show traffic that has been handled by network tunnels. -referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs -version: 0 -fields: - - name: timestamp - required: true - description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). - type: timestamp - timeFormat: rfc3339 - - name: originId - description: The unique identity of the network tunnel. - type: string - - name: identity - description: The name of the network tunnel. - type: string - - name: identityType - description: The type of identity that made the request. Should always be 'CDFW Tunnel Device'. - type: string - - name: direction - description: The direction of the packet. It is destined either towards the internet or to the customer's network. - type: string - - name: ipProtocol - description: The actual IP protocol of the traffic. It could be TCP, UDP, ICMP. - type: int - - name: packetSize - description: The size of the packet that Umbrella CDFW received. - type: int - - name: sourceIp - description: The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address. - type: string - - name: sourcePort - description: The internal port number of the user-generated traffic towards the CDFW. - type: int - - name: destinationIp - description: The destination IP address of the user-generated traffic towards the CDFW. - type: string - - name: destinationPort - description: The destination port number of the user-generated traffic towards the CDFW. - type: int - - name: dataCenter - description: The name of the Umbrella Data Center that processed the user-generated traffic. - type: string - - name: ruleId - description: The ID of the rule that processed the user traffic. - type: string - - name: verdict - description: The final verdict whether to allow or block the traffic based on the rule. - type: string diff --git a/schemas/logs/cisco_umbrella/dns.yml b/schemas/logs/cisco_umbrella/dns.yml deleted file mode 100644 index 238d9c6e4..000000000 --- a/schemas/logs/cisco_umbrella/dns.yml +++ /dev/null @@ -1,58 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: CiscoUmbrella.DNS -parser: - native: - name: CiscoUmbrella.DNS -description: DNS logs show traffic that has reached our DNS resolvers. -referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs -version: 0 -fields: - - name: timestamp - required: true - description: When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone. - type: timestamp - timeFormat: rfc3339 - - name: policyIdentity - description: The first identity that matched the request. - type: string - - name: identities - description: All identities associated with this request. - type: array - element: - type: string - - name: internalIp - description: The internal IP address that made the request. - type: string - - name: externalIp - description: The external IP address that made the request. - type: string - - name: action - description: Whether the request was allowed or blocked. - type: string - - name: queryType - description: The type of DNS request that was made. For more information, see Common DNS Request Types. - type: string - - name: responseCode - description: The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). - type: string - - name: domain - description: The domain that was requested. - type: string - - name: categories - description: The security or content categories that the destination matches. - type: array - element: - type: string - - name: policyIdentityType - description: The first identity type matched with this request. Available in version 3 and above. - type: string - - name: identityTypes - description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. - type: array - element: - type: string - - name: blockedCategories - description: The categories that resulted in the destination being blocked. Available in version 4 and above. - type: array - element: - type: string diff --git a/schemas/logs/cisco_umbrella/ip.yml b/schemas/logs/cisco_umbrella/ip.yml deleted file mode 100644 index 181140269..000000000 --- a/schemas/logs/cisco_umbrella/ip.yml +++ /dev/null @@ -1,39 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: CiscoUmbrella.IP -parser: - native: - name: CiscoUmbrella.IP -description: IP logs show traffic that has been handled by the IP Layer Enforcement feature. -referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs -version: 0 -fields: - - name: timestamp - required: true - description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). - type: timestamp - timeFormat: rfc3339 - - name: identity - description: The first identity that matched the request. - type: string - - name: sourceIp - description: The IP of the computer making the request. - type: string - - name: sourcePort - description: The port the request was made on. - type: int - - name: destinationIp - description: The destination IP requested. - type: string - - name: destinationPort - description: The destination port the request was made on. - type: int - - name: categories - description: Which security categories, if any, matched against the destination IP address/port requested. - type: array - element: - type: string - - name: identityTypes - description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. - type: array - element: - type: string diff --git a/schemas/logs/cisco_umbrella/proxy.yml b/schemas/logs/cisco_umbrella/proxy.yml deleted file mode 100644 index b62a663dd..000000000 --- a/schemas/logs/cisco_umbrella/proxy.yml +++ /dev/null @@ -1,92 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: CiscoUmbrella.Proxy -parser: - native: - name: CiscoUmbrella.Proxy -description: Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy. -referenceURL: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs -version: 0 -fields: - - name: timestamp - description: The timestamp of the request transaction in UTC (2015-01-16 17:48:41). - type: timestamp - timeFormat: rfc3339 - - name: identity - description: The first identity that matched the request. - type: string - - name: identities - description: Which identities, in order of granularity, made the request through the intelligent proxy. - type: array - element: - type: string - - name: internalIp - description: The internal IP address of the computer making the request. - type: string - - name: externalIp - description: The egress IP address of the network where the request originated. - type: string - - name: destinationIp - description: The destination IP address of the request. - type: string - - name: contentType - description: The type of web content, typically text/html. - type: string - - name: verdict - description: Whether the destination was blocked or allowed. - type: string - - name: url - description: The URL requested. - type: string - - name: referrer - description: The referring domain or URL. - type: string - - name: userAgent - description: The browser agent that made the request. - type: string - - name: statusCode - description: The HTTP status code; should always be 200 or 201. - type: int - - name: requestSize - description: Request size in bytes. - type: bigint - - name: responseSize - description: Response size in bytes. - type: bigint - - name: responseBodySize - description: Response body size in bytes. - type: bigint - - name: sha - description: SHA256 hex digest of the response content. - type: string - - name: categories - description: The security categories for this request, such as Malware. - type: array - element: - type: string - - name: avDetections - description: The detection name according to the antivirus engine used in file inspection. - type: array - element: - type: string - - name: puas - description: A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. - type: array - element: - type: string - - name: ampDisposition - description: The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. - type: string - - name: ampMalwareName - description: If Malicious, the name of the malware according to AMP. - type: string - - name: ampScore - description: The score of the malware from AMP. This field is not currently used and will be blank. - type: string - - name: identityType - description: The type of identity that made the request. For example, Roaming Computer, Network, and so on. - type: string - - name: blockedCategories - description: The categories that resulted in the destination being blocked. Available in version 4 and above. - type: array - element: - type: string diff --git a/schemas/logs/cloudflare/firewall.yml b/schemas/logs/cloudflare/firewall.yml deleted file mode 100644 index 2d799365a..000000000 --- a/schemas/logs/cloudflare/firewall.yml +++ /dev/null @@ -1,106 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Cloudflare.Firewall -parser: - native: - name: Cloudflare.Firewall -description: Cloudflare Firewall logs. When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field as it is required by Panther. -referenceURL: https://developers.cloudflare.com/logs/log-fields#firewall-events -version: 0 -fields: - - name: Action - description: The code of the first-class action the Cloudflare Firewall took on this request - type: string - - name: ClientASN - description: The ASN number of the visitor - type: bigint - - name: ClientASNDescription - description: The ASN of the visitor as string - type: string - - name: ClientCountry - description: Country from which request originated - type: string - - name: ClientIP - description: The visitor's IP address (IPv4 or IPv6) - type: string - indicators: - - ip - - name: ClientIPClass - description: "The classification of the visitor's IP address, possible values are: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService |securityScanner | noRecord | scan | backupService | mobilePlatform | tor" - type: string - - name: ClientRefererHost - description: The referer host - type: string - indicators: - - hostname - - name: ClientRefererPath - description: The referer path requested by visitor - type: string - - name: ClientRefererQuery - description: The referer query-string was requested by the visitor - type: string - - name: ClientRefererScheme - description: The referer url scheme requested by the visitor - type: string - - name: ClientRequestHost - description: The HTTP hostname requested by the visitor - type: string - indicators: - - hostname - - name: ClientRequestMethod - description: The HTTP method used by the visitor - type: string - - name: ClientRequestPath - description: The path requested by visitor - type: string - - name: ClientRequestProtocol - description: The version of HTTP protocol requested by the visitor - type: string - - name: ClientRequestQuery - description: The query-string was requested by the visitor - type: string - - name: ClientRequestScheme - description: The url scheme requested by the visitor - type: string - - name: ClientRequestUserAgent - description: Visitor's user-agent string - type: string - - name: Datetime - required: true - description: The date and time the event occurred at the edge - type: timestamp - timeFormat: cloudflare - isEventTime: true - - name: EdgeColoCode - description: The airport code of the Cloudflare datacenter that served this request - type: string - - name: EdgeResponseStatus - description: HTTP response status code returned to browser - type: smallint - - name: Kind - description: "The kind of event, currently only possible values are: firewall" - type: string - - name: MatchIndex - description: Rules match index in the chain - type: bigint - - name: Metadata - description: Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time - type: json - - name: OriginResponseStatus - description: HTTP origin response status code returned to browser - type: smallint - - name: OriginatorRayID - description: The RayID of the request that issued the challenge/jschallenge - type: string - indicators: - - trace_id - - name: RayID - description: The RayID of the request - type: string - indicators: - - trace_id - - name: RuleID - description: The Cloudflare security product-specific RuleID triggered by this request - type: string - - name: Source - description: The Cloudflare security product triggered by this request - type: string diff --git a/schemas/logs/cloudflare/http_request.yml b/schemas/logs/cloudflare/http_request.yml deleted file mode 100644 index a5ec9f30b..000000000 --- a/schemas/logs/cloudflare/http_request.yml +++ /dev/null @@ -1,220 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Cloudflare.HttpRequest -parser: - native: - name: Cloudflare.HttpRequest -description: Cloudflare http request logs. When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field as it is required by Panther. -referenceURL: https://developers.cloudflare.com/logs/log-fields#http-requests -version: 0 -fields: - - name: BotScore - description: Cloudflare Bot Score (available for Bot Management customers; please contact your account team to enable) - type: bigint - - name: BotScoreSrc - description: Underlying detection engine or source on where a Bot Score is calculated. Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot - type: string - - name: CacheCacheStatus - description: unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated - type: string - - name: CacheResponseBytes - description: Number of bytes returned by the cache - type: bigint - - name: CacheResponseStatus - description: HTTP status code returned by the cache to the edge; all requests (including non-cacheable ones) go through the cache; also see CacheStatus field - type: smallint - - name: CacheTieredFill - description: Tiered Cache was used to serve this request - type: boolean - - name: ClientASN - description: Client AS number - type: bigint - - name: ClientCountry - description: Country of the client IP address - type: string - - name: ClientDeviceType - description: Client device type - type: string - - name: ClientIP - description: IP address of the client - type: string - indicators: - - ip - - name: ClientIPClass - description: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService | securityScanner | noRecord | scan |backupService | mobilePlatform | tor - type: string - - name: ClientRequestBytes - description: Number of bytes in the client request - type: bigint - - name: ClientRequestHost - description: Host requested by the client - type: string - indicators: - - hostname - - name: ClientRequestMethod - description: HTTP method of client request - type: string - - name: ClientRequestPath - description: URI path requested by the client - type: string - - name: ClientRequestProtocol - description: HTTP protocol of client request - type: string - - name: ClientRequestReferer - description: HTTP request referrer - type: string - indicators: - - hostname - - name: ClientRequestURI - description: URI requested by the client - type: string - - name: ClientRequestUserAgent - description: User agent reported by the client - type: string - - name: ClientSSLProtocol - description: Client SSL (TLS) protocol - type: string - - name: ClientSrcPort - description: Client source port - type: int - - name: ClientXRequestedWith - description: X-Requested-With HTTP header - type: string - - name: EdgeColoCode - description: IATA airport code of data center that received the request - type: string - - name: EdgeColoID - description: Cloudflare edge colo id - type: bigint - - name: EdgeEndTimestamp - description: Timestamp at which the edge finished sending response to the client - type: timestamp - timeFormat: cloudflare - - name: EdgePathingOp - description: Indicates what type of response was issued for this request (unknown = no specific action) - type: string - - name: EdgePathingSrc - description: Details how the request was classified based on security checks (unknown = no specific classification) - type: string - - name: EdgePathingStatus - description: Indicates what data was used to determine the handling of this request (unknown = no data) - type: string - - name: EdgeRateLimitAction - description: The action taken by the blocking rule; empty if no action taken - type: string - - name: EdgeRateLimitID - description: The internal rule ID of the rate-limiting rule that triggered a block (ban) or simulate action. 0 if no action taken - type: string - - name: EdgeRequestHost - description: Host header on the request from the edge to the origin - type: string - indicators: - - hostname - - name: EdgeResponseBytes - description: Number of bytes returned by the edge to the client - type: bigint - - name: EdgeResponseCompressionRatio - description: Edge response compression ratio - type: float - - name: EdgeResponseContentType - description: Edge response Content-Type header value - type: string - - name: EdgeResponseStatus - description: HTTP status code returned by Cloudflare to the client - type: smallint - - name: EdgeServerIP - description: IP of the edge server making a request to the origin - type: string - indicators: - - ip - - name: EdgeStartTimestamp - required: true - description: Timestamp at which the edge received request from the client - type: timestamp - timeFormat: cloudflare - isEventTime: true - - name: FirewallMatchesActions - description: Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass - type: array - element: - type: string - - name: FirewallMatchesRuleIDs - description: Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources. - type: array - element: - type: string - - name: FirewallMatchesSources - description: The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit |bic | hot | l7ddos | sanitycheck | protect - type: array - element: - type: string - - name: OriginIP - description: IP of the origin server - type: string - indicators: - - ip - - name: OriginResponseBytes - description: Number of bytes returned by the origin server - type: bigint - - name: OriginResponseHTTPExpires - description: Value of the origin 'expires' header in RFC1123 format - type: timestamp - timeFormat: layout=Mon, 02 Jan 2006 15:04:05 MST - - name: OriginResponseHTTPLastModified - description: Value of the origin 'last-modified' header in RFC1123 format - type: timestamp - timeFormat: layout=Mon, 02 Jan 2006 15:04:05 MST - - name: OriginResponseStatus - description: Status returned by the origin server - type: smallint - - name: OriginResponseTime - description: Number of nanoseconds it took the origin to return the response to edge - type: bigint - - name: OriginSSLProtocol - description: SSL (TLS) protocol used to connect to the origin - type: string - - name: ParentRayID - description: Ray ID of the parent request if this request was made using a Worker script - type: string - indicators: - - trace_id - - name: RayID - description: ID of the request - type: string - indicators: - - trace_id - - name: SecurityLevel - description: The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system - type: string - - name: WAFAction - description: Action taken by the WAF, if triggered - type: string - - name: WAFFlags - description: "Additional configuration flags: simulate (0x1) | null" - type: string - - name: WAFMatchedVar - description: The full name of the most-recently matched variable - type: string - - name: WAFProfile - description: low | med | high - type: string - - name: WAFRuleID - description: ID of the applied WAF rule - type: string - - name: WAFRuleMessage - description: Rule message associated with the triggered rule - type: string - - name: WorkerCPUTime - description: Amount of time in microseconds spent executing a worker, if any - type: bigint - - name: WorkerStatus - description: Status returned from worker daemon - type: string - - name: WorkerSubrequest - description: Whether or not this request was a worker subrequest - type: boolean - - name: WorkerSubrequestCount - description: Number of subrequests issued by a worker when handling this request - type: bigint - - name: ZoneID - description: Internal zone ID - type: bigint diff --git a/schemas/logs/cloudflare/spectrum.yml b/schemas/logs/cloudflare/spectrum.yml deleted file mode 100644 index 7a555ae97..000000000 --- a/schemas/logs/cloudflare/spectrum.yml +++ /dev/null @@ -1,111 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Cloudflare.Spectrum -parser: - native: - name: Cloudflare.Spectrum -description: Cloudflare Spectrum logs. When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field as it is required by Panther. -referenceURL: https://developers.cloudflare.com/logs/log-fields#spectrum-events -version: 0 -fields: - - name: Application - description: The unique public ID of the application on which the event occurred - type: string - - name: ClientASN - description: Client AS number - type: bigint - - name: ClientBytes - description: The number of bytes read from the client by the Spectrum service - type: bigint - - name: ClientCountry - description: Country of the client IP address - type: string - - name: ClientIP - description: IP address of the client - type: string - indicators: - - ip - - name: ClientMatchedIpFirewall - description: Whether the connection matched any IP Firewall rules; UNKNOWN | ALLOW | BLOCK_ERROR | BLOCK_IP | BLOCK_COUNTRY | BLOCK_ASN | WHITELIST_IP |WHITELIST_COUNTRY | WHITELIST_ASN - type: string - - name: ClientPort - description: Client port - type: int - - name: ClientProto - description: Transport protocol used by client; tcp | udp | unix - type: string - - name: ClientTcpRtt - description: The TCP round-trip time in nanoseconds between the client and Spectrum - type: bigint - - name: ClientTlsCipher - description: The cipher negotiated between the client and Spectrum - type: string - - name: ClientTlsClientHelloServerName - description: The server name in the Client Hello message from client to Spectrum - type: string - - name: ClientTlsProtocol - description: The TLS version negotiated between the client and Spectrum; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3 - type: string - - name: ClientTlsStatus - description: Indicates state of TLS session from the client to Spectrum; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC - type: string - - name: ColoCode - description: IATA airport code of data center that received the request - type: string - - name: ConnectTimestamp - description: Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established - type: timestamp - timeFormat: cloudflare - - name: DisconnectTimestamp - description: Timestamp at which the connection was closed - type: timestamp - timeFormat: cloudflare - - name: Event - description: connect | disconnect | clientFiltered | tlsError | resolveOrigin | originError - type: string - - name: IpFirewall - description: Whether IP Firewall was enabled at time of connection - type: boolean - - name: OriginBytes - description: The number of bytes read from the origin by Spectrum - type: bigint - - name: OriginIP - description: Origin IP address - type: string - indicators: - - ip - - name: OriginPort - description: Origin port - type: int - - name: OriginProto - description: Transport protocol used by origin; tcp | udp | unix - type: string - - name: OriginTcpRtt - description: The TCP round-trip time in nanoseconds between Spectrum and the origin - type: bigint - - name: OriginTlsCipher - description: The cipher negotiated between Spectrum and the origin - type: string - - name: OriginTlsFingerprint - description: SHA256 hash of origin certificate - type: string - - name: OriginTlsMode - description: If and how the upstream connection is encrypted; unknown | off | flexible | full | strict - type: string - - name: OriginTlsProtocol - description: The TLS version negotiated between Spectrum and the origin; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3 - type: string - - name: OriginTlsStatus - description: The state of the TLS session from Spectrum to the origin; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC - type: string - - name: ProxyProtocol - description: Which form of proxy protocol is applied to the given connection; off | v1 | v2 | simple - type: string - - name: Status - description: A code indicating reason for connection closure - type: bigint - - name: Timestamp - required: true - description: Timestamp at which the event took place - type: timestamp - timeFormat: cloudflare - isEventTime: true diff --git a/schemas/logs/cloudflare/tests/firewall_tests.yml b/schemas/logs/cloudflare/tests/firewall_tests.yml deleted file mode 100644 index deca924cf..000000000 --- a/schemas/logs/cloudflare/tests/firewall_tests.yml +++ /dev/null @@ -1,89 +0,0 @@ ---- -name: firewall -logType: Cloudflare.Firewall -input: | - { - "Action": "firewall-action", - "ClientASN": 123, - "ClientASNDescription": "123", - "ClientCountry": "Greece", - "ClientIP": "128.127.128.127", - "ClientIPClass": "clean", - "ClientRefererHost": "example-referrer.com", - "ClientRefererPath": "/ref-path", - "ClientRefererQuery": "?query=param", - "ClientRefererScheme": "https", - "ClientRequestHost": "example.com", - "ClientRequestMethod": "POST", - "ClientRequestPath": "/", - "ClientRequestProtocol": "HTTP 1.1", - "ClientRequestQuery": "/", - "ClientRequestScheme": "https", - "ClientRequestUserAgent": "firefox", - "Datetime": 1600365601, - "EdgeColoCode": "IATA-123", - "EdgeResponseStatus": 200, - "Kind": "firewall", - "MatchIndex": 1234, - "Metadata": { - "Metadata1": "metadata-1", - "Metadata2": "metadata-2" - }, - "OriginResponseStatus": 200, - "OriginatorRayID": "originator-ray-id", - "RayID": "ray-id", - "RuleID": "rule-id", - "Source": "cloudflare-security-product" - } -result: | - { - "Action": "firewall-action", - "ClientASN": 123, - "ClientASNDescription": "123", - "ClientCountry": "Greece", - "ClientIP": "128.127.128.127", - "ClientIPClass": "clean", - "ClientRefererHost": "example-referrer.com", - "ClientRefererPath": "/ref-path", - "ClientRefererQuery": "?query=param", - "ClientRefererScheme": "https", - "ClientRequestHost": "example.com", - "ClientRequestMethod": "POST", - "ClientRequestPath": "/", - "ClientRequestProtocol": "HTTP 1.1", - "ClientRequestQuery": "/", - "ClientRequestScheme": "https", - "ClientRequestUserAgent": "firefox", - "Datetime": "2020-09-17T18:00:01Z", - "EdgeColoCode": "IATA-123", - "EdgeResponseStatus": 200, - "Kind": "firewall", - "MatchIndex": 1234, - "Metadata": { - "Metadata1": "metadata-1", - "Metadata2": "metadata-2" - }, - "OriginResponseStatus": 200, - "OriginatorRayID": "originator-ray-id", - "RayID": "ray-id", - "RuleID": "rule-id", - "Source": "cloudflare-security-product", - "p_log_type": "Cloudflare.Firewall", - "p_event_time":"2020-09-17T18:00:01Z", - "p_any_domain_names": ["example-referrer.com", "example.com"], - "p_any_ip_addresses": ["128.127.128.127"], - "p_any_trace_ids": ["originator-ray-id", "ray-id"] - } ---- -name: firewall required fields only -logType: Cloudflare.Firewall -input: | - { - "Datetime": "2020-09-17T18:00:00Z" - } -result: | - { - "Datetime": "2020-09-17T18:00:00Z", - "p_log_type": "Cloudflare.Firewall", - "p_event_time":"2020-09-17T18:00:00Z" - } diff --git a/schemas/logs/cloudflare/tests/http_request_tests.yml b/schemas/logs/cloudflare/tests/http_request_tests.yml deleted file mode 100644 index 4708a49e3..000000000 --- a/schemas/logs/cloudflare/tests/http_request_tests.yml +++ /dev/null @@ -1,150 +0,0 @@ ---- -name: http_request -logType: Cloudflare.HttpRequest -input: | - { - "BotScore":10, - "BotScoreSrc":"Heuristics", - "CacheCacheStatus":"hit", - "CacheResponseBytes": 1024, - "CacheResponseStatus": 200, - "CacheTieredFill":true, - "ClientASN": 123, - "ClientCountry":"Greece", - "ClientDeviceType":"mobile", - "ClientIP": "127.0.0.1", - "ClientIPClass": "clean", - "ClientRequestBytes": 2048, - "ClientRequestHost": "example.com", - "ClientRequestMethod": "POST", - "ClientRequestPath": "/path", - "ClientRequestProtocol": "HTTP 1.1", - "ClientRequestReferer": "example.com", - "ClientRequestURI": "/", - "ClientRequestUserAgent": "firefox", - "ClientSSLProtocol": "TLS 1.3", - "ClientSrcPort": 12800, - "ClientXRequestedWith": "XMLHttpRequest", - "EdgeColoCode": "9F", - "EdgeColoID": 123, - "EdgeEndTimestamp": "2020-08-07T07:52:09Z", - "EdgePathingOp": "unknown", - "EdgePathingSrc": "unknown", - "EdgePathingStatus": "unknown", - "EdgeRateLimitAction":"", - "EdgeRateLimitID": "rule-id", - "EdgeRequestHost": "example-edge.com", - "EdgeResponseBytes":1024, - "EdgeResponseCompressionRatio": 0.3, - "EdgeResponseContentType": "application/json", - "EdgeResponseStatus":200, - "EdgeServerIP": "127.127.127.127", - "EdgeStartTimestamp": 1600365600, - "FirewallMatchesActions": ["jschallengeFailed", "jschallengeBypassed"], - "FirewallMatchesRuleIDs": ["rule1", "rule2"], - "FirewallMatchesSources": ["sanitycheck","protect"], - "OriginIP": "128.128.128.128", - "OriginResponseBytes":512, - "OriginResponseHTTPExpires": "Fri, 21 Oct 2016 07:28:00 GMT", - "OriginResponseHTTPLastModified": "Fri, 21 Oct 2016 07:28:00 GMT", - "OriginResponseStatus": 200, - "OriginResponseTime": 1000000, - "OriginSSLProtocol": "TLS 1.3", - "ParentRayID": "parent-ray-id", - "RayID": "ray-id", - "SecurityLevel": "high", - "WAFAction": "none", - "WAFFlags": "simulate (0x1) | null", - "WAFMatchedVar": "some-variable", - "WAFProfile": "low", - "WAFRuleID": "waf-rule-id", - "WAFRuleMessage": "waf-rule-message", - "WorkerCPUTime": 1000000, - "WorkerStatus": "OK", - "WorkerSubrequest": true, - "WorkerSubrequestCount": 10, - "ZoneID": 123 - } -result: | - { - "BotScore":10, - "BotScoreSrc":"Heuristics", - "CacheCacheStatus":"hit", - "CacheResponseBytes": 1024, - "CacheResponseStatus": 200, - "CacheTieredFill":true, - "ClientASN": 123, - "ClientCountry":"Greece", - "ClientDeviceType":"mobile", - "ClientIP": "127.0.0.1", - "ClientIPClass": "clean", - "ClientRequestBytes": 2048, - "ClientRequestHost": "example.com", - "ClientRequestMethod": "POST", - "ClientRequestPath": "/path", - "ClientRequestProtocol": "HTTP 1.1", - "ClientRequestReferer": "example.com", - "ClientRequestURI": "/", - "ClientRequestUserAgent": "firefox", - "ClientSSLProtocol": "TLS 1.3", - "ClientSrcPort": 12800, - "ClientXRequestedWith": "XMLHttpRequest", - "EdgeColoCode": "9F", - "EdgeColoID": 123, - "EdgeEndTimestamp": "2020-08-07T07:52:09Z", - "EdgePathingOp": "unknown", - "EdgePathingSrc": "unknown", - "EdgePathingStatus": "unknown", - "EdgeRateLimitAction":"", - "EdgeRateLimitID": "rule-id", - "EdgeRequestHost": "example-edge.com", - "EdgeResponseBytes":1024, - "EdgeResponseCompressionRatio": 0.3, - "EdgeResponseContentType": "application/json", - "EdgeResponseStatus":200, - "EdgeServerIP": "127.127.127.127", - "EdgeStartTimestamp": "2020-09-17T18:00:00Z", - "FirewallMatchesActions": ["jschallengeFailed", "jschallengeBypassed"], - "FirewallMatchesRuleIDs": ["rule1", "rule2"], - "FirewallMatchesSources": ["sanitycheck","protect"], - "OriginIP": "128.128.128.128", - "OriginResponseBytes":512, - "OriginResponseHTTPExpires": "Fri, 21 Oct 2016 07:28:00 GMT", - "OriginResponseHTTPLastModified": "Fri, 21 Oct 2016 07:28:00 GMT", - "OriginResponseStatus": 200, - "OriginResponseTime": 1000000, - "OriginSSLProtocol": "TLS 1.3", - "ParentRayID": "parent-ray-id", - "RayID": "ray-id", - "SecurityLevel": "high", - "WAFAction": "none", - "WAFFlags": "simulate (0x1) | null", - "WAFMatchedVar": "some-variable", - "WAFProfile": "low", - "WAFRuleID": "waf-rule-id", - "WAFRuleMessage": "waf-rule-message", - "WorkerCPUTime": 1000000, - "WorkerStatus": "OK", - "WorkerSubrequest": true, - "WorkerSubrequestCount": 10, - "ZoneID": 123, - - "p_log_type": "Cloudflare.HttpRequest", - "p_event_time":"2020-09-17T18:00:00Z", - "p_any_domain_names": ["example-edge.com", "example.com"], - "p_any_ip_addresses": ["127.0.0.1", "127.127.127.127", "128.128.128.128"], - "p_any_trace_ids": ["parent-ray-id", "ray-id"] - } ---- -name: httprequest required fields only -logType: Cloudflare.HttpRequest -input: | - { - "EdgeStartTimestamp": "2020-09-17T18:00:00Z" - } -result: | - { - "EdgeStartTimestamp": "2020-09-17T18:00:00Z", - "p_log_type": "Cloudflare.HttpRequest", - "p_event_time":"2020-09-17T18:00:00Z" - } diff --git a/schemas/logs/cloudflare/tests/spectrum_tests.yml b/schemas/logs/cloudflare/tests/spectrum_tests.yml deleted file mode 100644 index 5fa7652c8..000000000 --- a/schemas/logs/cloudflare/tests/spectrum_tests.yml +++ /dev/null @@ -1,88 +0,0 @@ ---- -name: spectrum -logType: Cloudflare.Spectrum -input: | - { - "Application": "app-123", - "ClientASN": 123, - "ClientBytes": 1024, - "ClientCountry": "Greece", - "ClientIP": "127.127.127.127", - "ClientMatchedIpFirewall": "ALLOW", - "ClientPort": 1040, - "ClientProto": "tcp", - "ClientTcpRtt": 200000, - "ClientTlsCipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "ClientTlsClientHelloServerName": "hello-server-name", - "ClientTlsProtocol": "TLS 1.3", - "ClientTlsStatus": "OK", - "ColoCode": "IATA-123", - "ConnectTimestamp": "2020-08-07T07:52:09Z", - "DisconnectTimestamp": "2020-08-07T07:52:09Z", - "Event": "connect", - "IpFirewall": true, - "OriginBytes": 512, - "OriginIP": "128.128.128.128", - "OriginPort": 443, - "OriginProto": "tcp", - "OriginTcpRtt": 100000, - "OriginTlsCipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "OriginTlsFingerprint": "tls-fingerprint", - "OriginTlsMode": "unknown", - "OriginTlsProtocol": "SSLv3", - "OriginTlsStatus": "KEYLESS_RPC", - "ProxyProtocol": "simple", - "Status": 123, - "Timestamp": 1600368586194526741 - } -result: | - { - "Application": "app-123", - "ClientASN": 123, - "ClientBytes": 1024, - "ClientCountry": "Greece", - "ClientIP": "127.127.127.127", - "ClientMatchedIpFirewall": "ALLOW", - "ClientPort": 1040, - "ClientProto": "tcp", - "ClientTcpRtt": 200000, - "ClientTlsCipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "ClientTlsClientHelloServerName": "hello-server-name", - "ClientTlsProtocol": "TLS 1.3", - "ClientTlsStatus": "OK", - "ColoCode": "IATA-123", - "ConnectTimestamp": "2020-08-07T07:52:09Z", - "DisconnectTimestamp": "2020-08-07T07:52:09Z", - "Event": "connect", - "IpFirewall": true, - "OriginBytes": 512, - "OriginIP": "128.128.128.128", - "OriginPort": 443, - "OriginProto": "tcp", - "OriginTcpRtt": 100000, - "OriginTlsCipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "OriginTlsFingerprint": "tls-fingerprint", - "OriginTlsMode": "unknown", - "OriginTlsProtocol": "SSLv3", - "OriginTlsStatus": "KEYLESS_RPC", - "ProxyProtocol": "simple", - "Status": 123, - "Timestamp": "2020-09-17T18:49:46Z", - - "p_log_type": "Cloudflare.Spectrum", - "p_event_time":"2020-09-17T18:49:46.194526741Z", - "p_any_ip_addresses": ["127.127.127.127", "128.128.128.128"] - } ---- -name: spectrum required fields only -logType: Cloudflare.Spectrum -input: | - { - "Timestamp": "2020-09-17T18:00:00Z" - } -result: | - { - "Timestamp": "2020-09-17T18:00:00Z", - "p_log_type": "Cloudflare.Spectrum", - "p_event_time":"2020-09-17T18:00:00Z" - } diff --git a/schemas/logs/crowdstrike/activity_audit.yml b/schemas/logs/crowdstrike/activity_audit.yml deleted file mode 100644 index 093fb1a3b..000000000 --- a/schemas/logs/crowdstrike/activity_audit.yml +++ /dev/null @@ -1,78 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.ActivityAudit -parser: - native: - name: Crowdstrike.ActivityAudit -description: Contains activity audit information -referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-authentication -version: 0 -fields: - - name: AgentIdString - description: The Agent ID - type: string - - name: cid - description: The customer ID. A 32-character (hex) identifier in the CrowdStrike cloud. - type: string - indicators: - - trace_id - - name: ExternalApiType - required: true - description: The external API type - type: string - - name: Nonce - description: The nonce - type: bigint - - name: ServiceName - description: The service name - type: string - - name: UserId - description: User that performed the operation, e.g. person that performed the operation to create a new user account. - type: string - indicators: - - email - - name: UserIp - description: IP address of user that performs the operation. - type: string - indicators: - - ip - - name: CustomerIdString - description: Unique ID assigned by CS for each customer. - type: string - - name: EventType - required: true - description: Will be Event_ExternalApiEvent - type: string - - name: OperationName - description: The operation name - type: string - - name: UTCTimestamp - description: The timestamp - type: timestamp - timeFormat: unix_ms - - name: timestamp - required: true - description: The timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: AuditKeyValues - description: The AuditKeyValues - type: array - element: - type: object - fields: - - name: Key - description: The Key - type: string - - name: ValueString - description: The value as a string - type: string - - name: eid - description: The EID - type: bigint - - name: Success - description: If the operation was successful or not - type: boolean - - name: EventUUID - description: The EventUUID - type: string diff --git a/schemas/logs/crowdstrike/aid_master.yml b/schemas/logs/crowdstrike/aid_master.yml deleted file mode 100644 index de1849ee6..000000000 --- a/schemas/logs/crowdstrike/aid_master.yml +++ /dev/null @@ -1,110 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.AIDMaster -parser: - native: - name: Crowdstrike.AIDMaster -description: Sensor and Host information provided by Falcon Insight -referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-aid-master -version: 0 -fields: - - name: Time - required: true - description: Timestamp of when the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system (the _timeevent). This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations. - type: timestamp - timeFormat: unix - isEventTime: true - - name: AgentLoadFlags - required: true - description: "Whether the sensor loaded during or after the Windows host's boot process. Example values: 0, 1" - type: int - - name: AgentLocalTime - required: true - description: The local time for the sensor in epoch format. - type: timestamp - timeFormat: unix - - name: AgentTimeOffset - required: true - description: The time since the last reboot in epoch format. - type: float - - name: AgentVersion - required: true - description: The version of the sensor running on a host. - type: string - - name: aid - required: true - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - - name: cid - required: true - description: The customer ID. - type: string - - name: aip - required: true - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: BiosManufacturer - description: The manufacturer of the host's BIOS. - type: string - - name: BiosVersion - description: The version of the host's BIOS. - type: string - - name: ChassisType - description: Type of system chassis, as defined in SMBIOS Standard. - type: string - - name: City - description: The system's city of origin. - type: string - - name: Country - description: The system's country of origin. - type: string - - name: Continent - description: The sensor's continent, as seen from the CrowdStrike cloud. - type: string - - name: ComputerName - description: The name of the host. - type: string - - name: ConfigIDBuild - description: Build number used as part of the ConfigID. - type: string - - name: event_platform - description: "The platform the sensor is running on. Example values: 'Win', 'Lin', 'Mac'." - type: string - - name: FirstSeen - description: The first time the sensor was seen by the CrowdStrike cloud in epoch format. - type: timestamp - timeFormat: unix - - name: MachineDomain - description: The Windows domain name to which the host is currently joined. - type: string - - name: OU - description: The organizational unit of the host as seen by the sensor (defined by system admin). - type: string - - name: PointerSize - description: "The processor architecture (in decimal, non-hex format): '4' for 32-bit, '8' for 64-bit, or 'none' for unknown." - type: string - - name: ProductType - description: "The type of product (in decimal, non-hex format). Example values: '1' (Workstation), '2' (Domain Controller), '3' (Server)." - type: string - - name: ServicePackMajor - description: "The major version # of the OS Service Pack (in decimal, non-hex format)." - type: string - - name: SiteName - description: The site name of the domain to which the host is joined (defined by system admin). - type: string - - name: SystemManufacturer - description: The host's system manufacturer. - type: string - - name: SystemProductName - description: The host's product name. - type: string - - name: Timezone - description: The sensor's time zone, as seen from the CrowdStrike cloud. - type: string - - name: Version - description: The host's system version. - type: string - - name: HostHiddenStatus - description: Whether the host is visible or not. - type: string diff --git a/schemas/logs/crowdstrike/app_info.yml b/schemas/logs/crowdstrike/app_info.yml deleted file mode 100644 index 5fb4ca0d3..000000000 --- a/schemas/logs/crowdstrike/app_info.yml +++ /dev/null @@ -1,49 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.AppInfo -parser: - native: - name: Crowdstrike.AppInfo -description: Detected Application Information provided by Falcon Discover -referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-appinfo -version: 0 -fields: - - name: _time - required: true - description: The host's local time in epoch format. - type: timestamp - timeFormat: unix - isEventTime: true - - name: cid - required: true - description: The customer ID. - type: string - - name: CompanyName - required: true - description: The name of the company. - type: string - - name: detectioncount - required: true - description: The number of detections. - type: bigint - - name: FileName - required: true - description: The name of the file. - type: string - - name: SHA256HashData - required: true - description: The file hash bashed on SHA-256. - type: string - indicators: - - sha256 - - name: FileDescription - description: The description of the file, if any. - type: string - - name: FileVersion - description: The version of the file. - type: string - - name: ProductName - description: The name of the product. - type: string - - name: ProductVersion - description: The version of the product. - type: string diff --git a/schemas/logs/crowdstrike/critical_file.yml b/schemas/logs/crowdstrike/critical_file.yml deleted file mode 100644 index 48c4c9b44..000000000 --- a/schemas/logs/crowdstrike/critical_file.yml +++ /dev/null @@ -1,113 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.CriticalFile -parser: - native: - name: Crowdstrike.CriticalFile -description: This event is generated every time a critical file is accessed or modified -referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary -version: 0 -fields: - - name: event_simpleName - required: true - description: Event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: EffectiveTransmissionClass - description: Effective transmission class - type: bigint - - name: GID - description: The user Group ID - type: bigint - - name: TargetFileName - description: The file that was accessed - type: string - - name: UID - description: The User ID - type: bigint - - name: UnixMode - description: The unix file permissions - type: string - - name: FileIdentifier - description: The file identifier - type: string - - name: USN - description: The USN - type: bigint diff --git a/schemas/logs/crowdstrike/detection_summary.yml b/schemas/logs/crowdstrike/detection_summary.yml deleted file mode 100644 index 7b2e5c87c..000000000 --- a/schemas/logs/crowdstrike/detection_summary.yml +++ /dev/null @@ -1,159 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.DetectionSummary -parser: - native: - name: Crowdstrike.DetectionSummary -description: Detection Summary events include multiple detections, when multiple malicious behaviors are detected. -referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events#section-detection-summary -version: 0 -fields: - - name: cid - description: Customer ID - type: string - indicators: - - trace_id - - name: Technique - description: The name of the technique associated to the behavior. - type: string - - name: ProcessId - description: Process ID. - type: bigint - - name: AgentIdString - description: Agent Id. - type: string - - name: DetectName - description: "NOTE: The DetectName field has been replaced by Objective, Tactic, and Technique as we have aligned with MITRE’s ATT&CK. DetectName will be deprecated January 16, 2019 - more information" - type: string - - name: ComputerName - description: Host name. - type: string - - name: ProcessStartTime - description: Timestamp of when a process started. - type: timestamp - timeFormat: unix - - name: GrandparentCommandLine - description: Effective transmission class - type: string - - name: MACAddress - description: The MAC Address - type: string - - name: CommandLine - description: The command line execution of the process. - type: string - - name: Objective - description: The name of the objective associated to the behavior. - type: string - - name: Nonce - description: The nonce. - type: bigint - - name: SHA256String - description: SHA256 hash. - type: string - indicators: - - sha256 - - name: ExternalApiType - required: true - description: The type of the External API - type: string - - name: PatternDispositionValue - description: The pattern disposition value. - type: bigint - - name: DetectId - description: "The Detection ID for the detection. Can be used in other APIs, such as Detection Resolution and ThreatGraph. Example: ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922" - type: string - - name: Severity - description: The severity - type: bigint - - name: PatternDispositionDescription - description: The description of the pattern associated to the action taken on the behavior. - type: string - - name: SeverityName - description: The severity name. - type: string - - name: MD5String - description: MD5 hash - type: string - indicators: - - md5 - - name: EventUUID - description: Event UUID - type: string - - name: UserName - description: User name. - type: string - indicators: - - username - - name: FilePath - description: Full path of the file, excluding the file name. - type: string - - name: timestamp - description: The timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: ParentCommandLine - description: The command line of the parent process. - type: string - - name: DetectDescription - description: "A description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. NOTE: While these descriptions are robust and drive a helpful console experience, we encourage you to not use this field to drive workflows, as values are updated and added regularly." - type: string - - name: LocalIP - description: The local IP. - type: string - indicators: - - ip - - name: ProcessEndTime - description: Timestamp of when a process ended in UNIX EPOCH time. - type: timestamp - timeFormat: unix - - name: SHA1String - description: SHA1 hash - type: string - indicators: - - sha1 - - name: OriginSourceIpAddress - description: The OriginSourceIpAddress. - type: string - indicators: - - ip - - name: GrandparentImageFileName - description: The GrandparentImageFileName - type: string - - name: MachineDomain - description: The Windows Domain Name to which the machine is currently joined. - type: string - - name: ParentImageFileName - description: The ParentImageFileName - type: string - - name: FalconHostLink - description: Link to view detection event in Falcon console. - type: string - - name: UTCTimestamp - description: The UTC timestamp. - type: timestamp - timeFormat: unix_ms - - name: FileName - description: File name if a file is involved in the detection. - type: string - - name: ParentProcessId - description: Parent Process ID. - type: bigint - - name: EventType - required: true - description: The EventType. - type: string - - name: CustomerIdString - description: Unique ID assigned by CS for each customer. - type: string - - name: Tactic - description: The name of the tactic associated to the behavior. - type: string - - name: SensorId - description: Falcon sensor Agent ID. - type: string - - name: eid - description: The EID. - type: bigint - - name: PatternDispositionFlags - description: The pattern disposition flags - type: json diff --git a/schemas/logs/crowdstrike/dns_request.yml b/schemas/logs/crowdstrike/dns_request.yml deleted file mode 100644 index aef7b60fc..000000000 --- a/schemas/logs/crowdstrike/dns_request.yml +++ /dev/null @@ -1,119 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.DNSRequest -parser: - native: - name: Crowdstrike.DNSRequest -description: This event is generated for every attempted DNS name resolution on a host. -version: 0 -fields: - - name: event_simpleName - required: true - description: Event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: EffectiveTransmissionClass - description: Effective transmission class - type: bigint - - name: DomainName - description: The domain name requested - type: string - indicators: - - domain - - name: InterfaceIndex - description: The network interface index (Windows only) - type: bigint - - name: DualRequest - description: If the event is dual request (Windows only) - type: bigint - - name: DnsRequestCount - description: The number of DNS requests (Windows only) - type: bigint - - name: AppIdentifier - description: The identifier of the app that made the request (Android, iOS) - type: string - - name: IpAddress - description: The device ip address (Android, iOS) - type: string - indicators: - - ip - - name: RequestType - description: The DNS request type - type: string diff --git a/schemas/logs/crowdstrike/group_identity.yml b/schemas/logs/crowdstrike/group_identity.yml deleted file mode 100644 index f610911ad..000000000 --- a/schemas/logs/crowdstrike/group_identity.yml +++ /dev/null @@ -1,116 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.GroupIdentity -parser: - native: - name: Crowdstrike.GroupIdentity -description: Provides the sensor boot unique mapping between GID, AuthenticationId, UserPrincipal, and UserSid. Available only for the Mac platform. -referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-GroupIdentity -version: 0 -fields: - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: event_simpleName - required: true - description: Event Name - type: string - - name: GID - required: true - description: The user Group ID. - type: bigint - - name: AuthenticationUuid - required: true - description: AuthenticationUUID field - type: string - - name: AuthenticationUuidAsString - required: true - description: AuthenticationUUIDAsString field - type: string - - name: AuthenticationId - required: true - description: "Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)" - type: int - - name: UserPrincipal - required: true - description: UserPrincipal field - type: string - - name: UserSid - required: true - description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system. - type: string diff --git a/schemas/logs/crowdstrike/managed_assets.yml b/schemas/logs/crowdstrike/managed_assets.yml deleted file mode 100644 index ab034db0c..000000000 --- a/schemas/logs/crowdstrike/managed_assets.yml +++ /dev/null @@ -1,53 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.ManagedAssets -parser: - native: - name: Crowdstrike.ManagedAssets -description: "Sensor and Host information provided by Falcon Insight (Network Information: IP Address, LAN/Ethernet Interface, Gateway Address, MAC Address)" -referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-managedassets -version: 0 -fields: - - name: _time - required: true - description: The host's local time in epoch format. - type: timestamp - timeFormat: unix - isEventTime: true - - name: aid - required: true - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - - name: cid - required: true - description: The customer ID. - type: string - - name: GatewayIP - required: true - description: The gateway of the system where the sensor is installed. - type: string - indicators: - - ip - - name: GatewayMAC - required: true - description: The MAC address of the gateway. - type: string - - name: MacPrefix - required: true - description: An identifier unique to the organization. - type: string - - name: MAC - required: true - description: The MAC address of the system. - type: string - - name: LocalAddressIP4 - required: true - description: The device's local IP address in IPv4 format. - type: string - indicators: - - ip - - name: InterfaceAlias - description: The user-friendly name of the IP interface. - type: string - - name: InterfaceDescription - description: The network adapter used for the IP interface. - type: string diff --git a/schemas/logs/crowdstrike/network_connect.yml b/schemas/logs/crowdstrike/network_connect.yml deleted file mode 100644 index 2f3e09846..000000000 --- a/schemas/logs/crowdstrike/network_connect.yml +++ /dev/null @@ -1,132 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.NetworkConnect -parser: - native: - name: Crowdstrike.NetworkConnect -description: This event is generated when an application attempts a remote connection on an interface -version: 0 -fields: - - name: event_simpleName - required: true - description: Event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: LocalAddressIP4 - description: Local IPv4 address for the connection - type: string - indicators: - - ip - - name: LocalAddressIP6 - description: Local IPv6 address for the connection - type: string - indicators: - - ip - - name: RemoteAddressIP4 - description: Remote IPv4 address for the connection - type: string - indicators: - - ip - - name: RemoteAddressIP6 - description: Remote IPv6 address for the connection - type: string - indicators: - - ip - - name: ConnectionFlags - description: Connection flags (PROMISCUOUS_MODE_SIO_RCVALL = 2, RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST = 4, PROMISCUOUS_MODE_SIO_RCVALL_MCAST = 8) - type: int - - name: Protocol - description: IP Protocol (ICMP = 1, TCP = 6, UDP = 17) - type: int - - name: LocalPort - description: Connection local port - type: int - - name: RemotePort - description: Connection remote port - type: int - - name: ConnectionDirection - description: Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3) - type: int - - name: IcmpType - description: ICMP type (N/A on iOS) - type: string - - name: IcmpCode - description: ICMP code (N/A on iOS) - type: string diff --git a/schemas/logs/crowdstrike/network_listen.yml b/schemas/logs/crowdstrike/network_listen.yml deleted file mode 100644 index 9dd38b853..000000000 --- a/schemas/logs/crowdstrike/network_listen.yml +++ /dev/null @@ -1,126 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.NetworkListen -parser: - native: - name: Crowdstrike.NetworkListen -description: This event is generated when an application establishes a socket in listening mode -version: 0 -fields: - - name: event_simpleName - required: true - description: event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: LocalAddressIP4 - description: Local IPv4 address for the connection - type: string - indicators: - - ip - - name: LocalAddressIP6 - description: Local IPv6 address for the connection - type: string - indicators: - - ip - - name: RemoteAddressIP4 - description: Remote IPv4 address for the connection - type: string - indicators: - - ip - - name: RemoteAddressIP6 - description: Remote IPv6 address for the connection - type: string - indicators: - - ip - - name: ConnectionFlags - description: Connection flags (PROMISCUOUS_MODE_SIO_RCVALL = 2, RAW_SOCKET = 1, PROMISCUOUS_MODE_SIO_RCVALL_IGMPMCAST = 4, PROMISCUOUS_MODE_SIO_RCVALL_MCAST = 8) - type: int - - name: Protocol - description: IP Protocol (ICMP = 1, TCP = 6, UDP = 17) - type: int - - name: LocalPort - description: Connection local port - type: int - - name: RemotePort - description: Connection remote port - type: int - - name: ConnectionDirection - description: Direction of the connection (OUTBOUND = 0, INBOUND = 1, NEITHER = 2, BOTH = 3) - type: int diff --git a/schemas/logs/crowdstrike/not_managed_assets.yml b/schemas/logs/crowdstrike/not_managed_assets.yml deleted file mode 100644 index 1d29630fe..000000000 --- a/schemas/logs/crowdstrike/not_managed_assets.yml +++ /dev/null @@ -1,81 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.NotManagedAssets -parser: - native: - name: Crowdstrike.NotManagedAssets -description: Unmanaged Host discovery information provided by Falcon Insight -referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-notmanaged -version: 0 -fields: - - name: _time - required: true - description: The host's local time in epoch format. - type: timestamp - timeFormat: unix - isEventTime: true - - name: aip - required: true - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: aipcount - required: true - description: The number of public-facing IP addresses. - type: bigint - - name: localipCount - required: true - description: The number of local IP addresses. - type: bigint - - name: cid - required: true - description: The customer ID. - type: string - - name: CurrentLocalIP - required: true - description: The current local IP address of the machine, found via the IPv4 network discovery protocol. - type: string - indicators: - - ip - - name: subnet - description: The subnet of the system. - type: string - - name: MAC - required: true - description: The MAC address of the system. - type: string - - name: MacPrefix - required: true - description: An identifier unique to the organization. - type: string - - name: discovererCount - required: true - description: The number of aid's that have discovered this system. - type: bigint - - name: discoverer_aid - description: The agent IDs that have discovered this system. - type: array - element: - type: string - - name: discoverer_devicetype - description: The type of device that discovered this system ('VM' or 'Server'). - type: string - - name: FirstDiscoveredDate - description: The first time the system was discovered in epoch format. - type: timestamp - timeFormat: unix - - name: LastDiscoveredBy - description: The most recent time the system was discovered in epoch format. - type: timestamp - timeFormat: unix - - name: LocalAddressIP4 - description: The device's local IP address in IPv4 format. - type: string - indicators: - - ip - - name: ComputerName - description: The name of the host that discovered the neighbor. - type: string - - name: NeighborName - description: The neighbor's host name. - type: string diff --git a/schemas/logs/crowdstrike/process_rollup_2.yml b/schemas/logs/crowdstrike/process_rollup_2.yml deleted file mode 100644 index 94e129511..000000000 --- a/schemas/logs/crowdstrike/process_rollup_2.yml +++ /dev/null @@ -1,258 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.ProcessRollup2 -parser: - native: - name: Crowdstrike.ProcessRollup2 -description: This event (often called "PR2" for short) is generated for a process that is running or has finished running on a host and contains information about that process. -version: 0 -fields: - - name: event_simpleName - required: true - description: Event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: TargetProcessId - description: The unique ID of a target process - type: bigint - - name: SourceProcessId - description: The unique ID of creating process. - type: bigint - - name: SourceThreadId - description: The unique ID of thread from creating process. - type: bigint - - name: ParentProcessId - description: The unique ID of the parent process. - type: bigint - - name: ImageFileName - description: The full path to an executable (PE) file. The context of this field provides more information as to its meaning. For ProcessRollup2 events, this is the full path to the main executable for the created process - type: string - - name: CommandLine - description: The command line used to create this process. May be empty in some circumstances - type: string - - name: RawProcessId - description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier - type: bigint - - name: ProcessStartTime - description: The time the process began in UNIX epoch time (in decimal, non-hex format). - type: timestamp - timeFormat: unix - - name: ProcessEndTime - description: The time the process finished (in decimal, non-hex format). - type: timestamp - timeFormat: unix - - name: SHA256HashData - description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field. - type: string - indicators: - - sha256 - - name: SHA1HashData - description: The SHA1 hash of a file - type: string - indicators: - - sha1 - - name: MD5HashData - description: The MD5 hash of a file - type: string - indicators: - - md5 - - name: ImageSubsystem - description: Subsystem of the image filename (Windows only) - type: string - - name: UserSid - description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system. (Windows only) - type: string - - name: AuthenticationId - description: The authentication identifier (Windows only) - type: string - - name: IntegrityLevel - description: The integrity level (Windows only) - type: string - - name: ProcessCreateFlags - description: Captured flags from original process create. This is a bitfield. (Windows only) - type: string - - name: ProcessParameterFlags - description: Flags from the ‘NtCreateUserProcess’ API. This bitfield includes data like if DLL redirection is enabled. (Windows only) - type: string - - name: ProcessSxsFlags - description: Flags from the communications path with the Windows Subsystem Process. This bitfield includes data like if there’s a manifest and if it’s local or not. (Windows only) - type: string - - name: ParentAuthenticationId - description: The authentication identifier for the parent process (Windows only) - type: string - - name: TokenType - description: The token type (Windows only) - type: string - - name: SessionId - description: The id of the session (Windows only) - type: string - - name: WindowFlags - description: Flags from the window (Windows only) - type: string - - name: ShowWindowFlags - description: Window visibility flags (Windows only) - type: string - - name: WindowStartingPositionHorizontal - description: Start horizontal position of the process window (Windows only) - type: bigint - - name: WindowStartingPositionVertical - description: Start vertical position of the process window (Windows only) - type: bigint - - name: WindowStartingWidth - description: Start width of the process window (Windows only) - type: bigint - - name: WindowStartingHeight - description: Start height of the process window (Windows only) - type: bigint - - name: Desktop - description: The desktop of the process window (Windows only) - type: string - - name: WindowStation - description: The process window station (Windows only) - type: string - - name: WindowTitle - description: The title of the process window (WindowsOnly) - type: string - - name: LinkName - description: Link name (Windows only) - type: string - - name: ApplicationUserModelId - description: Application user model id (WindowsOnly) - type: string - - name: CallStackModuleNames - description: Call stack module names (Windows only) - type: string - - name: CallStackModuleNamesVersion - description: Call stack module names version (Windows only) - type: string - - name: RpcClientProcessId - description: RPC client process id (Windows only) - type: string - - name: CsaProcessDataCollectionInstanceId - description: CSA process data collection instance id (Windows only) - type: string - - name: OriginalCommandLine - description: The original command line used to create this process (Windows only) - type: string - - name: CreateProcessType - description: Create process type (Windows only) - type: string - - name: ZoneIdentifier - description: Zone identifier (Windows only) - type: string - - name: HostUrl - description: Host URL (Windows only) - type: string - - name: ReferrerUrl - description: Referrer URL (Windows only) - type: string - indicators: - - url - - name: GrandParent - description: Grant parent (Windows only) - type: string - - name: BaseFileName - description: Base file name (Windows only) - type: string - - name: Tags - description: Process tags comma separated list (Windows, Mac) - type: string - - name: ParentBaseFileName - description: Parent process base file name (Windows, Mac) - type: string - - name: ProcessGroupId - description: Process group id (Windows, Mac) - type: bigint - - name: UID - description: UID (Mac, Linux, Android) - type: bigint - - name: RUID - description: RUID (Mac, Linux, Android) - type: bigint - - name: SVUID - description: SVUID (Mac, Linux, Android) - type: bigint - - name: GID - description: GID (Mac, Linux, Android) - type: bigint - - name: RGID - description: RGID (Mac, Linux, Android) - type: bigint - - name: SVGID - description: SVGID (Mac, Linux, Android) - type: bigint - - name: SessionProcessId - description: Session process id (Mac, Linux) - type: bigint - - name: MachOSubType - description: MachOSubType (Mac only) - type: string - - name: TtyName - description: TTY name (Linux only) - type: string - - name: OciContainerId - description: OCI Container id (Linux only) - type: string - - name: SourceAndroidComponentName - description: Source component name (Android only) - type: string - - name: TargetAndroidComponentName - description: Target component name (Android only) - type: string - - name: TargetAndroidComponentType - description: Target component type (Android only) - type: string diff --git a/schemas/logs/crowdstrike/process_rollup_2_stats.yml b/schemas/logs/crowdstrike/process_rollup_2_stats.yml deleted file mode 100644 index 03a408460..000000000 --- a/schemas/logs/crowdstrike/process_rollup_2_stats.yml +++ /dev/null @@ -1,120 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.ProcessRollup2Stats -parser: - native: - name: Crowdstrike.ProcessRollup2Stats -description: When a process finishes running, the sensor generates and sends a ProcessRollup2 event. Mac and Linux sensors send far more ProcessRollup2 events than Windows (roughly 20x as many), so rather than send events for every process on those hosts, the sensor sends an initial ProcessRollup2 event, followed 10 minutes later by a ProcessRollup2Stats event with a SHA256 hash and the count of how many times the hash executed in the last 10 minutes. -version: 0 -fields: - - name: event_simpleName - required: true - description: event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: EffectiveTransmissionClass - description: Effective transmission class - type: bigint - - name: SHA256HashData - description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field. - type: string - indicators: - - sha256 - - name: CommandLine - description: The command line used to create this process. May be empty in some circumstances - type: string - - name: UID - description: UID (Mac) - type: bigint - - name: ProcessCount - description: The ProcessCount. - type: bigint - - name: Timeout - description: The timeout - type: bigint - - name: ParentProcessId - description: The unique ID of the parent process. - type: bigint - - name: SuppressType - description: "Values: GLOBAL (0) PARENT (1) UID (2) UIDNORMALIZED (3) PREFILTER (4) TIMEOUT_CHECK (5)" - type: bigint - - name: BoundedCount - description: The bounded count - type: bigint diff --git a/schemas/logs/crowdstrike/synthetic_process_rollup_2.yml b/schemas/logs/crowdstrike/synthetic_process_rollup_2.yml deleted file mode 100644 index 0a6146fb3..000000000 --- a/schemas/logs/crowdstrike/synthetic_process_rollup_2.yml +++ /dev/null @@ -1,174 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.SyntheticProcessRollup2 -parser: - native: - name: Crowdstrike.SyntheticProcessRollup2 -description: A synthetic version of the process rollup (PR2) event -version: 0 -fields: - - name: event_simpleName - required: true - description: event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: TargetProcessId - description: The unique ID of a target process - type: bigint - - name: SourceProcessId - description: The unique ID of creating process. - type: bigint - - name: SourceThreadId - description: The unique ID of thread from creating process. - type: bigint - - name: ParentProcessId - description: The unique ID of the parent process. - type: bigint - - name: ImageFileName - description: The full path to an executable (PE) file. The context of this field provides more information as to its meaning. For ProcessRollup2 events, this is the full path to the main executable for the created process - type: string - - name: CommandLine - description: The command line used to create this process. May be empty in some circumstances - type: string - - name: RawProcessId - description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier - type: bigint - - name: ProcessStartTime - description: The time the process began in UNIX epoch time (in decimal, non-hex format). - type: timestamp - timeFormat: unix - - name: ProcessEndTime - description: The time the process finished (in decimal, non-hex format). - type: timestamp - timeFormat: unix - - name: SHA256HashData - description: The SHA256 hash of a file. In most cases, the hash of the file referred to by the ImageFileName field. - type: string - indicators: - - sha256 - - name: SHA1HashData - description: The SHA1 hash of a file - type: string - indicators: - - sha1 - - name: MD5HashData - description: The MD5 hash of a file - type: string - indicators: - - md5 - - name: SyntheticPR2Flags - description: PR2 flags (PROCESS_RUNDOWN = 0, PROCESS_HOLLOWED = 1, IMAGEHASH_FAILURE = 4, FILE_PATH_EXCLUDED = 8, PROCESS_FORK_FOLDING = 16, APP_MONITORING = 2) - type: int - - name: ImageSubsystem - description: Subsystem of the image filename (Windows only) - type: string - - name: UserSid - description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system. (Windows only) - type: string - - name: AuthenticationId - description: The authentication identifier (Windows only) - type: string - - name: IntegrityLevel - description: The integrity level (Windows only) - type: string - - name: ProcessGroupId - description: Process group id (Mac) - type: bigint - - name: UID - description: UID (Mac) - type: bigint - - name: RUID - description: RUID (Mac) - type: bigint - - name: SVUID - description: SVUID (Mac) - type: bigint - - name: GID - description: GID (Mac) - type: bigint - - name: RGID - description: RGID (Mac) - type: bigint - - name: SVGID - description: SVGID (Mac) - type: bigint - - name: SessionProcessId - description: Session process id (Mac) - type: bigint diff --git a/schemas/logs/crowdstrike/unknown.yml b/schemas/logs/crowdstrike/unknown.yml deleted file mode 100644 index 9a1c96c26..000000000 --- a/schemas/logs/crowdstrike/unknown.yml +++ /dev/null @@ -1,95 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.Unknown -parser: - native: - name: Crowdstrike.Unknown -description: This table contains all the Crowdstrike events that don't match to any of the registered types -referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/streaming-api-events -version: 0 -fields: - - name: event_simpleName - description: Event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: unknown_payload - required: true - description: The full JSON payload of the event - type: json diff --git a/schemas/logs/crowdstrike/user_identity.yml b/schemas/logs/crowdstrike/user_identity.yml deleted file mode 100644 index 276487ebb..000000000 --- a/schemas/logs/crowdstrike/user_identity.yml +++ /dev/null @@ -1,161 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.UserIdentity -parser: - native: - name: Crowdstrike.UserIdentity -description: The UserIdentity event is generated when a user logs in to a host. It conveys important security-related characteristics associated with a user to the CrowdStrike cloud, such as the user name. It’s normally generated once per security principal, and is thus not on its own a sign of a suspicious activity. Available for Mac & Windows platforms. -referenceURL: https://developer.crowdstrike.com/crowdstrike/page/event-explorer#section-event-UserIdentity -version: 0 -fields: - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: event_simpleName - required: true - description: Event Name - type: string - - name: AuthenticationId - required: true - description: "Values: INVALID_LUID (0), NETWORK_SERVICE (996), LOCAL_SERVICE (997), SYSTEM (999), RESERVED_LUID_MAX (1000)" - type: int - - name: UserPrincipal - required: true - description: UserPrincipal field - type: string - - name: UserSid - required: true - description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system. - type: string - - name: AuthenticationUuid - description: AuthenticationUUID field - type: string - - name: AuthenticationUuidAsString - description: AuthenticationUUIDAsString field - type: string - - name: UID - description: The User ID. - type: bigint - - name: UserName - description: UserName field - type: string - indicators: - - username - - name: UserCanonical - description: UserCanonical field - type: string - - name: LogonId - description: LogonID field - type: string - - name: LogonDomain - description: LogonDomain field - type: string - - name: AuthenticationPackage - description: AuthenticationPackage field - type: string - - name: LogonType - description: "Values: INTERACTIVE (2), NETWORK (3), BATCH (4), SERVICE (5), PROXY (6), UNLOCK (7), NETWORK_CLEARTEXT (8), CACHED_UNLOCK (13), NEW_CREDENTIALS (9), REMOTE_INTERACTIVE (10), CACHED_INTERACTIVE (11), CACHED_REMOTE_INTERACTIVE (12)" - type: int - - name: LogonTime - description: LogonTime field - type: timestamp - timeFormat: unix - - name: LogonServer - description: LogonServer field - type: string - - name: UserFlags - description: "Values: LOGON_OPTIMIZED (0x4000), LOGON_WINLOGON (0x8000), LOGON_PKINIT (0x10000), LOGON_NOT_OPTIMIZED (0x20000)" - type: bigint - - name: PasswordLastSet - description: PasswordLastSet field - type: timestamp - timeFormat: unix - - name: RemoteAccount - description: RemoteAccount field - type: int - - name: UserIsAdmin - description: UserIsAdmin field - type: int - - name: SessionId - description: SessionID field - type: string - indicators: - - trace_id - - name: UserLogonFlags - description: "Values: LOGON_IS_SYNTHETIC (0x00000001), USER_IS_ADMIN (0x00000002), USER_IS_LOCAL (0x00000004), USER_IS_BUILT_IN (0x00000008), USER_IDENTITY_MISSING (0x00000010)" - type: int diff --git a/schemas/logs/crowdstrike/user_info.yml b/schemas/logs/crowdstrike/user_info.yml deleted file mode 100644 index eff4b007d..000000000 --- a/schemas/logs/crowdstrike/user_info.yml +++ /dev/null @@ -1,72 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.UserInfo -parser: - native: - name: Crowdstrike.UserInfo -description: User Account & Logon information provided by Falcon Discover -referenceURL: https://developer.crowdstrike.com/crowdstrike/docs/falcon-data-replicator-guide#section-userinfo -version: 0 -fields: - - name: _time - required: true - description: The host's local time in epoch format. - type: timestamp - timeFormat: unix - isEventTime: true - - name: cid - required: true - description: The customer ID. - type: string - - name: AccountType - required: true - description: "The type of account set for the user: 'Domain User', 'Domain Administrator', 'Local User'." - type: string - - name: DomainUser - required: true - description: "Indicates if the user's credentials are part of a domain controller: 'Yes', 'No'." - type: string - - name: UserName - required: true - description: The username of the system. - type: string - indicators: - - username - - name: UserSid_readable - required: true - description: The user SID associated with this process. - type: string - - name: LastLoggedOnHost - description: The host that was last logged into the system. - type: string - - name: LocalAdminAccess - description: "Indicates whether a local user is an admin: 'Yes', 'No'." - type: string - - name: LoggedOnHostCount - description: The number of hosts logged in at _time. - type: int - - name: LogonInfo - description: The login information. - type: string - - name: LogonTime - description: The last login time by this user in epoch format. - type: timestamp - timeFormat: unix - - name: LogonType - description: "Values defined as follows, INTERACTIVE: The security principal is logging on interactively, NETWORK: The security principal is logging on using a network, TERMINAL SERVER: The security principal has logged in via a terminal server." - type: string - - name: monthsincereset - description: The number of months since this user's password was last reset. - type: int - - name: PasswordLastSet - description: The last time in epoch format that this user's password in the system was set. - type: timestamp - timeFormat: unix - - name: User - description: A system username with domain. - type: string - - name: UserIsAdmin - description: Indicates whether the user account has administrator privileges. - type: smallint - - name: UserLogonFlags_decimal - description: A bitfield for various bits of a UserLogon, or failed user logon. - type: int diff --git a/schemas/logs/crowdstrike/user_logon_logoff.yml b/schemas/logs/crowdstrike/user_logon_logoff.yml deleted file mode 100644 index f98dd4690..000000000 --- a/schemas/logs/crowdstrike/user_logon_logoff.yml +++ /dev/null @@ -1,142 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Crowdstrike.UserLogonLogoff -parser: - native: - name: Crowdstrike.UserLogonLogoff -description: Contains the UserLogon and UserLogoff events -referenceURL: https://falcon.us-2.crowdstrike.com/support/documentation/26/events-data-dictionary -version: 0 -fields: - - name: event_simpleName - required: true - description: event name - type: string - - name: name - required: true - description: The event name - type: string - - name: aid - description: The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time. - type: string - indicators: - - trace_id - - name: aip - description: The sensor’s IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network. - type: string - indicators: - - ip - - name: cid - description: CID - type: string - indicators: - - trace_id - - name: id - description: ID - type: string - - name: event_platform - description: The platform the sensor was running on - type: string - - name: timestamp - description: Timestamp when the event was received by the CrowdStrike cloud. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: _time - description: Timestamp when the event was received by the CrowdStrike cloud (human readable) - type: timestamp - timeFormat: layout=01/02/2006 15:04:05.999 - - name: ComputerName - description: The name of the host. - type: string - indicators: - - hostname - - name: ConfigBuild - description: Config build - type: string - - name: ConfigStateHash - description: Config state hash - type: string - - name: Entitlements - description: Entitlements - type: string - - name: TreeId - description: If this event is part of a detection tree, the tree ID it is part of - type: string - indicators: - - trace_id - - name: TreeId_decimal - description: If this event is part of a detection tree, the tree ID it is part of. (in decimal, non-hex format) - type: bigint - - name: ContextThreadId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextThreadId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: ContextTimeStamp - description: The time at which an event occurred on the system, as seen by the sensor. - type: timestamp - timeFormat: unix - - name: ContextTimeStamp_decimal - description: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). - type: timestamp - timeFormat: unix_ms - - name: ContextProcessId - description: The unique ID of a process that was spawned by another process. - type: string - - name: ContextProcessId_decimal - description: The unique ID of a process that was spawned by another process (in decimal, non-hex format). - type: bigint - - name: InContext - description: In context (N/A on iOS) - type: string - - name: UserIsAdmin - description: Indicates whether the user account has administrator privileges - type: int - - name: UserLogonFlags - description: "Values: LOGON_IS_SYNTHETIC (0x00000001), USER_IS_ADMIN (0x00000002), USER_IS_LOCAL (0x00000004), USER_IS_BUILT_IN (0x00000008), USER_IDENTITY_MISSING (0x00000010)" - type: bigint - - name: UserName - description: The username - type: string - indicators: - - username - - name: UserPrincipal - description: The user principal - type: string - - name: UserSid - description: The User Security Identifier (UserSID) of the user who executed the command. A UserSID uniquely identifies a user in a system - type: string - - name: LogonTime - description: The logon time - type: timestamp - timeFormat: unix - - name: LogonType - description: "Values: INTERACTIVE (2) NETWORK (3) BATCH (4) SERVICE (5) PROXY (6) UNLOCK (7) NETWORK_CLEARTEXT (8) CACHED_UNLOCK (13) REMOTE_INTERACTIVE (10) NEW_CREDENTIALS (9) CACHED_INTERACTIVE (11) CACHED_REMOTE_INTERACTIVE (12)" - type: bigint - - name: PasswordLastSet - description: The time the password was last set - type: timestamp - timeFormat: unix - - name: RawProcessId - description: The operating system’s internal PID. For matching, use the UPID fields which guarantee a unique process identifier - type: bigint - - name: UID - description: The User ID - type: bigint - - name: UserGroupsBitmask - description: The user group bitmask - type: bigint - - name: EffectiveTransmissionClass - description: The user principal - type: bigint - - name: AuthenticationId - description: The authentication identifier - type: string - - name: LogoffTime - description: The logoff time - type: timestamp - timeFormat: unix - - name: UserLogoffType - description: "Values: LOGOFF_EVENT_SOURCE (0x01) LOGOFF_PROFILE_UNLOAD (0x02) ETW (0x03) SYNTHETIC (0x04)" - type: bigint diff --git a/schemas/logs/duo/administrator.yml b/schemas/logs/duo/administrator.yml deleted file mode 100644 index 71a2b42e6..000000000 --- a/schemas/logs/duo/administrator.yml +++ /dev/null @@ -1,35 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Duo.Administrator -parser: - native: - name: Duo.Administrator -description: Duo administrator log events. -referenceURL: https://duo.com/docs/adminapi#administrator-logs -version: 0 -fields: - - name: action - required: true - description: The type of change that was performed. - type: string - - name: description - description: String detailing what changed, either as free-form text or serialized JSON. - type: string - - name: isotimestamp - required: true - description: ISO8601 timestamp of the event. - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: object - description: 'The object that was acted on. For example: "jsmith" (for users), "(555) 713-6275 x456" (for phones), or "HOTP 8-digit 123456" (for tokens).' - type: string - - name: timestamp - description: Unix timestamp of the event. - type: timestamp - timeFormat: unix - - name: username - required: true - description: 'The full name of the administrator who performed the action in the Duo Admin Panel. If the action was performed with the API this will be "API". Automatic actions like deletion of inactive users have "System" for the username. Changes synchronized from Directory Sync will have a username of the form (example) "AD Sync: name of directory".' - type: string - indicators: - - username diff --git a/schemas/logs/duo/authentication.yml b/schemas/logs/duo/authentication.yml deleted file mode 100644 index 717eaaa11..000000000 --- a/schemas/logs/duo/authentication.yml +++ /dev/null @@ -1,161 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Duo.Authentication -parser: - native: - name: Duo.Authentication -description: Duo authentication log events(v2). -referenceURL: https://duo.com/docs/adminapi#authentication-logs -version: 0 -fields: - - name: access_device - description: Browser, plugin, and operating system information for the endpoint used to access the Duo-protected resource. Values present only when the application accessed features Duo’s inline browser prompt. - type: object - fields: - - name: browser - description: The web browser used for access. - type: string - - name: browser_version - description: The browser version. - type: string - - name: flash_version - description: The Flash plugin version used, if present, otherwise "uninstalled". - type: string - - name: hostname - description: The hostname, if present, otherwise "null". - type: string - indicators: - - hostname - - name: ip - description: The access device's IP address, if present, otherwise "null". - type: string - indicators: - - ip - - name: is_encryption_enabled - description: Reports the disk encryption state as detected by the Duo Device Health app. One of "true", "false", or "unknown". - type: string - - name: is_firewall_enabled - description: Reports the firewall state as detected by the Duo Device Health app. One of "true", "false", or "unknown". - type: string - - name: is_password_set - description: Reports the system password state as detected by the Duo Device Health app. One of "true", "false", or "unknown". - type: string - - name: java_version - description: The Java plugin version used, if present, otherwise "uninstalled". - type: string - - name: location - description: The GeoIP location of the access device, if available. The response may not include all location parameters. - type: object - fields: - - name: city - description: The city name. - type: string - - name: country - description: The country code. - type: string - - name: state - description: The state, county, province, or prefecture. - type: string - - name: os - description: The device operating system name. - type: string - - name: os_version - description: The device operating system version. - type: string - - name: security_agents - description: Reports the security agents present on the endpoint as detected by the Duo Device Health app. - type: array - element: - type: string - - name: alias - description: The username alias used to log in. No value if the user logged in with their username instead of a username alias. - type: string - indicators: - - username - - name: application - description: Information about the application accessed. - type: object - fields: - - name: key - description: The application's integration_key. - type: string - - name: name - description: The application's name. - type: string - - name: auth_device - description: Information about the device used to approve or deny authentication. - type: object - fields: - - name: ip - description: The IP address of the authentication device. - type: string - indicators: - - ip - - name: location - description: The GeoIP location of the authentication device, if available. May not include all location parameters. - type: object - fields: - - name: city - description: The city name. - type: string - - name: country - description: The country code. - type: string - - name: state - description: The state, county, province, or prefecture. - type: string - - name: name - description: The name of the authentication device. - type: string - - name: email - description: The email address of the user, if known to Duo, otherwise none. - type: string - indicators: - - email - - name: event_type - description: 'The type of activity logged. one of: "authentication" or "enrollment".' - type: string - - name: factor - description: 'The authentication factor. One of: "phone_call", "passcode", "yubikey_passcode", "digipass_go_7_token", "hardware_token", "duo_mobile_passcode", "bypass_code", "sms_passcode", "sms_refresh", "duo_push", "u2f_token", "remembered_device", or "trusted_network".' - type: string - - name: isotimestamp - required: true - description: ISO8601 timestamp of the event. - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: ood_software - description: If authentication was denied due to out-of-date software, shows the name of the software, i.e. "Chrome", "Flash", etc. No value if authentication was successful or authentication denial was not due to out-of-date software. - type: string - - name: reason - description: 'Provide the reason for the authentication attempt result. If result is "SUCCESS" then one of: "allow_unenrolled_user", "allowed_by_policy", "allow_unenrolled_user_on_trusted_network", "bypass_user", "remembered_device", "trusted_location", "trusted_network", "user_approved", "valid_passcode". If result is "FAILURE" then one of: "anonymous_ip", "anomalous_push", "could_not_determine_if_endpoint_was_trusted", "denied_by_policy", "denied_network", "deny_unenrolled_user", "endpoint_is_not_in_management_system", "endpoint_failed_google_verification", "endpoint_is_not_trusted", "factor_restricted", "invalid_management_certificate_collection_state", "invalid_device", "invalid_passcode", "invalid_referring_hostname_provided", "location_restricted", "locked_out", "no_activated_duo_mobile_account", "no_disk_encryption", "no_duo_certificate_present", "touchid_disabled", "no_referring_hostname_provided", "no_response", "no_screen_lock", "no_web_referer_match", "out_of_date", "platform_restricted", "rooted_device", "software_restricted", "user_cancelled", "user_disabled", "user_mistake", "user_not_in_permitted_group", "user_provided_invalid_certificate", or "version_restricted". If result is "ERROR" then: "error". If result is "FRAUD" then: "user_marked_fraud".' - type: string - - name: result - description: 'The result of the authentication attempt. One of: "SUCCESS", "FAILURE", "ERROR", or "FRAUD".' - type: string - - name: timestamp - description: Unix timestamp of the event. - type: timestamp - timeFormat: unix - - name: txid - required: true - description: The transaction ID of the event. - type: string - indicators: - - trace_id - - name: user - description: Information about the authenticating user. - type: object - fields: - - name: groups - description: Duo group membership information for the user. - type: array - element: - type: string - - name: key - description: The user's user_id. - type: string - - name: name - description: The user's username. - type: string - indicators: - - username diff --git a/schemas/logs/duo/offline_enrollment.yml b/schemas/logs/duo/offline_enrollment.yml deleted file mode 100644 index 2c7ab45e4..000000000 --- a/schemas/logs/duo/offline_enrollment.yml +++ /dev/null @@ -1,36 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Duo.OfflineEnrollment -parser: - native: - name: Duo.OfflineEnrollment -description: Duo Authentication for Windows Logon offline enrollment events. -referenceURL: https://duo.com/docs/adminapi#offline-enrollment-logs -version: 0 -fields: - - name: action - required: true - description: The offline enrollment operation. One of "o2fa_user_provisioned", "o2fa_user_deprovisioned", or "o2fa_user_reenrolled". - type: string - - name: description - description: Information about the Duo Windows Logon client system as reported by the application. - type: string - - name: isotimestamp - required: true - description: ISO8601 timestamp of the event. - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: object - required: true - description: The Duo Windows Logon integration's name. - type: string - - name: timestamp - description: Unix timestamp of the event. - type: timestamp - timeFormat: unix - - name: username - required: true - description: The Duo username. - type: string - indicators: - - username diff --git a/schemas/logs/duo/telephony.yml b/schemas/logs/duo/telephony.yml deleted file mode 100644 index 138a3048a..000000000 --- a/schemas/logs/duo/telephony.yml +++ /dev/null @@ -1,33 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Duo.Telephony -parser: - native: - name: Duo.Telephony -description: Duo telephony log events. -referenceURL: https://duo.com/docs/adminapi#telephony-logs -version: 0 -fields: - - name: context - description: 'How this telephony event was initiated. One of: "administrator login", "authentication", "enrollment", or "verify".' - type: string - - name: credits - description: How many telephony credits this event cost. - type: int - - name: isotimestamp - required: true - description: ISO8601 timestamp of the event. - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: phone - required: true - description: The phone number that initiated this event. - type: string - - name: timestamp - description: Unix timestamp of the event. - type: timestamp - timeFormat: unix - - name: type - required: true - description: The event type. Either "sms" or "phone". - type: string diff --git a/schemas/logs/duo/tests/duologs_tests.yml b/schemas/logs/duo/tests/duologs_tests.yml deleted file mode 100644 index 4d74cecbd..000000000 --- a/schemas/logs/duo/tests/duologs_tests.yml +++ /dev/null @@ -1,174 +0,0 @@ -# Copyright (C) 2020 Panther Labs Inc -# -# Panther Enterprise is licensed under the terms of a commercial license available from -# Panther Labs Inc ("Panther Commercial License") by contacting contact@runpanther.com. -# All use, distribution, and/or modification of this software, whether commercial or non-commercial, -# falls under the Panther Commercial License to the extent it is permitted. - -name: authentication logs -logType: Duo.Authentication -input: | - { - "access_device": { - "browser": "Chrome", - "browser_version": "67.0.3396.99", - "flash_version": "uninstalled", - "hostname": "example.com", - "ip": "169.232.89.219", - "is_encryption_enabled": true, - "is_firewall_enabled": true, - "is_password_set": true, - "java_version": "uninstalled", - "location": { - "city": "Ann Arbor", - "country": "United States", - "state": "Michigan" - }, - "os": "Mac OS X", - "os_version": "10.14.1", - "security_agents": [] - }, - "alias": "", - "application": { - "key": "DIY231J8BR23QK4UKBY8", - "name": "Microsoft Azure Active Directory" - }, - "auth_device": { - "ip": "192.168.225.254", - "location": { - "city": "Ann Arbor", - "country": "United States", - "state": "Michigan" - }, - "name": "My iPhone X (734-555-2342)" - }, - "email": "narroway@example.com", - "event_type": "authentication", - "factor": "duo_push", - "isotimestamp": "2020-02-13T18:56:20.351346+00:00", - "ood_software": "null", - "reason": "user_approved", - "result": "success", - "timestamp": 1581620180, - "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb", - "user": { - "groups": [ - "Duo Users", - "CorpHQ Users" - ], - "key": "DU3KC77WJ06Y5HIV7XKQ", - "name": "narroway@example.com" - } - } -result: | - { - "access_device": { - "browser": "Chrome", - "browser_version": "67.0.3396.99", - "flash_version": "uninstalled", - "hostname": "example.com", - "ip": "169.232.89.219", - "is_encryption_enabled": "true", - "is_firewall_enabled": "true", - "is_password_set": "true", - "java_version": "uninstalled", - "location": { - "city": "Ann Arbor", - "country": "United States", - "state": "Michigan" - }, - "os": "Mac OS X", - "os_version": "10.14.1" - }, - "alias": "", - "application": { - "key": "DIY231J8BR23QK4UKBY8", - "name": "Microsoft Azure Active Directory" - }, - "auth_device": { - "ip": "192.168.225.254", - "location": { - "city": "Ann Arbor", - "country": "United States", - "state": "Michigan" - }, - "name": "My iPhone X (734-555-2342)" - }, - "email": "narroway@example.com", - "event_type": "authentication", - "factor": "duo_push", - "isotimestamp": "2020-02-13T18:56:20.351346Z", - "ood_software": "null", - "reason": "user_approved", - "result": "success", - "timestamp": 1581620180, - "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb", - "user": { - "groups": [ - "Duo Users", - "CorpHQ Users" - ], - "key": "DU3KC77WJ06Y5HIV7XKQ", - "name": "narroway@example.com" - }, - - "p_log_type": "Duo.Authentication", - "p_event_time":"2020-02-13T18:56:20.351346Z", - "p_any_domain_names":["example.com"], - "p_any_ip_addresses": ["169.232.89.219", "192.168.225.254"], - "p_any_emails":["narroway@example.com"], - "p_any_usernames":["narroway@example.com"], - "p_any_trace_ids": ["340a23e3-23f3-23c1-87dc-1491a23dfdbb"] - } - ---- -name: administrator logs -logType: Duo.Administrator -input: | - { - "action": "user_update", - "description": "{\"notes\": \"Joe asked for their nickname to be displayed instead of Joseph.\", \"realname\": \"Joe Smith\"}", - "isotimestamp": "2020-01-24T15:09:42+00:00", - "object": "jsmith", - "timestamp": 1579878582, - "username": "admin" - } -result: | - { - "action": "user_update", - "description": "{\"notes\": \"Joe asked for their nickname to be displayed instead of Joseph.\", \"realname\": \"Joe Smith\"}", - "isotimestamp": "2020-01-24T15:09:42Z", - "object": "jsmith", - "timestamp": 1579878582, - "username": "admin", - - "p_log_type": "Duo.Administrator", - "p_event_time": "2020-01-24T15:09:42Z", - "p_any_usernames":["admin"] - } - ---- -name: offline enrollment logs -logType: Duo.OfflineEnrollment -input: | - { - "action": "o2fa_user_provisioned", - "description": "{\"user_agent\": \"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\", \"hostname\": \"WKSW10x64\", \"factor\": \"duo_otp\"}", - "isotimestamp": "2019-08-30T16:10:05+02:00", - "object": "Acme Laptop Windows Logon", - "timestamp": 1567181405, - "username": "narroway" - } -result: | - { - "action": "o2fa_user_provisioned", - "description": "{\"user_agent\": \"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\", \"hostname\": \"WKSW10x64\", \"factor\": \"duo_otp\"}", - "isotimestamp": "2019-08-30T16:10:05+02:00", - "object": "Acme Laptop Windows Logon", - "timestamp": 1567181405, - "username": "narroway", - - "p_log_type": "Duo.OfflineEnrollment", - "p_event_time": "2019-08-30T14:10:05Z", - "p_any_usernames":["narroway"] - } diff --git a/schemas/logs/fastly/access.yml b/schemas/logs/fastly/access.yml deleted file mode 100644 index 0fce037ae..000000000 --- a/schemas/logs/fastly/access.yml +++ /dev/null @@ -1,47 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Fastly.Access -parser: - fastmatch: - match: - - '%{remote_host_ip_address} %{client_identity_rfc_1413} %{request_user} [%{request_time}] "%{request_method} %{request_uri} %{request_protocol}" %{response_status} %{response_size}' - trimSpace: true - emptyValues: ["-"] -description: |- - Fastly logs in the Common Log Format. To ensure Panther can parse the logs, make sure - to select "Blank" in the "Log line format" field when creating an S3 logging endpoint for your Fastly service. -referenceURL: https://docs.fastly.com/en/guides/useful-log-formats#common-log-format-clf -version: 0 -fields: - - name: remote_host_ip_address - description: This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. - type: string - indicators: - - hostname - - name: client_identity_rfc_1413 - description: The RFC 1413 identity of the client determined by identd on the clients machine. - type: string - - name: request_user - description: The userid of the person requesting the document as determined by HTTP authentication. - type: string - indicators: - - username - - name: request_time - description: The time that the request was received. - type: timestamp - timeFormat: "%d/%b/%Y:%H:%M:%S %z" - isEventTime: true - - name: request_method - description: The HTTP request method - type: string - - name: request_uri - description: The HTTP request URI - type: string - - name: request_protocol - description: The HTTP request protocol - type: string - - name: response_status - description: The HTTP status of the response - type: smallint - - name: response_size - description: The size of the HTTP response in bytes - type: bigint diff --git a/schemas/logs/fastly/tests/access_tests.yml b/schemas/logs/fastly/tests/access_tests.yml deleted file mode 100644 index c36f98dea..000000000 --- a/schemas/logs/fastly/tests/access_tests.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -name: FastlyAccess404 -logType: Fastly.Access -input: 127.0.0.1 - - [11/Sep/2020:13:20:27 +0000] "GET / HTTP/1.1" 404 345 -result: | - { - "remote_host_ip_address": "127.0.0.1", - "request_time": "11/Sep/2020:13:20:27 +0000", - "request_method": "GET", - "request_uri": "/", - "request_protocol": "HTTP/1.1", - "response_status": 404, - "response_size": 345, - "p_log_type": "Fastly.Access", - "p_event_time": "2020-09-11T13:20:27+00:00", - "p_any_ip_addresses": ["127.0.0.1"] - } ---- -name: FastlyAccess404EmptyResponseSize -logType: Fastly.Access -input: 127.0.0.1 - - [11/Sep/2020:13:20:27 +0000] "GET / HTTP/1.1" 404 - -result: | - { - "remote_host_ip_address": "127.0.0.1", - "request_time": "11/Sep/2020:13:20:27 +0000", - "request_method": "GET", - "request_uri": "/", - "request_protocol": "HTTP/1.1", - "response_status": 404, - "p_log_type": "Fastly.Access", - "p_event_time": "2020-09-11T13:20:27+00:00", - "p_any_ip_addresses": ["127.0.0.1"] - } diff --git a/schemas/logs/fluentd/syslog_3164.yml b/schemas/logs/fluentd/syslog_3164.yml deleted file mode 100644 index 345a08b58..000000000 --- a/schemas/logs/fluentd/syslog_3164.yml +++ /dev/null @@ -1,36 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Fluentd.Syslog3164 -parser: - native: - name: Fluentd.Syslog3164 -description: Fluentd syslog parser for the RFC3164 format (ie. BSD-syslog messages) -referenceURL: https://docs.fluentd.org/parser/syslog#rfc3164-log -version: 0 -fields: - - name: pri - description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message. - type: smallint - - name: host - required: true - description: Hostname identifies the machine that originally sent the syslog message. - type: string - - name: ident - required: true - description: Appname identifies the device or application that originated the syslog message. - type: string - - name: pid - description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting. - type: bigint - - name: message - required: true - description: Message contains free-form text that provides information about the event. - type: string - - name: time - required: true - description: Timestamp of the syslog message in UTC. - type: timestamp - timeFormat: rfc3339 - - name: tag - required: true - description: Tag of the syslog message - type: string diff --git a/schemas/logs/fluentd/syslog_5424.yml b/schemas/logs/fluentd/syslog_5424.yml deleted file mode 100644 index f6f9eff57..000000000 --- a/schemas/logs/fluentd/syslog_5424.yml +++ /dev/null @@ -1,45 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Fluentd.Syslog5424 -parser: - native: - name: Fluentd.Syslog5424 -description: Fluentd syslog parser for the RFC5424 format (ie. BSD-syslog messages) -referenceURL: https://docs.fluentd.org/parser/syslog#rfc5424-log -version: 0 -fields: - - name: pri - description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message. - type: smallint - - name: host - required: true - description: Hostname identifies the machine that originally sent the syslog message. - type: string - - name: ident - required: true - description: Appname identifies the device or application that originated the syslog message. - type: string - - name: pid - required: true - description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting. - type: bigint - - name: msgid - required: true - description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic. - type: string - - name: extradata - required: true - description: ExtraData contains syslog strucured data as string - type: string - - name: message - required: true - description: Message contains free-form text that provides information about the event. - type: string - - name: time - required: true - description: Timestamp of the syslog message in UTC. - type: timestamp - timeFormat: rfc3339 - - name: tag - required: true - description: Tag of the syslog message - type: string diff --git a/schemas/logs/g_suite/reports.yml b/schemas/logs/g_suite/reports.yml deleted file mode 100644 index d01dd9edf..000000000 --- a/schemas/logs/g_suite/reports.yml +++ /dev/null @@ -1,108 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: GSuite.Reports -parser: - native: - name: GSuite.Reports -description: Contains the activity events for a specific account and application such as the Admin console application or the Google Drive application. -referenceURL: https://developers.google.com/admin-sdk/reports/v1/reference/activities/list#response -version: 0 -fields: - - name: id - required: true - description: Unique identifier for each activity record. - type: object - fields: - - name: applicationName - description: Application name to which the event belongs. - type: string - - name: customerId - description: The unique identifier for a G suite account. - type: string - - name: time - description: Time of occurrence of the activity. - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: uniqueQualifier - description: Unique qualifier if multiple events have the same time. - type: string - - name: actor - description: User doing the action. - type: object - fields: - - name: email - description: The primary email address of the actor. May be absent if there is no email address associated with the actor. - type: string - indicators: - - email - - name: profileId - description: The unique G Suite profile ID of the actor. May be absent if the actor is not a G Suite user. - type: string - - name: callerType - description: The type of actor. - type: string - - name: key - description: Only present when callerType is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - type: string - - name: kind - required: true - description: The type of API resource. For an activity report, the value is reports#activities. - type: string - - name: ownerDomain - description: This is the domain that is affected by the report's event. For example domain of Admin console or the Drive application's document owner. - type: string - indicators: - - domain - - name: ipAddress - description: IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into G Suite which may or may not reflect the user's physical location. For example, the IP address can be the user's proxy server's address or a virtual private network (VPN) address. The API supports IPv4 and IPv6. - type: string - indicators: - - ip - - name: events - description: Activity events in the report. - type: array - element: - type: object - fields: - - name: type - description: Type of event. The G Suite service or feature that an administrator changes is identified in the type property which identifies an event using the eventName property. For a full list of the API's type categories, see the list of event names for various applications above in applicationName. - type: string - - name: name - description: Name of the event. This is the specific name of the activity reported by the API. And each eventName is related to a specific G Suite service or feature which the API organizes into types of events. - type: string - - name: parameters - description: Parameter value pairs for various applications. For more information about eventName parameters, see the list of event names for various applications above in applicationName. - type: array - element: - type: object - fields: - - name: name - description: The name of the parameter. - type: string - - name: value - description: String value of the parameter. - type: string - - name: intValue - description: Integer value of the parameter. - type: bigint - - name: boolValue - description: Boolean value of the parameter. - type: boolean - - name: multiValue - description: String values of the parameter. - type: array - element: - type: string - - name: multiIntValue - description: Integer values of the parameter. - type: array - element: - type: bigint - - name: messageValue - description: "Nested parameter value pairs associated with this parameter. Complex value type for a parameter are returned as a list of parameter values. For example, the address parameter may have a value as [{parameter: [{name: city, value: abc}]}]" - type: json - - name: multiMessageValue - description: List of messageValue objects. - type: array - element: - type: json diff --git a/schemas/logs/gcp/audit_log.yml b/schemas/logs/gcp/audit_log.yml deleted file mode 100644 index 9eba9f2ff..000000000 --- a/schemas/logs/gcp/audit_log.yml +++ /dev/null @@ -1,275 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: GCP.AuditLog -parser: - native: - name: GCP.AuditLog -description: | - Cloud Audit Logs maintains three audit logs for each Google Cloud project, folder, and organization: Admin Activity, Data Access, and System Event. - Google Cloud services write audit log entries to these logs to help you answer the questions of "who did what, where, and when?" within your Google Cloud resources. - - Panther Enterprise Only -referenceURL: https://cloud.google.com/logging/docs/audit -version: 0 -fields: - - name: logName - required: true - description: The resource name of the log to which this log entry belongs. - type: string - - name: severity - description: The severity of the log entry. The default value is LogSeverity.DEFAULT. - type: string - - name: insertId - description: A unique identifier for the log entry. - type: string - - name: resource - description: The monitored resource that produced this log entry. - type: object - fields: - - name: type - required: true - description: Type of resource that produced this log entry - type: string - - name: labels - required: true - description: Labels describing the resource - type: json - - name: timestamp - description: The time the event described by the log entry occurred. - type: timestamp - timeFormat: rfc3339 - - name: receiveTimestamp - required: true - description: The time the log entry was received by Logging. - type: timestamp - timeFormat: rfc3339 - - name: labels - description: A set of user-defined (key, value) data that provides additional information about the log entry. - type: json - - name: operation - description: Information about an operation associated with the log entry, if applicable. - type: object - fields: - - name: id - description: Whether or not an entity was served from cache (with or without validation). - type: string - - name: producer - description: An arbitrary producer identifier. The combination of id and producer must be globally unique. - type: string - - name: first - description: This is the first entry in an operation - type: boolean - - name: last - description: This is the last entry in an operation - type: boolean - - name: trace - description: Resource name of the trace associated with the log entry, if any. - type: string - - name: httpRequest - description: Information about the HTTP request associated with this log entry, if applicable. - type: object - fields: - - name: requestMethod - description: The request HTTP method. - type: string - - name: requestURL - description: The scheme (http, https), the host name, the path and the query portion of the URL that was requested. - type: string - - name: requestSize - description: The size of the HTTP request message in bytes, including the request headers and the request body. - type: bigint - - name: status - description: The response HTTP status code - type: smallint - - name: responseSize - description: The size of the HTTP response message sent back to the client, in bytes, including the response headers and the response body. - type: bigint - - name: userAgent - description: The user agent sent by the client. - type: string - - name: remoteIP - description: The IP address (IPv4 or IPv6) of the client that issued the HTTP request. - type: string - - name: serverIP - description: The IP address (IPv4 or IPv6) of the origin server that the request was sent to. - type: string - - name: referer - description: The referer URL of the request - type: string - - name: latency - description: The request processing latency in seconds on the server, from the time the request was received until the response was sent. - type: string - - name: cacheLookup - description: Whether or not a cache lookup was attempted. - type: boolean - - name: cacheHit - description: Whether or not an entity was served from cache (with or without validation). - type: boolean - - name: cacheValidatedWithOriginServer - description: Whether or not an entity was served from cache (with or without validation). - type: boolean - - name: cacheFillBytes - description: Whether or not an entity was served from cache (with or without validation). - type: bigint - - name: protocol - description: Protocol used for the request. - type: string - - name: spanId - description: The span ID within the trace associated with the log entry. - type: string - - name: traceSampled - description: The sampling decision of the trace associated with the log entry. - type: boolean - - name: sourceLocation - description: Source code location information associated with the log entry, if any. - type: object - fields: - - name: file - description: Source file name. Depending on the runtime environment, this might be a simple name or a fully-qualified name. - type: string - - name: line - description: Line within the source file. 1-based; 0 indicates no line number available. - type: bigint - - name: function - description: Human-readable name of the function or method being invoked, with optional context such as the class or package name. - type: string - - name: protoPayload - required: true - description: The AuditLog payload - type: object - fields: - - name: "@type" - required: true - description: The type of payload - type: string - - name: serviceName - description: The name of the API service performing the operation - type: string - - name: methodName - description: The name of the service method or operation. For API calls, this should be the name of the API method. - type: string - - name: resourceName - description: The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. - type: string - - name: numResponseItems - description: The number of items returned from a List or Query API method, if applicable. - type: bigint - - name: status - description: The status of the overall operation. - type: object - fields: - - name: code - description: The status code, which should be an enum value of google.rpc.Code. - type: int - - name: message - description: A developer-facing error message, which should be in English. - type: string - - name: details - description: A list of messages that carry the error details. There is a common set of message types for APIs to use. - type: json - - name: authenticationInfo - description: Authentication information. - type: object - fields: - - name: principalSubject - description: String representation of identity of requesting party. Populated for both first and third party identities. - type: string - - name: serviceAccountKeyName - description: The name of the service account key used to create or exchange credentials for authenticating the service account making the request. This is a scheme-less URI full resource name. - type: string - - name: principalEmail - description: The email address of the authenticated user making the request. - type: string - - name: authoritySelector - description: The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. - type: string - - name: thirdPartyPrincipal - description: The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property. - type: json - - name: serviceAccountDelegationInfo - description: Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities present, they are guaranteed to be sorted based on the original ordering of the identity delegation events. - type: array - element: - type: object - fields: - - name: firstPartyPrincipal - description: First party (Google) identity as the real authority. - type: object - fields: - - name: principalEmail - description: The email address of a Google account. - type: string - - name: serviceMetadata - description: Metadata about the service that uses the service account. - type: json - - name: thirdPartyPrincipal - description: Third party identity as the real authority. - type: object - fields: - - name: thirdPartyClaims - description: Metadata about third party identity. - type: json - - name: authorizationInfo - description: Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple. - type: array - element: - type: object - fields: - - name: resource - description: The resource being accessed, as a REST-style string. - type: string - - name: permission - description: The required IAM permission - type: string - - name: granted - description: Whether or not authorization for resource and permission was granted. - type: boolean - - name: resourceAttributes - description: Resource attributes used in IAM condition evaluation. This field contains resource attributes like resource type and resource name. To get the whole view of the attributes used in IAM condition evaluation, the user must also look into AuditLog.request_metadata.request_attributes. - type: object - fields: - - name: service - description: The name of the service that this resource belongs to, such as pubsub.googleapis.com. The service may be different from the DNS hostname that actually serves the request. - type: string - - name: name - description: The stable identifier (name) of a resource on the service. - type: string - - name: type - description: The type of the resource. The syntax is platform-specific because different platforms define their resources differently. - type: string - - name: labels - description: The labels or tags on the resource, such as AWS resource tags and Kubernetes resource labels. - type: string - - name: uid - description: The unique identifier of the resource. UID is unique in the time and space for this resource within the scope of the service. It is typically generated by the server on successful creation of a resource and must not be changed. UID is used to uniquely identify resources with resource name reuses. This should be a UUID4. - type: string - - name: requestMetadata - description: Metadata about the request - type: object - fields: - - name: callerIP - description: The IP address of the caller. - type: string - - name: callerSuppliedUserAgent - description: The user agent of the caller. This information is not authenticated and should be treated accordingly. - type: string - - name: callerNetwork - description: The network of the caller. Set only if the network host project is part of the same GCP organization (or project) as the accessed resource. - type: string - - name: requestAttributes - description: Request attributes used in IAM condition evaluation. This field contains request attributes like request time and access levels associated with the request. - type: json - - name: destinationAttributes - description: The destination of a network activity, such as accepting a TCP connection. - type: json - - name: request - description: The operation request. This may not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property. - type: json - - name: response - description: The operation response. This may not include all response parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property. - type: json - - name: serviceData - description: Other service-specific data about the request, response, and other activities. - type: json - - name: metadata - description: Other service-specific data about the request, response, and other information associated with the current audited event. - type: json diff --git a/schemas/logs/git_lab/api.yml b/schemas/logs/git_lab/api.yml deleted file mode 100644 index 5577b05b6..000000000 --- a/schemas/logs/git_lab/api.yml +++ /dev/null @@ -1,116 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: GitLab.API -parser: - native: - name: GitLab.API -description: |- - GitLab log for API requests received from GitLab. - NOTE: We are using the latest version of GitLab API logs. Some fields differ from the official documentation -referenceURL: https://docs.gitlab.com/ee/administration/logs.html#api_jsonlog -version: 0 -fields: - - name: time - required: true - description: The request timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: severity - required: true - description: The log level - type: string - - name: duration_s - required: true - description: The time spent serving the request (in seconds) - type: float - - name: db_duration_s - description: The time spent quering the database (in seconds) - type: float - - name: view_duration_s - description: The time spent rendering the view for the Rails controller (in seconds) - type: float - - name: status - required: true - description: The HTTP response status code - type: smallint - - name: method - required: true - description: The HTTP method of the request - type: string - - name: path - required: true - description: The URL path for the request - type: string - - name: params - description: The URL query parameters - type: array - element: - type: object - fields: - - name: key - required: true - description: Query parameter name - type: string - - name: value - description: Query parameter value - type: json - - name: host - required: true - description: Hostname serving the request - type: string - indicators: - - hostname - - name: ua - description: User-Agent HTTP header - type: string - - name: route - required: true - description: Rails route for the API endpoint - type: string - - name: remote_ip - description: The remote IP address of the HTTP request - type: string - indicators: - - ip - - name: user_id - description: The user id of the request - type: bigint - - name: username - description: The username of the request - type: string - indicators: - - username - - name: gitaly_calls - description: Total number of calls made to Gitaly - type: bigint - - name: gitaly_duration_s - description: Total time taken by Gitaly calls - type: float - - name: redis_calls - description: Total number of calls made to Redis - type: bigint - - name: redis_duration_s - description: Total time to retrieve data from Redis - type: float - - name: correlation_id - description: Request unique id across logs - type: string - indicators: - - trace_id - - name: queue_duration_s - description: Total time that the request was queued inside GitLab Workhorse - type: float - - name: meta.user - description: User that invoked the request - type: string - indicators: - - username - - name: meta.project - description: Project associated with the request - type: string - - name: meta.root_namespace - description: Root namespace - type: string - - name: meta.caller_id - description: Caller ID - type: string diff --git a/schemas/logs/git_lab/audit.yml b/schemas/logs/git_lab/audit.yml deleted file mode 100644 index e314fa3da..000000000 --- a/schemas/logs/git_lab/audit.yml +++ /dev/null @@ -1,59 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: GitLab.Audit -parser: - native: - name: GitLab.Audit -description: GitLab log file containing changes to group or project settings -referenceURL: https://docs.gitlab.com/ee/administration/logs.html#audit_jsonlog -version: 0 -fields: - - name: severity - required: true - description: The log level - type: string - - name: time - required: true - description: The event timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: author_id - required: true - description: User id that made the change - type: bigint - - name: entity_id - required: true - description: Id of the entity that was modified - type: bigint - - name: entity_type - required: true - description: Type of the modified entity - type: string - - name: change - required: true - description: Type of change to the settings - type: string - - name: from - required: true - description: Old setting value - type: string - - name: to - required: true - description: New setting value - type: string - - name: author_name - required: true - description: Name of the user that made the change - type: string - - name: target_id - required: true - description: Target id of the modified setting - type: bigint - - name: target_type - required: true - description: Target type of the modified setting - type: string - - name: target_details - required: true - description: Details of the target of the modified setting - type: string diff --git a/schemas/logs/git_lab/exceptions.yml b/schemas/logs/git_lab/exceptions.yml deleted file mode 100644 index ca3d3b23c..000000000 --- a/schemas/logs/git_lab/exceptions.yml +++ /dev/null @@ -1,73 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: GitLab.Exceptions -parser: - native: - name: GitLab.Exceptions -description: GitLab log file containing changes to group or project settings -referenceURL: https://docs.gitlab.com/ee/administration/logs.html#exceptions_jsonlog -version: 0 -fields: - - name: severity - required: true - description: The log level - type: string - - name: time - required: true - description: The event timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: correlation_id - description: Request unique id across logs - type: string - indicators: - - trace_id - - name: extra.server - description: Information about the server on which the exception occurred - type: object - fields: - - name: os - description: Server OS info - type: object - fields: - - name: name - description: OS name - type: string - - name: version - description: OS version - type: string - - name: build - description: OS build - type: string - - name: runtime - description: Runtime executing gitlab code - type: object - fields: - - name: name - description: Runtime name - type: string - - name: version - description: Runtime version - type: string - - name: extra.project_id - description: Project id where the exception occurred - type: bigint - - name: extra.relation_key - description: Relation on which the exception occurred - type: string - - name: extra.relation_index - description: Relation index on which the exception occurred - type: bigint - - name: exception.class - required: true - description: Class name of the exception that occurred - type: string - - name: exception.message - required: true - description: Message of the exception that occurred - type: string - - name: exception.backtrace - description: Stack trace of the exception that occurred - type: array - element: - type: string diff --git a/schemas/logs/git_lab/git.yml b/schemas/logs/git_lab/git.yml deleted file mode 100644 index 9a0b75a80..000000000 --- a/schemas/logs/git_lab/git.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: GitLab.Git -parser: - native: - name: GitLab.Git -description: GitLab log file containing all failed requests from GitLab to Git repositories. -referenceURL: https://docs.gitlab.com/ee/administration/logs.html#git_jsonlog -version: 0 -fields: - - name: severity - required: true - description: The log level - type: string - - name: time - required: true - description: The event timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: correlation_id - description: Unique id across logs - type: string - indicators: - - trace_id - - name: message - required: true - description: The error message from git - type: string diff --git a/schemas/logs/git_lab/integrations.yml b/schemas/logs/git_lab/integrations.yml deleted file mode 100644 index 149405b75..000000000 --- a/schemas/logs/git_lab/integrations.yml +++ /dev/null @@ -1,44 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: GitLab.Integrations -parser: - native: - name: GitLab.Integrations -description: GitLab log with information about integrations activities such as Jira, Asana, and Irker services. -referenceURL: https://docs.gitlab.com/ee/administration/logs.html#integrations_jsonlog -version: 0 -fields: - - name: severity - required: true - description: The log level - type: string - - name: time - required: true - description: The event timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: service_class - required: true - description: The class name of the integrated service - type: string - - name: project_id - required: true - description: The project id the integration was running on - type: bigint - - name: project_path - required: true - description: The project path the integration was running on - type: string - - name: message - required: true - description: The log message from the service - type: string - - name: client_url - required: true - description: The client url of the service - type: string - indicators: - - url - - name: error - description: The error name if an error has occurred - type: string diff --git a/schemas/logs/git_lab/production.yml b/schemas/logs/git_lab/production.yml deleted file mode 100644 index 90b889ed0..000000000 --- a/schemas/logs/git_lab/production.yml +++ /dev/null @@ -1,124 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: GitLab.Production -parser: - native: - name: GitLab.Production -description: GitLab log for Production controller requests received from GitLab -referenceURL: https://docs.gitlab.com/ee/administration/logs.html#production_jsonlog -version: 0 -fields: - - name: method - required: true - description: The HTTP method of the request - type: string - - name: path - required: true - description: The URL path for the request - type: string - - name: format - description: The response output format - type: string - - name: controller - description: The Production controller class name - type: string - - name: action - description: The Production controller action - type: string - - name: status - required: true - description: The HTTP response status code - type: bigint - - name: time - required: true - description: The request timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: params - description: The URL query parameters - type: array - element: - type: object - fields: - - name: key - required: true - description: Query parameter name - type: string - - name: value - description: Query parameter value - type: json - - name: remote_ip - description: The remote IP address of the HTTP request - type: string - indicators: - - ip - - name: user_id - description: The user id of the request - type: bigint - - name: username - description: The username of the request - type: string - indicators: - - username - - name: ua - description: The User-Agent of the requester - type: string - - name: queue_duration_s - description: Total time that the request was queued inside GitLab Workhorse - type: float - - name: gitaly_calls - description: Total number of calls made to Gitaly - type: bigint - - name: gitaly_duration_s - description: Total time taken by Gitaly calls - type: float - - name: redis_calls - description: Total number of calls made to Redis - type: bigint - - name: redis_duration_s - description: Total time to retrieve data from Redis - type: float - - name: redis_read_bytes - description: Total bytes read from Redis - type: bigint - - name: redis_write_bytes - description: Total bytes written to Redis - type: bigint - - name: correlation_id - description: Request unique id across logs - type: string - indicators: - - trace_id - - name: cpu_s - description: Total time spent on CPU - type: float - - name: db_duration_s - description: Total time to retrieve data from PostgreSQL - type: float - - name: view_duration_s - description: Total time taken inside the Rails views - type: float - - name: duration_s - required: true - description: Total time taken to retrieve the request - type: float - - name: meta.caller_id - description: Caller ID - type: string - - name: location - description: (Applies only to redirects) The redirect URL - type: string - - name: exception.class - description: Class name of the exception that occurred - type: string - - name: exception.message - description: Message of the exception that occurred - type: string - - name: exception.backtrace - description: Stack trace of the exception that occurred - type: array - element: - type: string - - name: etag_route - description: Route name etag (on redirects) - type: string diff --git a/schemas/logs/git_lab/tests/api_tests.yml b/schemas/logs/git_lab/tests/api_tests.yml deleted file mode 100644 index d56524255..000000000 --- a/schemas/logs/git_lab/tests/api_tests.yml +++ /dev/null @@ -1,65 +0,0 @@ ---- -name: TestGitLabAPI -logType: GitLab.API -input: | - { - "time":"2018-10-29T12:49:42.123Z", - "severity":"INFO", - "duration_s":709.08, - "db_duration_s":14.59, - "view_duration_s":694.49, - "status":200, - "method":"GET", - "path":"/api/v4/projects", - "params":[{"key":"action","value":"git-upload-pack"},{"key":"changes","value":"_any"},{"key":"key_id","value":"secret"},{"key":"secret_token","value":"[FILTERED]"}], - "host":"localhost", - "remote_ip":"::1", - "ua":"Ruby", - "route":"/api/:version/projects", - "user_id":1, - "username":"root", - "queue_duration_s":100.31, - "gitaly_calls":30, - "gitaly_duration_s":5.36, - "redis_calls": 10, - "redis_duration_s": 5.1, - "correlation_id": "895c51dc-96c8-4f18-8be4-65252b17a324", - "meta.user":"testuser", - "meta.project":"testuser/jumbotron", - "meta.root_namespace":"testnamespace", - "meta.caller_id":"/api/:version/internal/post_receive" - } -result: | - { - "time":"2018-10-29T12:49:42.123Z", - "severity":"INFO", - "duration_s":709.08, - "db_duration_s":14.59, - "view_duration_s":694.49, - "status":200, - "method":"GET", - "path":"/api/v4/projects", - "params":[{"key":"action","value":"git-upload-pack"},{"key":"changes","value":"_any"},{"key":"key_id","value":"secret"},{"key":"secret_token","value":"[FILTERED]"}], - "host":"localhost", - "remote_ip":"::1", - "ua":"Ruby", - "route":"/api/:version/projects", - "user_id":1, - "username":"root", - "queue_duration_s":100.31, - "gitaly_calls":30, - "gitaly_duration_s":5.36, - "redis_calls": 10, - "redis_duration_s": 5.1, - "correlation_id": "895c51dc-96c8-4f18-8be4-65252b17a324", - "meta.user":"testuser", - "meta.project":"testuser/jumbotron", - "meta.root_namespace":"testnamespace", - "meta.caller_id":"/api/:version/internal/post_receive", - "p_event_time": "2018-10-29T12:49:42.123Z", - "p_any_ip_addresses": ["::1"], - "p_any_trace_ids": ["895c51dc-96c8-4f18-8be4-65252b17a324"], - "p_any_usernames": ["root", "testuser"], - "p_any_domain_names": ["localhost"], - "p_log_type": "GitLab.API" - } diff --git a/schemas/logs/git_lab/tests/audit_tests.yml b/schemas/logs/git_lab/tests/audit_tests.yml deleted file mode 100644 index 33494d9d7..000000000 --- a/schemas/logs/git_lab/tests/audit_tests.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -name: TestGitLabAudit -logType: GitLab.Audit -input: | - { - "severity":"INFO", - "time":"2018-10-17T17:38:22.523Z", - "author_id":3, - "entity_id":2, - "entity_type":"Project", - "change":"visibility", - "from":"Private", - "to":"Public", - "author_name":"John Doe4", - "target_id":2, - "target_type":"Project", - "target_details":"namespace2/project2" - } -result: | - { - "severity":"INFO", - "time":"2018-10-17T17:38:22.523Z", - "author_id":3, - "entity_id":2, - "entity_type":"Project", - "change":"visibility", - "from":"Private", - "to":"Public", - "author_name":"John Doe4", - "target_id":2, - "target_type":"Project", - "target_details":"namespace2/project2", - "p_event_time": "2018-10-17T17:38:22.523Z", - "p_log_type": "GitLab.Audit" - } diff --git a/schemas/logs/git_lab/tests/git_tests.yml b/schemas/logs/git_lab/tests/git_tests.yml deleted file mode 100644 index 3a400bda1..000000000 --- a/schemas/logs/git_lab/tests/git_tests.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -name: TestGit -logType: GitLab.Git -input: | - { - "severity":"ERROR", - "time":"2019-07-19T22:16:12.528Z", - "correlation_id":"FeGxww5Hj64", - "message":"Command failed [1]: /usr/bin/git --git-dir=/Users/vsizov/gitlab-development-kit/gitlab/tmp/tests/gitlab-satellites/group184/gitlabhq/.git --work-tree=/Users/vsizov/gitlab-development-kit/gitlab/tmp/tests/gitlab-satellites/group184/gitlabhq merge --no-ff -mMerge branch 'feature_conflict' into 'feature' source/feature_conflict\n\nerror: failed to push some refs to '/Users/vsizov/gitlab-development-kit/repositories/gitlabhq/gitlab_git.git'" - } -result: | - { - "severity":"ERROR", - "time":"2019-07-19T22:16:12.528Z", - "correlation_id":"FeGxww5Hj64", - "message":"Command failed [1]: /usr/bin/git --git-dir=/Users/vsizov/gitlab-development-kit/gitlab/tmp/tests/gitlab-satellites/group184/gitlabhq/.git --work-tree=/Users/vsizov/gitlab-development-kit/gitlab/tmp/tests/gitlab-satellites/group184/gitlabhq merge --no-ff -mMerge branch 'feature_conflict' into 'feature' source/feature_conflict\n\nerror: failed to push some refs to '/Users/vsizov/gitlab-development-kit/repositories/gitlabhq/gitlab_git.git'", - "p_event_time": "2019-07-19T22:16:12.528Z", - "p_any_trace_ids": ["FeGxww5Hj64"], - "p_log_type": "GitLab.Git" - } diff --git a/schemas/logs/git_lab/tests/integrations_tests.yml b/schemas/logs/git_lab/tests/integrations_tests.yml deleted file mode 100644 index 796f136d1..000000000 --- a/schemas/logs/git_lab/tests/integrations_tests.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- -name: TestIntegrationsError -logType: GitLab.Integrations -input: | - { - "severity":"ERROR", - "time":"2018-09-06T14:56:20.439Z", - "service_class":"JiraService", - "project_id":8, - "project_path":"h5bp/html5-boilerplate", - "message":"Error sending message", - "client_url":"http://jira.gitlap.com:8080", - "error":"execution expired" - } -result: | - { - "severity":"ERROR", - "time":"2018-09-06T14:56:20.439Z", - "service_class":"JiraService", - "project_id":8, - "project_path":"h5bp/html5-boilerplate", - "message":"Error sending message", - "client_url":"http://jira.gitlap.com:8080", - "error":"execution expired", - "p_event_time": "2018-09-06T14:56:20.439Z", - "p_any_domain_names": ["jira.gitlap.com"], - "p_log_type": "GitLab.Integrations" - } ---- -name: TestIntegrations -logType: GitLab.Integrations -input: | - { - "severity":"INFO", - "time":"2018-09-06T17:15:16.365Z", - "service_class":"JiraService", - "project_id":3, - "project_path":"namespace2/project2", - "message":"Successfully posted", - "client_url":"http://jira.example.com" - } -result: | - { - "severity":"INFO", - "time":"2018-09-06T17:15:16.365Z", - "service_class":"JiraService", - "project_id":3, - "project_path":"namespace2/project2", - "message":"Successfully posted", - "client_url":"http://jira.example.com", - "p_event_time": "2018-09-06T17:15:16.365Z", - "p_any_domain_names": ["jira.example.com"], - "p_log_type": "GitLab.Integrations" - } diff --git a/schemas/logs/git_lab/tests/production_tests.yml b/schemas/logs/git_lab/tests/production_tests.yml deleted file mode 100644 index 7678c2cff..000000000 --- a/schemas/logs/git_lab/tests/production_tests.yml +++ /dev/null @@ -1,243 +0,0 @@ ---- -name: TestGitLabProduction -logType: GitLab.Production -input: | - { - "method":"GET", - "path":"/gitlab/gitlab-foss/issues/1234", - "format":"html", - "controller":"Projects::IssuesController", - "action":"show", - "status":200, - "time":"2017-08-08T20:15:54.821Z", - "params":[{"key":"param_key","value":"param_value"}], - "remote_ip":"18.245.0.1", - "user_id":1, - "username":"admin", - "queue_duration_s":0.0, - "gitaly_calls":16, - "gitaly_duration_s":0.16, - "redis_calls":115, - "redis_duration_s":0.13, - "redis_read_bytes":1507378, - "redis_write_bytes":2920, - "correlation_id":"O1SdybnnIq7", - "cpu_s":17.50, - "db_duration_s":0.08, - "view_duration_s":2.39, - "duration_s":20.54 - } -result: | - { - "method":"GET", - "path":"/gitlab/gitlab-foss/issues/1234", - "format":"html", - "controller":"Projects::IssuesController", - "action":"show", - "status":200, - "time":"2017-08-08T20:15:54.821Z", - "params":[{"key":"param_key","value":"param_value"}], - "remote_ip":"18.245.0.1", - "user_id":1, - "username":"admin", - "queue_duration_s":0.0, - "gitaly_calls":16, - "gitaly_duration_s":0.16, - "redis_calls":115, - "redis_duration_s":0.13, - "redis_read_bytes":1507378, - "redis_write_bytes":2920, - "correlation_id":"O1SdybnnIq7", - "cpu_s":17.50, - "db_duration_s":0.08, - "view_duration_s":2.39, - "duration_s":20.54, - "p_event_time": "2017-08-08T20:15:54.821Z", - "p_any_ip_addresses": ["18.245.0.1"], - "p_any_trace_ids": ["O1SdybnnIq7"], - "p_any_usernames": ["admin"], - "p_log_type": "GitLab.Production" - } ---- -name: TestGitLabProductionException -logType: GitLab.Production -input: | - { - "method": "GET", - "path": "/admin", - "format": "html", - "controller": "Admin::DashboardController", - "action": "index", - "status": 500, - "time": "2019-11-14T13:12:46.156Z", - "params": [], - "remote_ip": "127.0.0.1", - "user_id": 1, - "username": "root", - "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0", - "queue_duration": 274.35, - "correlation_id": "KjDVUhNvvV3", - "queue_duration_s":0.0, - "gitaly_calls":16, - "gitaly_duration_s":0.16, - "redis_calls":115, - "redis_duration_s":0.13, - "cpu_s":17.50, - "db_duration_s":0.08, - "view_duration_s":2.39, - "duration_s":20.54, - "exception.class": "NameError", - "exception.message": "undefined local variable or method for #", - "exception.backtrace": [ - "ee/lib/gitlab/jira/middleware.rb:19:in call"] - } -result: | - { - "method": "GET", - "path": "/admin", - "format": "html", - "controller": "Admin::DashboardController", - "action": "index", - "status": 500, - "time": "2019-11-14T13:12:46.156Z", - "remote_ip": "127.0.0.1", - "user_id": 1, - "username": "root", - "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0", - "correlation_id": "KjDVUhNvvV3", - "queue_duration_s":0.0, - "gitaly_calls":16, - "gitaly_duration_s":0.16, - "redis_calls":115, - "redis_duration_s":0.13, - "cpu_s":17.50, - "db_duration_s":0.08, - "view_duration_s":2.39, - "duration_s":20.54, - "exception.class": "NameError", - "exception.message": "undefined local variable or method for #", - "exception.backtrace": ["ee/lib/gitlab/jira/middleware.rb:19:in call"], - "p_event_time": "2019-11-14T13:12:46.156Z", - "p_any_ip_addresses": ["127.0.0.1"], - "p_any_trace_ids": ["KjDVUhNvvV3"], - "p_any_usernames": ["root"], - "p_log_type": "GitLab.Production" - } ---- -name: TestGitLabProductionRedirect -logType: GitLab.Production -input: | - { - "method":"GET", - "path":"/index.php", - "format":null, - "controller":"ApplicationController", - "action":"route_not_found", - "status":302, - "location":"http://34.222.254.254/users/sign_in", - "time":"2020-07-05T19:35:32.337Z", - "params":[{"key":"vars","value":{"0":"md5","1":["HelloThinkPHP"]}}], - "remote_ip":"195.54.254.254", - "user_id":null, - "username":null, - "ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", - "queue_duration_s":0.007208, - "correlation_id":"DScuWzVUYA5", - "meta.caller_id":"ApplicationController#route_not_found", - "redis_calls":1, - "redis_duration_s":0.000292, - "cpu_s":0.02, - "db_duration_s":0.0, - "view_duration_s":0.0, - "duration_s":0.00341, - "tag":"test" - } -result: | - { - "method":"GET", - "path":"/index.php", - "controller":"ApplicationController", - "action":"route_not_found", - "status":302, - "location":"http://34.222.254.254/users/sign_in", - "time":"2020-07-05T19:35:32.337Z", - "params":[{"key":"vars","value":{"0":"md5","1":["HelloThinkPHP"]}}], - "remote_ip":"195.54.254.254", - "ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", - "queue_duration_s":0.007208, - "correlation_id":"DScuWzVUYA5", - "meta.caller_id":"ApplicationController#route_not_found", - "redis_calls":1, - "redis_duration_s":0.000292, - "cpu_s":0.02, - "db_duration_s":0.0, - "view_duration_s":0.0, - "duration_s":0.00341, - "p_event_time": "2020-07-05T19:35:32.337Z", - "p_any_ip_addresses": ["195.54.254.254"], - "p_any_trace_ids": ["DScuWzVUYA5"], - "p_log_type": "GitLab.Production" - } ---- -name: TestProductionRedirect304 -logType: GitLab.Production -input: | - { - "method": "GET", - "path": "/super-secret-confidential-space-plans/space-marines/pipelines.json", - "format": "json", - "controller": null, - "action": null, - "status": 304, - "params": [ - { - "key": "scope", - "value": "all" - }, - { - "key": "page", - "value": "1" - } - ], - "remote_ip": null, - "user_id": null, - "username": null, - "ua": null, - "queue_duration_s": null, - "redis_calls": 1, - "redis_duration_s": 0.000105, - "etag_route": "project_pipelines", - "correlation_id": null, - "cpu_s": 0.0, - "db_duration_s": 0.0, - "view_duration_s": 0.0, - "duration_s": 9.0e-05, - "time": "2019-11-14T13:12:46.156Z" - } -result: | - { - "method": "GET", - "path": "/super-secret-confidential-space-plans/space-marines/pipelines.json", - "format": "json", - "status": 304, - "params": [ - { - "key": "scope", - "value": "all" - }, - { - "key": "page", - "value": "1" - } - ], - "redis_calls": 1, - "redis_duration_s": 0.000105, - "etag_route": "project_pipelines", - "cpu_s": 0.0, - "db_duration_s": 0.0, - "view_duration_s": 0.0, - "duration_s": 9.0e-05, - "time": "2019-11-14T13:12:46.156Z", - "p_event_time": "2019-11-14T13:12:46.156Z", - "p_log_type": "GitLab.Production" - } diff --git a/schemas/logs/gravitational/teleport_audit.yml b/schemas/logs/gravitational/teleport_audit.yml deleted file mode 100644 index bc2337f81..000000000 --- a/schemas/logs/gravitational/teleport_audit.yml +++ /dev/null @@ -1,179 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Gravitational.TeleportAudit -parser: - native: - name: Gravitational.TeleportAudit -description: Teleport logs events like successful user logins along with the metadata like remote IP address, time and the session ID. -referenceURL: https://gravitational.com/teleport/docs/admin-guide/#audit-log -version: 0 -fields: - - name: event - required: true - description: Event type - type: string - - name: code - required: true - description: Event code - type: string - - name: time - required: true - description: Event timestamp - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: uid - required: true - description: Event unique id - type: string - - name: user - description: Teleport user name (event type is 'user.login') - type: string - - name: namespace - description: Server namespace. This field is reserved for future use. - type: string - - name: server_id - description: Unique server ID. - type: string - - name: sid - description: Session ID. Can be used to replay the session. - type: string - indicators: - - trace_id - - name: ei - description: Event numeric id - type: int - - name: login - description: OS login - type: string - - name: addr.local - description: Address of the SSH node - type: string - indicators: - - net_addr - - name: addr.remote - description: Address of the connecting client (user) - type: string - indicators: - - net_addr - - name: size - description: Size of terminal - type: string - - name: success - description: Authentication success (if event type is 'auth') - type: boolean - - name: error - description: Authentication error (event type is 'auth') - type: string - - name: command - description: Command that was executed (event type is 'exec') - type: string - - name: exitCode - description: Exit code of the command (event type is 'exec') - type: int - - name: exitError - description: Exit error of the command (event type is 'exec') - type: string - - name: pid - description: Process id of command - type: bigint - - name: ppid - description: Process id of the parent process - type: bigint - - name: cgroup_id - description: Control group id - type: bigint - - name: return_code - description: Return code of the command - type: int - - name: program - description: Name of the command - type: string - - name: argv - description: Arguments passed to command - type: array - element: - type: string - - name: path - description: Executable path or SCP action target file path (scp, session.command) - type: string - - name: len - description: SCP target file size (scp) - type: bigint - - name: action - description: SCP action (scp) - type: string - - name: method - description: Login method used (user.login) - type: string - - name: attributes - description: User login attributes (user.login) - type: json - - name: roles - description: Roles for the new user (user.create) - type: array - element: - type: string - - name: connector - description: Connector that created the user (user.create) - type: string - - name: expires - description: Expiration date - type: timestamp - timeFormat: rfc3339 - - name: name - description: Name of user or service (github.created, user.create, user.update) - type: string - - name: tx - description: Number of bytes sent - type: bigint - - name: rx - description: Number of bytes received - type: bigint - - name: server_labels - description: Server labels - type: json - - name: server_hostname - description: Server hostname - type: string - indicators: - - hostname - - name: server_addr - description: Server hostname - type: string - indicators: - - net_addr - - name: session_start - description: Timestamp of session start - type: timestamp - timeFormat: rfc3339 - - name: session_stop - description: Timestamp of session end - type: timestamp - timeFormat: rfc3339 - - name: interactive - description: Whether the session was interactive - type: boolean - - name: enhanced_recording - description: Whether enhanced recording is enabled - type: boolean - - name: participants - description: Users that participated in the session - type: array - element: - type: string - - name: dst_addr - description: Destination IP address - type: string - indicators: - - ip - - name: src_addr - description: Source IP address - type: string - indicators: - - ip - - name: dst_port - description: Destination port - type: int - - name: version - description: Event version - type: int diff --git a/schemas/logs/gravitational/tests/teleport_audit_tests.yml b/schemas/logs/gravitational/tests/teleport_audit_tests.yml deleted file mode 100644 index 02bfbf2ef..000000000 --- a/schemas/logs/gravitational/tests/teleport_audit_tests.yml +++ /dev/null @@ -1,381 +0,0 @@ ---- -name: session.start -logType: Gravitational.TeleportAudit -input: | - { - "addr.local": "127.0.0.1:3022", - "addr.remote": "1.1.1.1:63558", - "code": "T2000I", - "ei": 0, - "event": "session.start", - "login": "root", - "namespace": "default", - "server_hostname": "ip-172-31-14-137.us-west-2.compute.internal", - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "server_labels": { - "arch": "x86_64", - "env": "demo", - "hostname": "ip-172-31-14-137.us-west-2.compute.internal", - "role": "test-cluster" - }, - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "size": "80:25", - "time": "2020-08-07T07:52:09.821Z", - "uid": "34bb01d5-8cef-4925-875a-783b2dbee3b6", - "user": "kostaspap" - } -result: | - { - "addr.local": "127.0.0.1:3022", - "addr.remote": "1.1.1.1:63558", - "code": "T2000I", - "ei": 0, - "event": "session.start", - "login": "root", - "namespace": "default", - "server_hostname": "ip-172-31-14-137.us-west-2.compute.internal", - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "server_labels": { - "arch": "x86_64", - "env": "demo", - "hostname": "ip-172-31-14-137.us-west-2.compute.internal", - "role": "test-cluster" - }, - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "size": "80:25", - "time": "2020-08-07T07:52:09.821Z", - "uid": "34bb01d5-8cef-4925-875a-783b2dbee3b6", - "user": "kostaspap", - "p_event_time": "2020-08-07T07:52:09.821Z", - "p_any_ip_addresses": ["1.1.1.1","127.0.0.1"], - "p_any_domain_names": ["ip-172-31-14-137.us-west-2.compute.internal"], - "p_any_trace_ids": ["e527ab2a-d882-11ea-9f82-0a588c28e4c2"], - "p_log_type": "{{.LogType}}" - } ---- -name: session.end -logType: Gravitational.TeleportAudit -input: | - { - "code": "T2004I", - "ei": 22, - "enhanced_recording": true, - "event": "session.end", - "interactive": true, - "namespace": "default", - "participants": [ - "kostaspap" - ], - "server_addr": "[::]:3022", - "server_hostname": "ip-172-31-14-137.us-west-2.compute.internal", - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "session_start": "2020-08-07T07:52:09.817638134Z", - "session_stop": "2020-08-07T07:52:44.607207415Z", - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "time": "2020-08-07T07:52:44.607Z", - "uid": "2e3b58c6-e135-4ca4-b79b-ee7acdafa8ab", - "user": "kostaspap" - } -result: | - { - "code": "T2004I", - "ei": 22, - "enhanced_recording": true, - "event": "session.end", - "interactive": true, - "namespace": "default", - "participants": [ - "kostaspap" - ], - "server_addr": "[::]:3022", - "server_hostname": "ip-172-31-14-137.us-west-2.compute.internal", - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "session_start": "2020-08-07T07:52:09.817638134Z", - "session_stop": "2020-08-07T07:52:44.607207415Z", - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "time": "2020-08-07T07:52:44.607Z", - "uid": "2e3b58c6-e135-4ca4-b79b-ee7acdafa8ab", - "user": "kostaspap", - "p_event_time": "2020-08-07T07:52:44.607Z", - "p_any_ip_addresses": ["::"], - "p_any_domain_names": ["ip-172-31-14-137.us-west-2.compute.internal"], - "p_any_trace_ids": ["e527ab2a-d882-11ea-9f82-0a588c28e4c2"], - "p_log_type": "{{.LogType}}" - } ---- -name: session.data -logType: Gravitational.TeleportAudit -input: | - { - "addr.local": "127.0.0.1:3022", - "addr.remote": "1.1.1.1:63558", - "code": "T2006I", - "ei": 2147483646, - "event": "session.data", - "login": "root", - "rx": 5286, - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "time": "2020-08-07T07:52:25Z", - "tx": 5848, - "uid": "9f2bc778-e87e-4536-9c3f-0d4a57955fd0", - "user": "kostaspap" - } -result: | - { - "addr.local": "127.0.0.1:3022", - "addr.remote": "1.1.1.1:63558", - "code": "T2006I", - "ei": 2147483646, - "event": "session.data", - "login": "root", - "rx": 5286, - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "time": "2020-08-07T07:52:25Z", - "tx": 5848, - "uid": "9f2bc778-e87e-4536-9c3f-0d4a57955fd0", - "user": "kostaspap", - "p_event_time": "2020-08-07T07:52:25Z", - "p_any_ip_addresses": ["1.1.1.1","127.0.0.1"], - "p_any_trace_ids": ["e527ab2a-d882-11ea-9f82-0a588c28e4c2"], - "p_log_type": "{{.LogType}}" - } ---- -name: session.network -logType: Gravitational.TeleportAudit -input: | - { - "cgroup_id": 4294967372, - "code": "T4002I", - "dst_addr": "1.1.1.1", - "dst_port": 80, - "ei": 0, - "event": "session.network", - "login": "ec2-user", - "namespace": "default", - "pid": 10028, - "program": "yum", - "server_id": "e073ecab-6091-45da-83e4-80196e7bc659", - "sid": "7e2f235d-d18c-4e77-a4c8-6e07d3cd10f1", - "src_addr": "2.1.1.1", - "time": "2020-08-11T23:29:16.101Z", - "uid": "954083eb-c997-4185-ba44-48801033857b", - "user": "jack", - "version": 4 - } -result: | - { - "cgroup_id": 4294967372, - "code": "T4002I", - "dst_addr": "1.1.1.1", - "dst_port": 80, - "ei": 0, - "event": "session.network", - "login": "ec2-user", - "namespace": "default", - "pid": 10028, - "program": "yum", - "server_id": "e073ecab-6091-45da-83e4-80196e7bc659", - "sid": "7e2f235d-d18c-4e77-a4c8-6e07d3cd10f1", - "src_addr": "2.1.1.1", - "time": "2020-08-11T23:29:16.101Z", - "uid": "954083eb-c997-4185-ba44-48801033857b", - "user": "jack", - "version": 4, - "p_event_time": "2020-08-11T23:29:16.101Z", - "p_any_trace_ids": ["7e2f235d-d18c-4e77-a4c8-6e07d3cd10f1"], - "p_any_ip_addresses": ["1.1.1.1","2.1.1.1"], - "p_log_type": "{{.LogType}}" - } ---- -name: session.command -logType: Gravitational.TeleportAudit -input: | - { - "argv": [ - "-u" - ], - "cgroup_id": 4294967537, - "code": "T4000I", - "ei": 11, - "event": "session.command", - "login": "root", - "namespace": "default", - "path": "/usr/bin/id", - "pid": 11371, - "ppid": 11370, - "program": "id", - "return_code": 0, - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "time": "2020-08-07T07:52:09.932Z", - "uid": "d5f13a69-539b-4978-b6d3-e73cf72f1024", - "user": "kostaspap" - } -result: | - { - "argv": [ - "-u" - ], - "cgroup_id": 4294967537, - "code": "T4000I", - "ei": 11, - "event": "session.command", - "login": "root", - "namespace": "default", - "path": "/usr/bin/id", - "pid": 11371, - "ppid": 11370, - "program": "id", - "return_code": 0, - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "time": "2020-08-07T07:52:09.932Z", - "uid": "d5f13a69-539b-4978-b6d3-e73cf72f1024", - "user": "kostaspap", - "p_event_time": "2020-08-07T07:52:09.932Z", - "p_any_trace_ids": ["e527ab2a-d882-11ea-9f82-0a588c28e4c2"], - "p_log_type": "{{.LogType}}" - } ---- -name: user.create -logType: Gravitational.TeleportAudit -input: | - { - "code": "T1002I", - "connector": "github", - "event": "user.create", - "expires": "2020-08-08T13:39:41.895085658Z", - "name": "kostaspap", - "roles": [ "admin" ], - "time": "2020-08-07T07:39:42Z", - "uid": "14551101-4d8e-4f35-b40b-a1b1ead65d43", - "user": "system" - } -result: | - { - "code": "T1002I", - "connector": "github", - "event": "user.create", - "expires": "2020-08-08T13:39:41.895085658Z", - "name": "kostaspap", - "roles": [ "admin" ], - "time": "2020-08-07T07:39:42Z", - "uid": "14551101-4d8e-4f35-b40b-a1b1ead65d43", - "user": "system", - "p_event_time": "2020-08-07T07:39:42Z", - "p_log_type": "{{.LogType}}" - } ---- -name: user.login -logType: Gravitational.TeleportAudit -input: | - { - "code": "T1001W", - "error": "list of user teams is empty, did you grant access?", - "event": "user.login", - "method": "github", - "success": false, - "time": "2020-08-06T20:43:13Z", - "uid": "8750c3dd-8fcb-4f1e-8cc4-634473d1e8bc" - } -result: | - { - "code": "T1001W", - "error": "list of user teams is empty, did you grant access?", - "event": "user.login", - "method": "github", - "success": false, - "time": "2020-08-06T20:43:13Z", - "uid": "8750c3dd-8fcb-4f1e-8cc4-634473d1e8bc", - "p_event_time": "2020-08-06T20:43:13Z", - "p_log_type": "{{.LogType}}" - } ---- -name: github.created -logType: Gravitational.TeleportAudit -input: | - { - "code": "T8000I", - "event": "github.created", - "name": "github", - "time": "2020-08-06T20:34:17Z", - "uid": "0212fa21-4011-4831-8934-a29653b78bb0", - "user": "411b9b66-b686-471a-b2c6-f6dc6c745f93.aws" - } -result: | - { - "code": "T8000I", - "event": "github.created", - "name": "github", - "time": "2020-08-06T20:34:17Z", - "uid": "0212fa21-4011-4831-8934-a29653b78bb0", - "user": "411b9b66-b686-471a-b2c6-f6dc6c745f93.aws", - "p_event_time": "2020-08-06T20:34:17Z", - "p_log_type": "{{.LogType}}" - } ---- -name: session.leave -logType: Gravitational.TeleportAudit -input: | - { - "code": "T2003I", - "ei": 34, - "event": "session.leave", - "namespace": "default", - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "sid": "49aa4466-d824-11ea-a94f-0a588c28e4c2", - "time": "2020-08-06T20:41:24.042Z", - "uid": "9d13e8a3-b8ed-4749-b09f-f1c96edb822d", - "user": "benarent" - } -result: | - { - "code": "T2003I", - "ei": 34, - "event": "session.leave", - "namespace": "default", - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "sid": "49aa4466-d824-11ea-a94f-0a588c28e4c2", - "time": "2020-08-06T20:41:24.042Z", - "uid": "9d13e8a3-b8ed-4749-b09f-f1c96edb822d", - "user": "benarent", - "p_event_time": "2020-08-06T20:41:24.042Z", - "p_any_trace_ids": ["49aa4466-d824-11ea-a94f-0a588c28e4c2"], - "p_log_type": "{{.LogType}}" - } ---- -name: resize -logType: Gravitational.TeleportAudit -input: | - { - "code": "T2002I", - "ei": 1, - "event": "resize", - "login": "root", - "namespace": "default", - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "size": "197:55", - "time": "2020-08-07T07:52:09.839Z", - "uid": "cce1ada6-34cf-40e7-b527-eb2bf7f14e0c", - "user": "kostaspap" - } -result: | - { - "code": "T2002I", - "ei": 1, - "event": "resize", - "login": "root", - "namespace": "default", - "server_id": "411b9b66-b686-471a-b2c6-f6dc6c745f93", - "sid": "e527ab2a-d882-11ea-9f82-0a588c28e4c2", - "size": "197:55", - "time": "2020-08-07T07:52:09.839Z", - "uid": "cce1ada6-34cf-40e7-b527-eb2bf7f14e0c", - "user": "kostaspap", - "p_event_time": "2020-08-07T07:52:09.839Z", - "p_any_trace_ids": ["e527ab2a-d882-11ea-9f82-0a588c28e4c2"], - "p_log_type": "{{.LogType}}" - } diff --git a/schemas/logs/juniper/access.yml b/schemas/logs/juniper/access.yml deleted file mode 100644 index b632c3d7f..000000000 --- a/schemas/logs/juniper/access.yml +++ /dev/null @@ -1,37 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Juniper.Access -parser: - native: - name: Juniper.Access -description: Juniper.Access logs for all traffic coming to and from the box. -referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-access-log.html -version: 0 -fields: - - name: timestamp - description: Log entry timestamp - type: timestamp - timeFormat: rfc3339 - - name: hostname - description: The hostname of the appliance - type: string - - name: log_level - description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR. - type: string - - name: thread - description: The specific thread that is handling the request or response. - type: string - - name: unique_request_key - description: This is a key used to uniquely identify requests. - type: string - - name: type - description: Whether the HTTP packet is a client request, or a server response (REQUEST,RESPONSE). - type: string - - name: stage - description: Whether the HTTP packet is being logged before or after Security Engine processes it (and potentially manipulates it). - type: string - - name: proxy_client_ip - description: The incoming client IP. Since WebApp Secure works around a Nginx proxy, the client IP will most-likely be '127.0.0.1'. - type: string - - name: url - description: The full request or response URL. - type: string diff --git a/schemas/logs/juniper/audit.yml b/schemas/logs/juniper/audit.yml deleted file mode 100644 index 6c05f5ee5..000000000 --- a/schemas/logs/juniper/audit.yml +++ /dev/null @@ -1,31 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Juniper.Audit -parser: - native: - name: Juniper.Audit -description: Juniper.Audit The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure. -referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.html -version: 0 -fields: - - name: timestamp - description: Log entry timestamp - type: timestamp - timeFormat: rfc3339 - - name: hostname - description: The hostname of the appliance - type: string - - name: log_level - description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR. - type: string - - name: message - description: The message. Can indicate any of the previously mentioned actions. - type: string - - name: api_key - description: The key used to perform the action described in the message. - type: string - - name: login_ip - description: The IP address the user performed logged in from - type: string - - name: username - description: The user that performed the login - type: string diff --git a/schemas/logs/juniper/firewall.yml b/schemas/logs/juniper/firewall.yml deleted file mode 100644 index fc4afa52d..000000000 --- a/schemas/logs/juniper/firewall.yml +++ /dev/null @@ -1,71 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Juniper.Firewall -parser: - native: - name: Juniper.Firewall -description: Juniper.Firewall stores information about dropped packets from the iptables firewall. -referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.html -version: 0 -fields: - - name: timestamp - required: true - description: Log timestamp - type: timestamp - timeFormat: rfc3339 - - name: hostname - description: Hostname - type: string - - name: event - description: Event name - type: string - - name: DST - description: Destination IP address - type: string - - name: DPT - description: Destination port - type: int - - name: SRC - description: Source IP address - type: string - - name: SPT - description: Source port - type: int - - name: TTL - description: IP TTL in milliseconds - type: bigint - - name: ID - description: Packet id - type: bigint - - name: MAC - description: MAC address - type: string - - name: LEN - description: Packet length - type: int - - name: TOS - description: Packet Type of Service field - type: string - - name: PREC - description: Packet precedence bits - type: string - - name: RST - description: Packet is RST - type: boolean - - name: SYN - description: Packet is SYN - type: boolean - - name: DF - description: Packet has do not fragment flag - type: boolean - - name: IN - description: Input interface - type: string - - name: OUT - description: Output interface - type: string - - name: PROTO - description: Protocol - type: string - - name: WINDOW - description: Transmit window - type: int diff --git a/schemas/logs/juniper/mws.yml b/schemas/logs/juniper/mws.yml deleted file mode 100644 index 1a355a819..000000000 --- a/schemas/logs/juniper/mws.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Juniper.MWS -parser: - native: - name: Juniper.MWS -description: Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log. -referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-mws-log.html -version: 0 -fields: - - name: timestamp - description: The date of the log entry, in UTC. - type: timestamp - timeFormat: rfc3339 - - name: hostname - description: The appliance hostname. - type: string - - name: log_level - description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR. - type: string - - name: service_name - description: The WebApp Secure service that generated the log entry. - type: string - - name: service_component - description: The specific component that is issuing the log message. - type: string - - name: log_message - description: The message. This can be anything, but usually contains information to help you narrow down problems or confirm certain events have occurred as they should. - type: string diff --git a/schemas/logs/juniper/postgres.yml b/schemas/logs/juniper/postgres.yml deleted file mode 100644 index badd25e50..000000000 --- a/schemas/logs/juniper/postgres.yml +++ /dev/null @@ -1,37 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Juniper.Postgres -parser: - native: - name: Juniper.Postgres -description: Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations. -referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-postgres-log.html -version: 0 -fields: - - name: timestamp - description: Log entry timestamp - type: timestamp - timeFormat: rfc3339 - - name: hostname - description: The hostname of the appliance - type: string - - name: pid - description: The process ID of the postgres instance. - type: int - - name: group_id_major - description: Group id major number - type: int - - name: group_id_minor - description: Group id minor number - type: int - - name: sql_error_code - description: The SQL error code. - type: string - - name: session_id - description: A somewhat unique session identifier that can be used to search for specific lines in the log. - type: string - - name: message_type - description: The type of the message. Can be LOG, WARNING, ERROR, or STATEMENT. - type: string - - name: message - description: The message. - type: string diff --git a/schemas/logs/juniper/security.yml b/schemas/logs/juniper/security.yml deleted file mode 100644 index 6ee2dcc93..000000000 --- a/schemas/logs/juniper/security.yml +++ /dev/null @@ -1,82 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Juniper.Security -parser: - native: - name: Juniper.Security -description: |- - Juniper.Security Webapp Secure is configured to log security incidents to mws-security.log. - All security alerts should be sent to security.log (previously named security-alert.log). - There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses. -referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-log-format.html -version: 0 -fields: - - name: timestamp - description: Log entry timestamp - type: timestamp - timeFormat: rfc3339 - - name: hostname - description: The hostname of the appliance - type: string - - name: log_level - description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR. - type: string - - name: service - description: The WebApp Secure service that triggered the security log entry. - type: string - - name: category - description: Log entry category - type: string - - name: profile_id - description: The numerical ID assigned to the Profile that caused the security alert, or the profile ID that received a Response. - type: string - - name: profile_name - description: The friendly name assigned to the Profile that caused the security alert, or the Profile that received a Response. - type: string - - name: pubkey - description: The Public ID that can be used in conjunction with the Support_Processor to unblock Profiles. - type: string - - name: incident - description: The name of the incident that triggered this security alert. - type: string - - name: severity - description: The numerical severity of the incident that triggered this security alert. This can be a number from 0 to 4, inclusive. - type: smallint - - name: source_ip - description: The IP the request that generated this alert originated from. - type: string - - name: user_agent - description: The client's user agent string that generated this alert. - type: string - - name: url - description: The request URL that generated this alert. - type: string - - name: count - description: The number of times the profile triggered this incident. This is used for certain incidents to decide whether or not to elevate the profile or increase the responses on the profile. - type: int - - name: fake_response - description: Whether or not (true or false) the response sent back to the client was a fake one created by WebApp Secure. - type: boolean - - name: response_code - description: The numerical code for the response issued. - type: string - - name: response_name - description: The friendly name for the response issued on the profile indicated in the alert. - type: string - - name: created_date - description: The date and time the response was created. - type: timestamp - timeFormat: rfc3339 - - name: delay_date - description: The date and time the response is set to be delayed until. - type: timestamp - timeFormat: rfc3339 - - name: expiration_date - description: The date and time the response is set to expire. - type: timestamp - timeFormat: rfc3339 - - name: response_config - description: The configuration used in this response. Displayed as an XML-like node. - type: string - - name: silent_running - description: Whether or not this Counter Response was set to be silent with the Silent Running service at the time of activation. - type: boolean diff --git a/schemas/logs/lacework/alert_details.yml b/schemas/logs/lacework/alert_details.yml deleted file mode 100644 index 8425671e5..000000000 --- a/schemas/logs/lacework/alert_details.yml +++ /dev/null @@ -1,116 +0,0 @@ -schema: Lacework.AlertDetails -description: Lacework.AlertDetails represents the content of an exported Lacework Alert Details -referenceURL: https://www.lacework.com/platform-overview/ -version: 0 -fields: - - name: END_TIME - required: true - type: timestamp - timeFormat: "%a, %d %b %Y %H:%M:%S %z" - isEventTime: true - - name: ENTITY_MAP - required: true - type: object - fields: - - name: NewViolation - required: true - type: array - element: - type: object - fields: - - name: KEY - required: true - type: object - fields: - - name: reason - required: true - type: string - - name: reason_id - required: true - type: string - - name: rec_id - required: true - type: string - - name: resource - required: true - type: string - indicators: - - aws_arn - - name: PROPS - required: true - type: json - - name: RecId - required: true - type: array - element: - type: object - fields: - - name: KEY - required: true - type: object - fields: - - name: eval_guid - required: true - type: string - - name: rec_id - required: true - type: string - - name: PROPS - required: true - type: json - - name: Resource - required: true - type: array - element: - type: object - fields: - - name: KEY - required: true - type: object - fields: - - name: name - required: true - type: string - - name: value - required: true - type: string - indicators: - - aws_arn - - name: ViolationReason - required: true - type: array - element: - type: object - fields: - - name: KEY - required: true - type: object - fields: - - name: reason - required: true - type: string - - name: reason_id - required: true - type: string - - name: rec_id - required: true - type: string - - name: PROPS - required: true - type: json - - name: EVENT_ACTOR - required: true - type: string - - name: EVENT_ID - required: true - type: bigint - - name: EVENT_MODEL - required: true - type: string - - name: EVENT_TYPE - required: true - type: string - - name: START_TIME - required: true - type: timestamp - timeFormat: "%a, %d %b %Y %H:%M:%S %z" diff --git a/schemas/logs/lacework/cloud_compliance.yml b/schemas/logs/lacework/cloud_compliance.yml deleted file mode 100644 index 648442fb1..000000000 --- a/schemas/logs/lacework/cloud_compliance.yml +++ /dev/null @@ -1,40 +0,0 @@ -schema: Lacework.CloudCompliance -description: Lacework.Compliance represents the content of an exported Lacework CloudCompliance report -referenceURL: https://www.lacework.com/platform-overview/ -version: 0 -fields: - - name: REASON - type: string - - name: REGION - type: string - - name: RESOURCE - type: string - - name: ACCOUNT - required: true - type: object - fields: - - name: AccountId - type: string - - name: Account_Alias - type: string - - name: EVAL_TYPE - required: true - type: string - - name: ID - required: true - type: string - - name: RECOMMENDATION - type: string - - name: REPORT_TIME - required: true - type: timestamp - timeFormat: "%a, %d %b %Y %H:%M:%S %z" - isEventTime: true - - name: SECTION - type: string - - name: SEVERITY - required: true - type: string - - name: STATUS - required: true - type: string diff --git a/schemas/logs/lacework/events.yml b/schemas/logs/lacework/events.yml deleted file mode 100644 index 70939f5d8..000000000 --- a/schemas/logs/lacework/events.yml +++ /dev/null @@ -1,464 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Lacework.Events -parser: - native: - name: Lacework.Events -description: Lacework.Events represents the content of an exported Lacework Alert S3 Object. -referenceURL: https://www.lacework.com/platform-overview/ -version: 0 -fields: - - name: EVENT_CATEGORY - required: true - description: The category the event falls into - type: string - - name: EVENT_DETAILS - required: true - description: The event details - type: object - fields: - - name: data - description: The array of event data - type: array - element: - type: object - fields: - - name: START_TIME - description: The event start time. - type: timestamp - timeFormat: rfc3339 - - name: END_TIME - description: The event end time. - type: timestamp - timeFormat: rfc3339 - - name: EVENT_TYPE - description: The event type description eg - launched new binary. - type: string - - name: EVENT_ID - description: The event alert ID. - type: string - - name: EVENT_ACTOR - description: The origin of the event eg - AWS, User. - type: string - - name: EVENT_MODEL - description: The model that triggered an alert. - type: string - - name: ENTITY_MAP - description: The map of related fields to the detection alert. - type: object - fields: - - name: User - description: Any user based info involved in an alert. - type: array - element: - type: object - fields: - - name: MACHINE_HOSTNAME - description: Hostname field - type: string - - name: USERNAME - description: Username field - type: string - - name: Application - description: Any application based info involved in an alert. - type: array - element: - type: object - fields: - - name: APPLICATION - description: Application field - type: string - - name: HAS_EXTERNAL_CONNS - description: HasExternalConns field - type: bigint - - name: IS_CLIENT - description: IsClient field - type: bigint - - name: IS_SERVER - description: IsServer field - type: bigint - - name: EARLIEST_KNOWN_TIME - description: EarliestKnownTime field - type: timestamp - timeFormat: rfc3339 - - name: Machine - description: Any machine based info involved in an alert. - type: array - element: - type: object - fields: - - name: HOSTNAME - description: Hostname field - type: string - - name: EXTERNAL_IP - description: ExternalIP field - type: string - - name: INSTANCE_ID - description: InstanceID field - type: string - - name: INSTANCE_NAME - description: InstanceName field - type: string - - name: CPU_PERCENTAGE - description: CPUPercentage field - type: float - - name: INTERNAL_IP_ADDR - description: InternalIPAddress field - type: string - - name: IS_EXTERNAL - description: IsExternal field - type: bigint - - name: Container - description: Any container based info involved in an alert. - type: array - element: - type: object - fields: - - name: IMAGE_REPO - description: ImageRepo field - type: string - - name: IMAGE_TAG - description: ImageTag field - type: string - - name: HAS_EXTERNAL_CONNS - description: HasExternalConns field - type: bigint - - name: IS_CLIENT - description: IsClient field - type: bigint - - name: IS_SERVER - description: IsServer field - type: bigint - - name: FIRST_SEEN_TIME - description: FirstSeenTime field - type: timestamp - timeFormat: rfc3339 - - name: POD_NAMESPACE - description: PodNamespace field - type: string - - name: POD_IP_ADDR - description: PodIPAddress field - type: string - - name: DnsName - description: Any dns based info involved in an alert. - type: array - element: - type: object - fields: - - name: HOSTNAME - description: Hostname field - type: string - - name: PORT_LIST - description: PortList field - type: array - element: - type: int - - name: TOTAL_IN_BYTES - description: TotalINBytes field - type: float - - name: TOTAL_OUT_BYTES - description: TotalOUTBytes field - type: float - - name: IpAddress - description: Any ip based info involved in an alert. - type: array - element: - type: object - fields: - - name: IP_ADDRESS - description: SourceIPAddress field - type: string - indicators: - - ip - - name: TOTAL_IN_BYTES - description: TotalINBytes field - type: float - - name: TOTAL_OUT_BYTES - description: TotalOUTBytes field - type: float - - name: THREAT_TAGS - description: ThreatTags field - type: array - element: - type: string - - name: THREAT_SOURCE - description: ThreatSource field - type: json - - name: COUNTRY - description: Country field - type: string - - name: REGION - description: Region field - type: string - - name: PORT_LIST - description: PortList field - type: array - element: - type: int - - name: FIRST_SEEN_TIME - description: FirstSeenTime field - type: string - - name: Process - description: Any process based info involved in an alert. - type: array - element: - type: object - fields: - - name: HOSTNAME - description: Hostname field - type: string - - name: PROCESS_ID - description: ProcessID field - type: bigint - - name: PROCESS_START_TIME - description: ProcessStartTime field - type: timestamp - timeFormat: rfc3339 - - name: CMDLINE - description: CommandLine field - type: string - - name: CPU_PERCENTAGE - description: CPUPercentage field - type: float - - name: FileDataHash - description: Any filehash based info involved in an alert. - type: array - element: - type: object - fields: - - name: FILEDATA_HASH - description: FiledataHash field - type: string - - name: MACHINE_COUNT - description: MachineCount field - type: bigint - - name: EXE_PATH_LIST - description: EXEPathList field - type: array - element: - type: string - - name: FIRST_SEEN_TIME - description: FirstSeenTime field - type: timestamp - timeFormat: rfc3339 - - name: IS_KNOWN_BAD - description: ISKnownBad field - type: bigint - - name: FileExePath - description: Any executable filepath information. - type: array - element: - type: object - fields: - - name: EXE_PATH - description: EXEPath field - type: string - - name: FIRST_SEEN_TIME - description: FirstSeenTime field - type: timestamp - timeFormat: rfc3339 - - name: LAST_FILEDATA_HASH - description: LastFileDataHash field - type: string - - name: LAST_PACKAGE_NAME - description: LastPackageName field - type: string - - name: LAST_VERSION - description: LastVersion field - type: string - - name: LAST_FILE_OWNER - description: LastFileOwner field - type: string - - name: SourceIpAddress - description: Source IP based information. - type: array - element: - type: object - fields: - - name: IP_ADDRESS - description: SourceIPAddress field - type: string - indicators: - - ip - - name: REGION - description: Region field - type: string - - name: COUNTRY - description: Country field - type: string - - name: API - description: The service and endpoint. - type: array - element: - type: object - fields: - - name: SERVICE - description: EventSource field - type: string - - name: API - description: EventName field - type: string - - name: Region - description: Regional based information. - type: array - element: - type: object - fields: - - name: REGION - description: Region field - type: string - - name: ACCOUNT_LIST - description: RecipientAccountID field - type: array - element: - type: string - - name: CT_User - description: Cloudtrail user information. - type: array - element: - type: object - fields: - - name: USERNAME - description: Username field - type: string - - name: ACCOUNT_ID - description: AccountID field - type: string - - name: MFA - description: MFA field - type: bigint - - name: API_LIST - description: APIList field - type: array - element: - type: string - - name: REGION_LIST - description: RegionList field - type: array - element: - type: string - - name: PRINCIPAL_ID - description: AccessKeyID field - type: string - - name: Resource - description: Resource values. - type: array - element: - type: object - fields: - - name: NAME - description: Name field - type: string - - name: VALUE - description: Value field - type: string - - name: RecId - description: Receiver account info. - type: array - element: - type: object - fields: - - name: REC_ID - description: RECID field - type: string - - name: ACCOUNT_ID - description: RecipientAccountID field - type: string - - name: ACCOUNT_ALIAS - description: AccountAlias field - type: string - - name: TITLE - description: Title field - type: string - - name: STATUS - description: Status field - type: string - - name: EVAL_TYPE - description: EVALType field - type: string - - name: EVAL_GUID - description: EVALGUID field - type: string - - name: CustomRule - description: Custom Rule info. - type: array - element: - type: object - fields: - - name: LAST_UPDATED_TIME - description: LastUpdatedTime field - type: timestamp - timeFormat: rfc3339 - - name: LAST_UPDATED_USER - description: LastUpdatedUser field - type: string - - name: DISPLAY_FILTER - description: DisplayFilter field - type: string - - name: RULE_GUID - description: RuleGUID field - type: string - - name: NewViolation - description: Violation Ref. - type: array - element: - type: object - fields: - - name: REC_ID - description: RECID field - type: string - - name: REASON - description: Reason field - type: string - - name: RESOURCE - description: Resource field - type: string - - name: ViolationReason - description: A reason for the violation. - type: array - element: - type: object - fields: - - name: REC_ID - description: RECID field - type: string - - name: REASON - description: Reason field - type: string - - name: SEVERITY - required: true - description: The severity level of the alert - type: bigint - - name: START_TIME - required: true - description: The event start time. - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: SUMMARY - required: true - description: The alert title and quick summary - type: string - - name: EVENT_TYPE - required: true - description: The type of event - type: string - - name: EVENT_NAME - required: true - description: The event name - type: string - - name: LINK - required: true - description: A link to the Lacework dashboard for the event - type: string - - name: EVENT_ID - required: true - description: The eventID reference - type: bigint - - name: ACCOUNT - required: true - description: The Lacework tenent that created the event - type: string - - name: SOURCE - required: true - description: The data source the event triggered on - type: string diff --git a/schemas/logs/lacework/tests/alert_details_tests.yml b/schemas/logs/lacework/tests/alert_details_tests.yml deleted file mode 100644 index 8da5bdfac..000000000 --- a/schemas/logs/lacework/tests/alert_details_tests.yml +++ /dev/null @@ -1,149 +0,0 @@ -name: alertdetails -logType: Lacework.AlertDetails -input: | - { - "END_TIME":"Thu, 22 Apr 2021 07:00:00 -0700", - "START_TIME":"Thu, 22 Apr 2021 06:00:00 -0700", - "EVENT_ACTOR":"Compliance", - "EVENT_ID":12462, - "EVENT_MODEL":"AwsCompliance", - "EVENT_TYPE":"NewViolations", - "ENTITY_MAP":{ - "NewViolation":[ - { - "KEY":{ - "reason":"LBShouldHaveAccessLogsEnabled", - "reason_id":"LW_AWS_NETWORKING_49_LBShouldHaveAccessLogsEnabled", - "rec_id":"LW_AWS_NETWORKING_49", - "resource":"arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/k8s" - }, - "PROPS":{ - "provider":"AWS" - } - }, - { - "KEY":{ - "reason":"LBShouldHaveAccessLogsEnabled", - "reason_id":"LW_AWS_NETWORKING_49_LBShouldHaveAccessLogsEnabled", - "rec_id":"LW_AWS_NETWORKING_49", - "resource":"arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/k8s-2" - }, - "PROPS":{ - "provider":"AWS" - } - }], - "RecId":[ - { - "KEY":{ - "eval_guid":"9f9de06d4ad244c489f8fffe0f0db05d", - "rec_id":"LW_AWS_NETWORKING_49" - }, - "PROPS":{ - "account_alias":"guild-staging", - "account_id":"221203628080", - "eval_type":"LW_SA", - "title":"Load Balancers should have Access Logs enabled" - } - }], - "Resource":[ - { - "KEY":{ - "name":"loadBalancer", - "value":"arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/077dac4e" - } - },{ - "KEY":{ - "name":"loadBalancer", - "value":"arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/k8s" - } - }], - "ViolationReason":[ - { - "KEY":{ - "reason":"LBShouldHaveAccessLogsEnabled", - "reason_id":"LW_AWS_NETWORKING_49_LBShouldHaveAccessLogsEnabled", - "rec_id":"LW_AWS_NETWORKING_49" - }, - "PROPS":{ - "provider":"AWS" - } - }] - } - } -result: | - { - "END_TIME":"Thu, 22 Apr 2021 07:00:00 -0700", - "START_TIME":"Thu, 22 Apr 2021 06:00:00 -0700", - "EVENT_ACTOR":"Compliance", - "EVENT_ID":12462, - "EVENT_MODEL":"AwsCompliance", - "EVENT_TYPE":"NewViolations", - "ENTITY_MAP":{ - "NewViolation":[ - { - "KEY":{ - "reason":"LBShouldHaveAccessLogsEnabled", - "reason_id":"LW_AWS_NETWORKING_49_LBShouldHaveAccessLogsEnabled", - "rec_id":"LW_AWS_NETWORKING_49", - "resource":"arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/k8s" - }, - "PROPS":{ - "provider":"AWS" - } - }, - { - "KEY":{ - "reason":"LBShouldHaveAccessLogsEnabled", - "reason_id":"LW_AWS_NETWORKING_49_LBShouldHaveAccessLogsEnabled", - "rec_id":"LW_AWS_NETWORKING_49", - "resource":"arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/k8s-2" - }, - "PROPS":{ - "provider":"AWS" - } - }], - "RecId":[ - { - "KEY":{ - "eval_guid":"9f9de06d4ad244c489f8fffe0f0db05d", - "rec_id":"LW_AWS_NETWORKING_49" - }, - "PROPS":{ - "account_alias":"guild-staging", - "account_id":"221203628080", - "eval_type":"LW_SA", - "title":"Load Balancers should have Access Logs enabled" - } - }], - "Resource":[ - { - "KEY":{ - "name":"loadBalancer", - "value":"arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/077dac4e" - } - },{ - "KEY":{ - "name":"loadBalancer", - "value":"arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/k8s" - } - }], - "ViolationReason":[ - { - "KEY":{ - "reason":"LBShouldHaveAccessLogsEnabled", - "reason_id":"LW_AWS_NETWORKING_49_LBShouldHaveAccessLogsEnabled", - "rec_id":"LW_AWS_NETWORKING_49" - }, - "PROPS":{ - "provider":"AWS" - } - }] - }, - "p_log_type": "Lacework.AlertDetails", - "p_event_time": "2021-04-22T14:00:00Z", - "p_any_aws_account_ids":["123456789012"], - "p_any_aws_arns": [ - "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/077dac4e", - "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/k8s", - "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/k8s-2"] - } diff --git a/schemas/logs/lacework/tests/cloud_compliance_tests.yml b/schemas/logs/lacework/tests/cloud_compliance_tests.yml deleted file mode 100644 index 780cf76b4..000000000 --- a/schemas/logs/lacework/tests/cloud_compliance_tests.yml +++ /dev/null @@ -1,71 +0,0 @@ -name: cloudcompliance.withrecomendation -logType: Lacework.CloudCompliance -input: | - { - "ACCOUNT":{ - "AccountId":"012345678912", - "Account_Alias":"test" - }, - "EVAL_TYPE":"LW_SA", - "ID":"LW_AWS_NETWORKING_9", - "RECOMMENDATION":"Unrestricted Security Group should not be attached to Network Interface", - "REGION":"us-west-2", - "REPORT_TIME":"Fri, 05 Feb 2021 05:42:02 -0800", - "RESOURCE":"arn:aws:ec2:us-west-2:012345678912:network-interface/eni-xxxxx", - "SECTION":"Networking", - "SEVERITY":"Critical", - "STATUS":"NonCompliant" - } -result: | - { - "ACCOUNT":{ - "AccountId":"012345678912", - "Account_Alias":"test" - }, - "EVAL_TYPE":"LW_SA", - "ID":"LW_AWS_NETWORKING_9", - "RECOMMENDATION":"Unrestricted Security Group should not be attached to Network Interface", - "REGION":"us-west-2", - "REPORT_TIME":"Fri, 05 Feb 2021 05:42:02 -0800", - "RESOURCE":"arn:aws:ec2:us-west-2:012345678912:network-interface/eni-xxxxx", - "SECTION":"Networking", - "SEVERITY":"Critical", - "STATUS":"NonCompliant", - "p_log_type":"Lacework.CloudCompliance", - "p_event_time":"2021-02-05T13:42:02Z" - } ---- -name: cloudcompliance.withoutrecomendation -logType: Lacework.CloudCompliance -input: | - { - "ACCOUNT":{ - "AccountId":"012345678912", - "Account_Alias":"test" - }, - "EVAL_TYPE":"LW_SA", - "ID":"AWS_CIS_1_10", - "REASON":"Account does not have password policy", - "RECOMMENDATION":"Ensure IAM password policy prevents password reuse", - "REPORT_TIME":"Fri, 05 Feb 2021 05:42:02 -0800", - "SECTION":"Identity and Access Management", - "SEVERITY":"High", - "STATUS":"NonCompliant" - } -result: | - { - "ACCOUNT":{ - "AccountId":"012345678912", - "Account_Alias":"test" - }, - "EVAL_TYPE":"LW_SA", - "ID":"AWS_CIS_1_10", - "REASON":"Account does not have password policy", - "RECOMMENDATION":"Ensure IAM password policy prevents password reuse", - "REPORT_TIME":"Fri, 05 Feb 2021 05:42:02 -0800", - "SECTION":"Identity and Access Management", - "SEVERITY":"High", - "STATUS":"NonCompliant", - "p_log_type":"Lacework.CloudCompliance", - "p_event_time":"2021-02-05T13:42:02Z" - } diff --git a/schemas/logs/microsoft_365/audit.azure_active_directory.yml b/schemas/logs/microsoft_365/audit.azure_active_directory.yml deleted file mode 100644 index 1d56182db..000000000 --- a/schemas/logs/microsoft_365/audit.azure_active_directory.yml +++ /dev/null @@ -1,154 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Microsoft365.Audit.AzureActiveDirectory -parser: - native: - name: Microsoft365.Audit.AzureActiveDirectory -description: Azure Active Directory audit events. -referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema -version: 0 -fields: - - name: Id - required: true - description: Unique identifier of an audit record. - type: string - - name: RecordType - required: true - description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records. - type: int - - name: CreationTime - required: true - description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity. - type: timestamp - timeFormat: layout=2006-01-02T15:04:05 - isEventTime: true - - name: Operation - required: true - description: The name of the user or admin activity. - type: string - - name: OrganizationId - required: true - description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. - type: string - - name: UserType - required: true - description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users. - type: int - - name: UserKey - required: true - description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts. - type: string - indicators: - - username - - name: Workload - description: The Office 365 service where the activity occurred. - type: string - - name: ResultStatus - description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. - type: string - - name: ObjectId - description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. - type: string - - name: UserId - required: true - description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. - type: string - indicators: - - username - - name: ClientIP - description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null. - type: string - indicators: - - ip - - name: Scope - description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365. - type: string - - name: AzureActiveDirectoryEventType - required: true - description: The type of Azure AD event. - type: int - - name: ExtendedProperties - description: The extended properties of the Azure AD event. - type: array - element: - type: object - fields: - - name: Name - description: Name field - type: string - - name: Value - description: Value field - type: string - - name: ModifiedProperties - description: This property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property. - type: array - element: - type: string - - name: Application - description: The application that triggers the account login event, such as Office 15. - type: string - - name: Client - description: Details about the client device, device OS, and device browser that was used for the of the account login event. - type: string - - name: LoginStatus - description: This property is from OrgIdLogon.LoginStatus directly. The mapping of various interesting logon failures could be done by alerting algorithms. - type: int - - name: UserDomain - description: The Tenant Identity Information (TII). - type: string - - name: Actor - description: The user or service principal that performed the action. - type: array - element: - type: object - fields: - - name: ID - description: The value of the identity given the type. - type: string - indicators: - - username - - name: Type - description: The type of the identity. - type: int - - name: ActorContextId - description: The GUID of the organization that the actor belongs to. - type: string - - name: ActorIpAddress - description: The actor's IP address in IPV4 or IPV6 address format. - type: string - indicators: - - ip - - name: InterSystemsId - description: The GUID that track the actions across components within the Office 365 service. - type: string - - name: IntraSystemId - description: The GUID that's generated by Azure Active Directory to track the action. - type: string - - name: SupportTicketId - description: The customer support ticket ID for the action in "act-on-behalf-of" situations. - type: string - - name: Target - description: The user that the action (identified by the Operation property) was performed on. - type: array - element: - type: object - fields: - - name: ID - description: The value of the identity given the type. - type: string - indicators: - - username - - name: Type - description: The type of the identity. - type: int - - name: TargetContextId - description: The GUID of the organization that the targeted user belongs to. - type: string - - name: ApplicationId - description: The GUID that represents the application that is requesting the login. The display name can be looked up via the Azure Active Directory Graph API. - type: string - - name: ErrorCode - description: For failed logins (where the value for the Operation property is UserLoginFailed), this property contains the Azure Active Directory STS (AADSTS) error code. A value of 0 indicates a successful login. - type: string - - name: LogonError - description: For failed logins, this property contains a user-readable description of the reason for the failed login. - type: string diff --git a/schemas/logs/microsoft_365/audit.exchange.yml b/schemas/logs/microsoft_365/audit.exchange.yml deleted file mode 100644 index 220e419d8..000000000 --- a/schemas/logs/microsoft_365/audit.exchange.yml +++ /dev/null @@ -1,249 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Microsoft365.Audit.Exchange -parser: - native: - name: Microsoft365.Audit.Exchange -description: Microsoft Exchange audit events. -referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema -version: 0 -fields: - - name: Id - required: true - description: Unique identifier of an audit record. - type: string - - name: RecordType - required: true - description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records. - type: int - - name: CreationTime - required: true - description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity. - type: timestamp - timeFormat: layout=2006-01-02T15:04:05 - isEventTime: true - - name: Operation - required: true - description: The name of the user or admin activity. - type: string - - name: OrganizationId - required: true - description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. - type: string - - name: UserType - required: true - description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users. - type: int - - name: UserKey - required: true - description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts. - type: string - indicators: - - username - - name: Workload - description: The Office 365 service where the activity occurred. - type: string - - name: ResultStatus - description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. - type: string - - name: ObjectId - description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. - type: string - - name: UserId - required: true - description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. - type: string - indicators: - - username - - name: ClientIP - description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null. - type: string - indicators: - - ip - - name: Scope - description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365. - type: string - - name: ModifiedObjectResolvedName - description: This is the user friendly name of the object that was modified by the cmdlet. This is logged only if the cmdlet modifies the object. - type: string - - name: Parameters - description: The name and value for all parameters that were used with the cmdlet that is identified in the Operations property. - type: array - element: - type: object - fields: - - name: Name - description: Name field - type: string - - name: Value - description: Value field - type: string - - name: ModifiedProperties - description: The property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified object. - type: array - element: - type: string - - name: ExternalAccess - required: true - description: Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator. - type: boolean - - name: OriginatingServer - description: The name of the server from which the cmdlet was executed. - type: string - - name: OrganizationName - description: The name of the tenant. - type: string - indicators: - - username - - name: LogonType - description: Indicates the type of user who accessed the mailbox and performed the operation that was logged. - type: int - - name: InternalLogonType - description: Reserved for internal use. - type: int - - name: MailboxGuid - description: The Exchange GUID of the mailbox that was accessed. - type: string - - name: MailboxOwnerUPN - description: The email address of the person who owns the mailbox that was accessed. - type: string - indicators: - - username - - name: MailboxOwnerSid - description: The SID of the mailbox owner. - type: string - indicators: - - username - - name: MailboxOwnerMasterAccountSid - description: Mailbox owner account's master account SID. - type: string - indicators: - - username - - name: LogonUserSid - description: The SID of the user who performed the operation. - type: string - indicators: - - username - - name: LogonUserDisplayName - description: The user-friendly name of the user who performed the operation. - type: string - - name: ClientInfoString - description: Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. - type: string - - name: ClientIPAddress - description: The IP address of the device that was used when the operation was logged. The IP address is displayed in either an IPv4 or IPv6 address format. - type: string - indicators: - - ip - - name: ClientMachineName - description: The machine name that hosts the Outlook client. - type: string - indicators: - - hostname - - name: ClientProcessName - description: The email client that was used to access the mailbox. - type: string - - name: ClientVersion - description: The version of the email client. - type: string - - name: Folder - description: The folder where a group of items is located. - type: object - fields: - - name: Id - description: The store ID of the folder object. - type: string - - name: Path - description: The name of the mailbox folder where the message that was accessed is located. - type: string - - name: FolderItems - description: FolderItems field - type: json - - name: CrossMailboxOperations - description: Indicates if the operation involved more than one mailbox. - type: boolean - - name: DestMailboxId - description: Set only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID. - type: string - - name: DestMailboxOwnerUPN - description: Set only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox. - type: string - - name: DestMailboxOwnerSid - description: Set only if the CrossMailboxOperations parameter is True. Specifies the SID of the target mailbox. - type: string - - name: DestMailboxOwnerMasterAccountSid - description: Set only if the CrossMailboxOperations parameter is True. Specifies the SID for the master account SID of the target mailbox owner. - type: string - indicators: - - username - - name: DestFolder - description: The destination folder, for operations such as Move. - type: object - fields: - - name: Id - description: The store ID of the folder object. - type: string - - name: Path - description: The name of the mailbox folder where the message that was accessed is located. - type: string - - name: FolderItems - description: FolderItems field - type: json - - name: Folders - description: Information about the source folders involved in an operation; for example, if folders are selected and then deleted. - type: array - element: - type: object - fields: - - name: Id - description: The store ID of the folder object. - type: string - - name: Path - description: The name of the mailbox folder where the message that was accessed is located. - type: string - - name: FolderItems - description: FolderItems field - type: json - - name: AffectedItems - description: Information about each item in the group. - type: array - element: - type: object - fields: - - name: Id - description: The store ID. - type: string - - name: Subject - description: The subject line of the message that was accessed. - type: string - - name: ParentFolder - description: The name of the folder where the item is located. - type: object - fields: - - name: Id - description: The store ID of the folder object. - type: string - - name: Path - description: The name of the mailbox folder where the message that was accessed is located. - type: string - - name: FolderItems - description: FolderItems field - type: json - - name: Attachments - description: A list of the names and file size of all items that are attached to the message. - type: string - - name: SendAsUserSmtp - description: SMTP address of the user who is being impersonated. - type: string - indicators: - - hostname - - name: SendAsUserMailboxGuid - description: The Exchange GUID of the mailbox that was accessed to send email as. - type: string - - name: SendOnBehalfOfUserSmtp - description: SMTP address of the user on whose behalf the email is sent. - type: string - indicators: - - hostname - - name: SendOnBehalfOfUserMailboxGuid - description: The Exchange GUID of the mailbox that was accessed to send mail on behalf of. - type: string diff --git a/schemas/logs/microsoft_365/audit.general.yml b/schemas/logs/microsoft_365/audit.general.yml deleted file mode 100644 index d19ecc810..000000000 --- a/schemas/logs/microsoft_365/audit.general.yml +++ /dev/null @@ -1,67 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Microsoft365.Audit.General -parser: - native: - name: Microsoft365.Audit.General -description: General audit events not included in the other log types. -referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema -version: 0 -fields: - - name: Id - required: true - description: Unique identifier of an audit record. - type: string - - name: RecordType - required: true - description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records. - type: int - - name: CreationTime - required: true - description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity. - type: timestamp - timeFormat: layout=2006-01-02T15:04:05 - isEventTime: true - - name: Operation - required: true - description: The name of the user or admin activity. - type: string - - name: OrganizationId - required: true - description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. - type: string - - name: UserType - required: true - description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users. - type: int - - name: UserKey - required: true - description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts. - type: string - indicators: - - username - - name: Workload - description: The Office 365 service where the activity occurred. - type: string - - name: ResultStatus - description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. - type: string - - name: ObjectId - description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. - type: string - - name: UserId - required: true - description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. - type: string - indicators: - - username - - name: ClientIP - description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null. - type: string - indicators: - - ip - - name: Scope - description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365. - type: string - - name: payload - description: The full JSON payload of the event. - type: json diff --git a/schemas/logs/microsoft_365/audit.share_point.yml b/schemas/logs/microsoft_365/audit.share_point.yml deleted file mode 100644 index 9bb795a49..000000000 --- a/schemas/logs/microsoft_365/audit.share_point.yml +++ /dev/null @@ -1,129 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Microsoft365.Audit.SharePoint -parser: - native: - name: Microsoft365.Audit.SharePoint -description: Microsoft SharePoint audit events. -referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema -version: 0 -fields: - - name: Id - required: true - description: Unique identifier of an audit record. - type: string - - name: RecordType - required: true - description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records. - type: int - - name: CreationTime - required: true - description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity. - type: timestamp - timeFormat: layout=2006-01-02T15:04:05 - isEventTime: true - - name: Operation - required: true - description: The name of the user or admin activity. - type: string - - name: OrganizationId - required: true - description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. - type: string - - name: UserType - required: true - description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users. - type: int - - name: UserKey - required: true - description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts. - type: string - indicators: - - username - - name: Workload - description: The Office 365 service where the activity occurred. - type: string - - name: ResultStatus - description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. - type: string - - name: ObjectId - description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. - type: string - - name: UserId - required: true - description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. - type: string - indicators: - - username - - name: ClientIP - description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null. - type: string - indicators: - - ip - - name: Scope - description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365. - type: string - - name: Site - description: The GUID of the site where the file or folder accessed by the user is located. - type: string - - name: ItemType - description: The type of object that was accessed or modified. - type: string - - name: EventSource - description: Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel. - type: string - - name: SourceName - description: The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel. - type: string - - name: UserAgent - description: Information about the user's client or browser. This information is provided by the client or browser. - type: string - - name: MachineDomainInfo - description: Information about device sync operations. This information is reported only if it's present in the request. - type: string - - name: MachineId - description: Information about device sync operations. This information is reported only if it's present in the request. - type: string - - name: SiteUrl - description: The URL of the site where the file or folder accessed by the user is located. - type: string - - name: SourceRelativeUrl - description: The URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, SourceRelativeURL, and SourceFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file accessed by the user. - type: string - - name: SourceFileName - description: The name of the file or folder accessed by the user. - type: string - - name: SourceFileExtension - description: The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder. - type: string - - name: DestinationRelativeUrl - description: The URL of the destination folder where a file is copied or moved. The combination of the values for SiteURL, DestinationRelativeURL, and DestinationFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file that was copied. This property is displayed only for FileCopied and FileMoved events. - type: string - - name: DestinationFileName - description: The name of the file that is copied or moved. This property is displayed only for FileCopied and FileMoved events. - type: string - - name: DestinationFileExtension - description: The file extension of a file that is copied or moved. This property is displayed only for FileCopied and FileMoved events. - type: string - - name: UserSharedWith - description: The user that a resource was shared with. - type: string - - name: SharingType - description: The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter. - type: string - - name: TargetUserOrGroupName - description: Stores the UPN or name of the target user or group that a resource was shared with. - type: string - - name: TargetUserOrGroupType - description: Identifies whether the target user or group is a Member, Guest, Group, or Partner. - type: string - - name: EventData - description: Conveys follow-up information about the sharing action that has occurred, such as adding a user to a group or granting edit permissions. - type: string - - name: CustomEvent - description: Optional string for custom events. - type: string - - name: ModifiedProperties - description: The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified (for example, the Site Admin group), the new value of the modified property (such the user who was added as a site admin), and the previous value of the modified object. - type: array - element: - type: string diff --git a/schemas/logs/microsoft_365/dlp.all.yml b/schemas/logs/microsoft_365/dlp.all.yml deleted file mode 100644 index 35d2735ff..000000000 --- a/schemas/logs/microsoft_365/dlp.all.yml +++ /dev/null @@ -1,254 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Microsoft365.DLP.All -parser: - native: - name: Microsoft365.DLP.All -description: DLP events for all workloads. -referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#dlp-schema -version: 0 -fields: - - name: Id - required: true - description: Unique identifier of an audit record. - type: string - - name: RecordType - required: true - description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records. - type: int - - name: CreationTime - required: true - description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity. - type: timestamp - timeFormat: layout=2006-01-02T15:04:05 - isEventTime: true - - name: Operation - required: true - description: The name of the user or admin activity. - type: string - - name: OrganizationId - required: true - description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. - type: string - - name: UserType - required: true - description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users. - type: int - - name: UserKey - required: true - description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts. - type: string - indicators: - - username - - name: Workload - description: The Office 365 service where the activity occurred. - type: string - - name: ResultStatus - description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. - type: string - - name: ObjectId - description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. - type: string - - name: UserId - required: true - description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. - type: string - indicators: - - username - - name: ClientIP - description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null. - type: string - indicators: - - ip - - name: Scope - description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365. - type: string - - name: SharePointMetaData - description: Describes metadata about the document in SharePoint or OneDrive for Business that contained the sensitive information. - type: object - fields: - - name: From - description: The user who triggered the event. This will be either the FileOwner, LastModifier, or LastSharer. - type: string - indicators: - - username - - name: itemCreationTime - description: Datetimestamp in UTC of when event logged. - type: timestamp - timeFormat: layout=2006-01-02T15:04:05 - - name: SiteCollectionGuid - description: The GUID of the site collection. - type: string - - name: SiteCollectionUrl - description: Name of the SharePoint site. - type: string - - name: FileName - description: Name of the path. - type: string - - name: FileOwner - description: The document owner. - type: string - indicators: - - username - - name: FilePathUrl - description: The URL of the document - type: string - - name: DocumentLastModifier - description: The user who last modified the document. - type: string - indicators: - - username - - name: DocumentSharer - description: The user who last modified sharing of the document. - type: string - indicators: - - username - - name: UniqueId - description: A guid that identifies the file. - type: string - - name: LastModifiedTime - description: Timestamp in UTC for when doc was last modified. - type: timestamp - timeFormat: layout=2006-01-02T15:04:05 - - name: ExchangeMetaData - description: Describes metadata about the email message that contained the sensitive information. - type: object - fields: - - name: MessageID - description: The message ID of the email that triggered the event. - type: string - - name: From - description: The user who sent the email. - type: string - indicators: - - username - - email - - name: To - description: A collection of email addresses that were on the To line of the message. - type: array - element: - type: string - indicators: - - email - - name: CC - description: A collection of email addresses that were on the CC line of the message. - type: array - element: - type: string - indicators: - - email - - name: BCC - description: A collection of email addresses that were on the BCC line of the message. - type: array - element: - type: string - indicators: - - email - - name: Subject - description: Subject of the email message. - type: string - - name: Sent - description: The time in UTC of when the email was sent. - type: timestamp - timeFormat: layout=2006-01-02T15:04:05 - - name: RecipientCount - description: The total number of all recipients on the TO, CC, and BCC lines of the message. - type: int - - name: ExceptionInfo - description: Identifies reasons why a policy no longer applies and/or any information about false positive and/or override noted by the end user. - type: string - - name: PolicyDetails - required: true - description: Information about 1 or more policies that triggered the DLP event. - type: array - element: - type: object - fields: - - name: PolicyId - description: The guid of the DLP policy for this event. - type: string - - name: PolicyName - description: The friendly name of the DLP policy for this event. - type: string - - name: Rules - description: Information about the rules within the policy that were matched for this event. - type: array - element: - type: object - fields: - - name: RuleId - description: The guid of the DLP rule for this event. - type: string - - name: RuleName - description: The friendly name of the DLP rule for this event. - type: string - - name: Actions - description: A list of actions taken as a result of a DLP RuleMatch event. - type: array - element: - type: string - - name: OverriddenActions - description: A list of actions previously taken that were now undone as a result of a DLPRuleUndo event. - type: array - element: - type: string - - name: Severity - description: The severity (Low, Medium and High) of the rule match. - type: string - - name: RuleMode - description: Indicate whether the DLP Rule was set to Enforce, Audit with Notify, or Audit only. - type: string - - name: ConditionsMatched - description: Details about what conditions of the rule were matched for this event. - type: object - fields: - - name: SensitiveInformation - description: Information about the type of sensitive information detected. - type: object - fields: - - name: Confidence - description: The confidence of pattern that matched the detection. - type: bigint - - name: Count - description: The number of sensitive instances detected. - type: bigint - - name: SensitiveType - description: A guid that identifies the type of sensitive data detected. - type: string - - name: SensitiveInformationDetections - description: An array of objects that contain sensitive information data with the following details – matched value and context of matched value. - type: object - fields: - - name: Detections - description: An array of sensitive information that was detected. Information contains key value pairs with Value = matched value (eg. Value of credit card of SSN) and Context = an excerpt from source content that contains the matched value. - type: json - - name: ResultsTruncated - description: Indicates if the logs were truncated due to large number of results. - type: boolean - - name: DocumentProperties - description: Information about document properties that triggered a rule match. - type: array - element: - type: object - fields: - - name: Name - description: Name field - type: string - - name: Value - description: Value field - type: string - - name: OtherConditions - description: A list of key value pairs describing any other conditions that were matched. - type: array - element: - type: object - fields: - - name: Name - description: Name field - type: string - - name: Value - description: Value field - type: string - - name: SensitiveInfoDetectionIsIncluded - required: true - description: Indicates whether the event contains the value of the sensitive data type and surrounding context from the source content. Accessing sensitive data requires the "Read DLP policy events including sensitive details" permission in Azure Active Directory. - type: boolean diff --git a/schemas/logs/microsoft_365/tests/audit.azure_active_directory_tests.yml b/schemas/logs/microsoft_365/tests/audit.azure_active_directory_tests.yml deleted file mode 100644 index e47550354..000000000 --- a/schemas/logs/microsoft_365/tests/audit.azure_active_directory_tests.yml +++ /dev/null @@ -1,119 +0,0 @@ ---- -name: Microsoft365.Audit.AzureActiveDirectory logs -logType: Microsoft365.Audit.AzureActiveDirectory -input: | - { - "CreationTime": "2021-02-24T10:13:35", - "Id": "523b3967-fcdd-450b-ab97-6cc253332400", - "Operation": "UserLoginFailed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 15, - "ResultStatus": "Success", - "UserKey": "011d5ede-0faa-4946-a25e-b2cd0c47a52c", - "UserType": 0, - "Version": 1, - "Workload": "AzureActiveDirectory", - "ClientIP": "1.23.45.6", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "UserId": "user.name@companyinc.onmicrosoft.com", - "AzureActiveDirectoryEventType": 1, - "ExtendedProperties": [ - { - "Name": "ResultStatusDetail", - "Value": "Success" - }, - { - "Name": "UserAgent", - "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0" - }, - { - "Name": "RequestType", - "Value": "OAuth2:Authorize" - } - ], - "ModifiedProperties": [], - "Actor": [ - { - "ID": "011d5ede-0faa-4946-a25e-b2cd0c47a52c", - "Type": 0 - }, - { - "ID": "user.name@companyinc.onmicrosoft.com", - "Type": 5 - } - ], - "ActorContextId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "ActorIpAddress": "1.23.45.6", - "InterSystemsId": "3e7b35b7-1fd6-4067-a04b-9177afde472b", - "IntraSystemId": "523b3967-fcdd-450b-ab97-6cc253332400", - "SupportTicketId": "", - "Target": [ - { - "ID": "00000002-0000-0000-c000-000000000000", - "Type": 0 - } - ], - "TargetContextId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", - "ErrorNumber": "50072", - "LogonError": "UserStrongAuthEnrollmentRequiredInterrupt" - } -result: | - { - "CreationTime": "2021-02-24T10:13:35", - "Id": "523b3967-fcdd-450b-ab97-6cc253332400", - "Operation": "UserLoginFailed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 15, - "ResultStatus": "Success", - "UserKey": "011d5ede-0faa-4946-a25e-b2cd0c47a52c", - "UserType": 0, - "Workload": "AzureActiveDirectory", - "ClientIP": "1.23.45.6", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "UserId": "user.name@companyinc.onmicrosoft.com", - "AzureActiveDirectoryEventType": 1, - "ExtendedProperties": [ - { - "Name": "ResultStatusDetail", - "Value": "Success" - }, - { - "Name": "UserAgent", - "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0" - }, - { - "Name": "RequestType", - "Value": "OAuth2:Authorize" - } - ], - "Actor": [ - { - "ID": "011d5ede-0faa-4946-a25e-b2cd0c47a52c", - "Type": 0 - }, - { - "ID": "user.name@companyinc.onmicrosoft.com", - "Type": 5 - } - ], - "ActorContextId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "ActorIpAddress": "1.23.45.6", - "InterSystemsId": "3e7b35b7-1fd6-4067-a04b-9177afde472b", - "IntraSystemId": "523b3967-fcdd-450b-ab97-6cc253332400", - "SupportTicketId": "", - "Target": [ - { - "ID": "00000002-0000-0000-c000-000000000000", - "Type": 0 - } - ], - "TargetContextId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", - "LogonError": "UserStrongAuthEnrollmentRequiredInterrupt", - - "p_log_type": "Microsoft365.Audit.AzureActiveDirectory", - "p_event_time":"2021-02-24T10:13:35Z", - "p_any_usernames": ["00000002-0000-0000-c000-000000000000", "011d5ede-0faa-4946-a25e-b2cd0c47a52c", "user.name@companyinc.onmicrosoft.com"], - "p_any_ip_addresses":["1.23.45.6"] - } diff --git a/schemas/logs/microsoft_365/tests/audit.exchange_tests.yml b/schemas/logs/microsoft_365/tests/audit.exchange_tests.yml deleted file mode 100644 index cddcb8a73..000000000 --- a/schemas/logs/microsoft_365/tests/audit.exchange_tests.yml +++ /dev/null @@ -1,191 +0,0 @@ ---- -name: Exchange Mailbox schema RecordType=50 -logType: Microsoft365.Audit.Exchange -input: | - { - "CreationTime": "2021-02-24T01:22:10", - "Id": "34794aea-f556-454e-af57-0a5d98ff0ae9", - "Operation": "MailItemsAccessed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 50, - "ResultStatus": "Succeeded", - "UserKey": "1003200115E78356", - "UserType": 0, - "Version": 1, - "Workload": "Exchange", - "UserId": "user.name@companyinc.onmicrosoft.com", - "AppId": "7a5fbd1c-3e6d-461a-9075-83049393b3a7", - "ClientAppId": "7a5fbd1c-3e6d-461a-9075-83049393b3a7", - "ClientIPAddress": "2603:10b6:5:127::10", - "ClientInfoString": "Client=REST;Client=RESTSystem;;", - "ExternalAccess": false, - "InternalLogonType": 0, - "LogonType": 0, - "LogonUserSid": "S-1-5-21-3580755388-3824964649-1963682085-50438804", - "MailboxGuid": "18a9cd77-d2ef-4a84-9616-af7564720c7c", - "MailboxOwnerSid": "S-1-5-21-3580755388-3824964649-1963682085-50438804", - "MailboxOwnerUPN": "user.name@companyinc.onmicrosoft.com", - "OperationProperties": [ - { - "Name": "MailAccessType", - "Value": "Bind" - }, - { - "Name": "IsThrottled", - "Value": "False" - } - ], - "OrganizationName": "companyinc.onmicrosoft.com", - "OriginatingServer": "DM6PR05MB4057 (15.20.3890.018)\r\n", - "Folders": [ - { - "FolderItems": [ - { - "InternetMessageId": "<13827bae-2713-4547-b29d-922bb368d28f@az.westus2.production.microsoft.com>" - } - ], - "Id": "LgAAAAA9ZZACXA2SS4snUzsz2PhnAQC+FePgPVCNS4zd+2bYtItVAAAAAAEMAAAB", - "Path": "\\Inbox" - } - ], - "OperationCount": 1 - } -result: | - { - "CreationTime": "2021-02-24T01:22:10", - "Id": "34794aea-f556-454e-af57-0a5d98ff0ae9", - "Operation": "MailItemsAccessed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 50, - "ResultStatus": "Succeeded", - "UserKey": "1003200115E78356", - "UserType": 0, - "Workload": "Exchange", - "UserId": "user.name@companyinc.onmicrosoft.com", - "ClientIPAddress": "2603:10b6:5:127::10", - "ClientInfoString": "Client=REST;Client=RESTSystem;;", - "ExternalAccess": false, - "InternalLogonType": 0, - "LogonType": 0, - "LogonUserSid": "S-1-5-21-3580755388-3824964649-1963682085-50438804", - "MailboxGuid": "18a9cd77-d2ef-4a84-9616-af7564720c7c", - "MailboxOwnerSid": "S-1-5-21-3580755388-3824964649-1963682085-50438804", - "MailboxOwnerUPN": "user.name@companyinc.onmicrosoft.com", - "OrganizationName": "companyinc.onmicrosoft.com", - "OriginatingServer": "DM6PR05MB4057 (15.20.3890.018)\r\n", - "Folders": [ - { - "FolderItems": [ - { - "InternetMessageId": "<13827bae-2713-4547-b29d-922bb368d28f@az.westus2.production.microsoft.com>" - } - ], - "Id": "LgAAAAA9ZZACXA2SS4snUzsz2PhnAQC+FePgPVCNS4zd+2bYtItVAAAAAAEMAAAB", - "Path": "\\Inbox" - } - ], - - "p_event_time":"2021-02-24T01:22:10Z", - "p_log_type":"Microsoft365.Audit.Exchange", - "p_any_ip_addresses":["2603:10b6:5:127::10"], - "p_any_usernames": ["1003200115E78356", "S-1-5-21-3580755388-3824964649-1963682085-50438804", "companyinc.onmicrosoft.com", "user.name@companyinc.onmicrosoft.com"] - } ---- -name: Exchange Mailbox schema RecordType=1 -logType: Microsoft365.Audit.Exchange -input: | - { - "CreationTime": "2021-02-24T04:12:27", - "Id": "2c91e7c8-5657-48b2-3743-08d8d87a659b", - "Operation": "New-Mailbox", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 1, - "ResultStatus": "True", - "UserKey": "NT AUTHORITY\\SYSTEM (w3wp)", - "UserType": 3, - "Version": 1, - "Workload": "Exchange", - "ClientIP": "13.82.145.167:19388", - "ObjectId": "NAMPR05A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/companyinc.onmicrosoft.com/SecureScore_8b3391f4-af01-4ee8-b4ea-9871b2499735", - "UserId": "NT AUTHORITY\\SYSTEM (w3wp)", - "AppId": "8b3391f4-af01-4ee8-b4ea-9871b2499735", - "ClientAppId": "8b3391f4-af01-4ee8-b4ea-9871b2499735", - "ExternalAccess": true, - "OrganizationName": "companyinc.onmicrosoft.com", - "OriginatingServer": "SJ0PR05MB7309 (15.20.3890.018)", - "Parameters": [ - { - "Name": "Arbitration", - "Value": "True" - }, - { - "Name": "OrgPartition", - "Value": "True" - }, - { - "Name": "OrgPartitionOwner", - "Value": "8b3391f4-af01-4ee8-b4ea-9871b2499735" - }, - { - "Name": "DomainController", - "Value": "MWHPR05A01DC001.NAMPR05A001.prod.outlook.com" - }, - { - "Name": "SkipEapForArbitration", - "Value": "True" - }, - { - "Name": "Organization", - "Value": "1b78c20b-f4be-465a-8356-7eb189bf1ae8" - } - ], - "SessionId": "" - } -result: | - { - "CreationTime": "2021-02-24T04:12:27", - "Id": "2c91e7c8-5657-48b2-3743-08d8d87a659b", - "Operation": "New-Mailbox", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 1, - "ResultStatus": "True", - "UserKey": "NT AUTHORITY\\SYSTEM (w3wp)", - "UserType": 3, - "Workload": "Exchange", - "ClientIP": "13.82.145.167:19388", - "ObjectId": "NAMPR05A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/companyinc.onmicrosoft.com/SecureScore_8b3391f4-af01-4ee8-b4ea-9871b2499735", - "UserId": "NT AUTHORITY\\SYSTEM (w3wp)", - "ExternalAccess": true, - "OrganizationName": "companyinc.onmicrosoft.com", - "OriginatingServer": "SJ0PR05MB7309 (15.20.3890.018)", - "Parameters": [ - { - "Name": "Arbitration", - "Value": "True" - }, - { - "Name": "OrgPartition", - "Value": "True" - }, - { - "Name": "OrgPartitionOwner", - "Value": "8b3391f4-af01-4ee8-b4ea-9871b2499735" - }, - { - "Name": "DomainController", - "Value": "MWHPR05A01DC001.NAMPR05A001.prod.outlook.com" - }, - { - "Name": "SkipEapForArbitration", - "Value": "True" - }, - { - "Name": "Organization", - "Value": "1b78c20b-f4be-465a-8356-7eb189bf1ae8" - } - ], - - "p_log_type":"Microsoft365.Audit.Exchange", - "p_event_time": "2021-02-24T04:12:27Z", - "p_any_usernames": ["NT AUTHORITY\\SYSTEM (w3wp)", "companyinc.onmicrosoft.com"] - } diff --git a/schemas/logs/microsoft_365/tests/audit.general_tests.yml b/schemas/logs/microsoft_365/tests/audit.general_tests.yml deleted file mode 100644 index 342326576..000000000 --- a/schemas/logs/microsoft_365/tests/audit.general_tests.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- -name: General schema RecordType=52 -logType: Microsoft365.Audit.General -input: | - { - "CreationTime": "2021-02-24T10:15:27", - "Id": "46f28c2a-0739-4058-770c-08d8d8ad1b67", - "Operation": "SearchDataInsightsSubscription", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 52, - "UserKey": "user.name@companyinc.onmicrosoft.com", - "UserType": 5, - "Version": 1, - "Workload": "SecurityComplianceCenter", - "UserId": "user.name@companyinc.onmicrosoft.com", - "AadAppId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", - "DataType": "DataInsightsSubscription", - "DatabaseType": "Directory", - "RelativeUrl": "/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "ResultCount": "1" - } -result: | - { - "CreationTime": "2021-02-24T10:15:27", - "Id": "46f28c2a-0739-4058-770c-08d8d8ad1b67", - "Operation": "SearchDataInsightsSubscription", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 52, - "UserKey": "user.name@companyinc.onmicrosoft.com", - "UserType": 5, - "Workload": "SecurityComplianceCenter", - "UserId": "user.name@companyinc.onmicrosoft.com", - "payload":{ - "CreationTime": "2021-02-24T10:15:27", - "Id": "46f28c2a-0739-4058-770c-08d8d8ad1b67", - "Operation": "SearchDataInsightsSubscription", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 52, - "UserKey": "user.name@companyinc.onmicrosoft.com", - "UserType": 5, - "Version": 1, - "Workload": "SecurityComplianceCenter", - "UserId": "user.name@companyinc.onmicrosoft.com", - "AadAppId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", - "DataType": "DataInsightsSubscription", - "DatabaseType": "Directory", - "RelativeUrl": "/DataInsights/DataInsightsService.svc/Find/DataInsightsSubscription?tenantid=1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "ResultCount": "1" - }, - - "p_log_type":"Microsoft365.Audit.General", - "p_event_time": "2021-02-24T10:15:27Z", - "p_any_usernames":["user.name@companyinc.onmicrosoft.com"] - } diff --git a/schemas/logs/microsoft_365/tests/audit.share_point_tests.yml b/schemas/logs/microsoft_365/tests/audit.share_point_tests.yml deleted file mode 100644 index 0363b9849..000000000 --- a/schemas/logs/microsoft_365/tests/audit.share_point_tests.yml +++ /dev/null @@ -1,221 +0,0 @@ ---- -name: SharePoint schema RecordType=4 -logType: Microsoft365.Audit.SharePoint -input: | - { - "CreationTime": "2021-02-24T10:27:18", - "Id": "124ace36-bf34-4040-3018-08d8d8aec373", - "Operation": "PageViewed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 4, - "UserKey": "i:0h.f|membership|1003200115e78356@live.com", - "UserType": 0, - "Version": 1, - "Workload": "SharePoint", - "ClientIP": "1.23.45.6", - "ObjectId": "https://companyinc.sharepoint.com/sites/TestSharePointSite", - "UserId": "user.name@companyinc.onmicrosoft.com", - "CorrelationId": "0f5cae9f-30e7-0000-9c2e-21c639acb0a2", - "CustomUniqueId": false, - "EventSource": "SharePoint", - "ItemType": "Page", - "ListId": "ce40331b-33d4-4c05-9acd-4797beda783e", - "ListItemUniqueId": "9249389f-5c7e-4efe-ac0d-41243c822fd3", - "Site": "3c32695d-c94e-4415-a3b9-9c7e259d7ce9", - "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0", - "WebId": "bc84876c-def1-4c6c-b780-a68215ff2891" - } -result: | - { - "CreationTime": "2021-02-24T10:27:18", - "Id": "124ace36-bf34-4040-3018-08d8d8aec373", - "Operation": "PageViewed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 4, - "UserKey": "i:0h.f|membership|1003200115e78356@live.com", - "UserType": 0, - "Workload": "SharePoint", - "ClientIP": "1.23.45.6", - "ObjectId": "https://companyinc.sharepoint.com/sites/TestSharePointSite", - "UserId": "user.name@companyinc.onmicrosoft.com", - "EventSource": "SharePoint", - "ItemType": "Page", - "Site": "3c32695d-c94e-4415-a3b9-9c7e259d7ce9", - "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0", - - "p_log_type":"Microsoft365.Audit.SharePoint", - "p_event_time": "2021-02-24T10:27:18Z", - "p_any_usernames": ["i:0h.f|membership|1003200115e78356@live.com", "user.name@companyinc.onmicrosoft.com"], - "p_any_ip_addresses":["1.23.45.6"] - } ---- -name: SharePoint schema RecordType=6 -logType: Microsoft365.Audit.SharePoint -input: | - { - "CreationTime": "2021-02-24T10:27:19", - "Id": "a7e78f44-c161-4823-d6c1-08d8d8aec3f6", - "Operation": "FileAccessed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 6, - "UserKey": "i:0h.f|membership|1003200115e78356@live.com", - "UserType": 0, - "WebId":"bc84876c-def1-4c6c-b780-a68215ff2891", - "Version": 1, - "Workload": "SharePoint", - "ClientIP": "1.23.45.6", - "ObjectId": "https://companyinc.sharepoint.com/sites/TestSharePointSite/Shared Documents/Forms/AllItems.aspx", - "UserId": "user.name@companyinc.onmicrosoft.com", - "CorrelationId": "105cae9f-b056-0000-7883-b693a0de2de4", - "EventSource": "SharePoint", - "ItemType": "File", - "ListId": "b0487630-b76f-4215-b45d-261aa0dc11cc", - "ListItemUniqueId": "085abc66-6802-4770-90e5-fbcb010bb298", - "Site": "3c32695d-c94e-4415-a3b9-9c7e259d7ce9", - "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0", - "WebId": "bc84876c-def1-4c6c-b780-a68215ff2891", - "SourceFileExtension": "aspx", - "SiteUrl": "https://companyinc.sharepoint.com/sites/TestSharePointSite/", - "SourceFileName": "AllItems.aspx", - "SourceRelativeUrl": "Shared Documents/Forms" - } -result: | - { - "CreationTime": "2021-02-24T10:27:19", - "Id": "a7e78f44-c161-4823-d6c1-08d8d8aec3f6", - "Operation": "FileAccessed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 6, - "UserKey": "i:0h.f|membership|1003200115e78356@live.com", - "UserType": 0, - "Workload": "SharePoint", - "ClientIP": "1.23.45.6", - "ObjectId": "https://companyinc.sharepoint.com/sites/TestSharePointSite/Shared Documents/Forms/AllItems.aspx", - "UserId": "user.name@companyinc.onmicrosoft.com", - "EventSource": "SharePoint", - "ItemType": "File", - "Site": "3c32695d-c94e-4415-a3b9-9c7e259d7ce9", - "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0", - "SourceFileExtension": "aspx", - "SiteUrl": "https://companyinc.sharepoint.com/sites/TestSharePointSite/", - "SourceFileName": "AllItems.aspx", - "SourceRelativeUrl": "Shared Documents/Forms", - - "p_log_type":"Microsoft365.Audit.SharePoint", - "p_event_time":"2021-02-24T10:27:19Z", - "p_any_ip_addresses":["1.23.45.6"], - "p_any_usernames": ["i:0h.f|membership|1003200115e78356@live.com", "user.name@companyinc.onmicrosoft.com"] - } ---- -name: SharePoint schema RecordType=14 -logType: Microsoft365.Audit.SharePoint -input: | - { - "CreationTime": "2021-02-24T10:27:15", - "Id": "c9dcc72f-a73f-472a-0a0b-08d8d8aec1a7", - "Operation": "AddedToGroup", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 14, - "UserKey": "i:0h.f|membership|1003200115e78356@live.com", - "UserType": 0, - "Version": 1, - "Workload": "SharePoint", - "ClientIP": "1.23.45.6", - "ObjectId": "https://companyinc.sharepoint.com/sites/TestSharePointSite", - "UserId": "user.name@companyinc.onmicrosoft.com", - "CorrelationId": "0e5cae9f-b02f-0000-9c2e-2813a9ca64a0", - "EventSource": "SharePoint", - "ItemType": "Web", - "Site": "3c32695d-c94e-4415-a3b9-9c7e259d7ce9", - "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0", - "WebId": "bc84876c-def1-4c6c-b780-a68215ff2891", - "EventData": "Site Owners", - "TargetUserOrGroupType": "Member", - "SiteUrl": "https://companyinc.sharepoint.com/sites/TestSharePointSite", - "TargetUserOrGroupName": "SHAREPOINT\\system" - } -result: | - { - "CreationTime": "2021-02-24T10:27:15", - "Id": "c9dcc72f-a73f-472a-0a0b-08d8d8aec1a7", - "Operation": "AddedToGroup", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 14, - "UserKey": "i:0h.f|membership|1003200115e78356@live.com", - "UserType": 0, - "Workload": "SharePoint", - "ClientIP": "1.23.45.6", - "ObjectId": "https://companyinc.sharepoint.com/sites/TestSharePointSite", - "UserId": "user.name@companyinc.onmicrosoft.com", - "EventSource": "SharePoint", - "ItemType": "Web", - "Site": "3c32695d-c94e-4415-a3b9-9c7e259d7ce9", - "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0", - "EventData": "Site Owners", - "TargetUserOrGroupType": "Member", - "SiteUrl": "https://companyinc.sharepoint.com/sites/TestSharePointSite", - "TargetUserOrGroupName": "SHAREPOINT\\system", - - "p_log_type":"Microsoft365.Audit.SharePoint", - "p_event_time": "2021-02-24T10:27:15Z", - "p_any_usernames":["i:0h.f|membership|1003200115e78356@live.com", "user.name@companyinc.onmicrosoft.com"], - "p_any_ip_addresses":["1.23.45.6"] - } ---- -name: SharePoint schema RecordType=36 -logType: Microsoft365.Audit.SharePoint -input: | - { - "CreationTime": "2021-02-24T10:27:19", - "Id": "3ed83216-d727-4c68-afa9-08d8d8aec3ef", - "Operation": "ListViewed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 36, - "UserKey": "i:0h.f|membership|1003200115e78356@live.com", - "UserType": 0, - "Version": 1, - "Workload": "SharePoint", - "ClientIP": "1.23.45.6", - "ObjectId": "https://companyinc.sharepoint.com/sites/TestSharePointSite/b0487630-b76f-4215-b45d-261aa0dc11cc", - "UserId": "user.name@companyinc.onmicrosoft.com", - "CorrelationId": "105cae9f-b056-0000-7883-b693a0de2de4", - "DoNotDistributeEvent": true, - "EventSource": "SharePoint", - "ItemType": "List", - "ListId": "b0487630-b76f-4215-b45d-261aa0dc11cc", - "Site": "3c32695d-c94e-4415-a3b9-9c7e259d7ce9", - "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0", - "WebId": "bc84876c-def1-4c6c-b780-a68215ff2891", - "FromApp": true, - "IsDocLib": true, - "ItemCount": 0, - "ListBaseTemplateType": "101", - "ListBaseType": "DocumentLibrary", - "ListColor": "", - "ListIcon": "", - "TemplateTypeId": "", - "ListTitle": "b0487630-b76f-4215-b45d-261aa0dc11cc" - } -result: | - { - "CreationTime": "2021-02-24T10:27:19", - "Id": "3ed83216-d727-4c68-afa9-08d8d8aec3ef", - "Operation": "ListViewed", - "OrganizationId": "1b78c20b-f4be-465a-8356-7eb189bf1ae8", - "RecordType": 36, - "UserKey": "i:0h.f|membership|1003200115e78356@live.com", - "UserType": 0, - "Workload": "SharePoint", - "ClientIP": "1.23.45.6", - "ObjectId": "https://companyinc.sharepoint.com/sites/TestSharePointSite/b0487630-b76f-4215-b45d-261aa0dc11cc", - "UserId": "user.name@companyinc.onmicrosoft.com", - "EventSource": "SharePoint", - "ItemType": "List", - "Site": "3c32695d-c94e-4415-a3b9-9c7e259d7ce9", - "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0", - - "p_log_type":"Microsoft365.Audit.SharePoint", - "p_event_time": "2021-02-24T10:27:19Z", - "p_any_usernames":["i:0h.f|membership|1003200115e78356@live.com", "user.name@companyinc.onmicrosoft.com"], - "p_any_ip_addresses":["1.23.45.6"] - } diff --git a/schemas/logs/nginx/access.yml b/schemas/logs/nginx/access.yml deleted file mode 100644 index 2c56bede4..000000000 --- a/schemas/logs/nginx/access.yml +++ /dev/null @@ -1,49 +0,0 @@ -# Copyright (C) 2020 Panther Labs Inc -# -# Panther Enterprise is licensed under the terms of a commercial license available from -# Panther Labs Inc ("Panther Commercial License") by contacting contact@runpanther.com. -# All use, distribution, and/or modification of this software, whether commercial or non-commercial, -# falls under the Panther Commercial License to the extent it is permitted. - -version: 0 -schema: Nginx.Access -description: Access Logs for your Nginx server. We currently support Nginx 'combined' format. -referenceURL: https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format -parser: - fastmatch: - match: - - '%{remoteAddr} - %{remoteUser} [%{time}] "%{request}" %{status} %{bodyBytesSent} "%{httpReferer}" "%{httpUserAgent}"' - emptyValues: - - "-" -fields: - - name: remoteAddr - type: string - description: The IP address of the client (remote host) which made the request to the server. - indicators: - - ip - - name: remoteUser - type: string - description: The userid of the person making the request. Usually empty unless .htaccess has requested authentication. - indicators: - - username - - name: time - description: The time that the request was received (UTC). - required: true - type: timestamp - isEventTime: true - timeFormat: "%d/%b/%Y:%H:%M:%S %z" - - name: request - description: The request line from the client. It includes the HTTP method, the resource requested, and the HTTP protocol. - type: string - - name: status - description: The HTTP status code returned to the client. - type: smallint - - name: bodyBytesSent - description: The size of the object returned to the client, measured in bytes. - type: bigint - - name: httpReferer - description: The HTTP referrer if any. - type: string - - name: httpUserAgent - description: The agent the user used when making the request. - type: string diff --git a/schemas/logs/nginx/tests/access_tests.yml b/schemas/logs/nginx/tests/access_tests.yml deleted file mode 100644 index 48d6f8ebd..000000000 --- a/schemas/logs/nginx/tests/access_tests.yml +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright (C) 2020 Panther Labs Inc -# -# Panther Enterprise is licensed under the terms of a commercial license available from -# Panther Labs Inc ("Panther Commercial License") by contacting contact@runpanther.com. -# All use, distribution, and/or modification of this software, whether commercial or non-commercial, -# falls under the Panther Commercial License to the extent it is permitted. - ---- -name: TestAccessLog -logType: Nginx.Access -input: 180.76.15.143 - - [06/Feb/2019:00:00:38 +0000] "GET / HTTP/1.1" 301 193 "https://domain1.com/?p=1" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.htm$" -result: | - { - "remoteAddr": "180.76.15.143", - "time": "06/Feb/2019:00:00:38 +0000", - "request": "GET / HTTP/1.1", - "status": 301, - "bodyBytesSent": 193, - "httpUserAgent": "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.htm$", - "httpReferer": "https://domain1.com/?p=1", - "p_log_type": "Nginx.Access", - "p_event_time": "2019-02-06T00:00:38Z", - "p_any_ip_addresses": ["180.76.15.143"] - } ---- -name: TestAccessLogWithoutReferer -logType: Nginx.Access -input: 180.76.15.143 - - [06/Feb/2019:00:00:38 +0000] "GET / HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.htm$" -result: | - { - "remoteAddr": "180.76.15.143", - "time": "06/Feb/2019:00:00:38 +0000", - "request": "GET / HTTP/1.1", - "status": 301, - "bodyBytesSent": 193, - "httpUserAgent": "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.htm$", - "p_log_type": "Nginx.Access", - "p_event_time": "2019-02-06T00:00:38Z", - "p_any_ip_addresses": ["180.76.15.143"] - } diff --git a/schemas/logs/okta/samples/generate_tests.jq b/schemas/logs/okta/samples/generate_tests.jq deleted file mode 100644 index 5ca665cb8..000000000 --- a/schemas/logs/okta/samples/generate_tests.jq +++ /dev/null @@ -1,40 +0,0 @@ -# Fix timestamp trailing zeros to match Go formatting -def timestamp: sub("0+Z"; "Z"); - -# Check if value is empty array -def empty_array: (. | type == "array") and (. | length) == 0; - -# Omitempty behavior of Go structs -def omitempty: - walk( - if type == "object" then - with_entries( - select( (.value != null) and ( .value | empty_array | not ) ) - ) - else - . - end - ); - -def sort_keys: - to_entries - | sort_by(.key) - | from_entries; - -def indicators: - map(select(.)) - | unique ; - -{ - name: "Okta.Systemlog.Sample \(input_filename) \(input_line_number)", - logType:"Okta.SystemLog", - input: . | sort_keys | @json, - result: ( . + { - p_log_type: "Okta.SystemLog", - p_event_time: .published | timestamp, - published: .published | timestamp, - p_any_domain_names: [.securityContext.domain] | indicators, - p_any_emails: [.actor.alternateId] | indicators, - p_any_ip_addresses: ( (.request.ipChain|map(.ip)) + [.client.ipAddress] ) | indicators, - }) | omitempty | sort_keys | tostring -} diff --git a/schemas/logs/okta/samples/systemlog_samples.jsonl b/schemas/logs/okta/samples/systemlog_samples.jsonl deleted file mode 100644 index 818d4d76a..000000000 --- a/schemas/logs/okta/samples/systemlog_samples.jsonl +++ /dev/null @@ -1,100 +0,0 @@ -{"severity":"INFO","transaction":{"type":"WEB","id":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","detail":{}},"target":null,"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016}}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102iCf9Im9wSEmaVMYZNbEOMA"},"published":"2020-05-01T10:20:22.243Z","version":"0","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lon":-3.7016,"lat":40.4143}},"version":"V4"}]},"displayMessage":"User login to Okta","eventType":"user.session.start","debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"legacyEventType":"core.user_auth.login_success","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"5d730bf4-8b95-11ea-8cbe-bf2eaab2e9ef","outcome":{"result":"SUCCESS","reason":null}} -{"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"legacyEventType":null,"version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102iCf9Im9wSEmaVMYZNbEOMA"},"eventType":"policy.evaluate_sign_on","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?","deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM"}},"uuid":"5d7b2245-8b95-11ea-8cbe-bf2eaab2e9ef","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null,"id":"0prc1umtrQa0JxFfU356"}],"severity":"INFO","client":{"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"}},"displayMessage":"Evaluation of sign-on policy","published":"2020-05-01T10:20:22.296Z","transaction":{"type":"WEB","id":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid"},"version":"V4","source":null}]}} -{"displayMessage":"Authentication of user via MFA","outcome":{"reason":null,"result":"SUCCESS"},"transaction":{"type":"WEB","id":"Xqv4ChB6i@XT5JNpsgg5iwAACjY","detail":{}},"target":[{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005"}},"published":"2020-05-01T10:20:59.091Z","severity":"INFO","debugContext":{"debugData":{"requestUri":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify?rememberDevice=false","authnRequestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","requestId":"Xqv4ChB6i@XT5JNpsgg5iwAACjY"}},"legacyEventType":"core.user.factor.attempt_success","eventType":"user.authentication.auth_via_mfa","uuid":"73699ad3-8b95-11ea-bd6b-7d993edc4d99","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005"}}]},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":"OTP","issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102GP5VxqC1SvuMpF0oLbm0-Q"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"version":"0"} -{"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"version":"V4","source":null}]},"severity":"INFO","version":"0","debugContext":{"debugData":{"requestId":"Xqv4DAv9rG@QtvA52XJ5NwAAB2Q","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"eventType":"user.session.access_admin_app","target":[{"id":"00u3mo2ci0RuzhCQe357","type":"AppUser","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}],"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"102tmLJSxrcTKe0eKPOcYRAIA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T10:21:00.666Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"type":"WEB","id":"Xqv4DAv9rG@QtvA52XJ5NwAAB2Q","detail":{}},"uuid":"7459ee6a-8b95-11ea-9fd1-bb7360a0b10c","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"User accessing Okta admin app"} -{"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsEIK87CP-TOWutoSIk5vwtA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"displayMessage":"Rate limit warning","uuid":"31bb29ef-8bcc-11ea-ada5-5fef26acfbc9","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"legacyEventType":"core.framework.ratelimit.warning","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","debugContext":{"debugData":{"requestId":"XqxT48Ec3yxgq8Icobx9mwAAC-4","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false"}},"transaction":{"type":"WEB","id":"XqxT48Ec3yxgq8Icobx9mwAAC-4","detail":{}},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:52:51.216Z"} -{"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestId":"XqxT6PWj5s2Quaf7cGZmTQAAElw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","published":"2020-05-01T16:52:56.149Z","severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"34abe0f1-8bcc-11ea-9caf-87003407f90b","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsg3DpeduvQXCmnzT-FC9l9g","authenticationProvider":null},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"transaction":{"type":"WEB","id":"XqxT6PWj5s2Quaf7cGZmTQAAElw","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs2EP5Oub9RVKOQNpikZSWQQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"outcome":{"reason":null,"result":"SUCCESS"},"legacyEventType":"core.framework.ratelimit.warning","version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","published":"2020-05-01T16:54:52.404Z","severity":"WARN","debugContext":{"debugData":{"requestId":"XqxUXGWrk@@JYyqBk-48SQAAEuM","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588328461960_1\u0026limit=1000","timeUnit":"MINUTES"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"type":"WEB","id":"XqxUXGWrk@@JYyqBk-48SQAAEuM","detail":{}},"uuid":"79f6fbd3-8bcc-11ea-8cbe-bf2eaab2e9ef"} -{"transaction":{"type":"WEB","id":"XqxUYZWz9R0WfYS@G1uZ-QAAAz0","detail":{}},"legacyEventType":"core.framework.ratelimit.exceeded","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"eventType":"system.org.rate_limit.violation","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsljB4mtDNSgCshrA0Np5LOA","authenticationProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:54:57.700Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588328461960_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XqxUYZWz9R0WfYS@G1uZ-QAAAz0"}},"uuid":"7d1f16f0-8bcc-11ea-afeb-efa9a81fb877","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"version":"0"} -{"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"displayMessage":"Rate limit warning","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","transaction":{"type":"WEB","id":"XqxU1JJPCiAgOgakFdcF3wAAAo0","detail":{}},"uuid":"c1b07e9f-8bcc-11ea-9b4d-6d898d9545c0","version":"0","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"published":"2020-05-01T16:56:52.738Z","debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588351976896_1\u0026limit=1000","requestId":"XqxU1JJPCiAgOgakFdcF3wAAAo0","warningPercent":"60","timeSpan":"1","timeUnit":"MINUTES","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false"}},"legacyEventType":"core.framework.ratelimit.warning","authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trszcQ1YhE5Ql2GZQo8gs5ZeA","authenticationProvider":null,"credentialProvider":null},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}]} -{"published":"2020-05-01T16:56:57.255Z","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"c461bba9-8bcc-11ea-af6d-6ff4ba545a59","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit violation","severity":"WARN","debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XqxU2ZmGQi6m7BKy3TSXWgAAAN0","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588351976896_1\u0026limit=1000"}},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"type":"WEB","id":"XqxU2ZmGQi6m7BKy3TSXWgAAAN0","detail":{}},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPblrLhY6RIWUIAD80VLeYA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"eventType":"system.org.rate_limit.violation"} -{"debugContext":{"debugData":{"warningPercent":"60","threatSuspected":"false","requestId":"XqxVTKzp89io03gVyVIdbgAADjE","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588352098728_1\u0026limit=1000","timeUnit":"MINUTES"}},"uuid":"08de8a22-8bcd-11ea-874a-2fc94466cbde","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trspm5bfzYATkqbS5Gu1aM5ow"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"published":"2020-05-01T16:58:52.158Z","severity":"WARN","transaction":{"type":"WEB","id":"XqxVTKzp89io03gVyVIdbgAADjE","detail":{}},"displayMessage":"Rate limit warning","legacyEventType":"core.framework.ratelimit.warning","eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"version":"0"} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"uuid":"0b9a4f12-8bcd-11ea-965d-6da5dc6b4d61","transaction":{"type":"WEB","id":"XqxVUCHJ2YsYX@pvnat0lgAAA1s","detail":{}},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:58:56.744Z","severity":"WARN","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588352098728_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XqxVUCHJ2YsYX@pvnat0lgAAA1s","threshold":"50","timeSpan":"1"}},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trseoJUnLitRb6mQPz0VWD_DA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"legacyEventType":"core.framework.ratelimit.exceeded","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"eventType":"system.org.rate_limit.violation","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}]} -{"authenticationContext":{"externalSessionId":"102553OFOWURBmOgPoGl8kO-w","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"displayMessage":"User login to Okta","severity":"INFO","uuid":"3e497761-8bcd-11ea-82e2-356ba42b26b0","actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"debugContext":{"debugData":{"deviceFingerprint":"5704071097000730d66366d819b89e6b","requestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"transaction":{"type":"WEB","id":"XqxVpX8iMvHtxpNPrJimzQAAExM","detail":{}},"target":null,"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"eventType":"user.session.start","outcome":{"reason":null,"result":"SUCCESS"},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874},"city":"San Francisco","state":"California","country":"United States"},"version":"V4","source":null}]},"published":"2020-05-01T17:00:21.778Z","legacyEventType":"core.user_auth.login_success","version":"0"} -{"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"geolocation":{"lat":37.7852,"lon":-122.3874},"city":"San Francisco","state":"California","country":"United States","postalCode":"94105"}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102553OFOWURBmOgPoGl8kO-w"},"uuid":"3e529f23-8bcd-11ea-82e2-356ba42b26b0","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"displayMessage":"Evaluation of sign-on policy","outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lon":-122.3874,"lat":37.7852}},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","actor":{"displayName":"Jack Naglieri","detailEntry":null,"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com"},"eventType":"policy.evaluate_sign_on","published":"2020-05-01T17:00:21.838Z","version":"0","debugContext":{"debugData":{"deviceFingerprint":"5704071097000730d66366d819b89e6b","requestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"legacyEventType":null,"transaction":{"detail":{},"type":"WEB","id":"XqxVpX8iMvHtxpNPrJimzQAAExM"}} -{"transaction":{"type":"WEB","id":"XqxVsrIaFxbB2vhlGYB1YgAAA0w","detail":{}},"target":[{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null}],"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"authenticationContext":{"credentialType":"OTP","issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102djXtz5b_ROSoLOia6Q7juA","authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER"},"published":"2020-05-01T17:00:34.670Z","debugContext":{"debugData":{"authnRequestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestId":"XqxVsrIaFxbB2vhlGYB1YgAAA0w","requestUri":"/api/v1/authn/factors/ost316zzhb7EFtPn2357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost316zzhb7EFtPn2357/verify?rememberDevice=false"}},"eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","uuid":"45f8a1b0-8bcd-11ea-965d-6da5dc6b4d61","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":{"geolocation":{"lon":-122.3874,"lat":37.7852},"city":"San Francisco","state":"California","country":"United States","postalCode":"94105"},"version":"V4"}]},"outcome":{"result":"SUCCESS","reason":null},"severity":"INFO","actor":{"detailEntry":null,"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri"},"displayMessage":"Authentication of user via MFA","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"version":"0"} -{"displayMessage":"User accessing Okta admin app","authenticationContext":{"authenticationStep":0,"externalSessionId":"102iZBO931kTSi4g5FdbiqgUA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"eventType":"user.session.access_admin_app","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:00:35.647Z","debugContext":{"debugData":{"requestId":"XqxVs-6znn2BGMzyKH-OOQAAEKM","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"version":"V4","source":null}]},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"state":"California","country":"United States","postalCode":"94105","geolocation":{"lon":-122.3874,"lat":37.7852},"city":"San Francisco"}},"target":[{"id":"00uc1umudIxtsadWL356","type":"AppUser","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null}],"actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"INFO","legacyEventType":"app.admin.sso.login.success","transaction":{"detail":{},"type":"WEB","id":"XqxVs-6znn2BGMzyKH-OOQAAEKM"},"uuid":"468db570-8bcd-11ea-abd3-1d668132201e","version":"0"} -{"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"id":"XqxVxEfn3CHz-HuDhPzyygAAAlo","detail":{},"type":"WEB"},"version":"0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trs9AUNFdfRR1yvWWW7odRUJA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"published":"2020-05-01T17:00:52.286Z","severity":"WARN","debugContext":{"debugData":{"requestId":"XqxVxEfn3CHz-HuDhPzyygAAAlo","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357"}},"legacyEventType":"core.framework.ratelimit.warning","client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"uuid":"50789e06-8bcd-11ea-92ce-d536dee30c90"} -{"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","requestId":"XqxVyfcOD88CV28@AwfpAQAABDQ","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XqxVyfcOD88CV28@AwfpAQAABDQ","detail":{}},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"version":"0","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:00:57.213Z","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPesucZbGTuOI0jck4g9yyw","authenticationProvider":null,"credentialProvider":null},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","uuid":"53686b88-8bcd-11ea-b823-db4e40ee0137"} -{"eventType":"user.session.start","outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","transaction":{"type":"WEB","id":"XqxV7PCo@4CYl52a7k5V-AAADhk","detail":{}},"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"displayMessage":"User login to Okta","legacyEventType":"core.user_auth.login_success","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"version":"V4","source":null}]},"target":null,"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102Zs5s_R6zRs2wBnpXh6J7Xw","authenticationProvider":null},"published":"2020-05-01T17:01:32.562Z","client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"uuid":"687a400e-8bcd-11ea-9424-4db38b988f86","debugContext":{"debugData":{"deviceFingerprint":"75653fa886d95b75e1f1ca0411b82cd2","requestId":"XqxV7PCo@4CYl52a7k5V-AAADhk","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"version":"0"} -{"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"102Zs5s_R6zRs2wBnpXh6J7Xw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"displayMessage":"Evaluation of sign-on policy","debugContext":{"debugData":{"threatSuspected":"false","url":"/api/v1/authn?","deviceFingerprint":"75653fa886d95b75e1f1ca0411b82cd2","requestId":"XqxV7PCo@4CYl52a7k5V-AAADhk","requestUri":"/api/v1/authn"}},"transaction":{"id":"XqxV7PCo@4CYl52a7k5V-AAADhk","detail":{},"type":"WEB"},"version":"0","client":{"geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28037"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1"},"published":"2020-05-01T17:01:32.611Z","uuid":"6881ba20-8bcd-11ea-9424-4db38b988f86","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"Madrid","country":"Spain","postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid"},"version":"V4","source":null}]},"severity":"INFO","target":[{"displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"},"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown"},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"eventType":"policy.evaluate_sign_on","outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":null} -{"transaction":{"id":"XrEvgymRMCc7udKvskmg@QAAFLw","detail":{},"type":"WEB"},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:18:59.980Z","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs_RzmHPPNSpegdTR4iSNg6g","authenticationProvider":null},"version":"0","legacyEventType":"core.framework.ratelimit.warning","uuid":"744d4cdc-8eb1-11ea-a57c-950f2517e685","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","severity":"WARN","eventType":"system.org.rate_limit.warning","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","requestId":"XrEvgymRMCc7udKvskmg@QAAFLw"}}} -{"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"displayMessage":"Rate limit violation","severity":"WARN","uuid":"774e7f7e-8eb1-11ea-af6d-6ff4ba545a59","version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsRN_8hq3bRa22ZK_F166Ibw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrEvifZcBsOYX1sXqJeH7QAAAy8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000"}},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrEvifZcBsOYX1sXqJeH7QAAAy8","detail":{}},"request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"eventType":"system.org.rate_limit.violation","published":"2020-05-05T09:19:05.021Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null}} -{"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"transaction":{"type":"WEB","id":"XrEvzZW30MsCw7au9fDIegAAAqI","detail":{}},"uuid":"a010c2d1-8eb1-11ea-afeb-efa9a81fb877","published":"2020-05-05T09:20:13.403Z","severity":"WARN","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"version":"0","authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsRmE6AQuzQDKo6PCtNuM-cA"},"displayMessage":"Rate limit warning","legacyEventType":"core.framework.ratelimit.warning","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588352493659_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrEvzZW30MsCw7au9fDIegAAAqI","threshold":"50"}}} -{"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"published":"2020-05-05T09:20:18.310Z","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588352493659_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrEv0nWh6j118-TwvwBbPgAAA3Y"}},"uuid":"a2fd8277-8eb1-11ea-8cbe-bf2eaab2e9ef","authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsVq2bDMYWSuCOxxP_GkiDEQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrEv0nWh6j118-TwvwBbPgAAA3Y","detail":{}},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN"} -{"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"target":null,"outcome":{"result":"SUCCESS","reason":null},"severity":"INFO","debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"uuid":"f3f60211-8eb2-11ea-af6d-6ff4ba545a59","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"legacyEventType":"core.user_auth.login_success","transaction":{"type":"WEB","id":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","detail":{}},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London","state":"England","country":"United Kingdom"},"version":"V4","source":null}]},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164},"city":"London","state":"England"}},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102cDYxGvsETzeO9CvrF7KZCg","authenticationProvider":null},"displayMessage":"User login to Okta","eventType":"user.session.start","published":"2020-05-05T09:29:43.653Z"} -{"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"transaction":{"type":"WEB","id":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","detail":{}},"uuid":"f3fdf152-8eb2-11ea-af6d-6ff4ba545a59","version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102cDYxGvsETzeO9CvrF7KZCg"},"outcome":{"result":"ALLOW","reason":"Sign-on policy evaluation resulted in ALLOW"},"published":"2020-05-05T09:29:43.705Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093}}}]},"displayMessage":"Evaluation of sign-on policy","legacyEventType":null,"target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"eventType":"policy.evaluate_sign_on","severity":"INFO","debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"client":{"ipAddress":"1.1.1.1","geographicalContext":{"postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London","state":"England","country":"United Kingdom"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null}} -{"severity":"INFO","legacyEventType":"core.user.factor.attempt_success","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164}},"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093}}},"displayMessage":"Authentication of user via MFA","uuid":"fbf14f6e-8eb2-11ea-af6d-6ff4ba545a59","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:29:57.044Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"authnRequestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestId":"XrEyFHAW5aRx5UpfQfZ06AAAEWs","requestUri":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify?rememberDevice=false"}},"transaction":{"type":"WEB","id":"XrEyFHAW5aRx5UpfQfZ06AAAEWs","detail":{}},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102xCfoDfXqTqas4lokllvI_A","authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":"OTP","issuer":null,"interface":null},"eventType":"user.authentication.auth_via_mfa","version":"0","target":[{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"}]} -{"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164}}},"published":"2020-05-05T09:29:58.695Z","debugContext":{"debugData":{"requestId":"XrEyFkNWiaslHeI685XdGQAAEHk","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"authenticationContext":{"externalSessionId":"1023sD69JIBQ_eLPh5nLZ7D7Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"displayMessage":"User accessing Okta admin app","uuid":"fced3b73-8eb2-11ea-a57c-950f2517e685","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London"},"version":"V4","source":null}]},"transaction":{"type":"WEB","id":"XrEyFkNWiaslHeI685XdGQAAEHk","detail":{}},"version":"0","actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"eventType":"user.session.access_admin_app","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"INFO","legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS","reason":null},"target":[{"id":"00u3mo2ci0RuzhCQe357","type":"AppUser","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}]} -{"severity":"WARN","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"debugContext":{"debugData":{"threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000","warningPercent":"60","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrEyy07XR5NsHsU9Szj8hgAAEmI"}},"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"displayMessage":"Rate limit warning","outcome":{"reason":null,"result":"SUCCESS"},"transaction":{"type":"WEB","id":"XrEyy07XR5NsHsU9Szj8hgAAEmI","detail":{}},"version":"0","authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsssx2nlapR7iXmdeF4OEGRQ"},"eventType":"system.org.rate_limit.warning","published":"2020-05-05T09:32:59.192Z","legacyEventType":"core.framework.ratelimit.warning","uuid":"6882e432-8eb3-11ea-a6b7-cf71f57d4442","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"}} -{"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","severity":"WARN","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","requestId":"XrEy4Ie0rO6XiaQtvAgNbQAAB1A"}},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"7508002a-8eb3-11ea-a04f-81a81472156a","version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsGguELVEbQkOEwSOX-Hw3HA","authenticationProvider":null,"credentialProvider":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:33:20.197Z","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"transaction":{"type":"WEB","id":"XrEy4Ie0rO6XiaQtvAgNbQAAB1A","detail":{}}} -{"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"eventType":"system.org.rate_limit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:34:58.440Z","legacyEventType":"core.framework.ratelimit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"transaction":{"type":"WEB","id":"XrEzQgVp30i3cw0jE1JJmAAAATU","detail":{}},"version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","severity":"WARN","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588670999394_1\u0026limit=1000","requestId":"XrEzQgVp30i3cw0jE1JJmAAAATU","warningPercent":"60"}},"uuid":"af96b0c9-8eb3-11ea-abac-bda3eefbb100","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs-dSqQkjKRcOW-8u5g77j3w","authenticationProvider":null,"credentialProvider":null}} -{"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trszwXQ2FlJSkGvwtXu-2A-DQ","authenticationProvider":null,"credentialProvider":null},"outcome":{"reason":null,"result":"SUCCESS"},"transaction":{"type":"WEB","id":"XrEzV2MOB6yuxkiYa@yhRAAAE7o","detail":{}},"version":"0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588670999394_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrEzV2MOB6yuxkiYa@yhRAAAE7o","threshold":"50","timeSpan":"1"}},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"bc1abaff-8eb3-11ea-9b4d-6d898d9545c0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"displayMessage":"Rate limit violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"published":"2020-05-05T09:35:19.438Z","severity":"WARN"} -{"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"published":"2020-05-05T09:36:58.341Z","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","timeUnit":"MINUTES","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588671201176_1\u0026limit=1000","requestId":"XrEzun5hPHkLIfFvhbwmSwAADzU","warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false"}},"version":"0","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"transaction":{"type":"WEB","id":"XrEzun5hPHkLIfFvhbwmSwAADzU","detail":{}},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs-Dt5KF-zQRK35ORsxqKyJg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"legacyEventType":"core.framework.ratelimit.warning","uuid":"f70e21fc-8eb3-11ea-a561-47493e2e60a2"} -{"published":"2020-05-05T09:37:19.334Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588671201176_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrEzzzn-wFxNr1zSzKgF9QAAFJ8","threshold":"50"}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","transaction":{"type":"WEB","id":"XrEzzzn-wFxNr1zSzKgF9QAAFJ8","detail":{}},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsaT97zDebSnGacMeKOk84RA","authenticationProvider":null,"credentialProvider":null},"outcome":{"result":"SUCCESS","reason":null},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"039168ad-8eb4-11ea-8936-ab42b09eebb3","actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"legacyEventType":"core.framework.ratelimit.warning","version":"0","outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","debugContext":{"debugData":{"requestId":"XrE0MgIdaCXRDPxam8@QNgAACx0","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588671320515_1\u0026limit=1000"}},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs55ZXx8apTC2cBkTyHMIRag"},"displayMessage":"Rate limit warning","client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T09:38:58.656Z","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"eventType":"system.org.rate_limit.warning","transaction":{"type":"WEB","id":"XrE0MgIdaCXRDPxam8@QNgAACx0","detail":{}},"uuid":"3ec4be12-8eb4-11ea-b70a-e7df59d7aa62"} -{"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588671320515_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE0R2Wrk@@JYyqBk-4jxgAAExY","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"uuid":"4b48c932-8eb4-11ea-9caf-87003407f90b","actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit violation","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"outcome":{"result":"SUCCESS","reason":null},"legacyEventType":"core.framework.ratelimit.exceeded","published":"2020-05-05T09:39:19.654Z","transaction":{"type":"WEB","id":"XrE0R2Wrk@@JYyqBk-4jxgAAExY","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"eventType":"system.org.rate_limit.violation","version":"0","authenticationContext":{"authenticationStep":0,"externalSessionId":"trsxfh5tAPLTSOJqP2qp3tjfg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"severity":"WARN"} -{"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"legacyEventType":"core.framework.ratelimit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"debugContext":{"debugData":{"threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588671560676_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE3w@3r6F@XqNiEZP964QAADOg","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357"}},"transaction":{"id":"XrE3w@3r6F@XqNiEZP964QAADOg","detail":{},"type":"WEB"},"uuid":"5efc818c-8eb6-11ea-965d-6da5dc6b4d61","version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T09:54:11.702Z","authenticationContext":{"externalSessionId":"trsFdMM3YUiQ8-Vex2q-3XuLA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0}} -{"legacyEventType":"core.framework.ratelimit.exceeded","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:54:32.704Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsLi8q266AT7On0yboFL8hpg"},"request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"severity":"WARN","transaction":{"type":"WEB","id":"XrE32KEw-bQ5FxqsmlbZ@wAAAa8","detail":{}},"uuid":"6b8128e3-8eb6-11ea-8cbe-bf2eaab2e9ef","version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588671560676_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE32KEw-bQ5FxqsmlbZ@wAAAa8","threshold":"50"}}} -{"outcome":{"reason":null,"result":"SUCCESS"},"request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs4DKibUjURpOOGZIUgsbcMA"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"a5e3e819-8eb6-11ea-8aaa-959b94ed26bb","client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"eventType":"system.org.rate_limit.warning","severity":"WARN","debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588672473879_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE4OovrzgsubrSRhiRnEgAAB0E","userId":"00u3mo2ci0RuzhCQe357"}},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"displayMessage":"Rate limit warning","published":"2020-05-05T09:56:10.659Z","legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrE4OovrzgsubrSRhiRnEgAAB0E","detail":{}}} -{"outcome":{"reason":null,"result":"SUCCESS"},"legacyEventType":"core.framework.ratelimit.exceeded","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"transaction":{"type":"WEB","id":"XrE4T0H@Hmw00TTU@51daAAAEWM","detail":{}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","uuid":"b267cb4c-8eb6-11ea-abac-bda3eefbb100","debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672473879_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE4T0H@Hmw00TTU@51daAAAEWM","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"authenticationContext":{"externalSessionId":"trsmzKbH9K9QXKMgZJAzMOt3A","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"published":"2020-05-05T09:56:31.656Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN"} -{"eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs7sQ9KpvnQ0Gmao4UbmSOwQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","uuid":"ed7856dc-8eb6-11ea-aeca-a544dbc5d64e","displayMessage":"Rate limit warning","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestId":"XrE4slvsYUrf30@uCZpT2AAABqQ","url":"/api/v1/logs?limit=1000\u0026after=1588672592595_1\u0026limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"transaction":{"type":"WEB","id":"XrE4slvsYUrf30@uCZpT2AAABqQ","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"published":"2020-05-05T09:58:10.750Z","version":"0"} -{"outcome":{"result":"SUCCESS","reason":null},"uuid":"f9fc8789-8eb6-11ea-8b3c-c55929189475","published":"2020-05-05T09:58:31.749Z","severity":"WARN","transaction":{"id":"XrE4x-enQ5Pq3FItg-jdXAAAFT8","detail":{},"type":"WEB"},"version":"0","actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit violation","debugContext":{"debugData":{"requestId":"XrE4x-enQ5Pq3FItg-jdXAAAFT8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672592595_1\u0026limit=1000","timeUnit":"MINUTES"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsjcydSSnbS-O6KmXVuhq1TA","authenticationProvider":null}} -{"displayMessage":"Rate limit warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:00:10.811Z","severity":"WARN","eventType":"system.org.rate_limit.warning","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"transaction":{"type":"WEB","id":"XrE5KsZP30Ct5Zl3AMqDdQAAC@g","detail":{}},"uuid":"350830fb-8eb7-11ea-965d-6da5dc6b4d61","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES","url":"/api/v1/logs?limit=1000\u0026after=1588672712039_1\u0026limit=1000","requestId":"XrE5KsZP30Ct5Zl3AMqDdQAAC@g","threshold":"50","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsBz8XCMETS5-wEWIfvFNw6Q","authenticationProvider":null},"legacyEventType":"core.framework.ratelimit.warning","version":"0"} -{"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trskxm6PQPlRLSzHLuLJ4Y8uw"},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:00:31.812Z","debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672712039_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE5P5fVV-k1JB93arg6hQAADx8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"transaction":{"type":"WEB","id":"XrE5P5fVV-k1JB93arg6hQAADx8","detail":{}},"severity":"WARN","uuid":"418cb0ed-8eb7-11ea-9b4d-6d898d9545c0","actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","version":"0","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}]} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"severity":"WARN","transaction":{"type":"WEB","id":"XrE5nnehMrQPJ1YrPbFeuwAAAeE","detail":{}},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trslQ99uvI-SsWfpNPASW270Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:02:06.242Z","legacyEventType":"core.framework.ratelimit.warning","uuid":"79d590f9-8eb7-11ea-a672-5f81fb6cecd5","displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588672832671_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE5nnehMrQPJ1YrPbFeuwAAAeE","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","requestUri":"/api/v1/logs"}},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"severity":"WARN","outcome":{"result":"SUCCESS","reason":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsY8Hk5Xx5QJyHUJgQdYMUiA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"displayMessage":"Rate limit violation","debugContext":{"debugData":{"requestId":"XrE5s6bhp3bzQEUHfive1AAADkA","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672832671_1\u0026limit=1000","timeUnit":"MINUTES"}},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"8658fe56-8eb7-11ea-82e2-356ba42b26b0","version":"0","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"}},"published":"2020-05-05T10:02:27.236Z","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"transaction":{"type":"WEB","id":"XrE5s6bhp3bzQEUHfive1AAADkA","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"eventType":"system.org.rate_limit.violation","actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrE6GrIEsM9UqIn@nJOY8gAAA1w","detail":{}},"uuid":"c419b5bc-8eb7-11ea-bd6b-7d993edc4d99","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T10:04:10.840Z","severity":"WARN","version":"0","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588672948000_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE6GrIEsM9UqIn@nJOY8gAAA1w","warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","threshold":"50","timeSpan":"1"}},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsoaBgjOodQF-4yuKPQMNXCQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null}} -{"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE6LxEAAx7LcLghmoyEmgAAAFw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672948000_1\u0026limit=1000"}},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"eventType":"system.org.rate_limit.violation","transaction":{"type":"WEB","id":"XrE6LxEAAx7LcLghmoyEmgAAAFw","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit violation","severity":"WARN","uuid":"d09d99ce-8eb7-11ea-b611-f1d979f83d84","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsmsJeVEKOQv-IxduQ3tS26A"},"version":"0","published":"2020-05-05T10:04:31.837Z","legacyEventType":"core.framework.ratelimit.exceeded"} -{"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs5NE4ukUHQyiWxtu58-boww"},"eventType":"system.org.rate_limit.warning","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"published":"2020-05-05T10:06:08.316Z","client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673072677_1\u0026limit=1000","requestId":"XrE6kBmJa4z2oxvYkpDgdQAAEsE","warningPercent":"60","timeSpan":"1","threshold":"50","timeUnit":"MINUTES"}},"legacyEventType":"core.framework.ratelimit.warning","uuid":"0a1f1ffc-8eb8-11ea-a57c-950f2517e685","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"displayMessage":"Rate limit warning","transaction":{"type":"WEB","id":"XrE6kBmJa4z2oxvYkpDgdQAAEsE","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}]} -{"eventType":"system.org.rate_limit.violation","authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsDDtInz8kQ1uoLAhRTjbBqA"},"displayMessage":"Rate limit violation","legacyEventType":"core.framework.ratelimit.exceeded","version":"0","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"16a414bd-8eb8-11ea-82e2-356ba42b26b0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:06:29.320Z","debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673072677_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE6pS27VfkqqJWpbgzy7gAAELQ","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"transaction":{"type":"WEB","id":"XrE6pS27VfkqqJWpbgzy7gAAELQ","detail":{}},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"severity":"WARN"} -{"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"legacyEventType":"core.framework.ratelimit.warning","uuid":"53429308-8eb8-11ea-b70a-e7df59d7aa62","version":"0","client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsW0NRQK_sSq-ABs26kTzO4w","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"severity":"WARN","eventType":"system.org.rate_limit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","published":"2020-05-05T10:08:11.022Z","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","url":"/api/v1/logs?limit=1000\u0026after=1588673190341_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE7C@3r6F@XqNiEZP@SVQAADKg","warningPercent":"60","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"transaction":{"type":"WEB","id":"XrE7C@3r6F@XqNiEZP@SVQAADKg","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}]} -{"uuid":"5fc73a6b-8eb8-11ea-8cbe-bf2eaab2e9ef","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673190341_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE7IKePYtd7JtnbQ1ihnQAAAzc","threshold":"50"}},"transaction":{"type":"WEB","id":"XrE7IKePYtd7JtnbQ1ihnQAAAzc","detail":{}},"published":"2020-05-05T10:08:32.024Z","legacyEventType":"core.framework.ratelimit.exceeded","eventType":"system.org.rate_limit.violation","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","version":"0","client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"displayMessage":"Rate limit violation","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs9C1nRza2Qea6vvY8b9uBBA"},"outcome":{"result":"SUCCESS","reason":null}} -{"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","timeSpan":"1","warningPercent":"60","threshold":"50","url":"/api/v1/logs?limit=1000\u0026after=1588673313139_1\u0026limit=1000","requestId":"XrE7gnpFJJ1p6j3-wha7eQAAD9E"}},"transaction":{"id":"XrE7gnpFJJ1p6j3-wha7eQAAD9E","detail":{},"type":"WEB"},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"eventType":"system.org.rate_limit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"version":"0","published":"2020-05-05T10:10:10.586Z","legacyEventType":"core.framework.ratelimit.warning","uuid":"9a869822-8eb8-11ea-b9fc-61056b16b278","displayMessage":"Rate limit warning","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsxc2kkNMCQ-WahLf93GcN_w","authenticationProvider":null,"credentialProvider":null},"outcome":{"reason":null,"result":"SUCCESS"},"severity":"WARN","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}} -{"severity":"WARN","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:10:31.589Z","legacyEventType":"core.framework.ratelimit.exceeded","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"uuid":"a70b65db-8eb8-11ea-ba49-7f15d05ef278","version":"0","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673313139_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE7l4zaB9tH9ugqPHDIqQAAEsg","threshold":"50"}},"transaction":{"detail":{},"type":"WEB","id":"XrE7l4zaB9tH9ugqPHDIqQAAEsg"},"target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs0iGo25DtSKCRx8Lj0bZCHw","authenticationProvider":null,"credentialProvider":null},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null}} -{"published":"2020-05-05T10:12:06.007Z","severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrE79aePYtd7JtnbQ1imjgAAAzc","detail":{}},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"eventType":"system.org.rate_limit.warning","version":"0","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"outcome":{"result":"SUCCESS","reason":null},"uuid":"df52710d-8eb8-11ea-8b3c-c55929189475","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsY5C_Zq7HQZm3-qgkspRT1w","authenticationProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"displayMessage":"Rate limit warning","debugContext":{"debugData":{"requestId":"XrE79aePYtd7JtnbQ1imjgAAAzc","warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673432515_1\u0026limit=1000","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES"}},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPx7wEDF9S3mmyAEwjA98cg","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673432515_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE8CqjRygVen0SUkJebQgAADyQ","threshold":"50","timeSpan":"1"}},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrE8CqjRygVen0SUkJebQgAADyQ","detail":{}},"version":"0","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:12:27.008Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown"},"displayMessage":"Rate limit violation","severity":"WARN","eventType":"system.org.rate_limit.violation","uuid":"ebd6f0b1-8eb8-11ea-965d-6da5dc6b4d61","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrE8cznw7CtbP0yJVwVs7QAAEgI","detail":{}},"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit warning","version":"0","eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"published":"2020-05-05T10:14:11.145Z","uuid":"29e8fc1f-8eb9-11ea-aeca-a544dbc5d64e","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"debugContext":{"debugData":{"timeSpan":"1","threatSuspected":"false","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673547459_1\u0026limit=1000","requestId":"XrE8cznw7CtbP0yJVwVs7QAAEgI"}},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"}},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs7-MOLLOxS0-LG3ZtMMF0jA","authenticationProvider":null}} -{"version":"0","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:14:32.146Z","debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000\u0026after=1588673547459_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE8iNh-vHogmJ8NIM3iqgAABaY","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"uuid":"366d7b32-8eb9-11ea-94f8-45ab612226ab","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"eventType":"system.org.rate_limit.violation","severity":"WARN","client":{"geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs1Z_-WCrvTr6Sx45M5fDLXg","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrE8iNh-vHogmJ8NIM3iqgAABaY","detail":{}},"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"}} -{"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:16:10.785Z","transaction":{"type":"WEB","id":"XrE86j66FdOwKsQJVQRVjAAADCU","detail":{}},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsqXZYn4VJQlWEtiX8TdGTiw"},"displayMessage":"Rate limit warning","debugContext":{"debugData":{"warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrE86j66FdOwKsQJVQRVjAAADCU","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588673672587_1\u0026limit=1000"}},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"uuid":"71389917-8eb9-11ea-adf2-ed39f0ba450d"} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs7UCHzEGbSx-XoQRUK-7BJA","authenticationProvider":null,"credentialProvider":null},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE8-45erIFpVwGi1Emu@wAADmI","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673672587_1\u0026limit=1000"}},"version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit violation","published":"2020-05-05T10:16:31.959Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"7dd77ec0-8eb9-11ea-82e2-356ba42b26b0","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrE8-45erIFpVwGi1Emu@wAADmI","detail":{}},"request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]}} -{"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs56imW9-hT4mXUQxM7pR-Pw","authenticationProvider":null,"credentialProvider":null},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"uuid":"b8b2c9f8-8eb9-11ea-a0ba-379f04824fb1","transaction":{"detail":{},"type":"WEB","id":"XrE9YgQlhQc@sTWCXHrxJwAAEx4"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"displayMessage":"Rate limit warning","published":"2020-05-05T10:18:10.704Z","severity":"WARN","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","url":"/api/v1/logs?limit=1000\u0026after=1588673792565_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE9YgQlhQc@sTWCXHrxJwAAEx4","warningPercent":"60","threshold":"50","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"legacyEventType":"core.framework.ratelimit.warning","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]}} -{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit violation","severity":"WARN","debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE9d9wlaOBew8uKlh7rkgAAA0s","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673792565_1\u0026limit=1000"}},"uuid":"c53796ba-8eb9-11ea-b3e6-1d46bc417fb6","version":"0","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:18:31.707Z","transaction":{"id":"XrE9d9wlaOBew8uKlh7rkgAAA0s","detail":{},"type":"WEB"},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"legacyEventType":"core.framework.ratelimit.exceeded","authenticationContext":{"externalSessionId":"trsdg9YDpRuRgKaOLUj5oKsdw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}]} -{"outcome":{"reason":null,"result":"SUCCESS"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"warningPercent":"60","requestUri":"/api/v1/logs","timeUnit":"MINUTES","requestId":"XrE92lvsYUrf30@uCZpt-gAABoU","threshold":"50","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673912497_1\u0026limit=1000"}},"legacyEventType":"core.framework.ratelimit.warning","version":"0","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsnyGjrmSkQle5e4SRGvZglA"},"eventType":"system.org.rate_limit.warning","client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"displayMessage":"Rate limit warning","severity":"WARN","uuid":"0042f1fc-8eba-11ea-a04f-81a81472156a","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"published":"2020-05-05T10:20:10.767Z","transaction":{"type":"WEB","id":"XrE92lvsYUrf30@uCZpt-gAABoU","detail":{}},"request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]}} -{"published":"2020-05-05T10:20:31.769Z","severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"0cc798b0-8eba-11ea-abd3-1d668132201e","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsTE7n3E68RjOlx_LfF-RZXQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"outcome":{"result":"SUCCESS","reason":null},"transaction":{"type":"WEB","id":"XrE97@an-mUZdi219wQzgwAAEjs","detail":{}},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"displayMessage":"Rate limit violation","version":"0","eventType":"system.org.rate_limit.violation","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE97@an-mUZdi219wQzgwAAEjs","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673912497_1\u0026limit=1000"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"displayMessage":"Rate limit warning","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000\u0026after=1588674032426_1\u0026limit=1000","requestId":"XrE@TwVp30i3cw0jE1KOvwAAAPo","userId":"00u3mo2ci0RuzhCQe357","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES","warningPercent":"60","threshold":"50"}},"legacyEventType":"core.framework.ratelimit.warning","uuid":"45a6c519-8eba-11ea-8b3c-c55929189475","version":"0","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:22:07.184Z","transaction":{"detail":{},"type":"WEB","id":"XrE@TwVp30i3cw0jE1KOvwAAAPo"},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsn5zK28QtR0uXn28sBMXonQ","authenticationProvider":null}} -{"uuid":"522bba5e-8eba-11ea-b9c2-0dd5b21f944b","published":"2020-05-05T10:22:28.188Z","transaction":{"type":"WEB","id":"XrE@ZDn-wFxNr1zSzKhZPQAAFG8","detail":{}},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","version":"0","actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"displayMessage":"Rate limit violation","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"severity":"WARN","outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674032426_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE@ZDn-wFxNr1zSzKhZPQAAFG8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trssjZmnfC_QheY69POkrAlrw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"eventType":"system.org.rate_limit.violation"} -{"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"authenticationContext":{"externalSessionId":"trs8mkv_xN6Q3uxZL2JykiXfw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:24:10.938Z","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"displayMessage":"Rate limit warning","transaction":{"type":"WEB","id":"XrE@yls-7N-b7zu5QlJQTAAAEHo","detail":{}},"uuid":"8f6a21e2-8eba-11ea-9fd1-bb7360a0b10c","severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestId":"XrE@yls-7N-b7zu5QlJQTAAAEHo","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588674149179_1\u0026limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}}} -{"version":"0","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"9bef8bf2-8eba-11ea-82e2-356ba42b26b0","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs_Osy-QHSQvSuV4XIrZ_tzA","authenticationProvider":null},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674149179_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE@301ETj3E3czvhhMq6QAAAF4","threshold":"50"}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"transaction":{"type":"WEB","id":"XrE@301ETj3E3czvhhMq6QAAAF4","detail":{}},"published":"2020-05-05T10:24:31.945Z","severity":"WARN","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"eventType":"system.org.rate_limit.violation","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null}} -{"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:26:10.680Z","transaction":{"detail":{},"type":"WEB","id":"XrE-QkH@Hmw00TTU@52P3wAAEVw"},"version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"displayMessage":"Rate limit warning","severity":"WARN","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","requestId":"XrE-QkH@Hmw00TTU@52P3wAAEVw","threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588674272534_1\u0026limit=1000","timeUnit":"MINUTES","warningPercent":"60"}},"uuid":"d6c95067-8eba-11ea-b823-db4e40ee0137","authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs8ezvjqNdTIuNvebCfVkDvA"},"eventType":"system.org.rate_limit.warning","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"legacyEventType":"core.framework.ratelimit.warning","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null}} -{"outcome":{"result":"SUCCESS","reason":null},"eventType":"system.org.rate_limit.violation","published":"2020-05-05T10:26:31.684Z","debugContext":{"debugData":{"requestId":"XrE-V04MZnO8t6TkdnOVnwAAAQo","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674272534_1\u0026limit=1000","timeUnit":"MINUTES"}},"transaction":{"type":"WEB","id":"XrE-V04MZnO8t6TkdnOVnwAAAQo","detail":{}},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"e34e450c-8eba-11ea-b70a-e7df59d7aa62","version":"0","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs44CgqwPsQhmLGT8KA4ochw","authenticationProvider":null,"credentialProvider":null},"displayMessage":"Rate limit violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}]} -{"eventType":"system.org.rate_limit.warning","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"version":"0","authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsNStE8sXvTW-xPL-IkNPiIw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"transaction":{"type":"WEB","id":"XrE-uk4MZnO8t6TkdnOYWwAAAQo","detail":{}},"debugContext":{"debugData":{"requestId":"XrE-uk4MZnO8t6TkdnOYWwAAAQo","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","timeUnit":"MINUTES","threshold":"50","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674392876_1\u0026limit=1000"}},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"legacyEventType":"core.framework.ratelimit.warning","uuid":"1e4de073-8ebb-11ea-9424-4db38b988f86","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:28:10.667Z","severity":"WARN","displayMessage":"Rate limit warning"} -{"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674392876_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE-z-QdodjJSHySIWsZjgAAASE","threshold":"50","timeSpan":"1"}},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"2ad19c78-8ebb-11ea-a0ba-379f04824fb1","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"eventType":"system.org.rate_limit.violation","published":"2020-05-05T10:28:31.663Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"authenticationContext":{"externalSessionId":"trsAGWkP27TR8K3QPE7qkaFiw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"severity":"WARN","transaction":{"type":"WEB","id":"XrE-z-QdodjJSHySIWsZjgAAASE","detail":{}},"version":"0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]}} -{"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:30:07.127Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","url":"/api/v1/logs?limit=1000\u0026after=1588674512526_1\u0026limit=1000","requestId":"XrFAL6UM0GYBxBYcLmbsGgAAASE","requestUri":"/api/v1/logs"}},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFAL6UM0GYBxBYcLmbsGgAAASE","detail":{}},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsC9_zAgzSTTCXog08Shebaw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"uuid":"63b84288-8ebb-11ea-abd3-1d668132201e","severity":"WARN","outcome":{"result":"SUCCESS","reason":null},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null}} -{"legacyEventType":"core.framework.ratelimit.exceeded","authenticationContext":{"externalSessionId":"trsJWp3AarMTT2KzDb6UqvV5Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"published":"2020-05-05T10:30:28.124Z","severity":"WARN","eventType":"system.org.rate_limit.violation","displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674512526_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFARFvsYUrf30@uCZp5ZAAABp0","threshold":"50"}},"uuid":"703c2649-8ebb-11ea-abd1-d96b7fcb273d","version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"type":"WEB","id":"XrFARFvsYUrf30@uCZp5ZAAABp0","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"}} -{"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsoFJQ24y3TDyKYuyEeVtYIQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"published":"2020-05-05T10:32:10.646Z","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","uuid":"ad57c3ed-8ebb-11ea-837c-8f84d82c8d23","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFAqoLAJMDIusENvq9y4QAADhA","detail":{}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"debugContext":{"debugData":{"warningPercent":"60","timeSpan":"1","timeUnit":"MINUTES","requestId":"XrFAqoLAJMDIusENvq9y4QAADhA","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674628854_1\u0026limit=1000"}}} -{"authenticationContext":{"externalSessionId":"trsDcy7icVsTXOeLV2i8VIEWw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"displayMessage":"Rate limit violation","transaction":{"type":"WEB","id":"XrFAv-cOD88CV28@AwdLMQAABDo","detail":{}},"eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674628854_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFAv-cOD88CV28@AwdLMQAABDo"}},"published":"2020-05-05T10:32:31.647Z","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"outcome":{"result":"SUCCESS","reason":null},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"b9dc435a-8ebb-11ea-ada5-5fef26acfbc9","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:34:05.127Z","legacyEventType":"core.framework.ratelimit.warning","displayMessage":"Rate limit warning","severity":"WARN","transaction":{"type":"WEB","id":"XrFBHean-mUZdi219wRHqwAAEjs","detail":{}},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs9_xfqQ2mSKWujaPlIeJ5dQ","authenticationProvider":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588674752224_1\u0026limit=1000","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFBHean-mUZdi219wRHqwAAEjs","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs"}},"uuid":"f1942d82-8ebb-11ea-aeca-a544dbc5d64e","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null}} -{"eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674752224_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFBMgv9rG@QtvA52XIeiAAAByY","threshold":"50","timeSpan":"1"}},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsZKjIBa07ShGiH1-fqQ11zw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:34:26.123Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrFBMgv9rG@QtvA52XIeiAAAByY","detail":{}},"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"displayMessage":"Rate limit violation","uuid":"fe17ea9d-8ebb-11ea-a6b7-cf71f57d4442"} -{"severity":"WARN","transaction":{"type":"WEB","id":"XrFBmlvsYUrf30@uCZp-zgAABpk","detail":{}},"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"requestId":"XrFBmlvsYUrf30@uCZp-zgAABpk","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674866876_1\u0026limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:36:10.725Z","legacyEventType":"core.framework.ratelimit.warning","uuid":"3c70ea10-8ebc-11ea-874a-2fc94466cbde","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsv0gnF2CTQdGSDgSoZhqTAw","authenticationProvider":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null}} -{"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsVtv1XeRbTFWprOF_8p-csQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"uuid":"48f59075-8ebc-11ea-afeb-efa9a81fb877","displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:36:31.727Z","legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrFBr7bV1sm78T1X2@XySwAADMg","detail":{}},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"eventType":"system.org.rate_limit.violation","severity":"WARN","debugContext":{"debugData":{"requestId":"XrFBr7bV1sm78T1X2@XySwAADMg","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674866876_1\u0026limit=1000","timeUnit":"MINUTES"}}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"uuid":"83f3cbe4-8ebc-11ea-b70a-e7df59d7aa62","published":"2020-05-05T10:38:10.701Z","severity":"WARN","displayMessage":"Rate limit warning","transaction":{"type":"WEB","id":"XrFCEnWh6j118-TwvwDADAAAA3M","detail":{}},"version":"0","client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsz9wM-17ERb6AGAty-4A7Vg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"eventType":"system.org.rate_limit.warning","debugContext":{"debugData":{"warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFCEnWh6j118-TwvwDADAAAA3M","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588674992071_1\u0026limit=1000"}},"legacyEventType":"core.framework.ratelimit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}]} -{"eventType":"system.org.rate_limit.violation","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"transaction":{"type":"WEB","id":"XrFCJ60nT1FhhE9h96tEngAAByI","detail":{}},"version":"0","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsyzk0YgPnStmg85RAEg_0AA","authenticationProvider":null},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:38:31.700Z","legacyEventType":"core.framework.ratelimit.exceeded","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674992071_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFCJ60nT1FhhE9h96tEngAAByI","threshold":"50","timeSpan":"1"}},"uuid":"9077fdae-8ebc-11ea-a0ba-379f04824fb1","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}]} -{"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsStsGG3ZJRP6TjRYVeOqqnw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"uuid":"cb78f8b5-8ebc-11ea-965d-6da5dc6b4d61","version":"0","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:40:10.692Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"displayMessage":"Rate limit warning","severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588675111954_1\u0026limit=1000","requestId":"XrFCivboihgf9k0vFE3flQAAAbI","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES"}},"transaction":{"type":"WEB","id":"XrFCivboihgf9k0vFE3flQAAAbI","detail":{}}} -{"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","version":"0","client":{"geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"displayMessage":"Rate limit violation","debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675111954_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFCnwQlhQc@sTWCXHoaWwAAEwo","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"transaction":{"type":"WEB","id":"XrFCnwQlhQc@sTWCXHoaWwAAEwo","detail":{}},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trslfT_A1LuT_WG7Z9PdodFoA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"published":"2020-05-05T10:40:31.691Z","uuid":"d7fd2a5b-8ebc-11ea-a561-47493e2e60a2"} -{"authenticationContext":{"externalSessionId":"trsT4qu9luVRu2VdIsvSWBDCA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:42:06.228Z","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFC-ovrzgsubrSRhiSsKgAAB0E","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588675232499_1\u0026limit=1000","warningPercent":"60"}},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFC-ovrzgsubrSRhiSsKgAAB0E","detail":{}},"version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"severity":"WARN","uuid":"10565dcd-8ebd-11ea-abd3-1d668132201e","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null}} -{"published":"2020-05-05T10:42:27.225Z","severity":"WARN","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675232499_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFDE7bV1sm78T1X2@X7pAAADOI","threshold":"50","timeSpan":"1"}},"version":"0","transaction":{"type":"WEB","id":"XrFDE7bV1sm78T1X2@X7pAAADOI","detail":{}},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsDmVaG8i4RZ2SD5TvUgJhqQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"uuid":"1cda40ae-8ebd-11ea-abd3-1d668132201e","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"displayMessage":"Rate limit violation"} -{"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsKOWj0B51Q-ukLMXFhVupmw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"transaction":{"type":"WEB","id":"XrFDej@Lf3n8Pj8mzXH1kgAABPk","detail":{}},"uuid":"5aa77b5c-8ebd-11ea-b9fc-61056b16b278","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null"},"legacyEventType":"core.framework.ratelimit.warning","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000\u0026after=1588675347901_1\u0026limit=1000","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","requestId":"XrFDej@Lf3n8Pj8mzXH1kgAABPk","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:44:10.911Z","severity":"WARN","version":"0"} -{"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"transaction":{"type":"WEB","id":"XrFDj0ZkozEynuDR0MGhVgAADiI","detail":{}},"version":"0","published":"2020-05-05T10:44:31.913Z","severity":"WARN","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675347901_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFDj0ZkozEynuDR0MGhVgAADiI","threshold":"50","timeSpan":"1"}},"uuid":"672c21a3-8ebd-11ea-a561-47493e2e60a2","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsjKLlLVoVSZqtTxSTIOgzxg","authenticationProvider":null},"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit violation"} -{"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsngtN0TJJSq-cRIvN5-aB_Q"},"outcome":{"reason":null,"result":"SUCCESS"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675472781_1\u0026limit=1000","threshold":"50","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","timeUnit":"MINUTES","requestId":"XrFD7D@Lf3n8Pj8mzXH4RwAABPk"}},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFD7D@Lf3n8Pj8mzXH4RwAABPk","detail":{}},"target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T10:46:04.407Z","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","severity":"WARN","uuid":"9e4d9949-8ebd-11ea-b611-f1d979f83d84","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"uuid":"aad1c9f7-8ebd-11ea-a0ba-379f04824fb1","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsYITx7VKdTvulh47b8Vbh9w"},"published":"2020-05-05T10:46:25.406Z","debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675472781_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFEAQPeLOKhwhWFk9FcpQAAAnM","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"transaction":{"type":"WEB","id":"XrFEAQPeLOKhwhWFk9FcpQAAAnM","detail":{}},"version":"0","eventType":"system.org.rate_limit.violation","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","displayMessage":"Rate limit violation","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"outcome":{"result":"SUCCESS","reason":null},"legacyEventType":"core.framework.ratelimit.exceeded"} -{"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"displayMessage":"Rate limit warning","published":"2020-05-05T10:48:10.789Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"threshold":"50","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675586163_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFEavXjc7OfNk-q70maxgAAExE","warningPercent":"60","timeSpan":"1","threatSuspected":"false"}},"version":"0","client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsUz-ZZ-69RbGWGcTZtRQ3vw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"eventType":"system.org.rate_limit.warning","severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFEavXjc7OfNk-q70maxgAAExE","detail":{}},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"uuid":"e9a1f55c-8ebd-11ea-baf6-b58aa7127d4c","outcome":{"result":"SUCCESS","reason":null}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsgM0RpzkxTFy37NOB9pW-6g","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:48:31.789Z","transaction":{"type":"WEB","id":"XrFEf5a-SjOG@MbFt9Q@GQAAEUA","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrFEf5a-SjOG@MbFt9Q@GQAAEUA","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675586163_1\u0026limit=1000"}},"legacyEventType":"core.framework.ratelimit.exceeded","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"f6264df6-8ebd-11ea-8936-ab42b09eebb3","version":"0","displayMessage":"Rate limit violation","severity":"WARN"} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsq-8tXCInQ96eZXTsy_qhVg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"outcome":{"reason":null,"result":"SUCCESS"},"debugContext":{"debugData":{"requestId":"XrFE3yhlgQ7cxaCrlGcPHQAAETw","warningPercent":"60","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675713059_1\u0026limit=1000","threshold":"50","requestUri":"/api/v1/logs","timeUnit":"MINUTES"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"eventType":"system.org.rate_limit.warning","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.warning","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T10:50:07.333Z","severity":"WARN","uuid":"2f192a3f-8ebe-11ea-8aaa-959b94ed26bb","displayMessage":"Rate limit warning","transaction":{"type":"WEB","id":"XrFE3yhlgQ7cxaCrlGcPHQAAETw","detail":{}},"version":"0"} -{"displayMessage":"Rate limit violation","debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrFE9Fefz-B54FiebJ6wuAAAEwk","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675713059_1\u0026limit=1000"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsmlZ6_exZS7CQs65fCHMbgQ"},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"uuid":"3b9cbeb9-8ebe-11ea-874a-2fc94466cbde","eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:50:28.328Z","legacyEventType":"core.framework.ratelimit.exceeded","version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"severity":"WARN","transaction":{"type":"WEB","id":"XrFE9Fefz-B54FiebJ6wuAAAEwk","detail":{}}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"published":"2020-05-05T10:52:10.887Z","client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsg6IXhKhBQuOP5VleUY2DIg"},"eventType":"system.org.rate_limit.warning","transaction":{"type":"WEB","id":"XrFFWgQlhQc@sTWCXHoxtwAAEwo","detail":{}},"uuid":"78be01aa-8ebe-11ea-aeca-a544dbc5d64e","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit warning","outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","version":"0","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestId":"XrFFWgQlhQc@sTWCXHoxtwAAEwo","warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675829279_1\u0026limit=1000","timeUnit":"MINUTES","threshold":"50","timeSpan":"1"}},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]}} -{"displayMessage":"Rate limit violation","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrFFb6vcOlZWM2vVN2XrrQAAA-o","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:52:31.887Z","severity":"WARN","eventType":"system.org.rate_limit.violation","version":"0","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsWLNyNeB1TuaOf9KUtafqjQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675829279_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFFb6vcOlZWM2vVN2XrrQAAA-o"}},"uuid":"85425adf-8ebe-11ea-b9fc-61056b16b278"} -{"published":"2020-05-05T10:54:05.450Z","severity":"WARN","actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPo_I88spSiO7D-Z3DiP2nA","authenticationProvider":null,"credentialProvider":null},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit warning","debugContext":{"debugData":{"requestId":"XrFFzVUO@EPHfYJRM8GZHwAAEK4","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588675952841_1\u0026limit=1000"}},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"transaction":{"type":"WEB","id":"XrFFzVUO@EPHfYJRM8GZHwAAEK4","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"outcome":{"result":"SUCCESS","reason":null},"uuid":"bd06eee7-8ebe-11ea-82e2-356ba42b26b0","version":"0","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning"} -{"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","debugContext":{"debugData":{"requestId":"XrFF4k4GCgrejBJbF709NgAADkw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675952841_1\u0026limit=1000","timeUnit":"MINUTES"}},"uuid":"c98b962e-8ebe-11ea-8cbe-bf2eaab2e9ef","version":"0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"published":"2020-05-05T10:54:26.452Z","legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrFF4k4GCgrejBJbF709NgAADkw","detail":{}},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsQfY_9PlvSXudklqeUljN-Q"},"displayMessage":"Rate limit violation"} -{"published":"2020-05-05T10:56:10.706Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsSKUi5-F1RLGN6KxlwchJSQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"detail":{},"type":"WEB","id":"XrFGShXpNT0RVGi@JH9uIwAAAc0"},"uuid":"07af7b64-8ebf-11ea-9a68-45f5acc7edae","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"displayMessage":"Rate limit warning","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588676067403_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFGShXpNT0RVGi@JH9uIwAAAc0","threshold":"50","threatSuspected":"false","warningPercent":"60"}},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"severity":"WARN","version":"0"} -{"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000\u0026after=1588676067403_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFGX6ij4DHbM5celo4CfgAAEGg","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"transaction":{"type":"WEB","id":"XrFGX6ij4DHbM5celo4CfgAAEGg","detail":{}},"uuid":"14347026-8ebf-11ea-9b4d-6d898d9545c0","displayMessage":"Rate limit violation","legacyEventType":"core.framework.ratelimit.exceeded","severity":"WARN","client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"authenticationContext":{"externalSessionId":"trsXxlMs-kRSOyAE7puqhj8Pw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"published":"2020-05-05T10:56:31.710Z"} diff --git a/schemas/logs/okta/system_log.yml b/schemas/logs/okta/system_log.yml deleted file mode 100644 index 88c0e3203..000000000 --- a/schemas/logs/okta/system_log.yml +++ /dev/null @@ -1,285 +0,0 @@ -# Copyright (C) 2020 Panther Labs Inc -# -# Panther Enterprise is licensed under the terms of a commercial license available from -# Panther Labs Inc ("Panther Commercial License") by contacting contact@runpanther.com. -# All use, distribution, and/or modification of this software, whether commercial or non-commercial, -# falls under the Panther Commercial License to the extent it is permitted. - -schema: Okta.SystemLog -description: | - The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. - - Panther Enterprise Only -referenceURL: https://developer.okta.com/docs/reference/api/system-log/ -version: 0 -fields: - - name: uuid - required: true - description: Unique identifier for an individual event - type: string - - name: published - required: true - description: Timestamp when event was published - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: eventType - required: true - description: Type of event that was published - type: string - - name: version - required: true - description: Versioning indicator - type: string - - name: severity - required: true - description: "Indicates how severe the event is: DEBUG, INFO, WARN, ERROR" - type: string - - name: legacyEventType - description: Associated Events API Action objectType attribute value - type: string - - name: displayMessage - description: The display message for an event - type: string - - name: actor - description: Describes the entity that performed an action - type: object - fields: - - name: id - required: true - description: ID of actor - type: string - - name: type - required: true - description: Type of actor - type: string - - name: alternateId - description: Alternative id of the actor - type: string - indicators: - - email - - name: displayName - description: Display name of the actor - type: string - - name: details - description: Details about the actor - type: json - - name: detailEntry - description: Detail entry - type: json - - name: client - description: The client that requested an action - type: object - fields: - - name: id - description: For OAuth requests this is the id of the OAuth client making the request. For SSWS token requests, this is the id of the agent making the request. - type: string - - name: userAgent - description: The user agent used by an actor to perform an action - type: object - fields: - - name: browser - description: If the client is a web browser, this field identifies the type of web browser (e.g. CHROME, FIREFOX) - type: string - - name: os - description: The Operating System the client runs on (e.g. Windows 10) - type: string - - name: rawUserAgent - description: A raw string representation of the user agent, formatted according to section 5.5.3 of HTTP/1.1 Semantics and Content. Both the browser and the OS fields can be derived from this field. - type: string - - name: geographicalContext - description: The physical location where the client made its request from - type: object - fields: - - name: geolocation - description: Contains the geolocation coordinates (latitude, longitude) - type: object - fields: - - name: lat - description: Latitude - type: float - - name: lon - description: Longitude - type: float - - name: city - description: The city encompassing the area containing the geolocation coordinates, if available (e.g. Seattle, San Francisco) - type: string - - name: state - description: Full name of the state/province encompassing the area containing the geolocation coordinates (e.g. Montana, Incheon) - type: string - - name: country - description: Full name of the country encompassing the area containing the geolocation coordinates (e.g. France, Uganda) - type: string - - name: postalCode - description: Full name of the country encompassing the area containing the geolocation coordinates (e.g. France, Uganda) - type: string - - name: zone - description: The name of the Zone that the client's location is mapped to - type: string - - name: ipAddress - description: Ip address that the client made its request from - type: string - indicators: - - ip - - name: device - description: Type of device that the client operated from (e.g. Computer) - type: string - - name: request - description: The request that initiated an action - type: object - fields: - - name: ipChain - description: If the incoming request passes through any proxies, the IP addresses of those proxies will be stored here in the format (clientIp, proxy1, proxy2, ...). - type: array - element: - type: object - fields: - - name: ip - description: IP address - type: string - indicators: - - ip - - name: geographicalContext - description: Geographical context of the IP address - type: object - fields: - - name: geolocation - description: Contains the geolocation coordinates (latitude, longitude) - type: object - fields: - - name: lat - description: Latitude - type: float - - name: lon - description: Longitude - type: float - - name: city - description: The city encompassing the area containing the geolocation coordinates, if available (e.g. Seattle, San Francisco) - type: string - - name: state - description: Full name of the state/province encompassing the area containing the geolocation coordinates (e.g. Montana, Incheon) - type: string - - name: country - description: Full name of the country encompassing the area containing the geolocation coordinates (e.g. France, Uganda) - type: string - - name: postalCode - description: Full name of the country encompassing the area containing the geolocation coordinates (e.g. France, Uganda) - type: string - - name: version - description: IP version - type: string - - name: source - description: Details regarding the source - type: string - - name: outcome - description: The outcome of an action - type: object - fields: - - name: result - description: "Result of the action: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN" - type: string - - name: reason - description: Reason for the result, for example INVALID_CREDENTIALS - type: string - - name: target - description: Zero or more targets of an action - type: array - element: - type: object - fields: - - name: id - required: true - description: ID of target - type: string - - name: type - required: true - description: Type of target - type: string - - name: alternateId - description: Alternative id of the target - type: string - - name: displayName - description: Display name of the target - type: string - - name: details - description: Details about the target - type: json - - name: detailEntry - description: Detail entry - type: json - - name: transaction - description: The transaction details of an action - type: object - fields: - - name: id - description: Unique identifier for this transaction. - type: string - - name: type - description: Describes the kind of transaction. WEB indicates a web request. JOB indicates an asynchronous task. - type: string - - name: detail - description: Details for this transaction. - type: json - - name: debugContext - description: The debug request data of an action - type: object - fields: - - name: debugData - description: Dynamic field containing miscellaneous information dependent on the event type. - type: json - - name: authenticationContext - description: The authentication data of an action - type: object - fields: - - name: authenticationProvider - description: The system that proves the identity of an actor using the credentials provided to it - type: string - - name: authenticationStep - description: The zero-based step number in the authentication pipeline. Currently unused and always set to 0. - type: int - - name: credentialProvider - description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs via credentials provided by a credential provider, that credential provider will be recorded here. - type: string - - name: credentialType - description: The underlying technology/scheme used in the credential - type: string - - name: issuer - description: The specific software entity that created and issued the credential. - type: object - fields: - - name: id - description: Varies depending on the type of authentication. If authentication is SAML 2.0, id is the issuer in the SAML assertion. For social login, id is the issuer of the token. - type: string - - name: type - description: Information regarding issuer and source of the SAML assertion or token. - type: string - - name: externalSessionId - description: A proxy for the actor's session ID - type: string - - name: interface - description: The third party user interface that the actor authenticates through, if any. - type: string - - name: authenticatorProvider - description: "DEPRECATED: This field is kept here for backwards compatibility." - type: string - - name: securityContext - description: The security data of an action - type: object - fields: - - name: asNumber - description: Autonomous system number associated with the autonomous system that the event request was sourced to - type: bigint - - name: asOrg - description: Organization associated with the autonomous system that the event request was sourced to - type: string - - name: isp - description: Internet service provider used to sent the event's request - type: string - - name: domain - description: The domain name associated with the IP address of the inbound event request - type: string - indicators: - - domain - - name: isProxy - description: Specifies whether an event's request is from a known proxy - type: boolean diff --git a/schemas/logs/okta/tests/generated_tests.yml b/schemas/logs/okta/tests/generated_tests.yml deleted file mode 100644 index b25ac8cf5..000000000 --- a/schemas/logs/okta/tests/generated_tests.yml +++ /dev/null @@ -1,499 +0,0 @@ -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 1 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102iCf9Im9wSEmaVMYZNbEOMA"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016}}},"debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T10:20:22.243Z","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lon":-3.7016,"lat":40.4143}},"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":null,"transaction":{"type":"WEB","id":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","detail":{}},"uuid":"5d730bf4-8b95-11ea-8cbe-bf2eaab2e9ef","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102iCf9Im9wSEmaVMYZNbEOMA"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016}}},"debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T10:20:22.243Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T10:20:22.243Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lon":-3.7016,"lat":40.4143}},"version":"V4"}]},"securityContext":{},"severity":"INFO","transaction":{"type":"WEB","id":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","detail":{}},"uuid":"5d730bf4-8b95-11ea-8cbe-bf2eaab2e9ef","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 2 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102iCf9Im9wSEmaVMYZNbEOMA"},"client":{"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"}},"debugContext":{"debugData":{"requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?","deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-05-01T10:20:22.296Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid"},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null,"id":"0prc1umtrQa0JxFfU356"}],"transaction":{"type":"WEB","id":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","detail":{}},"uuid":"5d7b2245-8b95-11ea-8cbe-bf2eaab2e9ef","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102iCf9Im9wSEmaVMYZNbEOMA"},"client":{"zone":"null","device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"}},"debugContext":{"debugData":{"requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?","deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T10:20:22.296Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T10:20:22.296Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid"},"version":"V4"}]},"securityContext":{},"severity":"INFO","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","id":"0prc1umtrQa0JxFfU356"}],"transaction":{"type":"WEB","id":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","detail":{}},"uuid":"5d7b2245-8b95-11ea-8cbe-bf2eaab2e9ef","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 3 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":"OTP","issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102GP5VxqC1SvuMpF0oLbm0-Q"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005"}},"debugContext":{"debugData":{"requestUri":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify?rememberDevice=false","authnRequestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","requestId":"Xqv4ChB6i@XT5JNpsgg5iwAACjY"}},"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-01T10:20:59.091Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005"}}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":[{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}],"transaction":{"type":"WEB","id":"Xqv4ChB6i@XT5JNpsgg5iwAACjY","detail":{}},"uuid":"73699ad3-8b95-11ea-bd6b-7d993edc4d99","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":"OTP","authenticationStep":0,"externalSessionId":"102GP5VxqC1SvuMpF0oLbm0-Q"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005"}},"debugContext":{"debugData":{"requestUri":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify?rememberDevice=false","authnRequestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","requestId":"Xqv4ChB6i@XT5JNpsgg5iwAACjY"}},"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T10:20:59.091Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T10:20:59.091Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1","geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005"}}]},"securityContext":{},"severity":"INFO","target":[{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"}],"transaction":{"type":"WEB","id":"Xqv4ChB6i@XT5JNpsgg5iwAACjY","detail":{}},"uuid":"73699ad3-8b95-11ea-bd6b-7d993edc4d99","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 4 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"102tmLJSxrcTKe0eKPOcYRAIA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"debugContext":{"debugData":{"requestId":"Xqv4DAv9rG@QtvA52XJ5NwAAB2Q","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"displayMessage":"User accessing Okta admin app","eventType":"user.session.access_admin_app","legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T10:21:00.666Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":[{"id":"00u3mo2ci0RuzhCQe357","type":"AppUser","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}],"transaction":{"type":"WEB","id":"Xqv4DAv9rG@QtvA52XJ5NwAAB2Q","detail":{}},"uuid":"7459ee6a-8b95-11ea-9fd1-bb7360a0b10c","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102tmLJSxrcTKe0eKPOcYRAIA"},"client":{"device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"debugContext":{"debugData":{"requestId":"Xqv4DAv9rG@QtvA52XJ5NwAAB2Q","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"displayMessage":"User accessing Okta admin app","eventType":"user.session.access_admin_app","legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T10:21:00.666Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T10:21:00.666Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"version":"V4"}]},"securityContext":{},"severity":"INFO","target":[{"id":"00u3mo2ci0RuzhCQe357","type":"AppUser","alternateId":"foo@bar.com","displayName":"John Doe"}],"transaction":{"type":"WEB","id":"Xqv4DAv9rG@QtvA52XJ5NwAAB2Q","detail":{}},"uuid":"7459ee6a-8b95-11ea-9fd1-bb7360a0b10c","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 5 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsEIK87CP-TOWutoSIk5vwtA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestId":"XqxT48Ec3yxgq8Icobx9mwAAC-4","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:52:51.216Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XqxT48Ec3yxgq8Icobx9mwAAC-4","detail":{}},"uuid":"31bb29ef-8bcc-11ea-ada5-5fef26acfbc9","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsEIK87CP-TOWutoSIk5vwtA"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XqxT48Ec3yxgq8Icobx9mwAAC-4","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T16:52:51.216Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T16:52:51.216Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxT48Ec3yxgq8Icobx9mwAAC-4","detail":{}},"uuid":"31bb29ef-8bcc-11ea-ada5-5fef26acfbc9","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 6 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsg3DpeduvQXCmnzT-FC9l9g","authenticationProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"requestId":"XqxT6PWj5s2Quaf7cGZmTQAAElw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:52:56.149Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XqxT6PWj5s2Quaf7cGZmTQAAElw","detail":{}},"uuid":"34abe0f1-8bcc-11ea-9caf-87003407f90b","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsg3DpeduvQXCmnzT-FC9l9g"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"requestId":"XqxT6PWj5s2Quaf7cGZmTQAAElw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T16:52:56.149Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T16:52:56.149Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxT6PWj5s2Quaf7cGZmTQAAElw","detail":{}},"uuid":"34abe0f1-8bcc-11ea-9caf-87003407f90b","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 7 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs2EP5Oub9RVKOQNpikZSWQQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestId":"XqxUXGWrk@@JYyqBk-48SQAAEuM","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588328461960_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-01T16:54:52.404Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XqxUXGWrk@@JYyqBk-48SQAAEuM","detail":{}},"uuid":"79f6fbd3-8bcc-11ea-8cbe-bf2eaab2e9ef","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs2EP5Oub9RVKOQNpikZSWQQ"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XqxUXGWrk@@JYyqBk-48SQAAEuM","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588328461960_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T16:54:52.404Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T16:54:52.404Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxUXGWrk@@JYyqBk-48SQAAEuM","detail":{}},"uuid":"79f6fbd3-8bcc-11ea-8cbe-bf2eaab2e9ef","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 8 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsljB4mtDNSgCshrA0Np5LOA","authenticationProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588328461960_1&limit=1000","timeUnit":"MINUTES","requestId":"XqxUYZWz9R0WfYS@G1uZ-QAAAz0"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:54:57.700Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"transaction":{"type":"WEB","id":"XqxUYZWz9R0WfYS@G1uZ-QAAAz0","detail":{}},"uuid":"7d1f16f0-8bcc-11ea-afeb-efa9a81fb877","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsljB4mtDNSgCshrA0Np5LOA"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588328461960_1&limit=1000","timeUnit":"MINUTES","requestId":"XqxUYZWz9R0WfYS@G1uZ-QAAAz0"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T16:54:57.7Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T16:54:57.7Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxUYZWz9R0WfYS@G1uZ-QAAAz0","detail":{}},"uuid":"7d1f16f0-8bcc-11ea-afeb-efa9a81fb877","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 9 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trszcQ1YhE5Ql2GZQo8gs5ZeA","authenticationProvider":null,"credentialProvider":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588351976896_1&limit=1000","requestId":"XqxU1JJPCiAgOgakFdcF3wAAAo0","warningPercent":"60","timeSpan":"1","timeUnit":"MINUTES","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:56:52.738Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XqxU1JJPCiAgOgakFdcF3wAAAo0","detail":{}},"uuid":"c1b07e9f-8bcc-11ea-9b4d-6d898d9545c0","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trszcQ1YhE5Ql2GZQo8gs5ZeA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588351976896_1&limit=1000","requestId":"XqxU1JJPCiAgOgakFdcF3wAAAo0","warningPercent":"60","timeSpan":"1","timeUnit":"MINUTES","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T16:56:52.738Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T16:56:52.738Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxU1JJPCiAgOgakFdcF3wAAAo0","detail":{}},"uuid":"c1b07e9f-8bcc-11ea-9b4d-6d898d9545c0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 10 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPblrLhY6RIWUIAD80VLeYA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XqxU2ZmGQi6m7BKy3TSXWgAAAN0","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588351976896_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:56:57.255Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"transaction":{"type":"WEB","id":"XqxU2ZmGQi6m7BKy3TSXWgAAAN0","detail":{}},"uuid":"c461bba9-8bcc-11ea-af6d-6ff4ba545a59","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsPblrLhY6RIWUIAD80VLeYA"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XqxU2ZmGQi6m7BKy3TSXWgAAAN0","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588351976896_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T16:56:57.255Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T16:56:57.255Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxU2ZmGQi6m7BKy3TSXWgAAAN0","detail":{}},"uuid":"c461bba9-8bcc-11ea-af6d-6ff4ba545a59","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 11 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trspm5bfzYATkqbS5Gu1aM5ow"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"warningPercent":"60","threatSuspected":"false","requestId":"XqxVTKzp89io03gVyVIdbgAADjE","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588352098728_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:58:52.158Z","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XqxVTKzp89io03gVyVIdbgAADjE","detail":{}},"uuid":"08de8a22-8bcd-11ea-874a-2fc94466cbde","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trspm5bfzYATkqbS5Gu1aM5ow"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"warningPercent":"60","threatSuspected":"false","requestId":"XqxVTKzp89io03gVyVIdbgAADjE","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588352098728_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T16:58:52.158Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T16:58:52.158Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxVTKzp89io03gVyVIdbgAADjE","detail":{}},"uuid":"08de8a22-8bcd-11ea-874a-2fc94466cbde","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 12 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trseoJUnLitRb6mQPz0VWD_DA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588352098728_1&limit=1000","timeUnit":"MINUTES","requestId":"XqxVUCHJ2YsYX@pvnat0lgAAA1s","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:58:56.744Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XqxVUCHJ2YsYX@pvnat0lgAAA1s","detail":{}},"uuid":"0b9a4f12-8bcd-11ea-965d-6da5dc6b4d61","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trseoJUnLitRb6mQPz0VWD_DA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588352098728_1&limit=1000","timeUnit":"MINUTES","requestId":"XqxVUCHJ2YsYX@pvnat0lgAAA1s","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T16:58:56.744Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T16:58:56.744Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxVUCHJ2YsYX@pvnat0lgAAA1s","detail":{}},"uuid":"0b9a4f12-8bcd-11ea-965d-6da5dc6b4d61","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 13 -logType: Okta.SystemLog -input: '{"actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null},"authenticationContext":{"externalSessionId":"102553OFOWURBmOgPoGl8kO-w","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"5704071097000730d66366d819b89e6b","requestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-01T17:00:21.778Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874},"city":"San Francisco","state":"California","country":"United States"},"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"INFO","target":null,"transaction":{"type":"WEB","id":"XqxVpX8iMvHtxpNPrJimzQAAExM","detail":{}},"uuid":"3e497761-8bcd-11ea-82e2-356ba42b26b0","version":"0"}' -result: '{"actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri"},"authenticationContext":{"externalSessionId":"102553OFOWURBmOgPoGl8kO-w","authenticationStep":0},"client":{"device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"5704071097000730d66366d819b89e6b","requestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T17:00:21.778Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T17:00:21.778Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874},"city":"San Francisco","state":"California","country":"United States"},"version":"V4"}]},"securityContext":{},"severity":"INFO","transaction":{"type":"WEB","id":"XqxVpX8iMvHtxpNPrJimzQAAExM","detail":{}},"uuid":"3e497761-8bcd-11ea-82e2-356ba42b26b0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 14 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"Jack Naglieri","detailEntry":null,"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102553OFOWURBmOgPoGl8kO-w"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"geolocation":{"lat":37.7852,"lon":-122.3874},"city":"San Francisco","state":"California","country":"United States","postalCode":"94105"}},"debugContext":{"debugData":{"deviceFingerprint":"5704071097000730d66366d819b89e6b","requestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-05-01T17:00:21.838Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lon":-122.3874,"lat":37.7852}},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"transaction":{"detail":{},"type":"WEB","id":"XqxVpX8iMvHtxpNPrJimzQAAExM"},"uuid":"3e529f23-8bcd-11ea-82e2-356ba42b26b0","version":"0"}' -result: '{"actor":{"displayName":"Jack Naglieri","id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102553OFOWURBmOgPoGl8kO-w"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"geolocation":{"lat":37.7852,"lon":-122.3874},"city":"San Francisco","state":"California","country":"United States","postalCode":"94105"}},"debugContext":{"debugData":{"deviceFingerprint":"5704071097000730d66366d819b89e6b","requestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T17:00:21.838Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T17:00:21.838Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lon":-122.3874,"lat":37.7852}},"version":"V4"}]},"securityContext":{},"severity":"INFO","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule"}],"transaction":{"detail":{},"type":"WEB","id":"XqxVpX8iMvHtxpNPrJimzQAAExM"},"uuid":"3e529f23-8bcd-11ea-82e2-356ba42b26b0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 15 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri"},"authenticationContext":{"credentialType":"OTP","issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102djXtz5b_ROSoLOia6Q7juA","authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER"},"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestId":"XqxVsrIaFxbB2vhlGYB1YgAAA0w","requestUri":"/api/v1/authn/factors/ost316zzhb7EFtPn2357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost316zzhb7EFtPn2357/verify?rememberDevice=false"}},"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:00:34.670Z","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":{"geolocation":{"lon":-122.3874,"lat":37.7852},"city":"San Francisco","state":"California","country":"United States","postalCode":"94105"},"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":[{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null}],"transaction":{"type":"WEB","id":"XqxVsrIaFxbB2vhlGYB1YgAAA0w","detail":{}},"uuid":"45f8a1b0-8bcd-11ea-965d-6da5dc6b4d61","version":"0"}' -result: '{"actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri"},"authenticationContext":{"credentialType":"OTP","authenticationStep":0,"externalSessionId":"102djXtz5b_ROSoLOia6Q7juA","authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER"},"client":{"device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestId":"XqxVsrIaFxbB2vhlGYB1YgAAA0w","requestUri":"/api/v1/authn/factors/ost316zzhb7EFtPn2357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost316zzhb7EFtPn2357/verify?rememberDevice=false"}},"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T17:00:34.67Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T17:00:34.67Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"geolocation":{"lon":-122.3874,"lat":37.7852},"city":"San Francisco","state":"California","country":"United States","postalCode":"94105"},"version":"V4"}]},"securityContext":{},"severity":"INFO","target":[{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri"}],"transaction":{"type":"WEB","id":"XqxVsrIaFxbB2vhlGYB1YgAAA0w","detail":{}},"uuid":"45f8a1b0-8bcd-11ea-965d-6da5dc6b4d61","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 16 -logType: Okta.SystemLog -input: '{"actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102iZBO931kTSi4g5FdbiqgUA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"state":"California","country":"United States","postalCode":"94105","geolocation":{"lon":-122.3874,"lat":37.7852},"city":"San Francisco"}},"debugContext":{"debugData":{"requestId":"XqxVs-6znn2BGMzyKH-OOQAAEKM","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"displayMessage":"User accessing Okta admin app","eventType":"user.session.access_admin_app","legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:00:35.647Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"INFO","target":[{"id":"00uc1umudIxtsadWL356","type":"AppUser","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null}],"transaction":{"detail":{},"type":"WEB","id":"XqxVs-6znn2BGMzyKH-OOQAAEKM"},"uuid":"468db570-8bcd-11ea-abd3-1d668132201e","version":"0"}' -result: '{"actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102iZBO931kTSi4g5FdbiqgUA"},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"state":"California","country":"United States","postalCode":"94105","geolocation":{"lon":-122.3874,"lat":37.7852},"city":"San Francisco"}},"debugContext":{"debugData":{"requestId":"XqxVs-6znn2BGMzyKH-OOQAAEKM","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"displayMessage":"User accessing Okta admin app","eventType":"user.session.access_admin_app","legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T17:00:35.647Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T17:00:35.647Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"version":"V4"}]},"securityContext":{},"severity":"INFO","target":[{"id":"00uc1umudIxtsadWL356","type":"AppUser","alternateId":"foo@bar.com","displayName":"Jack Naglieri"}],"transaction":{"detail":{},"type":"WEB","id":"XqxVs-6znn2BGMzyKH-OOQAAEKM"},"uuid":"468db570-8bcd-11ea-abd3-1d668132201e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 17 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trs9AUNFdfRR1yvWWW7odRUJA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XqxVxEfn3CHz-HuDhPzyygAAAlo","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:00:52.286Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"id":"XqxVxEfn3CHz-HuDhPzyygAAAlo","detail":{},"type":"WEB"},"uuid":"50789e06-8bcd-11ea-92ce-d536dee30c90","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs9AUNFdfRR1yvWWW7odRUJA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XqxVxEfn3CHz-HuDhPzyygAAAlo","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T17:00:52.286Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T17:00:52.286Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"id":"XqxVxEfn3CHz-HuDhPzyygAAAlo","detail":{},"type":"WEB"},"uuid":"50789e06-8bcd-11ea-92ce-d536dee30c90","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 18 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPesucZbGTuOI0jck4g9yyw","authenticationProvider":null,"credentialProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","requestId":"XqxVyfcOD88CV28@AwfpAQAABDQ","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:00:57.213Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XqxVyfcOD88CV28@AwfpAQAABDQ","detail":{}},"uuid":"53686b88-8bcd-11ea-b823-db4e40ee0137","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsPesucZbGTuOI0jck4g9yyw"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","requestId":"XqxVyfcOD88CV28@AwfpAQAABDQ","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T17:00:57.213Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T17:00:57.213Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XqxVyfcOD88CV28@AwfpAQAABDQ","detail":{}},"uuid":"53686b88-8bcd-11ea-b823-db4e40ee0137","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 19 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102Zs5s_R6zRs2wBnpXh6J7Xw","authenticationProvider":null},"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"75653fa886d95b75e1f1ca0411b82cd2","requestId":"XqxV7PCo@4CYl52a7k5V-AAADhk","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:01:32.562Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":null,"transaction":{"type":"WEB","id":"XqxV7PCo@4CYl52a7k5V-AAADhk","detail":{}},"uuid":"687a400e-8bcd-11ea-9424-4db38b988f86","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102Zs5s_R6zRs2wBnpXh6J7Xw"},"client":{"device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"75653fa886d95b75e1f1ca0411b82cd2","requestId":"XqxV7PCo@4CYl52a7k5V-AAADhk","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T17:01:32.562Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T17:01:32.562Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"version":"V4"}]},"securityContext":{},"severity":"INFO","transaction":{"type":"WEB","id":"XqxV7PCo@4CYl52a7k5V-AAADhk","detail":{}},"uuid":"687a400e-8bcd-11ea-9424-4db38b988f86","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 20 -logType: Okta.SystemLog -input: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"102Zs5s_R6zRs2wBnpXh6J7Xw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28037"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threatSuspected":"false","url":"/api/v1/authn?","deviceFingerprint":"75653fa886d95b75e1f1ca0411b82cd2","requestId":"XqxV7PCo@4CYl52a7k5V-AAADhk","requestUri":"/api/v1/authn"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-05-01T17:01:32.611Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"Madrid","country":"Spain","postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid"},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":[{"displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"},"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown"},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"transaction":{"id":"XqxV7PCo@4CYl52a7k5V-AAADhk","detail":{},"type":"WEB"},"uuid":"6881ba20-8bcd-11ea-9424-4db38b988f86","version":"0"}' -result: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102Zs5s_R6zRs2wBnpXh6J7Xw"},"client":{"geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28037"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threatSuspected":"false","url":"/api/v1/authn?","deviceFingerprint":"75653fa886d95b75e1f1ca0411b82cd2","requestId":"XqxV7PCo@4CYl52a7k5V-AAADhk","requestUri":"/api/v1/authn"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-01T17:01:32.611Z","p_log_type":"Okta.SystemLog","published":"2020-05-01T17:01:32.611Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"Madrid","country":"Spain","postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid"},"version":"V4"}]},"securityContext":{},"severity":"INFO","target":[{"displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"},"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown"},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule"}],"transaction":{"id":"XqxV7PCo@4CYl52a7k5V-AAADhk","detail":{},"type":"WEB"},"uuid":"6881ba20-8bcd-11ea-9424-4db38b988f86","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 21 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs_RzmHPPNSpegdTR4iSNg6g","authenticationProvider":null},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","requestId":"XrEvgymRMCc7udKvskmg@QAAFLw"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:18:59.980Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"id":"XrEvgymRMCc7udKvskmg@QAAFLw","detail":{},"type":"WEB"},"uuid":"744d4cdc-8eb1-11ea-a57c-950f2517e685","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs_RzmHPPNSpegdTR4iSNg6g"},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","requestId":"XrEvgymRMCc7udKvskmg@QAAFLw"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:18:59.98Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:18:59.98Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"id":"XrEvgymRMCc7udKvskmg@QAAFLw","detail":{},"type":"WEB"},"uuid":"744d4cdc-8eb1-11ea-a57c-950f2517e685","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 22 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsRN_8hq3bRa22ZK_F166Ibw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrEvifZcBsOYX1sXqJeH7QAAAy8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:19:05.021Z","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrEvifZcBsOYX1sXqJeH7QAAAy8","detail":{}},"uuid":"774e7f7e-8eb1-11ea-af6d-6ff4ba545a59","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsRN_8hq3bRa22ZK_F166Ibw"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrEvifZcBsOYX1sXqJeH7QAAAy8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:19:05.021Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:19:05.021Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrEvifZcBsOYX1sXqJeH7QAAAy8","detail":{}},"uuid":"774e7f7e-8eb1-11ea-af6d-6ff4ba545a59","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 23 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsRmE6AQuzQDKo6PCtNuM-cA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588352493659_1&limit=1000","timeUnit":"MINUTES","requestId":"XrEvzZW30MsCw7au9fDIegAAAqI","threshold":"50"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:20:13.403Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrEvzZW30MsCw7au9fDIegAAAqI","detail":{}},"uuid":"a010c2d1-8eb1-11ea-afeb-efa9a81fb877","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsRmE6AQuzQDKo6PCtNuM-cA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588352493659_1&limit=1000","timeUnit":"MINUTES","requestId":"XrEvzZW30MsCw7au9fDIegAAAqI","threshold":"50"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:20:13.403Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:20:13.403Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrEvzZW30MsCw7au9fDIegAAAqI","detail":{}},"uuid":"a010c2d1-8eb1-11ea-afeb-efa9a81fb877","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 24 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsVq2bDMYWSuCOxxP_GkiDEQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588352493659_1&limit=1000","timeUnit":"MINUTES","requestId":"XrEv0nWh6j118-TwvwBbPgAAA3Y"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:20:18.310Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrEv0nWh6j118-TwvwBbPgAAA3Y","detail":{}},"uuid":"a2fd8277-8eb1-11ea-8cbe-bf2eaab2e9ef","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsVq2bDMYWSuCOxxP_GkiDEQ"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588352493659_1&limit=1000","timeUnit":"MINUTES","requestId":"XrEv0nWh6j118-TwvwBbPgAAA3Y"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:20:18.31Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:20:18.31Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrEv0nWh6j118-TwvwBbPgAAA3Y","detail":{}},"uuid":"a2fd8277-8eb1-11ea-8cbe-bf2eaab2e9ef","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 25 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102cDYxGvsETzeO9CvrF7KZCg","authenticationProvider":null},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164},"city":"London","state":"England"}},"debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:29:43.653Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London","state":"England","country":"United Kingdom"},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":null,"transaction":{"type":"WEB","id":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","detail":{}},"uuid":"f3f60211-8eb2-11ea-af6d-6ff4ba545a59","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102cDYxGvsETzeO9CvrF7KZCg"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164},"city":"London","state":"England"}},"debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:29:43.653Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:29:43.653Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London","state":"England","country":"United Kingdom"},"version":"V4"}]},"securityContext":{},"severity":"INFO","transaction":{"type":"WEB","id":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","detail":{}},"uuid":"f3f60211-8eb2-11ea-af6d-6ff4ba545a59","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 26 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102cDYxGvsETzeO9CvrF7KZCg"},"client":{"ipAddress":"1.1.1.1","geographicalContext":{"postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London","state":"England","country":"United Kingdom"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null},"debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"result":"ALLOW","reason":"Sign-on policy evaluation resulted in ALLOW"},"published":"2020-05-05T09:29:43.705Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093}}}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"INFO","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"transaction":{"type":"WEB","id":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","detail":{}},"uuid":"f3fdf152-8eb2-11ea-af6d-6ff4ba545a59","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102cDYxGvsETzeO9CvrF7KZCg"},"client":{"ipAddress":"1.1.1.1","geographicalContext":{"postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London","state":"England","country":"United Kingdom"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer"},"debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","outcome":{"result":"ALLOW","reason":"Sign-on policy evaluation resulted in ALLOW"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:29:43.705Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:29:43.705Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093}}}]},"securityContext":{},"severity":"INFO","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule"}],"transaction":{"type":"WEB","id":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","detail":{}},"uuid":"f3fdf152-8eb2-11ea-af6d-6ff4ba545a59","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 27 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102xCfoDfXqTqas4lokllvI_A","authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":"OTP","issuer":null,"interface":null},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093}}},"debugContext":{"debugData":{"authnRequestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestId":"XrEyFHAW5aRx5UpfQfZ06AAAEWs","requestUri":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify?rememberDevice=false"}},"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:29:57.044Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164}},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","target":[{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"}],"transaction":{"type":"WEB","id":"XrEyFHAW5aRx5UpfQfZ06AAAEWs","detail":{}},"uuid":"fbf14f6e-8eb2-11ea-af6d-6ff4ba545a59","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102xCfoDfXqTqas4lokllvI_A","authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":"OTP"},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093}}},"debugContext":{"debugData":{"authnRequestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestId":"XrEyFHAW5aRx5UpfQfZ06AAAEWs","requestUri":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify?rememberDevice=false"}},"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:29:57.044Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:29:57.044Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164}},"version":"V4"}]},"securityContext":{},"severity":"INFO","target":[{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"}],"transaction":{"type":"WEB","id":"XrEyFHAW5aRx5UpfQfZ06AAAEWs","detail":{}},"uuid":"fbf14f6e-8eb2-11ea-af6d-6ff4ba545a59","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 28 -logType: Okta.SystemLog -input: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"externalSessionId":"1023sD69JIBQ_eLPh5nLZ7D7Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164}}},"debugContext":{"debugData":{"requestId":"XrEyFkNWiaslHeI685XdGQAAEHk","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"displayMessage":"User accessing Okta admin app","eventType":"user.session.access_admin_app","legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:29:58.695Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London"},"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"INFO","target":[{"id":"00u3mo2ci0RuzhCQe357","type":"AppUser","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}],"transaction":{"type":"WEB","id":"XrEyFkNWiaslHeI685XdGQAAEHk","detail":{}},"uuid":"fced3b73-8eb2-11ea-a57c-950f2517e685","version":"0"}' -result: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"externalSessionId":"1023sD69JIBQ_eLPh5nLZ7D7Q","authenticationStep":0},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","ipAddress":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164}}},"debugContext":{"debugData":{"requestId":"XrEyFkNWiaslHeI685XdGQAAEHk","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"displayMessage":"User accessing Okta admin app","eventType":"user.session.access_admin_app","legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:29:58.695Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:29:58.695Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London"},"version":"V4"}]},"securityContext":{},"severity":"INFO","target":[{"id":"00u3mo2ci0RuzhCQe357","type":"AppUser","alternateId":"foo@bar.com","displayName":"John Doe"}],"transaction":{"type":"WEB","id":"XrEyFkNWiaslHeI685XdGQAAEHk","detail":{}},"uuid":"fced3b73-8eb2-11ea-a57c-950f2517e685","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 29 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsssx2nlapR7iXmdeF4OEGRQ"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000","warningPercent":"60","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrEyy07XR5NsHsU9Szj8hgAAEmI"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:32:59.192Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"transaction":{"type":"WEB","id":"XrEyy07XR5NsHsU9Szj8hgAAEmI","detail":{}},"uuid":"6882e432-8eb3-11ea-a6b7-cf71f57d4442","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsssx2nlapR7iXmdeF4OEGRQ"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000","warningPercent":"60","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrEyy07XR5NsHsU9Szj8hgAAEmI"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:32:59.192Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:32:59.192Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrEyy07XR5NsHsU9Szj8hgAAEmI","detail":{}},"uuid":"6882e432-8eb3-11ea-a6b7-cf71f57d4442","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 30 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsGguELVEbQkOEwSOX-Hw3HA","authenticationProvider":null,"credentialProvider":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","requestId":"XrEy4Ie0rO6XiaQtvAgNbQAAB1A"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:33:20.197Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XrEy4Ie0rO6XiaQtvAgNbQAAB1A","detail":{}},"uuid":"7508002a-8eb3-11ea-a04f-81a81472156a","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsGguELVEbQkOEwSOX-Hw3HA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","requestId":"XrEy4Ie0rO6XiaQtvAgNbQAAB1A"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:33:20.197Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:33:20.197Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrEy4Ie0rO6XiaQtvAgNbQAAB1A","detail":{}},"uuid":"7508002a-8eb3-11ea-a04f-81a81472156a","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 31 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs-dSqQkjKRcOW-8u5g77j3w","authenticationProvider":null,"credentialProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588670999394_1&limit=1000","requestId":"XrEzQgVp30i3cw0jE1JJmAAAATU","warningPercent":"60"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:34:58.440Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrEzQgVp30i3cw0jE1JJmAAAATU","detail":{}},"uuid":"af96b0c9-8eb3-11ea-abac-bda3eefbb100","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs-dSqQkjKRcOW-8u5g77j3w"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588670999394_1&limit=1000","requestId":"XrEzQgVp30i3cw0jE1JJmAAAATU","warningPercent":"60"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:34:58.44Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:34:58.44Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrEzQgVp30i3cw0jE1JJmAAAATU","detail":{}},"uuid":"af96b0c9-8eb3-11ea-abac-bda3eefbb100","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 32 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trszwXQ2FlJSkGvwtXu-2A-DQ","authenticationProvider":null,"credentialProvider":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588670999394_1&limit=1000","timeUnit":"MINUTES","requestId":"XrEzV2MOB6yuxkiYa@yhRAAAE7o","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:35:19.438Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrEzV2MOB6yuxkiYa@yhRAAAE7o","detail":{}},"uuid":"bc1abaff-8eb3-11ea-9b4d-6d898d9545c0","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trszwXQ2FlJSkGvwtXu-2A-DQ"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588670999394_1&limit=1000","timeUnit":"MINUTES","requestId":"XrEzV2MOB6yuxkiYa@yhRAAAE7o","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:35:19.438Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:35:19.438Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrEzV2MOB6yuxkiYa@yhRAAAE7o","detail":{}},"uuid":"bc1abaff-8eb3-11ea-9b4d-6d898d9545c0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 33 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs-Dt5KF-zQRK35ORsxqKyJg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","timeUnit":"MINUTES","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588671201176_1&limit=1000","requestId":"XrEzun5hPHkLIfFvhbwmSwAADzU","warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:36:58.341Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"transaction":{"type":"WEB","id":"XrEzun5hPHkLIfFvhbwmSwAADzU","detail":{}},"uuid":"f70e21fc-8eb3-11ea-a561-47493e2e60a2","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs-Dt5KF-zQRK35ORsxqKyJg"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","timeUnit":"MINUTES","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588671201176_1&limit=1000","requestId":"XrEzun5hPHkLIfFvhbwmSwAADzU","warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:36:58.341Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:36:58.341Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrEzun5hPHkLIfFvhbwmSwAADzU","detail":{}},"uuid":"f70e21fc-8eb3-11ea-a561-47493e2e60a2","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 34 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsaT97zDebSnGacMeKOk84RA","authenticationProvider":null,"credentialProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588671201176_1&limit=1000","timeUnit":"MINUTES","requestId":"XrEzzzn-wFxNr1zSzKgF9QAAFJ8","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:37:19.334Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrEzzzn-wFxNr1zSzKgF9QAAFJ8","detail":{}},"uuid":"039168ad-8eb4-11ea-8936-ab42b09eebb3","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsaT97zDebSnGacMeKOk84RA"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588671201176_1&limit=1000","timeUnit":"MINUTES","requestId":"XrEzzzn-wFxNr1zSzKgF9QAAFJ8","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:37:19.334Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:37:19.334Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrEzzzn-wFxNr1zSzKgF9QAAFJ8","detail":{}},"uuid":"039168ad-8eb4-11ea-8936-ab42b09eebb3","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 35 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs55ZXx8apTC2cBkTyHMIRag"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestId":"XrE0MgIdaCXRDPxam8@QNgAACx0","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588671320515_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:38:58.656Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE0MgIdaCXRDPxam8@QNgAACx0","detail":{}},"uuid":"3ec4be12-8eb4-11ea-b70a-e7df59d7aa62","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs55ZXx8apTC2cBkTyHMIRag"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrE0MgIdaCXRDPxam8@QNgAACx0","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588671320515_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:38:58.656Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:38:58.656Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE0MgIdaCXRDPxam8@QNgAACx0","detail":{}},"uuid":"3ec4be12-8eb4-11ea-b70a-e7df59d7aa62","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 36 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsxfh5tAPLTSOJqP2qp3tjfg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588671320515_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE0R2Wrk@@JYyqBk-4jxgAAExY","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:39:19.654Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE0R2Wrk@@JYyqBk-4jxgAAExY","detail":{}},"uuid":"4b48c932-8eb4-11ea-9caf-87003407f90b","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsxfh5tAPLTSOJqP2qp3tjfg"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588671320515_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE0R2Wrk@@JYyqBk-4jxgAAExY","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:39:19.654Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:39:19.654Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE0R2Wrk@@JYyqBk-4jxgAAExY","detail":{}},"uuid":"4b48c932-8eb4-11ea-9caf-87003407f90b","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 37 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"externalSessionId":"trsFdMM3YUiQ8-Vex2q-3XuLA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588671560676_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE3w@3r6F@XqNiEZP964QAADOg","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:54:11.702Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"id":"XrE3w@3r6F@XqNiEZP964QAADOg","detail":{},"type":"WEB"},"uuid":"5efc818c-8eb6-11ea-965d-6da5dc6b4d61","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"externalSessionId":"trsFdMM3YUiQ8-Vex2q-3XuLA","authenticationStep":0},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588671560676_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE3w@3r6F@XqNiEZP964QAADOg","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:54:11.702Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:54:11.702Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"id":"XrE3w@3r6F@XqNiEZP964QAADOg","detail":{},"type":"WEB"},"uuid":"5efc818c-8eb6-11ea-965d-6da5dc6b4d61","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 38 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsLi8q266AT7On0yboFL8hpg"},"client":{"geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588671560676_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE32KEw-bQ5FxqsmlbZ@wAAAa8","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:54:32.704Z","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE32KEw-bQ5FxqsmlbZ@wAAAa8","detail":{}},"uuid":"6b8128e3-8eb6-11ea-8cbe-bf2eaab2e9ef","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsLi8q266AT7On0yboFL8hpg"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588671560676_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE32KEw-bQ5FxqsmlbZ@wAAAa8","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:54:32.704Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:54:32.704Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE32KEw-bQ5FxqsmlbZ@wAAAa8","detail":{}},"uuid":"6b8128e3-8eb6-11ea-8cbe-bf2eaab2e9ef","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 39 -logType: Okta.SystemLog -input: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs4DKibUjURpOOGZIUgsbcMA"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588672473879_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE4OovrzgsubrSRhiRnEgAAB0E","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:56:10.659Z","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE4OovrzgsubrSRhiRnEgAAB0E","detail":{}},"uuid":"a5e3e819-8eb6-11ea-8aaa-959b94ed26bb","version":"0"}' -result: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs4DKibUjURpOOGZIUgsbcMA"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588672473879_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE4OovrzgsubrSRhiRnEgAAB0E","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:56:10.659Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:56:10.659Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE4OovrzgsubrSRhiRnEgAAB0E","detail":{}},"uuid":"a5e3e819-8eb6-11ea-8aaa-959b94ed26bb","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 40 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"externalSessionId":"trsmzKbH9K9QXKMgZJAzMOt3A","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672473879_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE4T0H@Hmw00TTU@51daAAAEWM","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:56:31.656Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE4T0H@Hmw00TTU@51daAAAEWM","detail":{}},"uuid":"b267cb4c-8eb6-11ea-abac-bda3eefbb100","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"externalSessionId":"trsmzKbH9K9QXKMgZJAzMOt3A","authenticationStep":0},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672473879_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE4T0H@Hmw00TTU@51daAAAEWM","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:56:31.656Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:56:31.656Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE4T0H@Hmw00TTU@51daAAAEWM","detail":{}},"uuid":"b267cb4c-8eb6-11ea-abac-bda3eefbb100","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 41 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs7sQ9KpvnQ0Gmao4UbmSOwQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrE4slvsYUrf30@uCZpT2AAABqQ","url":"/api/v1/logs?limit=1000&after=1588672592595_1&limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:58:10.750Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE4slvsYUrf30@uCZpT2AAABqQ","detail":{}},"uuid":"ed7856dc-8eb6-11ea-aeca-a544dbc5d64e","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs7sQ9KpvnQ0Gmao4UbmSOwQ"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrE4slvsYUrf30@uCZpT2AAABqQ","url":"/api/v1/logs?limit=1000&after=1588672592595_1&limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:58:10.75Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:58:10.75Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE4slvsYUrf30@uCZpT2AAABqQ","detail":{}},"uuid":"ed7856dc-8eb6-11ea-aeca-a544dbc5d64e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 42 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsjcydSSnbS-O6KmXVuhq1TA","authenticationProvider":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"requestId":"XrE4x-enQ5Pq3FItg-jdXAAAFT8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672592595_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:58:31.749Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"id":"XrE4x-enQ5Pq3FItg-jdXAAAFT8","detail":{},"type":"WEB"},"uuid":"f9fc8789-8eb6-11ea-8b3c-c55929189475","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsjcydSSnbS-O6KmXVuhq1TA"},"client":{"ipAddress":"1.1.1.1","userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"requestId":"XrE4x-enQ5Pq3FItg-jdXAAAFT8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672592595_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T09:58:31.749Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T09:58:31.749Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"id":"XrE4x-enQ5Pq3FItg-jdXAAAFT8","detail":{},"type":"WEB"},"uuid":"f9fc8789-8eb6-11ea-8b3c-c55929189475","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 43 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsBz8XCMETS5-wEWIfvFNw6Q","authenticationProvider":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES","url":"/api/v1/logs?limit=1000&after=1588672712039_1&limit=1000","requestId":"XrE5KsZP30Ct5Zl3AMqDdQAAC@g","threshold":"50","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:00:10.811Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE5KsZP30Ct5Zl3AMqDdQAAC@g","detail":{}},"uuid":"350830fb-8eb7-11ea-965d-6da5dc6b4d61","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsBz8XCMETS5-wEWIfvFNw6Q"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES","url":"/api/v1/logs?limit=1000&after=1588672712039_1&limit=1000","requestId":"XrE5KsZP30Ct5Zl3AMqDdQAAC@g","threshold":"50","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:00:10.811Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:00:10.811Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE5KsZP30Ct5Zl3AMqDdQAAC@g","detail":{}},"uuid":"350830fb-8eb7-11ea-965d-6da5dc6b4d61","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 44 -logType: Okta.SystemLog -input: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trskxm6PQPlRLSzHLuLJ4Y8uw"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672712039_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE5P5fVV-k1JB93arg6hQAADx8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:00:31.812Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE5P5fVV-k1JB93arg6hQAADx8","detail":{}},"uuid":"418cb0ed-8eb7-11ea-9b4d-6d898d9545c0","version":"0"}' -result: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trskxm6PQPlRLSzHLuLJ4Y8uw"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672712039_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE5P5fVV-k1JB93arg6hQAADx8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:00:31.812Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:00:31.812Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE5P5fVV-k1JB93arg6hQAADx8","detail":{}},"uuid":"418cb0ed-8eb7-11ea-9b4d-6d898d9545c0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 45 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trslQ99uvI-SsWfpNPASW270Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"}},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588672832671_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE5nnehMrQPJ1YrPbFeuwAAAeE","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:02:06.242Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE5nnehMrQPJ1YrPbFeuwAAAeE","detail":{}},"uuid":"79d590f9-8eb7-11ea-a672-5f81fb6cecd5","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trslQ99uvI-SsWfpNPASW270Q"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"}},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588672832671_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE5nnehMrQPJ1YrPbFeuwAAAeE","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:02:06.242Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:02:06.242Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE5nnehMrQPJ1YrPbFeuwAAAeE","detail":{}},"uuid":"79d590f9-8eb7-11ea-a672-5f81fb6cecd5","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 46 -logType: Okta.SystemLog -input: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsY8Hk5Xx5QJyHUJgQdYMUiA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"}},"debugContext":{"debugData":{"requestId":"XrE5s6bhp3bzQEUHfive1AAADkA","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672832671_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:02:27.236Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE5s6bhp3bzQEUHfive1AAADkA","detail":{}},"uuid":"8658fe56-8eb7-11ea-82e2-356ba42b26b0","version":"0"}' -result: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsY8Hk5Xx5QJyHUJgQdYMUiA"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"}},"debugContext":{"debugData":{"requestId":"XrE5s6bhp3bzQEUHfive1AAADkA","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672832671_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:02:27.236Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:02:27.236Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE5s6bhp3bzQEUHfive1AAADkA","detail":{}},"uuid":"8658fe56-8eb7-11ea-82e2-356ba42b26b0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 47 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsoaBgjOodQF-4yuKPQMNXCQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588672948000_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE6GrIEsM9UqIn@nJOY8gAAA1w","warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:04:10.840Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE6GrIEsM9UqIn@nJOY8gAAA1w","detail":{}},"uuid":"c419b5bc-8eb7-11ea-bd6b-7d993edc4d99","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsoaBgjOodQF-4yuKPQMNXCQ"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588672948000_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE6GrIEsM9UqIn@nJOY8gAAA1w","warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:04:10.84Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:04:10.84Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE6GrIEsM9UqIn@nJOY8gAAA1w","detail":{}},"uuid":"c419b5bc-8eb7-11ea-bd6b-7d993edc4d99","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 48 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsmsJeVEKOQv-IxduQ3tS26A"},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"}},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE6LxEAAx7LcLghmoyEmgAAAFw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672948000_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:04:31.837Z","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE6LxEAAx7LcLghmoyEmgAAAFw","detail":{}},"uuid":"d09d99ce-8eb7-11ea-b611-f1d979f83d84","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsmsJeVEKOQv-IxduQ3tS26A"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"}},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE6LxEAAx7LcLghmoyEmgAAAFw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588672948000_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:04:31.837Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:04:31.837Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE6LxEAAx7LcLghmoyEmgAAAFw","detail":{}},"uuid":"d09d99ce-8eb7-11ea-b611-f1d979f83d84","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 49 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs5NE4ukUHQyiWxtu58-boww"},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673072677_1&limit=1000","requestId":"XrE6kBmJa4z2oxvYkpDgdQAAEsE","warningPercent":"60","timeSpan":"1","threshold":"50","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:06:08.316Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE6kBmJa4z2oxvYkpDgdQAAEsE","detail":{}},"uuid":"0a1f1ffc-8eb8-11ea-a57c-950f2517e685","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs5NE4ukUHQyiWxtu58-boww"},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673072677_1&limit=1000","requestId":"XrE6kBmJa4z2oxvYkpDgdQAAEsE","warningPercent":"60","timeSpan":"1","threshold":"50","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:06:08.316Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:06:08.316Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE6kBmJa4z2oxvYkpDgdQAAEsE","detail":{}},"uuid":"0a1f1ffc-8eb8-11ea-a57c-950f2517e685","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 50 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsDDtInz8kQ1uoLAhRTjbBqA"},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673072677_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE6pS27VfkqqJWpbgzy7gAAELQ","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:06:29.320Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XrE6pS27VfkqqJWpbgzy7gAAELQ","detail":{}},"uuid":"16a414bd-8eb8-11ea-82e2-356ba42b26b0","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsDDtInz8kQ1uoLAhRTjbBqA"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673072677_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE6pS27VfkqqJWpbgzy7gAAELQ","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:06:29.32Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:06:29.32Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE6pS27VfkqqJWpbgzy7gAAELQ","detail":{}},"uuid":"16a414bd-8eb8-11ea-82e2-356ba42b26b0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 51 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsW0NRQK_sSq-ABs26kTzO4w","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","url":"/api/v1/logs?limit=1000&after=1588673190341_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE7C@3r6F@XqNiEZP@SVQAADKg","warningPercent":"60","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:08:11.022Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE7C@3r6F@XqNiEZP@SVQAADKg","detail":{}},"uuid":"53429308-8eb8-11ea-b70a-e7df59d7aa62","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsW0NRQK_sSq-ABs26kTzO4w"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","url":"/api/v1/logs?limit=1000&after=1588673190341_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE7C@3r6F@XqNiEZP@SVQAADKg","warningPercent":"60","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:08:11.022Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:08:11.022Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE7C@3r6F@XqNiEZP@SVQAADKg","detail":{}},"uuid":"53429308-8eb8-11ea-b70a-e7df59d7aa62","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 52 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs9C1nRza2Qea6vvY8b9uBBA"},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673190341_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE7IKePYtd7JtnbQ1ihnQAAAzc","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:08:32.024Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE7IKePYtd7JtnbQ1ihnQAAAzc","detail":{}},"uuid":"5fc73a6b-8eb8-11ea-8cbe-bf2eaab2e9ef","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs9C1nRza2Qea6vvY8b9uBBA"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673190341_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE7IKePYtd7JtnbQ1ihnQAAAzc","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:08:32.024Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:08:32.024Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE7IKePYtd7JtnbQ1ihnQAAAzc","detail":{}},"uuid":"5fc73a6b-8eb8-11ea-8cbe-bf2eaab2e9ef","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 53 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsxc2kkNMCQ-WahLf93GcN_w","authenticationProvider":null,"credentialProvider":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","timeSpan":"1","warningPercent":"60","threshold":"50","url":"/api/v1/logs?limit=1000&after=1588673313139_1&limit=1000","requestId":"XrE7gnpFJJ1p6j3-wha7eQAAD9E"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T10:10:10.586Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"id":"XrE7gnpFJJ1p6j3-wha7eQAAD9E","detail":{},"type":"WEB"},"uuid":"9a869822-8eb8-11ea-b9fc-61056b16b278","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsxc2kkNMCQ-WahLf93GcN_w"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","timeSpan":"1","warningPercent":"60","threshold":"50","url":"/api/v1/logs?limit=1000&after=1588673313139_1&limit=1000","requestId":"XrE7gnpFJJ1p6j3-wha7eQAAD9E"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:10:10.586Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:10:10.586Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"id":"XrE7gnpFJJ1p6j3-wha7eQAAD9E","detail":{},"type":"WEB"},"uuid":"9a869822-8eb8-11ea-b9fc-61056b16b278","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 54 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs0iGo25DtSKCRx8Lj0bZCHw","authenticationProvider":null,"credentialProvider":null},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673313139_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE7l4zaB9tH9ugqPHDIqQAAEsg","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:10:31.589Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"detail":{},"type":"WEB","id":"XrE7l4zaB9tH9ugqPHDIqQAAEsg"},"uuid":"a70b65db-8eb8-11ea-ba49-7f15d05ef278","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs0iGo25DtSKCRx8Lj0bZCHw"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673313139_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE7l4zaB9tH9ugqPHDIqQAAEsg","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:10:31.589Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:10:31.589Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"detail":{},"type":"WEB","id":"XrE7l4zaB9tH9ugqPHDIqQAAEsg"},"uuid":"a70b65db-8eb8-11ea-ba49-7f15d05ef278","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 55 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsY5C_Zq7HQZm3-qgkspRT1w","authenticationProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"requestId":"XrE79aePYtd7JtnbQ1imjgAAAzc","warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673432515_1&limit=1000","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:12:06.007Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE79aePYtd7JtnbQ1imjgAAAzc","detail":{}},"uuid":"df52710d-8eb8-11ea-8b3c-c55929189475","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsY5C_Zq7HQZm3-qgkspRT1w"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"requestId":"XrE79aePYtd7JtnbQ1imjgAAAzc","warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673432515_1&limit=1000","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:12:06.007Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:12:06.007Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE79aePYtd7JtnbQ1imjgAAAzc","detail":{}},"uuid":"df52710d-8eb8-11ea-8b3c-c55929189475","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 56 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPx7wEDF9S3mmyAEwjA98cg","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673432515_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE8CqjRygVen0SUkJebQgAADyQ","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:12:27.008Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE8CqjRygVen0SUkJebQgAADyQ","detail":{}},"uuid":"ebd6f0b1-8eb8-11ea-965d-6da5dc6b4d61","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsPx7wEDF9S3mmyAEwjA98cg"},"client":{"ipAddress":"1.1.1.1","userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673432515_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE8CqjRygVen0SUkJebQgAADyQ","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:12:27.008Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:12:27.008Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE8CqjRygVen0SUkJebQgAADyQ","detail":{}},"uuid":"ebd6f0b1-8eb8-11ea-965d-6da5dc6b4d61","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 57 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs7-MOLLOxS0-LG3ZtMMF0jA","authenticationProvider":null},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"}},"debugContext":{"debugData":{"timeSpan":"1","threatSuspected":"false","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673547459_1&limit=1000","requestId":"XrE8cznw7CtbP0yJVwVs7QAAEgI"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:14:11.145Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XrE8cznw7CtbP0yJVwVs7QAAEgI","detail":{}},"uuid":"29e8fc1f-8eb9-11ea-aeca-a544dbc5d64e","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs7-MOLLOxS0-LG3ZtMMF0jA"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"}},"debugContext":{"debugData":{"timeSpan":"1","threatSuspected":"false","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673547459_1&limit=1000","requestId":"XrE8cznw7CtbP0yJVwVs7QAAEgI"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:14:11.145Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:14:11.145Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE8cznw7CtbP0yJVwVs7QAAEgI","detail":{}},"uuid":"29e8fc1f-8eb9-11ea-aeca-a544dbc5d64e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 58 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs1Z_-WCrvTr6Sx45M5fDLXg","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000&after=1588673547459_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE8iNh-vHogmJ8NIM3iqgAABaY","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:14:32.146Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE8iNh-vHogmJ8NIM3iqgAABaY","detail":{}},"uuid":"366d7b32-8eb9-11ea-94f8-45ab612226ab","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs1Z_-WCrvTr6Sx45M5fDLXg"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000&after=1588673547459_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE8iNh-vHogmJ8NIM3iqgAABaY","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:14:32.146Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:14:32.146Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE8iNh-vHogmJ8NIM3iqgAABaY","detail":{}},"uuid":"366d7b32-8eb9-11ea-94f8-45ab612226ab","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 59 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsqXZYn4VJQlWEtiX8TdGTiw"},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrE86j66FdOwKsQJVQRVjAAADCU","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588673672587_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:16:10.785Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XrE86j66FdOwKsQJVQRVjAAADCU","detail":{}},"uuid":"71389917-8eb9-11ea-adf2-ed39f0ba450d","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsqXZYn4VJQlWEtiX8TdGTiw"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrE86j66FdOwKsQJVQRVjAAADCU","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588673672587_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:16:10.785Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:16:10.785Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE86j66FdOwKsQJVQRVjAAADCU","detail":{}},"uuid":"71389917-8eb9-11ea-adf2-ed39f0ba450d","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 60 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs7UCHzEGbSx-XoQRUK-7BJA","authenticationProvider":null,"credentialProvider":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE8-45erIFpVwGi1Emu@wAADmI","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673672587_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:16:31.959Z","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE8-45erIFpVwGi1Emu@wAADmI","detail":{}},"uuid":"7dd77ec0-8eb9-11ea-82e2-356ba42b26b0","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs7UCHzEGbSx-XoQRUK-7BJA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE8-45erIFpVwGi1Emu@wAADmI","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673672587_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:16:31.959Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:16:31.959Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE8-45erIFpVwGi1Emu@wAADmI","detail":{}},"uuid":"7dd77ec0-8eb9-11ea-82e2-356ba42b26b0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 61 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs56imW9-hT4mXUQxM7pR-Pw","authenticationProvider":null,"credentialProvider":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","url":"/api/v1/logs?limit=1000&after=1588673792565_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE9YgQlhQc@sTWCXHrxJwAAEx4","warningPercent":"60","threshold":"50","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:18:10.704Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"detail":{},"type":"WEB","id":"XrE9YgQlhQc@sTWCXHrxJwAAEx4"},"uuid":"b8b2c9f8-8eb9-11ea-a0ba-379f04824fb1","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs56imW9-hT4mXUQxM7pR-Pw"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","url":"/api/v1/logs?limit=1000&after=1588673792565_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE9YgQlhQc@sTWCXHrxJwAAEx4","warningPercent":"60","threshold":"50","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:18:10.704Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:18:10.704Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"detail":{},"type":"WEB","id":"XrE9YgQlhQc@sTWCXHrxJwAAEx4"},"uuid":"b8b2c9f8-8eb9-11ea-a0ba-379f04824fb1","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 62 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"externalSessionId":"trsdg9YDpRuRgKaOLUj5oKsdw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE9d9wlaOBew8uKlh7rkgAAA0s","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673792565_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:18:31.707Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"id":"XrE9d9wlaOBew8uKlh7rkgAAA0s","detail":{},"type":"WEB"},"uuid":"c53796ba-8eb9-11ea-b3e6-1d46bc417fb6","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"externalSessionId":"trsdg9YDpRuRgKaOLUj5oKsdw","authenticationStep":0},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE9d9wlaOBew8uKlh7rkgAAA0s","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673792565_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:18:31.707Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:18:31.707Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"id":"XrE9d9wlaOBew8uKlh7rkgAAA0s","detail":{},"type":"WEB"},"uuid":"c53796ba-8eb9-11ea-b3e6-1d46bc417fb6","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 63 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsnyGjrmSkQle5e4SRGvZglA"},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"debugContext":{"debugData":{"warningPercent":"60","requestUri":"/api/v1/logs","timeUnit":"MINUTES","requestId":"XrE92lvsYUrf30@uCZpt-gAABoU","threshold":"50","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673912497_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T10:20:10.767Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE92lvsYUrf30@uCZpt-gAABoU","detail":{}},"uuid":"0042f1fc-8eba-11ea-a04f-81a81472156a","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsnyGjrmSkQle5e4SRGvZglA"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"warningPercent":"60","requestUri":"/api/v1/logs","timeUnit":"MINUTES","requestId":"XrE92lvsYUrf30@uCZpt-gAABoU","threshold":"50","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673912497_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:20:10.767Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:20:10.767Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE92lvsYUrf30@uCZpt-gAABoU","detail":{}},"uuid":"0042f1fc-8eba-11ea-a04f-81a81472156a","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 64 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsTE7n3E68RjOlx_LfF-RZXQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE97@an-mUZdi219wQzgwAAEjs","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673912497_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:20:31.769Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE97@an-mUZdi219wQzgwAAEjs","detail":{}},"uuid":"0cc798b0-8eba-11ea-abd3-1d668132201e","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsTE7n3E68RjOlx_LfF-RZXQ"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE97@an-mUZdi219wQzgwAAEjs","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588673912497_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:20:31.769Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:20:31.769Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrE97@an-mUZdi219wQzgwAAEjs","detail":{}},"uuid":"0cc798b0-8eba-11ea-abd3-1d668132201e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 65 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsn5zK28QtR0uXn28sBMXonQ","authenticationProvider":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000&after=1588674032426_1&limit=1000","requestId":"XrE@TwVp30i3cw0jE1KOvwAAAPo","userId":"00u3mo2ci0RuzhCQe357","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES","warningPercent":"60","threshold":"50"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:22:07.184Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"detail":{},"type":"WEB","id":"XrE@TwVp30i3cw0jE1KOvwAAAPo"},"uuid":"45a6c519-8eba-11ea-8b3c-c55929189475","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsn5zK28QtR0uXn28sBMXonQ"},"client":{"ipAddress":"1.1.1.1","userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000&after=1588674032426_1&limit=1000","requestId":"XrE@TwVp30i3cw0jE1KOvwAAAPo","userId":"00u3mo2ci0RuzhCQe357","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES","warningPercent":"60","threshold":"50"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:22:07.184Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:22:07.184Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"detail":{},"type":"WEB","id":"XrE@TwVp30i3cw0jE1KOvwAAAPo"},"uuid":"45a6c519-8eba-11ea-8b3c-c55929189475","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 66 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trssjZmnfC_QheY69POkrAlrw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674032426_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE@ZDn-wFxNr1zSzKhZPQAAFG8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:22:28.188Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"transaction":{"type":"WEB","id":"XrE@ZDn-wFxNr1zSzKhZPQAAFG8","detail":{}},"uuid":"522bba5e-8eba-11ea-b9c2-0dd5b21f944b","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trssjZmnfC_QheY69POkrAlrw"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674032426_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE@ZDn-wFxNr1zSzKhZPQAAFG8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:22:28.188Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:22:28.188Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE@ZDn-wFxNr1zSzKhZPQAAFG8","detail":{}},"uuid":"522bba5e-8eba-11ea-b9c2-0dd5b21f944b","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 67 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"externalSessionId":"trs8mkv_xN6Q3uxZL2JykiXfw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestId":"XrE@yls-7N-b7zu5QlJQTAAAEHo","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588674149179_1&limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:24:10.938Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE@yls-7N-b7zu5QlJQTAAAEHo","detail":{}},"uuid":"8f6a21e2-8eba-11ea-9fd1-bb7360a0b10c","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"externalSessionId":"trs8mkv_xN6Q3uxZL2JykiXfw","authenticationStep":0},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrE@yls-7N-b7zu5QlJQTAAAEHo","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588674149179_1&limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:24:10.938Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:24:10.938Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE@yls-7N-b7zu5QlJQTAAAEHo","detail":{}},"uuid":"8f6a21e2-8eba-11ea-9fd1-bb7360a0b10c","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 68 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs_Osy-QHSQvSuV4XIrZ_tzA","authenticationProvider":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674149179_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE@301ETj3E3czvhhMq6QAAAF4","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:24:31.945Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE@301ETj3E3czvhhMq6QAAAF4","detail":{}},"uuid":"9bef8bf2-8eba-11ea-82e2-356ba42b26b0","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs_Osy-QHSQvSuV4XIrZ_tzA"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674149179_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE@301ETj3E3czvhhMq6QAAAF4","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:24:31.945Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:24:31.945Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE@301ETj3E3czvhhMq6QAAAF4","detail":{}},"uuid":"9bef8bf2-8eba-11ea-82e2-356ba42b26b0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 69 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs8ezvjqNdTIuNvebCfVkDvA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","requestId":"XrE-QkH@Hmw00TTU@52P3wAAEVw","threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588674272534_1&limit=1000","timeUnit":"MINUTES","warningPercent":"60"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:26:10.680Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"detail":{},"type":"WEB","id":"XrE-QkH@Hmw00TTU@52P3wAAEVw"},"uuid":"d6c95067-8eba-11ea-b823-db4e40ee0137","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs8ezvjqNdTIuNvebCfVkDvA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","requestId":"XrE-QkH@Hmw00TTU@52P3wAAEVw","threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588674272534_1&limit=1000","timeUnit":"MINUTES","warningPercent":"60"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:26:10.68Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:26:10.68Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"detail":{},"type":"WEB","id":"XrE-QkH@Hmw00TTU@52P3wAAEVw"},"uuid":"d6c95067-8eba-11ea-b823-db4e40ee0137","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 70 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs44CgqwPsQhmLGT8KA4ochw","authenticationProvider":null,"credentialProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"requestId":"XrE-V04MZnO8t6TkdnOVnwAAAQo","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674272534_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:26:31.684Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrE-V04MZnO8t6TkdnOVnwAAAQo","detail":{}},"uuid":"e34e450c-8eba-11ea-b70a-e7df59d7aa62","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs44CgqwPsQhmLGT8KA4ochw"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"requestId":"XrE-V04MZnO8t6TkdnOVnwAAAQo","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674272534_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:26:31.684Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:26:31.684Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE-V04MZnO8t6TkdnOVnwAAAQo","detail":{}},"uuid":"e34e450c-8eba-11ea-b70a-e7df59d7aa62","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 71 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsNStE8sXvTW-xPL-IkNPiIw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrE-uk4MZnO8t6TkdnOYWwAAAQo","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","timeUnit":"MINUTES","threshold":"50","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674392876_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:28:10.667Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE-uk4MZnO8t6TkdnOYWwAAAQo","detail":{}},"uuid":"1e4de073-8ebb-11ea-9424-4db38b988f86","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsNStE8sXvTW-xPL-IkNPiIw"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrE-uk4MZnO8t6TkdnOYWwAAAQo","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","timeUnit":"MINUTES","threshold":"50","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674392876_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:28:10.667Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:28:10.667Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE-uk4MZnO8t6TkdnOYWwAAAQo","detail":{}},"uuid":"1e4de073-8ebb-11ea-9424-4db38b988f86","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 72 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"externalSessionId":"trsAGWkP27TR8K3QPE7qkaFiw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674392876_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE-z-QdodjJSHySIWsZjgAAASE","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:28:31.663Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XrE-z-QdodjJSHySIWsZjgAAASE","detail":{}},"uuid":"2ad19c78-8ebb-11ea-a0ba-379f04824fb1","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"externalSessionId":"trsAGWkP27TR8K3QPE7qkaFiw","authenticationStep":0},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674392876_1&limit=1000","timeUnit":"MINUTES","requestId":"XrE-z-QdodjJSHySIWsZjgAAASE","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:28:31.663Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:28:31.663Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrE-z-QdodjJSHySIWsZjgAAASE","detail":{}},"uuid":"2ad19c78-8ebb-11ea-a0ba-379f04824fb1","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 73 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsC9_zAgzSTTCXog08Shebaw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","url":"/api/v1/logs?limit=1000&after=1588674512526_1&limit=1000","requestId":"XrFAL6UM0GYBxBYcLmbsGgAAASE","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:30:07.127Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFAL6UM0GYBxBYcLmbsGgAAASE","detail":{}},"uuid":"63b84288-8ebb-11ea-abd3-1d668132201e","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsC9_zAgzSTTCXog08Shebaw"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","url":"/api/v1/logs?limit=1000&after=1588674512526_1&limit=1000","requestId":"XrFAL6UM0GYBxBYcLmbsGgAAASE","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:30:07.127Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:30:07.127Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFAL6UM0GYBxBYcLmbsGgAAASE","detail":{}},"uuid":"63b84288-8ebb-11ea-abd3-1d668132201e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 74 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"externalSessionId":"trsJWp3AarMTT2KzDb6UqvV5Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674512526_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFARFvsYUrf30@uCZp5ZAAABp0","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:30:28.124Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFARFvsYUrf30@uCZp5ZAAABp0","detail":{}},"uuid":"703c2649-8ebb-11ea-abd1-d96b7fcb273d","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"externalSessionId":"trsJWp3AarMTT2KzDb6UqvV5Q","authenticationStep":0},"client":{"ipAddress":"1.1.1.1","userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674512526_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFARFvsYUrf30@uCZp5ZAAABp0","threshold":"50"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:30:28.124Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:30:28.124Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFARFvsYUrf30@uCZp5ZAAABp0","detail":{}},"uuid":"703c2649-8ebb-11ea-abd1-d96b7fcb273d","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 75 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsoFJQ24y3TDyKYuyEeVtYIQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"warningPercent":"60","timeSpan":"1","timeUnit":"MINUTES","requestId":"XrFAqoLAJMDIusENvq9y4QAADhA","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674628854_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:32:10.646Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFAqoLAJMDIusENvq9y4QAADhA","detail":{}},"uuid":"ad57c3ed-8ebb-11ea-837c-8f84d82c8d23","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsoFJQ24y3TDyKYuyEeVtYIQ"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"warningPercent":"60","timeSpan":"1","timeUnit":"MINUTES","requestId":"XrFAqoLAJMDIusENvq9y4QAADhA","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674628854_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:32:10.646Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:32:10.646Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFAqoLAJMDIusENvq9y4QAADhA","detail":{}},"uuid":"ad57c3ed-8ebb-11ea-837c-8f84d82c8d23","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 76 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"externalSessionId":"trsDcy7icVsTXOeLV2i8VIEWw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674628854_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFAv-cOD88CV28@AwdLMQAABDo"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:32:31.647Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XrFAv-cOD88CV28@AwdLMQAABDo","detail":{}},"uuid":"b9dc435a-8ebb-11ea-ada5-5fef26acfbc9","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"externalSessionId":"trsDcy7icVsTXOeLV2i8VIEWw","authenticationStep":0},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674628854_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFAv-cOD88CV28@AwdLMQAABDo"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:32:31.647Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:32:31.647Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFAv-cOD88CV28@AwdLMQAABDo","detail":{}},"uuid":"b9dc435a-8ebb-11ea-ada5-5fef26acfbc9","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 77 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs9_xfqQ2mSKWujaPlIeJ5dQ","authenticationProvider":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588674752224_1&limit=1000","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFBHean-mUZdi219wRHqwAAEjs","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:34:05.127Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFBHean-mUZdi219wRHqwAAEjs","detail":{}},"uuid":"f1942d82-8ebb-11ea-aeca-a544dbc5d64e","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs9_xfqQ2mSKWujaPlIeJ5dQ"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588674752224_1&limit=1000","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFBHean-mUZdi219wRHqwAAEjs","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:34:05.127Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:34:05.127Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFBHean-mUZdi219wRHqwAAEjs","detail":{}},"uuid":"f1942d82-8ebb-11ea-aeca-a544dbc5d64e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 78 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsZKjIBa07ShGiH1-fqQ11zw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674752224_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFBMgv9rG@QtvA52XIeiAAAByY","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:34:26.123Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFBMgv9rG@QtvA52XIeiAAAByY","detail":{}},"uuid":"fe17ea9d-8ebb-11ea-a6b7-cf71f57d4442","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsZKjIBa07ShGiH1-fqQ11zw"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674752224_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFBMgv9rG@QtvA52XIeiAAAByY","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:34:26.123Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:34:26.123Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFBMgv9rG@QtvA52XIeiAAAByY","detail":{}},"uuid":"fe17ea9d-8ebb-11ea-a6b7-cf71f57d4442","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 79 -logType: Okta.SystemLog -input: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsv0gnF2CTQdGSDgSoZhqTAw","authenticationProvider":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestId":"XrFBmlvsYUrf30@uCZp-zgAABpk","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674866876_1&limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:36:10.725Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFBmlvsYUrf30@uCZp-zgAABpk","detail":{}},"uuid":"3c70ea10-8ebc-11ea-874a-2fc94466cbde","version":"0"}' -result: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsv0gnF2CTQdGSDgSoZhqTAw"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrFBmlvsYUrf30@uCZp-zgAABpk","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674866876_1&limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:36:10.725Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:36:10.725Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFBmlvsYUrf30@uCZp-zgAABpk","detail":{}},"uuid":"3c70ea10-8ebc-11ea-874a-2fc94466cbde","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 80 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsVtv1XeRbTFWprOF_8p-csQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrFBr7bV1sm78T1X2@XySwAADMg","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674866876_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:36:31.727Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFBr7bV1sm78T1X2@XySwAADMg","detail":{}},"uuid":"48f59075-8ebc-11ea-afeb-efa9a81fb877","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsVtv1XeRbTFWprOF_8p-csQ"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrFBr7bV1sm78T1X2@XySwAADMg","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674866876_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:36:31.727Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:36:31.727Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFBr7bV1sm78T1X2@XySwAADMg","detail":{}},"uuid":"48f59075-8ebc-11ea-afeb-efa9a81fb877","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 81 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsz9wM-17ERb6AGAty-4A7Vg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null"},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFCEnWh6j118-TwvwDADAAAA3M","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588674992071_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:38:10.701Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFCEnWh6j118-TwvwDADAAAA3M","detail":{}},"uuid":"83f3cbe4-8ebc-11ea-b70a-e7df59d7aa62","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsz9wM-17ERb6AGAty-4A7Vg"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null"},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFCEnWh6j118-TwvwDADAAAA3M","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588674992071_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:38:10.701Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:38:10.701Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFCEnWh6j118-TwvwDADAAAA3M","detail":{}},"uuid":"83f3cbe4-8ebc-11ea-b70a-e7df59d7aa62","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 82 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsyzk0YgPnStmg85RAEg_0AA","authenticationProvider":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674992071_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFCJ60nT1FhhE9h96tEngAAByI","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:38:31.700Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"transaction":{"type":"WEB","id":"XrFCJ60nT1FhhE9h96tEngAAByI","detail":{}},"uuid":"9077fdae-8ebc-11ea-a0ba-379f04824fb1","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsyzk0YgPnStmg85RAEg_0AA"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588674992071_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFCJ60nT1FhhE9h96tEngAAByI","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:38:31.7Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:38:31.7Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFCJ60nT1FhhE9h96tEngAAByI","detail":{}},"uuid":"9077fdae-8ebc-11ea-a0ba-379f04824fb1","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 83 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsStsGG3ZJRP6TjRYVeOqqnw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588675111954_1&limit=1000","requestId":"XrFCivboihgf9k0vFE3flQAAAbI","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:40:10.692Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFCivboihgf9k0vFE3flQAAAbI","detail":{}},"uuid":"cb78f8b5-8ebc-11ea-965d-6da5dc6b4d61","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsStsGG3ZJRP6TjRYVeOqqnw"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588675111954_1&limit=1000","requestId":"XrFCivboihgf9k0vFE3flQAAAbI","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:40:10.692Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:40:10.692Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFCivboihgf9k0vFE3flQAAAbI","detail":{}},"uuid":"cb78f8b5-8ebc-11ea-965d-6da5dc6b4d61","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 84 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trslfT_A1LuT_WG7Z9PdodFoA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675111954_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFCnwQlhQc@sTWCXHoaWwAAEwo","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:40:31.691Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFCnwQlhQc@sTWCXHoaWwAAEwo","detail":{}},"uuid":"d7fd2a5b-8ebc-11ea-a561-47493e2e60a2","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trslfT_A1LuT_WG7Z9PdodFoA"},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675111954_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFCnwQlhQc@sTWCXHoaWwAAEwo","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:40:31.691Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:40:31.691Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFCnwQlhQc@sTWCXHoaWwAAEwo","detail":{}},"uuid":"d7fd2a5b-8ebc-11ea-a561-47493e2e60a2","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 85 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"externalSessionId":"trsT4qu9luVRu2VdIsvSWBDCA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFC-ovrzgsubrSRhiSsKgAAB0E","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588675232499_1&limit=1000","warningPercent":"60"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:42:06.228Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFC-ovrzgsubrSRhiSsKgAAB0E","detail":{}},"uuid":"10565dcd-8ebd-11ea-abd3-1d668132201e","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"externalSessionId":"trsT4qu9luVRu2VdIsvSWBDCA","authenticationStep":0},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFC-ovrzgsubrSRhiSsKgAAB0E","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000&after=1588675232499_1&limit=1000","warningPercent":"60"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:42:06.228Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:42:06.228Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFC-ovrzgsubrSRhiSsKgAAB0E","detail":{}},"uuid":"10565dcd-8ebd-11ea-abd3-1d668132201e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 86 -logType: Okta.SystemLog -input: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsDmVaG8i4RZ2SD5TvUgJhqQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675232499_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFDE7bV1sm78T1X2@X7pAAADOI","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:42:27.225Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFDE7bV1sm78T1X2@X7pAAADOI","detail":{}},"uuid":"1cda40ae-8ebd-11ea-abd3-1d668132201e","version":"0"}' -result: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsDmVaG8i4RZ2SD5TvUgJhqQ"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675232499_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFDE7bV1sm78T1X2@X7pAAADOI","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:42:27.225Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:42:27.225Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFDE7bV1sm78T1X2@X7pAAADOI","detail":{}},"uuid":"1cda40ae-8ebd-11ea-abd3-1d668132201e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 87 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsKOWj0B51Q-ukLMXFhVupmw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null"},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000&after=1588675347901_1&limit=1000","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","requestId":"XrFDej@Lf3n8Pj8mzXH1kgAABPk","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:44:10.911Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFDej@Lf3n8Pj8mzXH1kgAABPk","detail":{}},"uuid":"5aa77b5c-8ebd-11ea-b9fc-61056b16b278","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsKOWj0B51Q-ukLMXFhVupmw"},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null"},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000&after=1588675347901_1&limit=1000","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","requestId":"XrFDej@Lf3n8Pj8mzXH1kgAABPk","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:44:10.911Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:44:10.911Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFDej@Lf3n8Pj8mzXH1kgAABPk","detail":{}},"uuid":"5aa77b5c-8ebd-11ea-b9fc-61056b16b278","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 88 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsjKLlLVoVSZqtTxSTIOgzxg","authenticationProvider":null},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675347901_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFDj0ZkozEynuDR0MGhVgAADiI","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:44:31.913Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFDj0ZkozEynuDR0MGhVgAADiI","detail":{}},"uuid":"672c21a3-8ebd-11ea-a561-47493e2e60a2","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsjKLlLVoVSZqtTxSTIOgzxg"},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675347901_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFDj0ZkozEynuDR0MGhVgAADiI","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:44:31.913Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:44:31.913Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFDj0ZkozEynuDR0MGhVgAADiI","detail":{}},"uuid":"672c21a3-8ebd-11ea-a561-47493e2e60a2","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 89 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsngtN0TJJSq-cRIvN5-aB_Q"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675472781_1&limit=1000","threshold":"50","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","timeUnit":"MINUTES","requestId":"XrFD7D@Lf3n8Pj8mzXH4RwAABPk"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T10:46:04.407Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFD7D@Lf3n8Pj8mzXH4RwAABPk","detail":{}},"uuid":"9e4d9949-8ebd-11ea-b611-f1d979f83d84","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsngtN0TJJSq-cRIvN5-aB_Q"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675472781_1&limit=1000","threshold":"50","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","timeUnit":"MINUTES","requestId":"XrFD7D@Lf3n8Pj8mzXH4RwAABPk"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:46:04.407Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:46:04.407Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFD7D@Lf3n8Pj8mzXH4RwAABPk","detail":{}},"uuid":"9e4d9949-8ebd-11ea-b611-f1d979f83d84","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 90 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsYITx7VKdTvulh47b8Vbh9w"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675472781_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFEAQPeLOKhwhWFk9FcpQAAAnM","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:46:25.406Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFEAQPeLOKhwhWFk9FcpQAAAnM","detail":{}},"uuid":"aad1c9f7-8ebd-11ea-a0ba-379f04824fb1","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsYITx7VKdTvulh47b8Vbh9w"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675472781_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFEAQPeLOKhwhWFk9FcpQAAAnM","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:46:25.406Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:46:25.406Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFEAQPeLOKhwhWFk9FcpQAAAnM","detail":{}},"uuid":"aad1c9f7-8ebd-11ea-a0ba-379f04824fb1","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 91 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsUz-ZZ-69RbGWGcTZtRQ3vw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"threshold":"50","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675586163_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFEavXjc7OfNk-q70maxgAAExE","warningPercent":"60","timeSpan":"1","threatSuspected":"false"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:48:10.789Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"transaction":{"type":"WEB","id":"XrFEavXjc7OfNk-q70maxgAAExE","detail":{}},"uuid":"e9a1f55c-8ebd-11ea-baf6-b58aa7127d4c","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsUz-ZZ-69RbGWGcTZtRQ3vw"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675586163_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFEavXjc7OfNk-q70maxgAAExE","warningPercent":"60","timeSpan":"1","threatSuspected":"false"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:48:10.789Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:48:10.789Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFEavXjc7OfNk-q70maxgAAExE","detail":{}},"uuid":"e9a1f55c-8ebd-11ea-baf6-b58aa7127d4c","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 92 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsgM0RpzkxTFy37NOB9pW-6g","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrFEf5a-SjOG@MbFt9Q@GQAAEUA","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675586163_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:48:31.789Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFEf5a-SjOG@MbFt9Q@GQAAEUA","detail":{}},"uuid":"f6264df6-8ebd-11ea-8936-ab42b09eebb3","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsgM0RpzkxTFy37NOB9pW-6g"},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrFEf5a-SjOG@MbFt9Q@GQAAEUA","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675586163_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:48:31.789Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:48:31.789Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFEf5a-SjOG@MbFt9Q@GQAAEUA","detail":{}},"uuid":"f6264df6-8ebd-11ea-8936-ab42b09eebb3","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 93 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsq-8tXCInQ96eZXTsy_qhVg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestId":"XrFE3yhlgQ7cxaCrlGcPHQAAETw","warningPercent":"60","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675713059_1&limit=1000","threshold":"50","requestUri":"/api/v1/logs","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T10:50:07.333Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFE3yhlgQ7cxaCrlGcPHQAAETw","detail":{}},"uuid":"2f192a3f-8ebe-11ea-8aaa-959b94ed26bb","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsq-8tXCInQ96eZXTsy_qhVg"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrFE3yhlgQ7cxaCrlGcPHQAAETw","warningPercent":"60","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675713059_1&limit=1000","threshold":"50","requestUri":"/api/v1/logs","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:50:07.333Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:50:07.333Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"type":"WEB","id":"XrFE3yhlgQ7cxaCrlGcPHQAAETw","detail":{}},"uuid":"2f192a3f-8ebe-11ea-8aaa-959b94ed26bb","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 94 -logType: Okta.SystemLog -input: '{"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsmlZ6_exZS7CQs65fCHMbgQ"},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrFE9Fefz-B54FiebJ6wuAAAEwk","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675713059_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:50:28.328Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFE9Fefz-B54FiebJ6wuAAAEwk","detail":{}},"uuid":"3b9cbeb9-8ebe-11ea-874a-2fc94466cbde","version":"0"}' -result: '{"actor":{"displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsmlZ6_exZS7CQs65fCHMbgQ"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrFE9Fefz-B54FiebJ6wuAAAEwk","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675713059_1&limit=1000"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:50:28.328Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:50:28.328Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFE9Fefz-B54FiebJ6wuAAAEwk","detail":{}},"uuid":"3b9cbeb9-8ebe-11ea-874a-2fc94466cbde","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 95 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsg6IXhKhBQuOP5VleUY2DIg"},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"requestId":"XrFFWgQlhQc@sTWCXHoxtwAAEwo","warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675829279_1&limit=1000","timeUnit":"MINUTES","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:52:10.887Z","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFFWgQlhQc@sTWCXHoxtwAAEwo","detail":{}},"uuid":"78be01aa-8ebe-11ea-aeca-a544dbc5d64e","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsg6IXhKhBQuOP5VleUY2DIg"},"client":{"zone":"null","device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"debugContext":{"debugData":{"requestId":"XrFFWgQlhQc@sTWCXHoxtwAAEwo","warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675829279_1&limit=1000","timeUnit":"MINUTES","threshold":"50","timeSpan":"1"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:52:10.887Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:52:10.887Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFFWgQlhQc@sTWCXHoxtwAAEwo","detail":{}},"uuid":"78be01aa-8ebe-11ea-aeca-a544dbc5d64e","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 96 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsWLNyNeB1TuaOf9KUtafqjQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675829279_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFFb6vcOlZWM2vVN2XrrQAAA-o"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:52:31.887Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"severity":"WARN","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFFb6vcOlZWM2vVN2XrrQAAA-o","detail":{}},"uuid":"85425adf-8ebe-11ea-b9fc-61056b16b278","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsWLNyNeB1TuaOf9KUtafqjQ"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675829279_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFFb6vcOlZWM2vVN2XrrQAAA-o"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:52:31.887Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:52:31.887Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFFb6vcOlZWM2vVN2XrrQAAA-o","detail":{}},"uuid":"85425adf-8ebe-11ea-b9fc-61056b16b278","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 97 -logType: Okta.SystemLog -input: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPo_I88spSiO7D-Z3DiP2nA","authenticationProvider":null,"credentialProvider":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"debugContext":{"debugData":{"requestId":"XrFFzVUO@EPHfYJRM8GZHwAAEK4","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588675952841_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:54:05.450Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFFzVUO@EPHfYJRM8GZHwAAEK4","detail":{}},"uuid":"bd06eee7-8ebe-11ea-82e2-356ba42b26b0","version":"0"}' -result: '{"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsPo_I88spSiO7D-Z3DiP2nA"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"requestId":"XrFFzVUO@EPHfYJRM8GZHwAAEK4","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000&after=1588675952841_1&limit=1000"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:54:05.45Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:54:05.45Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFFzVUO@EPHfYJRM8GZHwAAEK4","detail":{}},"uuid":"bd06eee7-8ebe-11ea-82e2-356ba42b26b0","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 98 -logType: Okta.SystemLog -input: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsQfY_9PlvSXudklqeUljN-Q"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"requestId":"XrFF4k4GCgrejBJbF709NgAADkw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675952841_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:54:26.452Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"transaction":{"type":"WEB","id":"XrFF4k4GCgrejBJbF709NgAADkw","detail":{}},"uuid":"c98b962e-8ebe-11ea-8cbe-bf2eaab2e9ef","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsQfY_9PlvSXudklqeUljN-Q"},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","ipAddress":"1.1.1.1"},"debugContext":{"debugData":{"requestId":"XrFF4k4GCgrejBJbF709NgAADkw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588675952841_1&limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:54:26.452Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:54:26.452Z","request":{"ipChain":[{"version":"V4","ip":"1.1.1.1"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFF4k4GCgrejBJbF709NgAADkw","detail":{}},"uuid":"c98b962e-8ebe-11ea-8cbe-bf2eaab2e9ef","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 99 -logType: Okta.SystemLog -input: '{"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsSKUi5-F1RLGN6KxlwchJSQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588676067403_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFGShXpNT0RVGi@JH9uIwAAAc0","threshold":"50","threatSuspected":"false","warningPercent":"60"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:56:10.706Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"transaction":{"detail":{},"type":"WEB","id":"XrFGShXpNT0RVGi@JH9uIwAAAc0"},"uuid":"07af7b64-8ebf-11ea-9a68-45f5acc7edae","version":"0"}' -result: '{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsSKUi5-F1RLGN6KxlwchJSQ"},"client":{"ipAddress":"1.1.1.1","userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000&after=1588676067403_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFGShXpNT0RVGi@JH9uIwAAAc0","threshold":"50","threatSuspected":"false","warningPercent":"60"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:56:10.706Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:56:10.706Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"type":"URL Pattern","id":"/api/v1/logs"}],"transaction":{"detail":{},"type":"WEB","id":"XrFGShXpNT0RVGi@JH9uIwAAAc0"},"uuid":"07af7b64-8ebf-11ea-9a68-45f5acc7edae","version":"0"}' ---- -name: Okta.Systemlog.Sample ./samples/systemlog_samples.jsonl 100 -logType: Okta.SystemLog -input: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"externalSessionId":"trsXxlMs-kRSOyAE7puqhj8Pw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000&after=1588676067403_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFGX6ij4DHbM5celo4CfgAAEGg","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:56:31.710Z","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"transaction":{"type":"WEB","id":"XrFGX6ij4DHbM5celo4CfgAAEGg","detail":{}},"uuid":"14347026-8ebf-11ea-9b4d-6d898d9545c0","version":"0"}' -result: '{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"externalSessionId":"trsXxlMs-kRSOyAE7puqhj8Pw","authenticationStep":0},"client":{"device":"Unknown","ipAddress":"1.1.1.1","userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000&after=1588676067403_1&limit=1000","timeUnit":"MINUTES","requestId":"XrFGX6ij4DHbM5celo4CfgAAEGg","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS"},"p_any_emails":["foo@bar.com"],"p_any_ip_addresses":["1.1.1.1"],"p_event_time":"2020-05-05T10:56:31.71Z","p_log_type":"Okta.SystemLog","published":"2020-05-05T10:56:31.71Z","request":{"ipChain":[{"ip":"1.1.1.1","version":"V4"}]},"securityContext":{},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern"}],"transaction":{"type":"WEB","id":"XrFGX6ij4DHbM5celo4CfgAAEGg","detail":{}},"uuid":"14347026-8ebf-11ea-9b4d-6d898d9545c0","version":"0"}' diff --git a/schemas/logs/okta/tests/samples/generate_tests.jq b/schemas/logs/okta/tests/samples/generate_tests.jq deleted file mode 100644 index 34fde47e9..000000000 --- a/schemas/logs/okta/tests/samples/generate_tests.jq +++ /dev/null @@ -1,41 +0,0 @@ -# Usage jq -f generate_tests.jq sample_file.jsonl -# Fix timestamp trailing zeros to match Go formatting -def timestamp: sub("0+Z"; "Z"); - -# Check if value is empty array -def empty_array: (. | type == "array") and (. | length) == 0; - -# Omitempty behavior of Go structs -def omitempty: - walk( - if type == "object" then - with_entries( - select( (.value != null) and ( .value | empty_array | not ) ) - ) - else - . - end - ); - -def sort_keys: - to_entries - | sort_by(.key) - | from_entries; - -def indicators: - map(select(.)) - | unique ; - -{ - name: "Okta.Systemlog.Sample \(input_filename) \(input_line_number)", - logType:"Okta.SystemLog", - input: . | sort_keys | @json, - result: ( . + { - p_log_type: "Okta.SystemLog", - p_event_time: .published | timestamp, - published: .published | timestamp, - p_any_domain_names: [.securityContext.domain] | indicators, - p_any_emails: [.actor.alternateId] | indicators, - p_any_ip_addresses: ( (.request.ipChain|map(.ip)) + [.client.ipAddress] ) | indicators, - }) | omitempty | sort_keys | tostring -} diff --git a/schemas/logs/okta/tests/samples/systemlog_samples.jsonl b/schemas/logs/okta/tests/samples/systemlog_samples.jsonl deleted file mode 100644 index 818d4d76a..000000000 --- a/schemas/logs/okta/tests/samples/systemlog_samples.jsonl +++ /dev/null @@ -1,100 +0,0 @@ -{"severity":"INFO","transaction":{"type":"WEB","id":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","detail":{}},"target":null,"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016}}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102iCf9Im9wSEmaVMYZNbEOMA"},"published":"2020-05-01T10:20:22.243Z","version":"0","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lon":-3.7016,"lat":40.4143}},"version":"V4"}]},"displayMessage":"User login to Okta","eventType":"user.session.start","debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"legacyEventType":"core.user_auth.login_success","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"5d730bf4-8b95-11ea-8cbe-bf2eaab2e9ef","outcome":{"result":"SUCCESS","reason":null}} -{"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"legacyEventType":null,"version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102iCf9Im9wSEmaVMYZNbEOMA"},"eventType":"policy.evaluate_sign_on","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?","deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM"}},"uuid":"5d7b2245-8b95-11ea-8cbe-bf2eaab2e9ef","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null,"id":"0prc1umtrQa0JxFfU356"}],"severity":"INFO","client":{"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"}},"displayMessage":"Evaluation of sign-on policy","published":"2020-05-01T10:20:22.296Z","transaction":{"type":"WEB","id":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"Madrid","country":"Spain","postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid"},"version":"V4","source":null}]}} -{"displayMessage":"Authentication of user via MFA","outcome":{"reason":null,"result":"SUCCESS"},"transaction":{"type":"WEB","id":"Xqv4ChB6i@XT5JNpsgg5iwAACjY","detail":{}},"target":[{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005"}},"published":"2020-05-01T10:20:59.091Z","severity":"INFO","debugContext":{"debugData":{"requestUri":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify?rememberDevice=false","authnRequestId":"Xqv35Wg7bT74OrlHVCM7JgAAFHM","requestId":"Xqv4ChB6i@XT5JNpsgg5iwAACjY"}},"legacyEventType":"core.user.factor.attempt_success","eventType":"user.authentication.auth_via_mfa","uuid":"73699ad3-8b95-11ea-bd6b-7d993edc4d99","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28005"}}]},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":"OTP","issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102GP5VxqC1SvuMpF0oLbm0-Q"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"version":"0"} -{"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"version":"V4","source":null}]},"severity":"INFO","version":"0","debugContext":{"debugData":{"requestId":"Xqv4DAv9rG@QtvA52XJ5NwAAB2Q","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"postalCode":"28005","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"eventType":"user.session.access_admin_app","target":[{"id":"00u3mo2ci0RuzhCQe357","type":"AppUser","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}],"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"102tmLJSxrcTKe0eKPOcYRAIA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T10:21:00.666Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"type":"WEB","id":"Xqv4DAv9rG@QtvA52XJ5NwAAB2Q","detail":{}},"uuid":"7459ee6a-8b95-11ea-9fd1-bb7360a0b10c","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"User accessing Okta admin app"} -{"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsEIK87CP-TOWutoSIk5vwtA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"displayMessage":"Rate limit warning","uuid":"31bb29ef-8bcc-11ea-ada5-5fef26acfbc9","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"legacyEventType":"core.framework.ratelimit.warning","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","debugContext":{"debugData":{"requestId":"XqxT48Ec3yxgq8Icobx9mwAAC-4","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false"}},"transaction":{"type":"WEB","id":"XqxT48Ec3yxgq8Icobx9mwAAC-4","detail":{}},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:52:51.216Z"} -{"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestId":"XqxT6PWj5s2Quaf7cGZmTQAAElw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES"}},"displayMessage":"Rate limit violation","published":"2020-05-01T16:52:56.149Z","severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"34abe0f1-8bcc-11ea-9caf-87003407f90b","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsg3DpeduvQXCmnzT-FC9l9g","authenticationProvider":null},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"transaction":{"type":"WEB","id":"XqxT6PWj5s2Quaf7cGZmTQAAElw","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs2EP5Oub9RVKOQNpikZSWQQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"outcome":{"reason":null,"result":"SUCCESS"},"legacyEventType":"core.framework.ratelimit.warning","version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","published":"2020-05-01T16:54:52.404Z","severity":"WARN","debugContext":{"debugData":{"requestId":"XqxUXGWrk@@JYyqBk-48SQAAEuM","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588328461960_1\u0026limit=1000","timeUnit":"MINUTES"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"type":"WEB","id":"XqxUXGWrk@@JYyqBk-48SQAAEuM","detail":{}},"uuid":"79f6fbd3-8bcc-11ea-8cbe-bf2eaab2e9ef"} -{"transaction":{"type":"WEB","id":"XqxUYZWz9R0WfYS@G1uZ-QAAAz0","detail":{}},"legacyEventType":"core.framework.ratelimit.exceeded","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"eventType":"system.org.rate_limit.violation","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsljB4mtDNSgCshrA0Np5LOA","authenticationProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:54:57.700Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588328461960_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XqxUYZWz9R0WfYS@G1uZ-QAAAz0"}},"uuid":"7d1f16f0-8bcc-11ea-afeb-efa9a81fb877","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"version":"0"} -{"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"displayMessage":"Rate limit warning","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","transaction":{"type":"WEB","id":"XqxU1JJPCiAgOgakFdcF3wAAAo0","detail":{}},"uuid":"c1b07e9f-8bcc-11ea-9b4d-6d898d9545c0","version":"0","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"published":"2020-05-01T16:56:52.738Z","debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588351976896_1\u0026limit=1000","requestId":"XqxU1JJPCiAgOgakFdcF3wAAAo0","warningPercent":"60","timeSpan":"1","timeUnit":"MINUTES","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false"}},"legacyEventType":"core.framework.ratelimit.warning","authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trszcQ1YhE5Ql2GZQo8gs5ZeA","authenticationProvider":null,"credentialProvider":null},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}]} -{"published":"2020-05-01T16:56:57.255Z","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"c461bba9-8bcc-11ea-af6d-6ff4ba545a59","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit violation","severity":"WARN","debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XqxU2ZmGQi6m7BKy3TSXWgAAAN0","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588351976896_1\u0026limit=1000"}},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"type":"WEB","id":"XqxU2ZmGQi6m7BKy3TSXWgAAAN0","detail":{}},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPblrLhY6RIWUIAD80VLeYA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"eventType":"system.org.rate_limit.violation"} -{"debugContext":{"debugData":{"warningPercent":"60","threatSuspected":"false","requestId":"XqxVTKzp89io03gVyVIdbgAADjE","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588352098728_1\u0026limit=1000","timeUnit":"MINUTES"}},"uuid":"08de8a22-8bcd-11ea-874a-2fc94466cbde","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trspm5bfzYATkqbS5Gu1aM5ow"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"published":"2020-05-01T16:58:52.158Z","severity":"WARN","transaction":{"type":"WEB","id":"XqxVTKzp89io03gVyVIdbgAADjE","detail":{}},"displayMessage":"Rate limit warning","legacyEventType":"core.framework.ratelimit.warning","eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"version":"0"} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"uuid":"0b9a4f12-8bcd-11ea-965d-6da5dc6b4d61","transaction":{"type":"WEB","id":"XqxVUCHJ2YsYX@pvnat0lgAAA1s","detail":{}},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T16:58:56.744Z","severity":"WARN","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588352098728_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XqxVUCHJ2YsYX@pvnat0lgAAA1s","threshold":"50","timeSpan":"1"}},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trseoJUnLitRb6mQPz0VWD_DA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"legacyEventType":"core.framework.ratelimit.exceeded","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"eventType":"system.org.rate_limit.violation","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}]} -{"authenticationContext":{"externalSessionId":"102553OFOWURBmOgPoGl8kO-w","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"displayMessage":"User login to Okta","severity":"INFO","uuid":"3e497761-8bcd-11ea-82e2-356ba42b26b0","actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"debugContext":{"debugData":{"deviceFingerprint":"5704071097000730d66366d819b89e6b","requestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"transaction":{"type":"WEB","id":"XqxVpX8iMvHtxpNPrJimzQAAExM","detail":{}},"target":null,"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"eventType":"user.session.start","outcome":{"reason":null,"result":"SUCCESS"},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874},"city":"San Francisco","state":"California","country":"United States"},"version":"V4","source":null}]},"published":"2020-05-01T17:00:21.778Z","legacyEventType":"core.user_auth.login_success","version":"0"} -{"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"geolocation":{"lat":37.7852,"lon":-122.3874},"city":"San Francisco","state":"California","country":"United States","postalCode":"94105"}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102553OFOWURBmOgPoGl8kO-w"},"uuid":"3e529f23-8bcd-11ea-82e2-356ba42b26b0","target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"displayMessage":"Evaluation of sign-on policy","outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lon":-122.3874,"lat":37.7852}},"version":"V4","source":null}]},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","actor":{"displayName":"Jack Naglieri","detailEntry":null,"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com"},"eventType":"policy.evaluate_sign_on","published":"2020-05-01T17:00:21.838Z","version":"0","debugContext":{"debugData":{"deviceFingerprint":"5704071097000730d66366d819b89e6b","requestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"legacyEventType":null,"transaction":{"detail":{},"type":"WEB","id":"XqxVpX8iMvHtxpNPrJimzQAAExM"}} -{"transaction":{"type":"WEB","id":"XqxVsrIaFxbB2vhlGYB1YgAAA0w","detail":{}},"target":[{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null}],"client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"authenticationContext":{"credentialType":"OTP","issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102djXtz5b_ROSoLOia6Q7juA","authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER"},"published":"2020-05-01T17:00:34.670Z","debugContext":{"debugData":{"authnRequestId":"XqxVpX8iMvHtxpNPrJimzQAAExM","requestId":"XqxVsrIaFxbB2vhlGYB1YgAAA0w","requestUri":"/api/v1/authn/factors/ost316zzhb7EFtPn2357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost316zzhb7EFtPn2357/verify?rememberDevice=false"}},"eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","uuid":"45f8a1b0-8bcd-11ea-965d-6da5dc6b4d61","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":{"geolocation":{"lon":-122.3874,"lat":37.7852},"city":"San Francisco","state":"California","country":"United States","postalCode":"94105"},"version":"V4"}]},"outcome":{"result":"SUCCESS","reason":null},"severity":"INFO","actor":{"detailEntry":null,"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri"},"displayMessage":"Authentication of user via MFA","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"version":"0"} -{"displayMessage":"User accessing Okta admin app","authenticationContext":{"authenticationStep":0,"externalSessionId":"102iZBO931kTSi4g5FdbiqgUA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"eventType":"user.session.access_admin_app","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:00:35.647Z","debugContext":{"debugData":{"requestId":"XqxVs-6znn2BGMzyKH-OOQAAEKM","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"San Francisco","state":"California","country":"United States","postalCode":"94105","geolocation":{"lat":37.7852,"lon":-122.3874}},"version":"V4","source":null}]},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"state":"California","country":"United States","postalCode":"94105","geolocation":{"lon":-122.3874,"lat":37.7852},"city":"San Francisco"}},"target":[{"id":"00uc1umudIxtsadWL356","type":"AppUser","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null}],"actor":{"id":"00uc1umudIxtsadWL356","type":"User","alternateId":"foo@bar.com","displayName":"Jack Naglieri","detailEntry":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"INFO","legacyEventType":"app.admin.sso.login.success","transaction":{"detail":{},"type":"WEB","id":"XqxVs-6znn2BGMzyKH-OOQAAEKM"},"uuid":"468db570-8bcd-11ea-abd3-1d668132201e","version":"0"} -{"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"id":"XqxVxEfn3CHz-HuDhPzyygAAAlo","detail":{},"type":"WEB"},"version":"0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trs9AUNFdfRR1yvWWW7odRUJA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"published":"2020-05-01T17:00:52.286Z","severity":"WARN","debugContext":{"debugData":{"requestId":"XqxVxEfn3CHz-HuDhPzyygAAAlo","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357"}},"legacyEventType":"core.framework.ratelimit.warning","client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"uuid":"50789e06-8bcd-11ea-92ce-d536dee30c90"} -{"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","requestId":"XqxVyfcOD88CV28@AwfpAQAABDQ","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XqxVyfcOD88CV28@AwfpAQAABDQ","detail":{}},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"version":"0","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-01T17:00:57.213Z","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPesucZbGTuOI0jck4g9yyw","authenticationProvider":null,"credentialProvider":null},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","uuid":"53686b88-8bcd-11ea-b823-db4e40ee0137"} -{"eventType":"user.session.start","outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","transaction":{"type":"WEB","id":"XqxV7PCo@4CYl52a7k5V-AAADhk","detail":{}},"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"displayMessage":"User login to Okta","legacyEventType":"core.user_auth.login_success","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain"},"version":"V4","source":null}]},"target":null,"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102Zs5s_R6zRs2wBnpXh6J7Xw","authenticationProvider":null},"published":"2020-05-01T17:01:32.562Z","client":{"device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016}},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null"},"uuid":"687a400e-8bcd-11ea-9424-4db38b988f86","debugContext":{"debugData":{"deviceFingerprint":"75653fa886d95b75e1f1ca0411b82cd2","requestId":"XqxV7PCo@4CYl52a7k5V-AAADhk","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"version":"0"} -{"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"102Zs5s_R6zRs2wBnpXh6J7Xw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"displayMessage":"Evaluation of sign-on policy","debugContext":{"debugData":{"threatSuspected":"false","url":"/api/v1/authn?","deviceFingerprint":"75653fa886d95b75e1f1ca0411b82cd2","requestId":"XqxV7PCo@4CYl52a7k5V-AAADhk","requestUri":"/api/v1/authn"}},"transaction":{"id":"XqxV7PCo@4CYl52a7k5V-AAADhk","detail":{},"type":"WEB"},"version":"0","client":{"geographicalContext":{"geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid","state":"Madrid","country":"Spain","postalCode":"28037"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1"},"published":"2020-05-01T17:01:32.611Z","uuid":"6881ba20-8bcd-11ea-9424-4db38b988f86","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"Madrid","country":"Spain","postalCode":"28037","geolocation":{"lat":40.4143,"lon":-3.7016},"city":"Madrid"},"version":"V4","source":null}]},"severity":"INFO","target":[{"displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"},"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown"},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"eventType":"policy.evaluate_sign_on","outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":null} -{"transaction":{"id":"XrEvgymRMCc7udKvskmg@QAAFLw","detail":{},"type":"WEB"},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:18:59.980Z","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs_RzmHPPNSpegdTR4iSNg6g","authenticationProvider":null},"version":"0","legacyEventType":"core.framework.ratelimit.warning","uuid":"744d4cdc-8eb1-11ea-a57c-950f2517e685","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","severity":"WARN","eventType":"system.org.rate_limit.warning","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","requestId":"XrEvgymRMCc7udKvskmg@QAAFLw"}}} -{"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"displayMessage":"Rate limit violation","severity":"WARN","uuid":"774e7f7e-8eb1-11ea-af6d-6ff4ba545a59","version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsRN_8hq3bRa22ZK_F166Ibw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrEvifZcBsOYX1sXqJeH7QAAAy8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000"}},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrEvifZcBsOYX1sXqJeH7QAAAy8","detail":{}},"request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"eventType":"system.org.rate_limit.violation","published":"2020-05-05T09:19:05.021Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null}} -{"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"transaction":{"type":"WEB","id":"XrEvzZW30MsCw7au9fDIegAAAqI","detail":{}},"uuid":"a010c2d1-8eb1-11ea-afeb-efa9a81fb877","published":"2020-05-05T09:20:13.403Z","severity":"WARN","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"version":"0","authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsRmE6AQuzQDKo6PCtNuM-cA"},"displayMessage":"Rate limit warning","legacyEventType":"core.framework.ratelimit.warning","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588352493659_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrEvzZW30MsCw7au9fDIegAAAqI","threshold":"50"}}} -{"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"published":"2020-05-05T09:20:18.310Z","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588352493659_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrEv0nWh6j118-TwvwBbPgAAA3Y"}},"uuid":"a2fd8277-8eb1-11ea-8cbe-bf2eaab2e9ef","authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsVq2bDMYWSuCOxxP_GkiDEQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrEv0nWh6j118-TwvwBbPgAAA3Y","detail":{}},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN"} -{"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"target":null,"outcome":{"result":"SUCCESS","reason":null},"severity":"INFO","debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"uuid":"f3f60211-8eb2-11ea-af6d-6ff4ba545a59","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"legacyEventType":"core.user_auth.login_success","transaction":{"type":"WEB","id":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","detail":{}},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London","state":"England","country":"United Kingdom"},"version":"V4","source":null}]},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164},"city":"London","state":"England"}},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102cDYxGvsETzeO9CvrF7KZCg","authenticationProvider":null},"displayMessage":"User login to Okta","eventType":"user.session.start","published":"2020-05-05T09:29:43.653Z"} -{"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"transaction":{"type":"WEB","id":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","detail":{}},"uuid":"f3fdf152-8eb2-11ea-af6d-6ff4ba545a59","version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"102cDYxGvsETzeO9CvrF7KZCg"},"outcome":{"result":"ALLOW","reason":"Sign-on policy evaluation resulted in ALLOW"},"published":"2020-05-05T09:29:43.705Z","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093}}}]},"displayMessage":"Evaluation of sign-on policy","legacyEventType":null,"target":[{"id":"00pc1umtqGqytLjuP356","type":"PolicyEntity","alternateId":"unknown","displayName":"Default Policy","detailEntry":{"policyType":"OktaSignOn"}},{"id":"0prc1umtrQa0JxFfU356","type":"PolicyRule","alternateId":"00pc1umtqGqytLjuP356","displayName":"Default Rule","detailEntry":null}],"eventType":"policy.evaluate_sign_on","severity":"INFO","debugContext":{"debugData":{"deviceFingerprint":"d46b17d2d7119ece5a466d6e6d4285db","requestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"client":{"ipAddress":"1.1.1.1","geographicalContext":{"postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London","state":"England","country":"United Kingdom"},"userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X","browser":"CHROME"},"zone":"null","device":"Computer","id":null}} -{"severity":"INFO","legacyEventType":"core.user.factor.attempt_success","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164}},"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093}}},"displayMessage":"Authentication of user via MFA","uuid":"fbf14f6e-8eb2-11ea-af6d-6ff4ba545a59","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:29:57.044Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"authnRequestId":"XrEyB6Ew-bQ5Fxqsmlaw5AAAAfw","requestId":"XrEyFHAW5aRx5UpfQfZ06AAAEWs","requestUri":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify","threatSuspected":"false","factor":"OKTA_SOFT_TOKEN","url":"/api/v1/authn/factors/ost3mo9dmdxHEE64N357/verify?rememberDevice=false"}},"transaction":{"type":"WEB","id":"XrEyFHAW5aRx5UpfQfZ06AAAEWs","detail":{}},"authenticationContext":{"authenticationStep":0,"externalSessionId":"102xCfoDfXqTqas4lokllvI_A","authenticationProvider":"FACTOR_PROVIDER","credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":"OTP","issuer":null,"interface":null},"eventType":"user.authentication.auth_via_mfa","version":"0","target":[{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"}]} -{"client":{"userAgent":{"browser":"CHROME","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36","os":"Mac OS X"},"zone":"null","device":"Computer","id":null,"ipAddress":"1.1.1.1","geographicalContext":{"city":"London","state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lon":-0.093,"lat":51.5164}}},"published":"2020-05-05T09:29:58.695Z","debugContext":{"debugData":{"requestId":"XrEyFkNWiaslHeI685XdGQAAEHk","requestUri":"/admin/sso/request","threatSuspected":"false","url":"/admin/sso/request?"}},"authenticationContext":{"externalSessionId":"1023sD69JIBQ_eLPh5nLZ7D7Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"displayMessage":"User accessing Okta admin app","uuid":"fced3b73-8eb2-11ea-a57c-950f2517e685","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":{"state":"England","country":"United Kingdom","postalCode":"EC2V","geolocation":{"lat":51.5164,"lon":-0.093},"city":"London"},"version":"V4","source":null}]},"transaction":{"type":"WEB","id":"XrEyFkNWiaslHeI685XdGQAAEHk","detail":{}},"version":"0","actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"eventType":"user.session.access_admin_app","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"INFO","legacyEventType":"app.admin.sso.login.success","outcome":{"result":"SUCCESS","reason":null},"target":[{"id":"00u3mo2ci0RuzhCQe357","type":"AppUser","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}]} -{"severity":"WARN","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"debugContext":{"debugData":{"threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000","warningPercent":"60","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrEyy07XR5NsHsU9Szj8hgAAEmI"}},"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"displayMessage":"Rate limit warning","outcome":{"reason":null,"result":"SUCCESS"},"transaction":{"type":"WEB","id":"XrEyy07XR5NsHsU9Szj8hgAAEmI","detail":{}},"version":"0","authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsssx2nlapR7iXmdeF4OEGRQ"},"eventType":"system.org.rate_limit.warning","published":"2020-05-05T09:32:59.192Z","legacyEventType":"core.framework.ratelimit.warning","uuid":"6882e432-8eb3-11ea-a6b7-cf71f57d4442","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"}} -{"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","severity":"WARN","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000","timeUnit":"MINUTES","requestId":"XrEy4Ie0rO6XiaQtvAgNbQAAB1A"}},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"7508002a-8eb3-11ea-a04f-81a81472156a","version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsGguELVEbQkOEwSOX-Hw3HA","authenticationProvider":null,"credentialProvider":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:33:20.197Z","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"transaction":{"type":"WEB","id":"XrEy4Ie0rO6XiaQtvAgNbQAAB1A","detail":{}}} -{"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"eventType":"system.org.rate_limit.warning","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-05-05T09:34:58.440Z","legacyEventType":"core.framework.ratelimit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"transaction":{"type":"WEB","id":"XrEzQgVp30i3cw0jE1JJmAAAATU","detail":{}},"version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","severity":"WARN","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588670999394_1\u0026limit=1000","requestId":"XrEzQgVp30i3cw0jE1JJmAAAATU","warningPercent":"60"}},"uuid":"af96b0c9-8eb3-11ea-abac-bda3eefbb100","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs-dSqQkjKRcOW-8u5g77j3w","authenticationProvider":null,"credentialProvider":null}} -{"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trszwXQ2FlJSkGvwtXu-2A-DQ","authenticationProvider":null,"credentialProvider":null},"outcome":{"reason":null,"result":"SUCCESS"},"transaction":{"type":"WEB","id":"XrEzV2MOB6yuxkiYa@yhRAAAE7o","detail":{}},"version":"0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588670999394_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrEzV2MOB6yuxkiYa@yhRAAAE7o","threshold":"50","timeSpan":"1"}},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"bc1abaff-8eb3-11ea-9b4d-6d898d9545c0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"displayMessage":"Rate limit violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"published":"2020-05-05T09:35:19.438Z","severity":"WARN"} -{"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"published":"2020-05-05T09:36:58.341Z","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","timeUnit":"MINUTES","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588671201176_1\u0026limit=1000","requestId":"XrEzun5hPHkLIfFvhbwmSwAADzU","warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false"}},"version":"0","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"transaction":{"type":"WEB","id":"XrEzun5hPHkLIfFvhbwmSwAADzU","detail":{}},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs-Dt5KF-zQRK35ORsxqKyJg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"legacyEventType":"core.framework.ratelimit.warning","uuid":"f70e21fc-8eb3-11ea-a561-47493e2e60a2"} -{"published":"2020-05-05T09:37:19.334Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588671201176_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrEzzzn-wFxNr1zSzKgF9QAAFJ8","threshold":"50"}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","transaction":{"type":"WEB","id":"XrEzzzn-wFxNr1zSzKgF9QAAFJ8","detail":{}},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsaT97zDebSnGacMeKOk84RA","authenticationProvider":null,"credentialProvider":null},"outcome":{"result":"SUCCESS","reason":null},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"039168ad-8eb4-11ea-8936-ab42b09eebb3","actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"legacyEventType":"core.framework.ratelimit.warning","version":"0","outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","debugContext":{"debugData":{"requestId":"XrE0MgIdaCXRDPxam8@QNgAACx0","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588671320515_1\u0026limit=1000"}},"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs55ZXx8apTC2cBkTyHMIRag"},"displayMessage":"Rate limit warning","client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T09:38:58.656Z","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"eventType":"system.org.rate_limit.warning","transaction":{"type":"WEB","id":"XrE0MgIdaCXRDPxam8@QNgAACx0","detail":{}},"uuid":"3ec4be12-8eb4-11ea-b70a-e7df59d7aa62"} -{"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588671320515_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE0R2Wrk@@JYyqBk-4jxgAAExY","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"uuid":"4b48c932-8eb4-11ea-9caf-87003407f90b","actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit violation","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"outcome":{"result":"SUCCESS","reason":null},"legacyEventType":"core.framework.ratelimit.exceeded","published":"2020-05-05T09:39:19.654Z","transaction":{"type":"WEB","id":"XrE0R2Wrk@@JYyqBk-4jxgAAExY","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"eventType":"system.org.rate_limit.violation","version":"0","authenticationContext":{"authenticationStep":0,"externalSessionId":"trsxfh5tAPLTSOJqP2qp3tjfg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"severity":"WARN"} -{"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"legacyEventType":"core.framework.ratelimit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"debugContext":{"debugData":{"threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588671560676_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE3w@3r6F@XqNiEZP964QAADOg","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357"}},"transaction":{"id":"XrE3w@3r6F@XqNiEZP964QAADOg","detail":{},"type":"WEB"},"uuid":"5efc818c-8eb6-11ea-965d-6da5dc6b4d61","version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T09:54:11.702Z","authenticationContext":{"externalSessionId":"trsFdMM3YUiQ8-Vex2q-3XuLA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0}} -{"legacyEventType":"core.framework.ratelimit.exceeded","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T09:54:32.704Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsLi8q266AT7On0yboFL8hpg"},"request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"severity":"WARN","transaction":{"type":"WEB","id":"XrE32KEw-bQ5FxqsmlbZ@wAAAa8","detail":{}},"uuid":"6b8128e3-8eb6-11ea-8cbe-bf2eaab2e9ef","version":"0","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588671560676_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE32KEw-bQ5FxqsmlbZ@wAAAa8","threshold":"50"}}} -{"outcome":{"reason":null,"result":"SUCCESS"},"request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs4DKibUjURpOOGZIUgsbcMA"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"a5e3e819-8eb6-11ea-8aaa-959b94ed26bb","client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"eventType":"system.org.rate_limit.warning","severity":"WARN","debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588672473879_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE4OovrzgsubrSRhiRnEgAAB0E","userId":"00u3mo2ci0RuzhCQe357"}},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"displayMessage":"Rate limit warning","published":"2020-05-05T09:56:10.659Z","legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrE4OovrzgsubrSRhiRnEgAAB0E","detail":{}}} -{"outcome":{"reason":null,"result":"SUCCESS"},"legacyEventType":"core.framework.ratelimit.exceeded","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"transaction":{"type":"WEB","id":"XrE4T0H@Hmw00TTU@51daAAAEWM","detail":{}},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","uuid":"b267cb4c-8eb6-11ea-abac-bda3eefbb100","debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672473879_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE4T0H@Hmw00TTU@51daAAAEWM","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"authenticationContext":{"externalSessionId":"trsmzKbH9K9QXKMgZJAzMOt3A","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"published":"2020-05-05T09:56:31.656Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN"} -{"eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trs7sQ9KpvnQ0Gmao4UbmSOwQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","uuid":"ed7856dc-8eb6-11ea-aeca-a544dbc5d64e","displayMessage":"Rate limit warning","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestId":"XrE4slvsYUrf30@uCZpT2AAABqQ","url":"/api/v1/logs?limit=1000\u0026after=1588672592595_1\u0026limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"transaction":{"type":"WEB","id":"XrE4slvsYUrf30@uCZpT2AAABqQ","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"published":"2020-05-05T09:58:10.750Z","version":"0"} -{"outcome":{"result":"SUCCESS","reason":null},"uuid":"f9fc8789-8eb6-11ea-8b3c-c55929189475","published":"2020-05-05T09:58:31.749Z","severity":"WARN","transaction":{"id":"XrE4x-enQ5Pq3FItg-jdXAAAFT8","detail":{},"type":"WEB"},"version":"0","actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit violation","debugContext":{"debugData":{"requestId":"XrE4x-enQ5Pq3FItg-jdXAAAFT8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672592595_1\u0026limit=1000","timeUnit":"MINUTES"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsjcydSSnbS-O6KmXVuhq1TA","authenticationProvider":null}} -{"displayMessage":"Rate limit warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:00:10.811Z","severity":"WARN","eventType":"system.org.rate_limit.warning","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"transaction":{"type":"WEB","id":"XrE5KsZP30Ct5Zl3AMqDdQAAC@g","detail":{}},"uuid":"350830fb-8eb7-11ea-965d-6da5dc6b4d61","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"debugContext":{"debugData":{"warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES","url":"/api/v1/logs?limit=1000\u0026after=1588672712039_1\u0026limit=1000","requestId":"XrE5KsZP30Ct5Zl3AMqDdQAAC@g","threshold":"50","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsBz8XCMETS5-wEWIfvFNw6Q","authenticationProvider":null},"legacyEventType":"core.framework.ratelimit.warning","version":"0"} -{"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trskxm6PQPlRLSzHLuLJ4Y8uw"},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:00:31.812Z","debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672712039_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE5P5fVV-k1JB93arg6hQAADx8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"transaction":{"type":"WEB","id":"XrE5P5fVV-k1JB93arg6hQAADx8","detail":{}},"severity":"WARN","uuid":"418cb0ed-8eb7-11ea-9b4d-6d898d9545c0","actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","version":"0","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}]} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"severity":"WARN","transaction":{"type":"WEB","id":"XrE5nnehMrQPJ1YrPbFeuwAAAeE","detail":{}},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trslQ99uvI-SsWfpNPASW270Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:02:06.242Z","legacyEventType":"core.framework.ratelimit.warning","uuid":"79d590f9-8eb7-11ea-a672-5f81fb6cecd5","displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588672832671_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE5nnehMrQPJ1YrPbFeuwAAAeE","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","requestUri":"/api/v1/logs"}},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"severity":"WARN","outcome":{"result":"SUCCESS","reason":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsY8Hk5Xx5QJyHUJgQdYMUiA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"displayMessage":"Rate limit violation","debugContext":{"debugData":{"requestId":"XrE5s6bhp3bzQEUHfive1AAADkA","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672832671_1\u0026limit=1000","timeUnit":"MINUTES"}},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"8658fe56-8eb7-11ea-82e2-356ba42b26b0","version":"0","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"}},"published":"2020-05-05T10:02:27.236Z","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"transaction":{"type":"WEB","id":"XrE5s6bhp3bzQEUHfive1AAADkA","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"eventType":"system.org.rate_limit.violation","actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrE6GrIEsM9UqIn@nJOY8gAAA1w","detail":{}},"uuid":"c419b5bc-8eb7-11ea-bd6b-7d993edc4d99","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T10:04:10.840Z","severity":"WARN","version":"0","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588672948000_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE6GrIEsM9UqIn@nJOY8gAAA1w","warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","threshold":"50","timeSpan":"1"}},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsoaBgjOodQF-4yuKPQMNXCQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null}} -{"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE6LxEAAx7LcLghmoyEmgAAAFw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588672948000_1\u0026limit=1000"}},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"eventType":"system.org.rate_limit.violation","transaction":{"type":"WEB","id":"XrE6LxEAAx7LcLghmoyEmgAAAFw","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit violation","severity":"WARN","uuid":"d09d99ce-8eb7-11ea-b611-f1d979f83d84","request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsmsJeVEKOQv-IxduQ3tS26A"},"version":"0","published":"2020-05-05T10:04:31.837Z","legacyEventType":"core.framework.ratelimit.exceeded"} -{"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs5NE4ukUHQyiWxtu58-boww"},"eventType":"system.org.rate_limit.warning","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"published":"2020-05-05T10:06:08.316Z","client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673072677_1\u0026limit=1000","requestId":"XrE6kBmJa4z2oxvYkpDgdQAAEsE","warningPercent":"60","timeSpan":"1","threshold":"50","timeUnit":"MINUTES"}},"legacyEventType":"core.framework.ratelimit.warning","uuid":"0a1f1ffc-8eb8-11ea-a57c-950f2517e685","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"displayMessage":"Rate limit warning","transaction":{"type":"WEB","id":"XrE6kBmJa4z2oxvYkpDgdQAAEsE","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}]} -{"eventType":"system.org.rate_limit.violation","authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsDDtInz8kQ1uoLAhRTjbBqA"},"displayMessage":"Rate limit violation","legacyEventType":"core.framework.ratelimit.exceeded","version":"0","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"16a414bd-8eb8-11ea-82e2-356ba42b26b0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:06:29.320Z","debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673072677_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE6pS27VfkqqJWpbgzy7gAAELQ","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"transaction":{"type":"WEB","id":"XrE6pS27VfkqqJWpbgzy7gAAELQ","detail":{}},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"severity":"WARN"} -{"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"legacyEventType":"core.framework.ratelimit.warning","uuid":"53429308-8eb8-11ea-b70a-e7df59d7aa62","version":"0","client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsW0NRQK_sSq-ABs26kTzO4w","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"severity":"WARN","eventType":"system.org.rate_limit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","published":"2020-05-05T10:08:11.022Z","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","url":"/api/v1/logs?limit=1000\u0026after=1588673190341_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE7C@3r6F@XqNiEZP@SVQAADKg","warningPercent":"60","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"transaction":{"type":"WEB","id":"XrE7C@3r6F@XqNiEZP@SVQAADKg","detail":{}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}]} -{"uuid":"5fc73a6b-8eb8-11ea-8cbe-bf2eaab2e9ef","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673190341_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE7IKePYtd7JtnbQ1ihnQAAAzc","threshold":"50"}},"transaction":{"type":"WEB","id":"XrE7IKePYtd7JtnbQ1ihnQAAAzc","detail":{}},"published":"2020-05-05T10:08:32.024Z","legacyEventType":"core.framework.ratelimit.exceeded","eventType":"system.org.rate_limit.violation","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","version":"0","client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"displayMessage":"Rate limit violation","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs9C1nRza2Qea6vvY8b9uBBA"},"outcome":{"result":"SUCCESS","reason":null}} -{"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","timeSpan":"1","warningPercent":"60","threshold":"50","url":"/api/v1/logs?limit=1000\u0026after=1588673313139_1\u0026limit=1000","requestId":"XrE7gnpFJJ1p6j3-wha7eQAAD9E"}},"transaction":{"id":"XrE7gnpFJJ1p6j3-wha7eQAAD9E","detail":{},"type":"WEB"},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"eventType":"system.org.rate_limit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"version":"0","published":"2020-05-05T10:10:10.586Z","legacyEventType":"core.framework.ratelimit.warning","uuid":"9a869822-8eb8-11ea-b9fc-61056b16b278","displayMessage":"Rate limit warning","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsxc2kkNMCQ-WahLf93GcN_w","authenticationProvider":null,"credentialProvider":null},"outcome":{"reason":null,"result":"SUCCESS"},"severity":"WARN","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}} -{"severity":"WARN","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:10:31.589Z","legacyEventType":"core.framework.ratelimit.exceeded","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"uuid":"a70b65db-8eb8-11ea-ba49-7f15d05ef278","version":"0","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673313139_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE7l4zaB9tH9ugqPHDIqQAAEsg","threshold":"50"}},"transaction":{"detail":{},"type":"WEB","id":"XrE7l4zaB9tH9ugqPHDIqQAAEsg"},"target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs0iGo25DtSKCRx8Lj0bZCHw","authenticationProvider":null,"credentialProvider":null},"displayMessage":"Rate limit violation","eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null}} -{"published":"2020-05-05T10:12:06.007Z","severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrE79aePYtd7JtnbQ1imjgAAAzc","detail":{}},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"eventType":"system.org.rate_limit.warning","version":"0","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"outcome":{"result":"SUCCESS","reason":null},"uuid":"df52710d-8eb8-11ea-8b3c-c55929189475","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsY5C_Zq7HQZm3-qgkspRT1w","authenticationProvider":null},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"displayMessage":"Rate limit warning","debugContext":{"debugData":{"requestId":"XrE79aePYtd7JtnbQ1imjgAAAzc","warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673432515_1\u0026limit=1000","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES"}},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPx7wEDF9S3mmyAEwjA98cg","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673432515_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE8CqjRygVen0SUkJebQgAADyQ","threshold":"50","timeSpan":"1"}},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrE8CqjRygVen0SUkJebQgAADyQ","detail":{}},"version":"0","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:12:27.008Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown"},"displayMessage":"Rate limit violation","severity":"WARN","eventType":"system.org.rate_limit.violation","uuid":"ebd6f0b1-8eb8-11ea-965d-6da5dc6b4d61","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrE8cznw7CtbP0yJVwVs7QAAEgI","detail":{}},"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit warning","version":"0","eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"published":"2020-05-05T10:14:11.145Z","uuid":"29e8fc1f-8eb9-11ea-aeca-a544dbc5d64e","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"debugContext":{"debugData":{"timeSpan":"1","threatSuspected":"false","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673547459_1\u0026limit=1000","requestId":"XrE8cznw7CtbP0yJVwVs7QAAEgI"}},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"}},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs7-MOLLOxS0-LG3ZtMMF0jA","authenticationProvider":null}} -{"version":"0","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:14:32.146Z","debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000\u0026after=1588673547459_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE8iNh-vHogmJ8NIM3iqgAABaY","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"uuid":"366d7b32-8eb9-11ea-94f8-45ab612226ab","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"eventType":"system.org.rate_limit.violation","severity":"WARN","client":{"geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs1Z_-WCrvTr6Sx45M5fDLXg","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrE8iNh-vHogmJ8NIM3iqgAABaY","detail":{}},"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"}} -{"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:16:10.785Z","transaction":{"type":"WEB","id":"XrE86j66FdOwKsQJVQRVjAAADCU","detail":{}},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsqXZYn4VJQlWEtiX8TdGTiw"},"displayMessage":"Rate limit warning","debugContext":{"debugData":{"warningPercent":"60","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrE86j66FdOwKsQJVQRVjAAADCU","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588673672587_1\u0026limit=1000"}},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"uuid":"71389917-8eb9-11ea-adf2-ed39f0ba450d"} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs7UCHzEGbSx-XoQRUK-7BJA","authenticationProvider":null,"credentialProvider":null},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE8-45erIFpVwGi1Emu@wAADmI","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673672587_1\u0026limit=1000"}},"version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit violation","published":"2020-05-05T10:16:31.959Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"7dd77ec0-8eb9-11ea-82e2-356ba42b26b0","eventType":"system.org.rate_limit.violation","legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrE8-45erIFpVwGi1Emu@wAADmI","detail":{}},"request":{"ipChain":[{"source":null,"ip":"1.1.1.1","geographicalContext":null,"version":"V4"}]}} -{"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs56imW9-hT4mXUQxM7pR-Pw","authenticationProvider":null,"credentialProvider":null},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"uuid":"b8b2c9f8-8eb9-11ea-a0ba-379f04824fb1","transaction":{"detail":{},"type":"WEB","id":"XrE9YgQlhQc@sTWCXHrxJwAAEx4"},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"displayMessage":"Rate limit warning","published":"2020-05-05T10:18:10.704Z","severity":"WARN","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","url":"/api/v1/logs?limit=1000\u0026after=1588673792565_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE9YgQlhQc@sTWCXHrxJwAAEx4","warningPercent":"60","threshold":"50","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"legacyEventType":"core.framework.ratelimit.warning","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]}} -{"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit violation","severity":"WARN","debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE9d9wlaOBew8uKlh7rkgAAA0s","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673792565_1\u0026limit=1000"}},"uuid":"c53796ba-8eb9-11ea-b3e6-1d46bc417fb6","version":"0","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:18:31.707Z","transaction":{"id":"XrE9d9wlaOBew8uKlh7rkgAAA0s","detail":{},"type":"WEB"},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"legacyEventType":"core.framework.ratelimit.exceeded","authenticationContext":{"externalSessionId":"trsdg9YDpRuRgKaOLUj5oKsdw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}]} -{"outcome":{"reason":null,"result":"SUCCESS"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"warningPercent":"60","requestUri":"/api/v1/logs","timeUnit":"MINUTES","requestId":"XrE92lvsYUrf30@uCZpt-gAABoU","threshold":"50","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673912497_1\u0026limit=1000"}},"legacyEventType":"core.framework.ratelimit.warning","version":"0","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsnyGjrmSkQle5e4SRGvZglA"},"eventType":"system.org.rate_limit.warning","client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"displayMessage":"Rate limit warning","severity":"WARN","uuid":"0042f1fc-8eba-11ea-a04f-81a81472156a","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"published":"2020-05-05T10:20:10.767Z","transaction":{"type":"WEB","id":"XrE92lvsYUrf30@uCZpt-gAABoU","detail":{}},"request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]}} -{"published":"2020-05-05T10:20:31.769Z","severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"0cc798b0-8eba-11ea-abd3-1d668132201e","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsTE7n3E68RjOlx_LfF-RZXQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"outcome":{"result":"SUCCESS","reason":null},"transaction":{"type":"WEB","id":"XrE97@an-mUZdi219wQzgwAAEjs","detail":{}},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"displayMessage":"Rate limit violation","version":"0","eventType":"system.org.rate_limit.violation","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrE97@an-mUZdi219wQzgwAAEjs","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588673912497_1\u0026limit=1000"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"displayMessage":"Rate limit warning","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000\u0026after=1588674032426_1\u0026limit=1000","requestId":"XrE@TwVp30i3cw0jE1KOvwAAAPo","userId":"00u3mo2ci0RuzhCQe357","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","timeUnit":"MINUTES","warningPercent":"60","threshold":"50"}},"legacyEventType":"core.framework.ratelimit.warning","uuid":"45a6c519-8eba-11ea-8b3c-c55929189475","version":"0","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:22:07.184Z","transaction":{"detail":{},"type":"WEB","id":"XrE@TwVp30i3cw0jE1KOvwAAAPo"},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsn5zK28QtR0uXn28sBMXonQ","authenticationProvider":null}} -{"uuid":"522bba5e-8eba-11ea-b9c2-0dd5b21f944b","published":"2020-05-05T10:22:28.188Z","transaction":{"type":"WEB","id":"XrE@ZDn-wFxNr1zSzKhZPQAAFG8","detail":{}},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","version":"0","actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"displayMessage":"Rate limit violation","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"severity":"WARN","outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674032426_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE@ZDn-wFxNr1zSzKhZPQAAFG8","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs"}},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trssjZmnfC_QheY69POkrAlrw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"eventType":"system.org.rate_limit.violation"} -{"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"authenticationContext":{"externalSessionId":"trs8mkv_xN6Q3uxZL2JykiXfw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:24:10.938Z","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"displayMessage":"Rate limit warning","transaction":{"type":"WEB","id":"XrE@yls-7N-b7zu5QlJQTAAAEHo","detail":{}},"uuid":"8f6a21e2-8eba-11ea-9fd1-bb7360a0b10c","severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestId":"XrE@yls-7N-b7zu5QlJQTAAAEHo","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588674149179_1\u0026limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}}} -{"version":"0","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"9bef8bf2-8eba-11ea-82e2-356ba42b26b0","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs_Osy-QHSQvSuV4XIrZ_tzA","authenticationProvider":null},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674149179_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE@301ETj3E3czvhhMq6QAAAF4","threshold":"50"}},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"transaction":{"type":"WEB","id":"XrE@301ETj3E3czvhhMq6QAAAF4","detail":{}},"published":"2020-05-05T10:24:31.945Z","severity":"WARN","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"eventType":"system.org.rate_limit.violation","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null}} -{"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:26:10.680Z","transaction":{"detail":{},"type":"WEB","id":"XrE-QkH@Hmw00TTU@52P3wAAEVw"},"version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"displayMessage":"Rate limit warning","severity":"WARN","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","requestId":"XrE-QkH@Hmw00TTU@52P3wAAEVw","threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588674272534_1\u0026limit=1000","timeUnit":"MINUTES","warningPercent":"60"}},"uuid":"d6c95067-8eba-11ea-b823-db4e40ee0137","authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs8ezvjqNdTIuNvebCfVkDvA"},"eventType":"system.org.rate_limit.warning","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"legacyEventType":"core.framework.ratelimit.warning","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null}} -{"outcome":{"result":"SUCCESS","reason":null},"eventType":"system.org.rate_limit.violation","published":"2020-05-05T10:26:31.684Z","debugContext":{"debugData":{"requestId":"XrE-V04MZnO8t6TkdnOVnwAAAQo","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674272534_1\u0026limit=1000","timeUnit":"MINUTES"}},"transaction":{"type":"WEB","id":"XrE-V04MZnO8t6TkdnOVnwAAAQo","detail":{}},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","uuid":"e34e450c-8eba-11ea-b70a-e7df59d7aa62","version":"0","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs44CgqwPsQhmLGT8KA4ochw","authenticationProvider":null,"credentialProvider":null},"displayMessage":"Rate limit violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}]} -{"eventType":"system.org.rate_limit.warning","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"version":"0","authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsNStE8sXvTW-xPL-IkNPiIw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"transaction":{"type":"WEB","id":"XrE-uk4MZnO8t6TkdnOYWwAAAQo","detail":{}},"debugContext":{"debugData":{"requestId":"XrE-uk4MZnO8t6TkdnOYWwAAAQo","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","timeUnit":"MINUTES","threshold":"50","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674392876_1\u0026limit=1000"}},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"legacyEventType":"core.framework.ratelimit.warning","uuid":"1e4de073-8ebb-11ea-9424-4db38b988f86","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:28:10.667Z","severity":"WARN","displayMessage":"Rate limit warning"} -{"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674392876_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrE-z-QdodjJSHySIWsZjgAAASE","threshold":"50","timeSpan":"1"}},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"2ad19c78-8ebb-11ea-a0ba-379f04824fb1","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"eventType":"system.org.rate_limit.violation","published":"2020-05-05T10:28:31.663Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"authenticationContext":{"externalSessionId":"trsAGWkP27TR8K3QPE7qkaFiw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"severity":"WARN","transaction":{"type":"WEB","id":"XrE-z-QdodjJSHySIWsZjgAAASE","detail":{}},"version":"0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]}} -{"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:30:07.127Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","url":"/api/v1/logs?limit=1000\u0026after=1588674512526_1\u0026limit=1000","requestId":"XrFAL6UM0GYBxBYcLmbsGgAAASE","requestUri":"/api/v1/logs"}},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFAL6UM0GYBxBYcLmbsGgAAASE","detail":{}},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsC9_zAgzSTTCXog08Shebaw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"uuid":"63b84288-8ebb-11ea-abd3-1d668132201e","severity":"WARN","outcome":{"result":"SUCCESS","reason":null},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null}} -{"legacyEventType":"core.framework.ratelimit.exceeded","authenticationContext":{"externalSessionId":"trsJWp3AarMTT2KzDb6UqvV5Q","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"published":"2020-05-05T10:30:28.124Z","severity":"WARN","eventType":"system.org.rate_limit.violation","displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674512526_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFARFvsYUrf30@uCZp5ZAAABp0","threshold":"50"}},"uuid":"703c2649-8ebb-11ea-abd1-d96b7fcb273d","version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"transaction":{"type":"WEB","id":"XrFARFvsYUrf30@uCZp5ZAAABp0","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"}} -{"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsoFJQ24y3TDyKYuyEeVtYIQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"published":"2020-05-05T10:32:10.646Z","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","uuid":"ad57c3ed-8ebb-11ea-837c-8f84d82c8d23","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFAqoLAJMDIusENvq9y4QAADhA","detail":{}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"debugContext":{"debugData":{"warningPercent":"60","timeSpan":"1","timeUnit":"MINUTES","requestId":"XrFAqoLAJMDIusENvq9y4QAADhA","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674628854_1\u0026limit=1000"}}} -{"authenticationContext":{"externalSessionId":"trsDcy7icVsTXOeLV2i8VIEWw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"displayMessage":"Rate limit violation","transaction":{"type":"WEB","id":"XrFAv-cOD88CV28@AwdLMQAABDo","detail":{}},"eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674628854_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFAv-cOD88CV28@AwdLMQAABDo"}},"published":"2020-05-05T10:32:31.647Z","securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"severity":"WARN","target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"outcome":{"result":"SUCCESS","reason":null},"legacyEventType":"core.framework.ratelimit.exceeded","uuid":"b9dc435a-8ebb-11ea-ada5-5fef26acfbc9","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:34:05.127Z","legacyEventType":"core.framework.ratelimit.warning","displayMessage":"Rate limit warning","severity":"WARN","transaction":{"type":"WEB","id":"XrFBHean-mUZdi219wRHqwAAEjs","detail":{}},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trs9_xfqQ2mSKWujaPlIeJ5dQ","authenticationProvider":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"threshold":"50","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588674752224_1\u0026limit=1000","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFBHean-mUZdi219wRHqwAAEjs","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs"}},"uuid":"f1942d82-8ebb-11ea-aeca-a544dbc5d64e","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null}} -{"eventType":"system.org.rate_limit.violation","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674752224_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFBMgv9rG@QtvA52XIeiAAAByY","threshold":"50","timeSpan":"1"}},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsZKjIBa07ShGiH1-fqQ11zw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:34:26.123Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrFBMgv9rG@QtvA52XIeiAAAByY","detail":{}},"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"displayMessage":"Rate limit violation","uuid":"fe17ea9d-8ebb-11ea-a6b7-cf71f57d4442"} -{"severity":"WARN","transaction":{"type":"WEB","id":"XrFBmlvsYUrf30@uCZp-zgAABpk","detail":{}},"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"outcome":{"result":"SUCCESS","reason":null},"debugContext":{"debugData":{"requestId":"XrFBmlvsYUrf30@uCZp-zgAABpk","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674866876_1\u0026limit=1000","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:36:10.725Z","legacyEventType":"core.framework.ratelimit.warning","uuid":"3c70ea10-8ebc-11ea-874a-2fc94466cbde","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsv0gnF2CTQdGSDgSoZhqTAw","authenticationProvider":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null}} -{"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsVtv1XeRbTFWprOF_8p-csQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"uuid":"48f59075-8ebc-11ea-afeb-efa9a81fb877","displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:36:31.727Z","legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrFBr7bV1sm78T1X2@XySwAADMg","detail":{}},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"eventType":"system.org.rate_limit.violation","severity":"WARN","debugContext":{"debugData":{"requestId":"XrFBr7bV1sm78T1X2@XySwAADMg","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674866876_1\u0026limit=1000","timeUnit":"MINUTES"}}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"uuid":"83f3cbe4-8ebc-11ea-b70a-e7df59d7aa62","published":"2020-05-05T10:38:10.701Z","severity":"WARN","displayMessage":"Rate limit warning","transaction":{"type":"WEB","id":"XrFCEnWh6j118-TwvwDADAAAA3M","detail":{}},"version":"0","client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsz9wM-17ERb6AGAty-4A7Vg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"eventType":"system.org.rate_limit.warning","debugContext":{"debugData":{"warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFCEnWh6j118-TwvwDADAAAA3M","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588674992071_1\u0026limit=1000"}},"legacyEventType":"core.framework.ratelimit.warning","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}]} -{"eventType":"system.org.rate_limit.violation","securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"transaction":{"type":"WEB","id":"XrFCJ60nT1FhhE9h96tEngAAByI","detail":{}},"version":"0","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsyzk0YgPnStmg85RAEg_0AA","authenticationProvider":null},"displayMessage":"Rate limit violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:38:31.700Z","legacyEventType":"core.framework.ratelimit.exceeded","actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588674992071_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFCJ60nT1FhhE9h96tEngAAByI","threshold":"50","timeSpan":"1"}},"uuid":"9077fdae-8ebc-11ea-a0ba-379f04824fb1","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}]} -{"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsStsGG3ZJRP6TjRYVeOqqnw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"uuid":"cb78f8b5-8ebc-11ea-965d-6da5dc6b4d61","version":"0","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:40:10.692Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"displayMessage":"Rate limit warning","severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","debugContext":{"debugData":{"warningPercent":"60","threshold":"50","timeSpan":"1","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588675111954_1\u0026limit=1000","requestId":"XrFCivboihgf9k0vFE3flQAAAbI","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES"}},"transaction":{"type":"WEB","id":"XrFCivboihgf9k0vFE3flQAAAbI","detail":{}}} -{"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","legacyEventType":"core.framework.ratelimit.exceeded","version":"0","client":{"geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"displayMessage":"Rate limit violation","debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675111954_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFCnwQlhQc@sTWCXHoaWwAAEwo","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"transaction":{"type":"WEB","id":"XrFCnwQlhQc@sTWCXHoaWwAAEwo","detail":{}},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trslfT_A1LuT_WG7Z9PdodFoA","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"published":"2020-05-05T10:40:31.691Z","uuid":"d7fd2a5b-8ebc-11ea-a561-47493e2e60a2"} -{"authenticationContext":{"externalSessionId":"trsT4qu9luVRu2VdIsvSWBDCA","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:42:06.228Z","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","requestId":"XrFC-ovrzgsubrSRhiSsKgAAB0E","threshold":"50","timeSpan":"1","url":"/api/v1/logs?limit=1000\u0026after=1588675232499_1\u0026limit=1000","warningPercent":"60"}},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFC-ovrzgsubrSRhiSsKgAAB0E","detail":{}},"version":"0","client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"severity":"WARN","uuid":"10565dcd-8ebd-11ea-abd3-1d668132201e","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null}} -{"published":"2020-05-05T10:42:27.225Z","severity":"WARN","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675232499_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFDE7bV1sm78T1X2@X7pAAADOI","threshold":"50","timeSpan":"1"}},"version":"0","transaction":{"type":"WEB","id":"XrFDE7bV1sm78T1X2@X7pAAADOI","detail":{}},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsDmVaG8i4RZ2SD5TvUgJhqQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","outcome":{"result":"SUCCESS","reason":null},"uuid":"1cda40ae-8ebd-11ea-abd3-1d668132201e","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null"},"displayMessage":"Rate limit violation"} -{"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsKOWj0B51Q-ukLMXFhVupmw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"transaction":{"type":"WEB","id":"XrFDej@Lf3n8Pj8mzXH1kgAABPk","detail":{}},"uuid":"5aa77b5c-8ebd-11ea-b9fc-61056b16b278","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null"},"legacyEventType":"core.framework.ratelimit.warning","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"outcome":{"result":"SUCCESS","reason":null},"securityContext":{"isp":null,"domain":null,"isProxy":null,"asNumber":null,"asOrg":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000\u0026after=1588675347901_1\u0026limit=1000","warningPercent":"60","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","requestId":"XrFDej@Lf3n8Pj8mzXH1kgAABPk","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES"}},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","published":"2020-05-05T10:44:10.911Z","severity":"WARN","version":"0"} -{"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"transaction":{"type":"WEB","id":"XrFDj0ZkozEynuDR0MGhVgAADiI","detail":{}},"version":"0","published":"2020-05-05T10:44:31.913Z","severity":"WARN","debugContext":{"debugData":{"requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675347901_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFDj0ZkozEynuDR0MGhVgAADiI","threshold":"50","timeSpan":"1"}},"uuid":"672c21a3-8ebd-11ea-a561-47493e2e60a2","authenticationContext":{"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsjKLlLVoVSZqtTxSTIOgzxg","authenticationProvider":null},"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.exceeded","request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"displayMessage":"Rate limit violation"} -{"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsngtN0TJJSq-cRIvN5-aB_Q"},"outcome":{"reason":null,"result":"SUCCESS"},"securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675472781_1\u0026limit=1000","threshold":"50","warningPercent":"60","timeSpan":"1","requestUri":"/api/v1/logs","timeUnit":"MINUTES","requestId":"XrFD7D@Lf3n8Pj8mzXH4RwAABPk"}},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFD7D@Lf3n8Pj8mzXH4RwAABPk","detail":{}},"target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T10:46:04.407Z","actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"displayMessage":"Rate limit warning","eventType":"system.org.rate_limit.warning","severity":"WARN","uuid":"9e4d9949-8ebd-11ea-b611-f1d979f83d84","version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]}} -{"uuid":"aad1c9f7-8ebd-11ea-a0ba-379f04824fb1","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsYITx7VKdTvulh47b8Vbh9w"},"published":"2020-05-05T10:46:25.406Z","debugContext":{"debugData":{"userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675472781_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFEAQPeLOKhwhWFk9FcpQAAAnM","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false"}},"transaction":{"type":"WEB","id":"XrFEAQPeLOKhwhWFk9FcpQAAAnM","detail":{}},"version":"0","eventType":"system.org.rate_limit.violation","securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"severity":"WARN","displayMessage":"Rate limit violation","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"outcome":{"result":"SUCCESS","reason":null},"legacyEventType":"core.framework.ratelimit.exceeded"} -{"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"displayMessage":"Rate limit warning","published":"2020-05-05T10:48:10.789Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"threshold":"50","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675586163_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFEavXjc7OfNk-q70maxgAAExE","warningPercent":"60","timeSpan":"1","threatSuspected":"false"}},"version":"0","client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsUz-ZZ-69RbGWGcTZtRQ3vw","authenticationProvider":null,"credentialProvider":null,"credentialType":null},"eventType":"system.org.rate_limit.warning","severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","transaction":{"type":"WEB","id":"XrFEavXjc7OfNk-q70maxgAAExE","detail":{}},"target":[{"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null}],"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"uuid":"e9a1f55c-8ebd-11ea-baf6-b58aa7127d4c","outcome":{"result":"SUCCESS","reason":null}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsgM0RpzkxTFy37NOB9pW-6g","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:48:31.789Z","transaction":{"type":"WEB","id":"XrFEf5a-SjOG@MbFt9Q@GQAAEUA","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrFEf5a-SjOG@MbFt9Q@GQAAEUA","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675586163_1\u0026limit=1000"}},"legacyEventType":"core.framework.ratelimit.exceeded","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"client":{"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"eventType":"system.org.rate_limit.violation","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"uuid":"f6264df6-8ebd-11ea-8936-ab42b09eebb3","version":"0","displayMessage":"Rate limit violation","severity":"WARN"} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"authenticationContext":{"interface":null,"authenticationStep":0,"externalSessionId":"trsq-8tXCInQ96eZXTsy_qhVg","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null},"outcome":{"reason":null,"result":"SUCCESS"},"debugContext":{"debugData":{"requestId":"XrFE3yhlgQ7cxaCrlGcPHQAAETw","warningPercent":"60","timeSpan":"1","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675713059_1\u0026limit=1000","threshold":"50","requestUri":"/api/v1/logs","timeUnit":"MINUTES"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"eventType":"system.org.rate_limit.warning","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"legacyEventType":"core.framework.ratelimit.warning","target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"client":{"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"published":"2020-05-05T10:50:07.333Z","severity":"WARN","uuid":"2f192a3f-8ebe-11ea-8aaa-959b94ed26bb","displayMessage":"Rate limit warning","transaction":{"type":"WEB","id":"XrFE3yhlgQ7cxaCrlGcPHQAAETw","detail":{}},"version":"0"} -{"displayMessage":"Rate limit violation","debugContext":{"debugData":{"timeUnit":"MINUTES","requestId":"XrFE9Fefz-B54FiebJ6wuAAAEwk","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675713059_1\u0026limit=1000"}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsmlZ6_exZS7CQs65fCHMbgQ"},"securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"uuid":"3b9cbeb9-8ebe-11ea-874a-2fc94466cbde","eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:50:28.328Z","legacyEventType":"core.framework.ratelimit.exceeded","version":"0","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"actor":{"displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com"},"severity":"WARN","transaction":{"type":"WEB","id":"XrFE9Fefz-B54FiebJ6wuAAAEwk","detail":{}}} -{"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"published":"2020-05-05T10:52:10.887Z","client":{"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"}},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsg6IXhKhBQuOP5VleUY2DIg"},"eventType":"system.org.rate_limit.warning","transaction":{"type":"WEB","id":"XrFFWgQlhQc@sTWCXHoxtwAAEwo","detail":{}},"uuid":"78be01aa-8ebe-11ea-aeca-a544dbc5d64e","target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit warning","outcome":{"result":"SUCCESS","reason":null},"severity":"WARN","legacyEventType":"core.framework.ratelimit.warning","version":"0","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"debugContext":{"debugData":{"requestId":"XrFFWgQlhQc@sTWCXHoxtwAAEwo","warningPercent":"60","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675829279_1\u0026limit=1000","timeUnit":"MINUTES","threshold":"50","timeSpan":"1"}},"request":{"ipChain":[{"geographicalContext":null,"version":"V4","source":null,"ip":"1.1.1.1"}]}} -{"displayMessage":"Rate limit violation","securityContext":{"isProxy":null,"asNumber":null,"asOrg":null,"isp":null,"domain":null},"legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrFFb6vcOlZWM2vVN2XrrQAAA-o","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"outcome":{"result":"SUCCESS","reason":null},"published":"2020-05-05T10:52:31.887Z","severity":"WARN","eventType":"system.org.rate_limit.violation","version":"0","target":[{"alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern"}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"client":{"geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1"},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsWLNyNeB1TuaOf9KUtafqjQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"debugContext":{"debugData":{"threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675829279_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFFb6vcOlZWM2vVN2XrrQAAA-o"}},"uuid":"85425adf-8ebe-11ea-b9fc-61056b16b278"} -{"published":"2020-05-05T10:54:05.450Z","severity":"WARN","actor":{"alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User"},"authenticationContext":{"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsPo_I88spSiO7D-Z3DiP2nA","authenticationProvider":null,"credentialProvider":null},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"displayMessage":"Rate limit warning","debugContext":{"debugData":{"requestId":"XrFFzVUO@EPHfYJRM8GZHwAAEK4","timeSpan":"1","userId":"00u3mo2ci0RuzhCQe357","timeUnit":"MINUTES","warningPercent":"60","threshold":"50","requestUri":"/api/v1/logs","threatSuspected":"false","url":"/api/v1/logs?limit=1000\u0026after=1588675952841_1\u0026limit=1000"}},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"transaction":{"type":"WEB","id":"XrFFzVUO@EPHfYJRM8GZHwAAEK4","detail":{}},"request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"client":{"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown","id":null},"outcome":{"result":"SUCCESS","reason":null},"uuid":"bd06eee7-8ebe-11ea-82e2-356ba42b26b0","version":"0","eventType":"system.org.rate_limit.warning","legacyEventType":"core.framework.ratelimit.warning"} -{"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"securityContext":{"domain":null,"isProxy":null,"asNumber":null,"asOrg":null,"isp":null},"severity":"WARN","debugContext":{"debugData":{"requestId":"XrFF4k4GCgrejBJbF709NgAADkw","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588675952841_1\u0026limit=1000","timeUnit":"MINUTES"}},"uuid":"c98b962e-8ebe-11ea-8cbe-bf2eaab2e9ef","version":"0","request":{"ipChain":[{"version":"V4","source":null,"ip":"1.1.1.1","geographicalContext":null}]},"target":[{"displayName":null,"detailEntry":null,"id":"/api/v1/logs","type":"URL Pattern","alternateId":null}],"actor":{"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null},"published":"2020-05-05T10:54:26.452Z","legacyEventType":"core.framework.ratelimit.exceeded","transaction":{"type":"WEB","id":"XrFF4k4GCgrejBJbF709NgAADkw","detail":{}},"client":{"userAgent":{"os":"Unknown","browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0"},"zone":"null","device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null},"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"trsQfY_9PlvSXudklqeUljN-Q"},"displayMessage":"Rate limit violation"} -{"published":"2020-05-05T10:56:10.706Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"authenticationContext":{"authenticationStep":0,"externalSessionId":"trsSKUi5-F1RLGN6KxlwchJSQ","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null},"eventType":"system.org.rate_limit.warning","outcome":{"result":"SUCCESS","reason":null},"actor":{"detailEntry":null,"id":"00u3mo2ci0RuzhCQe357","type":"User","alternateId":"foo@bar.com","displayName":"John Doe"},"client":{"id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"rawUserAgent":"Go-http-client/2.0","os":"Unknown","browser":"UNKNOWN"},"zone":"null","device":"Unknown"},"legacyEventType":"core.framework.ratelimit.warning","transaction":{"detail":{},"type":"WEB","id":"XrFGShXpNT0RVGi@JH9uIwAAAc0"},"uuid":"07af7b64-8ebf-11ea-9a68-45f5acc7edae","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"displayMessage":"Rate limit warning","debugContext":{"debugData":{"timeSpan":"1","requestUri":"/api/v1/logs","userId":"00u3mo2ci0RuzhCQe357","url":"/api/v1/logs?limit=1000\u0026after=1588676067403_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFGShXpNT0RVGi@JH9uIwAAAc0","threshold":"50","threatSuspected":"false","warningPercent":"60"}},"target":[{"type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null,"id":"/api/v1/logs"}],"severity":"WARN","version":"0"} -{"securityContext":{"asOrg":null,"isp":null,"domain":null,"isProxy":null,"asNumber":null},"debugContext":{"debugData":{"url":"/api/v1/logs?limit=1000\u0026after=1588676067403_1\u0026limit=1000","timeUnit":"MINUTES","requestId":"XrFGX6ij4DHbM5celo4CfgAAEGg","threshold":"50","timeSpan":"1","requestUri":"/api/v1/logs","threatSuspected":"false","userId":"00u3mo2ci0RuzhCQe357"}},"transaction":{"type":"WEB","id":"XrFGX6ij4DHbM5celo4CfgAAEGg","detail":{}},"uuid":"14347026-8ebf-11ea-9b4d-6d898d9545c0","displayMessage":"Rate limit violation","legacyEventType":"core.framework.ratelimit.exceeded","severity":"WARN","client":{"device":"Unknown","id":null,"ipAddress":"1.1.1.1","geographicalContext":null,"userAgent":{"browser":"UNKNOWN","rawUserAgent":"Go-http-client/2.0","os":"Unknown"},"zone":"null"},"authenticationContext":{"externalSessionId":"trsXxlMs-kRSOyAE7puqhj8Pw","authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0},"eventType":"system.org.rate_limit.violation","outcome":{"result":"SUCCESS","reason":null},"version":"0","request":{"ipChain":[{"ip":"1.1.1.1","geographicalContext":null,"version":"V4","source":null}]},"actor":{"type":"User","alternateId":"foo@bar.com","displayName":"John Doe","detailEntry":null,"id":"00u3mo2ci0RuzhCQe357"},"target":[{"id":"/api/v1/logs","type":"URL Pattern","alternateId":null,"displayName":null,"detailEntry":null}],"published":"2020-05-05T10:56:31.710Z"} diff --git a/schemas/logs/okta/tests/system_log_tests.yml b/schemas/logs/okta/tests/system_log_tests.yml deleted file mode 100644 index 24d880531..000000000 --- a/schemas/logs/okta/tests/system_log_tests.yml +++ /dev/null @@ -1,98 +0,0 @@ -# Copyright (C) 2020 Panther Labs Inc -# -# Panther Enterprise is licensed under the terms of a commercial license available from -# Panther Labs Inc ("Panther Commercial License") by contacting contact@runpanther.com. -# All use, distribution, and/or modification of this software, whether commercial or non-commercial, -# falls under the Panther Commercial License to the extent it is permitted. - ---- -name: OktaSystemLogs -logType: Okta.SystemLog -input: | - { - "version": "0", - "severity": "INFO", - "client": { - "zone": "OFF_NETWORK", - "device": "Unknown", - "userAgent": { - "os": "Unknown", - "browser": "UNKNOWN", - "rawUserAgent": "UNKNOWN-DOWNLOAD" - }, - "ipAddress": "1.1.1.1" - }, - "actor": { - "id": "00u1qw1mqitPHM8AJ0g7", - "type": "User", - "alternateId": "admin@tc1-trexcloud.com", - "displayName": "John Fung" - }, - "outcome": { - "result": "SUCCESS" - }, - "uuid": "f790999f-fe87-467a-9880-6982a583986c", - "published": "2017-09-30T22:23:07.777Z", - "eventType": "user.session.start", - "displayMessage": "User login to Okta", - "transaction": { - "type": "WEB", - "id": "V04Oy4ubUOc5UuG6s9DyNQAABtc" - }, - "debugContext": { - "debugData": { - "requestUri": "/login/do-login" - } - }, - "legacyEventType": "core.user_auth.login_success", - "authenticationContext": { - "authenticationStep": 0, - "externalSessionId": "1013FfF-DKQSvCI4RVXChzX-w" - } - } -result: | - { - "version": "0", - "severity": "INFO", - "client": { - "zone": "OFF_NETWORK", - "device": "Unknown", - "userAgent": { - "os": "Unknown", - "browser": "UNKNOWN", - "rawUserAgent": "UNKNOWN-DOWNLOAD" - }, - "ipAddress": "1.1.1.1" - }, - "actor": { - "id": "00u1qw1mqitPHM8AJ0g7", - "type": "User", - "alternateId": "admin@tc1-trexcloud.com", - "displayName": "John Fung" - }, - "outcome": { - "result": "SUCCESS" - }, - "uuid": "f790999f-fe87-467a-9880-6982a583986c", - "published": "2017-09-30T22:23:07.777Z", - "eventType": "user.session.start", - "displayMessage": "User login to Okta", - "transaction": { - "type": "WEB", - "id": "V04Oy4ubUOc5UuG6s9DyNQAABtc" - }, - "debugContext": { - "debugData": { - "requestUri": "/login/do-login" - } - }, - "legacyEventType": "core.user_auth.login_success", - "authenticationContext": { - "authenticationStep": 0, - "externalSessionId": "1013FfF-DKQSvCI4RVXChzX-w" - }, - "p_any_ip_addresses": ["1.1.1.1"], - "p_any_emails": ["admin@tc1-trexcloud.com"], - "p_log_type": "Okta.SystemLog", - "p_event_time": "2017-09-30T22:23:07.777Z" - } diff --git a/schemas/logs/one_login/events.yml b/schemas/logs/one_login/events.yml deleted file mode 100644 index 31ab98c3a..000000000 --- a/schemas/logs/one_login/events.yml +++ /dev/null @@ -1,208 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: OneLogin.Events -parser: - native: - name: OneLogin.Events -description: | - OneLogin provides single sign-on and identity management for organizations - Panther Enterprise Only -referenceURL: https://developers.onelogin.com/api-docs/1/events/event-resource -version: 0 -fields: - - name: uuid - required: true - description: The Universal Unique Identifier for this message generated by OneLogin. - type: string - - name: account_id - required: true - description: Account that triggered the event. - type: bigint - - name: event_timestamp - required: true - description: Time and date at which the event was created. This value is autogenerated by OneLogin. - type: timestamp - timeFormat: layout=2006-01-02 15:04:05 MST - isEventTime: true - - name: error_description - description: Provisioning error details, if applicable. - type: string - - name: login_name - description: The name of the login user - type: string - - name: app_name - description: Name of the app involved in the event, if applicable. - type: string - - name: authentication_factor_description - description: More details about the authentication factor used. - type: string - - name: certificate_name - description: The name of the certificate that was included in the request. - type: string - - name: certificate_id - description: The ID of the certificate that was included in the request. - type: string - - name: assumed_by_superadmin_or_reseller - description: Indicates that the operation was performed by superadmin or reseller. - type: boolean - - name: directory_name - description: The directory name. - type: string - - name: actor_user_id - description: ID of the user whose action triggered the event. - type: bigint - - name: user_name - description: Name of the user that was acted upon to trigger the event. - type: string - indicators: - - username - - name: mapping_id - description: The ID of the mapping included in the operation. - type: bigint - - name: radius_config_id - description: The ID of the Radius configuration included in the operation. - type: bigint - - name: risk_score - description: The higher thiss number, the higher the risk. - type: bigint - - name: otp_device_id - description: ID of a device involved in the event. - type: bigint - - name: imported_user_id - description: The ID of the imported user. - type: bigint - - name: resolution - description: The resolution. - type: bigint - - name: directory_id - description: The directory ID. - type: bigint - - name: authentication_factor_id - description: The ID of the authentication factor used. - type: bigint - - name: risk_cookie_id - description: The ID of the risk cookie. - type: string - - name: app_id - description: ID of the app involved in the event, if applicable. - type: bigint - - name: custom_message - description: More details about the event. - type: string - - name: browser_fingerprint - description: The fingerprint of the browser. - type: string - - name: otp_device_name - description: Name of a device involved in the event. - type: string - - name: actor_user_name - description: First and last name of the user whose action triggered the event. - type: string - indicators: - - username - - name: actor_system - description: Acting system that triggered the event when the actor is not a user. - type: string - - name: user_field_name - description: The name of the custom user field. - type: string - - name: user_field_id - description: The ID of the custom user field. - type: string - - name: assuming_acting_user_id - description: ID of the user who assumed the role of the acting user to trigger the event, if applicable. - type: bigint - - name: api_credential_name - description: The name of the API credential used. - type: string - - name: imported_user_name - description: The name of the imported user. - type: string - indicators: - - username - - name: note_title - description: The title of the note. - type: string - - name: trusted_idp_name - description: The name of the trusted IDP. - type: string - - name: policy_id - description: ID of the policy involved in the event. - type: bigint - - name: role_name - description: Name of a role involved in the event. - type: string - - name: resolved_by_user_id - description: The ID of the user that resolved the issue. - type: bigint - - name: group_id - description: ID of a group involved in the event. - type: bigint - - name: client_id - description: Client ID used to generate the access token that made the API call that generated the event. - type: string - - name: ipaddr - description: IP address of the machine used to trigger the event. - type: string - indicators: - - ip - - name: notes - description: More details about the event. - type: string - - name: event_type_id - required: true - description: Type of event triggered. - type: bigint - - name: user_id - description: ID of the user that was acted upon to trigger the event. - type: bigint - - name: risk_reasons - description: This is not an exhaustive list of the reasons for the risk score and should only be used as a guide - type: string - - name: proxy_agent_name - description: The name of the proxy agent. - type: string - - name: policy_type - description: The type of the policy. - type: string - - name: role_id - description: ID of a role involved in the event. - type: bigint - - name: user_agent - description: The user agent from which the request was invoke - type: string - - name: privilege_name - description: The name of the privilege. - type: string - - name: group_name - description: Name of a group involved in the event. - type: string - - name: entity - description: The entity involved in this request. - type: string - - name: resource_type_id - description: ID of the resource (user, role, group, and so forth) associated with the event. - type: bigint - - name: mapping_name - description: The name of the mapping. - type: string - - name: task_name - description: The name of the task. - type: string - - name: authentication_factor_type - description: The type of the authentication type. - type: bigint - - name: radius_config_name - description: The name of the Radius configuration used. - type: string - - name: policy_name - description: Name of the policy involved in the event. - type: string - - name: privilege_id - description: The id of the privilege. - type: bigint - - name: directory_sync_run_id - description: Directory sync run ID. - type: bigint - - name: operation_name - description: The name of the operation - type: string diff --git a/schemas/logs/one_login/tests/events_tests.yml b/schemas/logs/one_login/tests/events_tests.yml deleted file mode 100644 index 930d5b13d..000000000 --- a/schemas/logs/one_login/tests/events_tests.yml +++ /dev/null @@ -1,248 +0,0 @@ ---- -name: TestOneLogin -logType: OneLogin.Events -input: | - { - "create": { - "_id": "6ce16f26-b25d-4070-9a30-4f259675a745" - }, - "event_timestamp": "2020-04-15 22:51:24 UTC", - "otp_device_id": 1159999, - "user_id": 50361999, - "event_type_id": 1400, - "actor_user_name": "Jon Bixton", - "notes": "Authentication method: OTP (Valid OTP). Factor name: Duo Security", - "actor_system": "", - "uuid": "6ce16f26-b25d-4070-9a30-4f259675a745", - "user_name": "Jon Bixton", - "ipaddr": "136.25.254.254", - "account_id": 142999, - "authentication_factor_type": 12, - "authentication_factor_description": "Duo Security", - "user_agent": "Swagger-Codegen/1.0.0/ruby", - "authentication_factor_id": 20402, - "actor_user_id": 50361999, - "otp_device_name": "Duo Duo Security" - } -result: | - { - "event_timestamp": "2020-04-15 22:51:24 UTC", - "otp_device_id": 1159999, - "user_id": 50361999, - "event_type_id": 1400, - "actor_user_name": "Jon Bixton", - "notes": "Authentication method: OTP (Valid OTP). Factor name: Duo Security", - "actor_system": "", - "uuid": "6ce16f26-b25d-4070-9a30-4f259675a745", - "user_name": "Jon Bixton", - "ipaddr": "136.25.254.254", - "account_id": 142999, - "authentication_factor_type": 12, - "authentication_factor_description": "Duo Security", - "user_agent": "Swagger-Codegen/1.0.0/ruby", - "authentication_factor_id": 20402, - "actor_user_id": 50361999, - "otp_device_name": "Duo Duo Security", - "p_event_time": "2020-04-15T22:51:24Z", - "p_any_usernames": ["Jon Bixton"], - "p_any_ip_addresses":["136.25.254.254"], - "p_log_type": "OneLogin.Events" - } ---- -name: TestOneLoginPriviledgeEvent -logType: OneLogin.Events -input: | - { - "create": { - "_id": "aca33051-d938-40cf-8dec-c382e397b4d7" - }, - "event_timestamp": "2020-04-14 23:34:15 UTC", - "ipaddr": "136.25.254.254", - "privilege_id": 338999, - "privilege_name": "Manage Panther Cognito (Test)", - "account_id": 142999, - "event_type_id": 72, - "uuid": "aca33051-d938-40cf-8dec-c382e397b4d7", - "app_name": "Panther Cognito (Test)", - "actor_user_name": "Jon Bixton", - "user_id": 50361999, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36", - "user_name": "Jon Bixton", - "app_id": 1120551, - "actor_user_id": 50361999, - "actor_system": "" - } -result: | - { - "event_timestamp": "2020-04-14 23:34:15 UTC", - "ipaddr": "136.25.254.254", - "privilege_id": 338999, - "privilege_name": "Manage Panther Cognito (Test)", - "account_id": 142999, - "event_type_id": 72, - "uuid": "aca33051-d938-40cf-8dec-c382e397b4d7", - "app_name": "Panther Cognito (Test)", - "actor_user_name": "Jon Bixton", - "user_id": 50361999, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36", - "user_name": "Jon Bixton", - "app_id": 1120551, - "actor_user_id": 50361999, - "actor_system": "", - "p_event_time": "2020-04-14T23:34:15Z", - "p_any_usernames": ["Jon Bixton"], - "p_any_ip_addresses":["136.25.254.254"], - "p_log_type": "OneLogin.Events" - } ---- -name: TestOneLoginDirectorySync -logType: OneLogin.Events -input: | - { - "create": { - "_id": "5c103afb-bcca-4d5b-8eae-a23e675cae82" - }, - "event_type_id": 14, - "uuid": "5c103afb-bcca-4d5b-8eae-a23e67588888", - "resolution": 10, - "event_timestamp": "2020-04-09 18:37:33 UTC", - "directory_sync_run_id": 1586458888, - "account_id": 142999, - "actor_user_name": "G Suite", - "actor_system": "G Suite", - "ipaddr": "", - "user_agent": "", - "user_id": 53642999, - "user_name": "Jon Bixton", - "notes": "Updated user" - } -result: | - { - "event_type_id": 14, - "uuid": "5c103afb-bcca-4d5b-8eae-a23e67588888", - "resolution": 10, - "event_timestamp": "2020-04-09 18:37:33 UTC", - "directory_sync_run_id": 1586458888, - "account_id": 142999, - "actor_user_name": "G Suite", - "actor_system": "G Suite", - "ipaddr": "", - "user_agent": "", - "user_id": 53642999, - "user_name": "Jon Bixton", - "notes": "Updated user", - "p_event_time": "2020-04-09T18:37:33Z", - "p_any_usernames": [ "G Suite", "Jon Bixton" ], - "p_log_type": "OneLogin.Events" - } ---- -name: TestOneLoginRiskReasons -logType: OneLogin.Events -input: | - { - "create": { - "_id": "9d038ce7-12a9-4548-9835-6c07d13dcb63" - }, - "resource_type_id": null, - "resolved_at": null, - "object_id": null, - "job_name": null, - "authentication_factor_type": null, - "radius_config_id": null, - "mapping_id": null, - "client_id": null, - "risk_cookie_id": "dccab460dde68a296872a01204976b5e6a755671aa6234d14ccedbea10fd4173", - "param": null, - "proxy_ip": null, - "authentication_factor_description": null, - "directory_id": null, - "risk_reasons": "Boulder, Colorado, United States is a new location (20%)\nAccessed from a new IP address (20%)\nUnexpectedly high velocity (4587.45 km/hr) (20%)\nInfrequent access from 70.39.110.83 (20%)\nInfrequent access from Boulder, Colorado, United States (20%)", - "api_credential_name": null, - "safe_to_unescape": null, - "report_id": null, - "app_name": null, - "proxy_agent_name": null, - "user_field_name": null, - "otp_device_id": null, - "directory_name": null, - "notes": "Authentication method: Login App.\nTransitions: desktop_login -> username -> password -> mfa_login\nCorrelation_id: fc7f0a67-6970-4919-8a73-e5a3b4c76189", - "custom_message": null, - "policy_name": null, - "note_id": null, - "user_field_id": null, - "user_id": 73503145, - "service_job_name": null, - "assumed_by_superadmin_or_reseller": null, - "assuming_acting_user_id": null, - "otp_device_name": null, - "authentication_factor_id": null, - "browser_fingerprint": "0335332a287a43e05e0e7cd8ec9eb44c", - "adc_name": null, - "user_name": "Somebody", - "trusted_idp_id": null, - "trusted_idp_name": null, - "service_directory_id": null, - "actor_user_id": 73503145, - "note_title": null, - "login_name": null, - "adc_id": null, - "certificate_name": null, - "privilege_id": null, - "solved": null, - "uuid": "9d038ce7-12a9-4548-9835-6c07d13dcb63", - "directory_sync_run_id": null, - "proxy_agent_id": null, - "service_job_id": null, - "app_id": null, - "error_description": null, - "actor_system": "", - "privilege_name": null, - "imported_user_id": null, - "job_id": null, - "role_id": null, - "policy_type": null, - "actor_user_name": "Somebody", - "account_id": 148935, - "resolution": null, - "event_type_id": 5, - "risk_score": 30, - "report_name": null, - "resolved_by_user_id": null, - "imported_user_name": null, - "group_name": null, - "ipaddr": "70.39.110.83", - "group_id": null, - "policy_id": null, - "entity": null, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", - "certificate_id": null, - "mapping_name": null, - "task_name": null, - "login_id": null, - "role_name": null, - "event_timestamp": "2020-08-21 00:32:38 UTC", - "radius_config_name": null - } -result: | - { - "risk_cookie_id": "dccab460dde68a296872a01204976b5e6a755671aa6234d14ccedbea10fd4173", - "risk_reasons": "Boulder, Colorado, United States is a new location (20%)\nAccessed from a new IP address (20%)\nUnexpectedly high velocity (4587.45 km/hr) (20%)\nInfrequent access from 70.39.110.83 (20%)\nInfrequent access from Boulder, Colorado, United States (20%)", - "notes": "Authentication method: Login App.\nTransitions: desktop_login -> username -> password -> mfa_login\nCorrelation_id: fc7f0a67-6970-4919-8a73-e5a3b4c76189", - "browser_fingerprint": "0335332a287a43e05e0e7cd8ec9eb44c", - "user_name": "Somebody", - "actor_user_id": 73503145, - "uuid": "9d038ce7-12a9-4548-9835-6c07d13dcb63", - "actor_system": "", - "actor_user_name": "Somebody", - "account_id": 148935, - "event_type_id": 5, - "risk_score": 30, - "ipaddr": "70.39.110.83", - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36", - "user_id": 73503145, - "event_timestamp": "2020-08-21 00:32:38 UTC", - "p_event_time": "2020-08-21T00:32:38Z", - "p_any_usernames": ["Somebody"], - "p_any_ip_addresses":["70.39.110.83"], - "p_log_type": "OneLogin.Events" - } diff --git a/schemas/logs/osquery/batch.yml b/schemas/logs/osquery/batch.yml deleted file mode 100644 index c77cf7dc4..000000000 --- a/schemas/logs/osquery/batch.yml +++ /dev/null @@ -1,52 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Osquery.Batch -parser: - native: - name: Osquery.Batch -description: Batch contains all the data included in OsQuery batch logs -referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/ -version: 0 -fields: - - name: calendarTime - required: true - description: The time of the event (UTC). - type: timestamp - timeFormat: rfc3339 - - name: counter - required: true - description: Counter - type: bigint - - name: decorations - description: Decorations - type: json - - name: diffResults - required: true - description: Computed differences. - type: object - fields: - - name: added - description: Added field - type: array - element: - type: json - - name: removed - description: Removed field - type: array - element: - type: json - - name: epoch - required: true - description: Epoch - type: bigint - - name: hostname - required: true - description: Hostname - type: string - - name: name - required: true - description: Name - type: string - - name: unixTime - required: true - description: Unix epoch - type: bigint diff --git a/schemas/logs/osquery/differential.yml b/schemas/logs/osquery/differential.yml deleted file mode 100644 index 5f75ca89e..000000000 --- a/schemas/logs/osquery/differential.yml +++ /dev/null @@ -1,53 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Osquery.Differential -parser: - native: - name: Osquery.Differential -description: Differential contains all the data included in OsQuery differential logs -referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/ -version: 0 -fields: - - name: action - required: true - description: Action - type: string - - name: calendarTime - required: true - description: The time of the event (UTC). - type: timestamp - timeFormat: rfc3339 - - name: columns - required: true - description: Columns - type: json - - name: counter - description: Counter - type: bigint - - name: decorations - description: Decorations - type: json - - name: epoch - required: true - description: Epoch - type: bigint - - name: hostIdentifier - required: true - description: HostIdentifier - type: string - - name: logType - description: LogType - type: string - - name: log_type - description: LogUnderscoreType - type: string - - name: name - required: true - description: Name - type: string - - name: unixTime - required: true - description: UnixTime - type: bigint - - name: logNumericsAsNumbers - description: LogNumericsAsNumbers - type: boolean diff --git a/schemas/logs/osquery/snapshot.yml b/schemas/logs/osquery/snapshot.yml deleted file mode 100644 index 21ed21fdf..000000000 --- a/schemas/logs/osquery/snapshot.yml +++ /dev/null @@ -1,47 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Osquery.Snapshot -parser: - native: - name: Osquery.Snapshot -description: Snapshot contains all the data included in OsQuery differential logs -referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/ -version: 0 -fields: - - name: action - required: true - description: Action - type: string - - name: calendarTime - required: true - description: The time of the event (UTC). - type: timestamp - timeFormat: rfc3339 - - name: counter - required: true - description: Counter - type: bigint - - name: decorations - description: Decorations - type: json - - name: epoch - required: true - description: Epoch - type: bigint - - name: hostIdentifier - required: true - description: HostIdentifier - type: string - - name: name - required: true - description: Name - type: string - - name: snapshot - required: true - description: Snapshot - type: array - element: - type: json - - name: unixTime - required: true - description: UnixTime - type: bigint diff --git a/schemas/logs/osquery/status.yml b/schemas/logs/osquery/status.yml deleted file mode 100644 index e2e626f3f..000000000 --- a/schemas/logs/osquery/status.yml +++ /dev/null @@ -1,50 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Osquery.Status -parser: - native: - name: Osquery.Status -description: Status is a diagnostic osquery log about the daemon. -referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/ -version: 0 -fields: - - name: calendarTime - required: true - description: The time of the event (UTC). - type: timestamp - timeFormat: rfc3339 - - name: decorations - description: Decorations - type: json - - name: filename - required: true - description: Filename - type: string - - name: hostIdentifier - required: true - description: HostIdentifier - type: string - - name: line - required: true - description: Line - type: bigint - - name: logType - description: LogType - type: string - - name: log_type - description: LogUnderScoreType - type: string - - name: message - description: Message - type: string - - name: severity - required: true - description: Severity - type: bigint - - name: unixTime - required: true - description: UnixTime - type: bigint - - name: version - required: true - description: Version - type: string diff --git a/schemas/logs/ossec/event_info.yml b/schemas/logs/ossec/event_info.yml deleted file mode 100644 index 550406eb2..000000000 --- a/schemas/logs/ossec/event_info.yml +++ /dev/null @@ -1,221 +0,0 @@ -# Copyright (C) 2020 Panther Labs Inc -# -# Panther Enterprise is licensed under the terms of a commercial license available from -# Panther Labs Inc ("Panther Commercial License") by contacting contact@runpanther.com. -# All use, distribution, and/or modification of this software, whether commercial or non-commercial, -# falls under the Panther Commercial License to the extent it is permitted. - -version: 0 -schema: OSSEC.EventInfo -description: OSSEC EventInfo alert parser. Currently only JSON output is supported. -referenceURL: https://www.ossec.net/docs/docs/formats/alerts.html -fields: - - name: id - required: true - description: Unique id of the event. - type: string - - name: rule - required: true - description: Information about the rule that created the event. - type: object - fields: - - name: comment - required: true - description: The rule description. - type: string - - name: level - required: true - description: The level of the rule (0 to 16). Alerts and responses use this value. - type: bigint - - name: sidid - required: true - description: The ID of the rule (100 to 99999). - type: bigint - - name: CIS - description: A list of Center for Internet Security (CIS) checks relevant to the rule. - type: array - element: - type: string - - name: cve - description: A Common Vulnerabilities and Exposures (CVE) identifier relevant to the rule. - type: string - - name: firedtimes - description: The number of times the rule fired. - type: bigint - - name: frequency - description: Specifies the number of times the rule must have matched before firing. - type: bigint - - name: group - description: Groups are optional tags added to alerts. - type: string - - name: groups - description: Groups are optional tags added to alerts. - type: array - element: - type: string - - name: info - description: Additional information or reference about the rule. - type: string - - name: PCI_DSS - description: A list of Payment Card Industry Data Security Standard (PCI DSS) requirements relevant to the rule. - type: array - element: - type: string - - name: TimeStamp - required: true - description: Timestamp in UTC. - type: timestamp - timeFormat: unix_ms - isEventTime: true - - name: location - required: true - description: Source of the event (filename, command, etc). - type: string - - name: hostname - required: true - description: Hostname of the host that created the event. - type: string - - name: full_log - required: true - description: The full captured log of the event. - type: string - - name: action - description: The event action (drop, deny, accept, etc). - type: string - - name: agentip - description: The IP address of an agent extracted from the hostname. - type: string - indicators: - - ip - - name: agent_name - description: The name of an agent extracted from the hostname. - type: string - - name: command - description: The command extracted by the decoder. - type: string - - name: data - description: Additional data extracted by the decoder. For example a filename. - type: string - - name: decoder - description: The name of the decoder used to parse the logs. - type: string - - name: decoder_desc - description: Information about the decoder used to parse the logs. - type: object - fields: - - name: accumulate - description: True if OSSEC tracks events over multiple log messages based on decoded id. - type: bigint - - name: fts - description: The First Time Seen option inside of analysisd. - type: bigint - - name: ftscomment - description: Unused at this time. - type: string - - name: name - description: The name of the decoder. - type: string - - name: parent - description: In the case of a nested decoder, the name of it's parent. - type: string - - name: decoder_parent - description: In the case of a nested decoder, the name of it's parent. - type: string - - name: dstgeoip - description: GeoIP location information about the destination IP address. - type: string - - name: dstip - description: The destination IP address. - type: string - indicators: - - ip - - name: dstport - description: The destination port. - type: string - - name: dstuser - description: The destination (target) username. - type: string - indicators: - - username - - name: logfile - description: The source log file that was decoded to generate the event. - type: string - - name: previous_output - description: The full captured log of the previous event. - type: string - - name: program_name - description: The executable name extracted from the log by the decoder used to match a rule. - type: string - - name: protocol - description: The protocol (ip, tcp, udp, etc) extracted by the decoder. - type: string - - name: srcgeoip - description: GeoIP location information about the source IP address. - type: string - - name: srcip - description: The source IP address. - type: string - indicators: - - ip - - name: srcport - description: The source port. - type: string - - name: srcuser - description: The source username. - type: string - indicators: - - username - - name: status - description: Event status (success, failure, etc). - type: string - - name: SyscheckFile - description: Information about a file integrity check. - type: object - fields: - - name: gowner_after - description: The group owner after modification. - type: string - - name: gowner_before - description: The group owner before modification. - type: string - - name: md5_after - description: MD5 hash of the file after modification. - type: string - indicators: - - md5 - - name: md5_before - description: MD5 hash of the file before modification. - type: string - indicators: - - md5 - - name: owner_after - description: The file owner after modification. - type: string - - name: owner_before - description: The file owner before modification. - type: string - - name: path - description: The path to the file. - type: string - - name: perm_after - description: The permissions of the file after modification. - type: bigint - - name: perm_before - description: The permissions of the file before modification. - type: bigint - - name: sha1_after - description: SHA1 hash of the file after modification. - type: string - indicators: - - sha1 - - name: sha1_before - description: SHA1 hash of the file before modification. - type: string - indicators: - - sha1 - - name: systemname - description: The system name extracted by the decoder. - type: string - - name: url - description: URL of the event. - type: string diff --git a/schemas/logs/ossec/tests/ossec_tests.yml b/schemas/logs/ossec/tests/ossec_tests.yml deleted file mode 100644 index 50c38a644..000000000 --- a/schemas/logs/ossec/tests/ossec_tests.yml +++ /dev/null @@ -1,167 +0,0 @@ -# Copyright (C) 2020 Panther Labs Inc -# -# Panther Enterprise is licensed under the terms of a commercial license available from -# Panther Labs Inc ("Panther Commercial License") by contacting contact@runpanther.com. -# All use, distribution, and/or modification of this software, whether commercial or non-commercial, -# falls under the Panther Commercial License to the extent it is permitted. - ---- -name: OSSEC.EventInfo.3.6.0 -logType: OSSEC.EventInfo -input: | - { - "rule": { - "level": 3, - "comment": "Successful sudo to ROOT executed", - "sidid": 5402, - "firedtimes": 33, - "groups": [ - "syslog", - "sudo" - ] - }, - "id": "1616694073.100223", - "TimeStamp": 1616694073000, - "decoder": "sudo", - "srcuser": "root", - "dstuser": "ssm-user", - "location": "/var/log/secure", - "full_log": "Mar 25 17:41:11 ip-1-1-4-1 sudo: ssm-user : TTY=pts/2 ; PWD=/home/ssm-user ; USER=root ; COMMAND=/bin/tail /var/ossec/logs/alerts/alerts.json", - "hostname": "ip-1-1-4-1", - "program_name": "sudo", - "status": "/bin/tail /var/ossec/logs/alerts/alerts.json", - "url": "/home/ssm-user", - "decoder_desc": { - "fts": 2816, - "name": "sudo" - }, - "agent_name": "ip-1-1-4-1", - "timestamp": "2021 Mar 25 17:41:13", - "logfile": "/var/log/secure" - } -result: | - { - "rule": { - "level": 3, - "comment": "Successful sudo to ROOT executed", - "sidid": 5402, - "firedtimes": 33, - "groups": [ - "syslog", - "sudo" - ] - }, - "id": "1616694073.100223", - "TimeStamp": 1616694073000, - "decoder": "sudo", - "srcuser": "root", - "dstuser": "ssm-user", - "location": "/var/log/secure", - "full_log": "Mar 25 17:41:11 ip-1-1-4-1 sudo: ssm-user : TTY=pts/2 ; PWD=/home/ssm-user ; USER=root ; COMMAND=/bin/tail /var/ossec/logs/alerts/alerts.json", - "hostname": "ip-1-1-4-1", - "program_name": "sudo", - "status": "/bin/tail /var/ossec/logs/alerts/alerts.json", - "url": "/home/ssm-user", - "decoder_desc": { - "fts": 2816, - "name": "sudo" - }, - "agent_name": "ip-1-1-4-1", - "logfile": "/var/log/secure", - "p_event_time": "2021-03-25T17:41:13Z", - "p_log_type": "OSSEC.EventInfo", - "p_any_usernames": ["root","ssm-user"] - } - ---- -name: TestEventInfo -logType: OSSEC.EventInfo -input: | - { - "rule": { - "level": 5, - "comment": "Syslogd restarted.", - "sidid": 1005, - "group": "syslog,errors," - }, - "id": "1510376401.0", - "TimeStamp": 1510376401000, - "location": "/var/log/messages", - "full_log": "Nov 11 00:00:01 ix syslogd[72090]: restart", - "hostname": "ix", - "program_name": "syslogd" - } -result: | - { - "rule": { - "level": 5, - "comment": "Syslogd restarted.", - "sidid": 1005, - "group": "syslog,errors," - }, - "id": "1510376401.0", - "TimeStamp": 1510376401000, - "location": "/var/log/messages", - "full_log": "Nov 11 00:00:01 ix syslogd[72090]: restart", - "hostname": "ix", - "program_name": "syslogd", - "p_log_type": "OSSEC.EventInfo", - "p_event_time": "2017-11-11T05:00:01Z" - } ---- -name: TestEventInfoWithSyscheckFile -logType: OSSEC.EventInfo -input: | - { - "rule": { - "level": 7, - "comment": "Integrity checksum changed.", - "sidid": 550, - "group": "ossec,syscheck," - }, - "id": "1540845340.16991", - "TimeStamp": 1540845340000, - "decoder": "syscheck_integrity_changed", - "location": "syscheck", - "full_log": "Integrity checksum changed for:'/usr/bin/ssm-cli'\nOld md5sum was:'22271cce0732d887e3980e5a6868e459'\nNew md5sum is :'220a8f105af5e711f99e52583209a871'\nOld sha1sum was:'4df65340f366c18f85be228c26817e20391f32c4'\nNew sha1sum is :'c7414fd048c81361720e2d9c8d2f82faf33748b6'\n", - "SyscheckFile": { - "path": "/usr/bin/ssm-cli", - "md5_before": "22271cce0732d887e3980e5a6868e459", - "md5_after": "220a8f105af5e711f99e52583209a871", - "sha1_before": "4df65340f366c18f85be228c26817e20391f32c4", - "sha1_after": "c7414fd048c81361720e2d9c8d2f82faf33748b6" - }, - "hostname": "ip-172-16-2-16" - } -result: | - { - "rule": { - "level": 7, - "comment": "Integrity checksum changed.", - "sidid": 550, - "group": "ossec,syscheck," - }, - "id": "1540845340.16991", - "TimeStamp": 1540845340000, - "decoder": "syscheck_integrity_changed", - "location": "syscheck", - "full_log": "Integrity checksum changed for:'/usr/bin/ssm-cli'\nOld md5sum was:'22271cce0732d887e3980e5a6868e459'\nNew md5sum is :'220a8f105af5e711f99e52583209a871'\nOld sha1sum was:'4df65340f366c18f85be228c26817e20391f32c4'\nNew sha1sum is :'c7414fd048c81361720e2d9c8d2f82faf33748b6'\n", - "SyscheckFile": { - "path": "/usr/bin/ssm-cli", - "md5_before": "22271cce0732d887e3980e5a6868e459", - "md5_after": "220a8f105af5e711f99e52583209a871", - "sha1_before": "4df65340f366c18f85be228c26817e20391f32c4", - "sha1_after": "c7414fd048c81361720e2d9c8d2f82faf33748b6" - }, - "hostname": "ip-172-16-2-16", - "p_log_type": "OSSEC.EventInfo", - "p_event_time": "2018-10-29T20:35:40Z", - "p_any_sha1_hashes": [ - "4df65340f366c18f85be228c26817e20391f32c4", - "c7414fd048c81361720e2d9c8d2f82faf33748b6" - ], - "p_any_md5_hashes": [ - "220a8f105af5e711f99e52583209a871", - "22271cce0732d887e3980e5a6868e459" - ] - } diff --git a/schemas/logs/salesforce/login.yml b/schemas/logs/salesforce/login.yml deleted file mode 100644 index 692266cb2..000000000 --- a/schemas/logs/salesforce/login.yml +++ /dev/null @@ -1,204 +0,0 @@ -schema: Salesforce.Login -version: 0 -referenceURL: https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_eventlogfile_login.htm -description: "Login events contain details about your org’s user login history." -parser: - csv: - delimiter: "," - hasHeader: true - columns: - - EVENT_TYPE - - TIMESTAMP - - REQUEST_ID - - ORGANIZATION_ID - - USER_ID - - RUN_TIME - - CPU_TIME - - URI - - SESSION_KEY - - LOGIN_KEY - - USER_TYPE - - REQUEST_STATUS - - DB_TOTAL_TIME - - BROWSER_TYPE - - API_TYPE - - API_VERSION - - USER_NAME - - TLS_PROTOCOL - - CIPHER_SUITE - - AUTHENTICATION_METHOD_REFERENCE - - TIMESTAMP_DERIVED - - USER_ID_DERIVED - - CLIENT_IP - - URI_ID_DERIVED - - LOGIN_STATUS - - SOURCE_IP - -fields: - - name: EVENT_TYPE - type: string - required: true - validate: - allow: ["Login"] - description: The type of event. The value is always Login. - - name: TIMESTAMP - required: false - type: timestamp - timeFormat: "%Y%m%d%H%M%S.%f" - description: "The access time of Salesforce services in GMT. For example: 20130715233322.670." - - name: REQUEST_ID - required: false - type: string - indicators: - - trace_id - description: >- - The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. For example: 3nWgxWbDKWWDIk0FKfF5DV. - - name: ORGANIZATION_ID - required: true - type: string - description: "The 15-character ID of the organization. For example: 00D000000000123." - - name: USER_ID - required: false - type: string - description: >- - The 15-character ID of the user who’s using Salesforce services through the UI or the API. For example: 00530000009M943 - - name: RUN_TIME - required: false - type: bigint - description: The amount of time that the request took in milliseconds. - - name: CPU_TIME - required: false - type: bigint - description: >- - The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. - - name: URI - required: false - type: string - description: "The URI of the page that’s receiving the request. For example: /home/home.jsp." - - name: SESSION_KEY - required: false - type: string - description: >- - The user’s unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For Login Event Type, this field is usually null because the event is captured before a session is created. Example d7DEq/ANa7nNZZVD - - name: LOGIN_KEY - required: false - type: string - description: >- - The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. For example: GeJCsym5eyvtEK2I. - - name: REQUEST_STATUS - required: false - type: string - description: >- - The status of the request for a page view or user interface action. Possible values are: - - - S—Success. Salesforce handled the request successfully. If an Apex controller throws an exception, this status is also returned. - F—Failure. Typically 4xx or 5xx HTTP codes, such as no permission to view page, page took too long to render, page is read-only. - U—Undefined - A—Authorization Error - R—Redirect. Typically a 3xx HTTP code, possibly initiated by an Apex controller in a Visualforce page. - N—Not Found. 404 error. - - name: DB_TOTAL_TIME - required: false - type: bigint - description: >- - The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB_CPU_TIME. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. - - name: BROWSER_TYPE - required: false - type: string - description: >- - The identifier string returned by the browser used at login. Example values are: - - - Go-http-client/1.1 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv%3A50.0) Gecko/20100101 Firefox/50.0 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 - - name: API_TYPE - required: false - type: string - description: >- - The type of API request. Possible values are: - - - D—Apex Class - E—SOAP Enterprise - I—SOAP Cross Instance - M—SOAP Metadata - O—Old SOAP - P—SOAP Partner - S—SOAP Apex - T—SOAP Tooling - X—XmlRPC - f—Feed - l—Live Agent - p—SOAP ClientSync - - name: API_VERSION - required: false - type: string - description: "The version of the API that’s being used. For example: 36.0." - - name: USER_NAME - required: false - type: string - description: The username that’s used for login. - indicators: - - username - - name: TLS_PROTOCOL - required: false - type: string - description: "The TLS protocol used for the login. There are 3 possible values: 1.0, 1.1, 1.2" - - name: CIPHER_SUITE - required: false - type: string - description: >- - The TLS cipher suite used for the login. Values are OpenSSL-style cipher suite names, with hyphen delimiters. For more information, see OpenSSL Cryptography and SSL/TLS Toolkit. - - name: TIMESTAMP_DERIVED - required: true - type: timestamp - timeFormat: rfc3339 - isEventTime: true - description: >- - The access time of Salesforce services in ISO8601-compatible format (YYYY-MM-DDTHH:MM:SS.sssZ). For example: 2015-07-27T11:32:59.555Z. Timezone is GMT. - - name: USER_ID_DERIVED - required: false - type: string - description: >- - The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API. For example: 00590000000I1SNIA0. - - name: CLIENT_IP - required: false - type: string - indicators: - - ip - description: >- - The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as "Salesforce.com IP". For example: 10.0.0.1. - - name: URI_ID_DERIVED - required: false - type: string - description: The 18-character case insensitive ID of the URI of the page that’s receiving the request. - - name: LOGIN_STATUS - required: false - type: string - description: >- - The status of the login attempt. For successful logins, the value is LOGIN_NO_ERROR. All other values indicate errors or authentication issues. For details, see https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_eventlogfile_login_status.htm - - name: SOURCE_IP - required: false - type: string - indicators: - - ip - description: The source IP of the login request. - - name: AUTHENTICATION_METHOD_REFERENCE - type: string - description: >- - The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol. This field is available in API version 51.0 and later. - - name: USER_TYPE - type: string - description: >- - The category of user license. - Possible values are: - CsnOnly — Users whose access to the application is limited to Chatter. This user type includes Chatter Free and Chatter moderator users. - CspLitePortal — CSP Lite Portal license. Users whose access is limited because they’re organization customers and access the application through a customer portal or an Experience Cloud site. - CustomerSuccess — Customer Success license. Users whose access is limited because they’re organization customers and access the application through a customer portal. - Guest — Users whose access is limited so that your customers can view and interact with your site without logging in. - PowerCustomerSuccess — Power Customer Success license. Users whose access is limited because they’re organization customers and access the application through a customer portal. Users with this license type can view and edit data they directly own or data owned by or shared with users below them in the customer portal role hierarchy. - PowerPartner — Power Partner license. Users whose access is limited because they’re partners and typically access the application through a partner portal or site. - SelfService — Users whose access is limited because they’re organization customers and access the application through a self-service portal. - Standard — Standard user license. This user type also includes Salesforce Platform and Salesforce Platform One user licenses, and admins for this org. diff --git a/schemas/logs/salesforce/login_as.yml b/schemas/logs/salesforce/login_as.yml deleted file mode 100644 index 95e228151..000000000 --- a/schemas/logs/salesforce/login_as.yml +++ /dev/null @@ -1,117 +0,0 @@ -schema: Salesforce.LoginAs -version: 0 -referenceURL: https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_eventlogfile_loginas.htm -description: "Login As events contain details about what a Salesforce admin did while logged in as another user." -parser: - csv: - delimiter: "," - hasHeader: true - columns: - - EVENT_TYPE - - TIMESTAMP - - REQUEST_ID - - ORGANIZATION_ID - - USER_ID - - RUN_TIME - - CPU_TIME - - URI - - SESSION_KEY - - LOGIN_KEY - - DELEGATED_USER_NAME - - DELEGATED_USER_ID - - TIMESTAMP_DERIVED - - USER_ID_DERIVED - - CLIENT_IP - - URI_ID_DERIVED - - DELEGATED_USER_ID_DERIVED -fields: - - name: EVENT_TYPE - required: true - type: string - validate: - allow: ["LoginAs"] - description: The type of event. The value is always LoginAs. - - name: TIMESTAMP - required: false - type: timestamp - timeFormat: "%Y%m%d%H%M%S.%f" - description: "The access time of Salesforce services in GMT. For example: 20130715233322.670." - - name: REQUEST_ID - required: false - type: string - description: >- - The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. For example: 3nWgxWbDKWWDIk0FKfF5DV. - indicators: - - trace_id - - name: ORGANIZATION_ID - required: true - type: string - description: "The 15-character ID of the organization. For example: 00D000000000123." - - name: USER_ID - required: true - type: string - description: >- - The 15-character ID of the user who’s using Salesforce services through the UI or the API. For example: 00530000009M943 - - name: RUN_TIME - required: false - type: bigint - description: The amount of time that the request took in milliseconds. - - name: CPU_TIME - required: false - type: bigint - description: >- - The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. - - name: URI - required: false - type: string - description: "The URI of the page that’s receiving the request. For example: /home/home.jsp." - - name: SESSION_KEY - required: false - type: string - description: >- - The user’s unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For example: d7DEq/ANa7nNZZVD. - - name: LOGIN_KEY - required: false - type: string - description: >- - The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. For example: GeJCsym5eyvtEK2I. - - name: DELEGATED_USER_NAME - required: false - type: string - description: >- - The username of the user who’s using Salesforce services through the UI or API. In this case, the user who’s doing the impersonation. - indicators: - - username - - name: DELEGATED_USER_ID - required: true - type: string - description: >- - The 15-character ID of the user who’s using Salesforce services through the UI or API. In this case, the user who’s doing the impersonation. - - name: TIMESTAMP_DERIVED - required: true - type: timestamp - timeFormat: rfc3339 - isEventTime: true - description: >- - The access time of Salesforce services in ISO8601-compatible format (YYYY-MM-DDTHH:MM:SS.sssZ). For example: 2015-07-27T11:32:59.555Z. Timezone is GMT. - - name: USER_ID_DERIVED - required: false - type: string - description: >- - The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API. For example: 00590000000I1SNIA0. - - name: CLIENT_IP - required: false - type: string - indicators: - - ip - description: >- - The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as "Salesforce.com IP". For example: 10.0.0.1. - - name: URI_ID_DERIVED - required: false - type: string - description: The 18-character case insensitive ID of the URI of the page that’s receiving the request. - - name: DELEGATED_USER_ID_DERIVED - required: false - type: string - description: >- - The 18-character case-insensitive ID of the user who’s using Salesforce services through the UI or API. In this case, the user who’s doing the impersonation. diff --git a/schemas/logs/salesforce/logout.yml b/schemas/logs/salesforce/logout.yml deleted file mode 100644 index 6634a6412..000000000 --- a/schemas/logs/salesforce/logout.yml +++ /dev/null @@ -1,209 +0,0 @@ -schema: Salesforce.Logout -version: 0 -referenceURL: https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_eventlogfile_logout.htm -description: Logout events contain details of user logouts. -parser: - csv: - delimiter: "," - hasHeader: true - columns: - - EVENT_TYPE - - TIMESTAMP - - REQUEST_ID - - ORGANIZATION_ID - - USER_ID - - USER_TYPE - - SESSION_TYPE - - SESSION_LEVEL - - BROWSER_TYPE - - PLATFORM_TYPE - - RESOLUTION_TYPE - - APP_TYPE - - CLIENT_VERSION - - API_TYPE - - API_VERSION - - USER_INITIATED_LOGOUT - - SESSION_KEY - - LOGIN_KEY - - TIMESTAMP_DERIVED - - USER_ID_DERIVED - - CLIENT_IP -fields: - - name: EVENT_TYPE - required: true - type: string - validate: - allow: ["Logout"] - description: The type of event. The value is always Logout. - - name: TIMESTAMP - required: false - type: timestamp - timeFormat: "%Y%m%d%H%M%S.%f" - description: "The access time of Salesforce services in GMT. For example: 20130715233322.670." - - name: REQUEST_ID - required: false - type: string - indicators: - - trace_id - description: >- - The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. For example: 3nWgxWbDKWWDIk0FKfF5DV. - - name: ORGANIZATION_ID - required: true - type: string - description: "The 15-character ID of the organization. For example: 00D000000000123." - - name: USER_ID - required: true - type: string - description: >- - The 15-character ID of the user who’s using Salesforce services through the UI or the API. For example: 00530000009M943 - - name: USER_TYPE - required: false - type: string - description: >- - The category of user license of the user that logged out. Possible Values: - - - A: Automated Process - b: High Volume Portal - C: Customer Portal User - D: External Who - F: Self-Service - G: Guest - L: Package License Manager - N: Salesforce to Salesforce - n: CSN Only - O: Power Custom - o: Custom - P: Partner - p: Customer Portal Manager - S: Standard - X: Salesforce Administrator - - name: SESSION_TYPE - required: false - type: string - description: >- - The session type that was used when logging out. Possible Values: - - - A: API - I: APIOnlyUser - N: ChatterNetworks - Z: ChatterNetworksAPIOnly - C: Content - P: OauthApprovalUI - O: Oauth2 - T: SiteStudio - R: SitePreview - S: SubstituteUser - B: TempContentExchange - G: TempOauthAccessTokenFrontdoor - Y: TempVisualforceExchange - F: TempUIFrontdoor - U: UI - E: UserSite - V: Visualforce - W: WDC_API - - name: SESSION_LEVEL - required: false - type: string - description: >- - The security level of the session that was used when logging out. Possible Values: 1: Standard Session, 2: High-Assurance Session - - name: BROWSER_TYPE - required: false - type: string - description: >- - The identifier string returned by the browser used at login. Example values are: - - - Go-http-client/1.1 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv%3A50.0) Gecko/20100101 Firefox/50.0 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 - - name: PLATFORM_TYPE - required: false - type: bigint - description: >- - The code for the client platform. If a timeout caused the logout, this field is null. Example Values: - - - 1000: Windows - 2003: Macintosh/Apple OSX - 5005: Android - 5006: iPhone - 5007: iPad - - name: RESOLUTION_TYPE - required: false - type: float - description: The screen resolution of the client. If a timeout caused the logout, this field is null. - - name: APP_TYPE - required: false - type: string - description: >- - The application type that was in use upon logging out. Example Values: - - - 1007: SFDC Application - 1014: Chat - 2501: CTI - 2514: OAuth - 3475: SFDC Partner Portal - - name: CLIENT_VERSION - required: false - type: float - description: The version of the client that was in use upon logging out. - - name: API_TYPE - required: false - type: string - description: >- - The type of API request. Possible values are: - - - D—Apex Class - E—SOAP Enterprise - I—SOAP Cross Instance - M—SOAP Metadata - O—Old SOAP - P—SOAP Partner - S—SOAP Apex - T—SOAP Tooling - X—XmlRPC - f—Feed - l—Live Agent - p—SOAP ClientSync - - name: API_VERSION - required: false - type: string - description: "The version of the API that’s being used. For example: 36.0." - - name: USER_INITIATED_LOGOUT - required: false - type: boolean - description: >- - The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user’s session timed out due to inactivity or another implicit logout action, the value is 0. - - name: SESSION_KEY - required: false - type: string - description: >- - The user’s unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For example: d7DEq/ANa7nNZZVD. - - name: LOGIN_KEY - required: false - type: string - description: >- - The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. For example: GeJCsym5eyvtEK2I. - - name: TIMESTAMP_DERIVED - required: true - type: timestamp - isEventTime: true - timeFormat: rfc3339 - description: >- - The access time of Salesforce services in ISO8601-compatible format (YYYY-MM-DDTHH:MM:SS.sssZ). For example: 2015-07-27T11:32:59.555Z. Timezone is GMT. - - name: USER_ID_DERIVED - required: false - type: string - description: >- - The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API. For example: 00590000000I1SNIA0. - - name: CLIENT_IP - required: false - type: string - indicators: - - ip - description: >- - The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as "Salesforce.com IP". For example: 10.0.0.1. diff --git a/schemas/logs/salesforce/uri.yml b/schemas/logs/salesforce/uri.yml deleted file mode 100644 index bae40f048..000000000 --- a/schemas/logs/salesforce/uri.yml +++ /dev/null @@ -1,149 +0,0 @@ -schema: Salesforce.URI -version: 0 -referenceURL: https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_eventlogfile_uri.htm -description: "URI events contain details about user interaction with the web browser UI." -parser: - csv: - delimiter: "," - hasHeader: true - columns: - - EVENT_TYPE - - TIMESTAMP - - REQUEST_ID - - ORGANIZATION_ID - - USER_ID - - RUN_TIME - - CPU_TIME - - URI - - SESSION_KEY - - LOGIN_KEY - - REQUEST_STATUS - - DB_TOTAL_TIME - - DB_BLOCKS - - DB_CPU_TIME - - REFERRER_URI - - TIMESTAMP_DERIVED - - USER_ID_DERIVED - - CLIENT_IP - - URI_ID_DERIVED - - USER_TYPE -fields: - - name: EVENT_TYPE - required: true - type: string - validate: - allow: ["URI"] - description: The type of event. The value is always URI. - - name: TIMESTAMP - required: false - type: timestamp - timeFormat: "%Y%m%d%H%M%S.%f" - description: "The access time of Salesforce services in GMT. For example: 20130715233322.670." - - name: REQUEST_ID - required: false - type: string - indicators: - - trace_id - description: >- - The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. For example: 3nWgxWbDKWWDIk0FKfF5DV. - - name: ORGANIZATION_ID - required: true - type: string - description: "The 15-character ID of the organization. For example: 00D000000000123." - - name: USER_ID - required: false - type: string - description: >- - The 15-character ID of the user who’s using Salesforce services through the UI or the API. For example: 00530000009M943 - - name: RUN_TIME - required: false - type: bigint - description: "The amount of time that the request took in milliseconds." - - name: CPU_TIME - required: false - type: bigint - description: >- - The CPU time in milliseconds used to complete the request. This field indicates the amount of activity taking place in the app server layer. - - name: URI - required: true - type: string - description: >- - The URI of the page that’s receiving the request. For more granular URI information for Lightning Experience and the Salesforce app, see the Lightning Error, Lightning Interaction, Lightning Page View, and Lightning Performance event types. Examples: /aura (Lightning Experience), /lightning (Lightning Experience and the Salesforce app), /home/home.jsp (Salesforce Classic) - - name: SESSION_KEY - required: false - type: string - description: >- - The user’s unique session ID. You can use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For Login Event Type, this field is usually null because the event is captured before a session is created. Example d7DEq/ANa7nNZZVD - - name: LOGIN_KEY - required: false - type: string - description: >- - The string that ties together all events in a given user’s login session. It starts with a login event and ends with either a logout event or the user session expiring. For example: GeJCsym5eyvtEK2I. - - name: REQUEST_STATUS - required: false - type: string - description: >- - The status of the request for a page view or user interface action. Possible values are: - - - S—Success. Salesforce handled the request successfully. If an Apex controller throws an exception, this status is also returned. - F—Failure. Typically 4xx or 5xx HTTP codes, such as no permission to view page, page took too long to render, page is read-only. - U—Undefined - A—Authorization Error - R—Redirect. Typically a 3xx HTTP code, possibly initiated by an Apex controller in a Visualforce page. - N—Not Found. 404 error. - - name: DB_TOTAL_TIME - required: false - type: bigint - description: >- - The time in nanoseconds for a database round trip. Includes time spent in the JDBC driver, network to the database, and DB_CPU_TIME. Compare this field to CPU_TIME to determine whether performance issues are occurring in the database layer or in your own code. - - name: DB_BLOCKS - required: false - type: bigint - description: >- - Indicates how much activity is occurring in the database. A high value for this field suggests that adding indexes or filters on your queries would benefit performance. - - name: DB_CPU_TIME - required: false - type: bigint - description: >- - The CPU time in milliseconds to complete the request. Indicates the amount of activity taking place in the database layer during the request. - - name: REFERRER_URI - required: false - type: string - description: The referring URI of the page that’s receiving the request. - - name: TIMESTAMP_DERIVED - required: true - type: timestamp - timeFormat: rfc3339 - isEventTime: true - description: >- - The access time of Salesforce services in ISO8601-compatible format (YYYY-MM-DDTHH:MM:SS.sssZ). For example: 2015-07-27T11:32:59.555Z. Timezone is GMT. - - name: USER_ID_DERIVED - required: false - type: string - description: >- - The 18-character case insensitive ID of the user who’s using Salesforce services through the UI or the API. For example: 00590000000I1SNIA0. - - name: CLIENT_IP - required: false - type: string - indicators: - - ip - description: >- - The IP address of the client that’s using Salesforce services. A Salesforce internal IP (such as a login from Salesforce Workbench or AppExchange) is shown as "Salesforce.com IP". For example: 10.0.0.1. - - name: URI_ID_DERIVED - required: false - type: string - description: The 18-character case insensitive ID of the URI of the page that’s receiving the request. - - name: USER_TYPE - type: string - description: >- - The category of user license. - Possible values are: - CsnOnly — Users whose access to the application is limited to Chatter. This user type includes Chatter Free and Chatter moderator users. - CspLitePortal — CSP Lite Portal license. Users whose access is limited because they’re organization customers and access the application through a customer portal or an Experience Cloud site. - CustomerSuccess — Customer Success license. Users whose access is limited because they’re organization customers and access the application through a customer portal. - Guest — Users whose access is limited so that your customers can view and interact with your site without logging in. - PowerCustomerSuccess — Power Customer Success license. Users whose access is limited because they’re organization customers and access the application through a customer portal. Users with this license type can view and edit data they directly own or data owned by or shared with users below them in the customer portal role hierarchy. - PowerPartner — Power Partner license. Users whose access is limited because they’re partners and typically access the application through a partner portal or site. - SelfService — Users whose access is limited because they’re organization customers and access the application through a self-service portal. - Standard — Standard user license. This user type also includes Salesforce Platform and Salesforce Platform One user licenses, and admins for this org. diff --git a/schemas/logs/slack/access_logs.yml b/schemas/logs/slack/access_logs.yml deleted file mode 100644 index 2f4074bc9..000000000 --- a/schemas/logs/slack/access_logs.yml +++ /dev/null @@ -1,51 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Slack.AccessLogs -parser: - native: - name: Slack.AccessLogs -description: "Access logs for users on a Slack workspace. Note: Due to Slack's rate limits, Panther pulls only the events where the user or the access location or the access device is new. Panther will not update the `date_last`, `count` fields of an event." -referenceURL: https://api.slack.com/methods/team.accessLogs -version: 0 -fields: - - name: user_id - required: true - description: The id of the user accessing Slack. - type: string - - name: username - description: The username of the user accessing Slack. - type: string - indicators: - - username - - name: date_first - required: true - description: Unix timestamp of the first access log entry for this user, IP address, and user agent combination. - type: timestamp - timeFormat: unix - - name: date_last - required: true - description: "Unix timestamp of the most recent access log entry for this user, IP address, and user agent combination. Note: Panther will not update this field even if it is updated in the Slack API." - type: timestamp - timeFormat: unix - isEventTime: true - - name: count - required: true - description: "The total number of access log entries for that combination. Note: Panther will not update this field even if it is updated in the Slack API." - type: bigint - - name: ip - required: true - description: The IP address of the device used to access Slack. - type: string - indicators: - - ip - - name: user_agent - description: The reported user agent string from the browser or client application. - type: string - - name: isp - description: Best guess at the internet service provider owning the IP address. - type: string - - name: country - description: Best guesses on where the access originated, based on the IP address. - type: string - - name: region - description: Best guesses on where the access originated, based on the IP address. - type: string diff --git a/schemas/logs/slack/audit_logs.yml b/schemas/logs/slack/audit_logs.yml deleted file mode 100644 index 09768233c..000000000 --- a/schemas/logs/slack/audit_logs.yml +++ /dev/null @@ -1,233 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Slack.AuditLogs -parser: - native: - name: Slack.AuditLogs -description: Slack audit logs provide a view of the actions users perform in an Enterprise Grid organization. -referenceURL: https://api.slack.com/enterprise/audit-logs -version: 0 -fields: - - name: id - required: true - description: The event id - type: string - - name: date_create - required: true - description: Creation timestamp for the event - type: timestamp - timeFormat: unix - isEventTime: true - - name: action - required: true - description: The action performed. See https://api.slack.com/enterprise/audit-logs#audit_logs_actions - type: string - - name: actor - required: true - description: An actor will always be a user on a workspace and will be identified by their user ID, such as W123AB456. - type: object - fields: - - name: type - required: true - description: The type of actor (always user) - type: string - - name: user - description: Information about the user - type: object - fields: - - name: id - required: true - description: The id of the user ('USLACKUSER' if no user performed the action) - type: string - - name: name - description: The user's display name - type: string - indicators: - - username - - name: email - description: The user's email - type: string - indicators: - - email - - name: team - description: The user's team - type: string - - name: entity - required: true - description: An entity is the thing that the actor has taken the action upon and it will be the Slack ID of the thing. - type: object - fields: - - name: type - required: true - description: The type of item that was affected by the action (user,channel,file,app,workspace,enterprise,message,workflow) - type: string - - name: user - description: Information about the affected user - type: object - fields: - - name: id - required: true - description: The id of the user ('USLACKUSER' if no user performed the action) - type: string - - name: name - description: The user's display name - type: string - indicators: - - username - - name: email - description: The user's email - type: string - indicators: - - email - - name: team - description: The user's team - type: string - - name: channel - description: Information about the affected channel - type: object - fields: - - name: id - required: true - description: The id of the channel - type: string - - name: name - description: The name of the channel - type: string - - name: privacy - description: The privacy mode of the channel - type: string - - name: is_shared - description: Whether the channel is shared - type: boolean - - name: is_org_shared - description: Whether the channel is shared in the organisation - type: boolean - - name: teams_shared_with - description: The teams the channel is shared with - type: array - element: - type: string - - name: file - description: Information about the affected file - type: object - fields: - - name: id - required: true - description: The id of the file - type: string - - name: name - description: The filename - type: string - - name: title - description: The file title - type: string - - name: filetype - description: The filetype - type: string - - name: app - description: Information about the affected app - type: object - fields: - - name: id - required: true - description: The id of the app - type: string - - name: name - description: The name of the app - type: string - - name: is_distributed - description: Whether the app is distributed - type: boolean - - name: is_directory_approved - description: Whether the app is in the approved apps directory - type: boolean - - name: scopes - description: The OAuth2 scopes the app requires - type: array - element: - type: string - - name: workspace - description: Information about the affected workspace - type: object - fields: - - name: id - required: true - description: The id of the workspace - type: string - - name: name - description: The name of the workspace - type: string - - name: domain - description: The workspace domain - type: string - - name: enterprise - description: Information about the affected enterprise - type: object - fields: - - name: id - required: true - description: The id of the enterprise - type: string - - name: name - description: The name of the enterprise - type: string - - name: domain - description: The enterprise domain - type: string - - name: workflow - description: Information about the affected workflow - type: object - fields: - - name: id - required: true - description: The id of the workflow - type: string - - name: name - description: The name of the workflow - type: string - - name: message - description: Information about the affected message - type: object - fields: - - name: team - description: The team the message was posted in - type: string - - name: channel - description: The channel the message was posted on - type: string - - name: timestamp - description: The timestamp of the message - type: string - - name: context - required: true - description: Context is the location that the actor took the action on the entity. It will always be either a Workspace or an Enterprise, with the appropriate ID. - type: object - fields: - - name: ua - description: The user agent used for the action - type: string - - name: ip_address - description: The ip address the action was performed from - type: string - indicators: - - ip - - name: location - description: The location that the actor took the action on the entity. - type: object - fields: - - name: type - required: true - description: The location type. It will always be either a Workspace or an Enterprise - type: string - - name: id - required: true - description: The location id - type: string - - name: domain - description: The location domain - type: string - - name: name - description: The location name - type: string - - name: details - description: Additional details about the audit log event - type: json diff --git a/schemas/logs/slack/integration_logs.yml b/schemas/logs/slack/integration_logs.yml deleted file mode 100644 index aca4c7361..000000000 --- a/schemas/logs/slack/integration_logs.yml +++ /dev/null @@ -1,62 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Slack.IntegrationLogs -parser: - native: - name: Slack.IntegrationLogs -description: Integration activity logs for a team, including when integrations are added, modified and removed. -referenceURL: https://api.slack.com/methods/team.integrationLogs -version: 0 -fields: - - name: user_id - required: true - description: The id of the user performing the action. - type: string - - name: user_name - description: The username of the user performing the action. - type: string - indicators: - - username - - name: service_id - description: The service id for which this log is about. - type: string - - name: service_type - description: The service type for which this log is about. - type: string - - name: app_id - description: The app id for which this log is about. - type: string - - name: app_type - description: The app type for which this log is about. - type: string - - name: date - required: true - description: The date when the action happened. - type: timestamp - timeFormat: unix - isEventTime: true - - name: change_type - required: true - description: The type of this action (added, removed, enabled, disabled, updated). - type: string - - name: scope - required: true - description: The scope used for this action. - type: string - - name: channel - description: The related channel. - type: string - - name: reason - description: The reason of the disable action, populated if this event refers to such an action. - type: string - - name: rss_feed - description: True if this log entry is an RSS feed. If true, more RSS feed related fields will be present. - type: boolean - - name: rss_feed_change_type - description: The change type for the RSS feed. - type: boolean - - name: rss_feed_title - description: The title of the RSS feed. - type: boolean - - name: rss_feed_url - description: The url of the RSS feed. - type: boolean diff --git a/schemas/logs/slack/tests/slacklogs_tests.yml b/schemas/logs/slack/tests/slacklogs_tests.yml deleted file mode 100644 index 85b90da02..000000000 --- a/schemas/logs/slack/tests/slacklogs_tests.yml +++ /dev/null @@ -1,144 +0,0 @@ -# Copyright (C) 2020 Panther Labs Inc -# -# Panther Enterprise is licensed under the terms of a commercial license available from -# Panther Labs Inc ("Panther Commercial License") by contacting contact@runpanther.com. -# All use, distribution, and/or modification of this software, whether commercial or non-commercial, -# falls under the Panther Commercial License to the extent it is permitted. - -name: audit logs -logType: Slack.AuditLogs -input: | - { - "id":"0123a45b-6c7d-8900-e12f-3456789gh0i1", - "date_create":1521214343, - "action":"user_login", - "actor":{ - "type":"user", - "user":{ - "id":"W123AB456", - "name":"Charlie Parker", - "email":"bird@slack.com" - } - }, - "entity":{ - "type":"user", - "user":{ - "id":"W123AB456", - "name":"Charlie Parker", - "email":"bird@slack.com" - } - }, - "context":{ - "location":{ - "type":"enterprise", - "id":"E1701NCCA", - "name":"Birdland", - "domain":"birdland" - }, - "ua":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 Safari\/537.36", - "ip_address":"12.3.45.78" - } - } -result: | - { - "id":"0123a45b-6c7d-8900-e12f-3456789gh0i1", - "date_create":1521214343, - "action":"user_login", - "actor":{ - "type":"user", - "user":{ - "id":"W123AB456", - "name":"Charlie Parker", - "email":"bird@slack.com" - } - }, - "entity":{ - "type":"user", - "user":{ - "id":"W123AB456", - "name":"Charlie Parker", - "email":"bird@slack.com" - } - }, - "context":{ - "location":{ - "type":"enterprise", - "id":"E1701NCCA", - "name":"Birdland", - "domain":"birdland" - }, - "ua":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 Safari\/537.36", - "ip_address":"12.3.45.78" - }, - - "p_log_type": "Slack.AuditLogs", - "p_event_time":"2018-03-16T15:32:23Z", - "p_any_usernames":["Charlie Parker"], - "p_any_emails":["bird@slack.com"], - "p_any_ip_addresses":["12.3.45.78"] - } ---- -name: access logs -logType: Slack.AccessLogs -input: | - { - "user_id": "U12345", - "username": "white_rabbit", - "date_first": 1422922493, - "date_last": 1422922493, - "count": 1, - "ip": "127.0.0.1", - "user_agent": "SlackWeb Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B466 Safari/600.1.4", - "isp": "BigCo ISP", - "country": "US", - "region": "CA" - } -result: | - { - "user_id": "U12345", - "username": "white_rabbit", - "date_first": 1422922493, - "date_last": 1422922493, - "count": 1, - "ip": "127.0.0.1", - "user_agent": "SlackWeb Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B466 Safari/600.1.4", - "isp": "BigCo ISP", - "country": "US", - "region": "CA", - "p_log_type": "Slack.AccessLogs", - "p_event_time":"2015-02-03T00:14:53Z", - "p_any_ip_addresses":["127.0.0.1"], - "p_any_usernames":["white_rabbit"] - } - ---- -name: integration logs -logType: Slack.IntegrationLogs -input: | - { - "service_id": "3456789012", - "service_type": "Airbrake", - "user_id": "U3456CDEF", - "user_name": "Joey", - "channel": "C1234567890", - "date": "1392163202", - "change_type": "disabled", - "reason": "user", - "scope": "incoming-webhook" - } -result: | - { - "service_id": "3456789012", - "service_type": "Airbrake", - "user_id": "U3456CDEF", - "user_name": "Joey", - "channel": "C1234567890", - "date": 1392163202, - "change_type": "disabled", - "reason": "user", - "scope": "incoming-webhook", - - "p_log_type": "Slack.IntegrationLogs", - "p_event_time":"2014-02-12T00:00:02Z", - "p_any_usernames":["Joey"] - } diff --git a/schemas/logs/sophos/central.yml b/schemas/logs/sophos/central.yml deleted file mode 100644 index e8e9bb97b..000000000 --- a/schemas/logs/sophos/central.yml +++ /dev/null @@ -1,145 +0,0 @@ -schema: Sophos.Central -description: Sophos Central events -referenceURL: https://support.sophos.com/support/s/article/KB-000038307?language=en_US -version: 0 -fields: - - name: endpoint_id - required: true - description: Endpoint ID associated with the event - type: string - - name: endpoint_type - required: true - description: Type of endpoint - type: string - - name: customer_id - description: Customer ID - type: string - - name: severity - description: Severity of the event - type: string - - name: source_info - description: Source IP of the endpoint - type: object - fields: - - name: ip - description: First IPv4 address of the endpoint - type: string - indicators: - - ip - - name: name - description: Name of threat, or other event details - type: string - - name: id - required: true - description: Unique identifier for the event - type: string - - name: type - required: true - description: Type of event - type: string - - name: group - required: true - description: Category of event - type: string - - name: end - required: true - description: Time the event occurred on the endpoint - type: timestamp - timeFormat: rfc3339 - isEventTime: true - - name: rt - description: Time the event was uploaded to Sophos Central - type: timestamp - timeFormat: rfc3339 - - name: dhost - description: Source host of the event - type: string - - name: suser - description: Logged in user - type: string - indicators: - - username - - name: datastream - description: Alert, or Event, to distinguish between event types - type: string - - name: duid - description: Undocumented field - type: string - - name: threat - description: Name of the threat - type: string - - name: detection_identity_name - description: Name of the detection - type: string - - name: filePath - description: Path to the threat - type: string - - name: user - description: Undocumented field, but should be same as User - type: string - - name: rule - description: DLP rule - type: string - - name: user_action - description: DLP user action - type: string - - name: app_name - description: DLP application name - type: string - - name: action - description: DLP action - type: string - - name: file_type - description: DLP file type - type: string - - name: file_size - description: DLP file size - type: bigint - - name: file_path - description: DLP file path - type: string - - name: appSha256 - description: SHA 256 hash of the application associated with the threat, if available - type: string - indicators: - - sha256 - - name: appCerts - description: Certificate information for the application associated with the threat, if available - type: array - element: - type: object - fields: - - name: signer - description: PUA app certificate signer - type: string - - name: thumbprint - description: PUA app certificate thumbprint - type: string - - name: origin - description: Originating component of a detection - type: string - - name: core_remedy_items - description: Details of the items cleaned or restored - type: object - fields: - - name: items - description: List of remediations - type: array - element: - type: object - fields: - - name: type - description: Type of item - type: string - - name: result - description: Remedy outcome - type: string - - name: descriptor - description: Path to file - type: string - - name: processPath - description: Undocumented field - type: string - - name: totalItems - description: Remediation count - type: int diff --git a/schemas/logs/sophos/tests/central_tests.yml b/schemas/logs/sophos/tests/central_tests.yml deleted file mode 100644 index 428ee2f43..000000000 --- a/schemas/logs/sophos/tests/central_tests.yml +++ /dev/null @@ -1,233 +0,0 @@ ---- -name: Event::Endpoint::UpdateFailure -logType: Sophos.Central -input: | - { - "endpoint_type": "computer", - "endpoint_id": "decb3c59-1791-44cf-88cf-603fb4895baf", - "customer_id": "70511420-ab08-4b6b-ab52-239213ee27d9", - "severity": "low", - "source_info": { - "ip": "192.168.4.25" - }, - "type": "Event::Endpoint::UpdateFailure", - "name": "Failed to apply updates.", - "id": "403f1bf5-7fe4-484b-bbc9-18f1c601e111", - "group": "UPDATING", - "datastream": "event", - "end": "2020-05-19T22:17:26.033Z", - "duid": "5ba12fb3347c9a133517d258", - "rt": "2020-05-19T22:17:26.059Z", - "dhost": "JSmith-MBP-Remote", - "suser": "JSmith-MBP-Remote\\johnsmith" - } -result: | - { - "endpoint_type": "computer", - "endpoint_id": "decb3c59-1791-44cf-88cf-603fb4895baf", - "customer_id": "70511420-ab08-4b6b-ab52-239213ee27d9", - "severity": "low", - "source_info": { - "ip": "192.168.4.25" - }, - "type": "Event::Endpoint::UpdateFailure", - "name": "Failed to apply updates.", - "id": "403f1bf5-7fe4-484b-bbc9-18f1c601e111", - "duid": "5ba12fb3347c9a133517d258", - "group": "UPDATING", - "datastream": "event", - "end": "2020-05-19T22:17:26.033Z", - "rt": "2020-05-19T22:17:26.059Z", - "dhost": "JSmith-MBP-Remote", - "suser": "JSmith-MBP-Remote\\johnsmith", - - "p_any_usernames": ["JSmith-MBP-Remote\\johnsmith"], - "p_event_time": "2020-05-19T22:17:26.033Z", - "p_any_ip_addresses": [ "192.168.4.25" ], - "p_log_type": "Sophos.Central" - } ---- -name: Event::Endpoint::DataLossPreventionUserAllowed -logType: Sophos.Central -input: | - { - "customer_id": "70511420-ab08-4b6b-ab52-239213ee27d9", - "severity": "low", - "source_info": { - "ip": "192.168.2.213" - }, - "endpoint_id": "2019e526-65db-4d53-b16b-9a908c37d3ca", - "endpoint_type": "computer", - "type": "Event::Endpoint::DataLossPreventionUserAllowed", - "id": "c34081fe-0db1-4ed9-805b-5530a04be09e", - "group": "DATA_LOSS_PREVENTION", - "name": "allow transfer on acceptance by user", - "datastream": "event", - "duid": "5b14b14bf7d0ea1330117768", - "rt": "2020-07-28T02:21:10.000Z", - "end": "2020-07-28T02:21:07.000Z", - "suser": "DESKTOP-B5ADQ52\\John Smith", - "dhost": "DESKTOP-B5ADQ52", - "user": "DESKTOP-B5ADQ52\\John Smith", - "rule": "Finance and share trading activities [USA] - Person identification numbers [USA] - 1", - "user_action": "File open", - "app_name": "Google Chrome", - "action": "Allow", - "file_type": "Spreadsheet (Microsoft Excel-OLE)", - "file_size": "89984", - "file_path": "C:\\Users\\John Smith\\Downloads\\YEARENDDATA_01012019_12312019 (4).XLS" - } -result: | - { - "customer_id": "70511420-ab08-4b6b-ab52-239213ee27d9", - "severity": "low", - "source_info": { - "ip": "192.168.2.213" - }, - "endpoint_id": "2019e526-65db-4d53-b16b-9a908c37d3ca", - "endpoint_type": "computer", - "type": "Event::Endpoint::DataLossPreventionUserAllowed", - "id": "c34081fe-0db1-4ed9-805b-5530a04be09e", - "group": "DATA_LOSS_PREVENTION", - "name": "allow transfer on acceptance by user", - "datastream": "event", - "duid": "5b14b14bf7d0ea1330117768", - "rt": "2020-07-28T02:21:10Z", - "end": "2020-07-28T02:21:07Z", - "suser": "DESKTOP-B5ADQ52\\John Smith", - "dhost": "DESKTOP-B5ADQ52", - "user": "DESKTOP-B5ADQ52\\John Smith", - "rule": "Finance and share trading activities [USA] - Person identification numbers [USA] - 1", - "user_action": "File open", - "app_name": "Google Chrome", - "action": "Allow", - "file_type": "Spreadsheet (Microsoft Excel-OLE)", - "file_size": 89984, - "file_path": "C:\\Users\\John Smith\\Downloads\\YEARENDDATA_01012019_12312019 (4).XLS", - - "p_any_usernames": ["DESKTOP-B5ADQ52\\John Smith"], - "p_event_time": "2020-07-28T02:21:07Z", - "p_any_ip_addresses": [ "192.168.2.213" ], - "p_log_type": "Sophos.Central" - } ---- -name: Event::Endpoint::CorePuaDetection -logType: Sophos.Central -input: | - { - "appSha256": "c1c0160ddeeb82388aaf1b9957112a3ac9dbcfce6ef3822a9a3250dce2efec11", - "appCerts": [ - { - "signer": "Prey, Inc.", - "thumbprint": "872eb5b781c744be01b914434e03d771046557c40ee0192bb6d4a15d80590f45" - } - ], - "customer_id": "70511420-ab08-4b6b-ab52-239213ee27d9", - "severity": "medium", - "source_info": { - "ip": "10.0.0.251" - }, - "threat": "Generic ML PUA", - "endpoint_id": "86daafa5-16e8-4435-85d0-86d0ffca9841", - "endpoint_type": "computer", - "origin": "ML", - "name": "PUA detected: 'Generic ML PUA' at 'C:\\Users\\John Smith\\Downloads\\threat.exe'", - "id": "d56a541b-87f2-44af-8e59-d384c2fe2943", - "type": "Event::Endpoint::CorePuaDetection", - "group": "PUA", - "datastream": "event", - "end": "2020-07-20T16:26:32.837Z", - "duid": "5be0c11c7aa01a131ebfcad1", - "rt": "2020-07-20T16:26:38.424Z", - "dhost": "LAPTOP-O0ADB39D", - "suser": "LAPTOP-O0ADB39D\\John Smith" - } -result: | - { - "appSha256": "c1c0160ddeeb82388aaf1b9957112a3ac9dbcfce6ef3822a9a3250dce2efec11", - "appCerts": [ - { - "signer": "Prey, Inc.", - "thumbprint": "872eb5b781c744be01b914434e03d771046557c40ee0192bb6d4a15d80590f45" - } - ], - "customer_id": "70511420-ab08-4b6b-ab52-239213ee27d9", - "severity": "medium", - "source_info": { - "ip": "10.0.0.251" - }, - "threat": "Generic ML PUA", - "endpoint_id": "86daafa5-16e8-4435-85d0-86d0ffca9841", - "endpoint_type": "computer", - "origin": "ML", - "name": "PUA detected: 'Generic ML PUA' at 'C:\\Users\\John Smith\\Downloads\\threat.exe'", - "id": "d56a541b-87f2-44af-8e59-d384c2fe2943", - "type": "Event::Endpoint::CorePuaDetection", - "group": "PUA", - "datastream": "event", - "end": "2020-07-20T16:26:32.837Z", - "duid": "5be0c11c7aa01a131ebfcad1", - "rt": "2020-07-20T16:26:38.424Z", - "dhost": "LAPTOP-O0ADB39D", - "suser": "LAPTOP-O0ADB39D\\John Smith", - - "p_any_usernames": ["LAPTOP-O0ADB39D\\John Smith"], - "p_event_time": "2020-07-20T16:26:32.837Z", - "p_any_ip_addresses": [ "10.0.0.251" ], - "p_any_sha256_hashes": [ "c1c0160ddeeb82388aaf1b9957112a3ac9dbcfce6ef3822a9a3250dce2efec11" ], - "p_log_type": "Sophos.Central" - } ---- -name: Event::Endpoint::Threat::CleanupFailed -logType: Sophos.Central -input: | - { - "customer_id": "70511420-ab08-4b6b-ab52-239213ee27d9", - "severity": "high", - "source_info": { - "ip": "192.168.1.68" - }, - "threat": "W32/Elkern-C", - "endpoint_id": "2c85be2e-9341-4aca-aa2a-fb27eebee8e0", - "endpoint_type": "computer", - "name": "W32/Elkern-C", - "id": "8c254d23-7a8d-4d91-b7e7-56a30500e465", - "type": "Event::Endpoint::Threat::CleanupFailed", - "group": "MALWARE", - "datastream": "event", - "end": "2020-07-03T05:50:43.000Z", - "duid": "599cc41e1c2bb41295ac959e", - "rt": "2020-07-03T06:01:11.416Z", - "dhost": "JSMITH-MAC-SJ", - "suser": "JSMITH-MAC-SJ\\jsmith", - "detection_identity_name": "W32/Elkern-C", - "filePath": "/Users/jsmith/Dropbox/.dropbox.cache/new_files/eec8381bba1914aa2207f4a53c0fad1e" - } -result: | - { - "customer_id": "70511420-ab08-4b6b-ab52-239213ee27d9", - "severity": "high", - "source_info": { - "ip": "192.168.1.68" - }, - "threat": "W32/Elkern-C", - "endpoint_id": "2c85be2e-9341-4aca-aa2a-fb27eebee8e0", - "endpoint_type": "computer", - "name": "W32/Elkern-C", - "id": "8c254d23-7a8d-4d91-b7e7-56a30500e465", - "type": "Event::Endpoint::Threat::CleanupFailed", - "group": "MALWARE", - "datastream": "event", - "end": "2020-07-03T05:50:43Z", - "duid": "599cc41e1c2bb41295ac959e", - "rt": "2020-07-03T06:01:11.416Z", - "dhost": "JSMITH-MAC-SJ", - "suser": "JSMITH-MAC-SJ\\jsmith", - "detection_identity_name": "W32/Elkern-C", - "filePath": "/Users/jsmith/Dropbox/.dropbox.cache/new_files/eec8381bba1914aa2207f4a53c0fad1e", - - "p_any_usernames": ["JSMITH-MAC-SJ\\jsmith"], - "p_event_time": "2020-07-03T05:50:43.000Z", - "p_any_ip_addresses": [ "192.168.1.68" ], - "p_log_type": "Sophos.Central" - } diff --git a/schemas/logs/suricata/anomaly.yml b/schemas/logs/suricata/anomaly.yml deleted file mode 100644 index a1625d7d0..000000000 --- a/schemas/logs/suricata/anomaly.yml +++ /dev/null @@ -1,114 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Suricata.Anomaly -parser: - native: - name: Suricata.Anomaly -description: Suricata parser for the Anomaly event type in the EVE JSON output. -referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html#anomaly -version: 0 -fields: - - name: anomaly - required: true - description: Suricata Anomaly Anomaly - type: object - fields: - - name: code - description: Suricata AnomalyDetails Code - type: bigint - - name: event - description: Suricata AnomalyDetails Event - type: string - - name: layer - description: Suricata AnomalyDetails Layer - type: string - - name: type - description: Suricata AnomalyDetails Type - type: string - - name: app_proto - description: Suricata Anomaly AppProto - type: string - - name: community_id - description: Suricata Anomaly CommunityID - type: string - - name: dest_ip - description: Suricata Anomaly DestIP - type: string - - name: dest_port - description: Suricata Anomaly DestPort - type: int - - name: event_type - required: true - description: Suricata Anomaly EventType - type: string - - name: flow_id - description: Suricata Anomaly FlowID - type: bigint - - name: icmp_code - description: Suricata Anomaly IcmpCode - type: bigint - - name: icmp_type - description: Suricata Anomaly IcmpType - type: bigint - - name: metadata - description: Suricata Anomaly Metadata - type: object - fields: - - name: flowbits - description: Suricata AnomalyMetadata Flowbits - type: array - element: - type: string - - name: flowints - description: Suricata AnomalyMetadata Flowints - type: object - fields: - - name: applayer.anomaly.count - description: Suricata AnomalyMetadataFlowints ApplayerAnomalyCount - type: bigint - - name: http.anomaly.count - description: Suricata AnomalyMetadataFlowints HTTPAnomalyCount - type: bigint - - name: tcp.retransmission.count - description: Suricata AnomalyMetadataFlowints TCPRetransmissionCount - type: bigint - - name: tls.anomaly.count - description: Suricata AnomalyMetadataFlowints TLSAnomalyCount - type: bigint - - name: packet - description: Suricata Anomaly Packet - type: string - - name: packet_info - description: Suricata Anomaly PacketInfo - type: object - fields: - - name: linktype - description: Suricata AnomalyPacketInfo Linktype - type: bigint - - name: pcap_cnt - description: Suricata Anomaly PcapCnt - type: bigint - - name: pcap_filename - description: Suricata Anomaly PcapFilename - type: string - - name: proto - description: Suricata Anomaly Proto - type: bigint - - name: src_ip - description: Suricata Anomaly SrcIP - type: string - - name: src_port - description: Suricata Anomaly SrcPort - type: int - - name: timestamp - required: true - description: Suricata Anomaly Timestamp - type: timestamp - timeFormat: rfc3339 - - name: tx_id - description: Suricata Anomaly TxID - type: bigint - - name: vlan - description: Suricata Anomaly Vlan - type: array - element: - type: bigint diff --git a/schemas/logs/suricata/dns.yml b/schemas/logs/suricata/dns.yml deleted file mode 100644 index 627686e77..000000000 --- a/schemas/logs/suricata/dns.yml +++ /dev/null @@ -1,167 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Suricata.DNS -parser: - native: - name: Suricata.DNS -description: Suricata parser for the DNS event type in the EVE JSON output. -referenceURL: https://suricata.readthedocs.io/en/suricata-5.0.2/output/eve/eve-json-output.html#dns -version: 0 -fields: - - name: community_id - description: Suricata DNS CommunityID - type: string - - name: dns - required: true - description: Suricata DNS DNS - type: object - fields: - - name: aa - description: Suricata DNSDetails Aa - type: boolean - - name: answers - description: Suricata DNSDetails Answers - type: array - element: - type: object - fields: - - name: rdata - description: Suricata DNSDetailsAnswers Rdata - type: string - - name: rrname - description: Suricata DNSDetailsAnswers Rrname - type: string - - name: rrtype - description: Suricata DNSDetailsAnswers Rrtype - type: string - - name: ttl - description: Suricata DNSDetailsAnswers TTL - type: bigint - - name: authorities - description: Suricata DNSDetails Authorities - type: array - element: - type: object - fields: - - name: rrname - description: Suricata DNSDetailsAuthorities Rrname - type: string - - name: rrtype - description: Suricata DNSDetailsAuthorities Rrtype - type: string - - name: ttl - description: Suricata DNSDetailsAuthorities TTL - type: bigint - - name: flags - description: Suricata DNSDetails Flags - type: string - - name: grouped - description: Suricata DNSDetails Grouped - type: object - fields: - - name: A - description: Suricata DNSDetailsGrouped A - type: array - element: - type: string - - name: AAAA - description: Suricata DNSDetailsGrouped Aaaa - type: array - element: - type: string - - name: CNAME - description: Suricata DNSDetailsGrouped Cname - type: array - element: - type: string - - name: MX - description: Suricata DNSDetailsGrouped Mx - type: array - element: - type: string - - name: PTR - description: Suricata DNSDetailsGrouped Ptr - type: array - element: - type: string - - name: TXT - description: Suricata DNSDetailsGrouped Txt - type: array - element: - type: string - - name: id - description: Suricata DNSDetails ID - type: bigint - - name: qr - description: Suricata DNSDetails Qr - type: boolean - - name: ra - description: Suricata DNSDetails Ra - type: boolean - - name: rcode - description: Suricata DNSDetails Rcode - type: string - - name: rd - description: Suricata DNSDetails Rd - type: boolean - - name: rrname - description: Suricata DNSDetails Rrname - type: string - - name: rdata - description: Suricata DNSDetails RData - type: string - - name: rrtype - description: Suricata DNSDetails Rrtype - type: string - - name: ttl - description: Suricata DNSDetails TTL - type: bigint - - name: tx_id - description: Suricata DNSDetails TxID - type: bigint - - name: type - description: Suricata DNSDetails Type - type: string - - name: version - description: Suricata DNSDetails Version - type: bigint - - name: dest_ip - required: true - description: Suricata DNS DestIP - type: string - - name: dest_port - description: Suricata DNS DestPort - type: int - - name: event_type - required: true - description: Suricata DNS EventType - type: string - - name: flow_id - description: Suricata DNS FlowID - type: bigint - - name: pcap_cnt - description: Suricata DNS PcapCnt - type: bigint - - name: pcap_filename - description: Suricata DNS PcapFilename - type: string - - name: proto - required: true - description: Suricata DNS Proto - type: bigint - - name: src_ip - required: true - description: Suricata DNS SrcIP - type: string - - name: src_port - description: Suricata DNS SrcPort - type: int - - name: timestamp - required: true - description: Suricata DNS Timestamp - type: timestamp - timeFormat: rfc3339 - - name: vlan - description: Suricata DNS Vlan - type: array - element: - type: bigint diff --git a/schemas/logs/syslog/rfc_3164.yml b/schemas/logs/syslog/rfc_3164.yml deleted file mode 100644 index 6e9d91c0f..000000000 --- a/schemas/logs/syslog/rfc_3164.yml +++ /dev/null @@ -1,40 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Syslog.RFC3164 -parser: - native: - name: Syslog.RFC3164 -description: Syslog parser for the RFC3164 format (ie. BSD-syslog messages) -referenceURL: https://tools.ietf.org/html/rfc3164 -version: 0 -fields: - - name: priority - required: true - description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message. - type: smallint - - name: facility - required: true - description: "Facility value helps determine which process created the message. Eg: 0 = kernel messages, 3 = system daemons." - type: smallint - - name: severity - required: true - description: "Severity indicates how severe the message is. Eg: 0=Emergency to 7=Debug." - type: smallint - - name: timestamp - description: Timestamp of the syslog message in UTC. - type: timestamp - timeFormat: rfc3339 - - name: hostname - description: Hostname identifies the machine that originally sent the syslog message. - type: string - - name: appname - description: Appname identifies the device or application that originated the syslog message. - type: string - - name: procid - description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting. - type: string - - name: msgid - description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic. - type: string - - name: message - description: Message contains free-form text that provides information about the event. - type: string diff --git a/schemas/logs/syslog/rfc_5424.yml b/schemas/logs/syslog/rfc_5424.yml deleted file mode 100644 index 6c62222b8..000000000 --- a/schemas/logs/syslog/rfc_5424.yml +++ /dev/null @@ -1,47 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Syslog.RFC5424 -parser: - native: - name: Syslog.RFC5424 -description: Syslog parser for the RFC5424 format. -referenceURL: https://tools.ietf.org/html/rfc5424 -version: 0 -fields: - - name: priority - required: true - description: Priority is calculated by (Facility * 8 + Severity). The lower this value, the higher importance of the log message. - type: smallint - - name: facility - required: true - description: "Facility value helps determine which process created the message. Eg: 0 = kernel messages, 3 = system daemons." - type: smallint - - name: severity - required: true - description: "Severity indicates how severe the message is. Eg: 0=Emergency to 7=Debug." - type: smallint - - name: version - required: true - description: Version of the syslog message protocol. RFC5424 mandates that version cannot be 0, so a 0 value signals no version. - type: int - - name: timestamp - description: Timestamp of the syslog message in UTC. - type: timestamp - timeFormat: rfc3339 - - name: hostname - description: Hostname identifies the machine that originally sent the syslog message. - type: string - - name: appname - description: Appname identifies the device or application that originated the syslog message. - type: string - - name: procid - description: ProcID is often the process ID, but can be any value used to enable log analyzers to detect discontinuities in syslog reporting. - type: string - - name: msgid - description: MsgID identifies the type of message. For example, a firewall might use the MsgID 'TCPIN' for incoming TCP traffic. - type: string - - name: structured_data - description: StructuredData provides a mechanism to express information in a well defined and easily parsable format. - type: json - - name: message - description: Message contains free-form text that provides information about the event. - type: string diff --git a/schemas/logs/zeek/dns.yml b/schemas/logs/zeek/dns.yml deleted file mode 100644 index c64eb0fab..000000000 --- a/schemas/logs/zeek/dns.yml +++ /dev/null @@ -1,90 +0,0 @@ -# Code generated by Panther; DO NOT EDIT. (@generated) -schema: Zeek.DNS -parser: - native: - name: Zeek.DNS -description: Zeek DNS activity -referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info -version: 0 -fields: - - name: ts - required: true - description: The earliest time at which a DNS protocol message over the associated connection is observed. - type: timestamp - timeFormat: rfc3339 - - name: uid - required: true - description: A unique identifier of the connection over which DNS messages are being transferred. - type: string - - name: id.orig_h - required: true - description: The originator’s IP address. - type: string - - name: id.orig_p - required: true - description: The originator’s port number. - type: int - - name: id.resp_h - required: true - description: The responder’s IP address. - type: string - - name: id.resp_p - required: true - description: The responder’s port number. - type: int - - name: proto - required: true - description: The transport layer protocol of the connection. - type: string - - name: trans_id - description: A 16-bit identifier assigned by the program that generated the DNS query. Also used in responses to match up replies to outstanding queries. - type: int - - name: query - description: The domain name that is the subject of the DNS query. - type: string - - name: qclass - description: The QCLASS value specifying the class of the query. - type: bigint - - name: qclass_name - description: A descriptive name for the class of the query. - type: string - - name: qtype - description: A QTYPE value specifying the type of the query. - type: bigint - - name: qtype_name - description: A descriptive name for the type of the query. - type: string - - name: rcode - description: The response code value in DNS response messages. - type: bigint - - name: rcode_name - description: A descriptive name for the response code value. - type: string - - name: AA - description: The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. - type: boolean - - name: TC - description: The Truncation bit specifies that the message was truncated. - type: boolean - - name: RD - description: The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. - type: boolean - - name: RA - description: The Recursion Available bit in a response message indicates that the name server supports recursive queries. - type: boolean - - name: Z - description: A reserved field that is usually zero in queries and responses. - type: bigint - - name: answers - description: The set of resource descriptions in the query answer. - type: array - element: - type: string - - name: TTLs - description: The caching intervals (measured in seconds) of the associated RRs described by the answers field. - type: array - element: - type: float - - name: rejected - description: The DNS query was rejected by the server. - type: boolean From 4321c05a592823468eb54d96d483927abedbbf75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ed=E2=81=A6?= Date: Fri, 5 Aug 2022 11:59:08 -0700 Subject: [PATCH 12/21] fix: panther specific github actions should not run on forks (#469) --- .github/workflows/asana.yml | 8 ++++++-- .github/workflows/main.yml | 4 +++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/asana.yml b/.github/workflows/asana.yml index 1f0ef23f6..e74929874 100644 --- a/.github/workflows/asana.yml +++ b/.github/workflows/asana.yml @@ -8,7 +8,9 @@ on: jobs: update_task_on_pr_open: - if: ${{ github.event.pull_request.state == 'open' }} + if: | + github.repository_owner == 'panther-labs' && + github.event.pull_request.state == 'open' runs-on: ubuntu-latest steps: - uses: panther-labs/github-asana-action@v3.0.5 @@ -27,7 +29,9 @@ jobs: targets: '[{"projectNameRegex": "(S|s)print", "section": "In Review"}]' update_task_on_pr_close: - if: ${{ github.event.pull_request.state == 'closed' }} + if: | + github.repository_owner == 'panther-labs' && + github.event.pull_request.state == 'closed' runs-on: ubuntu-latest steps: - uses: panther-labs/github-asana-action@v3.0.5 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 85f409f5d..d2ee31e15 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,7 +24,9 @@ on: jobs: sync_prs_from_community_to_dogfood: name: Syncs merged PRs from Panther-Analysis Community to Panther-Analysis-Dogfood - if: ${{ github.event.pull_request.merged == true && !contains(github.event.pull_request.labels.*.name, 'dogfood-backport') }} + if: | + github.repository_owner == 'panther-labs' && + ( github.event.pull_request.merged == true && !contains(github.event.pull_request.labels.*.name, 'dogfood-backport') ) runs-on: ubuntu-latest env: SOURCE_REPO_CHECKOUT_PATH: src From 59f8f22b0bd2f47531c88430d7ce8f2345ae09e3 Mon Sep 17 00:00:00 2001 From: kesten Date: Fri, 5 Aug 2022 15:32:27 -0500 Subject: [PATCH 13/21] Kbroughton/make lint action (#452) * kbroughton/make_lint_action * working * remove dogfood, add make install and test * update filename * update trigger action * update name Co-authored-by: Kyle Bailey --- .github/workflows/lint-test.yml | 46 +++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/lint-test.yml diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml new file mode 100644 index 000000000..380ab1a3c --- /dev/null +++ b/.github/workflows/lint-test.yml @@ -0,0 +1,46 @@ +# Panther is a Cloud-Native SIEM for the Modern Security Team. +# Copyright (C) 2020 Panther Labs Inc +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +on: pull_request + +jobs: + make_lint: + name: lint and test + runs-on: ubuntu-latest + + steps: + - name: Checkout Source Repo + uses: actions/checkout@v2 + + - name: Set python version + uses: actions/setup-python@v2 + with: + python-version: '3.9' + + - name: Install pipenv + run: pip install pipenv + + - name: Install + run: make install + + - name: Setup venv + run: make venv + + - name: make lint + run: make lint + + - name: make test + run: make test From b6f96df872bba16911aa00ae9dfa5de0e5ac2e94 Mon Sep 17 00:00:00 2001 From: Kyle Bailey Date: Fri, 5 Aug 2022 15:57:26 -0500 Subject: [PATCH 14/21] kbailey: remove circleCI (#470) --- .circleci/config.yml | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 .circleci/config.yml diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index aacd0a3b5..000000000 --- a/.circleci/config.yml +++ /dev/null @@ -1,33 +0,0 @@ -version: 2.1 - -jobs: - lint: - docker: - - image: 'cimg/python:3.9' - steps: - - checkout - - run: - name: Setup the Virtual Environment and install dependencies - command: make venv - - run: - name: Run linting - command: make lint - unit_tests: - docker: - - image: 'cimg/python:3.9' - steps: - - checkout - - run: - name: Setup the Virtual Environment and install dependencies - command: make venv - - run: - name: Run unit tests - command: make test - -workflows: - version: 2 - pipeline: - jobs: - - lint - - unit_tests - From 409acf82deb4d99c198890ac7b49d7e57a90c8ea Mon Sep 17 00:00:00 2001 From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com> Date: Fri, 5 Aug 2022 16:32:48 -0500 Subject: [PATCH 15/21] Combine GSuite High/Medium/Low Rule alerts into one (#467) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Combine GSuite Alerts Rules * Update the GSuite Report Pack yml to reflect the combined GSuite Alerts Rules Co-authored-by: Kyle Bailey Co-authored-by: Ed⁦ --- .../gsuite_high_severity_rule.py | 20 ---- .../gsuite_low_severity_rule.py | 19 ---- .../gsuite_low_severity_rule.yml | 96 ------------------- .../gsuite_medium_severity_rule.yml | 96 ------------------- ...medium_severity_rule.py => gsuite_rule.py} | 10 +- ...high_severity_rule.yml => gsuite_rule.yml} | 45 ++++++--- packs/gsuite_reports.yml | 4 +- 7 files changed, 40 insertions(+), 250 deletions(-) delete mode 100644 gsuite_activityevent_rules/gsuite_high_severity_rule.py delete mode 100644 gsuite_activityevent_rules/gsuite_low_severity_rule.py delete mode 100644 gsuite_activityevent_rules/gsuite_low_severity_rule.yml delete mode 100644 gsuite_activityevent_rules/gsuite_medium_severity_rule.yml rename gsuite_activityevent_rules/{gsuite_medium_severity_rule.py => gsuite_rule.py} (57%) rename gsuite_activityevent_rules/{gsuite_high_severity_rule.yml => gsuite_rule.yml} (69%) diff --git a/gsuite_activityevent_rules/gsuite_high_severity_rule.py b/gsuite_activityevent_rules/gsuite_high_severity_rule.py deleted file mode 100644 index 022f80ff4..000000000 --- a/gsuite_activityevent_rules/gsuite_high_severity_rule.py +++ /dev/null @@ -1,20 +0,0 @@ -from panther_base_helpers import deep_get - - -def rule(event): - - if deep_get(event, "id", "applicationName") != "rules": - return False - - if not ( - deep_get(event, "parameters", "triggered_actions") - and deep_get(event, "parameters", "severity") == "HIGH" - ): - return False - return True - -def title(event): - if deep_get(event, "parameters", "rule_name"): - return "GSuite High Severity Rule Triggered : " + deep_get(event, "parameters", "rule_name") - - return "GSuite High Severity Rule Triggered" diff --git a/gsuite_activityevent_rules/gsuite_low_severity_rule.py b/gsuite_activityevent_rules/gsuite_low_severity_rule.py deleted file mode 100644 index c4869637d..000000000 --- a/gsuite_activityevent_rules/gsuite_low_severity_rule.py +++ /dev/null @@ -1,19 +0,0 @@ -from panther_base_helpers import deep_get - - -def rule(event): - - if deep_get(event, "id", "applicationName") != "rules": - return False - - if not ( - deep_get(event, "parameters", "triggered_actions") - and deep_get(event, "parameters", "severity") == "LOW" - ): - return False - return True - -def title(event): - if deep_get(event, "parameters", "rule_name"): - return "GSuite Low Severity Rule Triggered : " + deep_get(event, "parameters", "rule_name") - return "GSuite Low Severity Rule Triggered" diff --git a/gsuite_activityevent_rules/gsuite_low_severity_rule.yml b/gsuite_activityevent_rules/gsuite_low_severity_rule.yml deleted file mode 100644 index fafddc80d..000000000 --- a/gsuite_activityevent_rules/gsuite_low_severity_rule.yml +++ /dev/null @@ -1,96 +0,0 @@ -AnalysisType: rule -Filename: gsuite_low_severity_rule.py -RuleID: GSuite.LowSeverityRule -DisplayName: GSuite Low Severity Rule Triggered -Enabled: true -LogTypes: - - GSuite.ActivityEvent -Tags: - - GSuite -Severity: Low -Description: > - A low severity GSuite rule was triggered. -Reference: https://support.google.com/a/answer/9420866 -Runbook: > - Investigate what triggered the rule. -SummaryAttributes: - - actor:email -Tests: - - - Name: Non Triggered Rule - ExpectedResult: false - Log: - { - "id": { - "applicationName": "rules", - }, - "actor": { - "email": "some.user@somedomain.com" - }, - "parameters": { - "severity": "LOW", - "triggered_actions": null - }, - } - - - Name: Low Severity Rule - ExpectedResult: true - Log: - { - "id": { - "applicationName": "rules", - }, - "actor": { - "email": "some.user@somedomain.com" - }, - "parameters": { - "data_source": "DRIVE", - "severity": "LOW", - "triggered_actions": [ - { - "action_type": "DRIVE_UNFLAG_DOCUMENT" - } - ] - }, - } - - - Name: High Severity Rule - ExpectedResult: false - Log: - { - "id": { - "applicationName": "rules", - }, - "actor": { - "email": "some.user@somedomain.com" - }, - "parameters": { - "severity": "High", - "triggered_actions": [ - { - "action_type": "DRIVE_UNFLAG_DOCUMENT" - } - ] - }, - } - - - Name: Low Severity Rule with Rule Name - ExpectedResult: true - Log: - { - "id": { - "applicationName": "rules", - }, - "actor": { - "email": "some.user@somedomain.com" - }, - "parameters": { - "severity": "LOW", - "rule_name": "CEO Impersonation", - "triggered_actions": [ - { - "action_type": "MAIL_MARK_AS_PHISHING" - } - ] - }, - } \ No newline at end of file diff --git a/gsuite_activityevent_rules/gsuite_medium_severity_rule.yml b/gsuite_activityevent_rules/gsuite_medium_severity_rule.yml deleted file mode 100644 index fee9d7677..000000000 --- a/gsuite_activityevent_rules/gsuite_medium_severity_rule.yml +++ /dev/null @@ -1,96 +0,0 @@ -AnalysisType: rule -Filename: gsuite_medium_severity_rule.py -RuleID: GSuite.MediumSeverityRule -DisplayName: GSuite Medium Severity Rule Triggered -Enabled: true -LogTypes: - - GSuite.ActivityEvent -Tags: - - GSuite -Severity: Medium -Description: > - A medium severity GSuite rule was triggered. -Reference: https://support.google.com/a/answer/9420866 -Runbook: > - Investigate what triggered the rule. -SummaryAttributes: - - actor:email -Tests: - - - Name: Non Triggered Rule - ExpectedResult: false - Log: - { - "id": { - "applicationName": "rules", - }, - "actor": { - "email": "some.user@somedomain.com" - }, - "parameters": { - "severity": "MEDIUM", - "triggered_actions": null - }, - } - - - Name: Medium Severity Rule - ExpectedResult: true - Log: - { - "id": { - "applicationName": "rules", - }, - "actor": { - "email": "some.user@somedomain.com" - }, - "parameters": { - "data_source": "DRIVE", - "severity": "MEDIUM", - "triggered_actions": [ - { - "action_type": "DRIVE_UNFLAG_DOCUMENT" - } - ] - }, - } - - - Name: Low Severity Rule - ExpectedResult: false - Log: - { - "id": { - "applicationName": "rules", - }, - "actor": { - "email": "some.user@somedomain.com" - }, - "parameters": { - "severity": "LOW", - "triggered_actions": [ - { - "action_type": "DRIVE_UNFLAG_DOCUMENT" - } - ] - }, - } - - - Name: Medium Severity Rule with Rule Name - ExpectedResult: true - Log: - { - "id": { - "applicationName": "rules", - }, - "actor": { - "email": "some.user@somedomain.com" - }, - "parameters": { - "severity": "MEDIUM", - "rule_name": "CEO Impersonation", - "triggered_actions": [ - { - "action_type": "MAIL_MARK_AS_PHISHING" - } - ] - }, - } \ No newline at end of file diff --git a/gsuite_activityevent_rules/gsuite_medium_severity_rule.py b/gsuite_activityevent_rules/gsuite_rule.py similarity index 57% rename from gsuite_activityevent_rules/gsuite_medium_severity_rule.py rename to gsuite_activityevent_rules/gsuite_rule.py index 1cf77742b..bc3f7a7a1 100644 --- a/gsuite_activityevent_rules/gsuite_medium_severity_rule.py +++ b/gsuite_activityevent_rules/gsuite_rule.py @@ -1,19 +1,21 @@ from panther_base_helpers import deep_get - def rule(event): if deep_get(event, "id", "applicationName") != "rules": return False if not ( deep_get(event, "parameters", "triggered_actions") - and deep_get(event, "parameters", "severity") == "MEDIUM" ): return False return True def title(event): + rule_severity = deep_get(event, "parameters", "severity") if deep_get(event, "parameters", "rule_name"): - return "GSuite Medium Severity Rule Triggered: " \ + return "GSuite " + rule_severity + " Severity Rule Triggered: " \ + deep_get(event, "parameters", "rule_name") - return "GSuite Medium Severity Rule Triggered" + return "GSuite " + rule_severity + " Severity Rule Triggered" + +def severity(event): + return deep_get(event, "parameters", "severity", default="INFO") diff --git a/gsuite_activityevent_rules/gsuite_high_severity_rule.yml b/gsuite_activityevent_rules/gsuite_rule.yml similarity index 69% rename from gsuite_activityevent_rules/gsuite_high_severity_rule.yml rename to gsuite_activityevent_rules/gsuite_rule.yml index a4add8eaa..c01d5a844 100644 --- a/gsuite_activityevent_rules/gsuite_high_severity_rule.yml +++ b/gsuite_activityevent_rules/gsuite_rule.yml @@ -1,15 +1,15 @@ AnalysisType: rule -Filename: gsuite_high_severity_rule.py -RuleID: GSuite.HighSeverityRule -DisplayName: GSuite High Severity Rule Triggered +Filename: gsuite_rule.py +RuleID: GSuite.Rule +DisplayName: GSuite Rule Triggered Enabled: true LogTypes: - GSuite.ActivityEvent Tags: - GSuite -Severity: High +Severity: Info Description: > - A high severity GSuite rule was triggered. + A GSuite rule was triggered. Reference: https://support.google.com/a/answer/9420866 Runbook: > Investigate what triggered the rule. @@ -22,7 +22,7 @@ Tests: Log: { "id": { - "applicationName": "rules", + "applicationName": "rules" }, "actor": { "email": "some.user@somedomain.com" @@ -38,7 +38,7 @@ Tests: Log: { "id": { - "applicationName": "rules", + "applicationName": "rules" }, "actor": { "email": "some.user@somedomain.com" @@ -51,15 +51,36 @@ Tests: "action_type": "DRIVE_UNFLAG_DOCUMENT" } ] + } + } + - + Name: Medium Severity Rule + ExpectedResult: true + Log: + { + "id": { + "applicationName": "rules" }, + "actor": { + "email": "some.user@somedomain.com" + }, + "parameters": { + "data_source": "DRIVE", + "severity": "MEDIUM", + "triggered_actions": [ + { + "action_type": "DRIVE_UNFLAG_DOCUMENT" + } + ] + } } - Name: Low Severity Rule - ExpectedResult: false + ExpectedResult: true Log: { "id": { - "applicationName": "rules", + "applicationName": "rules" }, "actor": { "email": "some.user@somedomain.com" @@ -71,7 +92,7 @@ Tests: "action_type": "DRIVE_UNFLAG_DOCUMENT" } ] - }, + } } - Name: High Severity Rule with Rule Name @@ -79,7 +100,7 @@ Tests: Log: { "id": { - "applicationName": "rules", + "applicationName": "rules" }, "actor": { "email": "some.user@somedomain.com" @@ -92,5 +113,5 @@ Tests: "action_type": "MAIL_MARK_AS_PHISHING" } ] - }, + } } diff --git a/packs/gsuite_reports.yml b/packs/gsuite_reports.yml index 50a99880c..4d93f5952 100644 --- a/packs/gsuite_reports.yml +++ b/packs/gsuite_reports.yml @@ -12,11 +12,9 @@ PackDefinition: - GSuite.GoogleAccess - GSuite.GovernmentBackedAttack - GSuite.GroupBannedUser - - GSuite.HighSeverityRule - GSuite.LeakedPassword - GSuite.LoginType - - GSuite.LowSeverityRule - - GSuite.MediumSeverityRule + - GSuite.Rule - GSuite.DeviceCompromise - GSuite.DeviceUnlockFailure - GSuite.DeviceSuspiciousActivity From 6e6b7e593bf8834a635c8fd25c87329b18d4278e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ed=E2=81=A6?= Date: Fri, 5 Aug 2022 14:42:56 -0700 Subject: [PATCH 16/21] chore: update test badge to use github actions (#471) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 682fe1b13..b23194e01 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@

- CircleCI + GitHub Actions Link

From 22541edea641fea8b6604b2229290da649995e16 Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Mon, 8 Aug 2022 18:30:19 -0400 Subject: [PATCH 17/21] Tweak - Cloudflare L7 DDoS (#475) * Tweaked the Cloudflare L7 DDoS detection to filter out blocks * Update cloudflare_rules/cloudflare_firewall_ddos.yml --- cloudflare_rules/cloudflare_firewall_ddos.py | 2 +- cloudflare_rules/cloudflare_firewall_ddos.yml | 31 +++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/cloudflare_rules/cloudflare_firewall_ddos.py b/cloudflare_rules/cloudflare_firewall_ddos.py index fbd8a0e75..1e6e86ca9 100644 --- a/cloudflare_rules/cloudflare_firewall_ddos.py +++ b/cloudflare_rules/cloudflare_firewall_ddos.py @@ -1,5 +1,5 @@ def rule(event): - if event.get("Source") != "l7ddos": + if event.get("Source") != "l7ddos" or event.get("Action") == "block": return False return True diff --git a/cloudflare_rules/cloudflare_firewall_ddos.yml b/cloudflare_rules/cloudflare_firewall_ddos.yml index 564b74569..9f2609599 100644 --- a/cloudflare_rules/cloudflare_firewall_ddos.yml +++ b/cloudflare_rules/cloudflare_firewall_ddos.yml @@ -22,6 +22,37 @@ Tests: - Name: Traffic Marked as L7DDoS ExpectedResult: true + Log: + { + "Action": "skip", + "ClientASN": 55836, + "ClientASNDescription": "RELIANCEJIO-IN Reliance Jio Infocomm Limited", + "ClientCountry": "in", + "ClientIP": "127.0.0.1", + "ClientRequestHost": "example.com", + "ClientRequestMethod": "GET", + "ClientRequestPath": "/main.php", + "ClientRequestProtocol": "HTTP/1.1", + "ClientRequestQuery": "", + "ClientRequestScheme": "http", + "ClientRequestUserAgent": "Fuzz Faster U Fool v1.3.1-dev", + "Datetime": "2022-05-10 06:36:57", + "EdgeColoCode": "DEL", + "EdgeResponseStatus": 403, + "Kind": "firewall", + "MatchIndex": 0, + "Metadata": { + "dos-source": "dosd-edge" + }, + "OriginResponseStatus": 0, + "OriginatorRayID": "00", + "RayID": "7090a9da88e333d8", + "RuleID": "ed651449c4a54f4b99c6e3bf863134d5", + "Source": "l7ddos", + } + - + Name: Traffic Marked as L7DDoS but blocked + ExpectedResult: false Log: { "Action": "block", From ba559fb5ee15825863178e1478f84bdbdaa447a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ed=E2=81=A6?= Date: Wed, 10 Aug 2022 12:43:09 -0700 Subject: [PATCH 18/21] feat: cyclomatic complexity linting (#474) * feat: enable mccabe method cyclomatic complexity to linter with default setting of 10 --- Makefile | 5 ++++- aws_cloudtrail_rules/aws_resource_made_public.py | 2 +- aws_cloudtrail_rules/aws_s3_activity_greynoise.py | 1 + aws_iam_policies/aws_iam_role_external_permission.py | 1 + data_models/zoom_operation_data_model.py | 1 + gsuite_reports_rules/gsuite_drive_visibility_change.py | 1 + standard_rules/unusual_login.py | 1 + 7 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 2e1a2fbed..9ca4f6963 100644 --- a/Makefile +++ b/Makefile @@ -11,7 +11,10 @@ deps-update: lint: pipenv run bandit -r $(dirs) --skip B101 # allow assert statements in tests - pipenv run pylint $(dirs) --disable=missing-docstring,duplicate-code,import-error,fixme,consider-iterating-dictionary,global-variable-not-assigned --max-line-length=100 + pipenv run pylint $(dirs) \ + --disable=missing-docstring,duplicate-code,import-error,fixme,consider-iterating-dictionary,global-variable-not-assigned \ + --load-plugins=pylint.extensions.mccabe \ + --max-line-length=100 venv: pipenv install --dev diff --git a/aws_cloudtrail_rules/aws_resource_made_public.py b/aws_cloudtrail_rules/aws_resource_made_public.py index 2bd4d11ef..6d67424de 100644 --- a/aws_cloudtrail_rules/aws_resource_made_public.py +++ b/aws_cloudtrail_rules/aws_resource_made_public.py @@ -15,7 +15,7 @@ def policy_is_internet_accessible(json_policy): # Normally this check helps avoid overly complex functions that are doing too many things, # but in this case we explicitly want to handle 10 different cases in 10 different ways. # Any solution that avoids too many return statements only increases the complexity of this rule. -# pylint: disable=too-many-return-statements +# pylint: disable=too-many-return-statements, too-complex def rule(event): if not aws_cloudtrail_success(event): return False diff --git a/aws_cloudtrail_rules/aws_s3_activity_greynoise.py b/aws_cloudtrail_rules/aws_s3_activity_greynoise.py index 366fbf204..f7a36395c 100644 --- a/aws_cloudtrail_rules/aws_s3_activity_greynoise.py +++ b/aws_cloudtrail_rules/aws_s3_activity_greynoise.py @@ -22,6 +22,7 @@ def rule(event): + # pylint: disable=too-complex # Filter: Non-S3 events if event.get("eventSource") != "s3.amazonaws.com": return False diff --git a/aws_iam_policies/aws_iam_role_external_permission.py b/aws_iam_policies/aws_iam_role_external_permission.py index 44ad2d65f..6d15b5d22 100644 --- a/aws_iam_policies/aws_iam_role_external_permission.py +++ b/aws_iam_policies/aws_iam_role_external_permission.py @@ -92,6 +92,7 @@ def check_policy(policy_text): def policy(resource): + # pylint: disable=too-complex if not check_account(resource): for policy_text in (resource.get("InlinePolicies") or {}).values(): if not check_policy(policy_text): diff --git a/data_models/zoom_operation_data_model.py b/data_models/zoom_operation_data_model.py index b5d77822f..a7f5c432b 100644 --- a/data_models/zoom_operation_data_model.py +++ b/data_models/zoom_operation_data_model.py @@ -4,6 +4,7 @@ def get_event_type(event): # pylint: disable=too-many-return-statements # pylint: disable=too-many-branches + # pylint: disable=too-complex if event.get("category_type") == "User": if event.get("action") == "Add": return event_type.USER_ACCOUNT_CREATED diff --git a/gsuite_reports_rules/gsuite_drive_visibility_change.py b/gsuite_reports_rules/gsuite_drive_visibility_change.py index e916cd649..edd111070 100644 --- a/gsuite_reports_rules/gsuite_drive_visibility_change.py +++ b/gsuite_reports_rules/gsuite_drive_visibility_change.py @@ -58,6 +58,7 @@ def user_is_external(target_user): def rule(event): + # pylint: disable=too-complex if deep_get(event, "id", "applicationName") != "drive": return False diff --git a/standard_rules/unusual_login.py b/standard_rules/unusual_login.py index 06d56d4ae..7a7744727 100644 --- a/standard_rules/unusual_login.py +++ b/standard_rules/unusual_login.py @@ -18,6 +18,7 @@ def rule(event): + # pylint: disable=too-complex # unique key for global dictionary log = event.get("p_row_id") From d79d703ce633d12aa31470d0a8ece798a43d172f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ed=E2=81=A6?= Date: Wed, 10 Aug 2022 12:56:40 -0700 Subject: [PATCH 19/21] feat: bring additional alert_context to AWS rules which had none (#472) * feat: add alert_context and global helper for all aws*rules/*py that lack them Co-authored-by: Weyland <71197790+wey-chiang@users.noreply.github.com> --- .../aws_ami_modified_for_public_access.py | 6 +++++- aws_cloudtrail_rules/aws_cloudtrail_created.py | 6 +++++- aws_cloudtrail_rules/aws_cloudtrail_stopped.py | 6 +++++- aws_cloudtrail_rules/aws_codebuild_made_public.py | 6 +++++- aws_cloudtrail_rules/aws_config_service_created.py | 5 +++++ .../aws_config_service_disabled_deleted.py | 5 +++++ aws_cloudtrail_rules/aws_console_login_failed.py | 6 +++++- aws_cloudtrail_rules/aws_console_login_without_mfa.py | 6 +++++- aws_cloudtrail_rules/aws_console_login_without_saml.py | 6 +++++- aws_cloudtrail_rules/aws_console_root_login_failed.py | 6 +++++- aws_cloudtrail_rules/aws_ec2_gateway_modified.py | 5 +++++ .../aws_ec2_manual_security_group_changes.py | 6 +++++- aws_cloudtrail_rules/aws_ec2_network_acl_modified.py | 5 +++++ aws_cloudtrail_rules/aws_ec2_route_table_modified.py | 5 +++++ .../aws_ec2_security_group_modified.py | 5 +++++ aws_cloudtrail_rules/aws_ec2_vpc_modified.py | 5 +++++ aws_cloudtrail_rules/aws_iam_anything_changed.py | 5 +++++ .../aws_iam_assume_role_blocklist_ignored.py | 6 +++++- .../aws_iam_entity_created_without_cloudformation.py | 6 +++++- aws_cloudtrail_rules/aws_iam_policy_modified.py | 5 +++++ aws_cloudtrail_rules/aws_iam_user_recon_denied.py | 6 +++++- aws_cloudtrail_rules/aws_key_compromised.py | 6 +++++- aws_cloudtrail_rules/aws_kms_cmk_loss.py | 5 +++++ .../aws_network_acl_permissive_entry.py | 6 +++++- aws_cloudtrail_rules/aws_resource_made_public.py | 6 +++++- aws_cloudtrail_rules/aws_root_access_key_created.py | 6 +++++- aws_cloudtrail_rules/aws_root_console_login.py | 6 +++++- aws_cloudtrail_rules/aws_root_failed_console_login.py | 6 +++++- aws_cloudtrail_rules/aws_root_password_changed.py | 6 +++++- aws_cloudtrail_rules/aws_s3_bucket_deleted.py | 6 +++++- aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py | 6 +++++- .../aws_security_configuration_change.py | 6 +++++- aws_cloudtrail_rules/aws_snapshot_made_public.py | 6 +++++- aws_cloudtrail_rules/aws_unauthorized_api_call.py | 6 +++++- aws_cloudtrail_rules/aws_update_credentials.py | 6 +++++- aws_guardduty_rules/aws_guardduty_high_sev_findings.py | 5 +++++ aws_guardduty_rules/aws_guardduty_low_sev_findings.py | 5 +++++ aws_guardduty_rules/aws_guardduty_med_sev_findings.py | 5 +++++ aws_s3_rules/aws_s3_access_error.py | 6 +++++- aws_s3_rules/aws_s3_access_ip_allowlist.py | 5 +++++ aws_s3_rules/aws_s3_insecure_access.py | 6 +++++- aws_s3_rules/aws_s3_unauthenticated_access.py | 5 +++++ aws_s3_rules/aws_s3_unknown_requester_get_object.py | 5 +++++ aws_vpc_flow_rules/aws_vpc_healthy_log_status.py | 5 +++++ .../aws_vpc_inbound_traffic_port_allowlist.py | 5 +++++ .../aws_vpc_inbound_traffic_port_blocklist.py | 5 +++++ aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py | 5 +++++ global_helpers/panther_base_helpers.py | 10 ++++++++++ 48 files changed, 245 insertions(+), 27 deletions(-) diff --git a/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py b/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py index 21faab80d..b85892638 100644 --- a/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py +++ b/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -16,3 +16,7 @@ def rule(event): return True return False + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_cloudtrail_created.py b/aws_cloudtrail_rules/aws_cloudtrail_created.py index 20665356e..4a5fa636c 100644 --- a/aws_cloudtrail_rules/aws_cloudtrail_created.py +++ b/aws_cloudtrail_rules/aws_cloudtrail_created.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context # API calls that are indicative of CloudTrail changes CLOUDTRAIL_CREATE_UPDATE = { @@ -15,3 +15,7 @@ def rule(event): def title(event): return f"CloudTrail [{deep_get(event, 'requestParameters', 'name')}] was created/updated" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_cloudtrail_stopped.py b/aws_cloudtrail_rules/aws_cloudtrail_stopped.py index 7ddd0ac95..fb2841971 100644 --- a/aws_cloudtrail_rules/aws_cloudtrail_stopped.py +++ b/aws_cloudtrail_rules/aws_cloudtrail_stopped.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success, lookup_aws_account_name -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context # API calls that are indicative of CloudTrail changes CLOUDTRAIL_STOP_DELETE = { @@ -22,3 +22,7 @@ def title(event): f"CloudTrail [{dedup(event)}] in account " f"[{lookup_aws_account_name(event.get('recipientAccountId'))}] was stopped/deleted" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_codebuild_made_public.py b/aws_cloudtrail_rules/aws_codebuild_made_public.py index 955eff833..4f739aba8 100644 --- a/aws_cloudtrail_rules/aws_codebuild_made_public.py +++ b/aws_cloudtrail_rules/aws_codebuild_made_public.py @@ -1,5 +1,5 @@ from panther import lookup_aws_account_name -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -14,3 +14,7 @@ def title(event): f"AWS CodeBuild Project made Public by {deep_get(event, 'userIdentity', 'arn')} " f"in account {lookup_aws_account_name(deep_get(event, 'recipientAccountId'))}" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_config_service_created.py b/aws_cloudtrail_rules/aws_config_service_created.py index c85f91339..dab181af1 100644 --- a/aws_cloudtrail_rules/aws_config_service_created.py +++ b/aws_cloudtrail_rules/aws_config_service_created.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of an AWS Config Service change CONFIG_SERVICE_CREATE_EVENTS = { @@ -10,3 +11,7 @@ def rule(event): return aws_cloudtrail_success(event) and event.get("eventName") in CONFIG_SERVICE_CREATE_EVENTS + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py b/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py index be558c2a8..e56714b7d 100644 --- a/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py +++ b/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of an AWS Config Service change CONFIG_SERVICE_DISABLE_DELETE_EVENTS = { @@ -12,3 +13,7 @@ def rule(event): aws_cloudtrail_success(event) and event.get("eventName") in CONFIG_SERVICE_DISABLE_DELETE_EVENTS ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_console_login_failed.py b/aws_cloudtrail_rules/aws_console_login_failed.py index 4747c670e..fd927180f 100644 --- a/aws_cloudtrail_rules/aws_console_login_failed.py +++ b/aws_cloudtrail_rules/aws_console_login_failed.py @@ -1,5 +1,5 @@ from panther import lookup_aws_account_name -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -14,3 +14,7 @@ def title(event): return ( f"AWS logins failed in account [{lookup_aws_account_name(event.get('recipientAccountId'))}]" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_console_login_without_mfa.py b/aws_cloudtrail_rules/aws_console_login_without_mfa.py index 0feaf2b2a..68964157b 100644 --- a/aws_cloudtrail_rules/aws_console_login_without_mfa.py +++ b/aws_cloudtrail_rules/aws_console_login_without_mfa.py @@ -2,7 +2,7 @@ import logging from panther import lookup_aws_account_name -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context from panther_oss_helpers import check_account_age # Set to True for environments that permit direct role assumption via external IDP @@ -84,3 +84,7 @@ def title(event): account_string = f"{account_name} account ({account_id})" return f"AWS login detected without MFA for [{user_string}] in [{account_string}]" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_console_login_without_saml.py b/aws_cloudtrail_rules/aws_console_login_without_saml.py index 0a47a0ba2..7d458ffab 100644 --- a/aws_cloudtrail_rules/aws_console_login_without_saml.py +++ b/aws_cloudtrail_rules/aws_console_login_without_saml.py @@ -1,5 +1,5 @@ from panther import lookup_aws_account_name -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -16,3 +16,7 @@ def title(event): f"AWS logins without SAML in account " f"[{lookup_aws_account_name(event.get('recipientAccountId'))}]" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_console_root_login_failed.py b/aws_cloudtrail_rules/aws_console_root_login_failed.py index 5b4eec6da..369a5af39 100644 --- a/aws_cloudtrail_rules/aws_console_root_login_failed.py +++ b/aws_cloudtrail_rules/aws_console_root_login_failed.py @@ -1,5 +1,5 @@ from panther import lookup_aws_account_name -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -15,3 +15,7 @@ def title(event): f"AWS root login failed from [{event.get('sourceIPAddress')}] in account " f"[{lookup_aws_account_name(event.get('recipientAccountId'))}]" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_ec2_gateway_modified.py b/aws_cloudtrail_rules/aws_ec2_gateway_modified.py index 15de274a8..69371efe1 100644 --- a/aws_cloudtrail_rules/aws_ec2_gateway_modified.py +++ b/aws_cloudtrail_rules/aws_ec2_gateway_modified.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of an EC2 Network Gateway modification EC2_GATEWAY_MODIFIED_EVENTS = { @@ -17,3 +18,7 @@ def rule(event): def dedup(event): return event.get("recipientAccountId") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py b/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py index db238935b..a8be33b51 100644 --- a/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py +++ b/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get, pattern_match_list +from panther_base_helpers import deep_get, pattern_match_list, aws_rule_context PROD_ACCOUNT_IDS = {"11111111111111", "112233445566"} SG_CHANGE_EVENTS = { @@ -58,3 +58,7 @@ def title(event): title_template = SG_CHANGE_EVENTS[event.get("eventName")]["title"] title_fields["actor"] = user return title_template.format(**title_fields) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_ec2_network_acl_modified.py b/aws_cloudtrail_rules/aws_ec2_network_acl_modified.py index 960fe95c0..66ea047df 100644 --- a/aws_cloudtrail_rules/aws_ec2_network_acl_modified.py +++ b/aws_cloudtrail_rules/aws_ec2_network_acl_modified.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of an EC2 Network ACL modification EC2_NACL_MODIFIED_EVENTS = { @@ -17,3 +18,7 @@ def rule(event): def dedup(event): return event.get("recipientAccountId") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_ec2_route_table_modified.py b/aws_cloudtrail_rules/aws_ec2_route_table_modified.py index 76cbee34a..bc9c9ee88 100644 --- a/aws_cloudtrail_rules/aws_ec2_route_table_modified.py +++ b/aws_cloudtrail_rules/aws_ec2_route_table_modified.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of an EC2 Route Table modification EC2_RT_MODIFIED_EVENTS = { @@ -18,3 +19,7 @@ def rule(event): def dedup(event): return event.get("recipientAccountId") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_ec2_security_group_modified.py b/aws_cloudtrail_rules/aws_ec2_security_group_modified.py index b6f0e10a8..c7efd9d4b 100644 --- a/aws_cloudtrail_rules/aws_ec2_security_group_modified.py +++ b/aws_cloudtrail_rules/aws_ec2_security_group_modified.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of an EC2 SecurityGroup modification EC2_SG_MODIFIED_EVENTS = { @@ -17,3 +18,7 @@ def rule(event): def dedup(event): return event.get("recipientAccountId") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_ec2_vpc_modified.py b/aws_cloudtrail_rules/aws_ec2_vpc_modified.py index bc527f6ff..1cd76e71d 100644 --- a/aws_cloudtrail_rules/aws_ec2_vpc_modified.py +++ b/aws_cloudtrail_rules/aws_ec2_vpc_modified.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of an EC2 VPC modification EC2_VPC_MODIFIED_EVENTS = { @@ -22,3 +23,7 @@ def rule(event): def dedup(event): return event.get("recipientAccountId") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_iam_anything_changed.py b/aws_cloudtrail_rules/aws_iam_anything_changed.py index 2482e6590..46949f890 100644 --- a/aws_cloudtrail_rules/aws_iam_anything_changed.py +++ b/aws_cloudtrail_rules/aws_iam_anything_changed.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context IAM_CHANGE_ACTIONS = [ "Add", @@ -24,3 +25,7 @@ def rule(event): return False return any((event.get("eventName", "").startswith(action) for action in IAM_CHANGE_ACTIONS)) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py b/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py index 36ff1e1d8..9e060b7b2 100644 --- a/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py +++ b/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context # This is a list of role ARNs that should not be assumed by users in normal operations ASSUME_ROLE_BLOCKLIST = [ @@ -17,3 +17,7 @@ def rule(event): return False return deep_get(event, "requestParameters", "roleArn") in ASSUME_ROLE_BLOCKLIST + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py b/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py index 9460f8c1e..5aa808ad1 100644 --- a/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py +++ b/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py @@ -1,7 +1,7 @@ import re from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context # The role dedicated for IAM administration IAM_ADMIN_ROLES = { @@ -54,3 +54,7 @@ def rule(event): deep_get(event, "userIdentity", "sessionContext", "sessionIssuer", "arn") not in IAM_ADMIN_ROLES ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_iam_policy_modified.py b/aws_cloudtrail_rules/aws_iam_policy_modified.py index 5677a216f..55e05202a 100644 --- a/aws_cloudtrail_rules/aws_iam_policy_modified.py +++ b/aws_cloudtrail_rules/aws_iam_policy_modified.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of IAM Policy changes POLICY_CHANGE_EVENTS = { @@ -29,3 +30,7 @@ def rule(event): def dedup(event): return event.get("recipientAccountId") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_iam_user_recon_denied.py b/aws_cloudtrail_rules/aws_iam_user_recon_denied.py index 8e4559466..51fe6eda1 100644 --- a/aws_cloudtrail_rules/aws_iam_user_recon_denied.py +++ b/aws_cloudtrail_rules/aws_iam_user_recon_denied.py @@ -1,7 +1,7 @@ from ipaddress import ip_address from panther import lookup_aws_account_name -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context # service/event patterns to monitor RECON_ACTIONS = { @@ -59,3 +59,7 @@ def title(event): "in account " f"[{lookup_aws_account_name(event.get('recipientAccountId'))}]" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_key_compromised.py b/aws_cloudtrail_rules/aws_key_compromised.py index a73f0feb1..14a961e83 100644 --- a/aws_cloudtrail_rules/aws_key_compromised.py +++ b/aws_cloudtrail_rules/aws_key_compromised.py @@ -1,4 +1,4 @@ -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context EXPOSED_CRED_POLICY = "AWSExposedCredentialPolicy_DO_NOT_REMOVE" @@ -22,3 +22,7 @@ def title(event): f"{dedup(event)}'s access key ID [{deep_get(event, 'userIdentity', 'accessKeyId')}]" f" was uploaded to a public GitHub repo" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_kms_cmk_loss.py b/aws_cloudtrail_rules/aws_kms_cmk_loss.py index c7ab950e9..8f27cba22 100644 --- a/aws_cloudtrail_rules/aws_kms_cmk_loss.py +++ b/aws_cloudtrail_rules/aws_kms_cmk_loss.py @@ -1,4 +1,5 @@ from panther import aws_cloudtrail_success +from panther_base_helpers import aws_rule_context # API calls that are indicative of KMS CMK Deletion KMS_LOSS_EVENTS = {"DisableKey", "ScheduleKeyDeletion"} @@ -14,3 +15,7 @@ def dedup(event): if resource.get("type", "") == KMS_KEY_TYPE: return resource.get("ARN") return event.get("eventName") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py b/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py index 6b35e8bb2..f5f61b7a4 100644 --- a/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py +++ b/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -13,3 +13,7 @@ def rule(event): and deep_get(event, "requestParameters", "ruleAction") == "allow" and deep_get(event, "requestParameters", "egress") is False ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_resource_made_public.py b/aws_cloudtrail_rules/aws_resource_made_public.py index 6d67424de..d7bcfd351 100644 --- a/aws_cloudtrail_rules/aws_resource_made_public.py +++ b/aws_cloudtrail_rules/aws_resource_made_public.py @@ -1,7 +1,7 @@ import json from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context from policyuniverse.policy import Policy @@ -83,3 +83,7 @@ def title(event): return f"Resource {event.get('Resources')[0].get('arn', 'MISSING')} made public by {user}" return f"{event.get('eventSource', 'MISSING SOURCE')} resource made public by {user}" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_root_access_key_created.py b/aws_cloudtrail_rules/aws_root_access_key_created.py index a22c3344f..11bf9bde8 100644 --- a/aws_cloudtrail_rules/aws_root_access_key_created.py +++ b/aws_cloudtrail_rules/aws_root_access_key_created.py @@ -1,4 +1,4 @@ -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -12,3 +12,7 @@ def rule(event): # Only alert if the root user is creating an access key for itself return event.get("requestParameters") is None + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_root_console_login.py b/aws_cloudtrail_rules/aws_root_console_login.py index 7881be34a..bb4b08583 100644 --- a/aws_cloudtrail_rules/aws_root_console_login.py +++ b/aws_cloudtrail_rules/aws_root_console_login.py @@ -1,4 +1,4 @@ -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -12,3 +12,7 @@ def rule(event): # Only alert if the login was a success return deep_get(event, "responseElements", "ConsoleLogin") == "Success" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_root_failed_console_login.py b/aws_cloudtrail_rules/aws_root_failed_console_login.py index 9419e2f4e..eee1195b8 100644 --- a/aws_cloudtrail_rules/aws_root_failed_console_login.py +++ b/aws_cloudtrail_rules/aws_root_failed_console_login.py @@ -1,4 +1,4 @@ -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -12,3 +12,7 @@ def rule(event): # Only alert if the login was a failure return deep_get(event, "responseElements", "ConsoleLogin") != "Success" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_root_password_changed.py b/aws_cloudtrail_rules/aws_root_password_changed.py index 22c3493fd..1ccdb862c 100644 --- a/aws_cloudtrail_rules/aws_root_password_changed.py +++ b/aws_cloudtrail_rules/aws_root_password_changed.py @@ -1,4 +1,4 @@ -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -12,3 +12,7 @@ def rule(event): # Only alert if the login was a success return deep_get(event, "responseElements", "PasswordUpdated") == "Success" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_s3_bucket_deleted.py b/aws_cloudtrail_rules/aws_s3_bucket_deleted.py index 4fcd2ddac..dc0ea2527 100644 --- a/aws_cloudtrail_rules/aws_s3_bucket_deleted.py +++ b/aws_cloudtrail_rules/aws_s3_bucket_deleted.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -24,3 +24,7 @@ def dedup(event): def title(event): return f"{deep_get(event, 'userIdentity', 'type')} [{dedup(event)}] destroyed a bucket" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py b/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py index 341351b67..e5042d551 100644 --- a/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py +++ b/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context # API calls that are indicative of KMS CMK Deletion S3_POLICY_CHANGE_EVENTS = { @@ -21,3 +21,7 @@ def rule(event): def title(event): return f"S3 bucket modified by [{deep_get(event, 'userIdentity', 'arn')}]" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_security_configuration_change.py b/aws_cloudtrail_rules/aws_security_configuration_change.py index 24fcf958b..08f425f55 100644 --- a/aws_cloudtrail_rules/aws_security_configuration_change.py +++ b/aws_cloudtrail_rules/aws_security_configuration_change.py @@ -1,7 +1,7 @@ from fnmatch import fnmatch from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context SECURITY_CONFIG_ACTIONS = { "DeleteAccountPublicAccessBlock", @@ -53,3 +53,7 @@ def title(event): ) return f"Sensitive AWS API call {event.get('eventName')} made by {user}" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_snapshot_made_public.py b/aws_cloudtrail_rules/aws_snapshot_made_public.py index 732640ca6..e1554778b 100644 --- a/aws_cloudtrail_rules/aws_snapshot_made_public.py +++ b/aws_cloudtrail_rules/aws_snapshot_made_public.py @@ -1,7 +1,7 @@ from collections.abc import Mapping from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context def rule(event): @@ -27,3 +27,7 @@ def rule(event): return "all" in deep_get(event, "requestParameters", "valuesToAdd", default=[]) return False + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_unauthorized_api_call.py b/aws_cloudtrail_rules/aws_unauthorized_api_call.py index 3759e82e8..e2669698a 100644 --- a/aws_cloudtrail_rules/aws_unauthorized_api_call.py +++ b/aws_cloudtrail_rules/aws_unauthorized_api_call.py @@ -1,6 +1,6 @@ from ipaddress import ip_address -from panther_base_helpers import aws_strip_role_session_id, deep_get +from panther_base_helpers import aws_strip_role_session_id, deep_get, aws_rule_context # Do not alert on these access denied errors for these events. # Events could be exceptions because they are particularly noisy and provide little to no value, @@ -31,3 +31,7 @@ def dedup(event): def title(event): return f"Access denied to {deep_get(event, 'userIdentity', 'type')} [{dedup(event)}]" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_cloudtrail_rules/aws_update_credentials.py b/aws_cloudtrail_rules/aws_update_credentials.py index dcdb422b1..ab2b1284e 100644 --- a/aws_cloudtrail_rules/aws_update_credentials.py +++ b/aws_cloudtrail_rules/aws_update_credentials.py @@ -1,5 +1,5 @@ from panther import aws_cloudtrail_success -from panther_base_helpers import deep_get +from panther_base_helpers import deep_get, aws_rule_context UPDATE_EVENTS = {"ChangePassword", "CreateAccessKey", "CreateLoginProfile", "CreateUser"} @@ -17,3 +17,7 @@ def title(event): f"{deep_get(event, 'userIdentity', 'type')} [{deep_get(event, 'userIdentity', 'arn')}]" f" has updated their IAM credentials" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_guardduty_rules/aws_guardduty_high_sev_findings.py b/aws_guardduty_rules/aws_guardduty_high_sev_findings.py index 0be7017d2..3f309abb7 100644 --- a/aws_guardduty_rules/aws_guardduty_high_sev_findings.py +++ b/aws_guardduty_rules/aws_guardduty_high_sev_findings.py @@ -1,3 +1,4 @@ +from panther_base_helpers import aws_rule_context def rule(event): return 7.0 <= float(event.get("severity", 0)) <= 8.9 @@ -8,3 +9,7 @@ def dedup(event): def title(event): return event.get("title") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_guardduty_rules/aws_guardduty_low_sev_findings.py b/aws_guardduty_rules/aws_guardduty_low_sev_findings.py index 51629fae1..00d69a41d 100644 --- a/aws_guardduty_rules/aws_guardduty_low_sev_findings.py +++ b/aws_guardduty_rules/aws_guardduty_low_sev_findings.py @@ -1,3 +1,4 @@ +from panther_base_helpers import aws_rule_context def rule(event): return 0.1 <= float(event.get("severity", 0)) <= 3.9 @@ -8,3 +9,7 @@ def dedup(event): def title(event): return event.get("title") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_guardduty_rules/aws_guardduty_med_sev_findings.py b/aws_guardduty_rules/aws_guardduty_med_sev_findings.py index cf08142f4..8eb43b32f 100644 --- a/aws_guardduty_rules/aws_guardduty_med_sev_findings.py +++ b/aws_guardduty_rules/aws_guardduty_med_sev_findings.py @@ -1,3 +1,4 @@ +from panther_base_helpers import aws_rule_context def rule(event): return 4.0 <= float(event.get("severity", 0)) <= 6.9 @@ -8,3 +9,7 @@ def dedup(event): def title(event): return event.get("title") + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_s3_rules/aws_s3_access_error.py b/aws_s3_rules/aws_s3_access_error.py index f6c2d1868..104d9b4e3 100644 --- a/aws_s3_rules/aws_s3_access_error.py +++ b/aws_s3_rules/aws_s3_access_error.py @@ -1,4 +1,4 @@ -from panther_base_helpers import pattern_match +from panther_base_helpers import pattern_match, aws_rule_context # https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html HTTP_STATUS_CODES_TO_MONITOR = { @@ -19,3 +19,7 @@ def rule(event): def title(event): return f"{event.get('httpstatus')} errors found to S3 Bucket [{event.get('bucket')}]" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_s3_rules/aws_s3_access_ip_allowlist.py b/aws_s3_rules/aws_s3_access_ip_allowlist.py index 8ae97ce27..a276df3e6 100644 --- a/aws_s3_rules/aws_s3_access_ip_allowlist.py +++ b/aws_s3_rules/aws_s3_access_ip_allowlist.py @@ -1,4 +1,5 @@ from ipaddress import ip_network +from panther_base_helpers import aws_rule_context BUCKETS_TO_MONITOR = { # Example bucket names to watch go here @@ -23,3 +24,7 @@ def rule(event): def title(event): return f"Non-Approved IP access to S3 Bucket [{event.get('bucket', '')}]" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_s3_rules/aws_s3_insecure_access.py b/aws_s3_rules/aws_s3_insecure_access.py index 4fb245fd6..3314952aa 100644 --- a/aws_s3_rules/aws_s3_insecure_access.py +++ b/aws_s3_rules/aws_s3_insecure_access.py @@ -1,4 +1,4 @@ -from panther_base_helpers import pattern_match +from panther_base_helpers import pattern_match, aws_rule_context def rule(event): @@ -9,3 +9,7 @@ def rule(event): def title(event): return f"Insecure access to S3 Bucket [{event.get('bucket', '')}]" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_s3_rules/aws_s3_unauthenticated_access.py b/aws_s3_rules/aws_s3_unauthenticated_access.py index 9187a763f..d61a7035b 100644 --- a/aws_s3_rules/aws_s3_unauthenticated_access.py +++ b/aws_s3_rules/aws_s3_unauthenticated_access.py @@ -1,3 +1,4 @@ +from panther_base_helpers import aws_rule_context # A list of buckets where authenticated access is expected AUTH_BUCKETS = {"example-bucket"} @@ -8,3 +9,7 @@ def rule(event): def title(event): return f"Unauthenticated access to S3 Bucket [{event.get('bucket', '')}]" ) + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py b/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py index 9df7a2ff6..53a3caf63 100644 --- a/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py +++ b/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py @@ -1,2 +1,7 @@ +from panther_base_helpers import aws_rule_context def rule(event): return event.get("log-status") == "SKIPDATA" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py b/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py index 9a4cd5f71..3a7e8bde9 100644 --- a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py +++ b/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py @@ -1,4 +1,5 @@ from ipaddress import ip_network +from panther_base_helpers import aws_rule_context APPROVED_PORTS = { 80, @@ -25,3 +26,7 @@ def rule(event): # # Defaults to False (no alert) if 'dstaddr' key is not present return ip_network(event.get("dstaddr", "1.0.0.0/32")).is_private + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py b/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py index 6969c0f30..0dc0c0f9f 100644 --- a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py +++ b/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py @@ -1,4 +1,5 @@ from ipaddress import ip_network +from panther_base_helpers import aws_rule_context CONTROLLED_PORTS = { 22, @@ -23,3 +24,7 @@ def rule(event): # # Defaults to False(no alert) if 'dstaddr' key is not present return ip_network(event.get("dstaddr", "1.0.0.0/32")).is_private + + +def alert_context(event): + return aws_rule_context(event) diff --git a/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py b/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py index c07ac2aac..135b6c551 100644 --- a/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py +++ b/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py @@ -1,4 +1,5 @@ from ipaddress import ip_network +from panther_base_helpers import aws_rule_context APPROVED_DNS_SERVERS = { "1.1.1.1", # CloudFlare DNS @@ -22,3 +23,7 @@ def rule(event): # No clean way to default to False (no alert), so explicitly check for key return "dstaddr" in event and event.get("dstaddr") not in APPROVED_DNS_SERVERS + + +def alert_context(event): + return aws_rule_context(event) diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py index e8dd62b5d..d1f81933e 100644 --- a/global_helpers/panther_base_helpers.py +++ b/global_helpers/panther_base_helpers.py @@ -248,6 +248,16 @@ def aws_strip_role_session_id(user_identity_arn): return user_identity_arn +def aws_rule_context(event: dict): + return { + "eventName": event.get("eventName", ""), + "recipientAccountId": event.get("recipientAccountId", ""), + "sourceIPAddress": event.get("sourceIPAddress", ""), + "userAgent": event.get("userAgent", ""), + "userIdentity": event.get("userIdentity", ""), + } + + def is_ip_in_network(ip_addr, networks): """Check that a given IP is within a list of IP ranges""" return any(ip_address(ip_addr) in ip_network(network) for network in networks) From 70294f95097c0b4f4eb80c385dfa6dafae23b68e Mon Sep 17 00:00:00 2001 From: Weyland <71197790+wey-chiang@users.noreply.github.com> Date: Mon, 15 Aug 2022 13:47:00 -0400 Subject: [PATCH 20/21] Packs: Cloudflare & Slack (#478) * Tweaked the Cloudflare L7 DDoS detection to filter out blocks * Added new packs for Cloudflare and Slack * Removed erroneous new line * Removed unused globals --- packs/cloudflare.yml | 15 +++++++++++++++ packs/slack.yml | 30 ++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 packs/cloudflare.yml create mode 100644 packs/slack.yml diff --git a/packs/cloudflare.yml b/packs/cloudflare.yml new file mode 100644 index 000000000..eb80226b9 --- /dev/null +++ b/packs/cloudflare.yml @@ -0,0 +1,15 @@ +AnalysisType: pack +PackID: PantherManaged.Cloudflare +DisplayName: Panther Cloudflare Pack +Description: Group of all Cloudflare detections +PackDefinition: + IDs: + - Cloudflare.Firewall.L7DDoS + - Cloudflare.Firewall.HighVolumeEventsBlocked + - Cloudflare.Firewall.HighVolumeEventsBlockedGreyNoise + - Cloudflare.Firewall.SuspiciousEventGreyNoise + - Cloudflare.HttpRequest.BotHighVolume + - Cloudflare.HttpRequest.BotHighVolumeGreyNoise + # Globals used in these rules/policies + - panther_cloudflare_helpers + - panther_greynoise_helpers diff --git a/packs/slack.yml b/packs/slack.yml new file mode 100644 index 000000000..26c2ccbb5 --- /dev/null +++ b/packs/slack.yml @@ -0,0 +1,30 @@ +AnalysisType: pack +PackID: PantherManaged.Slack +DisplayName: Panther Slack Pack +Description: Group of all Slack detections +PackDefinition: + IDs: + - Slack.AuditLogs.AppAccessExpanded + - Slack.AuditLogs.AppAdded + - Slack.AuditLogs.AppRemoved + - Slack.AuditLogs.ApplicationDoS + - Slack.AuditLogs.DLPModified + - Slack.AuditLogs.EKMConfigChanged + - Slack.AuditLogs.EKMSlackbotUnenrolled + - Slack.AuditLogs.EKMUnenrolled + - Slack.AuditLogs.IDPConfigurationChanged + - Slack.AuditLogs.InformationBarrierModified + - Slack.AuditLogs.IntuneMDMDisabled + - Slack.AuditLogs.LegalHoldPolicyModified + - Slack.AuditLogs.MFASettingsChanged + - Slack.AuditLogs.OrgCreated + - Slack.AuditLogs.OrgDeleted + - Slack.AuditLogs.PassthroughAnomaly + - Slack.AuditLogs.PotentiallyMaliciousFileShared + - Slack.AuditLogs.PrivateChannelMadePublic + - Slack.AuditLogs.ServiceOwnerTransferred + - Slack.AuditLogs.SSOSettingsChanged + - Slack.AuditLogs.UserPrivilegeEscalation + # Globals used in these rules/policies + - panther_base_helpers + - panther_oss_helpers From 0c9c65cce75b2501ddf50d26adadf215b1b695dd Mon Sep 17 00:00:00 2001 From: Kyle Bailey Date: Tue, 16 Aug 2022 17:08:01 -0500 Subject: [PATCH 21/21] fix: greynoise object function call not attribute (#479) --- aws_cloudtrail_rules/aws_s3_activity_greynoise.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws_cloudtrail_rules/aws_s3_activity_greynoise.py b/aws_cloudtrail_rules/aws_s3_activity_greynoise.py index f7a36395c..856381855 100644 --- a/aws_cloudtrail_rules/aws_s3_activity_greynoise.py +++ b/aws_cloudtrail_rules/aws_s3_activity_greynoise.py @@ -58,7 +58,7 @@ def rule(event): if pattern_match_list(deep_get(event, "userIdentity", "arn"), _ALLOWED_ROLES): # Only Greynoise advanced provides AS organization info if NOISE.subscription_level() == 'advanced': - if NOISE.organization == 'Amazon.com, Inc.': + if NOISE.organization() == 'Amazon.com, Inc.': return False # return false if the role is seen and we are not able to valide the AS organization else: